Re: [strongSwan] Strongswan 4.5.1 sqlite database passthrough

2011-06-24 Thread Martin Willi
Hi, > Each gateway B subnets must reach all of gateway A subnets. Using IKEv2, you can simplify all-to-all subnets and use just a single connection: leftsubnet=10.0.0.0/8,192.168.0.0/16,172.16.0.0.12 rightsubnet=10.21.11.0/24,172.16.0.0/24,10.121.11.0/24 > As you can see, some gateway B s

Re: [strongSwan] Strongswan 4.5.1 sqlite database passthrough

2011-06-24 Thread Martin Willi
> Is it possible to do that with traffic_selectors ans peer_configs > tables ? Yes, you can associate as many traffic_selectors using child_config_traffic_selector to child_configs as you need. > In traffic_selectors table, fields to be filled are start_address and > end_address but you mean it

Re: [strongSwan] Strongswan 4.5.1 sqlite database passthrough

2011-06-27 Thread Martin Willi
> We use updown script for child_configs iptables rules. I've seen routes > are not supported in IKEv2. In IKEv2 (and now even in IKEv1), routes are installed by the daemon itself, not the updown script. But you can disable the built-in route installation using the mentioned option. > Is it pos

Re: [strongSwan] Strongswan 4.5.1 sqlite database passthrough

2011-06-28 Thread Martin Willi
> With IKEv2 on sqlite database, can we configure this variable Yes, using "virtual" field in the peer_configs table. But I'm not sure if it is what you want: The given virtual IP (or %any) is requested from the responder using IKEv2 configuration payloads. The responder usually allocates such an

Re: [strongSwan] Nameservers over ikev2

2011-07-01 Thread Martin Willi
Hi Julian, > is it possible to set the dns servers that are pushed to the client > seperatly for each conn entry in ipsec.conf? Using the attr plugin and the associated strongswan.conf options, no, currently not. These are always global. The more advanced attr-sql plugin can define per-pool or e

Re: [strongSwan] VPN load balancing?

2011-07-04 Thread Martin Willi
Hi, > > I want to set up two VPN same time and load balancing in site B. How can > I solve this problem? Our High Availability solution [1] can do load sharing, but only using multiple SAs (it can't share a single SA to two nodes). If you split up your LAN on one side to multiple subnets, these

Re: [strongSwan] Problem using Strong Swan on high-end Freescale Board (p4080)

2011-07-04 Thread Martin Willi
Hi, > when I initiate the net-net connection from SUN virtual machine, the > board receives isakmp but afterwards replies to SUN telling that udp > port 500 is unreachable, like nobody listens on that port. > load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke > kernel-netlink sock

Re: [strongSwan] trying to configure strongswan to act like a windows7 client

2011-07-11 Thread Martin Willi
Hi Olivier, > authentication of 'CN=10.1.1.254, OU=TAC, O=Cisco, C=BE' with EAP successful > constraint check failed: identity 'C=BE, O=CISCO, OU=TAC, CN=10.1.1.254' > required Your gateway identifies itself as 'CN=10.1.1.254, OU=TAC, O=Cisco, C=BE', but your rightid configuration expects 'C=BE

Re: [strongSwan] trying to configure strongswan to act like a windows7 client

2011-07-11 Thread Martin Willi
> I wonder how I could have the strongswan to do enable config pull? > modeconfig=pull > >

Re: [strongSwan] what is the default value of the cipher suite?

2011-07-12 Thread Martin Willi
Hi, > I just want to know what is the default value of the cipher suite if > the ike and esp directives in ipsec.conf are not specified in IKEv2. For ipsec.conf based configurations, starter adds the following default proposals if none is given: ike=aes128-sha1-modp2048,3des-sha1-modp153

Re: [strongSwan] strongswan multiple iterations?

2011-07-12 Thread Martin Willi
Hi, > a) can two iterations of strongswan be run on the same network -one on the > main router and the other on the ssh server? Does the SSH server run on a dedicated box with a public IP? Then there is no reason why you couldn't run strongSwan on it. > b) if a) is true, can ipsec traffic be r

Re: [strongSwan] Multiple tunnels between same peer

2011-07-13 Thread Martin Willi
Hi, > leftsubnet=192.168.255.0/24 > rightsubnet=192.168.255.0/24 How should the routing work if you have the same subnet on both ends of the tunnel? Where should a gateway send such packets to? > mark_in=11 > mark_out=10 Using the same mark for in and out is prob

Re: [strongSwan] ipsec detection on isc dhcpd

2011-07-14 Thread Martin Willi
Hi, > 1) I'm hoping DHCP will, (connection specific DNS suffix, which > allows hostname to resolve instead of hostname.example.com) No, IKEv2 does not specify an attribute to assign DNS suffixes. It would be possible to write such an extension, but this won't work with Windows clients. You can s

