Re: [strongSwan] [Strongswan][Error] Loaded 0 Radius server configurations

2013-10-04 Thread Martin Willi
> For my setup all the configurations are read from /usr/local/etc/*.conf. > ./configure [...] --with-strongswan-conf ./configure --help says: > --with-strongswan-conf=arg > set the strongswan.conf file location (default: > ${sysconfdir}/st

Re: [strongSwan] Strongswan with ios problems

2013-10-10 Thread Martin Willi
Hi, > 14[NET] received packet: from 217.218.83.90[500] to 37.123.118.145[500] (292 > bytes) > 14[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ] > 06[JOB] deleting half open IKE_SA after timeout The Main Mode does not complete, because the server does not receive the packet for the next mess

Re: [strongSwan] Multiple Child_SAs are causing traffic drop

2013-10-16 Thread Martin Willi
> > With 5.1.0 we now reject the installation of a policy if we already have > > one installed with the same selectors, but different reqids. This will > > make CHILD_SA negotiation fail, and you should only ever have one > > CHILD_SA for the same selectors (but different reqids). > Can somebody

Re: [strongSwan] regarding starter when logging option is used

2013-10-16 Thread Martin Willi
> is there any way to reduce the buffer size so that it could show > the logs earlier. Yes, you can set the "flush_line" option to "yes" to force a buffer flush after each line. See [1]. Regards Martin [1] http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration

Re: [strongSwan] IPSec -Charon versus Pluto

2013-10-17 Thread Martin Willi
Hi Farid, > I have observed if I select charonstat=yes and plutostart=no ipsec > is not listening in all interfaces With strongSwan 4.x, two IKE daemons have been in use. Pluto handled IKEv1 connections, while charon was responsible to handle IKEv2 connections. Both protocols receive messag

Re: [strongSwan] iOS native app?

2013-10-18 Thread Martin Willi
Hi Kris, > Is there any plan or possible to submit an app to App Store? I > understand the iOS VPN API is not public and limit to some venders, > but OpenVPN seems got it and has an app on App Store. We think that a strongSwan iOS App would be of great value, but as you said, access to that priva

Re: [strongSwan] question about how to connect from a mobile station

2013-10-24 Thread Martin Willi
Hi, > IKE_SA 1[1] established between > 10.227.110.112[lmu55]...216.177.93.234[lmudiag] > generating QUICK_MODE request 1438687057 [ HASH SA No ] > sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes) > sending retransmit 1 of request message ID 1438687057, seq 4 > sendin

Re: [strongSwan] trouble with the traffic selector

2013-10-24 Thread Martin Willi
Hi, > I want to route all the traffic originating from android device to be > tunneled through the gateway using the tun0 interface. The Android App does no narrowing itself, that happens on the responder only. To tunnel all traffic from the Android device, set leftsubnet=0.0.0.0/0 on the respond

Re: [strongSwan] Best practice for win7 <-> strongswan 5.1

2013-10-24 Thread Martin Willi
Hello Björn, > As you can see I tried to do that with eap, but didn't get it to work. "didn't work" is not a failure description that allows us to help. I'd try to start with a simple setup terminating EAP-MSCHAPv2 at the Gateway, no RADIUS involved. > strongswan-5.1.0 # ./configure --enable-p

Re: [strongSwan] strongswan <-> juniper tunnel

2013-10-24 Thread Martin Willi
Hi Axel, > In charon log (ike=2) this looks like this: > Oct 22 23:11:54 06[IKE] initiating Main Mode IKE_SA dorn[35] to ccc.ddd.70.155 > Oct 22 23:11:54 08[IKE] initiating Main Mode IKE_SA dorn[45] to ccc.ddd.70.155 > Oct 22 23:11:54 13[IKE] initiating Main Mode IKE_SA dorn[37] to ccc.ddd.70.155

Re: [strongSwan] XAuth-EAP method backend not supported: radius

2013-10-24 Thread Martin Willi
> "XAuth-EAP method backend not supported: radius" > listplugins shows that I have the required plugins enabled: Probably something is wrong with your eap-radius configuration. Do you see the following log entry during startup? > loaded 1 RADIUS server configuration If not, please check that y

Re: [strongSwan] OS X strongSwan client

2013-10-24 Thread Martin Willi
Hi Kris, > > Hi, I saw log 'installing 8.8.8.8 as DNS server...', but in my 10.9 > > system, the DNS still the old ones, is this a known issue? charon currently appends the new DNS servers to the existing ones, so the system can try both. This might make sense as fallback on some setups, but I'l

Re: [strongSwan] routing based on rightid

2013-10-24 Thread Martin Willi
Hi Hans, > I added multiple certificates OU= to the cert store, hoping > that Windows would ask me which one to use, with no luck. I assume you are using Machine Certificates to authenticate the clients? I'm not aware of a way to enforce a specific certificate in IKE authentication. What you mig

