Hi David,
> The first was some simple compile errors which I think I fixed in the
> attached patch.
Thanks, applied to master.
> On startup I get the following messages:
>
> 00[DMN] Starting IKE charon daemon (strongSwan 5.0.1rc1, FreeBSD
> 9.0-RELEASE-p4, amd64)
> 00[KNL] unable to set UDP_EN
Hi Guru,
> My primary goal is to disable the replay protection. In
> strongswan.conf, if I set the "replay_window = 0" (or any value <=
> 32), I see the replay window to be stuck at 32 (when seen with setkey
> -D).
You couldn't configure the replay window to be below the default of 32
via strongs
Hi Zhiheng,
> I am also seeing this UDP_ENCAP error in 5.0.1rc1 on my Red Hat Enterprise
> Linux 5.6 machine.
> I did not see it in the 5.0.0 release, so looks like this error is new
in 5.0.1 and is happening not only on the FreeBSD:
> Sep 27 11:44:53 sit-iwf charon: 00[DMN] Starting IKE charon
Hi Gowri,
> Here, this payload is of 9 bytes as payload length also mentions
> correctly. But, my doubt is on notification data which is 2D.
> It is always 2D even if I set notification data on sending node (say 01).
This value has nothing to do with the notification data, but with the
payload ty
Hi Mirko,
> * Charon on OpenWrt was unable to perform the MOBIKE address update;
> eventually the IKE SA was destroyed and reestablished.
This issue has already been reported [1]. In your case the ongoing
(but, due to unusable addresses, unsuccessful) DPD exchange blocks the
MOBIKE task. Once
Hi,
> Oct 1 14:42:26 localhost charon: 13[ENC] parsed IKE_AUTH request 1 [
> IDi CERT CERTREQ AUTH SA TSi TSr ]
> ...
> Oct 1 14:42:26 localhost charon: 13[CFG] looking for peer configs
> matching 35.0.0.2[%any]...35.0.0.1[]
Your client seems to have sent an empty IDi payload (seen as [] above),
Hi Anoop,
> I would like to know, is it done purposefully, or am I doing something
> wrong with the configuration?
Yes, this is done on purpose. If a NAT is detected, strongSwan as
client will not propose transport mode, but switch to tunnel mode
instead. Likewise, strongSwan as gateway, will
Hi Gerald,
> Do I understand right:
>
> 1 the certificate is selected using the first certificate that has a matching
> subject compared to leftid
> 2 the fingerprint of the associated public key is computed
> 3 from any private key, you compute the public key and compute the
> fingerprint of
Hi,
> I initially imagined the participant ID was the combined "C", "O" and
> "CN" fields on the client certificate. However, that doesn't seem to
> be the case. So I'm gathering participant ID is then defined as "ios"
> in this case? i.e. what I referred to as the "traffic selector" above?
No,
Hi,
>>> Is there a configuration setting I can do to "clobber" (kick off) any
>>> existing sessions from the same client certificate (based on CN). I
>>> thought that might be "uniqueids" but based on the above it seems not.
>>
>> Yes, uniqueids is the right option but you will have to use differ
Hi,
>>> I'm wondering if IOS devices will allow rsasig over xauthrsasig.
>>
>> As far as I know, they don't.
>
> That being the case ... if I wanted to still use xauthrsasig would it
> be feasible for me to patch strongswan (5.0.1) to use the "DN" of the
> client cert as the uniqueness check with
Hi,
> We are trying to add routes on *tun0* interface using addRoute() API of
> CharonVpnService Builder Adapter (Using Java code).
> ...
> When we call addRoute API before establishing the tunnel the routes are
> getting added. But After establishing the tunnel the routes are not
> getting added.
Hi Hamid,
> Oct 27 09:25:06 4 charon: 16[ENC] generating INFORMATIONAL_V1 request
> 2434938569 [ N(INVAL_KE) ]
There are several possible reasons why charon would respond with an
INVALID_KEY_INFORMATION notify, but for most the actual reason is
logged. There seems to be one scenario where this i
Hi,
> Is there any way to dump session keys used for encryption and
> authentication for IKEv2 messages in Debug
> logs?