Re: [strongSwan] DOS attack: In case of back to back IKE_SA_INIT messages from attacker strongswan unable to limit HALF_OPEN_IKE_SA to BLOCK_THRESHOLD

2011-07-25 Thread Martin Willi
Hi, > I have configured the block_threshold to 2 keeping COOKIE_THRESHOLD to > large value (in order to avoid hitting that condition). I don't think it makes a lot of sense to use block_threshold without cookie_threshold. The cookie mechanism makes sure that a DoS attacker can't create state on t

Re: [strongSwan] multiple ipsec tunnels (multiple ipsec/esp SAs between 2 peer gws with 1 IKE SA)

2011-07-29 Thread Martin Willi
Hi, > - What is the meaning of "initiators=10 and iterations=100". i would > think that for simulating establishment of 1000 simultaneous tunnels i > would want 1000 initiators to be running right? Why only 10 and > running them 100 times? "initiators" defines the number of threads. Each thread i

Re: [strongSwan] multiple ipsec tunnels (multiple ipsec/esp SAs between 2 peer gws with 1 IKE SA)

2011-08-02 Thread Martin Willi
> 15[CFG] looking for peer configs matching > 172.17.10.10[srv.strongswan.org]...172.17.10.253[c5-1.strongswan.org] > 15[CFG] no matching peer config found > 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] > conn rw-server > left=172.17.10.10 > leftsubnet=192.168.20.0

Re: [strongSwan] Checking of certificate CN and subjectAltName against IDr

2011-08-03 Thread Martin Willi
Hi Graham, > Does strongSwan (on the initiator) check that the original FQDN/IDr is > also in the certificate ? Yes. > If the certificate has only a "subject" and no "subjectAltName", does > strongSwan check that the IDr matches the CN specified in the > "subject" of the certificate ? Unlike in

Re: [strongSwan] charon fail to add policies after recovering from crash

2011-08-15 Thread Martin Willi
Hi, > 06[KNL] creating rekey job for ESP CHILD_SA with SPI cbe46239 and reqid {458} > 05[DMN] thread 5 received 11 > 05[DMN] killing ourself, received critical signal I think it would make much more sense to fix the bug causing the crash. If possible, please upgrade to 4.5.3 and attach GDB to see

Re: [strongSwan] Having a problem creating a basic Site-to-Site config !!

2011-08-24 Thread Martin Willi
Hi, > ike=3des looks like a very simple proposal. This proposal is actually incomplete. An IKE proposal must contain an encryption and an integrity algorithm (or a combined mode algorithm), and a DH group. Try ike=3des-sha1-modp2048 instead. Regards Martin

Re: [strongSwan] strongSwan on Maemo (Nokia N900)

2011-09-01 Thread Martin Willi
Hi Peter, > [IKE] unable to allocate SPIs from kernel Unfortunately, the stock N900 kernel does not support the required IPsec modules. You'll have to install the "kernel-power" [1] package. It seems that such a hint is missing on our wiki page, I'll fix that. Regards Martin [1]http://wiki.maem

Re: [strongSwan] received EAP-AKA client error 'unable to process packet'

2011-09-06 Thread Martin Willi
Hi, > daemon log shows "client error 'unable to process packet'", board side > can't log, it outputs something like 'MAC' error... The error condition occurs on your board, probably because the MAC calculated for authentication does not match. A more complete log from the board would really help

Re: [strongSwan] Strongswan 4.5.1 Sqlite database not updated until ipsec is restarted

2011-09-14 Thread Martin Willi
Hi Fabrice, > When I modify sqlite database (add/remove connections or > add/modify/remove child_SA), ipsec modifications are not read and > connections stay down/up (depend on add/remove) . Connections are read from the database and kept in memory for active connections. Any changes to IKE- or C

Re: [strongSwan] Strongswan 4.5.1 Sqlite database not updated until ipsec is restarted

2011-09-20 Thread Martin Willi
Hi, > It seems when certificates is added or modified in database, it can't > be read until ipsec is restarted. Certificates are cached for performance reasons. Try "ipsec purgecerts" to flush the certificate cache and reread the certificate during the next authentication. Regards Martin

Re: [strongSwan] Strongswan 4.5.1 Sqlite database not updated until ipsec is restarted

2011-09-21 Thread Martin Willi
> Is there a way to reload or reread database or flush database cache > without restarting ipsec ? Connection definitions shown in "statusall" and IKE connections that get newly established are always reread from the database. If it doesn't show up in "statusall", it is either invalid or somethi

Re: [strongSwan] Strongswan doesn't start connection, but no error message

2011-09-21 Thread Martin Willi
Hi, > Why does Pluto only add the connection but does not start it, although > I have defined "auto=start" in ipsec.conf? > plutostart=yes > charonstart=no > keyexchange=ikev2 IKEv2 connections are handled by the charon daemon, pluto is the IKEv1 daemon. Either enable ch