Re: [strongSwan] Performance issue with 25k IPsec tunnels (using 5.0.4 strongswan and load-tester plugin)

2013-10-24 Thread Martin Willi
Hi, > gmpn_addmul_1 function in libgmp.so.3.4.1 consumes most of the CPU > cycles on both the Linux systems Yes, this was to be expected; DH computation is the most expensive task. > Do I need to use the Libgcrypt instead of GMP library? Probably that won't help, GMP is likely the fastest DH backe

Re: [strongSwan] Antw: Re: Best practice for win7 <-> strongswan 5.1

2013-10-24 Thread Martin Willi
> Error 13801 ike authentication credentials are unacceptable... > 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ] > 07[NET] sending packet: from 456.456.456.456[4500] to Most likely the Windows client does not accept the server certificate. Make sure that you have: *

Re: [strongSwan] trouble with the traffic selector

2013-10-25 Thread Martin Willi
Hi, > With this when I run tcpdum on both tun0 and wlan0, I see all the ESP > packets going through Wlan0 and not tun0. I'd say that's the idea; plain packets go over the virtual adapter, encrypted ones over your physical connection. > What am I missing here? Why is the route added as 0.0.0.0/1

Re: [strongSwan] strongswan <-> juniper tunnel

2013-10-25 Thread Martin Willi
Axel, > > Could you post a more complete log (all levels 1) to see where these > > initiates come from? > > You mean: Beside that your mailer messed up the log and made it hard to read, the provided log does not show the same behavior as the previous one. I just see three initiations; two tunne

Re: [strongSwan] Issues with kernel-libipsec and \32

2013-10-25 Thread Martin Willi
Hi Tobias, > I am working on a research project where we compare performances of a VPN > connection with ipsec in kernel space with ipsec in user space. Just FYI: Such a comparison with kernel-libipsec is probably not that meaningful; our libipsec backend is relatively new and didn't yet get any

Re: [strongSwan] routing based on rightid

2013-10-28 Thread Martin Willi
> Selecting test-oti.dom.ch failed due to strongswan always using peer > 'dev' (the first one) and the eap_identity mismatching. Looks like > the peer config is selected before the eap-tls comes into play. Am I > missing something here? Yes, the peer config is selected before EAP-TLS starts, as

Re: [strongSwan] StrongSwan on PowerPC [KNL] received netlink error: Operation not supported (95)

2013-10-30 Thread Martin Willi
Hi Luka, > Oct 30 07:34:39 00[KNL] received netlink error: Operation not supported (95) > Oct 30 07:34:39 00[KNL] unable to create IPv4 routing table rule > Oct 30 07:34:39 00[KNL] received netlink error: Operation not supported (95) > Oct 30 07:34:39 00[KNL] unable to create IPv6 routing table ru

Re: [strongSwan] Fwd: StrongSwan on PowerPC [KNL] received netlink error: Operation not supported (95)

2013-10-30 Thread Martin Willi
> I've added charon.routing_table=0 to strongswan.conf > 00[KNL] unable to create IPv4 routing table rule The option is not in effect; otherwise that error won't show up. Make sure you edit the strongswan.conf that charon reads, and you use the correct syntax (you can't write charon.routing_table

Re: [strongSwan] Mac OS X 10.9 Mavericks - StrongSwan Native Application - constraint checking failed

2013-11-01 Thread Martin Willi
Hi Fred, > I am trying to get the mac osx native application to connect to it > (tested 5.1.0-4 and 5.1.1-1) using strongswan installed via homebrew. I assume you are referring to our new OS X App with the GUI? There is no external dependency; no homebrew packages required for it. > 13[IKE] aut

Re: [strongSwan] Configuration of RIGHTID with a wildcard

2013-11-01 Thread Martin Willi
Hi Adrian, > Fails > rightid=*@srpvpn.net Do you have a little more information about what exactly fails? Loading the config? Negotiating the tunnel? Do you have any logs? Regards Martin

Re: [strongSwan] Mac OS X 10.9 Mavericks - StrongSwan Native Application - constraint checking failed

2013-11-01 Thread Martin Willi
Fred, > I'll prepare a new release of the App that allows identity matching > against certificate subjectAltNames (instead of the strict IDr > matching). I've pushed a new release [1] that should accept other identities as long as the FQDN is in the certificate as subjectAltName. Please let me kn

Re: [strongSwan] Crash issue with 1k IPsec tunnels (using 5.0.4 strongswan and load-tester plugin)

2013-11-06 Thread Martin Willi
Hi, > --enable-lock-profiler [...] is getting crashed. > #4 0x00556262af3c in backtrace () from /lib64/libc.so.6 > #5 0x005562189838 in backtrace_create (skip=2) at utils/backtrace.c:531 > #6 0x0055621817e0 in profiler_init (type=) > at threading/lock_profiler.h:76 > #7 mutex_

