[strongSwan] Tunnel established but cannot ping. Request help.

2019-04-04 Thread Makarand Pradhan
ciated. With Rgds, Makarand. Makarand Pradhan Senior Software Engineer. iS5 Communications Inc. #1-1815 Meyerside Drive Mississauga, Ontario L5T 1G3 Main Line: +1-844-520-0588 Ext. 129 Direct Line: +1-289-724-2296 Cell: +1-226-501-5666 Fax:+1-289-401-5206 Email: mailto:makarandprad...@is5com

[strongSwan] Strongswan, Netns and routing configuration question

2019-05-09 Thread Makarand Pradhan
g is set on all the veth interfaces, e.g.: sh-4.3# cat /proc/sys/net/ipv4/conf/veth0/forwarding 1 sh-4.3# cat /proc/sys/net/ipv4/conf/veth0.80/forwarding 1 I am probably missing something in my routing config. This is probably more of a routing question. Thanks for taking the time to read the questi

Re: [strongSwan] Wrong DH group and hash in IKE phase 1 proposal

2019-12-13 Thread Makarand Pradhan
, IKE_PHASE1_COMPLETE *Dec 13 17:14:29.259: ISAKMP:(1008):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE Thanks. Makarand Pradhan

Re: [strongSwan] Tunnel going down after 40+ hours

2019-10-15 Thread Makarand Pradhan
seems to be some temporary network connectivity loss. Though this is difficult as the machines are sitting right next to each other and nothing else was happening over the weekend. We will re run and monitor connectivity again. Thanks. Makarand Pradhan

Re: [strongSwan] Tunnel going down after 40+ hours

2019-10-21 Thread Makarand Pradhan
the previously seen issue anymore. Thanks for your help and suggestions. With rgds, Makarand Pradhan

[strongSwan] Tunnel going down after 40+ hours

2019-10-11 Thread Makarand Pradhan
ing policy 192.168.1.0/24 === 192.168.2.0/24 in Oct  7 22:58:20 t1024rdb charon: 13[KNL] deleting policy 192.168.1.0/24 === 192.168.2.0/24 fwd Oct  7 22:58:20 t1024rdb charon: 13[KNL] deleting policy 192.168.55.0/24 === 192.168.1.0/24 out Makarand Pradhan

[strongSwan] Strongswan Cisco Interop Question (One way traffic)

2020-04-16 Thread Makarand Pradhan
his issue, your feedback would be very much appreciated. Kind rgds, Makarand Pradhan Senior Software Engineer. iS5 Communications Inc. 5895 Ambler Dr, Mississauga, Ontario L4W 5B7 Main Line: +1-844-520-0588 Ext. 129 Direct Line: +1-289-724-2296 Cell: +1-226-501-5666 Fax:+1-289-401-5206 Email: mak

Re: [strongSwan] ikeV1 tunnel established but packets are not routed. V2 works.

2020-04-07 Thread Makarand Pradhan
Good morning All, Following up on the issue. We need to manually add the route for ikev1. Would very much appreciate any pointers. Am kind of stuck on ikev1. Kind rgds, Makarand Pradhan

Re: [strongSwan] ikev2: Tunnel established inspite of different phase 2 DH group

2020-04-02 Thread Makarand Pradhan
Good morning Tobias, Appreciate your confirmation. Kind rgds, Makarand Pradhan

[strongSwan] ikev2: Tunnel established inspite of different phase 2 DH group

2020-04-01 Thread Makarand Pradhan
[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536 Would highly appreciate your inputs. Is the system behaving correctly? i.e. the DH group is used only during reneg after expiry of lifetime? Kind rgds, Makarand Pradhan

Re: [strongSwan] ikev2: Tunnel established inspite of different phase 2 DH group

2020-04-02 Thread Makarand Pradhan
CHILD_SA, keeping IKE_SA Kind rgds, Makarand Pradhan

Re: [strongSwan] ikev2: Tunnel established inspite of different phase 2 DH group

2020-04-02 Thread Makarand Pradhan
Tx Tobias. Kind rgds, Makarand Pradhan

Re: [strongSwan] ikeV1 tunnel established but packets are not routed. V2 works.

