Lars,
> esp=3des-sha1,3des-sha1-modp1024
If you have both non-PFS (3des-sha1) and PFS (3des-sha1-modp1024)
proposals included, strongSwan includes a KE payload for the DH
exchange. The responder is free to ignore the KE payload if it picks the
non-PFS proposal, but it seems that this does not wor
Hi Karl,
> How can I temporarily disable the user, without revoking the
> certificate, can I do that?
>
> Do I revoke it, and to re-enable by removing it from the CRL? Is there
> an easier way?
Setting the certificate on-hold is certainly an option, using a CRL or
even better an OCSP servic
Hi Richard,
> IP traffic --> Ethernet --> IP stack --> StrongSwan --> serial connection to
> second machine --> IP Stack --> Ethernet
>
> Essentially I'm trying to ensure that the decrypted traffic doesn't go
> back down the IP stack to the serial device as we need to assure that
> the decrypted
Hi Erich,
> In our build environment we are using a makefile which is calling the
> original XSwan makefile passing all our relevant parameters.
When using strongSwan you should definitely use the provided ./configure
script to modify any build settings.
> The way I understand StrongSwan it is ba
Hi Lars,
> I am able to establish a SA from right to left (using ICMP ping from the
> server).
>
> When the left side initiates the IKE negotiation, the server never
> responds to the IKE_SA_INIT message. The event log says:
> An IPsec main mode negotiation failed.
> Additional Information:
> K
> Am using load tester plugin. I need to check the end entity certificate
> contents (on demand certificate). So need the on demand certificate in .pem
> format.
You may try to use "ipsec listcerts" to list any certs in the cache,
then use "ipsec stroke exportx509 " to print a certificate for a
D
Hi,
> 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 10[IKE] no IKE config found for 37.247.54.124...38.109.218.26, sending
> NO_PROPOSAL_CHOSEN
> 10[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
> left=%defaultroute
> right=37.247.54.124
Can you c
Hi Marc,
> I'm using a quite symmetric configuration where both gateways with
> strongSwan 5.1.1 have the auto=start in configuration in order to force
> tunnel being up asap.
Having auto=start on both ends is not unproblematic, as it can result in
collisions for IKE and CHILD_SAs.
If you really
Hi,
> What I want is to use 2 factor authentication - clients without a
> valid certificate should not be able to authenticate even if they know the
> password, and clients with a valid certificate should be prompted for a
> password when trying to connect.
With IKEv2, you then need multiple auth
Hi Sajal,
> Query: Why is strongswan stack dependent on a successful response from peer
> device to do the clean-up of an Expired SA. Shouldn't it clean-up the SAD
> entry on its own, At least after n number of successful attempts? Not sure
> what that "n" would be?
That issue with invalid respon
Hi,
> Can anyone please help me to understand what this error message indicates?
>
> 13[ENC] parsed INFORMATIONAL_V1 request 801051881 [ N(CRIT) ]
> 13[ENC] ignoring unprotected INFORMATIONAL from XX.XX.XX.XX
Your peer sends an unprotected INFORMATIONAL message, which gets
discarded by charon.
Hi Mugur,
> Our application using StrongSwan requires up to 20 trust anchors in the
> CERTREQ payload. Can you please specify which are theoretical/practical
> limitations for this number? Does StrongSwan loop over the list of
> trust anchors up to the first match (if any) and then stops?
When re
Hi Björn,
> Jan 29 15:27:21 : 11[NET] received packet: from xxx[500] to xxx[500] (76
> bytes)
> Jan 29 15:27:21 : 11[ENC] parsed INFORMATIONAL_V1 request 754058000 [
> HASH D ]
> Jan 29 15:27:21 : 11[IKE] received DELETE for ESP CHILD_SA with SPI
> b45041ad
For some reason your pee
> What are the modifications should I need to do so as to use
> APIs (supplied by Octeon Core Crypto Library) instead of OpenSSL's APIs?
If this crypto library works independent of OpenSSL, you should write
your own libstrongswan crypto plugin providing DH functionality using
these functions.
To
Hi,
> strongSwan complains that configured DH group ECP_224 not supported.