Re: [strongSwan] User groups

2013-11-07 Thread Martin Willi
Hi Raoul, > 1] is the EAP Radius setup compatible with IOS clients (ikev1). I have > read that EAP is a ikev1 concept so my assumption was that it may not work. > Can you please clarify? EAP is an IKEv2 concept and is not supported in IKEv1. However, IKEv1 has the XAuth extension, and the eap-ra

Re: [strongSwan] TSi, TSr narrow down by external authorization process

2013-11-11 Thread Martin Willi
Hi, > Is it possible to send out traffic selectors values TSi,TSr to other > process (Authorization process) for TS narrow down. A listener_t interface registered to the charon bus has a narrow() hook, see [1]. This hook can be used to modify traffic selectors during the setup of a CHILD_SA.

Re: [strongSwan] NO_PROPOSAL_CHOSEN error notify

2013-11-11 Thread Martin Willi
Hi Björn, > initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP > esp=aes128-sha1,aes128-md5,aes256-md5,aes256-sha1,3des-sha1,3des-md5 Your old GW seems to use PFS, but in your 5.1.1 installation you don't include any DH groups in the esp proposal. To enable PFS in 5.1.1, you'll have to add a DH gro

Re: [strongSwan] FW: A question for StronSwan mailing list.

2013-11-13 Thread Martin Willi
Hi, > Can we configure Private CP attributes using "attr" plugin into StrongSwan? > attr { > 16385 = xx > } Yes, this is supported, see [1]. The value must either contain single IPs or CIDR subnets to do any conversion. Otherwise the comma separated attributes get

Re: [strongSwan] Query: IKEv2 IPv6 packets on port 4500

2013-11-13 Thread Martin Willi
Hi, > Does Strong-swan process IPv6 packet on UDP port 4500? Yes, we process IPv6 IKE packets received on port 4500. Support for UDP encapsulated ESP (for NAT) however depends on the support of your kernel. Regards Martin

Re: [strongSwan] EAP Radius

2013-11-13 Thread Martin Willi
Hi, > 1] I don't see a failed auth in the RADIUS logs in the latter case. But I > do (say) when I provide an incorrect xauth password. This suggests to me > that it isn't even going to RADIUS when I added the > "rightgroups"constraint. Is there anything wrong with my config? I don't have any lo

Re: [strongSwan] EAP Radius

2013-11-13 Thread Martin Willi
> So if I don't see a RADIUS auth attempt when I add "rightgroups" then > how could it ever determine the group to know if it would match. It won't, and the connection just does not match if that group membership is not determined. However, rightgroups is a generic concept, not directly related

Re: [strongSwan] Left subnet Limitation?

2013-11-14 Thread Martin Willi
Hi Adrian, > Doesn't allow more than 115 subnets. > leftsubnet=172.16.1.0/24,172.16.2.0/24,172.16.3.0/24,172.16.4.0/24,[...] I think this limitation is fine: * All these subnet definitions add a traffic selector, letting your TSi/TSr payloads grow. This creates huge packets, which

Re: [strongSwan] Strongswan IKEv2 not working with ASA

2013-11-15 Thread Martin Willi
Hi, > received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built ASA sends NO_PROPOSAL_CHOSEN, which usually indicates that no matching crypto proposal was received. > IKEv2-PROTO-1: (1027): Failed to find a matching policy I don't know what the ASA exactly means with "policy", but you may try to ch

Re: [strongSwan] building CRED_CERTIFICATE - TRUSTED_PUBKEY failed

2013-11-15 Thread Martin Willi
Hi, > 12[CFG] looking for RSA signature peer configs matching > 10.195.82.145...199.188.195.215[C=CH, O=strongSwan, CN=client] > 12[IKE] no peer config found Your client requests plain RSA authentication only. > rightauth=rsa > rightauth2=xauth-noauth Your configuration uses

Re: [strongSwan] understanding openswan

2013-11-15 Thread Martin Willi
> 1) If I create a host-to-net vpn (iOS to Debian) can I make the client > (iOS) NOT send all the traffic through the VPN? I'd like only the > communication with certain hosts to be over VPN To use Split Tunneling with the native iOS IKEv1 client, you'll need the unity extension. This extension a

Re: [strongSwan] Tunnel stuck in QUICK_MODE active task

2013-11-15 Thread Martin Willi
Hi, > 03[ENC] generating QUICK_MODE request 1871762211 [ HASH SA No ID ID ] > 03[NET] sending packet: from 10.201.50.70[4500] to W.X.Y.Z[4500] (172 bytes) > 14[NET] received packet: from W.X.Y.Z[4500] to 10.201.50.70[4500] (76 bytes) > 14[IKE] queueing TRANSACTION request as tasks still active T

