on kernel version 2.6.32-46 32-bit.
Distribution is Debian Squeeze 6.0.6
ipsec.conf: http://pastebin.com/eRXjkyp5
strongswan.conf: http://pastebin.com/HkwyDyyF
log: http://pastebin.com/vxhkk2UT
Sincerely,
Noel Kuntze
___
Users mailing list
Users
I might need to add: The log is from a different kernel version, because
I hoped that it works better on my selfcompiled kernel, but it doesn't.
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
/66c6cf4atyqfunk/android.log
Also: Please don't abuse the email address. Thank you.
Sincerely,
Noel Kuntze
bin3fuasESfs9.bin
Description: Binary data
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Hello Yordanos,
You need to enter some configuration informatione in the config setup
section or take it out of the configuration.
Regards,
Noel Kuntze
Am 24.01.2013 00:12, schrieb yordanos beyene:
Hi Everyone,
I am unable to load strongswan.conf after I upgraded from SS v5.0.0 to
SS v
Am 26.02.2013 23:35, schrieb Justin Grover:
Hello StrongSwanners,
I'm just getting started with strongswan. I've successfully installed
a strongswan sever (ubuntu 12.04) with IPAddress 192.168.0.50. I'm
attempting to connect to the server using a strongswan client
(ubuntu) installed on
Hello,
I just got strongswan to somewhat work. but still need to fix the issue
of getting No matching outbound IPsec policy for [insert some IP here].
How do I fix this?
Regards,
Noel
ipsec.conf:
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
Hello,
Can you ping one of the interfaces of the router? If yes, then you might
need to enable forwarding for the tunnel in the kernel settings. (sysctl
on linux, key net.ipv[46].conf.tunl[0123456789].forwarding = 1). The
latter made my setup work. You might also want to investigate the
Hello,
I'm looking fir working configuration for xauthrsasig for the Android
4.x integrated IPsec clients.
I'm trying to find out, if apps for android can communicate over vpn, if
the integrated vpn client is used.
Regards,
Noel
___
Users mailing list
Hello,
Is there a reason I should use libipsec instead of the kernel
implementation? Is there a speed benefit to it or something?
Regards,
Noel
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
P.S.: The connection succeeds, when I use vpnc to connect. What could
cause stronswan to not get a reply?
Both the psk and my xauth-credentials are in my local ipsec.secrets.
Here's a part of my config. The last part is the one that matters.
Regards,
Noel
conn %default
ikelifetime=60m
Hello,
Is it planned to add support for CISCO's proprietary UDP encapsulation?
Regards,
Noel
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi,
That didn't help, sadly. Charon still looses the IKE_SA when
re-authenticating.
Regards,
Noel
Am 07.07.2013 03:32, schrieb Dmitry Korzhevin:
Hi,
Try use uniqueids = never
Noel Kuntze n...@familie-kuntze.de написал(а):
Hello
and loading it
with the load statement in strongswan.conf.
Regards,
Noel Kuntze
On 26.08.2013 12:48, ??? wrote:
Dec 12 01:25:05 freescale daemon.info charon: 01[KNL] received netlink
error: Function not implemented (38)
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.21 (GNU/Linux)
Comment: Using GnuPG
in strongswan.conf.
Regards,
Noel Kuntze
On 26.08.2013 12:48, ??? wrote:
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.21 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJSGzRBAAoJEDg5KY9j7GZYOfsP/AlMo3OSaH3bcDoXSQTz2cy4
know if strongSwan will reject the
traffic to subnets that are not physically attached to it.
Regards,
Noel Kuntze
On 30.08.2013 12:21, Kevin Palmer wrote:
Hi Andy,
The routing on the 10.4.0.0 spoke is configured that any communication to the
following subnets
10.30.0.0/16,10.7.0.0
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Rakesh,
This can be done with charon-cmd.
Regards,
Noel Kuntze
On 30.08.2013 13:27, rakesh bansod wrote:
hi all,
i want to know is it possible to establish ipsec connection without
entering connection details in ipsec.conf
over ssh or even better, over http,
you can use it in a HTTP-only environment.
Regards
Noel Kuntze
On 25.10.2013 00:51, Robert Tribb wrote:
Is there any hope of running IKE and the IPsec tunnel mode from a network
where internet access is only permitted through a HTTP proxy?
