[strongSwan] Single physical interface "roadwarrior" responder using DHCP/FARP

2018-04-11 Thread Michael ..
the client.   Any ideas?   Cheers,   Michael.

Re: [strongSwan] Single physical interface "roadwarrior" responder using DHCP/FARP

2018-04-11 Thread Michael ..
v4.conf.all.send_redirects" as well completely removes the ICMP.  Not sure if this is intentional or a bug somewhere?   Anyway, thanks again.   Michael.   Sent: Wednesday, April 11, 2018 at 7:50 PM From: "Noel Kuntze" <noel.kuntze+strongswan-users-ml@thermi.consulting> To: 

Re: [strongSwan] Single physical interface "roadwarrior" responder using DHCP/FARP

2018-04-12 Thread Michael ..
observed: net.ipv4.conf.eth0.send_redirects = 0   I had to have both lines present to resolve the issue and stop the ICMP redirect being sent.  This didn't seem to make sense to me?   Michael.   Sent: Wednesday, April 11, 2018 at 10:40 PM From: "Noel Kuntze" <noel.kuntze+strong

[strongSwan] checkpoint with username and password

2009-03-18 Thread Michael Mengershausen
Hello Strongswan-team, is there a setup with strongswan for username and password (one time password, otp) authentication with a checkpoint vpn-server ? Best regards Michael -- Dr. Michael von Mengershausen, MR-Physik / PET Max-Planck-Institute for Neurological Research Gleueler Str

[strongSwan] key length

2009-03-18 Thread Michael Roy
lacks its description in man ipsec.conf. Best regards, Michael. ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] key length

2009-03-18 Thread Michael Roy
, Michael.

Re: [strongSwan] key length

2009-03-18 Thread Michael Roy
case. Btw, what do you think about the parameter overridemtu? Shall it help? Best regards, Michael.

Re: [strongSwan] key length

2009-03-19 Thread Michael Roy
leftsendcert=never rightcert=peerCert.pem Yes. It works as I already said it. Best regards, Michael.

[strongSwan] Newbie Question... IP ROUTES

2009-06-09 Thread Michael Camino
Hello, I am a relative newbie with strongswan but I have successfully gotten it installed and working on my CENTOS Linux Box. I am having a weird issue but I am sure it will be a quick fix when someone points me in the right direction. First a brief layout... Server 1(10.0.2.3)10.0.2.0/24

Re: [strongSwan] ipsec update kills current connection without config change

2009-07-31 Thread Michael Niehren
Hi Andreas, thanks for your help, but the problem still exists in V4.3.4rc1. I am currently using kernel V2.6.27.28. I will try out the V4.3.3 with the patch ... kind regards, Michael On Tuesday, 28 July 2009 16:00, Andreas Steffen wrote: Hi Michael, due to the additional keywords

Re: [strongSwan] ipsec update kills current connection without config change

2009-08-03 Thread Michael Niehren
such a test in the starter. What do you think, is that the right way to do it ? kind regards, Michael On Sunday, 2 August 2009 17:15, you wrote: Hi Michael, I found and fixed another bug introduced by the redefinition of the bool standard type some time ago. bool now maps to a char

[strongSwan] NAT-Traversal Problem with V4.3.4

2009-11-09 Thread Michael Niehren
an ipsec reload or restart but only relative to 1 vpn-connection, ipsec down and up is not enough? I am currently using on vpn1 Linux V2.6.27.34 and Strongswan V4.3.4 and on vpn2 Linux V2.4.37 and Strongswan V2.5.7. best regards, Michael -- Michael Niehren

[strongSwan] StrongSwan 4.2.4 with Windows 7

2009-12-28 Thread Wihsböck Michael
=192.168.1.0/24 rightid=C=AT, ST=Wien, O=Company, OU=Department, CN=support, e=em...@test.tld keyexchange=ikev2 auto=add Is the used strongSwan version too old? Kind regards, Michael

[strongSwan] Connection to Sonicwall Pro 3060

2010-07-31 Thread Michael Hieb
I need help getting a linux laptop to connect to office VPN running on Sonicwall Pro 3060. Apologies in advance if I have missed something in the manual or public domain, I really don't know how to take this further to determine what settings are required. Any clue appreciated. I I have confirmed