Re: [strongSwan] IKEv2 PSK IPv4 to IPv6 not Routing

2013-11-15 Thread Martin Willi
Adrian, > I can ping my GW private side via IPV6, but no packets are seen trying > to leave any interface when I ping another system on the internal > network. > leftsubnet=fc00::/16 > rightsourceip=fc00::2:1/112 Sounds like a routing/forwarding issue. * Have you enabled IPv6

Re: [strongSwan] Issue with threads blockage in high load

2013-11-15 Thread Martin Willi
Hi, > most of the threads are blocked forever in pthread_cond_timedwait (). > Here goes the stack trace. > #0 0x0055630e4eb4 in pthread_cond_wait () from /lib64/libpthread.so.0 > #1 0x005563141d44 in process_jobs (worker=0x126013900) at > processing/processor.c:278 I don't see any pth

Re: [strongSwan] Query on multiple instances of Charon daemon

2013-11-18 Thread Martin Willi
Hi, > Is it possible to run multiple instances of Charon daemon in all the > cores of a system? If yes, will it have any performance benefits? If you run your OS on all cores, no. You may not run more than one charon daemon per OS instance. Even if you'd manage to get multiple charon processes

Re: [strongSwan] IKEv2 PSK IPv4 to IPv6 not Routing

2013-11-18 Thread Martin Willi
Hi, > cat /proc/sys/net/ipv6/conf/eth1/forwarding And this is true for all involved interfaces? > > Do LAN hosts know they have to forward rightsourceip addresses over > > the gateway? (the farp plugin works for IPv4 only) > > Unsure how to address this. I see my client doing ARP requests, but

Re: [strongSwan] How to use ah keyword for windows 7 L2TP/IPSec

2013-11-19 Thread Martin Willi
Hi, > but when I add the ah keyword, which is available since 5.1.1, as ah=md5, Please be aware that we support plain AH only, no ESP+AH SA bundles where AH integrity-protects ESP-encrypted packets. > 16[CFG] selected proposal: AH:HMAC_MD5_96/NO_EXT_SEQ > 03[ENC] parsed INFORMATIONAL_V1 request 10833098

Re: [strongSwan] How Create multiple Child SA's in same IKE SA

2013-11-19 Thread Martin Willi
Hi, > How can I create more than one child SA in the same IKE SA ipsec.conf connections get merged to the same configuration if they have common properties for an IKE_SA (peer addresses, identities etc.). You can, for example, define IKE_SA specific options in the %default section, and then provide CH

Re: [strongSwan] Radius Disconnect-Request not working

2013-11-21 Thread Martin Willi
Hi, > dae { > listen = 0.0.0.0 # listen address, default to all > port = 3799 # port to listen for requests, > default > secret = secret > } The DAE extension requires an "enable" s

Re: [strongSwan] Radius Disconnect-Request not working

2013-11-21 Thread Martin Willi
> Thank you, but even after adding the enable switch I still get exactly the > same results. Any related errors in the startup log? Regards Martin

Re: [strongSwan] Load balancing

2013-11-22 Thread Martin Willi
Hi, > It doesn't matter which HA/LoadBalancing you will choose, it can be > LVS, Pacemaker or even haproxy before strong swan nodes. The point is > how to keep the sessions. You will need to setup virtual IP on your > strong swan, there is a Cluster IP. To clarify, our HA solution works on top of

Re: [strongSwan] Renegotiation when SPI missing

2013-11-26 Thread Martin Willi
Hi Steffen, > # ip xfrm state flush > > the connection got down immediately (of course). While I have > strongswan configured to use DPD I expected it to renegotiate > automatically, but it didn't. I think this test is somewhat constructed. Unless the admin explicitly deletes kernel state, this

Re: [strongSwan] Routing to local interface (E.g. tun0)

2013-11-26 Thread Martin Willi
Hi, > but to hook into our own custom accounting system we need each user > attached to a separate local interface (E.g. tun0...tun100). The Linux kernel does not use any tun devices, but handles IPsec transparently in its IP stack. You may use our userland IPsec backend which uses tun devices, h

Re: [strongSwan] Does strongswan (5.0.4) have any options to cache and reuse the diffie-hellman keys?

2013-12-03 Thread Martin Willi
Hi, > The Diffe Hellman exchange consists of CPU-intensive operations like > key-pair generation and shared-secret generation. Does strongswan > (5.0.4) have any options to cache and reuse the diffie-hellman keys for > enhanced IKE setup rate? What an implementation can do is to reuse Diffie-Hel

Re: [strongSwan] aes256-gcm16

2013-12-06 Thread Martin Willi
Hi, > esp=aes256gcm16-sha1! This hardly makes sense. You can specify an integrity algorithm if you have both AEAD and traditional ciphers. The peer then may select either the AEAD or the traditional encryption+integrity algorithms. > Does it removes the -sha1 part Any integrity algorithm spec