> The #openssl ciphers -v 'ECDH' gives the below output, which
> implies that, openssl has been compiled with ECDH support.
Just switching OpenSSL's libcrypto is not sufficient. You'll have to
build the strongSwan openss
> Something I just realized: it's passing "sha1" to the kernel, not
> "hmac(sha1)", like I saw in previous logs that have been posted:
This is fine. "sha1" is the compatibility name used by older kernels for
"hmac(sha1)". See net/xfrm/xfrm_algo.c.
> I'm going to recompile the missing modules, a
> Jan 17 06:57:21 localhost charon: 02[LIB] sending http request to
> 'http://10.206.1.11:8880'...
> Jan 17 06:57:31 localhost charon: 02[LIB] libcurl http request failed:
> couldn't connect to host
Does that host have access to 10.206.1.11 without the IPsec tunnel?
Please be aware that you
Hi,
> Similarly checked the SSL ciphers supported via OpenSSL> ciphers
> command but did not find the elliptic curve Diffie-Hellman group. I am
> using the Fedora Linux (2.6.33.3-85.fc13.i686) and the version of
> OpenSSL is 1.0.0d-fips 8 Feb 2011 .
Most likely your Fedora OpenSSL comes without E
Hi Stefan,
> ● Instantaneous large-scale any-to-any IP connectivity using a group
> IPsec security paradigm - seems to be RFC6407 GDOI
I think GDOI is particularly interesting for securing multicast traffic.
While it might be usable for plain any-to-any connections, you probably
can achieve the s
Hi Marcelo,
> I have a setup with two iPhones behind a NAT router connecting to a
> strongswan server.
I assume you are using the native "Cisco IPsec" client using IKEv1?
strongSwan version?
> It seems like one connection works, and the second one doesn't.
What does "doesn't work" mean? Can you
Hi Aaron,
> I'm trying to setup StrongSwan (4.5.2) on a fairly old kernel (2.6.31)
> Jan 16 18:21:32 15[KNL] adding SAD entry with SPI c02c6c28 and reqid {2}
> Jan 16 18:21:32 15[KNL] using encryption algorithm AES_CBC with key size 128
> Jan 16 18:21:32 15[KNL] using integrity algorithm HMAC
Hi Sriram,
> When I tested this, I saw peers exchanging AuthorityInfoAccess as part of
> certificate data extensions. But I didn't see any exchanges happening between
> ocsp server and peer to confirm the validity of certificates.
For OCSP support, you need both the revocation plugin and one of the
fe
> how can I use split tunnel so only traffic destined for 192.168.10.0/24
> go through ipsec tunnel.
http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
Regards
Martin
___
Users mailing list
Users@lists.strongswan.org
http
Hi,
> I want to enhance IPsec stack performance, I'm evaluating few NIC/PCI
> IPsec hardware acceleration cards.
>
> Please suggest plugin card compatible with strongSwan.
strongSwan usually does not process raw ESP packets, that's handled in
the kernel. So to increase IPsec throughput, you'l
Hi,
> This worked like a charm for a single user, but when I tried to connect a
> second user, the first user gets disconnected.
Have a look at the uniqueids option in the "config setup" section of
ipsec.conf. It defaults to yes, meaning only one connection is allowed
with the same peer identity. For
> There is even a %reqid option for marks, [...]
Oops, this seems not to be true; that keyword does not exist. But you may
use the magic mark value 0x to achieve the same.
Regards
Martin
> Netfilter marks would help me to select connection/SA, but would not
> let me do overlapping traffic selectors?
If you have a distinct mark on a connection, traffic selectors can
overlap. The kernel accepts identical policies if the mark differs.
> conn A
> left=me
> right=peer1
> leftsubne
Kimmo,
> I have not tried libipsec after September but I'm still interested in
> the feature. What kind of plans do you have for libipsec, what kinds
> of features there will be in the future?
I've implemented usage statistics, volume based rekeying and some other
minor tweaks for 5.1.1. There a
Hi Sam,
> The tcp dump logs from my Android device show that the IKE_AUTH
> messages are being sent from the Android device.