[strongSwan] Problems accessing ecp256

2010-10-21 Thread Michael Sneed
Hi, I am having problems getting StrongSwan to use ECP algorithms. I built with: ./configure --prefix /usr --sysconfdir=/etc --libexecdir=/usr/libexec --enable-openssl But when I try to bring up a connection specifying:

[strongSwan] (no subject)

2010-10-21 Thread Michael Sneed
Hi, I am having problems getting StrongSwan to use ECP algorithms. I built with: ./configure --prefix /usr --sysconfdir=/etc --libexecdir=/usr/libexec --enable-openssl But when I try to bring up a connection specifying: ike=aes128-sha256-ecp256! esp=aes128gcm16! I get: 002 suiteB #1:

Re: [strongSwan] (no subject)

2010-10-22 Thread Michael Sneed
...@hotmail.com CC: users@lists.strongswan.org Subject: Re: [strongSwan] (no subject) Yeah, this is strange indeed. Have Elliptic Curves been enabled in libcrypto.so-0.9.8e ? We know of some Linux distributions where this hasn't been the case. Regards Andreas On 21.10.2010 20:24, Michael Sneed

[strongSwan] Android (normal client) + L2TP/IPSEC and certificates

2010-11-11 Thread Michael Holstein
is StrongSwan identifying the peer by ID_IPV4 when the certificate is being sent and parsed? Thanks, Michael Holstein Cleveland State University

Re: [strongSwan] Android (normal client) + L2TP/IPSEC and certificates

2010-11-11 Thread Michael Holstein
to put it in/out of airplane mode to get a new IP to reconnect). Begs the question .. is there an easy way to clean up unexpired but unused EROUTES with whack? Thanks, Michael Holstein Cleveland State University

Re: [strongSwan] VPN from iPad to ubuntu-10.4

2011-06-24 Thread Michael Holstein
(or) (packet) - ipsec - ipsec-natt - host Cheers, Michael Holstein Cleveland State University

[strongSwan] verify_cert off (racoon) possible in StrongSwan?

2011-07-06 Thread Michael Holstein
this? Yes, I realize all the reasons why you wouldn't want to do that, since Strongswan was built for its certificate support. TIA, Michael Holstein Cleveland State University

Re: [strongSwan] unity_split_include prevents VPN from connecting.

2012-03-07 Thread Michael Gorbach
for 172.16.1.0/24===172.16.1.102:4500[C=US, O=AnsibleThreshold strongSwan, CN=server ip]...174.252.36.126:3047[C=US, O=AnsibleThreshold strongSwan, CN=My iPhone]===10.0.8.1/32 Some help would be very much appreciated, ~ Michael Gorbach

Re: [strongSwan] unity_split_include prevents VPN from connecting.

2012-03-09 Thread Michael Gorbach
/24 } } } The 28676 and 28675 are the SPIT_INCLUDE and DOMAIN attributes.makes a - Switched strongSwan to running as root, though I don't know if that made a difference. ~ M. On Mar 7, 2012, at 11:13 PM, Michael Gorbach wrote: (Don't know if this email will get

Re: [strongSwan] unity_split_include prevents VPN from connecting.

2012-03-09 Thread Michael Gorbach
|~ leftsubnet=172.16.1.0/24 ~ M. On Mar 9, 2012, at 1:00 PM, Michael Gorbach wrote: I've got this working as follows: - Removed the UNITU_SPLIT_INCLUDE attribute from the SQL DB. - In StrongSwan.conf: pluto { plugins { attr

[strongSwan] Strongswan 5 Apple iOS5

2012-08-30 Thread Michael Lam
Hi, I'm using StrongSwan on my OpenWRT based router to setup a VPN for my roadwarrior iOS 5 using XAUTH with PSK. My setup is like this: My internal network: Network and range 172.16.67.96/255.255.255.224 (172.16.67.96 - 172.16.67.126) Gateway 172.16.67.97 DNS 172.16.67.97 My OpenWRT is the

[strongSwan] xauthrsa and iOS

2013-01-14 Thread Michael Durket
Is there a way to specify in Strongswan 5.0.1 an authentication combination of xauth-pam and rsa? Rather than storing accounts and passwords for XAUTH authentication in ipsec.secrets I'd like to have xauth use PAM to look up accounts and passwords. There's an xauth-pam method, but I don't see

[strongSwan] Using X509 DN for rightid

2013-01-28 Thread Michael Durket
In the wiki page that specifies a configuration that works for iOS devices (http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple) ) it says in the section titled Install Certificates: It is not necessary to keep the client certificate on the server, but it can be useful to use

[strongSwan] Using certificate-only authentication for iOS devices?