Re: [strongSwan] Issues with EAP-AKA Authentication

2013-12-17 Thread Martin Willi
Hi, > the Authentication module reads the AKA credentials from > /etc/ipsec.secrets file. However with this configuration, the EAP > authentication fails with following log message at the client side: " > tried 0 SIM cards Have you enabled and loaded the eap-aka-3gpp2 module? This module is requi

Re: [strongSwan] strongswan-5.1.1 routing pb

2013-12-18 Thread Martin Willi
Hi, > The configuration is quite classical: net-to-net ( 192.168.3.0/24 === > 192.168.4.0/24 ) > msc-hmnet{5}: INSTALLED, TUNNEL, ESP SPIs: c5329687_i c0101bc4_o, IPCOMP > CPIs: dcf5_i ab46_o > But out of the 2 tunnels only 1 is reachable. The other one doesn't ping. > [root@academ strongsw

Re: [strongSwan] Centos6.5, building SS 5.1.1 or 5.1.2dr2 fails

2013-12-18 Thread Martin Willi
Hi Kimmo, > I have built strongswan rpm's with mock in Centos 6.5 > (2.6.32-431.el6.x86_64). > Building 5.1.0 works okay, but 5.1.1 or 5.1.2dr2 does not. > from networking/tun_device.c:51: > /usr/include/linux/if_ether.h:125: error: expected > specifier-qualifier-list before '

Re: [strongSwan] Windows 7 IKEv2 Error

2014-01-03 Thread Martin Willi
Hi, > 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) > N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] > 07[NET] sending packet: from 192.168.1.18[500] to 98.26.22x.xx[500] > 03[NET] received packet: from 98.26.22x.xx[4500] to 192.168.1.18[4500] > 03[ENC] not enough input to parse rule 1

Re: [strongSwan] [StrongSwan] IKE_AUTH packet not reaching the VPN gateway

2014-01-03 Thread Martin Willi
Hi Sam, > The tcp dump logs from my Android device show that the IKE_AUTH > messages are being sent from the Android device. Does that IKE_AUTH get fragmented? Any IP fragment restrictions on that path? Regards Martin

Re: [strongSwan] SS5.1.0 and libipsec, configuration and usage questions

2014-01-08 Thread Martin Willi
Kimmo, > I have not tried libipsec after september but I'm still interested at > the feature. What kind of plans you have for the libipsec, what kinds > of features there will be in the future? I've implemented usage statistics, volume based rekeying and some other minor tweaks for 5.1.1. There a

Re: [strongSwan] SS5.1.0 and libipsec, configuration and usage questions

2014-01-08 Thread Martin Willi
> Netfilter marks would help me to select connection/SA, but would not > let me do overlapping traffic selectors? If you have a distinct mark on a connection, traffic selectors can overlap. The kernel accepts identical policies if the mark differs. > conn A > left=me > right=peer1 > leftsubne

Re: [strongSwan] SS5.1.0 and libipsec, configuration and usage questions

2014-01-08 Thread Martin Willi
> There is even a %reqid option for marks, [...] Oops, this seems not to be true; that keyword does not exist. But you may use the magic mark value 0x to achieve the same. Regards Martin

Re: [strongSwan] Strongswan server configuration for iOS devices

2014-01-09 Thread Martin Willi
Hi, > This worked like a charm for a single user but when I tried to connect > second user The first user gets disconnected. Have a look at the uniqueids option in the "config setup" section of ipsec.conf. It defaults to yes, meaning only one connection is allowed with the same peer identity. For

Re: [strongSwan] IPSEC hardware acceleration

2014-01-09 Thread Martin Willi
Hi, > I want to enhance IPsec stack performance, I'm evaluating few NIC/PCI > IPsec hardware acceleration cards. > > Please suggest plugin card compatible with strong swan. strongSwan usually does not process raw ESP packets, that's handled in the kernel. So to increase IPsec throughput, you'l

Re: [strongSwan] Strongswan server configuration for iOS devices

2014-01-09 Thread Martin Willi
> how can I use split tunnel so only traffic destined for 192.168.10.0/24 > go through ipsec tunnel. http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling Regards Martin

Re: [strongSwan] ocsp in ikev2

2014-01-17 Thread Martin Willi
Hi Sriram, > When I tested this, I saw peers exchanging AuthorityInfoAccess as part of > certificate data extensions. But I didn't see any exchanges happening between > ocsp server and peer to confirm the validity of certificates. For OCSP support, you need both the revocation plugin and one of the fe

Re: [strongSwan] received netlink error: No such file or directory (2) -- 96-bit truncation issue?