Does that IKE_AUTH get fragmented? Any IP fragment restrictions on that
path?
Regards
Martin
Hi,
> 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> 07[NET] sending packet: from 192.168.1.18[500] to 98.26.22x.xx[500]
> 03[NET] received packet: from 98.26.22x.xx[4500] to 192.168.1.18[4500]
> 03[ENC] not enough input to parse rule 1
Hi Kimmo,
> I have built strongswan rpm's with mock in Centos 6.5
> (2.6.32-431.el6.x86_64).
> Building 5.1.0 works okay, but 5.1.1 or 5.1.2dr2 does not.
> from networking/tun_device.c:51:
> /usr/include/linux/if_ether.h:125: error: expected
> specifier-qualifier-list before '
Hi,
> The configuration is quite classical: net-to-net ( 192.168.3.0/24 ===
> 192.168.4.0/24 )
> msc-hmnet{5}: INSTALLED, TUNNEL, ESP SPIs: c5329687_i c0101bc4_o, IPCOMP
> CPIs: dcf5_i ab46_o
> But out of the 2 tunnels only 1 is reachable. The other one doesn't ping.
> [root@academ strongsw
Hi,
> the Authentication module reads the AKA credentials from
> /etc/ipsec.secrets file. However with this configuration, the EAP
> authentication fails with following log message at the client side: "
> tried 0 SIM cards
Have you enabled and loaded the eap-aka-3gpp2 module? This module is
requi
Hi,
> esp=aes256gcm16-sha1!
This hardly makes sense. You can specify an integrity algorithm if you
have both AEAD and traditional ciphers. The peer then may select either
the AEAD or the traditional encryption+integrity algorithms.
> Does it removes the -sha1 part
Any integrity algorithm spec
Hi,
> The Diffe Hellman exchange consists of CPU-intensive operations like
> key-pair generation and shared-secret generation. Does strongswan
> (5.0.4) have any options to cache and reuse the diffie-hellman keys for
> enhanced IKE setup rate?
What an implementation can do is to reuse Diffie-Hel
Hi,
> but to hook into our own custom accounting system we need each user
> attached to a separate local interface (E.g. tun0...tun100).
The Linux kernel does not use any tun devices, but handles IPsec
transparently in its IP stack. You may use our userland IPsec backend
which uses tun devices, h
Hi Steffen,
> # ip xfrm state flush
>
> the connection got down immediately (of course). While I have
> strongswan configured to use DPD I expected it to renegotiate
> automatically, but it didn't.
I think this test is somewhat constructed. Unless the admin explicitly
deletes kernel state, this
Hi,
> It doesn't matter which HA/LoadBalancing you will choose, it can be
> LVS, Pacemaker or even haproxy before strong swan nodes. The point is
> how to keep the sessions. You will need to setup virtual IP on your
> strong swan, there is a Cluster IP.
To clarify, our HA solution works on top of
> Thank you, but even after adding the enable switch I still get exactly the
> same results.
Any related errors in the startup log?
Regards
Martin
Hi,
> dae {
> listen = 0.0.0.0 # listen address, default to all
> port = 3799 # port to listen for requests,
> default
> secret = secret
> }
The DAE extension requires an "enable" s
Hi,
> How can I create more than one child SA in the same IKE SA?
ipsec.conf connections get merged to the same configuration if they have
common properties for an IKE_SA (peer addresses, identities etc.).
You can, for example, define IKE_SA specific options in the %default
section, and then provide CH
Hi,
> but when I add the ah keyword, which is available since 5.1.1, as ah=md5,
Please be aware that we support plain AH only, no ESP+AH SA bundles
where AH integrity-protects ESP-encrypted packets.
> 16[CFG] selected proposal: AH:HMAC_MD5_96/NO_EXT_SEQ
> 03[ENC] parsed INFORMATIONAL_V1 request 10833098
Hi,
> cat /proc/sys/net/ipv6/conf/eth1/forwarding
And this is true for all involved interfaces?