Many proxies
over ssh or even better, over http,
you can use it in a HTTP-only environment.
Regards
Noel Kuntze
On 25.10.2013 00:51, Robert Tribb wrote:
Is there any hope of running IKE and the IPsec tunnel mode from a network
where internet access is only permitted through a HTTP proxy?
Many proxies
and then probably negotiates the IP offered by the first
server to respond.
Regards
Noel Kuntze
On 03.11.2013 19:08, Jean-Marc Choulet wrote:
Hello,
Is it possible to have one DHCP server per connection ?
For example :
- use dhcp.local1.net server for conn local1-net and
- use dhcp.local2.net
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Lawrence,
I think to make this work, you have to specify two different pars of XAUTH
credentials in ipsec.secrets.
One for your iPad and one for your Android phone.
Regards
Noel Kuntze
On 05.11.2013 14:35, Lawrence Chiu wrote:
I
/to the subnets you want to.
Regards
Noel Kuntze
On 05.11.2013 18:14, Adrian Milanoski wrote:
HI all,
Is it possible to setup ipsec.secrets to allow only certain subnets to use
certain PSKs
24.177.*.* : PSK “tempskforme”
Is this at all possible? How can I control which subnets
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello Luka,
See
http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
For solutions to this problem.
Regards
Noel Kuntze
Am 07.11.2013 07:54, schrieb Luka:
Hi.
I've successfully installed StrongSwan 5.0.4 IPsec server
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Ulrich,
You can use auto=start in the connection section to start a connection as
soon as strongSwan starts.
Regards
Noel Kuntze
On 08.11.2013 11:03, Ulrich Schinz wrote:
Hi there,
seems to be a very simple problem, but I can't manage
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Mikael,
You can't explicitely blacklist modules, but you can use your own
load-statement in strongswan.conf to make strongSwan load only the modules you
need.
See the manpage for strongswan.conf for further information.
Regards
Noel
and find out with what settings
it tries to connect to strongSwan.
Increasing the log's verbosity on charon's side might help, if the
documentation of SOPHOS UTM isn't clear about this.
Regards
Noel Kuntze
On 09.11.2013 15:21, Huang, Zhenxing wrote:
HI,super,
We are prepare use SOPHOS UTM
Noel Kuntze
On 10.11.2013 11:50, Luka wrote:
Hi.
I've found way to fix that error: iptables: No chain/target/match by that
name by executing command:
insmod xt_policy
Now when I connect, iPhone gets IP 10.0.0.2 and following policy is added to
FORWARD chain:
Chain FORWARD (policy DROP 0
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Sorry, it is iptables -A POSTROUTING -t nat -s 10.0.0.0/24 -o eth0 -j
MASQUERADE
On 10.11.2013 15:05, Noel Kuntze wrote:
Hello Luka,
You need to masquerade the traffic from your iPhone to the LAN or the
internet.
You do this with either
the
rule to the chain.
Example: iptables -I POSTROUTING 1 -s 10.0.0.0/24 -j MASQUERADE
Regards
Noel Kuntze
On 10.11.2013 16:31, Luka wrote:
Hi Noel.
Still no luck.
I’ve added masquerade, following line is added to nat iptable:
Chain POSTROUTING (policy ACCEPT 2500 packets, 221K bytes)
num
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello Bjoern,
In this case, you need to set the cipher settings for IKE by hand.
You can do this using the ike statement (and maybe the esp statement, too)
in ipsec.conf
See the manpage for further information.
Regards
Noel Kuntze
Am 11.11.2013 09
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello Bjoern,
Try it with an exclamation mark at the end.
Regards
Noel Kuntze
Am 11.11.2013 10:28, schrieb bjoern wahl:
Hello Noel,
thanks for the fast response.
I did that already
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Luka,
Is IP forwarding activated? if it isn't, then activate it.
Getting the IP packets from the tunnel to your LAN is probably the problem.
Regards
Noel Kuntze
On 13.11.2013 21:27, Luka wrote:
Hi Noel.
My postrouting chain contains
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Luka,
Yes, this is all okay.
