Re: [strongSwan] Parallelism in ESP userspace processing?

2014-09-16 Thread Martin Willi
Hi, For kernel space there is only one thread in ordinary case. But is there anything different for userspace backend? No, our libipsec userspace IPsec backend currently uses a single thread in each flow direction. If performance is critical, you certainly should use a kernel based IPsec

Re: [strongSwan] Connecting to Strongswan using the Native Android IPSec VPN Client

2014-09-16 Thread Martin Willi
Hi Ben, Cindy, I am attempting to connect to a Strongswan VPN server using the native Android IPSec client in Android 4.4 Is it possible to set up the vpn connection with Android's own vpn client (and NOT the strongswan app)? It is possible, yes. With the exception of the Samsung Galaxy S5

Re: [strongSwan] Parallelism in ESP userspace processing?

2014-09-16 Thread Martin Willi
You mean that for multiple ESP SAs there can be multiple working threads involved? Sorry for being unclear: There is a single thread in each direction in common for all SAs; even with multiple SAs you only have one thread in each direction. I suppose it is possible to add dispersal of

Re: [strongSwan] eap-radius authentication timeout

2014-09-16 Thread Martin Willi
Hi, Is there an option to set the eap-radius plugin authentication timeout / retransmit period? No, these values are currently hardcoded, you may change them at [1]. I am using StrongSwan with FreeRadius (and LDAP), problem is that authentication requests time out after about 15 seconds.

Re: [strongSwan] charon plugin xauth-pam

2014-09-17 Thread Martin Willi
Cindy, No xauth-pam :-/ kind of suggests I'd have to recompile strongswan. I'm really hoping I don't have to! The xauth-pam plugin is not built by default, you'll have to add --enable-xauth-pam to ./configure, and then rebuild strongSwan. Regards Martin

Re: [strongSwan] Current Status of High Availability Extension

2014-09-17 Thread Martin Willi
Hi Thomas, Are the patches included in the mainstream kernel? No. As these changes introduce new Netfilter hooks and some major changes, I expect that it is a lot of work to upstream these patches. The latest patchset based on Linux 3.15 is available at [1]. Not sure if we should upstream these

Re: [strongSwan] Current Status of High Availability Extension

2014-09-17 Thread Martin Willi
A node may drop packets before it can process them (heavy load, network errors). This leads to outgoing replay counters synchronization problems between nodes. Yes, this can happen. But as we explicitly advance the outgoing sequence number counter on fail-over, sequence number reuse can be

Re: [strongSwan] Occasional kernel crash at __xfrm_state_lookup

2014-09-19 Thread Martin Willi
Hi Jiri, We experience relatively frequent kernel crash (~2 a day out of 102 nodes). I enclose a stack trace: [17243.492885] [81601c06] xfrm_state_lookup+0x66/0x90 [17243.492907] [8160796e] xfrm_user_state_lookup+0x6e/0xe0 [17243.492930] [81255078] ?

Re: [strongSwan] High charon CPU usage + stale SPIs in kernel

2014-09-19 Thread Martin Willi
The problem we are seeing is that from time to time, a lot of SPIs are created: querying SAD entry with SPI c5265bed failed: No such process (3) This might be related to the kernel crashes we see which I described in thread Occasional kernel crash at __xfrm_state_lookup. Most likely it is.

Re: [strongSwan] questions on mac os x

2014-09-19 Thread Martin Willi
Cindy, We recently released a native application for Mac OS X 10.7 and newer. It allows easy road-warrior access in a similar fashion as the NetworkManager integration does on Linux. So this is a strongswan vpn client? Yes. Are there instructions anywhere for installing this? If it seems

Re: [strongSwan] Accepting connections from anyone with a signed cert?

2014-09-19 Thread Martin Willi
I was hoping there would be a way to authenticate *any* peer that is signed by the CA. Unfortunately, it seems like setting rightid=%any still results in no matching peer config found. That should actually work, just make sure to not set any rightcert, as each client has its own. Most likely

Re: [strongSwan] Equivalent strongswan settings for racoon config

2014-09-19 Thread Martin Willi
Hi, It seems fairly straightforward however I am continually getting the error no ike config found. conn test keyexchange=ikev1 nat_traversal=yes nat_traversal is not a conn specific option, and has been deprecated with 5.x. left=x.x.x.x Usually you define the right side

Re: [strongSwan] XAuth with interactive authentication?

2014-09-23 Thread Martin Willi
Hi Alexander, Is it possible to use XAuth not with secrets file, but with interactive credentials request from user? Are there any interfaces for that? I assume you refer to the client that initiates a connection? When using an ipsec.conf configuration, you may use the ipsec stroke

Re: [strongSwan] XAuth with interactive authentication?