2013-01-28 Thread Michael Durket
According to the Apple Enterprise Deployment Guide, you can distribute an IPSec VPN profile to an iOS device with Xauth authentication set to '0' which would imply that you can have a connection authenticated only by a client certificate. Does anyone out there use this with Strongswan or know

Re: [strongSwan] OS X/iOS clients with XAUTH

2013-02-17 Thread Michael Durket
I'm a little puzzled here. Apple's own website has a document VPN Server for iOS Devices: IPSec settings (at help.apple.com/iosdeployment-vpn/mac/1.2/#app36c95bff) that states it does not support Re-keying of phase 1 and recommends rekeying times on the server of 1 hour. But in an earlier

Re: [strongSwan] OS X/iOS clients with XAUTH

2013-02-18 Thread Michael Gorbach
documentation pages for iOS / OS X connections. Yours, ~ M. On Feb 18, 2013, at 12:03 AM, Brian Mastenbrook br...@mastenbrook.net wrote: On 2/17/2013 12:49 PM, Michael Durket wrote: I'm a little puzzled here. Apple's own website has a document VPN Server for iOS Devices: IPSec settings

Re: [strongSwan] OS X/iOS clients with XAUTH

2013-02-19 Thread Michael Durket
(based on your information on modeconfig on rekeying). I have no problem with giving each device a separate X509 certificate but the xauth problems and statically assigned IPs is a real dealbreaker. On Feb 17, 2013, at 9:03 PM, Brian Mastenbrook wrote: On 2/17/2013 12:49 PM, Michael Durket

[strongSwan] wiki article iOS

2013-03-15 Thread Michael Monnerie
(NO_PROP) ] -- Kind regards, Michael Monnerie, Ing. BSc | Tel: +43 660 415 6531 XING: https://www.xing.com/profile/Michael_Monnerie Facebook: https://www.facebook.com/michael.monnerie Twitter: @MichaelMonnerie https://twitter.com/MichaelMonnerie LinkedIn: http://lnkd.in/uGx6ug Google+: https

Re: [strongSwan] wiki article iOS

2013-03-16 Thread Michael Monnerie
=xauth right=%any rightsubnet.0.0.0/24 rightsourceip.0.0.2 rightcert=zmiPadCert.pem rightid=C=AT, O=Proteger, CN=* compress=no auto=add #pfs=no -- Kind regards, Michael Monnerie, Ing. BSc | Tel: +43 660 415 6531 XING

Re: [strongSwan] iOS Config

2013-03-16 Thread Michael Monnerie
Grüssen, Michael Monnerie, Ing. BSc | Tel: +43 660 415 6531 XING: https://www.xing.com/profile/Michael_Monnerie Facebook: https://www.facebook.com/michael.monnerie Twitter: @MichaelMonnerie https://twitter.com/MichaelMonnerie LinkedIn: http://lnkd.in/uGx6ug Google+: https://plus.google.com/u/0

Re: [strongSwan] wiki article iOS

2013-03-19 Thread Michael Monnerie
Any ideas someone? On Saturday, 16 March 2013, 09:15:54, Michael Monnerie wrote: On Friday, 15 March 2013, 09:14:31, Larsen wrote: try using another IKE version. If it's the same for the iPad as for the iPhone it should be IKEv1. Thank you for the response. I took the config from

Re: [strongSwan] Win7 L2TP/IPSEC clients disconnect every 8 hours

2013-07-22 Thread Michael Ulitskiy
. Thanks, Michael On Monday, July 22, 2013 02:43:33 PM Paton, Andy wrote: Some useful info from the Wiki http://wiki.strongswan.org/projects/strongswan/wiki/Windows7 which may help you on this one: Rekeying behavior IKE_SA rekeying The Windows 7 client supports IKE_SA rekeying, but can't

[strongSwan] Android Strongswan + VOIP

2013-10-15 Thread Michael Blake
route gets used since the 10 subnet is not configured anywhere (and would be impossible to predict for a road warrior). Does anyone have experience using the android strongswan client and a voip android app successfully? Michael