Does the traffic counters, you see when you do ipsec statusall, increase when
you try to communicate with your LAN?
Regards
Noel Kuntze
On 13.11.2013 22:11, Luka wrote:
IP forward is enabled. I can't find
a lot.
When logging, please send us logs with default=3.
The logfiles can grow quite large over time.
Also, what version of strongSwan do you use?
Regards
Noel Kuntze
On 13.11.2013 22:18, Luka wrote:
Traffic counters stays at 0
ios{2}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o
/strongswan/wiki/IOS_(Apple)
Regards
Noel Kuntze
On 14.11.2013 19:21, Marcelo Barbudas wrote:
Hi.
I'm coming from the world of OpenVPN and having a hard time
understanding how to implement some features using strongswan.
I have been googling and reading docs. I still have some questions
that I
Noel Kuntze
On 14.11.2013 19:49, Marcelo Barbudas wrote:
Hi Noel,
I'm trying something simple, taking one step at a time, to establish
the VPN connection and from the client's side (iOS) to still be able
to navigate freely (to hosts not through the VPN). This is the server
config I am using
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Sam,
IPsec is a layer 3 VPN, hence strongSwan works on layer 3. If you want to
bridge on layer 2, you need to use l2tp inside the tunnel or other software
that can tunnel layer 2.
Regards
Noel Kuntze
On 18.11.2013 13:43, Ccf Cloud wrote
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Andrej,
I encountered the exact same problem with my own setup with exactly the same
behaviour.
If you found a solution, please let me know.
Regards
Noel Kuntze
On 19.11.2013 17:44, Andrej Podzimek wrote:
Hello,
my question might
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Ilyas,
You can gather more information about what is happening by activating logging.
A link to that is here [1].
[1] http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
Regards
Noel Kuntze
On 20.11.2013 16:48, ilyas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Ilyas,
You need to put s around the password.
Regards
Noel Kuntze
On 20.11.2013 20:21, ilyas Guennoun wrote:
So I set debug level to 4 for ike, kernel, config and network
I removed the ids to keep the minimum configuration (for better
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello Christian,
You need to use the farp plugin, if you use the IP from your LAN subnet.
Otherwise the router on the LAN won't be able to resolve the IPs to MAC
addresses.
The farp plugin solves this issue by spoofing arp responses.
Regards
Noel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello Christian,
This guide[1] should clarify a couple of things and might help you get it
working.
[1]
http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
Regards
Noel Kuntze
Am 09.12.2013 12:50, schrieb Christian
?
StrongSwan doesn't to that for you.
Refer to [1] for the needed settings and a how-to.
[1]
http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
Regards
Noel Kuntze
On 09.12.2013 18:09, Sergio Samayoa wrote:R
Hi Noel.
Thanks but I already tried that way but same result.
I
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello,
What is the configuration of the other side and what is in the log of the other
side?
If configured properly, strongSwan 4.x and strongSwan 5.x are compatible to
each other.
Regards
Noel Kuntze
On 29.12.2013 22:43, s s wrote:
Hello
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Chris,
You only need an L2TP-server, if you configure your client for it.
StrongSwan doesn't come with an L2TP-server, so if you need one, install xl2tpd.
Regards
Noel Kuntze
On 01.01.2014 15:23, Chris wrote:
Dear All,
I'd like
side.
Taking the error message ping gives to you and interpreting it, might help,
too.
Regards
Noel Kuntze
On 05.01.2014 22:50, s s wrote:
Hello,
I made some homework and found out different elements, which may help to
troubleshoot.
This packet was a large packet and was sent as two UDP
network.
A command for that could be: iptables -I POSTROUTING -t nat -s 192.168.1.1/24
-d 10.10.10.0/24 -j MASQUERADE
There is more information about this on the strongSwan website:
http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
Regards
Noel Kuntze
On 19.02.2014
network.
A command for that could be: iptables -I POSTROUTING -t nat -s 192.168.1.1/24
-d 10.10.10.0/24 -j MASQUERADE
There is more information about this on the strongSwan website:
http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
Regards
Noel Kuntze
On 19.02.2014
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Jerry,
I didn't try to make them work yet, but judging from the data sheet for the VIA
client, it should be pretty straight forward and without any show stoppers.