2014-09-23 Thread Martin Willi
Is it possible to create plugin of my own to request credential/password? Yes. The daemon queries the registered credential_set_t [1] instances for credentials; in such an implementation you can request the password from the user. There is a simple callback based wrapper [2] to query passwords

Re: [strongSwan] is it authenticate IPSec pre-shared keys (PSK) not from ipsec.secrets?

2014-09-25 Thread Martin Willi
Hi, is there any possibility to authenticate IPSec pre-shared keys (PSK) not from ipsec.secrets? As IKE PSK authentication has security implications and is not recommended for larger deployments, we don't provide any backend for preshared keys beyond ipsec.secrets or swanctl.conf. However, you

Re: [strongSwan] NAT-T/IKEV1/PSK question

2014-09-25 Thread Martin Willi
Hi Jakob, 08[CFG] looking for pre-shared key peer configs matching 172.17.123.1...a.b.c.d[remote-id] 08[CFG] candidate client-test, match: 1/20/3100 (me/other/ike) 08[IKE] no peer config found So it is looking for a PSK using the internal address although I configured a local ID !? The

Re: [strongSwan] NAT-T/IKEV1/PSK question

2014-09-25 Thread Martin Willi
I agree that the log is not very clear in what is wrong here, I'll see if we can improve that. I've pushed a commit [1] that should make it more clear what's wrong. Regards Martin [1]http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=55e85387

Re: [strongSwan] preloading client certificates

2014-10-02 Thread Martin Willi
Pete, I've copied them to the /etc/ipsec.d/certs directory and restarted the daemon but ipsec listcerts still only lists the certificates that I have a private key for. Certificates from the cert directory do not get loaded automatically. The directory merely holds the certificates you can

Re: [strongSwan] very low performance of IKEv2 ESP, please help

2014-10-03 Thread Martin Willi
Hi, Currently I am stuck with a performance problem (iperf) through an IPSec tunnel from a notebook (win8) to a server, which are connected through a switch. With IPSec I get only 181Mbps, cpu load is 14% Here is the openssl speed test for aes-128-gcm, which shows 506MBps speed:

Re: [strongSwan] IPv6 IKEv2 Road Warrior Connection issues

2014-10-06 Thread Martin Willi
Hi, Win7 PC -- MiFi (Verizon Wireless) IPv6 -- SoftlayerIPV6 -- VPS. authby=xauthrsasig xauth=server keyexchange=ikev2 IKEv2 with XAuth makes really no sense. If you want to connect Windows 7 clients with username/password, you probably want EAP-MSCHAPv2. Refer to

Re: [strongSwan] IPv6 IKEv2 Road Warrior Part 2

2014-10-09 Thread Martin Willi
Randy, 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ] 14[NET] sending packet: from serveripv6v1[500] to clientipv61[500] (312 bytes) 15[JOB] deleting half open IKE_SA after timeout After sending the IKE_SA_INIT response message, the gateway

Re: [strongSwan] ipsec stroke loglevel any -1 invalid option

2014-10-14 Thread Martin Willi
Noel, Can anyone elaborate on why ipsec stroke loglevel any -1 gives me invalid option, but it works with the individual subsystems? Try ipsec stroke -- loglevel any I think the tip of Thomas is correct; you'll have to terminate the argument list before adding -1 as option. I can't

Re: [strongSwan] EAP AKA in strongswan

2014-10-14 Thread Martin Willi
Hi Poonam, We need to run AKA algorithm in STRONGSWAN. So how can we configure the Ki value in configuration file? strongSwan supports multiple backends for the EAP-AKA module. The eap-simaka-sql plugin reads quintuplets from an SQL database; the eap-aka-3ggp2 plugin implements the 3GPP2

Re: [strongSwan] Output hangs, eventually completes

2014-10-14 Thread Martin Willi
Hi, From the client, I ssh to the server to do work. I use this VPN without issue for many minutes. Then I perform some command like ‘ps -ef’ or ‘vi foo’ and the VPN output hangs. While ‘hung’, from another shell session I still see heartbeats on the VPN. If I wait around long enough (30

Re: [strongSwan] source-based routing

2014-10-14 Thread Martin Willi
I want to be able to route one specific IP (say 192.168.0.100) address on local LAN A so that its gateway is gateway of remote LAN B (say 192.168.10.1). LAN A and B are connected through a site-to-site VPN using strongswan: If I understand correctly, you have an IPsec gateway on each

Re: [strongSwan] Output hangs, eventually completes

2014-10-17 Thread Martin Willi
John, Kindly asking to keep the discussion on the mailing list, thanks. I added ‘reauth=no’ to the client connection, but the problem persists. I didn’t need to add it to the server’s config too did I? You need that option set on both ends, otherwise the AUTH_LIFETIME negotiation forces the