> > Do LAN hosts know they have to forward rightsourceip addresses over
> > the gateway? (the farp plugin works for IPv4 only)
>
> Unsure how to address this. I see my client doing ARP requests, but
Hi,
> Is it possible to run multiple instances of the Charon daemon on all the
> cores of a system? If yes, will it have any performance benefits?
If you run your OS on all cores, no. You may not run more than one
charon daemon per OS instance.
Even if you'd manage to get multiple charon processes
Hi,
> most of the threads are blocked forever in pthread_cond_timedwait ().
> Here goes the stack trace.
> #0 0x0055630e4eb4 in pthread_cond_wait () from /lib64/libpthread.so.0
> #1 0x005563141d44 in process_jobs (worker=0x126013900) at
> processing/processor.c:278
I don't see any pth
Adrian,
> I can ping my GW private side via IPV6, but no packets are seen trying
> to leave any interface when I ping another system on the internal
> network.
> leftsubnet=fc00::/16
> rightsourceip=fc00::2:1/112
Sounds like a routing/forwarding issue.
* Have you enabled IPv6
Hi,
> 03[ENC] generating QUICK_MODE request 1871762211 [ HASH SA No ID ID ]
> 03[NET] sending packet: from 10.201.50.70[4500] to W.X.Y.Z[4500] (172 bytes)
> 14[NET] received packet: from W.X.Y.Z[4500] to 10.201.50.70[4500] (76 bytes)
> 14[IKE] queueing TRANSACTION request as tasks still active
T
> 1) If I create a host-to-net vpn (iOS to Debian) can I make the client
> (iOS) NOT send all the traffic through the VPN? I'd like only the
> communication with certain hosts to be over VPN
To use Split Tunneling with the native iOS IKEv1 client, you'll need the
unity extension. This extension a
Hi,
> 12[CFG] looking for RSA signature peer configs matching
> 10.195.82.145...199.188.195.215[C=CH, O=strongSwan, CN=client]
> 12[IKE] no peer config found
Your client requests plain RSA authentication only.
> rightauth=rsa
> rightauth2=xauth-noauth
Your configuration uses
Hi,
> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
ASA sends NO_PROPOSAL_CHOSEN, which usually indicates that no matching
crypto proposal was received.
> IKEv2-PROTO-1: (1027): Failed to find a matching policy
I don't know what the ASA exactly means with "policy", but you may try
to ch
Hi Adrian,
> Doesn't allow more than 115 subnets.
> leftsubnet=172.16.1.0/24,172.16.2.0/24,172.16.3.0/24,172.16.4.0/24,[...]
I think this limitation is fine:
* All these subnet definitions add traffic selectors, letting your
TSi/TSr payloads grow. This creates huge packets, which
> So if I don't see a RADIUS auth attempt when I add "rightgroups" then
> how could it ever determine the group to know if it would match.
It won't, and the connection just does not match if that group
membership is not determined.
However, rightgroups is a generic concept, not directly related
Hi,
> 1] I don't see a failed auth in the RADIUS logs in the latter case. But I
> do (say) when I provide an incorrect xauth password. This suggests to me
> that it isn't even going to RADIUS when I added the
> "rightgroups" constraint. Is there anything wrong with my config?
I don't have any lo
Hi,
> Does strongSwan process IPv6 packets on UDP port 4500?
Yes, we process IPv6 IKE packets received on port 4500.
Support for UDP encapsulated ESP (for NAT) however depends on the
support of your kernel.
Regards
Martin
Hi,
> Can we configure Private CP attributes using "attr" plugin into StrongSwan?
> attr {
> 16385 = xx
> }
Yes, this is supported, see [1]. The value must either contain single
IPs or CIDR subnets to do any conversion. Otherwise the comma separated
attributes get
Hi Björn,
> initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP
> esp=aes128-sha1,aes128-md5,aes256-md5,aes256-sha1,3des-sha1,3des-md5
Your old GW seems to use PFS, but in your 5.1.1 installation you don't
include any DH groups in the esp proposal. To enable PFS in 5.1.1,
you'll have to add a DH gro
Hi,
> Is it possible to send out traffic selectors values TSi,TSr to other
> process (Authorization process) for TS narrow down.