Ask the mailing list, if you have any concrete problems.
Regards
Noel Kuntze
, netcat and pv:
On peer one: netcat -l localip localport | pv -pert /dev/null
On peer two: dd if=/dev/zero | netcat peerone remoteport
Or with iperf:
On peer one: iperf -s
On peer two: iperf -c peerone
Regards
Noel Kuntze
On 23.02.2014 17:44, Itzik S wrote:
Hi,
So far I've installed and checked
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Chinmaya,
It looks like the initiator client doesn not like your cipher proposal.
Regards
Noel Kuntze
On 27.02.2014 12:25, Chinmaya Dwibedy wrote:
Hi ,
I am using the modpnull Diffie-Hellman gr to avoid the DH calculation
overhead
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Otto,
Did you try to talk to the ASA on port 500 instead of port 4500 already?
Regards
Noel Kuntze
Am 04.03.2014 14:26, schrieb Otto Bretz:
Hello,
I’m having problems getting a tunnel going to a client with a cisco router.
This is my
(ikev2) or pluto (ikev1).
I don't know the command for pluto, but ipsec statusall since version 5.x
shows the cipher proposal of both the ike and esp state for charon.
You might want to look in the man page or the help for ipsec whack, as ipsec
whack pertains interaction with pluto.
Regards
Noel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Adrian,
Yes, that is possible by setting the parameter uniqueids to the desired value.
Look at the manpage for ipsec.conf to see what settings it has.
Regards
Noel Kuntze
Am 22.03.2014 21:01, schrieb Adrian Milanoski:
HI all
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Peer,
If course you can do that. Iptables on Linux and pfsense on BSD offer enough
functionality to do that.
Look at the policy module for iptables.
I don't know where to look for BSD, but it ought to have something similiar.
Regards
Noel
connections to a specific subnet with
those parameters.
Regards
Noel Kuntze
Am 25.03.2014 09:11, schrieb Dr.Peer-Joachim Koch:
Hello Noel,
yes, using iptables directly would be one way. Another would be
to include somehow into the ipsec configuration. To have all configuration
issues at one point
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Ben,
You should probably take a look at this:
http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
Regards,
Noel Kuntze
Am 02.04.2014 17:07, schrieb Hay, Ben (TS Consulting):
Hi Everyone
I am trying
in that
regard.
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F
63EC 6658
Am 15.04.2014 12:33, schrieb maria isabel:
Hello,
Just curious.. I recently read an article on how the heartbleed issue had
exposed that over 0.5 million certificates
and this: http://inai.de/images/nf-packet-flow.png
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 17.04.2014 07:20, schrieb Patrick Shyvers:
I’m trying to migrate from L2TP/IPsec to IPsec IKE. L2TP/IPsec is working
with strongswan, and I
/ssh(?)/other
protocols. The trusted MITM then just does something like wireshark does with
esp traffic.
Regards,
Noel Kuntze
[1] http://inai.de/images/nf-packet-flow.png
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 21.04.2014 18:41, schrieb Bob W
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
What I forgot to mention: You need to actively impersonate a peer, because the
keys are negotiated over DH with an identity proof (See RFC4 306).
That means you need the secrets of your side.
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7
it.
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 21.04.2014 21:20, schrieb Bob W:
Hi Noel,
Thanks for the response. I think getting the packets off the wire is
the easy part as well as running the decryption on the ESP
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello Zhang,
[1] graph shows the path packets follow in the netfilter part of the Linux
kernel, which also shows, why it doesn't work as expected.
[1] http://inai.de/images/nf-packet-flow.png
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello,
That is a known issue and is caused by certain Juniper firmwares returning
wrong SPI numbers.
To work around this issue, disable rekeying (rekey=no) and reauthenticate
instead.
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
Fingerprint: 23CA
to log level 1.
Regards,
Noel kuntze
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 23.04.2014 17:12, schrieb Tiago Vasconcelos:
I've enabled dpd by adding the following lines to the conn %default section
of ipsec.conf:
dpdaction=restart
will be compressed.
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 24.04.2014 16:40, schrieb Bob W:
Thanks everyone(David, Martin, Noel, JC) for the responses... looks like
I have some homework to do.