Re: [strongSwan] Charon doesn't set the routes

2011-10-03 Thread Martin Willi
Hi, > In kernel_netlink_ipsec.c add_policy methed, the code checks if mode != > MODE_TRANSPORT to insert to route. Yes. Why do you need an additional route in transport mode? There are usually no new addresses or routes involved, transport mode just protects the traffic between two hosts that alr

Re: [strongSwan] How to deny multi login

2011-10-11 Thread Martin Willi
Hi Igor, > Hi, how can I config to deny same user (PSK auth) multi login, just > one session for one user? Please have a look at the uniqueids option in ipsec.conf [1]. Regards Martin [1]http://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection

Re: [strongSwan] Regarding Load testing problems..

2011-10-12 Thread Martin Willi
Hi, > i tried with 1000 tunnels i.e. with initiator 5 and iterations 200 and > delay 100ms. In this i got around 900 tunnels out of 1000 Probably one of your peers gets overloaded and can't handle all connection requests. Packets get lost, and some tunnels can't establish at all. Try to incre

Re: [strongSwan] IKEv2 StrongSwan to Cisco IOS 15.1 interop quirks: some 'attributes failed'

2011-10-12 Thread Martin Willi
Hi, > Much to my pleasant surprise I was able to set up a RW connection to a > Cisco IOS 15.1 headend using IKEv2. Kudos to the StrongSwan team! That's good to hear! > handling INTERNAL_IP4_NETMASK attribute failed > handling INTERNAL_IP4_SUBNET attribute failed > handling INTERNAL_IP4_SUBNET a

Re: [strongSwan] Tunnel seems to be established, but traffic does not flow through it.

2011-10-14 Thread Martin Willi
Hi, > left=169.254.3.75 > leftsubnet=169.254.3.0/32 > right=169.254.4.75 > rightsubnet=169.254.4.0/32 > root@localhost:/root> ping 169.254.4.75 Your configuration looks wrong. You are sending traffic between your hosts 169.254.4.75 and 169.254.3.75, but the tunnel you set

Re: [strongSwan] need help with strongswan HA setup

2011-10-21 Thread Martin Willi
Hi Gaurav, > 1.apart from strongswan.conf file changes, is it needed to put the > kernel patch as specified in above link, Yes, the kernel patch is definitely required. Otherwise the CLUSTERIP kernel module is unable to forward traffic as a gateway at all and can't handle IPsec traffic as the HA p

Re: [strongSwan] How to dynamically add and delete tunnels?

2011-10-21 Thread Martin Willi
Hi, > Sadly, this does not work. A minor inconvenience is that strongSwan > does not like it if the directory is empty, but that is easily solved > with an empty dummy file. However, it seems that only the first `real' > configuration file is read, and anything beyond that does not work. > Also,

Re: [strongSwan] documenting the X509 configuration for a roadwarrior?

2011-10-21 Thread Martin Willi
Hi, > id 'moon.example.org' not confirmed by certificate, defaulting to > 'C=GB, O=Example Limited, CN=moon.example.org' When using certificates, the IKE identity should be contained in the certificate to allow the other peer to find the required cert. This is enforced for local certificates. It

Re: [strongSwan] ignoring request with ID 1,already processing

2011-10-21 Thread Martin Willi
Hi, > localhost charon:13[IKE] sending DHCP DISCOVER to 10.10.10.20 > localhost charon:09[MGR] ignoring request with ID 1,already processing > localhost charon:13[CFG] sending DHCP DISCOVER to 10.10.10.20 > localhost charon:13[IKE] sending DHCP DISCOVER to 10.10.10.20 > localhost charon:05[MGR] ig

Re: [strongSwan] need help with strongswan HA setup

2011-10-21 Thread Martin Willi
Hi, > The HA setup supported by Strongswan is Active/Active or > Active/standby ? It supports Active/Active configurations, but each CHILD_SA is actually Active/Passive. The active node might be different for each CHILD_SA, resulting in a load sharing between the two nodes if you run more than a

Re: [strongSwan] Strongswan+RADIUS secret code problem?

2011-10-28 Thread Martin Willi
Hi, > Testing with Windows 7 IKEv2 client, it prompts "Error 13801: IKE > authentication credentials are unacceptable." > 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MD5 ] Looks to me like the client does not accept the certificate it gets from the gateway. Does it have the pr

Re: [strongSwan] need help with strongswan HA setup

2011-11-01 Thread Martin Willi
Hi, > We also find that the changes required in ipt_CLUSTERIP.c file > (Patch : Extended CLUSTERIP module to use it on IPSec gateway) are > only valid for 2.6.39 in the Strongswan git repository and we may not > able to apply the same on 2.6.31. Our git repository has tags with patches for diffe

Re: [strongSwan] Possible to broadcast packets down each IPsec tunnel from the SeGW ?