[strongSwan] Win2008 main mode neg failed, no policy configured

2014-02-12 Thread Lars Michael
Hi all, I have used the scepclient (strongswan 5.1.1) and NDES to enroll a certificate to a linux box. Then I configured a host-host connection and I am able to establish a SA from right to left (using ICMP ping from the server). When the left side initiates the IKE negotiation, the server

[strongSwan] Win2008 main mode neg failed, no policy configured

2014-02-12 Thread Lars Michael
Hi Martin, AFAIK, Windows 2008 Server does not support IKEv2 when using non-RAS transport mode connections. Great advice! using: keyexchange=ikev1 the main mode now completes! On to the quick mode neg., which fails: generating QUICK_MODE request 2717344713 [ HASH SA No KE ID ID ] sending

[strongSwan] NO_PROPOSAL_CHOSEN when connect with Fritzbox

2014-02-12 Thread Wagenknecht Michael
, Michael

[strongSwan] iptables question

2014-02-13 Thread Wagenknecht Michael
ACCEPT My problem is that there are wrong devices (eth0) in the rules. I need eth1 instead eth0. Where can I define the device? Or can I disable the generation of the rules? Best regards, Michael

Re: [strongSwan] iptables question

2014-02-13 Thread Wagenknecht Michael
On 13.02.2014 21:26, Pawel Grzesik wrote: On 13 Feb 2014, at 18:52, Wagenknecht Michael mwagenkne...@gmx.net wrote: Hi, I have another question. After activating a connection between the Fritzbox and strongswan, I have 4 additional iptables rules: -A INPUT -s 192.168.0.0/24 -d

Re: [strongSwan] Win2008 main mode neg failed, no policy configured

2014-02-20 Thread Lars Michael
I was configuring IPsec transport mode between a strongswan client and Windows 2008, but ran into problems: On to the quick mode neg., which fails:  generating QUICK_MODE request 2717344713 [ HASH SA No KE ID ID ]  sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (300 bytes)  received

Re: [strongSwan] Win2008 main mode neg failed, no policy configured

2014-02-20 Thread Lars Michael
Hi Martin, esp=3des-sha1,3des-sha1-modp1024 If you have both non-PFS (3des-sha1) and PFS (3des-sha1-modp1024)  proposals included, strongSwan includes a KE payload for the DH  exchange. The responder is free to ignore the KE payload if it picks the  non-PFS proposal, but it seems that this

[strongSwan] Overlaping IP addresses

2014-12-02 Thread Michael Schwartzkopff
/WAN distinguish between both boxes? If yes, how? Thanks for any hints. Kind regards, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Franziskanerstraße 15, 81669 München Registered office: München, District court München: HRB 199263

[strongSwan] eap-md5: constraint requires public key authentication, but EAP was used

2015-01-16 Thread Michael Schwartzkopff
=never rightsubnet=192.168.56.0/24 # auto = add Anybody here who could help me why this authentication is failing? Kind regards, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Franziskanerstraße 15, 81669 München

Re: [strongSwan] PIv6 over IPv4 Tunnel

2015-01-14 Thread Michael Schwartzkopff
On Wednesday, 14 January 2015, 10:24:06, Michael Schwartzkopff wrote: Hi, I have an IPv4 transport network, so moon (responder) and carol machines have IPv4 addresses. The IPv4 IPsec tunnel works. Can I assign IPv6 addresses to my carol host? Something like rightsourceip = 192.168.100.0

[strongSwan] PIv6 over IPv4 Tunnel

2015-01-14 Thread Michael Schwartzkopff
? Kind regards, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Franziskanerstraße 15, 81669 München Registered office: München, District court München: HRB 199263 Executive board: Patrick Ben Koetter, Marc Schiffbauer Chairman of the supervisory board

Re: [strongSwan] High availability configuration

2015-02-22 Thread Michael Schwartzkopff
to set up such a config, you have to configure the correct MAC address in the switches in the ports. Otherwise you could have loops and you will see much traffic. (...) Kind regards, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044

Re: [strongSwan] eap-radius and ssha passwords

2015-02-22 Thread Michael Schwartzkopff
of the authentication protocol and password storage compatibility matrix? http://deployingradius.com/documents/protocols/compatibility.html Do you do a ldapbind or ldapsearch? Kind regards, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044

Re: [strongSwan] Visibility on usage of a strongswan/ipsec server

2015-05-04 Thread Michael Schwartzkopff
, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Franziskanerstraße 15, 81669 München Registered office: München, District court München: HRB 199263 Executive board: Patrick Ben Koetter, Marc Schiffbauer Chairman of the supervisory board: Florian Kirstein

Re: [strongSwan] No udp encapsulation behind a NAT device?