>
> I tried charondebug=all, but I was not able to find the session keys
> in debug logs.
Please have a look at [1] (there is no such thing as charondebug=all).
The key
Hi Mark,
> Can you please look into implementing the new always on VPN feature
> of Android 4.2 for the strongSwan Android client?
There is not much documentation (yet) about this feature and the SDK for
4.2 is also not available yet. But what I got from news sources is that
this is a system set
Hi,
> "strongswan(client) - Netgear(server)"
I suppose you meant "strongswan(server) - Netgear(client)" because...
> But according to RFC 4306, IDr payload is optional
(Please use RFC 5996 for future reference) ...the IDr payload *is*
optional, but only in the IKE_AUTH *request*. See page 11
> It's sending a valid IDi payload with
> proper identification data and I attached IKEv2 packet dumps (strongswan
> -Netgear) for your reference.
The IKE_AUTH message is encrypted, please provide the encryption and
authentication keys.
Regards,
Tobias
Hi,
Thanks for the keys.
> It's sending a valid IDi payload with
> proper identification data.
It isn't. The encoding of the IDi payload looks like this:
25 00 00 22 09 00 00 00 43 3d 43 48 2c 20 4f 3d %.."C=CH, O=
0010 73 74 72 6f 6e 67 73 77 61 6e 2c 20 43 4e 3d 69 strongswan
Hi Stanislav,
> Is it an undocumented feature or maybe it will be removed after
> sometime?
Whack has been removed entirely with strongSwan 5.0.x.
Regards,
Tobias
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/
Hi,
> Is there a list of known devices available on which this solution does
> not work?
Unfortunately, there isn't. But since we released the app we had only
one error report due to this (from a Sony Ericsson Xperia Pro MK16i).
Regards,
Tobias
Hi Jordan,
> I appreciate if any one could explain to me whether IKE_SA connection
> instance # is unique within the entire IKE_SA list?
Yes, the number displayed in [] behind the connection name uniquely
identifies an IKE_SA within the entire IKE_SA list.
> Is the instance ID unique with in the
Hi Gerald,
> I get an endless recursion in function get_route. It seems that the
> eth interface is already down, but the default gateway is still there
> (at least route->gtw contains the ip addr of the default gateway, how
> it was before the eth was disconnected).
>
> Any idea how to fix this?
Hi Dmitry,
> I can't find the strongswan logo in SVG, only PNG. Can anybody advise me where
> I can get the logo with good resolution?
The logo is no vector graphic and thus not available in SVG format. A
larger PNG graphic can be downloaded at [1].
May I ask why you need the logo in higher resolution?
Hi Mark,
> Can you please look into implementing the new always on VPN feature
> of Android 4.2 for the strongSwan Android client?
The 4.2 SDK is out and it turns out that the "always-on VPN" feature is
exclusive to the native Android VPN solution. It can be enabled via an
option in the native V
Hi Dmitry,
> Just want to print strongSwan logo on mug :)
http://www.strongswan.org/store.html ;-)
Regards,
Tobias
Hi Dragomir,
> But when I do:
> user@vpn-server:/etc/ppp# ipsec down "L2TP"[2]
> 021 no connection named "L2TP[2]"
The old IKEv1 daemon pluto does not support this syntax. That is, you
can't tear down individual instances of a config. If you want that you
have to upgrade to 5.0.x (or use a sepa
Hi André,
> I cannot establish a VPN. I tested it with a Galaxy S3 and get a
> timeout on the client.
Did it work with earlier strongSwan versions?
> Jan 21 11:38:29 rossini charon: 15[ENC] parsed TRANSACTION request 2246836868
> [ HASH CP ]
> Jan 21 11:38:29 rossini charon: 15[IKE] peer re
Hi,
> After that I have followed the instructions given
> at: http://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClient
> for building the .so files for my native code.