2011-11-01 Thread Martin Willi
Hi Graham, > Is it possible to send a packet to a subnet's broadcast address on the > secure side of a SeGW and have the packet sent down each IPsec tunnel > whose inner IP address belongs to that subnet ? It's not trivial, but it can be done. You'll need to: * include the broadcast addres

Re: [strongSwan] what could cause strongswan 4.3.2 to freeze up

2011-11-05 Thread Martin Willi
Hi, > - Tunnels already established remained operational but no new > connection accepted. We verified with tcpdump that connection requests > arrive at the box (a Vyatta VM) but /var/log/messages showed no charon > activity. Maybe all the threads are blocked somewhere and therefore the daemon is

Re: [strongSwan] Measuring Strongswan key metrics for production environments

2011-11-05 Thread Martin Willi
Hi Robin, > I suspect that many of these things are already referenced within the > code somewhere, just not instrumented to keep tally or expose those > counters. Of course, it would be great to not have to cobble and have > a nice RPC/XML API, SNMP or other query system Indeed much of this inf

Re: [strongSwan] How to sync the SN in SA in the backup server?

2011-11-16 Thread Martin Willi
Hi, > So I want to know whether there is a way to know the SN in the > outbound SA? Is there a IKE information message carrying such payload? > Or is it a way to back up the SN very conveniently? There is an IKEv2 extension [1] that adds client synchronization functionality, but we don't sup

Re: [strongSwan] RFC5739

2011-11-17 Thread Martin Willi
Hi Mave, > I was wondering if the latest release of the strongSwan has > incorporated any changes mentioned in RFC5739, regarding integration > of IPv6 in IKEv2 (charon) daemon for the purpose of remote access > clients (road-warriors)? No, strongSwan has IPv6 support as described in RFC4306/5996,

Re: [strongSwan] Strongswan Performance (IKEv1 tunnel establishment rate)

2011-11-17 Thread Martin Willi
Hi Amit, > Thanks for your reply. I am more interested in IKEv1 performance. > Please share if you have any performance numbers for IKEv1. No, I haven't done any performance measurement for IKEv1. > From figures you have mentioned ( > 10'000 tunnels in couple of > minutes) at the max 83 tunnel

Re: [strongSwan] Reason for certificate rejects

2011-11-18 Thread Martin Willi
Hello Mugur, > > There is any way to inform an application about an authentication > failure due to a certificate rejected by the CRL (or inability to > fetch the CRL)? Revocation reasons are currently logged only. Extending the revocation plugin to store revocation reasons is not that hard, we

Re: [strongSwan] Different values for the option strictcrlpolicy

2011-11-18 Thread Martin Willi
Hi, > > One of them wants for his connections the behavior as for > “strictcrlpolicy=no”, another one as for “strictcrlpolicy=ifuri” and > the third one as for “strictcrlpolicy=yes”. There is any way to > satisfy all three cases from the same strongSwan instance? Charon internally handles CRL p

Re: [strongSwan] what could cause strongswan 4.3.2 to freeze up

2011-12-06 Thread Martin Willi
Hi, > If the above is all the mutex is trying to protect, then it would make > my change simpler. No, the important part is to protect the list of registered listeners. There are not only loggers, but other dynamically registered listeners that use this interface. Invoking a listener function whi

Re: [strongSwan] Changing Library Names

2011-12-08 Thread Martin Willi
Hi, > Is there an easy way to change the dynamic library names > (libstrongswan, libhydra, and libcharon) to something else? No, these are hard-coded. What's the reason for doing so? If you need to separate these libraries, you can add --with-ipseclibdir to ./configure to install them in a dedic

Re: [strongSwan] VPN and mediation

2011-12-12 Thread Martin Willi
Hello Julien, > I would like to set up a VPN where the entry point E (strongswan > server) and the services server S are not in the same place (LAN). > > The point is that I want the traffic from clients to S not to be > routed through E. > > In some way, E is used only to authenticate the vpn u

Re: [strongSwan] RFC 4325 support - Authority Information Access CRL Extension

2011-12-14 Thread Martin Willi
Hello Mugur, > Does Charon support the "Authority Information Access CRL Extension" as > specified by the RFC 4325? No, we currently don't support the Authority Information Access extension in CRLs. Regards Martin

Re: [strongSwan] How to disable 'CRL' in strongswan.conf?