2014-01-17 Thread Martin Willi
Hi Aaron, > I'm trying to setup StrongSwan (4.5.2) on a fairly old kernel (2.6.31) > Jan 16 18:21:32 15[KNL] adding SAD entry with SPI c02c6c28 and reqid {2} > Jan 16 18:21:32 15[KNL] using encryption algorithm AES_CBC with key size 128 > Jan 16 18:21:32 15[KNL] using integrity algorithm HMAC

Re: [strongSwan] iOS devices behind NAT not working

2014-01-17 Thread Martin Willi
Hi Marcelo, > I have a setup with two iPhones behind a NAT router connecting to a > strongswan server. I assume you are using the native "Cisco IPsec" client using IKEv1? strongSwan version? > It seems like one connection works, and the second one doesn't. What does "doesn't work" mean? Can you

Re: [strongSwan] planned support for RFC6407 GDOI - GETVPN

2014-01-17 Thread Martin Willi
Hi Stefan, > ● Instantaneous large-scale any-to-any IP connectivity using a group > IPsec security paradigm - seems to be RFC6407 GDOI I think GDOI is particularly interesting for securing multicast traffic. While it might be usable for plain any-to-any connections, you probably can achieve the s

Re: [strongSwan] Issue with ECDH group using load tester plugin (strongswan 5.0.4)

2014-01-17 Thread Martin Willi
Hi, > Similarly checked the SSL ciphers supported via OpenSSL> ciphers > command but did not find the elliptic curve Diffie-Hellman group. I am > using the Fedora Linux (2.6.33.3-85.fc13.i686) and the version of > OpenSSL is 1.0.0d-fips 8 Feb 2011 . Most likely your Fedora OpenSSL comes without E

Re: [strongSwan] ocsp in ikev2

2014-01-17 Thread Martin Willi
> Jan 17 06:57:21 localhost charon: 02[LIB] sending http request to > 'http://10.206.1.11:8880'... > Jan 17 06:57:31 localhost charon: 02[LIB] libcurl http request failed: > couldn't connect to host Does that host have access to 10.206.1.11 without the IPsec tunnel? Please be aware that you

Re: [strongSwan] received netlink error: No such file or directory (2) -- 96-bit truncation issue?

2014-01-17 Thread Martin Willi
> Something I just realized: it's passing "sha1" to the kernel, not > "hmac(sha1)", like I saw in previous logs that have been posted: This is fine. "sha1" is the compatibility name used by older kernels for "hmac(sha1)". See net/xfrm/xfrm_algo.c. > I'm going to recompile the missing modules, a

Re: [strongSwan] Issue with ECDH group using load tester plugin (strongswan 5.0.4)

2014-01-28 Thread Martin Willi
Hi, > strongSwan complains that configured DH group ECP_224 not supported. > The #openssl ciphers -v 'ECDH' gives the below output, which > implies that, openssl has been compiled with ECDH support. Just switching OpenSSL's libcrypto is not sufficient. You'll have to build the strongSwan openss

Re: [strongSwan] Is it possible to use APIs (supplied by Octeon Core Crypto Library ) instead of OpenSSL's API for faster tunnel setup rate

2014-01-28 Thread Martin Willi
> What are the modifications I need to make so as to use > APIs (supplied by Octeon Core Crypto Library) instead of OpenSSL's APIs? If this crypto library works independent of OpenSSL, you should write your own libstrongswan crypto plugin providing DH functionality using these functions. To

Re: [strongSwan] received DELETE for ESP CHILD_SA with SPI

2014-01-29 Thread Martin Willi
Hi Björn, > Jan 29 15:27:21 : 11[NET] received packet: from xxx[500] to xxx[500] (76 > bytes) > Jan 29 15:27:21 : 11[ENC] parsed INFORMATIONAL_V1 request 754058000 [ > HASH D ] > Jan 29 15:27:21 : 11[IKE] received DELETE for ESP CHILD_SA with SPI > b45041ad For some reason your pee

Re: [strongSwan] Does the eNB Strongswan support up to 20 trust anchors?

2014-01-30 Thread Martin Willi
Hi Mugur, > Our application using StrongSwan requires up to 20 trust anchors in the > CERTREQ payload. Can you please specify which are theoretical/practical > limitations for this number? Does StrongSwan loop over the list of > trust anchors up to the first match (if any) and then stops? When re

Re: [strongSwan] Message verification failed

2014-02-04 Thread Martin Willi
Hi, > Can anyone please help me to understand what this error message indicates? > > 13[ENC] parsed INFORMATIONAL_V1 request 801051881 [ N(CRIT) ] > 13[ENC] ignoring unprotected INFORMATIONAL from XX.XX.XX.XX Your peer sends an unprotected INFORMATIONAL message, which gets discarded by charon.

Re: [strongSwan] On CHILD_SA expiry strongSwan Stack is not sending delete SAD till it receives INFO (Delete) confirmation from peer.