A listener_t interface registered to the charon bus has a narrow() hook,
see [1]. This hook can be used to modify traffic selectors during the
setup of a CHILD_SA.
Hi Raoul,
> 1] is the EAP Radius setup compatible with IOS clients (ikev1). I have
> read that EAP is a ikev1 concept so my assumption was that it may not work.
> Can you please clarify?
EAP is an IKEv2 concept and is not supported in IKEv1. However, IKEv1
has the XAuth extension, and the eap-ra
Hi,
> --enable-lock-profiler [...] is getting crashed.
> #4 0x00556262af3c in backtrace () from /lib64/libc.so.6
> #5 0x005562189838 in backtrace_create (skip=2) at utils/backtrace.c:531
> #6 0x0055621817e0 in profiler_init (type=)
> at threading/lock_profiler.h:76
> #7 mutex_
Fred,
> I'll prepare a new release of the App that allows identity matching
> against certificate subjectAltNames (instead of the strict IDr
> matching).
I've pushed a new release [1] that should accept other identities as
long as the FQDN is in the certificate as subjectAltName. Please let me
kn
Hi Adrian,
> Fails
> rightid=*@srpvpn.net
Do you have a little more information what exactly fails? Loading the
config? Negotiating the tunnel? Do you have any logs?
Regards
Martin
Hi Fred,
> I am trying to get the mac osx native application to connect to it
> (tested 5.1.0-4 and 5.1.1-1) using strongswan installed via homebrew.
I assume you are referring to our new OS X App with the GUI? There is no
external dependency; no homebrew packages required for it.
> 13[IKE] aut
> I've added charon.routing_table=0 to strongswan.conf
> 00[KNL] unable to create IPv4 routing table rule
The option is not in effect; otherwise that error wouldn't show up. Make
sure you edit the strongswan.conf that charon reads, and you use the
correct syntax (you can't write charon.routing_table
Hi Luka,
> Oct 30 07:34:39 00[KNL] received netlink error: Operation not supported (95)
> Oct 30 07:34:39 00[KNL] unable to create IPv4 routing table rule
> Oct 30 07:34:39 00[KNL] received netlink error: Operation not supported (95)
> Oct 30 07:34:39 00[KNL] unable to create IPv6 routing table ru
> Selecting test-oti.dom.ch failed due to strongswan always using peer
> 'dev' (the first one) and the eap_identity mismatching. Looks like
> the peer config is selected before the eap-tls comes into play. Am I
> missing something here?
Yes, the peer config is selected before EAP-TLS starts, as
Hi Tobias,
> I am working on a research project where we compare the performance of a VPN
> connection with IPsec in kernel space to IPsec in user space.
Just FYI: Such a comparison with kernel-libipsec is probably not that
meaningful; our libipsec backend is relatively new and didn't yet get
any
Axel,
> > Could you post a more complete log (all levels 1) to see where these
> > initiates come from?
>
> You mean:
Besides that your mailer messed up the log and made it hard to read, the
provided log does not show the same behavior as the previous one.
I just see three initiations; two tunne
Hi,
> With this, when I run tcpdump on both tun0 and wlan0, I see all the ESP
> packets going through Wlan0 and not tun0.
I'd say that's the idea; plain packets go over the virtual adapter,
encrypted ones over your physical connection.
> What am I missing here? Why is the route added as 0.0.0.0/1
> Error 13801 ike authentication credentials are unacceptable...
> 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> 07[NET] sending packet: from 456.456.456.456[4500] to
Most likely the Windows client does not accept the server certificate.
Make sure that you have:
*
Hi,
> gmpn_addmul_1 function in libgmp.so.3.4.1 consumes most of the CPU
> cycles on both the Linux systems
Yes, this was to be expected; DH computation is the most expensive task.
> Do I need to use the Libgcrypt instead of GMP library?
Probably that won't help, GMP is likely the fastest DH backe
Hi Hans,
> I added multiple certificates OU= to the cert store, hoping
> that Windows would ask me which one to use, with no luck.
I assume you are using Machine Certificates to authenticate the clients?
I'm not aware of a way to enforce a specific certificate in IKE
authentication.