Make sure there are no errors when executing the commands given on that
page. Especially, those in the section "The
Hi
> I suspect the configuration is wrong on the server, but I have not
> found what prevents the client from installing a policy for traffic
> through the tunnel.
Correct, parts of your configuration seem to originate from an
IKEv1/IPsec/L2TP connection because due to
> leftprotoport=17/1701
Hi Bhargav,
> Because of a new child_sa getting established, setkey -DP still
> shows the related policies. Why is this happening?
Which version are you using? In releases before 4.5.3 the close action,
which is triggered by a peer closing the CHILD_SA, was the same as the
DPD action. So d
Hi Jordan,
> When I make changes to the traffic selector of an IPsec connection that
> uses "auto=route", "ipsec update" fails to update IPsec policies in the
> kernel. The only way I can get around this is issue is by using "ipsec
> unroute", followed by "ipsec update".
>
> I am using strongswa
Hi Jordan,
> But when I set "compress = yes", ipsec SA get
> established but I can't pass traffic through the tunnel. I think I have
> enabled the required kernel modules.
That's unlikely as the following error in your log clearly indicates you
are missing a required kernel module:
> 2013-02-12
Hi Bhargav,
Please keep the discussion on the mailing list.
> I am using quite older version.
> strongSwan 4.3.6
>
> One more doubt:
> Can you tell what exactly this dpdaction=restart does. Is there any
> dependency for auto=route and dpdaction=restart.
dpdaction=restart reestablishes a CHILD_S
Hi,
> The Android client authenticates itself with the certificate subject
> when using certificate authentication, which is a full Distinguished
> Name.
>
> @Tobias, there is currently no way to change that, right?
No, the app currently does not provide an option to change the identity.
Regards
Hi,
> I'm using a CentOS 6.3 with a just installed strongswan-4.6.4-1.el6.i686 via
> the epel repo. When I type the command ipsec, I get an:
> -bash: ipsec: command not found
> Did I miss something? Are there more packages I have to install?
I think this package renamed the ipsec script to s
Hi Keith,
> Is it possible with strongswan to setup a generic conn entry for
> transport mode to any host in a particular subnet for IPv6?
Currently not. Last year I did some experiments on this in a separate
branch of our Git repository [1]. right=%any combined with auto=route
does work with t
Hi Adrian,
> For the use in the DH key exchange, an additional standard would be
> required, which as far as I know is not finalized yet, see [1].
Even more problematic is their use with ECDSA, see [1] for some background.
Regards,
Tobias
[1] http://tools.ietf.org/html/draft-kivinen-ipsecme-sig
Hi Bharath,
> I was wondering if the Strongswan VPNClient on GooglePlay supports
> XAUTH.
No. XAuth is a concept of IKEv1. strongSwan VPN Client currently
supports the superior IKEv2 protocol only (this has several advantages,
for instance, MOBIKE allows a mobile device to move between WiFi and
Hi,
> When we were using the earlier strongswan releases, there was an option
> of *interfaces_use* in strongswan.conf to set the device interface to
> be used for creating the
> tunnel. Now, in this case with the Strongswan VPN Client code (fetched
> from src/frontends/android) since we are not
Hi Bharath,
> Also, currently the gateway information and the authentication method is
> to be manually entered (along with username/password). To ease
> deployment to multiple machines, is it possible to have the app "import
> a profile" with the appropriate config settings. The user will still
>
Hi Michael,
Your conn section is not loaded by the daemon.
The reason is the comment here (also applies to the second comment in
your config):
> conn ios
> keyexchange=ikev1
> #authby=xauthrsasig
> ...
Comments in ipsec.conf have to be indented the same way as the options.
That
Hi Timm,
> I'm kind of confused as I can't find a passage in the RFCs stating the
> maximum allowed number of five here. Anyone with similar experiences?
The limit is basically arbitrary, the patch at [1] doubles it.