2012-01-10 Thread Martin Willi
> Correct? No, you'll have to define the complete list of plugins you'd like to load, in the correct order. The best way to get this list for your configuration is to start strongswan and look for the line > loaded plugins: aes des sha1 sha2 md5 random ... Then use this plugin list in the load

Re: [strongSwan] Windows 7 seems to drop connection when rekeying main mode SA's

2012-01-10 Thread Martin Willi
Hi, > After disabling rekeying for Windows 7 connection I got rid of most of > the reconnects caused by rekeying the SAs, but I still have one > annoying connection interruption left. When following the rules from [1], rekeying initiated by strongSwan works fine here. > But for some reason IP Se

Re: [strongSwan] Windows 7 seems to drop connection when rekeying main mode SA's

2012-01-11 Thread Martin Willi
Hi, > activating IKE_REKEY task > initiating IKE_SA rw-win-7[4] to 82.147.51.146 > received DELETE for IKE_SA rw-win-7[3] Your log level configuration doesn't show any messages, but it seems that Windows is not happy about the rekeying and deletes the SA. > I also tried with and without reauth

Re: [strongSwan] Question regarding failed Child SA response

2012-01-17 Thread Martin Willi
Hi, > I just need some help understanding how\why either host fails to > recover from the failed Child SA response. It's not related to the CHILD_SA, but authentication fails at the initiator because the identity constraint is not fulfilled. The IKEv2 protocol does not specify a mechanism to sen

Re: [strongSwan] ICMP discovery fails with IPv6 and IKEv2

2012-01-25 Thread Martin Willi
Hello Eric, > 01[KNL] creating acquire job for policy > fc00:2518::221:9bff:fe98:854b/128[udp/60525] === > fc00:2518::10:125:56:9/128[udp/1025] with reqid {10} If your policy triggering the tunnel covers all traffic, of course any ICMP messages are covered by this policy, too. So the name resolut

Re: [strongSwan] ipsec pki tool for load testing

2012-01-25 Thread Martin Willi
Hi, > each individual instance of the load test having its own private key > and certificate generated by ipsec pki tool. As outlined at [1], client certificates are generated on the fly for each connection attempt in load-tester. All certs use the same keypair. There is currently no option to c

Re: [strongSwan] [IKEv2] 13806 Error on windows 7 PN client. No previous solutions solved this issue.

2012-01-25 Thread Martin Willi
Hello François, > used as an IKEv2 IPsec/L2TP server Windows has supported L2TP/IPsec for a long time, but this setup uses IKEv1. The new IKEv2 client in Windows 7 does plain IPsec, no L2TP tunneling is involved. So if you have Windows 7 Clients only, I highly recommend using IKEv2 only. > Despite

Re: [strongSwan] Access to gateway & firewall

2012-01-25 Thread Martin Willi
Hello Radek, > Problem over here is that when I turn on firewall packets are rejected > because origin of (decrypted) packets is eth0. Is there any possibility > to route VPN traffic via dummy0, so firewall will see those as coming > from dummy0? I'm not aware of any method to change the inte

Re: [strongSwan] ICMP discovery fails with IPv6 and IKEv2

2012-01-26 Thread Martin Willi
Hi, > I have v4.5.2. Will the passthrough option insist on manual keying? Passthrough policies are not supported with charon before 4.5.3. You can install them manually using other tools (setkey or iproute2), but it might be a little tricky to get it right. Probably simpler to update to a recent

Re: [strongSwan] how does pluto and charon share port 500

2012-01-31 Thread Martin Willi
Hello Simon, > I am running tests with User-Mode Linux. I face the problem that if I > start both pluto and charon then charon can never establish connection. > Tcpdump at both ends indicate the response does come back but charon > just can't receive it. To run both pluto and charon in parallel,

Re: [strongSwan] Ubuntu NetworkManager Problem ?

2012-02-06 Thread Martin Willi
Hi Claude, > He claims that while trying to setup, NetworkManager freezes as soon as > he selects "IPsec/IKEv2". Yes, the package is broken with the new NetworkManager release. I have upgraded the package [1] to NM 0.9, but it has not been pushed yet to Debian/Ubuntu. But even with the new packa

Re: [strongSwan] Replay state copy problem after UPD_SA_ADDR, ikev2/mobike

2012-02-09 Thread Martin Willi
Hello Kimmo, > I'm using strongswan 4.6.1 as vpn server, Centos 5.7 with kernel > 2.6.18-274.7.1.el5. > 06[KNL] unable to copy replay state from old SAD entry with SPI > c62cb34c To update IP addresses in the Linux kernel SA state, we have to reinstall the whole SA. This resets the ESP sequence

Re: [strongSwan] why pluto don't add route automatically for strongswan4.6.1

2012-02-10 Thread Martin Willi
Hi, > but 4.6.1 don't add the route automatically Pluto has been migrated to the kernel interface of the IKEv2 daemon charon. This interface installs routes to a dedicated routing table to avoid any conflicts with the default table. The route should be visible in table 220, try > ip route show t

Re: [strongSwan] strongSwan 4.5.0 Not routing

2012-02-10 Thread Martin Willi
Hello Adrian, > but I cannot ping anything on the private side however when on the GW > itself I can ping both public and private networks. Have you enabled IP forwarding in the kernel? Do all involved hosts have routes for your VPN connection? Regards Martin