What you mig
Hi Kris,
> > Hi, I saw log 'installing 8.8.8.8 as DNS server...', but in my 10.9
> > system, the DNS still the old ones, is this a known issue?
charon currently appends the new DNS servers to the existing ones, so
the system can try both. This might make sense as fallback on some
setups, but I'l
> "XAuth-EAP method backend not supported: radius"
> listplugins shows that I have the required plugins enabled:
Probably something is wrong with your eap-radius configuration. Do you
see the following log entry during startup?
> loaded 1 RADIUS server configuration
If not, please check that y
Hi Axel,
> In charon log (ike=2) this looks like this:
> Oct 22 23:11:54 06[IKE] initiating Main Mode IKE_SA dorn[35] to ccc.ddd.70.155
> Oct 22 23:11:54 08[IKE] initiating Main Mode IKE_SA dorn[45] to ccc.ddd.70.155
> Oct 22 23:11:54 13[IKE] initiating Main Mode IKE_SA dorn[37] to ccc.ddd.70.155
Hello Björn,
> As you can see I tried to do that with EAP, but didn't get it to work.
"didn't work" is not a failure description that allows us to help.
I'd try to start with a simple setup terminating EAP-MSCHAPv2 at the
Gateway, no RADIUS involved.
> strongswan-5.1.0 # ./configure --enable-p
Hi,
> I want to route all the traffic originating from android device to be
> tunneled through the gateway using the tun0 interface.
The Android App does no narrowing itself, that happens on the responder
only. To tunnel all traffic from the Android device, set
leftsubnet=0.0.0.0/0 on the respond
Hi,
> IKE_SA 1[1] established between
> 10.227.110.112[lmu55]...216.177.93.234[lmudiag]
> generating QUICK_MODE request 1438687057 [ HASH SA No ]
> sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)
> sending retransmit 1 of request message ID 1438687057, seq 4
> sendin
Hi Kris,
> Is there any plan or possible to submit an app to App Store? I
> understand the iOS VPN API is not public and limited to some vendors,
> but OpenVPN seems got it and has an app on App Store.
We think that a strongSwan iOS App would be of great value, but as you
said, access to that priva
Hi Farid,
> I have observed if I select charonstat=yes and plutostart=no ipsec
> is not listening in all interfaces
With strongSwan 4.x, two IKE daemons have been in use. Pluto handled
IKEv1 connections, while charon was responsible for handling IKEv2
connections.
Both protocols receive messag
> is there any way to reduce the buffer size so that it could show
> the logs earlier.
Yes, you can set the "flush_line" option to "yes" to force a buffer
flush after each line. See [1].
Regards
Martin
[1]http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
> > With 5.1.0 we now reject the installation of a policy if we already have
> > one installed with the same selectors, but different reqids. This will
> > make CHILD_SA negotiation fail, and you should only ever have one
> > CHILD_SA for the same selectors (but different reqids).
> Can somebody
Hi,
> 14[NET] received packet: from 217.218.83.90[500] to 37.123.118.145[500] (292
> bytes)
> 14[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
> 06[JOB] deleting half open IKE_SA after timeout
The Main Mode does not complete, because the server does not receive the
packet for the next mess
> For my setup all the configurations are read from /usr/local/etc/*.conf.
> ./configure [...] --with-strongswan-conf
./configure --help says:
> --with-strongswan-conf=arg
> set the strongswan.conf file location (default:
> ${sysconfdir}/st
> leftsubnet=82.73.43.12,192.168.1.0/24
> rightsubnet=140.5.12.76,10.1.1.0/24
These subnets include the directly attached subnets, but not the other
ones (I assume you do no NAT on your internal routers?).
If you want to tunnel all the subnets, use something like:
leftsubne
Hi Răzvan,
> I am unable to ping between 10.2.1.0/24, 10.3.1.0/24, 192.168.23.0/24
> and 192.168.24.0/24 (from each other).
What does your left/rightsubnet configuration look like? Have you
included all the subnets to tunnel? What shows "ipsec statusall"?