Re: [strongSwan] Trust Chain Configuration Support of Peer SEG

2014-10-17 Thread Martin Willi
Hi Sajal, Just wanted to check if my query below reached you. Of course it did. But please be aware that this is a community mailing list, and support is provided as the community members find time to do so. Basically I just want to confirm if I can configure Strongswan stack in a way so

Re: [strongSwan] P-CSCF support in CP

2014-10-30 Thread Martin Willi
Hi, We need to add P-CSCF support in CP in strongswan. I assume you refer to [1]? As in what all files will be changed and where would be change required? If it is already done, then please send us the patch. As a server, you may define custom attributes for example in the attr plugin [2]

Re: [strongSwan] Default PRF algorithm selection

2014-10-31 Thread Martin Willi
Hi, Sounds like a regression: how was this supposed to work before the 5.0.2 version? It never did. Apparently, you are the first one to use these algorithms (at least without specifying an explicit PRF). Note that these algorithms are very exotic, and most likely not even supported by

Re: [strongSwan] none allows XAuthInitPSK authentication using Main Mode

2014-10-31 Thread Martin Willi
Hi, rightauth=psk rightauth2=xauth But after I change the xauth to eap-radius [...] eap-radius is an EAP authentication method and works for IKEv2 connections, only. The eap-radius plugin provides an XAuth authentication backend using RADIUS as well, but you'll need to set rightauth2

Re: [strongSwan] received 250000000 lifebytes, configured 0

2014-11-04 Thread Martin Willi
Hi Rolf, During connection attempts of a Windows 7 client by IKEv1 in transport mode, I see the following: [IKE] L2TP/IPsec-PSK|1 received 25000 lifebytes, configured 0 These lifebytes refer to the number of bytes the peer allows over this Quick Mode before it expires, as sent in its

Re: [strongSwan] Authenticated encryption algorithms syntax

2014-11-05 Thread Martin Willi
Hi Emeric, What about the authenticated encryption algorithms (e.g. gcm)? Is the integrity algorithm mandatory for parsing but not used? If you have both traditional ciphers and AEAD ciphers in a proposal, you'll obviously need an integrity algorithm as well. If the AEAD gets selected, the

Re: [strongSwan] up-host not always executed

2014-11-12 Thread Martin Willi
Hi Elmar, With Strongswan v5 (U5.2.1/K3.14.17-SMP) sometimes if a rekey happens (not sure, when exactly) the down-Script will be executed, but not the up-script. strongSwan actually does not execute the updown() script for CHILD_SA/Quick Mode rekeying, as the SA stays the same. We have

Re: [strongSwan] issues with Child SA re-negotiation

2014-11-18 Thread Martin Willi
Does IKEv1 re-authentication support make-before-break mechanism? IKEv1 does not re-negotiate the Quick Modes during re-authentication, but the existing Quick Modes are still valid after removing the old ISAKMP-SA. In strongSwan we migrate the Quick Modes to the new ISAKMP-SA if

Re: [strongSwan] Basic Setup

2014-11-24 Thread Martin Willi
Hi, I want to set up a L2TP/IPSec server on Ubuntu 14.04, [...] but for now just trying to get Windows going conn rw left=192.168.1.17 leftid=@moon.strongswan.org leftsubnet=10.1.0.0/16 leftauth=psk leftfirewall=yes right=%any

Re: [strongSwan] How to access the service on the server which act as the VPN Gateway as well?

2014-11-24 Thread Martin Willi
Hi Aries, The VPN is using IKEv2 and the connections between clients and server established successfully. The clients are assigned virtual IPs drawn from a 10.0.0.0/24 pool. The clients can also access each other through the tunnel without a problem. However I notice that the server itself

Re: [strongSwan] charon.install_routes question

2014-11-26 Thread Martin Willi
Hi Emeric, Kindly asking to avoid thread hijacking, please create a new mail instead of replying to another, unrelated thread. Thanks. By default, the charon.install_routes is set to value yes. I don't really understand why it is the default behavior? While that route is not required in all

Re: [strongSwan] Connections with marks and iptables

2014-11-26 Thread Martin Willi
Hi Noel, Judging from this flow chart [1], the packets have to be marked correctly before XFRM LOOKUP is hit on any side. One could argue that XFRM decapsulation won't need a mark to select the SA, as the SPI uniquely identifies the inbound SA. This is, however, not how XFRM processes marks

Re: [strongSwan] trap not found, unable to acquire reqid

2014-12-04 Thread Martin Willi
Hi, I am facing an issue with charon (strongSwan 4.4.0) that, if SA entries are flushed from responder side, further initiation of tunnel from responder is not feasible. NODE-B# ip xfrm state flush 14[CFG] trap not found, unable to acquire reqid 2 You can't just flush the kernel SA