2014-02-10 Thread Martin Willi
Hi Sajal, > Query: Why is strongswan stack dependent on a successful response from peer > device to do the clean-up of an Expired SA. Shouldn't it clean-up the SAD > entry on its own, At least after n number of successful attempts? Not sure > what that "n" would be? That issue with invalid respon

Re: [strongSwan] EAP password prompt

2014-02-10 Thread Martin Willi
Hi, > What I want is to use 2 factor authentication - clients without a > valid certificate should not be able to authenticate even if they know the > password, and clients with a valid certificate should be prompted for a > password when trying to connect. With IKEv2, you then need multiple auth

Re: [strongSwan] Issue with both gateway having 'auto=start'

2014-02-10 Thread Martin Willi
Hi Marc, > I'm using a quite symmetric configuration where both gateways with > strongSwan 5.1.1 have the auto=start in configuration in order to force > tunnel being up asap. Having auto=start on both ends is not unproblematic, as it can result in collisions for IKE and CHILD_SAs. If you really

Re: [strongSwan] (no subject)

2014-02-10 Thread Martin Willi
Hi, > 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] > 10[IKE] no IKE config found for 37.247.54.124...38.109.218.26, sending > NO_PROPOSAL_CHOSEN > 10[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ] > left=%defaultroute > right=37.247.54.124 Can you c

Re: [strongSwan] Load tester: Dump the on demand end entity node certificate in pem format

2014-02-10 Thread Martin Willi
> Am using load tester plugin. I need to check the end entity certificate > contents (on demand certificate). So need the on demand certificate in .pem > format. You may try to use "ipsec listcerts" to list any certs in the cache, then use "ipsec stroke exportx509 " to print a certificate for a D

Re: [strongSwan] Win2008 main mode neg failed, no policy configured

2014-02-12 Thread Martin Willi
Hi Lars, > I am able to establish a SA from right to left (using ICMP ping from the > server). > > When the left side initiates the IKE negotiation, the server never > responds to the IKE_SA_INIT message. The event log says: > An IPsec main mode negotiation failed. > Additional Information: > K

Re: [strongSwan] Migration from OpenSwan to strongswan

2014-02-18 Thread Martin Willi
Hi Erich, > In our build environment we are using a makefile which is calling the > original XSwan makefile passing all our relevant parameters. When using strongSwan you should definitely use the provided ./configure script to modify any build settings. > The way I understand StrongSwan it is ba

Re: [strongSwan] StrongSwan VPN to PPP device in user-space?

2014-02-18 Thread Martin Willi
Hi Richard, > IP traffic --> Ethernet --> IP stack --> StrongSwan --> serial connection to > second machine --> IP Stack --> Ethernet > > Essentially I'm trying to ensure that the decrypted traffic doesn't go > back down the IP stack to the serial device as we need to assure that > the decrypted

Re: [strongSwan] temporarily disable a road warrior user

2014-02-19 Thread Martin Willi
Hi Karl, > How can I temporarily disable the user, without revoking the > certificate, can I do that? > > Do I revoke it, and to re-enable by removing it from the CRL? Is there > an easier way? Setting the certificate on-hold is certainly an option, using a CRL or even better an OCSP servic

Re: [strongSwan] Win2008 main mode neg failed, no policy configured

2014-02-20 Thread Martin Willi
Lars, > esp=3des-sha1,3des-sha1-modp1024 If you have both non-PFS (3des-sha1) and PFS (3des-sha1-modp1024) proposals included, strongSwan includes a KE payload for the DH exchange. The responder is free to ignore the KE payload if it picks the non-PFS proposal, but it seems that this does not wor

Re: [strongSwan] Using multiple UDP sockets with SO_REUSEPORT option to increase high connection rate

2014-03-21 Thread Martin Willi
> And the single receiver thread becomes bottleneck due to high > connection rate/setup rate. The receiver job is rather trivial, only the IKE header is parsed and some rate limiting is enforced for DoS protection. Any further processing is delegated to the thread pool using that process_message_

Re: [strongSwan] ipcomp stats

2014-03-21 Thread Martin Willi
Hi, > When ipcomp is in play - are these stats before or after compression? The test scenario at [1] uses: > ping -n -c 2 -s 8184 -p deadbeef 10.1.0.10 but "ipsec statusall" shows: > AES_CBC_128/HMAC_SHA1_96, 182 bytes_i (2 pkts, 0s ago), 180 bytes_o (2 pkts, > 0s ago) So the SA statistics o

Re: [strongSwan] Question on using libcharon

2014-03-21 Thread Martin Willi
Hi Noam, > When peering two instances of this code with each other, I have a race > where one instance believes that it has a valid outgoing child_sa, and the > other does not yet recognize this SPI. When initiating connections from both ends, you should take care to avoid having two tunnels esta

Re: [strongSwan] allowing multiple OU

2014-03-21 Thread Martin Willi
Hi, > Is there a way to allow servers with valid certs and > OU=Servers_vpngateway2 and ignore all other (there may be one, two, > three, four, etc) OU's that is not writing conn definitions for all the > different combinations? No, unfortunately DN matching is limited to strict RDN sequences,