2015-08-04 Thread Michael Schwartzkopff
On Tuesday, 4 August 2015, 10:36:21, Tobias Brunner wrote: Hi Michael, VPN connection is established: There are no CHILD_SAs listed there. Only IKE_SAs. Could you send the logs of when the SAs are established (including the initial messages where the NAT is detected). What strongSwan

[strongSwan] No udp encapsulation behind a NAT device?

2015-08-04 Thread Michael Schwartzkopff
in clear text. Any ideas what might be wrong? Kind regards, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Franziskanerstraße 15, 81669 München Registered office: München, District court München: HRB 199263 Executive board: Patrick Ben

[strongSwan] Log file documentation

2015-08-04 Thread Michael Schwartzkopff
Hi, I tried to find a documentation of the entries in the strongswan log file. Especially I am looking for the documentation of the IKE attributes like NATD_S_IP, NATD_D_IP, INVAL_KE, IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY). Any good hints? Kind regards, Michael

Re: [strongSwan] FW: FW: strongswan ipsec monitor via SNMP

2015-07-31 Thread Michael Schwartzkopff
On Friday, 31 July 2015, 19:37:01, Nitin Agarwal wrote: Hello Monti and Michael I also wanted to do same things and my team started the work on same. We have done good work on this and trying to update information via SNMP in OpenNMS. We wanted to integrate with OpenNMS, so that we can

Re: [strongSwan] FW: FW: strongswan ipsec monitor via SNMP

2015-07-31 Thread Michael Schwartzkopff
On Friday, 31 July 2015, 19:37:01, Nitin Agarwal wrote: Hello Monti and Michael I also wanted to do same things and my team started the work on same. We have done good work on this and trying to update information via SNMP in OpenNMS. We wanted to integrate with OpenNMS, so that we can

Re: [strongSwan] FW: strongswan ipsec monitor via SNMP

2015-07-31 Thread Michael Schwartzkopff
On Friday, 31 July 2015, 10:38:39, Monti, Marco wrote: Hi Michael, So there is not any MIBs to use for ipsec as you know I would have to write a subagent from scratch I have tried to find out but seems there is not any What language and API would you suggest? Marco Standard is C

Re: [strongSwan] strongswan ipsec monitor via SNMP

2015-07-31 Thread Michael Schwartzkopff
-Agent is quite a task. But I could help you a little bit. But beware, I do not have too much time. Kind regards, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Franziskanerstraße 15, 81669 München Registered office: München

[strongSwan] Strange routing table 220 entries

2015-07-22 Thread Michael Stiller
The question is: Is there some obvious misconfiguration which causes the routes in table 220 to appear. It looks like the strange routes do no harm, as everything works as expected so far or will they? Any general hints for this setup? Thanks and best regards, Michael

[strongSwan] StrongSwan 5.3.3 / iOS 9.1 split-exclude does not work

2015-11-03 Thread Michael Stiller
traceroute to 8.8.8.8. This was configured like this: leftsubnet=0.0.0.0/2,64.0.0.0/4,80.0.0.0/8,...,128.0.0.0/1 Any clues? I tried to configure ike2 using the iOS gui config, but had no success so far. Would any one share a working ike2 config with iOS 9.1 which is multi-client and gui conf

Re: [strongSwan] iOS 9 & IKEv2: Strange network issues with active vpn connection over 3G

2015-11-05 Thread Michael Stiller
Hi Marcel, I tried to establish an ike2 connection using ios9.1 and strongswan 5.3.3 but was not able to connect so far. Could you please share your configuration (especially ios config). If I'm able to connect I can try to reproduce your problem. Best regards, Michael > Hello every

[strongSwan] Simple Setup between Strongswan V4.6.4 and Strongswan V5.3.3 in IKEV1-Mode does not work

2015-10-01 Thread Michael Niehren
r 20 ms Oct 1 16:40:15 charon: 09[IKE] initiating Main Mode IKE_SA testvpn[1] to 79.232.231.58 after starting the connection with robo@/etc/ipsec.d/connections# ipsec start Starting strongSwan 5.3.3 IPsec [starter]... Hope for your help, best regards M

[strongSwan] Problem when using a VIP in "left" setting.