Re: [strongSwan] vpn clients (cisco/shrewsoft and other cisco unity clients) connectivity issues with Strongswan-v5.2.1

2014-12-04 Thread Martin Willi
Hi, leftsubnet=192.168.2.0/24,172.16.0.0/16 Are you using the unity plugin to negotiate multiple subnets in IKEv1? modeconfig=push Which of your clients is using push mode? Most of them probably use pull mode, and you must have the correct mode configured on the used strongSwan

Re: [strongSwan] strongswan without client certifikate

2014-12-04 Thread Martin Willi
Hi, Any idea what's the best authentication method for username/password only on client-side? EAP-MD5? The client should be able to connect via windows ikev2 native clients, the strongswan android-app, If you want to use the native Windows IKEv2 Agile VPN client, there is no way around

Re: [strongSwan] dns problem when using the dhcp plugin

2014-12-09 Thread Martin Willi
Hi, When using a static ip in the rightsourceip parameter the client (android) is resolving my mailserver with the internal ip as it should (because I set that up with the attr plugin), but when using rightsourceip=%dhcp the settings for dns with attr plugin seem to be ignored and then

Re: [strongSwan] setting up a mac os x client

2014-12-10 Thread Martin Willi
Hi Cindy, I've been reading through this [AppleIKEv2Profile] and particularly the Certificate section. Assuming I have 10.10 and above, is this what I need to do to set up a vpn client? Unfortunately, despite some other information floating around, OS X 10.10 does not support IKEv2 and the

Re: [strongSwan] radius nas_identifier, multihomed setup

2014-12-10 Thread Martin Willi
Hi Denis, On the server I have several IP addresses (let's say 10.0.0.1, 10.0.0.2, 10.0.0.3), and I need to somehow pass to freeradius info about the server IP where the client connects. strongSwan includes several attributes in each authentication request. Calling-Station-Id contains the peer's IKE endpoint

Re: [strongSwan] esp replay protection?

2014-12-10 Thread Martin Willi
Hi Jordan, Does strongswan 5.x provide esp replay protection with IKEv1? Yes. I can pass packets with seq number 1, 2, 3, ..., 31, 1, 2, 3, ..., 31. Basically packets with duplicate sequence number are not dropped. In my tests this works as expected, both for IKEv1 and IKEv2, and with a

Re: [strongSwan] Strong swan 5.1.1 and Windows XP

2014-12-10 Thread Martin Willi
Hi, I have tried both using the native client of Windows XP (that does not connect at all) The XP client configured through the RAS GUI uses L2TP/IPsec, that is a L2TP tunnel protected by IPsec in transport mode using IKEv1. strongSwan can handle the IPsec protection only, for L2TP you'll need

Re: [strongSwan] Strong swan 5.1.1 and Windows XP

2014-12-10 Thread Martin Willi
Attached go the Strongswan and Shrew log for the connection. Shrew rejects the Quick Mode with: 14/12/10 12:06:56 ii : phase2 rejected, id value mismatch 14/12/10 12:06:56 ii : - loc ANY:10.10.10.14:* - ANY:0.0.0.0/0:* 14/12/10 12:06:56 ii : - rmt ANY:10.10.10.0/24:* - ANY:10.10.10.14:*

Re: [strongSwan] IDir does not match for same strings; Trouble setting up connection to a Fritz Box

2014-12-11 Thread Martin Willi
Hi Marcel, IDir 'redacted.selfhost.eu' does not match to 'redacted.selfhost.eu' Both strings that I've replaced by redacted are equal in the output. In IKE, each identity has an associated type, which is not directly visible in the log. strongSwan automatically detects the type of configured

Re: [strongSwan] charon.plugins.eap-radius.nas_identifier doesn't work

2014-12-11 Thread Martin Willi
after I've set the nas identifier in the eap-radius section, the nas identifier in freeradius is still shown as strongSwan eap-radius { accounting = yes, nas_identifier = custom_nas_id } Having the nas_identifier in the root of the eap-radius section is supported in legacy

Re: [strongSwan] charon.plugins.eap-radius.nas_identifier doesn't work

2014-12-12 Thread Martin Willi
that's correct! now it's working as expected. Thanks! Great. As the documentation is not very precise about these options, I've pushed a patch [1] that uses these legacy configuration options as fallback if they are not given in the servers subsection. Regards Martin

Re: [strongSwan] questions on syslog output; linux server/mac client RSA certificate auth

2014-12-17 Thread Martin Willi
Cindy, 14[CFG] looking for RSA signature peer configs matching vpn_ip...client_ip[C=US, O=ThatsUs, CN=myemailaddr] Would this be as expected? I can't figure out why it isn't trying to match to the vpn host certificate. Before looking for certificates, strongSwan looks for a configuration

Re: [strongSwan] mac os x client app unresponsive?