Re: [strongSwan] eap-aka with hostapd

2012-02-22 Thread Martin Willi
Hi, > i am using strongswan with hostapd as an AAA server What exactly does your setup look like? Are you using a strongSwan client with the eap-aka plugin against a strongSwan server with eap-radius and a hostapd backend? > but stuck at the point "received mac does not match xmac" Our eap-aka pl

Re: [strongSwan] Strong swan support for IPSEC on Cavium

2012-02-22 Thread Martin Willi
Hi Mukesh, > I have question about how to use IPSEC on Cavium blade where IKE will > done on Cavium blade with Linux running core and encryption/decryption > of packet will be done on Cavium accelerator's cores designed for > IPSEC performance running with simple executive. For crypto primitives

Re: [strongSwan] Accounting Tickets

2012-02-24 Thread Martin Willi
n-Id. Regards Martin >From 434cdbac090ad1708bcbf46b13bed820eb763008 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Fri, 24 Feb 2012 10:04:31 +0100 Subject: [PATCH] Send client external address as Calling-Station-Id in RADIUS accounting --- .../plugins/eap_radius/eap_radius_accounting.c

Re: [strongSwan] Accounting Tickets

2012-02-24 Thread Martin Willi
y confusing. Maybe we should switch everywhere to the more commonly used v4:port and [v6]:port notations, but I think that is something for the next major release. Regards Martin >From d93f204ca5374fb96a154e57223a53003c4445af Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Fri, 24 Feb 201

Re: [strongSwan] Accounting Tickets

2012-02-24 Thread Martin Willi
Hello Thomas, > C99 states it will always be zero terminated IIRC. > So this is not a real issue. I think it is safe to snprintf() to short buffers, as long as you don't rely on the return value for length calculations. > - Return value of snprintf() is the number of bytes that would > have be

Re: [strongSwan] ike2/mobike with mschapv2 against PAM?

2012-03-04 Thread Martin Willi
Hi Kimmo, > Is there any way to use PAM, radius, ldap or anything else than > ipsec.secrets to authenticate users when using mschapv2? EAP-MSCHAPv2 does not transmit the password in the clear, hence using it for PAM does not work. We have a EAP-GTC plugin that authenticates users against PAM, but

Re: [strongSwan] Why a certificate error when we are using PSK....

2012-04-02 Thread Martin Willi
6148c33ff Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Tue, 3 Apr 2012 08:35:25 +0200 Subject: [PATCH] Accept zero-length certificate request payloads --- src/libcharon/encoding/payloads/certreq_payload.c |3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) diff --git a/src/

Re: [strongSwan] openswan and playbook issues

2012-04-12 Thread Martin Willi
Hi Dan, > 08[CFG] received stroke: initiate 'rem' > 08[IKE] unable to initiate to %any Side note: As a responder, it is sufficient to set auto=add. auto=start doesn't work, as the remote IP is not known. > 13[NET] received packet: from 75.99.83.90[500] to 192.168.1.104[500] > 13[ENC] parsed IKE_

Re: [strongSwan] Errors establishing connection

2012-04-17 Thread Martin Willi
Hi, > I use pre-shared keys. Looks more like you're using certificates? > sending cert request for "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd" > sending cert request for "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd" > received cert request for "C=AU, ST=Some-State, O=Internet Widgits

Re: [strongSwan] GRE over IPsec in Load-Tester Scenario

2012-04-23 Thread Martin Willi
Hi Mohan, > I am trying to establish 1000 GRE over IPsec Tunnels between a Linux > Machine and Cisco Router using the Load-Tester Plugin. I need help on > how to configure strongswan.conf to set 'leftprotoport=47' (GRE). Please be aware that the load-tester plugin currently works for IKEv2 conne

Re: [strongSwan] Self signed ca cert fails policy check

2012-04-23 Thread Martin Willi
Hi Andreas, > 01[CFG] policy 1.1.1.1.1 missing in issuing certificate 'CN=CA, ... C=DE' The constraint plugin enforces different X.509 constraints, such as path length, name and policy constraints. In your case, it seems that your end entity certificate has a certificate policy 1.1.1.1.1.1. Your

Re: [strongSwan] About migrating the milenage of 3GPP and the USIM card API

2012-04-23 Thread Martin Willi
Hi Kenxin, > Question 1 : Can I add the milenage algorithm by modifying the USIM API > card_get_quintuplet( ) in the file simaka_manager.c ? Would it check > whether there is one USIM as default ? Our eap-aka-3gpp2 plugin implements S.S0055 from the 3GPP2 specs. Milenage from 3GPP has the same purp

Re: [strongSwan] SA establishment is trigerred by icmp traffic, when the rule is added for udp