Bob
On 4/24/2014 3:33 AM
different SAs between peers.
See RFC2041 for more details.
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 25.04.2014 12:30, schrieb m.divya.mohan:
Hi,
Could you please help regarding this.
- Divya
On Wed, 23 Apr 2014 22:00
work quite well.
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 28.04.2014 15:03, schrieb Jerry Lundström:
On mån, 2014-04-28 at 13:20 +0200, Martin Willi wrote:
So how can I manually add routes for subnets to the tunnel?
You can't
be finde)
Decide on what secrets you want to use specifically (Should I use a PSK
'foo'or a PSK 'bar', or should I use certificates?)
To interact with strongSwan during runtime, use the ipsec tool.
And read the man pages, of course.
Regards,
Noel Kuntze
Am 01.05.2014 18:34, schrieb Brian Watson:
Hi
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
The Networkmanager plugin has a couple of restrictions and can only be used as
a client. If you want to connect two VMs together, at least one has to run
strongSwan all the time and be able to react to the other VM's packets.
You can't use
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Replied offlist.
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 02.05.2014 11:11, schrieb martin naskovski:
I'm at the end of my wits here on how to setup a VPN between my Fedora 20 box
and my workplace
11:20:34 +0200
Von: Noel Kuntze n...@familie-kuntze.de
An: martin naskovski mar...@naskovski.info
Hello Martin,
set ike=aes-sha1-modp1024!
and esp=aes-sha1!
Otherwise, charon only adds the ciphers to its proposal, instead of only
sending the configured one.
You can see here, that it doesn't work
box. Please install it, then
try again. As an alternative, you could also use openssl.
To use openssl instead of libgmp for cryptography, just replace gmp with
openssl in the load argument in strongswan.conf.
Regards,
Noel Kuntze
Am 06.05.2014 16:54, schrieb Brian Watson:
I also have done
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello Ted,
Did you try enabling logging [1] and what do you see there?
[1] http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F
probably have to upgrade to a newer version of strongSwan, that supports
libipsec, because it's one of the newer things.
Regards,
Noel Kuntze
Am 09.05.2014 19:31, schrieb Rolf Schöpfer:
Hi
Today I didn't succed to configure site2site VPN with strongSwan. Details:
- Server Debian 7.3 32-bit
available to do the
job or the daemon is not running.
Regards,
Noel Kuntze
Am 11.05.2014 07:27, schrieb Nanda Gopal:
Hi,
I have a IPSec setup, which has 8 IKEv1 or 8 IKEv2 Protect Policies
configured, tunnels established successfully with the Security gateway.
An application program reads
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello list,
I want to use a configurable option in strongswan.conf, for which I need to
parse the file.
I already searched for the correct library to do that, but could not find it.
I hope you can help me.
Regards,
Noel Kuntze
- --
GPG Key id
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello Martin,
Okay, so lib-settings-get_* returns a string then.
To implement the thing I want, I need to introduce a new parameter in
strongswan.conf.
That means, that I also need to touch the settings_t class and implement a
method to grab
the
by the packet structure that is used in transport mode.
Regards,
Noel Kuntze
Am 13.05.2014 20:09, schrieb Brad Johnson:
We use a transport type connection to send PPP traffic (so a ppp tunnel
inside the VPN). The problem we are having is the xfrm states that get
created have selectors restricting
a log/trace of the packets, when they hit *nat postrouting.
See [2] for the packet flow in the Linux kernel.
[1] http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/
[2] http://inai.de/images/nf-packet-flow.png
Regards,
Noel Kuntze
Am 13.05.2014 20:47, schrieb Brad Johnson:
Thanks
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Martin,
You can set up logging[1].to see more information.
[1 ]http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
Regards,
Noel Kuntze
Am 14.05.2014 19:12, schrieb Martin Shemon:
Hi all,
after testing
like this: 1us, 1ms, 1s, 1m, 1h, 1d.
As you can see, the suffix is sometimes than one character wide. Where would I
put such a function in the code?
Should I put it in invokecharon.c or should I extend the libstrongswan to
include the function, although I only need it in starter?
Regards,
Noel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Bhavesh,
You can do this. To facilitate efficient client-to-client access, you have to
work with virtual IPs and can get it working with just one connection.