2016-01-12 Thread Michael O'Dowd
Hi, Note: below I use the term "VIP". By this, I mean the IP address associated with a Linux virtual network interface, like eth1:0. I want to avoid confusion with the strongSwan concept of "Virtual IP". I have configured strongSwan so that the "left" conn parameter refers to a VIP. This

Re: [strongSwan] Support of forwarding of client DHCP requests in strongswan?

2016-06-05 Thread Michael Schwartzkopff
le to hand out its own IP addresses. See: https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp https://wiki.strongswan.org/projects/strongswan/wiki/Dhcpplugin Is this an option in your setup? Or do the IP addresses really have to be passed on to the central DHCP server? Kind regards, M

Re: [strongSwan] DH group for key exchange is undefined

2016-02-04 Thread Michael Chan
e x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr load-tester kernel-netlink resolve socket-default stroke updown xauth-generic On Sun, Jan 31, 2016 at 1:57 AM, Thomas Egerer <hakke_...@gmx.de> wrote: > -BEGIN PGP S

[strongSwan] Push route possible?

2016-02-10 Thread Michael Schwartzkopff
local gateway? Any ideas? Thanks. Kind regards, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Franziskanerstraße 15, 81669 München Registered office: München, District court München: HRB 199263 Executive board: Patrick Ben Koetter, Marc

[strongSwan] load-tester with eap disable

2016-02-08 Thread Michael Chan
Hi, Is it possible to use load-tester plugin with EAP disabled? Thanks, Michael

Re: [strongSwan] DH group for key exchange is undefined

2016-02-05 Thread Michael Chan
] retransmit 2 of request with message ID 0 charon: 12[NET] sending packet: from 2.2.2.20[500] to 2.2.2.1[500] (288 bytes) charon: 13[IKE] retransmit 3 of request with message ID 0 On Fri, Feb 5, 2016 at 6:31 AM, Tobias Brunner <tob...@strongswan.org> wrote: > Hi Michael, > > I think

Re: [strongSwan] DH group for key exchange is undefined

2016-01-29 Thread Michael Chan
? I have the following parameter in my load-tester.conf file. proposal = aes-sha1-modp1024 On Fri, Jan 29, 2016 at 12:40 PM, Michael Chan <mcha...@gmail.com> wrote: > Hi, > I'm wanting to use the load-tester plugin to perform load testing on > remote host, but the remote hos

Re: [strongSwan] DH group for key exchange is undefined

2016-01-31 Thread Michael Chan
Hash: SHA256 > > Michael, > > while unloading the dishwasher I gave your issue another thought ;) > It seems I have somehow misread your problem. The peer you are trying > to connect the load tester to, runs which VPN-service? If it is a > strongwan instance, you should pro

[strongSwan] DH group for key exchange is undefined

2016-01-29 Thread Michael Chan
esp and proposal to use modp1024, but it doesn't change the key exchange payload DH group at all. Is there a way to set the group in load-tester? Thanks, Michael

[strongSwan] Converting ipsec.conf to swanctl.conf

2016-02-25 Thread Michael Lipp
Hi, I wanted to give it a try, but failed with the first statement. What does "charondebug=..." in ipsec.conf map to in swanctl.conf? - Michael

Re: [strongSwan] Converting ipsec.conf to swanctl.conf

2016-02-25 Thread Michael Lipp
en..local_ts", but I have no idea what value to use for "". The examples use "net", but I don't understand where this value comes from. If there were several "connections..children." sections with different "&qu

[strongSwan] Working Android 6 Native XAUTH configuration?

2016-02-26 Thread Michael Lipp
payload length, decryption failed?" and found several bug reports, most closed without real solution. I tried every hint I could find there to no avail. - Michael

[strongSwan] Strongswan on FreeBSD - reduced privilege possible?

