Hi,
Is there any support strongSwan could provide to explicitly specify the
IKE integrity and PRF algorithms in the future?
Yes. I've implemented this last week (the last three patches from [1]),
it will be available in the next release.
Regards
Martin
I have also expressed the concern to do similar provisioning for
esp= param as well. Can the check be extended for PROTO_ESP too ?
There is no PRF involved in ESP SAs, nor is a dedicated PRF used in
CHILD_SA establishment. Hence I see nothing we could configure
there.
Regards
Martin
Hi,
# ipsec command not found
Some packagers have renamed the ipsec script to strongswan, I think
this is the case on Fedora.
conn ios
authby=secret
You have a PSK authenticated config, but your client
looking for XAuthInitPSK peer configs matching
Hi,
IKEv1 Information-Notice: transmit success. (R-U-THERE?).
IKEv1 Information-Notice: transmit success. (R-U-THERE?).
IKEv1 Dead-Peer-Detection: maximum retransmits. (DPD maximum retransmits).
IPSec Controller: IKE FAILED. phase 6, assert 0
racoon sends DPD requests, but strongSwan does
Hi Jon,
no netkey IPsec stack detected
If you intend to use the native Linux IPsec stack (Netkey), make sure to
have the appropriate kernel options enabled [1].
load file /usr/local/lib/ipsec/plugins/libstrongswan-openssl.so:
libcrypto.so.1.0.0: cannot open shared object file: No such file
Hi Gerald,
a.) Increase max cert req payloads to 20 (this is not smartcard
related, but necessary for me because I have 6 ca certs in etc/cacerts)
Yes, seems to make sense for IKEv1, as we have a CERTREQ for each CA.
b.) Increase max length of pubkey id from 63 to 127 (the eToken has an
id
Please look at the server log; I can't paste it because it is verbose (4.5M):
Please use the standard loglevels to debug in a first step. They are
usually sufficient, but way easier to review.
This user's DPD problem starts at 13:35 (1 hour difference between server
log and client log)
From what I
Hi,
received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
no
Hi Ali,
and now I think HA is only supported in IKEv2. Am I right?
This was true for 4.x, but is not anymore for 5.x. charon now handles
IKEv1, and the HA plugin can handle IKEv1 as well.
It hasn't been tested extensively, though, and there may be some issues
with some scenarios. But feel free
Hi Dimitry,
Please tell: if I use strongSwan + eap-radius + FreeRADIUS, will all
user passwords be stored encrypted in the MySQL database?
This does not depend on strongSwan, but on your clients and your RADIUS
installation. If you connect Windows 7 clients with EAP-MSCHAPv2, your
RADIUS
Hi,
1)Charon HTTP requests use the protocol and port from /etc/services (e.g.
TCP/80)?
2)Charon supports the rfc3986 - Uniform Resource Identifier (URI): Generic
Syntax?
CRL fetching is delegated to libcurl (http://curl.haxx.se/libcurl/). I
assume it uses /etc/services, but have never
Hi Clarence,
Please keep the discussion on the mailing list.
If I use the current strongswan android client with the
esp=aes256gcm16! within my ipsec.conf file should I be able to
connect? This is supported, right?
Are you now using the strongSwan App from the Play Store? No, AES GCM is
not
Hi Jordan,
I appreciate if any one could explain to me whether IKE_SA connection
instance # is unique within the entire IKE_SA list?
Yes, they are, except for rekeyings. Each new IKE_SA gets an incremented
unique identifier, but a rekeyed IKE_SA that replaces an old IKE_SA
reuses the
Is it possible to have multiple CHILD_SA under the same IKE_SA ?
Yes.
Is it possible to have multiple CHILD_SA with different connection
NAME under the same IKE_SA.
Yes, ipsec.conf connections get merged if the IKE_SA-relevant parts are
equal. This results in a single IKE_SA specific
Hi Dimitry,
Is strongSwan able to handle authentication using FreeRADIUS as the backend
auth server for Mac OS X clients?
Yes.
I compile strongSwan with --enable-eap-radius, radius is already
configured and works with xl2tp (L2TP server).
We have discussed this a few times already on this list:
The
Hi Mugur,
Can you please confirm that Charon supports multiple
distributionPoints (rfc5280) inside cRLDistributionPoints extension
(therefore multiple HTTP URI for CRL files) ?
Yes, this is supported.
If yes, then how does Charon retrieve CRLs from these DPs as a function of
strictcrlpolicy and
12[CFG] received RADIUS Access-Challenge from server 'primary'
12[IKE] XAuth-EAP backend requested EAP_MD5, but not supported
Your RADIUS server requests EAP-MD5, but your strongSwan build does not
support it. Try to --enable-eap-md5 during ./configure.
Regards
Martin
Hi Andreas,
pluto[1640]: packet from 192.168.1.100:9873: next payload type of
ISAKMP Message has an unknown value: 132
In some situations, iOS6 now uses the Cisco proprietary IKE
fragmentation, even if strongSwan did not indicate support for it. IKE
fragmentation is currently not supported in
Hi Igor,
Is $PLUTO_XAUTH_ID no longer available in strongSwan 5? If so, how do I get
the XAuth user id when using IKEv1?
No, this variable is missing in the charon IKEv1 implementation. I've
pushed a patch [1] that fixes this.
Regards
Martin
Hi,
13[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
13[IKE] no acceptable proposal found
13[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(NO_PROP) ]
Your client sends a DH group in the CHILD_SA proposals in IKE_AUTH. This
seems wrong, as a DH exchange is never
Any command to drop a xauth user's connection?
No, there is currently no direct command to terminate a connection with
a (XAuth) user id. You'll have to look up the connection manually with
ipsec status, and then terminate it with the unique IKE_SA identifier.
Regards
Martin
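Since there is no direct command, the lookup Martin describes can be scripted: parse `ipsec statusall`, pick the unique IKE_SA identifier of the XAuth user, and pass it to `ipsec down` in the `conn[ID]` form. The example below is added here and is not strongSwan code; the "Remote XAuth identity" line format it parses is an assumption about strongSwan 5.x output, and the status text embedded in it is a constructed sample, not a real capture.

```python
"""Terminate the IKE_SA(s) of one XAuth user from "ipsec statusall" output.

Added example, not strongSwan code. The line format parsed here ("Remote
XAuth identity: <name>", as printed by strongSwan 5.x "ipsec statusall") is
an assumption: check it against your installed version before relying on it.
"""
import re
import subprocess
from typing import Callable, List, Tuple

# One line per IKE_SA: "<conn>[<unique id>]: Remote XAuth identity: <id>"
_XAUTH_LINE = re.compile(
    r"^\s*(?P<conn>[^\[\s]+)\[(?P<id>\d+)\]:\s+Remote XAuth identity:\s+(?P<xid>.+?)\s*$"
)

# Constructed sample output, modelled on strongSwan 5.x "ipsec statusall".
SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
     rw[3]: ESTABLISHED 12 minutes ago, 203.0.113.1[vpn.example.org]...198.51.100.7[198.51.100.7]
     rw[3]: Remote XAuth identity: alice
     rw[3]: IKEv1 SPIs: 1c8d4e2f3a6b7c9d_i 9f1e2d3c4b5a6978_r*, pre-shared key reauthentication in 2 hours
     rw[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     rw{3}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c1d2e3f4_i a5b6c7d8_o
     rw{3}:   10.0.0.0/24 === 10.3.0.5/32
     rw[5]: ESTABLISHED 2 minutes ago, 203.0.113.1[vpn.example.org]...192.0.2.33[192.0.2.33]
     rw[5]: Remote XAuth identity: bob
     rw{5}:  INSTALLED, TUNNEL, ESP in UDP SPIs: 11223344_i 55667788_o
     rw{5}:   10.0.0.0/24 === 10.3.0.6/32
"""


def find_ike_sas(status_text: str, xauth_id: str) -> List[Tuple[str, int]]:
    """Return (connection name, unique IKE_SA id) for each SA of xauth_id."""
    found = []
    for line in status_text.splitlines():
        m = _XAUTH_LINE.match(line)
        if m and m.group("xid") == xauth_id:
            found.append((m.group("conn"), int(m.group("id"))))
    return found


def down_commands(status_text: str, xauth_id: str) -> List[List[str]]:
    """Build "ipsec down <conn>[<id>]" for every matching IKE_SA.

    The [<id>] suffix selects one IKE_SA by its unique identifier, so other
    users sharing the same connection definition are left alone.
    """
    return [["ipsec", "down", f"{conn}[{sa_id}]"]
            for conn, sa_id in find_ike_sas(status_text, xauth_id)]


def terminate_user(xauth_id: str,
                   run: Callable = subprocess.run) -> List[List[str]]:
    """Look the user up on the live daemon and tear down each IKE_SA found."""
    status = run(["ipsec", "statusall"], capture_output=True,
                 text=True, check=True).stdout
    cmds = down_commands(status, xauth_id)
    for cmd in cmds:
        run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # Dry run on the constructed sample: prints the commands, runs nothing.
    for cmd in down_commands(SAMPLE_STATUS, "alice"):
        print(" ".join(cmd))
```

Matching is on the exact XAuth identity, so a user who has logged in twice gets both IKE_SAs terminated, and a name that only prefixes another user's name is not touched. Because the unique id is reused by a rekeyed IKE_SA (see Martin's reply to Jordan further down), run the lookup and the `ipsec down` back to back rather than caching the id.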
When compiling with --enable-unity, must one then set a
unity_split_include, like:
ipsec pool --addattr unity_split_include
The unity plugin works completely independently of Split-Include
attributes configured through a pool. You should use only one of them.
The unity plugin builds
Hi Avishek,
But when I try to send a wrong ID payload, calculate the AUTH data with
that wrong ID payload and send it to the responder (in my case
strongSwan), it should process that packet. But for some reason it is
sending the Auth Failure message.
So you are just using a different IDi
Hi,
Please try to keep the discussion on the mailing list.
looking for peer configs matching 10.1.1.20[%any]...10.1.1.50[122.122.122.122]
no matching peer config found
generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Auth Payload is calculated using 122.122.122.122. But. Actual
Hi Igor,
Why a previously non-responsive server is reused to automatically
reintegrate it if it becomes available again? Any way to make it
reintegrate automatically?
The idea is that if a RADIUS server fails for some reason (reboot,
update, network outage), you might want to reintegrate it
Hi Tiago,
Hmmm, probably the Win7 clients don't like re-authentication proposed
by the strongSwan gateway.
Also check that you use modp1024 as your first DH group, and let the
client initiate rekeying if it is behind NAT. See [1].
Regards
Martin
Hi Zhiheng,
I have a sniffing and debugging need to examine the packets over the
wire. Does strongswan 5.0.1 support null ciphering? If yes, how can I
configure it?
You can use a NULL cipher in ESP packets by using the null encryption
algorithm in the esp ipsec.conf keyword. NULL encryption
Hi,
What is the type of heartbeat packet? I mean, when I use tcpdump, what
should I see?
Heartbeats use UDP packets to port 4510, equal to those sent for state
synchronization.
I asked this because I think in my test, heartbeats were
not sent. If the heartbeats were not sent, how can I find the
Hi Igor,
How can I retry it from time to time? Currently I must restart
strongSwan to let the server reintegrate.
You can reload the complete RADIUS configuration by sending SIGHUP, this
will reset server preferences and reintegrate a failed server.
The server will automatically reintegrate,
Hi Adrian,
Why is it so difficult to get these packets flowing from the tunnel to
the private network? I thought the certain commands were to add rules
in to the IPtables and remove them when the tunnel is torn down.
Unless you have a firewall with default DROP policies, you don't need
any
Hi Igor,
How can I make it so that when a user uses g1 as its group name it
selects peer config 1, and g2 uses peer config 2?
If you are talking about Group Name in the context of Cisco IPsec (as
used by iOS and OS X), this is not related to the rightgroups option.
If
Hi Igor,
The newest iOS app seems to have added IPsec and IKEv2 support
Yes, according to the changelog, IKEv2 support was added in the latest
release of Cisco Anyconnect.
Dec 11 02:00:14 14[ENC] payload type CONFIGURATION was not encrypted
Seems that this client sends a proprietary unencrypted
Hi Jordan,
Is this expected? Can any one please explain to me whether there is
dependency between PSK selector and connection leftid/rightid?
The problem is that with IKEv1 in Main Mode, you need the PSK before you
even get the remote identity or could look up an associated
configuration.
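What that ordering means for ipsec.secrets, as an added example that is not part of the thread: in Main Mode the responder has only the initiator's source address when it must pick the PSK, so the selector on the secrets line has to be something it already knows. Addresses and secrets below are constructed placeholders.

```conf
# /etc/ipsec.secrets (added example; addresses and keys are placeholders)

# Site-to-site over IKEv1 Main Mode: key the PSK by the peer's IP address.
# The peer's ID payload (message 5) is already encrypted with a key derived
# from the PSK, so a selector on leftid/rightid could never be consulted.
203.0.113.1 198.51.100.20 : PSK "replace-with-a-long-random-secret-1"

# Second gateway, its own secret.
203.0.113.1 198.51.100.21 : PSK "replace-with-a-long-random-secret-2"

# Road warriors from unknown addresses: only a line without selectors
# (or with %any) can match, so every Main Mode PSK road warrior necessarily
# shares the same secret. Per-user secrets need Aggressive Mode (which
# exposes the PSK hash to offline dictionary attack) or certificates with
# XAuth on top.
: PSK "replace-with-the-shared-group-secret"
```

The practical consequence is that a Main Mode PSK road-warrior deployment cannot distinguish users at the IKE level; the per-user credential has to come from a second round such as XAuth, or from certificates.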
Hi,
[c0007f84] cavium_ipsec_esp4_output+0xdc/0x3c0
[cvm_ipsec_kame]
[8051dec0] xfrm_output_resume+0x2f8/0x420
The kernel crashes in the IPsec extensions from Cavium. We don't have
access to these sources, you'll have to ask Cavium about this issue.
Regards
Martin
Hi,
The strongSwan responder was having trouble rekeying IKE SAs with
Windows 7 Agile VPN initiator every 3 hours due to unacceptable traffic
selectors.
According to your log (and your subject), I'd guess it is the other way
round: CHILD_SA rekeying fails once an IKE_SA rekeying completed. An
Hi,
pluto[3388]: | ignoring IKEv2 packet
charon: 13[IKE] deleting IKE_SA android[4]
If you are using IKEv2 only, pluto is not required. Disabling it will
help you in debugging, man ipsec.conf for details how to do it.
12[IKE] received INTERNAL_ADDRESS_FAILURE notify, no CHILD_SA built
Hi Pawel,
charon: 01[ENC] certificate encoding ENC_PKCS7_WRAPPED_X509 not supported
Charon currently doesn't handle these exotic PKCS#7 wrapped certificates
sent by XP clients using certificate authentication.
It shouldn't be too hard to implement it, though, as we have the PKCS#7
charon: 10[IKE] no trusted RSA public key found for 'C=PL, S..
By the way, you might try to just configure the end entity certificate
using rightcert. But this of course won't scale to a larger userbase.
Regards
Martin
___
Users mailing list
Hi,
I have a problem with Charon seemingly locking up after initialization.
charon {
# number of worker threads in charon
threads = 1
This won't work. Charon requires dedicated threads for certain tasks
(such as processing requests from the ipsec
Hi Michael,
Is there a way to specify in Strongswan 5.0.1 an authentication
combination of xauth-pam and rsa?
Yes, see [1]. You can authenticate the client with RSA first using
rightauth=pubkey, and then XAuth using rightauth2=xauth-pam.
Regards
Martin
Hi Claude,
Is the rightgroups parameter in ipsec.conf applicable to certificate DNs?
No, none of the DN components is interpreted as group.
To limit a connection to an O=, OU= or other RDN you can use wildcards
in rightid, such as C=CH, O=strongSwan, OU=sales, CN=*.
Regards
Martin
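Martin's two answers above (pubkey followed by XAuth for Michael, and a wildcard rightid instead of rightgroups for Claude) combine into one connection definition. The following is an added example and not from either thread; the gateway address, certificate file, DNs and pool are placeholders.

```conf
# ipsec.conf (added example, not from either thread; names and addresses
# are placeholders)
conn rw-sales
    keyexchange=ikev1
    left=203.0.113.1
    leftcert=gwCert.pem
    leftid="C=CH, O=strongSwan, CN=vpn.example.org"
    leftauth=pubkey
    right=%any
    # Round 1 (rightauth): the client signs with its certificate. The
    # certificate subject must match this DN pattern; the CN wildcard is the
    # only "group" notion available here, rightgroups does not look at DNs.
    rightauth=pubkey
    rightid="C=CH, O=strongSwan, OU=sales, CN=*"
    # Pin the issuing CA as well, so a second trusted CA cannot issue a
    # certificate whose subject happens to match the pattern.
    rightca="C=CH, O=strongSwan, CN=strongSwan Sales CA"
    # Round 2 (rightauth2): XAuth username/password checked through PAM
    # (needs the xauth-pam plugin built and loaded).
    rightauth2=xauth-pam
    rightsourceip=10.3.0.0/24
    auto=add
```

The DN pattern restricts which certificate subjects are accepted; rightca restricts who may have issued them. Leaving rightca out means any CA in the trust store that issues a matching OU=sales subject is accepted, which is rarely what a per-department connection is meant to allow.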
Hi,
my workaround is to store all client certificates in the aacert directory.
If you haven't seen it, a patch bringing PKCS#7 support has been
integrated and will be part of 5.0.2. If you want to give it a try right
now, you can build the developer release at [1].
Regards
Martin
Hi,
ike=aes256gcm16-aesxcbc-modp2048!
esp=aes256gcm16-modp2048!
[...] why we need aesxcbc for ike in conjunction with
aes256gcm16?
In the esp keyword, you define an encryption and an integrity
algorithm, and optionally a DH group used when rekeying the CHILD_SA.
In the ike
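The split Martin starts to describe, and the explicit PRF keyword asked for at the top of this page, side by side as an added configuration example (not from the thread). The prf* keyword syntax is that of later strongSwan releases and is an assumption here; hosts, certificate and DNs are placeholders.

```conf
# ipsec.conf fragments (added example, not from the thread; hosts are
# RFC 5737 placeholders). Each proposal lists encryption, then integrity
# (for ike=, the PRF is derived from it), then the DH group; the trailing
# "!" makes the proposal list strict.

conn site-legacy-syntax
    left=203.0.113.1
    right=198.51.100.20
    leftcert=gwCert.pem
    rightid="C=CH, O=Example, CN=branch.example.org"
    # AES-GCM is an AEAD, so no separate integrity algorithm is negotiated
    # for IKE; "aesxcbc" here is consumed only as the PRF (PRF_AES128_XCBC),
    # which is why it has to be present even though nothing is HMACed.
    ike=aes256gcm16-aesxcbc-modp2048!
    # ESP has no PRF: encryption (AEAD, so no integrity) and the DH group
    # that is used only when this CHILD_SA is rekeyed.
    esp=aes256gcm16-modp2048!
    auto=add

conn site-explicit-prf
    left=203.0.113.1
    right=198.51.100.20
    leftcert=gwCert.pem
    rightid="C=CH, O=Example, CN=branch.example.org"
    # With a prf* keyword the PRF is named directly and no integrity
    # algorithm is implied, which is what the original question asked for.
    ike=aes256gcm16-prfsha256-modp2048!
    esp=aes256gcm16-modp2048!
    auto=add
```

To check what was actually negotiated, the "IKE proposal:" line of `ipsec statusall` lists the PRF component alongside the cipher and DH group; the ESP line lists no PRF, matching Martin's earlier answer that there is none to configure there.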
Hi,
1) List of loaded plugins without the openssl for the failed test case.
00[LIB] key integrity tests failed
00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
When openssl plugin was enabled, we created a patch file as workaround
to bypass the RSA_check_key.
If I
Hi Jordan,
I kept build flags from 5.0.0. and the only flag I added is CFLAGS +=
-DCONFIG_H_INCLUDED=1. I use my own build files and I don't use
config.h.
I think this is problematic. The build options have changed with the use
of config.h, and I don't know how this behaves when not using
Hi Rachel,
Does Strongswan support IKE v2's CP(CFG_REQUEST) with multiple
INTERNAL_ADDRESS attributes?
Yes. Starting with strongSwan 5.0.1, strongSwan can send multiple
addresses.
To configure it, define two addresses or explicit/named pools in the
ipsec.conf rightsourceip option, separated
Hi Markus,
the tunnel won't get up if I only do an ipsec start and try to ping a
machine on the remote network. The Juniper device complains about wrong
*/32 ProxyIDs.
Are you using strongSwan 5.0.0? If yes, this is a known bug and has been
fixed [1] in 5.0.1. 5.0.0 included the traffic
Hi,
I have a VPN (strongSwan 5.0.2) which is a gateway for all traffic
(iOS devices, IKEv1). I would like to exclude certain sites (aka
hostnames) from that.
As far as I know, split-exclude does not work with iOS clients. It works
with OS X, but unfortunately not with iOS or the native
Hi Brian,
I'm finding that clients drop after 45 minutes because the client
wants to rekey, but doesn't expect to have to perform XAUTH
authentication again.
Yes, that's a known issue with iOS clients. I didn't know the same
applies to OS X, though.
sending an OK status immediately instead
Hi,
a] that my www.2600.com experiment is a valid one and that my
expectations are correct
It is, but I don't think it is possible to get Split-Exclude working
with iOS.
b] if you saw anything meaningful/useful in the log output I provided.
Shunted Connections:
Unity (ios[1]:
Hi Andrew,
IDir '165.228.92.xx' does not match to '165.228.92.xx'
This usually means that the peer identifies itself as '165.228.92.xx',
but you have configured and are expecting an identity of
'165.228.92.xx'. The daemon sees a difference between these identities,
and hence rejects this
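One condition that produces exactly this log line is an identity type mismatch: strongSwan compares the identity type together with its value, so an IPv4-address identity never matches an FQDN identity that prints the same text. The fragment below is an added example, not from the thread, and a guess at Andrew's situation; the address is a placeholder standing in for 165.228.92.xx.

```conf
# ipsec.conf fragment (added example, not from the thread; the address is
# a placeholder). Same string, two identity types: which one is right
# depends on what the peer actually puts in its ID payload.
conn peer-by-address
    right=192.0.2.10
    # plain dotted quad: parsed as an ID_IPV4_ADDR identity
    rightid=192.0.2.10

conn peer-by-fqdn
    right=192.0.2.10
    # leading "@": parsed as an ID_FQDN identity carrying the same text
    rightid=@192.0.2.10
```

Raising the ike log level shows the type of the received IDir next to its value, which settles which spelling the peer expects. Setting rightid=%any makes the error go away but also removes the identity check, so it is a diagnostic step, not a fix.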
Hi Sasi,
With strongswan's 4.4.0 I didn't face any issue, since the libs are
installed under /usr/lib64/.
There is a --with-ipseclibdir ./configure option that you can use to
change the library path to whatever you prefer.
Regards
Martin
Hi Azfar,
I am using Strongswan 4.5.2 (Debian Squeeze) with xauthrsasig auth type.
Now I want to replace ipsec.secrets and put a radius server.
In 4.5.2, IKEv1 is handled in the pluto daemon. Pluto does not have
support for RADIUS authentication.
With strongSwan 5.x, we reimplemented IKEv1 in
Hi Gerald,
to me it seems that charon (5.0.1) does not support phase 1 rekeying at
all?
It does. However, strictly speaking, there is no such thing as Phase 1
rekeying (as it exists in IKEv2). ISAKMP SAs get reestablished from
scratch to replace the old one.
charon was initially designed for
Hi Claude,
I'm using the xauth-pam module and strongswan runs as unprivileged user
'vpn'. [...] charon is not permitted to read /etc/shadow, even when
adding user 'vpn' to the group 'shadow' which is allowed to read the
file.
I've tried to reproduce that, unfortunately without success. It
Hi,
we should install the bypass policy between the local 192.*
address and 2600.com. [...] I don't know if we need some changes to route
installation
I have pushed two changes to [1], fixing Unity Split-Excludes as
strongSwan client when using virtual IPs. We now add a shunt for the
local
Hi Graham,
I've configured the local machine to expect to perform certs authentication
followed by EAP-AKA.
How did you configure this? I assume the configuration on the initiator
looks something like:
rightauth=pubkey
leftauth=pubkey
leftauth2=eap
If I then configure the remote to
Hi Adrian,
Can anyone provide me any information on if strongSwan currently
support the following RFC or not?
No, strongSwan currently does not support brainpool curves in any form.
RFC 5639 defines the use in certificates only. For the use in the DH key
exchange, an additional standard would
Hi,
Scenario 1: No child SA allowed using CREATE_CHILD_SA (apart from the
one created during the AUTH exchange). How does strongSwan behave in
this case? Will it delete the IKE and try to recreate the IKE child
again?
No. The CHILD_SA does not get created, but no further actions follow.
Hi,
If the responder rejects the CREATE_CHILD_SA request with a
NO_ADDITIONAL_SAS notification, the implementation MUST be capable of
instead deleting the old SA and creating a new one.
I'd say strongSwan is capable of doing that. But instead of just closing
and recreating the CHILD_SA, we
Hi,
But I think we are violating the following RFC clause here right ?
failed attempt to create a Child SA SHOULD NOT tear down the IKE SA:
there is no reason to lose the work done to set up the IKE SA.
I don't think so. This statement is in the section of creating
CHILD_SAs, not rekeying
Hi,
Suppose the IKE_SA has multiple CHILD_SAs (one IKE_SA with multiple
CHILD_SAs under it); deleting and recreating the IKE_SA (deleting all
CHILD_SAs too) also affects the traffic on the other CHILD_SAs. In that
case, how to handle that situation?
As said, if an implementation can handle multiple
Hi Zoltan,
During initial exchange when IKE_AUTH response is lost [...]
ignoring IKE_AUTH in established IKE_SA state
Any thoughts on this issue (seems to pose some reliability problems)?
Yes, this is a bug I have introduced in the latest release. It has been
fixed in master with [1].
Hi,
There are a lot of exchanges in your log, and many of them fail for
different reasons. The error
14[IKE] failed to establish CHILD_SA, keeping IKE_SA
results from
14[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
which means that the other peer does not accept the crypto
Hi Victor,
How many IPsec VPN tunnels can strongswan handle?
I don't have much experience with upscaling our new (5.x) IKEv1
implementation in charon yet. However, it uses the same architecture as
IKEv2, which can handle several ten thousand tunnels when configured
properly.
What maximum
Hi Chad,
src 192.168.1.208 dst 192.168.1.3
proto esp spi 0xc19173e1(3247535073) reqid 4(0x0004) mode tunnel
replay-window 32 seq 0x flag af-unspec (0x0010)
enc cbc(aes) 0xccde20ccf4265eaf08aebd1b0b80c487 (128 bits)
This looks suspicious. The
Hi Justin,
SERVER ipsec.conf
[...]
leftcert=cert.pem
leftid=%any
In strongswan, it is required that you define a leftid that is contained
in your certificate, either as subject or as subjectAltName. This is
certainly not the case for %any, hence the daemon overrides leftid with
Here is the state on the ubuntu machine:
auth-trunc hmac(sha1) 0x7198930c79ce8e6d60365a9f87212e365c596f4e (160 bits) 96
enc cbc(aes) 0xce4e5ad80e7927091973c8d1de9aa30f (128 bits)
That looks much better.
My DUT is using a Freescale BSP Linux 2.6.38 MIPS compiled with mc68.
Either
I tried a manual entry and it looks good. So is there a strongswan config
option perhaps I am missing?
No, looks more like a bug. Unfortunately it is very difficult for me to
debug this without having such a board. If you want to debug this
yourself, have a look at [1] how the Netlink
From 8737c848c40c7b1abd2fcbb2b65c03574adf413c Mon Sep 17 00:00:00 2001
From: Martin Willi mar...@revosec.ch
Date: Fri, 8 Mar 2013 15:21:36 +0100
Subject: [PATCH] Add missing XAuthRespPSK switch case to IKEv1 key derivation
---
src/libcharon/sa/ikev1/keymat_v1.c |1 +
1 file changed, 1 insertion
Hi,
Please don't double-post to the bug tracker and the mailing list,
reporting issues in one place is sufficient.
937[ENC] parsed IKE_SA_INIT request 61 [ SA KE No V ]
937[IKE] received message ID 61, expected 0. Ignored
I want to know why the memory of charon keeps rising.
It seems that
Hi Chad,
I traced the root issue to an alignment problem in the strongswan macro
NLMSG_LEN.
NLMSG_LENGTH is not a strongSwan macro, but one defined by the netlink.h
Linux header.
The len value passed in was never aligned and therefore the kernel
is off by two bytes when it computes the
Hi Gerald,
The IKE Rekeying succeeds, but afterwards it gets
stuck within a mode_config request. I don't think there should be a
mode_config request during rekeying or I am wrong?
strongSwan binds an INTERNAL_IPx_ADDRESS to the ISAKMP_SA, so it is valid
only during the lifetime of an ISAKMP_SA.
Hi,
1) A second IKE_SA is created by strongSwan, even if there is only one IKE_SA
configured at the DUT.
A REAUTH is initiated by the DUT (strongSwan) with an INFORMATIONAL message.
The remote end (an IKEv2 emulator) sends the response with a delay of roughly
22 s.
In between, strongSwan is
Hi,
[...], the traffic is not forwarded. The VPN gateway has an internal IP
192.168.16.45 and an external IP like XXX.XXX.94.199. So when the
client comes from the network 192.168.170.x, and not from 192.168.16.x,
nothing happens.
As you don't seem to assign a virtual IP to the client, how
I'm awaiting your response regarding the UNSUPPORTED_CRITICAL_PAYLOAD query.
Yes, that should be possible by sending a payload, for example in the
private range, having the critical bit set. I haven't tested if this
works correctly with 4.5.3, though.
Meanwhile, I'm attaching the logs for
Hi,
Following is the excerpt from RFC 4301 (section 4.1) which suggests
supporting multiple SAs between a given sender/receiver pair with the same
traffic selectors. How to configure such connections (policies) in the
ipsec.conf file?
The Linux Netkey IPsec stack does not allow to install
The client is an Android phone with the Strongswan app.
I've never tried that on an Android kernel. Do the multicast packets get
forwarded? Do you see them arriving at the server?
leftsubnet=192.168.2.0/24,239.255.255.250/32
Is the target for these SSDP packets the local host? If
Hi Mugur,
SEG cert chain : RootX/sub-CAy/SEG (same hierarchy, different end
entities)
SEG sends only the SEG certificate in CERT payload (instead of
sub-CAy/SEG)
Does authentication work?
As long as you have the correct sub-CAy installed on your client, it
should be no problem
Hi,
The daemon modules of charon said it received signal 10 and killed itself.
I checked the usage of Linux signals in the Linux manual, and found that
signal 10 means SIGBUS, because of a bad memory access.
Under which architecture does your system run? What compiler did you
use?
To identify the
Hi Eric,
I see that Vista support appears possible [...]. It would do this via
Windows firewall rules. This is rather different than the way I set up
Windows 7, which was through Windows Set up a connection or network
GUI.
It should be possible to set up a VPN connections through the Windows
Hi Patrick,
So I want to have each box provide it's own subnet, and then a larger
subnet which encompasses the other IPsec gateway. This way traffic
will take the shortest route to each remote subnet, but if an IPsec
gateway goes down, the traffic will route through the remaining
gateway.
Hi,
In an updown script it seems that $PLUTO_PEER gives me the public
address of the VPN user. Is there any way to get the VPN address
assigned to the user (i.e. the 10.x.x.x address).
Yes, just have a look at the default updown script, it explains all
variables supported. PLUTO_MY_SOURCEIP
Hi Matt,
00[KNL] unable to set IPSEC_POLICY on socket: Invalid argument
On what architecture/kernel does strongSwan run? Are you running 32-bit
userland on a 64-bit kernel?
Regards
Martin
Hi Karl,
11[IKE] ignoring IKE_AUTH in established IKE_SA state
That message is triggered by a bug, see [1]. It prevents charon as a
responder to retransmit the last IKE_AUTH message. Applying the patch at
[1] should fix that issue.
It appears that the phone is either never seeing the AUTH
Hi,
Does the strongswan support sending of INITIAL_CONTACT notification ?
If so, do we need to enable it with some configuration parameter ?
Yes, charon sends an INITIAL_CONTACT notify if it has a uniqueness
policy of replace or keep. man ipsec.conf for the uniqueids option
with more details
Hi,
Linux strongSwan U4.5.3/K2.6.32.60-1-lfs130202-ci1-fct
Linux strongSwan U5.0.2/K2.6.18-128.el5
Why is there such a difference between two outputs?
strongSwan 5.x introduces a completely new implementation of the IKEv1
protocol in the charon daemon (that previously handled IKEv2 only).
Hi,
But I couldn't see any parameter to achieve this in the 4306/5996 as
part of INIT, auth or create_child_SA messages. Could you please put
more light on this topic ?
There is no mechanism in IKEv2 to negotiate anti-replay window options.
How do we enable/disable anti replay on
Hi,
12[IKE] client.ip.address is initiating a Aggressive Mode IKE_SA
12[CFG] looking for XAuthInitPSK peer configs matching
server.ip.address...client.ip.address[group]
12[IKE] no peer config found
I don't see the aggressive keyword in your ipsec.conf. Have you set
it? man ipsec.conf for
Hi Michi,
Does strongswan support policy groups?
No, strongSwan currently does not know such a configuration concept.
how can I configure strongswan so that it never sends traffic in clear
text?
Usually you can achieve this with a routed policy, i.e. one with the
auto=route keyword to a
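The routed policy Martin refers to, written out as an added configuration example (not from the thread; addresses, certificate and DN are placeholders). The point it demonstrates is the difference between auto=add, where nothing protects the traffic until someone runs `ipsec up`, and auto=route, where the policy exists from startup and holds traffic back until the tunnel is up.

```conf
# ipsec.conf (added example, not from the thread; addresses are placeholders)
conn branch
    left=203.0.113.1
    leftsubnet=10.1.0.0/16
    leftcert=gwCert.pem
    right=198.51.100.20
    rightsubnet=10.2.0.0/16
    rightid="C=CH, O=Example, CN=branch.example.org"
    # auto=route installs the IPsec policies at startup without negotiating,
    # as a "trap": the first packet matching 10.1.0.0/16 -> 10.2.0.0/16
    # triggers the IKE exchange and is dropped, never sent in clear, until
    # the CHILD_SA is installed. With auto=add the same packet would leave
    # the host unprotected, because no policy exists before "ipsec up branch".
    auto=route
    # On a dead peer, fall back to the trap instead of removing the policy,
    # so traffic stays blocked until the tunnel is renegotiated on demand.
    dpdaction=hold
    dpddelay=30s
```

Only traffic matching the configured selectors is covered by the trap; anything outside 10.1.0.0/16 to 10.2.0.0/16 is not IPsec traffic at all and still leaves in clear, so the selectors must describe everything that is supposed to be protected.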
Hi Jordan,
I would like to import the code changes for IKEv1 fragmentation
extension to strongswan 5.0.1. I appreciate if anyone can guide me
how to get the specific changes (diff).
The merge for IKEv1 fragmentation was 21235e1e.
With git as your friend, you can get the associated changes,
Hi Wolfgang,
5.0.4 did not send the rightsubnet for IKEv1 correctly. Is this a bug or
am I missing something in my configuration?
I can't reproduce here that charon sends an invalid subnet. It might do
so when using a sourceip, but it shouldn't otherwise.
Have you tried to increase the cfg
Hi Anton,
So why does IPComp not work through NAT or UDP encapsulation? I
suspect there is some fundamental reason (protocol restrictions or
so).
There is no protocol restriction or anything that could prevent IPComp
from working over NAT. However, there were some restrictions with the way
Hi Anton,
(192.168.0.0/22 - main NET1)--[Main VPN gateway]=={internet}==[office VPN
gateway]--(192.168.1.0/24 - office NET2)
Is it possible to use farp plugin for this task ?
The farp plugin is actually very simple; it fakes ARP responses to
itself for any request that:
* comes from
Hi Paul,
16[ENC] parsed QUICK_MODE request 3295287818 [ HASH SA No ID ID ]
16[ENC] generating QUICK_MODE response 3295287818 [ HASH SA No ID ID ]
02[ENC] parsed QUICK_MODE request 1762205300 [ HASH SA No ID ID ]
01[ENC] parsed QUICK_MODE request 3295287818 [ HASH ]
01[IKE] sa payload
I recently tried the patch which removes the restriction on IPComp from
NATd connections and unfortunately it appears not to work.
Hm, looks like there was good reason why we disabled IPComp on NATed
connections.
In my short test the connection worked, but I NATed on the same box as
Hi Francois,
Anyway, these variables seems to be hard coded in charon (at ./configure
time). As IKEv2 support is really required, I was wondering if I missed
something. Is there any way to change these parameters on a per-process
basis?
No, these paths are hard coded, there are currently no
Hi Olivier,
strongSwan sends its Vendor ID in Main Mode 1; iOS sends its Vendor ID
in Main Mode 4, but strongSwan does not seem to recognize it.
Yes, we currently process vendor ID payloads in the first message only.
Seems that this is insufficient for some implementations.
When I find some
Hi Jeremy,
I recently tried the patch which removes the restriction on IPComp from
NATd connections and unfortunately it appears not to work.
I did some more testing with IPComp enabled over NAT.
Everything seems to work fine here (on Linux 3.0.2), I can't reproduce
the issue you are seeing.
Hi,
what I see with load-tester is that TSr is by default the remote IP
address (as it is configured in strongswan.conf).
Yes.
I need to send the traffic from host behind Y to host behind X and
vice-versa via IPsec tunnels established between A and B.
Custom traffic selectors in