2020-03-19 Thread Makarand Pradhan
Hi All, The wiki gave me a hint. The issue was route. For v1 the remote protected network route has to be explicitly added: For me: ip ro add 10.10.9.0/24 via 91.0.0.3 ip ro add 192.168.9.0/24 via 91.0.0.2 Thanks all for looking at the issue. Kind rgds, Makarand Pradhan

[strongSwan] ikeV1 tunnel established but packets are not routed. V2 works.

2020-03-19 Thread Makarand Pradhan
highly appreciated. Kind rgds, Makarand Pradhan

Re: [strongSwan] ikeV1 tunnel established but packets are not routed. V2 works.

2020-03-20 Thread Makarand Pradhan
one subnet. Still the same. Tunnel is up traffic does not go thru unless I add the route. Do I need any iptables configuration to get it to work? Kind rgds, Makarand Pradhan

Re: [strongSwan] ikeV1 tunnel established but packets are not routed. V2 works.

2020-03-20 Thread Makarand Pradhan
appreciated. Kind rgds, Makarand Pradhan

Re: [strongSwan] ikeV1 tunnel established but packets are not routed. V2 works.

2020-03-20 Thread Makarand Pradhan
.168.9.0/24 via 91.0.0.2" when I am running v1? With this route, the packets get encrypted. If this is the desired behaviour then we do not have an issue. Would appreciate if someone can confirm if v1 needs the route addition. V2 does work without the explicit route addition. Kind rgds, Makara

Re: [strongSwan] ikeV1 tunnel established but packets are not routed. V2 works.

2020-03-20 Thread Makarand Pradhan
Tx for the clarification. All information per the wiki is attached. Kind rgds, Makarand Pradhan

[strongSwan] aesxcbc did not work for ph2 but worked for ph1

2020-09-03 Thread Makarand Pradhan
c05ee772 (FAILED) 13[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel 13[IKE] failed to establish CHILD_SA, keeping IKE_SA Kind rgds, Makarand Pradhan

Re: [strongSwan] aesxcbc did not work for ph2 but worked for ph1

2020-09-04 Thread Makarand Pradhan
Thanks Tobias for your response. I recompiled the kernel with: +CONFIG_CRYPTO_XCBC=y And it worked for me. Kind rgds, Makarand Pradhan

[strongSwan] Restricting protocol and port numbers question

2020-09-01 Thread Makarand Pradhan
configuration? Thanks. Kind rgds, Makarand Pradhan

[strongSwan] Windows VPN client issue with Strongswan

2020-10-09 Thread Makarand Pradhan
Hello All, I am having trouble while connecting a Windows VPN client to Strongswan using Machine certificates. I am following the wiki: https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients Would appreciate any pointers to resolve the issue. Issue: Windows client is not connecting

Re: [strongSwan] Windows VPN client issue with Strongswan

2020-10-13 Thread Makarand Pradhan
c.d/cacert, ipsec.d/cert and the server private key is installed in ipsec.d/private Will recheck and get back. Thanks again. Makarand. -Original Message- From: Tobias Brunner Sent: October 12, 2020 10:59 AM To: Makarand Pradhan ; users@lists.strongswan.org Subject: Re: [strongSwan] Windows

Re: [strongSwan] Multiple CHILD_SA's after reauth timer expires

2020-08-18 Thread Makarand Pradhan
Thanks Tobias for your quick response. Am trying the make-before-break approach and so far the results are good. Will run traffic for some more time to confirm the resolution. Kind rgds, Makarand Pradhan

[strongSwan] Multiple CHILD_SA's after reauth timer expires

2020-08-18 Thread Makarand Pradhan
on how to avoid the multiple CHILD_SAs after reauth? Kind rgds, Makarand Pradhan

Re: [strongSwan] Blowfish not working for IKE, but works for CHILD_SA (Linux strongSwan U5.8.2/K4.1.35-rt41)

2020-08-26 Thread Makarand Pradhan
status: ... m1[18]: IKEv2 SPIs: 1b652ce7683f67fa_i 269af6263b48d37e_r*, pre-shared key reauthentication in 45 minutes m1[18]: IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536 Kind rgds, Makarand Pradhan

[strongSwan] Multiple SAs on Link up. Race condition.