2016-08-11 Thread Michael Lam
Hi, with current reduced privilege configuration option it requires use of libcap which is only available in Linux. Can the --with-user option be used for FreeBSD to reduce privilege of the daemon running on FreeBSD? What is the downside? -- Rgds, Michael

[strongSwan] Replace ssh socks5 proxy with IPSec

2017-01-30 Thread Michael Nielsen
I would like to setup a more stable secure connection between my servers. Currently I'm using ssh socks5 proxy, which does work: ssh -fN -D localhost:1080 myuser@my-remote-ip and then I'm able to cURL with curl --socks5-hostname:localhost:1080 ... I'm able to setup StrongSWAN between my to

[strongSwan] Pre-Shared Key Conditioning

2017-02-10 Thread Michael Wages
Hello, I'm trying to find some documentation on what algorithms, if any, StrongSwan uses for pre-shared key conditioning. Can anyone point me to an RFC or a web page that has this? Thanks, *Michael Wages*

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-16 Thread Michael Schwartzkopff
On Monday, 16 January 2017, 18:30:15, Varun Singh wrote: > On Mon, Jan 16, 2017 at 6:18 PM, Michael Schwartzkopff <m...@sys4.de> wrote: > > On Monday, 16 January 2017, 18:09:00, Varun Singh wrote: > >> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff <m...@sys4

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-16 Thread Michael Schwartzkopff
On Monday, 16 January 2017, 18:55:35, you wrote: > On Mon, Jan 16, 2017 at 6:32 PM, Michael Schwartzkopff <m...@sys4.de> wrote: > > On Monday, 16 January 2017, 18:30:15, Varun Singh wrote: > >> On Mon, Jan 16, 2017 at 6:18 PM, Michael Schwartzkopff <m...@sys4.de>

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-18 Thread Michael Schwartzkopff
stood what the expert was saying. If not, I > > should discuss this with him. > > Neither strongSwan, nor openvpn do that. I have never seen something like > that. Old versions of openswan / freeswan did create interfaces. Kind regards, Michael Schwartzkopff -- [*] sys4 AG

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-18 Thread Michael Schwartzkopff
opic was discussed here on the list. Kind regards, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Schleißheimer Straße 26/MG, 80333 München Registered office: München, District court München: HRB 199263 Executive board: Patrick Ben Koetter, Marc Schi

[strongSwan] Question about charon.interfaces_ignore/charon.interfaces_use

2016-09-27 Thread Michael Wages
to the charon subsection. However, I am seeing that traffic going to interfaces b and c are still attempting to negotiate IPsec. Conversely, I tried interfaces_use = a and still saw the same result. Is there something I am missing? Thanks, *Michael Wages

Re: [strongSwan] hardware requirement for about 600 users

2016-11-23 Thread Michael Schwartzkopff
alell? What bandwidth (aggregated)? How many re-authentications per second (or minute)? Any recent CPU should be able to handle "normal" internet connection speeds up to 100 MBit/s and user figures as given above. Kind regards, Michael Schwartzkopff -- [*] sys4 AG http://sys

Re: [strongSwan] High Scale VPN deployment recommendation?

2016-11-15 Thread Michael Schwartzkopff
d trust the hardware vendors. Also have an eye on the VPN setup rate. Establishing a VPN link needs performance, so you would like to have as few renegotiations per second as possible. If you have 10k clients and a tunnel lifetime of 3600 sec, you would have about 3 IPsec SA negotiations per sec. Th

[strongSwan] Strongswan sends PSK+XAUTH, but XAUTH is not configured

2016-11-29 Thread Michael Righter
Hi We are using strong swan on a box which should connect to another Firewall. The strongswan initiates the connection. We have wiresharked the packets on the receiving site and we see that strongswan is sending XAUTH and PSK but I have only configured to use xauth. I've also disabled XAUTH

Re: [strongSwan] Setup StrongSwan as server for client connections

2016-12-14 Thread Michael Nielsen
Is it simply removing right side parameters and adding: right=%any On Wednesday, December 14, 2016, Michael Nielsen <mic.nie...@gmail.com> wrote: > I'm running StrongSwan for site2site VPN connections. > It works fine. > > I have a client who cannot use site2site. > > H

[strongSwan] IPsec performance figures

2017-05-03 Thread Michael Schwartzkopff
Hi, are there any reliable performance figures for IPsec throughput on x86_64 Linux machines? Is 10 GBit/s feasible? If yes, how? Kind regards, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG, 80333 München Sitz der

[strongSwan] Meshed VPN with dynamic routing

2017-05-03 Thread Michael Schwartzkopff
the site C. Is such a scenario possible? How? Any hints? Kind regards, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG, 80333 München Registered office: München, District court München: HRB 199263 Executive board: Patrick Ben Koetter

Re: [strongSwan] 24/7/365 tunnel?