Does a ping from 10.2.1.0/24 make it to
Hi Sam,
> I need an EAP-SIM based authentication with the radius server. For this
> I compiled the strongswan library with --enable-eap-sim,
> --enable-eap-sim-file and --enable-eap-radius options on both the
> Android device and the gateway machine.
If you delegate EAP-SIM authentication to RADI
Hi Bob,
> What is the purpose of send_delay and how exactly does it work? Is it
> there for testing purposes or is there a use in the real world?
It is mostly for testing purposes, I don't think that there is much real
use from it in productive setups.
> Is this true any time an INFORMATIONAL is
Hi Joern,
> Do you have any plans to make this configurable in one of the upcoming
> releases (I can imagine that there are other implementations available
> which are behaving in the same way)? Or is the change you introduced with
> 5.1.0 the final solution?
As we reject additional, identical SA
Hi Björn,
> So I got to the point where we need a FreeRadius to be connected to the
> eDir.
> But now I am not sure what way to take. I very much like IKEv2, but
> as described here [...] we need IKEv1 XAuth to use it.
Do you want to connect IKEv1 or IKEv2 clients to your LAN? The whole
xau
Hi,
> authentication of (myself) successful
> What does the "(myself)" part do to validate itself?
It just means that the server successfully created a signature for
authentication using the mentioned certificate's private key. The client
then verifies the same signature to authenticate the ser
> From the Charon log (vpn-57-122.log) I see that the SPI the Checkpoint
> is using (line 598) has been established later than the one used by
> strongswan (line 523), so I would assume that strongswan uses the
> older SPI.
I don't agree. The CHILD_SA {404} was established at line 119 along with
Hi Joern,
> After re-establishing the connection it seems that both peers will
> initiate a tunnel and as a result I will have two Child_SA pairs.
> strongSwan is using 0xf9029d40 while Checkpoint is using 0xc2088c97.
> vpn-57-9{454}: INSTALLED, TUNNEL, ESP SPIs: c3a797a1_i f9029d40_o
>
Hi,
> * is there a way to make strongswan to send a "certreq" payload with
> empty CA name field ? I could think of any parameter to make strongswan
> to do this.
No, there is no such option.
strongSwan (5.x) either includes a single CERTREQ if you have a rightca,
or it sends a CERTREQ for each
Hi Aaron,
> Is there any way to tell StrongSwan 5.x (when a headend) to ignore the ID
> sent by the client, and always use the Certificate DN as the remote ID?
No, currently not. strongSwan always requires that the IKE identity is
contained in the certificate, either as subject DN or as subjectAl
Hi,
> About 15 minutes after init and auth successes, StrongSwan sends
> create_child_sa to rekey the child sa. But the message id is reset to 0
> and neither initiator nor response flag is set. I don't think it is
> right according to standard.
This depends who is initiating the rekeying. If it
Hi,
> "00[LIB] opening AF_ALG socket failed: Address family not supported by
> protocol"
>
> Is this error something to be concerned about and how to eliminate it?
It seems that your kernel does not support the AF_ALG crypto API. On
such a kernel, it makes no sense to enable the af-alg plugin,
Hi Kimmo,
> Can I use libipsec based configuration and netkey based configuration
> at the same time?
No. The kernel-libipsec backend is one of several IPsec backends that
can be used, but only ever one is active at the same time. Currently all
connections use the same backend.
> how one should
> I find, there are lots of retransmissions (as it prints the status of
> the initiation with *character mostly) in console. I know, these are
> certainly considered to be bad. But I have set the retransmit_timeout
> and retransmit_tries to 300 seconds and 300 times respectively, which
> is a huge
> Due to your unique policy and a limitation of our new IKEv1
> implementation, this leads to a problem: The uniqueness policy deletes
> the old ISAKMP during re-authentication before it can complete.
>
> This is a known issue, and I hope I'll find some time to fix this.
I've pushed a few changes
Kris,
> Any plan to support eap-radius authentication?
eap-radius is a server plugin, so it is not directly related to the
client application. You can use eap-radius on a server, and use
EAP-MSCHAPv2 between the client and your AAA to do authentication.
> After VPN connected, OSX still uses pro