2014-12-19 Thread Martin Willi
However, choosing New Connection doesn't do anything? I am on a Mac Book Pro, this one is on version 10.7.5 which should be enough according to the Strongswan notes on the native application? It should, but if I remember correctly there have been (are?) some window focus issues; possible

Re: [strongSwan] Strongswan using VTI - got it working!

2014-12-19 Thread Martin Willi
Question: what is the use of that table 220? Do we have a CLI to avoid Strongswan installing that route? It's not necessary in case of VTI. strongSwan installs routes for negotiated policies to a dedicated routing table mainly for two reasons: * Avoid any conflicts with the main routing

Re: [strongSwan] Strongswan using VTI - got it working!

2014-12-19 Thread Martin Willi
Quick question, If I understand you well, it's a global setting. Yes. Are you planning to add a knob under the conn itself? It would be nice to be able to control it per conn. Currently it is not planned, as it would require passing all the connection options down to the kernel layer,

Re: [strongSwan] Strongswan 5.2.1 client problem - IKEv1 aggressive PSK+XAUTH with Virtual IP

2014-12-19 Thread Martin Willi
Hi, generating TRANSACTION response 4124377813 [ HASH CPA(X_STATUS) ] sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes) generating TRANSACTION request 2379419226 [ HASH CPRQ(ADDR DNS) ] sending packet: from 192.168.xx.xx[4500] to 192.168.yy.yy[4500] (76 bytes)

Re: [strongSwan] Strongswan native application for OSX

2014-12-22 Thread Martin Willi
Hi, left=public ip of the strongswan gateway on openwrt leftsubnet=subnet behind the gateway leftfirewall=yes lefthostaccess=yes leftauth=pubkey leftcert=gatewayCert.der Now I would like to have OSX connecting to it with the strongswan native application,

Re: [strongSwan] Forecast plug-in.

2015-01-22 Thread Martin Willi
Hi, Did somebody try the forecast multicast/broadcast plug-in? Does it work? It definitely is experimental, but it at least works as shown in the provided KVM testcase. Has it been included in the 5.2.2 release at all, as in the Ubuntu 5.2.2 nightly build repository? No, the plugin is not yet

Re: [strongSwan] Forecast plug-in.

2015-01-22 Thread Martin Willi
Please keep the discussion on the mailing list, thanks. So, but can you send or place 5.2.2 release (or later) code with your plug-in. No, the plugin is not part of 5.2.2 or any other release. You'll have to build from the forecast git branch [1]. And does it really allow to transfer

Re: [strongSwan] Problem with rekey collisions

2015-01-20 Thread Martin Willi
Hi Andreas, Now my problem is that tunnels between devices break every few days. The log states that strongSwan detects a CHILD_REKEY collision, then it resolves the collision, but no traffic is going through. I noticed that after a rekey collision, some iptables rules were gone. I still

Re: [strongSwan] unable to ping local gateway in roadwarrior configuration

2015-01-20 Thread Martin Willi
Hi, iptables -A PREROUTING -p 50 -d $EXTIP -j DNAT --to-destination 192.168.7.1 iptables -A PREROUTING -p 51 -d $EXTIP -j DNAT --to-destination 192.168.7.1 You probably won't need ESP/AH forwarding rules, as in your NAT situation all traffic is UDP encapsulated over ports 500/4500. and ipsec

Re: [strongSwan] eap-md5: constraint requires public key authentication, but EAP was used

2015-01-16 Thread Martin Willi
Hi, constraint requires public key authentication, but EAP was used selected peer config 'test' inacceptable: constraint checking failed On the server side I have: leftauth=eap-ttls rightauth=eap-ttls and on the client side I have: leftauth=eap If you want to

Re: [strongSwan] unable to ping local gateway in roadwarrior configuration

2015-01-21 Thread Martin Willi
Hi Mihai, ip route show table 220 returns empty. I guess the problem is here that the route does not get installed. Do you have any suggestions about fixing this? First take a look at your log about any errors related to route installation. Increasing the knl loglevel to 2 might give some

Re: [strongSwan] [strongSwan-users] When Tunnel mode Becomes Transport Mode

2015-02-20 Thread Martin Willi
Hi Daniel, [...] think of a typical Site-to-Site scenario where Subnets are protected by their respective gateways. However, the expert told me that it is possible to use Transport Mode instead of Tunnel Mode for this scenario as well. As the endpoints that communicate from within the