2020-07-15 Thread Makarand Pradhan
, rekeying in 5847s, expires in 6838s in c5538838, 0 bytes, 0 packets out c69ab573, 0 bytes, 0 packets local 192.168.10.0/24 192.168.52.0/24 remote 10.10.10.0/24 192.168.62.0/24 Thanks. Kind rgds, Makarand Pradhan

Re: [strongSwan] DPD question

2020-08-04 Thread Makarand Pradhan
Thanks Thomas. Will use 5. That makes sense. Kind rgds, Makarand Pradhan

Re: [strongSwan] DPD question

2020-08-04 Thread Makarand Pradhan
after 1 retransmits 11[IKE] retransmit 1 of request with message ID 2 11[NET] sending packet: from 172.16.31.100[500] to 172.16.21.100[500] (76 bytes) 06[IKE] giving up after 1 retransmits Kind rgds, Makarand Pradhan

[strongSwan] DPD question

2020-08-04 Thread Makarand Pradhan
for looking at my query. Kind rgds, Makarand Pradhan

[strongSwan] Question regarding Drop dead packets

2020-08-13 Thread Makarand Pradhan
in the absence of traffic. "dpddelay = 30s | defines the period time interval with which R_U_THERE messages/INFORMATIONAL exchanges are sent to the peer. These are only sent if no other traffic is received." Can anyone comment if this is the expected behaviour? Kind rgds, Makarand Pradhan

[strongSwan] Tunnel and Transport mode mismatch

2020-07-07 Thread Makarand Pradhan
seconds ago, 172.16.31.1[172.16.31.1]...172.16.31.2[172.16.31.2]   m1{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: cdd622d2_i cfe1297d_o   m1{1}:   172.16.31.1/32 === 172.16.31.2/32 Thanks for looking at my post. Kind rgds, Makarand Pradhan

Re: [strongSwan] Subnet selector question

2021-01-29 Thread Makarand Pradhan
: Users On Behalf Of Makarand Pradhan Sent: January 28, 2021 12:33 PM To: users@lists.strongswan.org Subject: [strongSwan] Subnet selector question GM Everyone, Am trying to selectively push icmp traffic into the tunnel. Am missing something, would appreciate any pointers. Scenario: (PC1 10.10.9.31/2

[strongSwan] Subnet selector question

2021-01-28 Thread Makarand Pradhan
10.10.9.0/24[icmp] 192.168.61.0/24 === 192.168.9.0/24[icmp] 192.168.51.0/24 I notice that the ARP request is not answered. When I do not specify icmp, everything works. I think strongswan responds to the ARP. Don't see it with icmp filter. Thanks for looking. Kind rgds, Makarand Pradhan

[strongSwan] GRE Strongswan Question

2021-12-10 Thread Makarand Pradhan
peer 172.16.100.1 inet 10.10.1.2/24 scope global tunnel1 valid_lft forever preferred_lft forever Thanks. Kind rgds, Makarand Pradhan

Re: [strongSwan] Multiple SAs after rekey with traffic.

2022-05-18 Thread Makarand Pradhan
appreciate if anyone can suggest if I have missed a config in charon.conf. Have tried but am not seeing any improvement. Hoping to hear comments/suggestions on the issue. Thanks and Regards, Makarand Pradhan

Re: [strongSwan] Multiple SAs after rekey with traffic.

2022-05-30 Thread Makarand Pradhan
GM Rajiv, Appreciate your suggestions. Will test for 24 hours and get back. With regards, Makarand. From: Rajiv Kulkarni Sent: May 25, 2022 3:35 PM To: Makarand Pradhan Cc: Users@lists.strongswan.org Subject: Re: [strongSwan] Multiple SAs after rekey with traffic. Hi 1. why have you changed

[strongSwan] Multiple SAs after rekey with traffic.

2022-05-16 Thread Makarand Pradhan
/MODP_1536 policy1{12}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c5fabaf0_i c5dad3ed_o policy1{12}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 18 minutes policy1{12}: 192.168.101.0/24 === 10.10.101.0/24 Kind rgds, Makarand Pradhan