Re: [strongSwan] Most specific match with intersecting subnets

2014-03-21 Thread Martin Willi
Hi, > If the wider tunnel (tun1) comes up first then the narrow tunnel (tun2) > never comes up! Traffic for the tun2 destination of interest just gets > routed down tun1. Policies for an installed SA always have a higher priority compared to trap policies. The way we currently calculate prioriti

Re: [strongSwan] Using multiple UDP sockets with SO_REUSEPORT option to increase high connection rate

2014-03-24 Thread Martin Willi
Hi, > From the above statistics, it just means that Receiver thread ( of > Charon daemon at IKE Responder end) is not reading the socket fast > enough. Of course. If your system under test is overloaded (by plain CPU power, or due to locking bottlenecks), it will reduce the rate it receives from

Re: [strongSwan] Test with lots of concurrent connections

2014-03-31 Thread Martin Willi
Steffen, > - Are there generally things I should consider from the beginning that > will limit the amount of connections handled by strongswan? The number of simultaneous connections is mostly limited by the available RAM on your system. We did some memory optimizations recently, depending on y

Re: [strongSwan] ksoftirq thread reaching 100%

2014-03-31 Thread Martin Willi
Hi, > Has anyone else seen this problem with the ksoftirq thread reaching 100%? > Is there anything that can be done to alleviate this problem? The kernel handles ESP data path processing in this thread, and it is by default limited to the single core that processes NIC interrupts. So you basical

Re: [strongSwan] Packet reordering problems

2014-04-10 Thread Martin Willi
Hi Steffen, > In the other cases the packet order seems correct (on the responder > side) but arrive incorrectly on the initiator side: > > -> A > B <- > -> C > D <- > -> E1 > -> E2 > F1 <- > G <- > F2 <- Is my assumption correct that you are initiating Main Mode, followed by a transaction reque

Re: [strongSwan] Question on scheduled jobs

2014-04-14 Thread Martin Willi
Hi, > Under high load, the #ipsec statusall shows the job queue is > empty (0/0/0/0) but scheduled shows more than 4+ always. > Does it mean that the processor is slow to execute? No. The scheduler stores jobs to execute at a certain time in the future (rekeying, retransmission etc.). It ju

Re: [strongSwan] Anyone got strongSwan working with Aruba Networks (as a Aruba VIA client)?

2014-04-14 Thread Martin Willi
Hi Jerry, > For rw-cert this is the configuration and log I used: > parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ] > received AUTHENTICATION_FAILED notify error The peer rejects authentication, but we can't see why on this end. Maybe the Aruba peer has more information about this failure in its l

Re: [strongSwan] Anyone got strongSwan working with Aruba Networks (as a Aruba VIA client)?

2014-04-14 Thread Martin Willi
> > The peer rejects authentication, but we can't see why on this end. Maybe > > the Aruba peer has more information about this failure in its log? > > This gives ERR_IPSEC_NO_MAP. Hm, hard to say what this error means. Maybe Aruba or its community has more experience with this? > > Seems that

Re: [strongSwan] Locking contention or delay in the Charon process under high load

2014-04-14 Thread Martin Willi
Chinmaya, > Using the pthread_setaffinity_np() API to put threads into different > cores, I find the tunnel setup rate to be 400+ (maximum) without any > packet loss at both ends. Without setting processor affinity, only > one core gets used (100%) and setup rate was found to be 250 (max). I > t

Re: [strongSwan] New version: error writing to socket

2014-04-15 Thread Martin Willi
Hello Otto, > I upgraded to the latest debian package (5.1.2-4~bpo7) today Upgraded from which version? > 13[NET] sending packet: from 192.158.A.B[500] to 194.17.X.Y[500] (188 bytes) > 08[NET] error writing to socket: Invalid argument Is the selected source address for sending this packet correc

Re: [strongSwan] Keeps adding tunnels

2014-04-16 Thread Martin Willi
Hi Peter, > This works just fine and it gives me one tunnel if I check with *ipsec > status*. I do however after half an hour or so get more and more active > tunnels, and it gets unresponsive. > ikelifetime=60m > keylife=20m > rekeymargin=1 As you set rekeymargin to only 1 secon

Re: [strongSwan] Delay in authentication from iOS devices

2014-04-17 Thread Martin Willi
Hi Harry, > Apr 17 12:38:22 server-ip charon: 12[ENC] generating ID_PROT response 0 [ ID > CERT SIG ] > Apr 17 12:38:22 server-ip charon: 12[NET] sending packet: from > server.ip[4500] to remote.ip[16523] (1484 bytes) > Apr 17 12:38:22 server-ip charon: 12[ENC] generating TRANSACTION request >

Re: [strongSwan] IKEv2 cisco anyconnect app

2014-04-22 Thread Martin Willi
Atri, > I notice you mention in your response that strongswan is rejecting an > unencrypted payload that it expects to be encrypted. I assume you are referring to the one-and-a-half year old discussion at [1]? > However, this particular attribute is included in Message 1 which can't > be encrypt