Re: [strongSwan] Cannot get eap-radius working on Strongswan 5

2015-02-20 Thread Martin Willi
Hi Milen, 07[IKE] initiating EAP_IDENTITY method (id 0x00) 07[IKE] peer supports MOBIKE 07[IKE] authentication of '[...]' (myself) with RSA signature successful 07[IKE] sending end entity cert [...] 07[ENC] generating IKE_AUTH response 1 [IDr CERT AUTH EAP/REQ/ID ] 07[NET] sending packet:

Re: [strongSwan] Load tester for xauth

2015-01-27 Thread Martin Willi
Hi, Anyone who knows how to configure load-tester to support xauth, please help me. Really appreciated. Please refer to my answer and the patch for ticket #835 [1]. Regards Martin [1]https://wiki.strongswan.org/issues/835#change-2837 ___ Users

Re: [strongSwan] IKEv2 redirect support?

2015-01-28 Thread Martin Willi
Hi Ryan, Does strongSwan currently support RFC-5685, IKEv2 redirect? No, RFC 5686 is currently not supported by strongSwan. At this time we have no plans to implement this extension. Regards Martin

Re: [strongSwan] INITIAL_CONTACT notification in responder mode

2015-01-28 Thread Martin Willi
Hi Pavan, My question is whether INITIAL_CONTACT notification can be sent in IKE_AUTH response? If yes, in which condition this notification will be sent by responder? Theoretically yes, but strongSwan never sends INITIAL_CONTACT as responder, only as initiator. While sending the notify as

Re: [strongSwan] Forecast plug-in.

2015-01-23 Thread Martin Willi
0.2131s / 2079 times in lock created at: dumping 7 stack frame addresses: /usr/lib/ipsec/libstrongswan.so.0 @ 0xb7708000 [0xb774aee5] This is a lock profiler backtrace. It is usually required only if you want to find lock bottlenecks, but for normal operation/testing you should build without

Re: [strongSwan] setting domain search via attr plugin (IKEv2)

2015-01-23 Thread Martin Willi
I would need support for new payload attributes on both peers. At the server side, configuring custom attributes is already doable, for example with the attr plugin [1]. If configuration by the numerical value is too cryptic, adding aliases should be trivial. Maybe Strongswan could support a

Re: [strongSwan] ikev2 eap-radius ttls pap

2015-02-09 Thread Martin Willi
Hi Thomas, is it possible to use strongswan with eap-ttls and pap? EAP-TTLS in strongSwan currently supports tunneling other EAP methods only. PAP is not an EAP method, but a different protocol for password authentication. Plain (non-EAP) PAP, CHAP or MSCHAP is not supported in our EAP-TTLS

Re: [strongSwan] How to send IDi and DN separately?

2015-02-16 Thread Martin Willi
Hi, How to send IDi and DN separately such that DN doesn't overwrite IDi? strongSwan requires that the IDi matches one of the identities in the certificate, and enforces that if it does not. To use a different ID, you should include that ID as subjectAltName in your certificate. If you really

Re: [strongSwan] Building without Kernel support

2015-02-16 Thread Martin Willi
Hi Ryan, I’m trying to build strongSwan without Kernel dependencies. I’d like to use something like the lib-ipsec module (but modified), to receive the child SA’s for use on a crypto processor. strongSwan has different kernel backends. If you don't want to use one of ours, you might provide

Re: [strongSwan] does strongswan android client support sending NON_FIRST_FRAGMENTS_ALSO in notify payload

2015-01-08 Thread Martin Willi
Hi, 1) Does this mean to support IKE layer fragmentation UE needs to send NON_FIRST_FRAGMENTS_ALSO in the first IKE_AUTH message ? NON_FIRST_FRAGMENT_ALSO is unrelated to IKE message fragmentation as defined by RFC7383, but defines how to handle non-first fragments on tunnel mode payload

Re: [strongSwan] How to measure the Phase 1 or Phase 2 rekeys Per Seconds

2015-01-08 Thread Martin Willi
Hi, Is there any way to measure the Phase 1 or Phase 2 rekeys per second? There is no mechanism to directly print rekeyings per second, but you may subsequently use the ipsec listcounters command to query the number of rekeyings done so far. Regards Martin

Re: [strongSwan] role of High Aavailibity plugin in installing ipsec SA keys when there is only one node in Android Client

2015-01-08 Thread Martin Willi
Hi, 1) There is only one node, i.e. the android client. Why would be the need to use a HA plugin here. There really is none. The HA plugin synchronizes SA state between nodes in a gateway cluster. It really makes no sense to enable the plugin on your Android client device. Regards

Re: [strongSwan] Can't assign DHCP address with DHCPd

2015-01-08 Thread Martin Willi
Hi Igor, I'm unable to assign addresses to clients: sending DHCP DISCOVER to 255.255.255.255 DHCPDISCOVER from 7a:a7:f8:aa:e8:2f via lan DHCPOFFER on 192.168.180.104 to 7a:a7:f8:aa:e8:2f via lan Is lan really the network device name? Is strongSwan running on Linux? Is the DHCP server on the

Re: [strongSwan] ipsec reload fails to kill obsolete connections?

