Hi,
carol# ipsec up home
received TS_UNACCEPTABLE notify, no CHILD_SA built
Carol proposes leftsubnet=10.20.5.46/16 and rightsubnet=10.20.5.46/16, but moon accepts leftsubnet=10.20.5.46/16 only. Not defining a subnet results in a host2host tunnel.
Do you really want
Hi Thomas,
attached patch fixes a small compile error of struct tm not being defined.
Applied to [4733], thanks.
Best regards
Martin
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Hi,
I think the right place to fix this is in the kernel, I'll try to push
a patch upstream.
My kernel patch [1] is in net-next and will be included in 2.6.29.
Regards
Martin
[1]http://kerneltrap.org/mailarchive/linux-netdev/2008/11/25/4231304
Hi,
Could you please let me know if it is possible to deactivate in strongSwan
the automatic adding of the virtual IP address of roadwarriors to the
physical ethernet interface?
Why do you request a virtual IP if you don't want to use one?
IKE_SA con.2[2] established between
[EMAIL
Hi,
11[ENC] parsed INFORMATIONAL request 0 [ N(COOKIE2) ]
11[ENC] generating INFORMATIONAL response 0 [ ]
--- replies an empty INFO-RSP, is this right?
No, it should reply with the same COOKIE2. And it actually does so in my
tests.
I did some fixes for COOKIE2 support recently, but these
Hi,
I use the split authentication of ikev2 (client with psk, gateway with
cert)
Keep in mind to use such a setup only with strong secrets. PSK client
authentication is subject to dictionary attacks, don't use it with
simple passwords.
in the split modus it is for an attacker also possible
Hi,
I'll have a look what's the best approach to implement a fix.
A patch has gone into SVN, see [1]. This should fix a potential DoS
attack scenario on the pool.
However, there is still no guarantee for this uniqueness check. A peer
can still set up multiple IKE_SAs at the same time, but
Hi Simo,
[1]http://kerneltrap.org/mailarchive/linux-netdev/2008/12/4/4312604
My patch introduced a bug and therefore has been reverted upstream.
Additionally, there are some doubts if encapsulated packets should be
processed if it is not explicitly enabled in the SA. You might join the
Hi,
If in the IKE_AUTH exchange the peers examine a NAT system.
NAT situations are detected in the IKE_SA_INIT exchange.
Is the information to encapsulate packets in UDP saved in the SAD
like the other values (keys, tunnel destination, ...)?
Yes. Encap status is shown in ipsec statusall
Hi,
noticed that it uses too short a nonce for PRF HMAC-SHA2-384 and
HMAC-SHA2-512 in the IKE_SA_INIT exchange
Yes, this is true. I already had this on my TODO list, but didn't look
at it in detail yet.
I notice charon is hardwired to use a 16 byte nonce which pretty much
restricts it to
Hi,
From my reading about DPD, it looks like DPD only tries to bring the
connection
back for some amount of time right after the connection is lost. I am
looking for a way to continuously try to make certain that the IPsec
connections are up, even if it is days or weeks since the loss of
Hi,
Is it a normal behaviour?
No, this is a known bug and has been fixed [1] in 4.2.12.
Or is it a real problem?
As the client is authenticated using EAP and the MSK is only a side
effect, this should not affect security.
The bug was really a bad one, but can not be used for attacks.
Hi,
However, after a second the resolv.conf will be modified again, and the DNS
settings provided by the strongSwan gateway disappear. Can anyone on the list
give me a hint what is going wrong here?
NetworkManager does not allow another application to modify resolv.conf,
it overwrites the
Hi,
It would be nice to use twofish with charon as an alternative to aes
for IKEv2.
The problem is that Twofish is currently not defined in IKEv2 [1] (btw.
Blowfish is, and it is supported using the OpenSSL plugin).
We would have to implement Twofish as a vendor specific extension.
Regards
Hi,
I have still problems building strongswan on sles10sp2 with kernel
2.6.16.60-0.33.
The problem persists since the last three versions of strongswan.
A workaround is to change ltmain.sh in strongswan sources with
/usr/share/libtool/ltmain.sh.
Do you use the ./configure script shipped
Hi,
attached is a patch to start charon/pluto only if they were built.
Applied in a slightly modified version [1] to trunk, thanks!
Regards,
Martin
[1]http://trac.strongswan.org/changeset/5002
Hi,
can I get all the links of /apidoc (www.strongswan.org/apidoc) in one folder
or something like that?
There is a make target that allows you to build the apidoc from sources.
Running make apidoc in configured sources will build the apidoc folder
(you'll need Doxygen installed).
Regards
Hi,
Apr 6 08:36:57 csp-laptop charon: 17[IKE] requesting address change using
MOBIKE
Apr 6 08:36:57 csp-laptop charon: 17[ENC] generating INFORMATIONAL request
2 [ ]
Apr 6 08:36:57 csp-laptop charon: 17[IKE] checking path 192.168.5.80[4500]
- 194.116.5.51[4500]
Apr 6 08:36:57
Hi Graham,
Is there any way to configure the client so that it will either not bother
verifying the server, or if it does try to verify and fails, will not care?
No, there is currently no such option.
For our application, the server MUST be able to verify the identity of the
clients, but
Hi,
- checks for Extended Key Usage Flags
- requires the DNS name entered as Gateway address to be included in
the DN or as subjectAltName
It seems that Windows 7 accepts the certificate if it fulfills these
requirements. I've added a page with some details to our wiki [1].
There are
Hi,
Whenever the byte in memory is half-word-aligned, reading it as a uint16
works as expected. The other half of the time, the compiler is adjusting
the pointer (back one) to make it half-word-aligned before reading the two
bytes as a uint16.
Yes, it seems that some ARM CPUs don't like
Hi,
What is the command for deleting the created CREATE_CHILD_SA in
strongSwan ?
To close CHILD_SAs, you can use curly brackets {}. Use
ipsec down conn1{}
to close the first found CHILD_SA named conn1, or use
ipsec down {2}
to close the CHILD_SA with reqid 2 (as seen in statusall).
Hi,
1.How do we combine strongswan and the plugin? when we do ./configure it
doesn't take this directory into account.
First, you'll have to extend the configure script, add an
--enable-eap-eke option, set the corresponding USE_EAP_EKE flag and
build the Makefile in AC_OUTPUT. The easiest way
Hi,
So why strongswan is always using PFS for ike_sa rekeying?
It was optional in RFC4306, but recommended to use. In IKEv2bis it is
not optional anymore, the KE payload is required (see [1]).
Can i disable that in some way?
No, strongSwan does not support IKE_SA rekeying without DH
Hi,
[...] more precisely break-before-make case.
Break-before-make support is currently somewhat limited. While it should
work, strongSwan has a rather short timeout before dropping the SA. If
it can't update the SA within 30 seconds or so, the SA gets deleted.
Is this case
Hi,
any idea on how to fix it [...] ?
I'll try to tweak the code at [2], I think that should be doable.
I've updated [1] the matching code to prefer the first traffic selector
in the proposed list.
This should be sufficient for most cases. Please try if the patch works
for your setup.
Hi,
[...] test case: ikev2/rw-eap-aka-rsa [...]
Received MAC does not match XMAC, sending AKA_AUTHENTICATION_REJECT
ca...@strongswan.org :EAP “Ar3etTnp01qlp0gb
Your secret looks (at least in your mail) screwed up. Have you tried a
simpler secret without quotes? Try to add a space between :
Hi,
Does strongswan Support SINGLE_PAIR_REQUIRED notification?
No, we do not support the SINGLE_PAIR_REQUIRED notify. I don't think
there are many scenarios where this is useful. Even IKEv2bis 2.9 says:
{{ Clarif-4.11 }} Few implementations will have policies that require
separate SAs for
Hi,
Last week I have received a strongSwan update to release 4.3.3 and now I have
serious trouble with the new root-privilege dropping features.
Was it working with an older version?
As of today Gentoo installs strongSwan 4.3.3 with mandatory
root-privilege dropping to a non-privileged
Hi,
1. Through ipsec.conf, I want to create multiple CHILD SA's under an
IKE SA in tunnel mode but I want to give different internal IP's to
every CHILD SA. So, how to do this?
Internal IPs are actually assigned per IKE_SA, not per CHILD_SA. You
could theoretically set up multiple internal
Hi,
How can I add new connections dynamically with Strongswan?
The IKEv2 daemon provides a very flexible plugin system. The clean
approach would be to implement a plugin receiving the required
information from your application.
The nm plugin implements very similar functionality: It receives
fixes the problem (at least for v4)
It seems that the kernel does not support SCTP over IPv6 with IPsec at
all, SCTP packets just bypass the IPsec policy :-/.
So just forget the IPv6 part of the patch.
Regards
Martin
, the proposed solution might be
wrong, or at least incomplete. I'll post the patch on the SCTP list,
maybe we get some feedback.
Regards
Martin
From 3eb3e3e140f0a16a8cdf90a87edf98e348e92219 Mon Sep 17 00:00:00 2001
From: Martin Willi mar...@strongswan.org
Date: Fri, 7 Aug 2009 17:33:35 +0200
Subject
Hi Stephen,
It doesn't appear that strongSwan supports configuration of byte limits to
control rekeying of CHILD_SAs. Is this correct?
Yes, volume based rekeying is currently not implemented. However, I've
got a patch to merge providing this functionality.
I'll incorporate these changes
Hi Roger,
initiating IKE_SA host-host[1] to 135.252.130.87
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 135.252.131.87[500] to 135.252.130.87[500]
received packet: from 135.252.130.87[500] to 135.252.131.87[500]
parsed IKE_SA_INIT response 0 [
Hi,
I can not find the daemon.log on moon side.
charon by default logs to the DAEMON syslog facility. But it depends on
your syslogger configuration which file syslogger logs to.
The moon side is Fedora Core 9 Linux.
Our (rather old) Fedora box uses /var/log/daemon.
Regards
Martin
Hi Roger,
they are all using a secret in ipsec.secrets instead of running UMTS
algorithm.
Our EAP-AKA plugin implements the UMTS algorithm from 3GPP2 (S.S0055) in
software. What you configure in ipsec.secrets is actually the secret key
usually contained in a USIM.
I want to know if there is
Hi,
When a CHILD_SA is rekeyed, there is a time when SAD will have two SA
entries corresponding to the CHILD_SA that is rekeyed.
Yes, you'll have two overlapping CHILD_SAs during rekeying.
how do we know which SA Entry is to be used out of the 2 Entries.
The kernel usually uses the newer SA
Hi,
1) upgrade to kernel 2.6.29 and apply patch [1] from above, to the linux
kernel.
No, 2.6.29 already contains the patch.
2) stick with kernel 2.6.28 and apply the disable-iaf-tunnels patch to
charon (this patch will break v6/v4 mixed operation)
Yes, then no kernel patch is required.
Hi,
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Your peer does not like the proposal you offer. Have you included the
belt cipher in your peer's proposal, too?
Regards
Martin
Hi,
If I want to add an abstraction layer between the EAP-AKA protocol and
corresponding parameter calculation, how can I do? And what should be
noticed?
It's probably a good idea to use a similar abstraction as the EAP-SIM
plugin. One could extend the existing SIM manager [1], or use the
Hi,
these two messages are NOT supported by strongSwan
Yes, our AKA implementation is not complete. It does not support
Identity exchange, pseudonyms or Re-Authentication.
AKA-Identity
There was no need for AKA-Identity so far, as most setups use a
separate EAP-Identity exchange or directly
Hi,
I found RAND was read from triplet.dat rather than received from
Server.
On the client, RAND is received from the server. But the client uses the
RAND value to look up SRES and KC. The triplet.dat file contains
RAND/SRES/KC triplets, on the client the RAND value is the key to look
up SRES
Hi Graham,
to lighten the load on the AAA infrastructure behind the Security
Gateway.
Yes, I agree. Even if we do not support Re-auth, supporting a minimal
Identity exchange as we do in EAP-SIM would really help.
I can let you have the AKA-Identity support as a patch if you want.
A tested
Hi,
We are in a very critical state of our project. Please find time to
respond to the issue below.
Yes, the software we provide is free, but SLAs are not. We are giving
our best to provide support free of charge, and we have indeed spent
several hours to help you on your issues. But paying
Hi,
1) If the used virtual memory is exceeded, the following error will occur,
is that right?
Resource temporarily unavailable-93: received netlink error
I have never seen such a Resource temporarily unavailable error from
netlink, and 93 is actually EPROTONOSUPPORT. You are probably missing
Hi,
In the current implementation of EAP-SIM and EAP-AKA authentication,
the payload of IDENTITY REQ was not handled or handled with only
attribute ID.
For EAP-SIM, we just reply identity requests with the configured
identity. The same semantics have been implemented for EAP-AKA just last
Hi Peter,
ipsec tunnels built from inside should have [...]
ipsec tunnels built from outside (Internet) should have [...]
Is there a way to extend/modify the config to get this behaviour?
You can define two different configurations, one for internal, one for
external connections. The tricky
Hi again,
The way to go is probably gateway address matching
Forgot to mention, our UML scenario [1] uses such a configuration to
select different source addresses, but defining different leftsubnets
works the same way.
Regards
Martin
Hi,
Shouldn't strongswan use mysql_config during configure to begin with?
Yes, sounds reasonable. I have updated [1] the build system to use
mysql_config.
Regards
Martin
[1]http://wiki.strongswan.org/repositories/revision/1/84074347
Hi,
1) Has the latest version that added the identity payload handling code for
EAP-AKA been released?
This feature will be included in 4.3.5, planned for November.
2) In latest version of strongswan, Identity is default-set? or is
configured in ipsec.conf or other configuration file?
The IKE
Hi,
I'm not sure whether our MOBIKE implementation supports this
but Martin will know.
Yes, we support the detection of changes in the NAT situation, either
using the MOBIKE enabled DPD, or with a recent kernel (2.6.29?) by
detecting changes in the UDP encapsulation of ESP packets.
Regards
Hi Barry,
Most of the time my connections restart fine, but sometimes charon
decides it doesn't want to send out IKE_SA_INIT requests any more
after a dpd timeout.
11[IKE] giving up after 5 retransmits
This is indeed a bug. keyingtries=%forever should never give up. This
hardcoded limit of
Hi,
I will encounter this problem only on board.
What processor is your board using?
While I have fixed the daemon core code, the EAP-AKA/SIM plugins still
use some unaligned (half-)word reads to parse payloads. It is on my TODO
list to fix this, some processors can't handle unaligned reads.
Hi,
And my question is: if I need to initiate unilateral Authentication,
How can I support that?
only change the configure
We currently do not support this configuration-wise, as it clearly
violates what the IKEv2 standard says.
There is a draft discussing an extension to skip public
Hi,
If I did not select the --enable-NAT-Transport when I compile the
strongswan, If NAT-T feature can be shutdown by this above method?
This option is for IKEv1 and affects transport mode connections only.
If strongSwan enables this NAT-T feature by default, and then the
following message
Hi,
Scanning through the mailing list I can see that the recommended minimum
number of threads is 8-10 depending on the plugins used.
Is there a way to determine the absolute minimum number of threads for a
given plugin configuration?
This additionally depends on how you'll use the
Hi,
What is the difference between the two plugins eap-aka and eap-aka-3gpp2?
The eap-aka plugin provides the protocol layer of the EAP-AKA
functionality, but no quintuplet calculation. It uses other plugins
implementing the sim_card_t/sim_provider_t interface to actually
calculate the
Hi,
Gateway address: 192.168.0.1
Gateway certificate: cacert.pem
There is no option to configure the gateway identity on the client, as
it should be as simple as possible to set up a connection. But for
authentication with CA certificate, the client MUST enforce a specified
gateway identity;
Hi,
OP is a 128 bit operator variant algorithm configuration field and opc
is a 128 bit key derived from OP and K known only to the HSS and the
ISIM/USIM application on the UICC
Are you talking about an EAP-AKA algorithm to calculate quintuplets?
what is the purpose of these two fields?
Hi,
Introduce another route table (e.g. 219), which has priority over the
table 220, and has the route for the local network. To setup that you
need to look at the ip rule commands.
I agree, this is probably the best solution. This routing policy
database is very powerful, just man ip for
Hi Graham,
[ Strongswan is also using the list of allowed subnets to set up ip xfrm
policies. I'm not sure if I want these or understand them, but I'll leave
them be until I learn more about xfrm. ]
Based on the older IPsec standards (RFC2401), the Linux kernel does not
support (multiple)
Hi Vivek,
1. Can you tell me the requirement of this while loop as from what I
understand the stroke plugin of charon is not sending anything back to
the src/stroke/stroke.c so why it is waiting on the read call?
Yes it does. Charon sends status and log information down to this Unix
socket,
Hi,
I am assuming it is a mis-configuration or bug.
Maybe both. It seems that your client requests a DNS server, but your
server returns an empty or a 0.0.0.0 address.
The IPsec gateway is a:
Linux strongSwan U4.2.11/K2.6.28-11-generic
Some time passed since 4.2.11, probably we handle it
It should either print out 0.0.0.0 or nothing at all. I am not sure
which is more appropriate.
0.0.0.0 is almost as invalid as %any, installing it does not make sense.
I pushed a patch that does not install such servers.
Regards
Martin
Hi,
Does anyone have reference numbers about StrongSwan scalability? How many
clients can be supported (in which configuration)?
We have no hard limit, so this highly depends on CPU and available
memory.
For the IKEv2 daemon, we tested with 20'000 road warrior connections,
each
Hi Johannes,
Thanks for your patch.
+PKG_CHECK_EXISTS([libnm-glib],
+ [ PKG_CHECK_MODULES(nm, [NetworkManager libnm-glib-vpn gthread-2.0])
],
+ [ PKG_CHECK_MODULES(nm, [NetworkManager libnm-glib-vpn gthread-2.0])
])
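Review bot: both branches of the PKG_CHECK_EXISTS([libnm-glib], ...) call are identical, each running PKG_CHECK_MODULES(nm, [NetworkManager libnm-glib-vpn gthread-2.0]), so the existence check has no effect and the fallback branch never selects a different package name. The second branch should name the alternative pkg-config module the check is meant to fall back to; as posted, a system lacking libnm-glib still fails with the same module list.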
I assume this should be _ in the second case. I've
Hi,
#0 0xb758cf00 in raise () from /lib/libc.so.6
#1 0xb758e43c in abort () from /lib/libc.so.6
#2 0xb75c57b5 in ?? () from /lib/libc.so.6
#3 0xbfa11e58 in ?? ()
#4 0xb76d2f7c in ?? () from /lib/libpthread.so.0
#5 0x003b in ?? ()
#6 0xb7677381 in ?? () from /lib/libc.so.6
#7
Hi Frank,
It probably does not hang, but just blocks to read in random data
from /dev/random.
Private key generation needs good random data, and most plugins rely
on /dev/random. Try to fill your pool with more entropy by moving your
mouse or surf the web while generating a key. It may take a
Hi Daniel,
Could you please comment on this. How can I pass FQDNs to charon?
This is indeed currently not possible via starter. It works fine with
other plugins (such as the network-manager plugin). But it would require
some tweaks to explicitly not resolve hosts for connections passed to
Hi,
plutostart=no
keyexchange=ikev2
I'm not aware of any Cisco VPN client that speaks IKEv2. You'll have to
set up pluto and define an IKEv1 connection.
Regards
Martin
Hi,
What is needed (cpu) to get 10Mbps
Not tested, but maybe a Pentium class processor?
100Mbps,
Pentium 3/4?
1Gbps,
A recent multi-core processor should be capable of doing 1Gbps, but
requires parallel crypto patches, see [1].
10Gbps
Not without hardware acceleration. Maybe the
Hi,
After the ESP communication there are TCP / HTTP packets flowing between
them.
Wireshark/tcpdump shows incoming packets twice, once encrypted and once
decrypted. This is the normal behavior on Linux kernels.
2) Do i have any specific conditions to check in TCP / http packets to get
Hi Michael,
Is an example code available that I can use as base?
You might have a look at its counterpart, the Manager [1] sources [2], a
FastCGI application.
We haven't done anything with SMP for a while, so I'm not sure if
everything still works...
Regards
Martin
Hi,
conn to-WORLD-unless-HOST1and2
There is no way to exclude specific hosts from a TS. But if you have
multiple tunnels, more specific ones match with a higher priority.
rightsubnet=0.0.0.0/0
includes all traffic. If another tunnel is up to a specific IP, that
policy should have a
By which way the priority of a policy can be specified into 'ipsec.conf' file?
There is currently no way of specifying priorities manually in
ipsec.conf. But smaller subnets are always installed with a higher
priority.
[...] should be replaced by rightsubnet=0.0.0.0/0?
Yes,
strongSwan specific feature or it is specified by a RFC?
It is strongSwan specific, other implementations might do this
differently. You'll have to check this with your other implementation,
maybe there are ways to do this manually.
Regards
Martin
Hi,
Just want to push some custom route tables to the
VPN clients, is it possible to do this?
You can't push arbitrary routes to the client.
Instead, you can use leftsubnet/rightsubnet options to define which
traffic to include in the tunnel. In IKEv2, the server can narrow down
the
Hi,
Similarly I wish to apply to SCTP packets a cipher suite
that supersedes the cipher suite to be applied to all other
packets from the same IP@ (i.e. 10.5.0.1). Can this be done
by strongSwan with the example below?
Yes. But SCTP traffic to 10.6.0.2 will use the to-HOST connection in
your
Hi,
Which is the upper limit for number of subnets supported for one
connection?
There is no hard limit, maybe you'll encounter some scaling issues.
In our application we need to specify up to 16 subnets. Is
this possible for a single CHILD_SA?
Did a quick test, seems to be no problem
Hi,
Does IKEv2 protocol allow only one out and one in CHILD_SA in this case?
A CHILD_SA is not specific for in/out, but always includes a
bidirectional data flow (two ESP SAs, actually). So you'll have only a
single CHILD_SA covering leftsubnet/32 and all 16 rightsubnets.
How many CHILD_SA
Hi Stephen,
Why would multiple policies specifying different traffic selectors result in
only a single SA pair?
In IKEv2, a single CHILD_SA results in two ESP kernel SAs (called states
in Linux), one inbound, one outbound. The SA defines the transformation
applied, encryption keys,
Hi Christophe,
If an IKEv2 negotiation fails due to a timeout (typically during the
IKE_AUTH exchange) after a successful IKE_SA_INIT exchange [...]
The SA will remain in a zombie state, even a later acquire message will
not enable to leave this lock up situation.
I agree, this is a case
Hi Mugur,
Implementers should take note of this fact and set a limit on CREATE_CHILD_SA
exchanges
between exponentiations...
While we always use a Diffie-Hellman exchange for IKE_SA rekeying,
CHILD_SA rekeying by default does not use a DH exchange. You can change
this behavior by including a
Hi,
I am getting compilation error while compiling x509.c file.
Whack_log(RC_COMMENT, subject: \%Y\,...)
Please provide the complete compiler error.
The compiler is not able to identify %Y
The compiler does not have to, %Y is part of the format string. The
printf hook will handle this
Hi,
Any idea what's happening , beside the file missing ?
This means that you have configured plugins that are not available on
your system. Either the compiled in default list contains not installed
plugins, or you have configured plugins in strongswan.conf that are not
available.
Hi,
As we plan to implement source routing on our product, we would like to
know if charon daemon is filling the source IP address of egress IKE
packets with the local outer IP address (left parameter of the
ipsec.conf file) and if the egress IKE IP packets go through linux
routing stack.
Hi,
This means that we can access each other directly without IPsec while
charon is setting up the tunnel. And when I set auto=route - charon
works ok and filters unsecured packets back and forth.
Yes, this is the intended behavior. auto=start does not install policies
until the tunnel has
Hi Anil,
While trying to run Pluto on my platform, create_rng function is
failing.
RNGs are provided through plugins, by default via the random plugin.
The plugin reads random data from /dev/random and /dev/urandom.
Double check that the plugin is loaded properly and these files are
available
Hi,
conn test
authby=xauthrsasig
forceencaps=yes
keyexchange=ikev1
keyingtries=1
type=tunnel
xauth=client
right=CheckPoint VPN Firewall IP Address
leftsourceip=%modeconfig
ipsec up test
021 no connection named test
You
However when I try to load random, I get errors stating undefined symbol:
lib.
Seems that the plugin can not find symbols in the libstrongswan library.
On what platform/architecture are you seeing this error? Using any
non-standard tools/libraries?
Regards
Martin
Hi Stephen,
Reinitiating the IKE_SA from
scratch is also not possible on asymmetric connections.
Can you elaborate on this point? What is an asymmetric connection? And why
is reinitiating an IKE_SA not possible in this case?
Under asymmetric I meant an IKE_SA that can be initiated by
Hi,
git clone http://git.strongswan.org/strongswan.git
fatal: http://git.strongswan.org/strongswan.git/info/refs not found:
Due to the migration of the strongSwan infrastructure to a new server,
the git repository is currently accessible through the git protocol
only.
git clone
Hi,
The problem: I want to route all my internet traffic through the server and
the local traffic should stay on the local net.
To tunnel all internet traffic, you'll need a 0.0.0.0/0 rightsubnet.
This however, includes your local network in the tunnel too.
To explicitly bypass the local
Hi,
the problem here is, as I know, I cannot configure two peers with the
same leftsubnet...
You can't install two identical policies. One could, in theory, install
a single policy set with two sets of SAs. In the failover case, the
policies are migrated to the other set of SAs.
However, this
Hi,
I for one don't have IP: policy routing enabled (didn't know
it was required) and strongswan still works just fine.
It's not required, but highly recommended. IKEv2 uses a separate routing
table for own routes installed along with tunnels. This allows it to
ignore these routes for IKE
Hi,
AH = sha1
We currently do not support AH in IKEv2.
ESP = 3des, aes-cbc-128
Use a comma separated list of proposals in the esp parameter:
esp=aes128-sha1,aes256-aesxcbc,aes128gcm12,3des-md5
By default, the IKEv2 daemon appends a default catch all proposal
including all supported
ESP = 3des, aes-cbc-128
esp=aes128-sha1,aes256-aesxcbc,aes128gcm12,3des-md5
Forgot to mention, you may even add multiple algorithms of the same
class to a single proposal:
esp=aes128-aes192-aes256-sha1,3des-md5-sha1!
Best regards
Martin
Hi,
Does strongSwan make any checks on received identification payload IDr
from the IKE_AUTH exchange for a remote system that is authenticated
with certificates?
The received identity is used to:
- Look up a configuration: If it does not find a connection matching the
given identity
Hi,
If I am not mistaken, IPComp is applied only if compression is
meaningful. So will it not work for small packets? I am seeing ping go
through only for packet size = 288 bytes
Yes, the kernel does not compress small packets, as it probably would
not save any bytes on the wire. Smaller