2017-09-13 Thread Michael Schwartzkopff
fact that Strongswan seems to take >> down the tunnel automatically (?) after a few hours. >> >> How can I 1) make sure there’s no timeout (?) and 2) that IF >> the tunnel goes down, for whatever reason, that it will reinitiate >> the connection automaticall

Re: [strongSwan] StrongSwan and EAP (FreeRadius)

2017-11-14 Thread Michael Schwartzkopff
On 15.11.2017 at 08:24, Houman wrote: > Hi, > > I'm new to the concept of EAP and might be misunderstanding something. > Apologies up front. > > I have finally been able to install FreeRadius and enable the SQL module. > I have created a user in the database and was hoping to establish a VPN >

Re: [strongSwan] StrongSwan and EAP (FreeRadius)

2017-11-15 Thread Michael Schwartzkopff
On 15.11.2017 at 09:58, Houman wrote: > Hello Michael, > > > Thanks for your reply. Indeed I should have checked the radius log. It > seems the shared secret is incorrect, but they do match in configs as > pasted below. > Where else could the secret have been used that I

[strongSwan] Autorisation in vici?

2017-12-17 Thread Michael Schwartzkopff
Hi, is there any kind of authentication / authorization in the vici interface? Or does everybody that has access to the socket (or tcp socket) have full control over charon? I did not find anything in the docs. Kind regards, -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64

Re: [strongSwan] Monitoring stronswan

2017-12-14 Thread Michael Schwartzkopff
On 14.12.2017 at 11:49, Michael Stiller wrote: > Ah ok, > > for that i enabled the vici plugin in strongswan and have a go program using > github.com/bronze1man/goStrongswanVici which implements a small http > listening healthcheck program. > > Best regards, > &g

[strongSwan] Monitoring stronswan

2017-12-14 Thread Michael Schwartzkopff
Hi, What is the best way to do a fault monitoring of a strongswan server? In the first place, my monitoring service should check if the server is able to offer the VPN service, which means i.e. that UDP/500 will send a correct answer if checked from the outside. Any ideas? Mit freundlichen

Re: [strongSwan] Monitoring stronswan

2017-12-14 Thread Michael Stiller
d compare it with the expected value (e.g. address of the vpn server) If not -> alarm. Best regards, Michael > On 14. Dec 2017, at 11:29, Michael Schwartzkopff <m...@sys4.de> wrote: > > Hi, > > > What is the best way to do a fault monitoring of a strongswan server? In >

Re: [strongSwan] Strongswan + Radius + MySQL + Hashed Passwords: Possible?

2018-01-10 Thread Michael Schwartzkopff
On 10.01.2018 at 04:39, RA wrote: > Hi. > > Thanks for your reply. 'NT-Password' isn't working with Strongswan > though radtest is checking it just fine: > > # smbencrypt mypass > LM Hash NT Hash > >

Re: [strongSwan] Multiple VPN servers possible?

2018-01-15 Thread Michael Schwartzkopff
On 14.01.2018 at 15:34, Noel Kuntze wrote: > Hi, > > A wrapper script or some patches to strongSwan and add a feature to VICI to > specify a different destination IP for the CHILD_SA you want to initiate. > > Kind regards > > Noel > > On 12.01.2018 20:56, Mich

[strongSwan] Multiple VPN servers possible?

2018-01-12 Thread Michael Schwartzkopff
Hi, is it possible to configure several / multiple VPN servers as entry points to a data center? My idea is to have several VPN servers with different IP addresses. The client checks which one is available and connects to it to get a connection to the data center. Is this scenario possible

Re: [strongSwan] fallback to local secrets when RADIUS server unavailable

2018-12-04 Thread Michael Schwartzkopff
On 04.12.18 at 14:09, Dmitry Soloshenko wrote: > Hello, Tobias. > > Thank you for response. > >>> As an example, on Cisco router I would create 2 access groups and >>> have 2 >>> profiles on Cisco VPN client: one for local auth, one for RADIUS. >> And how/when does it switch between the two? > In

Re: [strongSwan] DNS LoadBalancing and Failover

2018-09-16 Thread Michael Schwartzkopff
On 16.09.2018 at 09:34, Markus P. Beckhaus wrote: > Dear all, > > we are thinking about using a DNS Load-Balancer to distribute a huge count of > strongswan clients to multiple VPN gateways. Also, the DNS Load-Balancer > should detect the failure of VPN gateways and remove them from the DNS >