2015-03-18 Thread Martin Willi
Yves, When we generate a new version of these files we issue an ipsec reload (not just update). I'd expect that to kill connections that are not relevant anymore, but this is not the case ipsec statusall shows them still as defined and up and running. ipsec reload by design does not affect

Re: [strongSwan] ikev2 strongswan IKE_SA_INIT not have RFC 3947 Specification Vendor ID payload

2015-03-17 Thread Martin Willi
Hi, During our testing with IKEv2, we found that the 1st packet(IKE_SA_INIT) does not have any information on vendor ID payload which is a MUST criteria as per the RFC. As per the RFC 3947. “In the first two messages of Phase1, the vendor id payload for this specification MUST be sent

Re: [strongSwan] NAT-T port configuration

2015-03-19 Thread Martin Willi
Hi, 1. Is it possible to use port other than 4500 for NAT-T UDP encapsulation. If yes how can I configure it ? Yes, with the port_nat_t option in strongswan.conf, refer to [1] for details. To initiate a connection to a host with non-default ports, use the ipsec.conf rightikeport option.

Re: [strongSwan] strongSwan 5.1.2 on Ubuntu Trusty (14.0.4) and AppArmor

2015-03-19 Thread Martin Willi
Hi Fabrice, But when I execute the ipsec statusall command, it replies: reading from socket failed: Permission denied When I suppress the /etc/apparmor.d/usr.lib.ipsec.stroke AppArmor profile, the command replies correctly. We don't ship any AppArmor profiles from upstream, so you most likely

Re: [strongSwan] ESN support for IKEv1

2015-03-20 Thread Martin Willi
ESN support must be negotiated, as defined in RFC 4304, 2.2.1: This of course is RFC 4303 (ESP), sorry for the confusion. Regards Martin

Re: [strongSwan] ESN support for IKEv1

2015-03-20 Thread Martin Willi
Hi, The wiki mentions this ESN support is only for IKEv2. Is it so? Yes. As per my understanding this ESN feature refers to sequence numbers in ESP. So why is this support dependent on version of IKE? ESN support must be negotiated, as defined in RFC 4304, 2.2.1: To support high-speed

Re: [strongSwan] StrongSwan Mac OS X app questions

2015-03-16 Thread Martin Willi
Ken, Are there any issues with DNS StrongSwan Mac OS X app? The osx-attr plugin prepends the negotiated DNS servers to the currently configured ones. You may check with scutil if that works as expected. Not sure if keeping the current DNS servers installed is the best approach, maybe we

Re: [strongSwan] Usage questions: DPD and auto=

2015-03-09 Thread Martin Willi
Hi Tom, 1.) Since IKEv2 does not use DPD, should one omit the dpdaction directives from ipsec.conf for a connection using IKEv2? While IKEv2 does not use DPD, it provides a very similar mechanism called liveness checks. The dpdaction and dpddelay keywords work for both IKEv1 and IKEv2 in

Re: [strongSwan] Charon reset

2015-03-09 Thread Martin Willi
Ken, The initiator received signal 6 (SIGABRT) after eight hours of operation. Actually, the offending signal is SIGSEGV (11). charon catches that, prints a backtrace, and then calls abort() to terminate itself. I have a ~182MB core file from the initiator. How can I get it to you? I don't

Re: [strongSwan] Charon reset

2015-03-09 Thread Martin Willi
I will try to more quickly produce the crash by setting ikelifetime. Is there a recommended (or minimum) value? You may set it to 30s or so, but make sure to adjust rekeymargin/rekeyfuzz accordingly. (gdb) p *cert $4 = {get_type = 0xd30fe0, get_subject = 0x7f5e631a9ed8 main_arena+88,

Re: [strongSwan] unable to install policy 192.168.0.0/16 === 10.176.0.0/13 in (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists

2015-03-10 Thread Martin Willi
On Sam, 2015-03-07 at 21:52 +, Tormod Macleod wrote: Hello, I'm getting the above error when rekeying. I think it might be related to issue #431? I've tried the workaround of setting reauth=no but this did not resolve the issue. I have only started running into this since we started

Re: [strongSwan] High availability failover problem

2015-03-10 Thread Martin Willi
Aleksey, when I test failover [...], traffic won't flow through standby node until rekey on child SA is done To me this sounds like an ESP sequence number issue. I assume you have patched your kernel to include our ClusterIP IPsec extensions, as discussed at [1]. You may find some newer patches