2012-04-23 Thread Martin Willi
Hi Divya, > Why is SA getting created by ICMP traffic, when the rule is added only > for UDP traffic? While this might be a little unexpected, it really works this way on most Linux boxes. The reason is that the ping utility binds a UDP socket to probe for a source address. While no traffic is ac

Re: [strongSwan] Strongswan2.8

2012-04-26 Thread Martin Willi
Hi, > I am working on a project that involves using a 2.4 Linux kernel. Linux 2.4 does not have an IPsec stack. You'd either have to use the 2.6 Netkey backport [1], or the KLIPS stack from the FreeSWAN project. Our 2.8 release comes with KLIPS support, see README, but it isn't maintained active

Re: [strongSwan] SAD and SPD are not deleted properly on getting delete payload from Peer for Ikev2

2012-05-09 Thread Martin Willi
Hi, > When we stop IPSec service in Cisco, its sending Informational > exchange with delete payload and message ID as 1. It seems that the Cisco box messes up the message IDs. In IKEv2, message IDs are strictly incremental and assigned independent of the exchange type. > parsed IKE_SA_INIT reque

Re: [strongSwan] IKEv2 TS narrowing

2012-05-15 Thread Martin Willi
Hi Eric, > Initiator (Strongswan) Responder > Defined host (i.e. 10.1.1.1) defined network (I.e. 10.0.0.0\8) > Defined subnet (i.e. 10.1.1.0\24) defined network (I.e. 10.0.0.0\8) > Defined Wildcard (i.e. 0.0.0.0.0\0) defined network (I.e. 10.0.0.0\8) > Defined network (i.e

Re: [strongSwan] Adding subjectAltNames to the on demand certificates generated during load testing

2012-05-22 Thread Martin Willi
Hi Naren, > The Client certificates are generated on demand signed by the CA > certificate ( load_tester_creds.c file ). How can i add the > subjectAltName to these on demand certificates ? Is there any > configuration file ? or do i need to make alterations in the code ? No, there is no such co

Re: [strongSwan] Kernel patch for HA plugin

2012-05-22 Thread Martin Willi
Hello Wolfgang, > Problem: I apply the first "patch" and one out of the 4 files to be patched > gives > an error. I'm running on a 2.6.32 kernel (UBUNTU 10.04) and the patch is > allegedly written for it (I took it from the git repository). Do you have an > idea of how can I solve it? Are you su

Re: [strongSwan] Adding subjectAltNames to the on demand certificates generated during load testing

2012-05-23 Thread Martin Willi
> I tried adding BUILD_SUBJECT_ALTNAMES, "DNS:iprc.nlt.in", to the > load_tester_creds.c file as u told but i am getting the following > error from the DMN Please read the documentation at the links I posted carefully. You'll have to pass a linked_list_t containing identification_t's as argumen

Re: [strongSwan] configuration error when trying to use --enable-curl

2012-05-25 Thread Martin Willi
Hi, > How do we specify how to find the library for curl (libcurl.a)? I dont > think it is --lib "./configure --help" says: > LDFLAGS linker flags, e.g. -L if you have libraries in a > nonstandard directory Setting LDFLAGS=-L./INSTALL_STAGE/curl-7.25.0/usr/lib during ./configur

Re: [strongSwan] IKE_AUTH fails with "no matching peer config found" error message in strongswan ver 4.6.3

2012-05-25 Thread Martin Willi
Hi, > leftid=@localhost > rightid=@localhost These identities don't make much sense. When using certificate authentication, the peer identities must be contained in the certificate, either as subject or as subjectAltName. > 08[CFG] id 'localhost' not confirmed by certificate, d

Re: [strongSwan] configuration error when trying to use --enable-curl

2012-05-25 Thread Martin Willi
> Do you mean that strongswan needs this libcurl.so when "curl" plugin > is loaded at runtime? Yes. > If so, then where should this libcurl.so be located at run time, e.g. > as a part of all other strongswan's .so file location? Wherever your dynamic linker looks for shared libraries, usually /u

Re: [strongSwan] configuration error when trying to use --enable-curl

2012-05-29 Thread Martin Willi
Hi, > LDFLAGS=/local/user_data/mkpne_yhc_yhc_ltefdd_la6.0_112784/eccm/build/INSTALL_STAGE/curl-7.25.0/usr/local/li) LDFLAGS takes linker options, not only the directory. Try to prepend -L: > LDFLAGS=-L/local/... Regards Martin

Re: [strongSwan] smartcard/HSM question

2012-05-30 Thread Martin Willi
Hello Stephen, > We want to use strongswan IKEv2 in such a way that the private key used > by IKE (e.g. for creating the AUTH payload) never leaves some > specialized custom secure hardware. > 00[CFG] loaded private key from > %smartca...@etoken:33423544384442423444303736374239 > > Suggesting