Otherwise you need n connections on the central host.
Regards,
Noel Kuntze
Am
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
No, sorry. That was wrong. You can do it also with just one connection without
virtual IPs by simply ommiting right. It defaults to %any, allowing any host to
connect and use the connection.
Am 20.05.2014 23:22, schrieb Noel Kuntze:
Hello
, that a local host is pinged and not your
remote one.
Examine the kernel's ipsec policies (ip xfrm policy) to see, if there is an SA
installed, which is used when you ping.
Regards,
Noel Kuntze
Am 23.05.2014 16:27, schrieb Rolf Schöpfer:
Hi
After hours of reading and troubleshoot no solution so far
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Peter,
%any is the default value for left and you don't need to set it to that, if you
didn't set it in conn %default.
The error message is misleading.
What you're doing is perfectly fine.
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Bhargav,
There is no conn specific setting for that yet.
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 10.06.2014 18:18, schrieb bhargav p:
Hi,
Currently, I am using
same subject.[...]
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 10.06.2014 08:59, schrieb Mukesh Yadav:
Hi,
This is question more specifc to Openssl, but being generic scenario posting
this on stongswan if some one can provide
the organization part of the DN
of the certificate.
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 13.06.2014 18:48, schrieb bviper47:
Greetings,
I am attempting to set up an IKEv1 RSA endpoint to serve Android and
iOS native clients. However, I
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Matthias,
You can copy and modify the _updown script in /usr/lib/strongswan/ to suit your
needs, if the default one gives you problems.
You can then set the path to the script using leftupdown.
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
identical and sends
it all to A.
The response packet to B's initiation packet never reaches B.
This can be worked around by disabling VPN forwarding on the NAT router, so it
maps
different UDP connections from port 500 to different, distinguished high ports.
Regards,
Noel Kuntze
GPG Key id
to B's initiation packet never reaches B.
This can be worked around by disabling VPN forwarding on the NAT router, so it
maps
different UDP connections from port 500 to different, distinguished high ports.
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592
to no.
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 16.06.2014 11:22, schrieb Jakob Curdes:
Hello, we have a setup where we want to hide the real IP addresses of the
tunneled services from the peer side.
We have setup an ikev1 /32
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello Rainer
Yes, this is possible.
Look at those scenarios: [1] and [2].
[1] http://www.strongswan.org/uml/testresults/ikev2/host2host-cert/
[2] http://www.strongswan.org/uml/testresults/ikev2/host2host-transport/
Regards,
Noel Kuntze
GPG Key
-10.2.255.255 ) or a subnet ( 10.1.0.0/16 ) can be specified, and
multiple addresses, ranges and
subnets can be separated by commas. While one can freely combine these items,
to initiate the connection at least one non-range/subnet is required.
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello Rainer,
I think I heard that you can have opportunistic encryption using auto=start and
right=someSubnet/CIDR.
But I think that's not very resistant against an attacker, hence I didn't come
up with it right away.
Regards,
Noel
GPG Key id:
).
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 27.06.2014 20:56, schrieb Sajal Malhotra:
Hi,
Just wondering if i use DH group in esp cipher suite however keep pfs=no.
Then how does Strongswan charon behave?
We are facing an issue
-file
and importing it on the Android device by opening it with a file manager.
After you imported it, you can set it in the strongSwan VPN app,
or whatever app you're using (or the integrated client).
[1] http://wiki.strongswan.org/projects/strongswan/wiki/EapRadius
Regards,
Noel Kuntze
GPG Key
, it works just fine.
Did anyone have such a problem and how do I fix that?
I already tried incrementing the replay window to over 32, but strongSwan just
sets it to 0, if I try that.
(charon.replay_window)
Regards,
Noel Kuntze
- --
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello Arvindhar,
You need to set aggressive=yes in the conn. Also, please show us your
ipsec.conf.
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 03.07.2014 11:58, schrieb Arvindhar
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello Arvindhar,
As I wrote before, you need to set aggressive=yes in conn %default or conn rw
or make the Shrewsoft Client initiate in main mode, not aggressive mode.
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7
1 - 100 of 1212 matches
Mail list logo