Re: [strongSwan] unable to install policy 192.168.0.0/16 === 10.176.0.0/13 in (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists

2015-03-10 Thread Martin Willi
Hi, Sorry for my previous mail, this time with some content: I have only started running into this since we started using more than one subnet in the left side of the connection. leftsubnet=10.176.0.0/13,10.130.0.0/16 rightsubnet=192.168.0.0/16 Iona-VPN-FW[1]: IKEv2

Re: [strongSwan] High availability failover problem

2015-03-10 Thread Martin Willi
Then you should check if ClusterIP works as expected, and both on the inbound and outbound paths the ESP packets hit both nodes. To clarify, on the outbound path this of course is plain traffic subject to ESP encapsulation. Regards Martin

Re: [strongSwan] Performance with lots of tunnels and (XFRM) policies

2015-03-10 Thread Martin Willi
Noel, I would like to know how the performance of strongswan/Linux is with about 1000 established tunnels and ~3000 (XFRM) policies. I think XFRM policy lookup in the kernel scales fine, handling ~3000 policies shouldn't be a problem at all. How much traffic can be forwarded? Is the

Re: [strongSwan] Charon reset

2015-03-06 Thread Martin Willi
Hi Ken, 09[DMN] thread 9 received 11 09[LIB] dumping 2 stack frame addresses: 09[LIB] /lib64/libpthread.so.0 @ 0x7fb8fd3ab000 [0x7fb8fd3ba710] 09[LIB] - sigaction.c:0 09[LIB] /lib64/libc.so.6 @ 0x7fb8fce13000 [0x7fb8fd1a2ed8] 09[LIB] - interp.c:0 09[DMN] killing ourself,

Re: [strongSwan] High availability failover problem

2015-03-11 Thread Martin Willi
Hi, Is it essential for both nodes to receive all the ESP packets? Yes. Cannot ESP sequence numbers be synchronized through the HA plugin? No, this is not how the HA plugin works. ESP sequence numbers move very fast, making a synchronization in userland difficult. You may try to synchronize

Re: [strongSwan] Windows 2008 R2 to Linux connection issues

2015-03-10 Thread Martin Willi
Hi, 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 13[NET] sending packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes) 17[KNL] WFP MM failure: 10.1.186.35/32 === 10.1.186.174/32, 0x3601, filterId 0 Have you disabled the IKEEXT Windows IKE

Re: [strongSwan] Queries on vulnerability fixes

2015-03-12 Thread Martin Willi
Hi, As per the description of vulnerabilities in above links, the vulnerability is only applicable and will lead to crash in pluto IKE daemon alone. Charon is not mentioned. You should apply these fixes even if using charon only, the libstrongswan code is used by charon. Not sure where this

Re: [strongSwan] Loss of tunnel service while reauthenticating IKE_SA?

2015-03-12 Thread Martin Willi
Hi Tom, Is there a reason that, when using two Strongswan endpoints, one would not choose reauth=no? Yes. Reauthentication re-evaluates authentication credentials, checks the certificate status or rechecks permissions in the AAA backend. IKE_SA rekeying, as used with reauth=no, only refreshes

Re: [strongSwan] StrongSwan Mac OS X app DNS

2015-03-24 Thread Martin Willi
Hi Ken, Not sure if keeping the current DNS servers installed is the best approach, maybe we should remove the previous servers. But we currently just add them to have them as a fallback. I've pushed a new build [1] based on 5.3.0-rc1 that instead of appending the servers to the list, it

Re: [strongSwan] IPv6 (Link Local) Router Soliciations over VPN (for Windows 7)

2015-03-24 Thread Martin Willi
Hi Richard, If we add ff00::/8 to rightsubnet [...] the Router Solicitation and Router Advertisement packets pass correctly. The client gets a default route, and everything works. However, when we try to connect the VPN from a second client, it fails to connect because of duplicate traffic

Re: [strongSwan] failure with ike using sha2

2015-03-30 Thread Martin Willi
Hi Luka, I have just found out, that recent openssl 1.0.2 commit 929b0d70c19f60227f89fac63f22a21f21950823 breaks hmac when using openssl plugin for hmac functions This commit prevents the pre-initialization with an empty key we use to avoid any non-initialized use of HMAC_Update(). Most

Re: [strongSwan] failure with ike using sha2

2015-03-30 Thread Martin Willi
Please let me know if there is a fix for openssl since changing the load order of plugins is not recommended. If you are using OpenSSL 1.0.2a, you might try the strongSwan fix provided at [1]. Regards Martin [1]http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=openssl-hmac