Re: [strongSwan] configuration error when trying to use --enable-curl

2012-05-30 Thread Martin Willi
Hi, > I have libcurl.so in the libexec/ipsec/plugins directory. Your dynamic linker probably doesn't look for libraries, there. All the libstrongswan-* plugins are not loaded implicitly by the linker, but by dlopen(). > Any reason why it is failing to load? I tried to put libcurl.so in > /usr/li

[strongSwan] strongSwan RSA signature vulnerability

2012-05-31 Thread Martin Willi
We have been informed about a security vulnerability in strongSwan. If the strongSwan "gmp" plugin is used for RSA signature verification, an empty or zeroed signature is handled as a legitimate one. CVE-2012-2388 has been reserved for this vulnerability. To exploit the vulnerability, a connection

Re: [strongSwan] OCF-linux strongswan availability

2012-06-01 Thread Martin Willi
Hi, > Does anybody know if there is a OCF-linux accelerated strongswan > available? strongSwan provides the userland components (IKE) of IPsec only and does not have direct support for OCF. We have a crypto backend that uses OpenSSL, though, and it might be possible to use OCF in userland through

Re: [strongSwan] IPSec tunnel for port based TS not working

2012-06-01 Thread Martin Willi
Hi, > Once the tunnel is established, SSH packet is getting encrypted and > is working fine. But if I try to reach the server via any other proto > like ICMP (ping), I'm not getting the reply on the client side. What does your configuration look like? Do you use a virtual IP assigned to the clien

Re: [strongSwan] Dynamic control of enabling/disabling plugins at run time?

2012-06-01 Thread Martin Willi
Hi, > So, it would be ideal to have some sort of 'dynamic control at run > time' in strongswan.conf to indicate which plugin is to be > 'enabled/disabled'. Besides the load statement, there is currently no option to enable/disable the revocation plugin globally. Have you seen the ipsec.conf stric

Re: [strongSwan] how to get the virtual ip in a program

2012-06-01 Thread Martin Willi
Hi Nitin, > I want to know is there any system level variable or container that > stores the virtual IP assigned by the strongSwan server to the > strongSwan client's interface. When using the attr-sql [1] pool backend, you can use "ipsec pool --leases" on the server to list all leases. When usin

Re: [strongSwan] HA cluster IP works for a limited period of time

2012-06-01 Thread Martin Willi
Hi Wolfgang, > Once the setting of the virtual IP's on each virtual machine is done (eth0:0), > We can actually ping that address from the laptop. Unless the ClusterIP rules are installed, these pings probably use the real interface MAC address, poisoning the ARP cache on your client. > Problem

Re: [strongSwan] A bug of nat-virtua-ip ?

2012-06-01 Thread Martin Willi
Hi, > moon : > cpu: 333 MHz PowerPC > Then the client alice sends the udp packets of 100 bytes length every > 10 microseconds with about 10 threads at one time. Under these > circumstances, the idle of moon's CPU would be less than 10%, even > 0% . 10 * 100 bytes / 0.1s = 100MB/s If

Re: [strongSwan] Simple? PSK Setup

2012-06-04 Thread Martin Willi
Hi Chris, > I have followed > http://wiki.strongswan.org/projects/strongswan/wiki/WindowsVista after > not being able to configure a successful connection in windows 7 using > the agile vpn client. I think you are mixing things up. The wiki page documents how to connect Vista through the Windows

Re: [strongSwan] Security vulnerability

2012-06-04 Thread Martin Willi
Hi Andreas, > If the gmp plugin is not enabled in strongswan.conf, is it in use or > not? If no load statement is given, the plugin configuration depends on your ./configure options. If you didn't --disable-gmp explicitly, it is built and used by default. > Is it possible to see all used plugins

Re: [strongSwan] Virtual-IP

2012-06-12 Thread Martin Willi
Hi Daniel, > I'm wondering if routing rules within the example were added > automatically by strongSwan or if they were set manually. Yes, they get installed unless charon.install_routes is set to "no" in strongswan.conf. > If strongSwan does it automatically, can you please tell me which is > t

Re: [strongSwan] Strongswan IKEv2 Performance (Tunnel Establishment rate per second)

2012-06-17 Thread Martin Willi
Hi, > I need to run a performance test for finding out IKEv2 Tunnel > Establishment Rate (no of tunnels per second), I have a DUT running > strongswan-4.3.6 on OpenWRT. > > How to do this? I have tried with Load-Tester Plugin setup, but that's > just load. How to find out the rate of tunnels est

Re: [strongSwan] IKE_SA getting established even without CA cert being present

2012-06-17 Thread Martin Willi
Hi, > I have copied the End Entity certificate and key; but I have not copied > the CA certificate. It looks like you are using the same certificate and key for the two peers. Is this correct? > I was expecting the connection to fail, as authentication should fail > in this case. > leftcert="/e