Regards,
Tobias
[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=66
Hi,
> conn rw-cert
> left=172.16.254.200
> leftsubnet=0.0.0.0/0
> leftcert=pi-peer.der
> leftid=my-fqdn.example.com
> rightsourceip=172.16.254.0/24
> right=%any
> rightsendcert=always
> auto=add
>
> conn rw-eap
> left=172.16.254.200
> le
Hi Alok,
> I'm facing this issue on Both Locations, do I need to add specific route
> on both the location on each computer, please suggest what changes it
> requires?
The documentation at [1] might be of some help.
Regards,
Tobias
[1]
http://wiki.strongswan.org/projects/strongswan/wiki/Forward
Hi Mariano,
> Here are the important lines from the Client log file:
> ---
> *Mar 26 00:56:01 13[LIB] builder: failed to build TUN device**
> **Mar 26 00:56:01 13[DMN] failed to setup TUN device**
> *---
>
> Could this be caused by a missing kernel module, something like
> "tun.ko"? Maybe my ROM
Hi Scot,
> Apr 2 15:18:16 00[LIB] feature PUBKEY:ECDSA in 'pem' plugin has unsatisfied
> dependency: PUBKEY:ECDSA
It seems the openssl plugin was not built with ECDSA support. Which is
strange if you used ipsec pki on the same host to create the ECDSA keys
and certificates. The openssl plugin
Hi Jon,
> charondebug="ike 1, knl 1, cfg 0"
Why did you set the log level for cfg to 0? That's where you'd see why
this error occurs.
Regards,
Tobias
Hi Giuseppe,
> ipsec pool --replace net1_pool --addresses /etc/ipsec.pools
> preparing MySQL statement failed: Commands out of sync; you can't run
> this command now
> deleting pool failed.
I think the problem is that there are two commands executed overlapping
on the same connection (prepared st
Hi Jeff,
> Despite the periodic pinging, the VPN did not come up. Manually
> intervention bringing up the VPN with "swanctl --initiate" immediately
> brought the VPN up. However, I need the VPN to come up automatically.
Do you ping with `-I 10.16.0.1`? If not, the route that the daemon is
attem
Hi Joshua,
> I got some problems about the configuration of strongswan, no matter
> how I configured the IKEv2 connection just couldn't establish.
This doesn't look like a configuration issue but a network problem. The
client does not seem to receive the IKE_SA_INIT response sent by the
serv
Hi Martin,
> Client connects successfully and I can see tcpdumped traffic coming from VPN
> client to the destination hosts (on the backend router). Trouble is the
> returning traffic.
> Traffic reaches the strongswan machine and from there it is not directed back to
> VPN client.
Please refer to [
Hi Flavius,
As IKEv1 responder the trigger to use UDP encapsulation is the
encapsulation mode sent in the proposals received from the client during
Quick Mode. If it proposes tunnel mode without encapsulation then the
server won't use UDP encapsulation (there is currently no check if a NAT
was fo
Hi Gordon,
> Connections from Windows 10 and Android are fine. My understanding of
> all things VPN is very basic.
That's because they use IKEv2, which is what you configured in strongSwan.
> Getting the backup CentOS 6 libreswan connected has stumped me, I'm
> unable to get past "no IKE config
Hi Flavius,
> I changed the log level enc to 3 and attached the strongswanlog. I also
> attached a tcpdump from isakmpd which gives detailed information
> about the proposals. (Isakmpd makes packet captures for debugging purposes).
Thanks. The encap mode attribute (type 4) in the first and only
Hi,
The problem are the dots in the section names of your EAP secrets. For
instance:
eap-us...@mydomain.com {
id = us...@mydomain.com
secret=secret1
}
When enumerating the id... keys in these sections the current section
name was written to a string buffer instead of using the param
Hi,
Combining reauthentication with closeaction=restart is a bad idea. Note
that reauth=no does not disable reauthentication if the other peer has
reauth=yes configured, see [1].
Regards,
Tobias
[1]
https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#IKEv2-Responder-Behavior
> IIRC there also was some patch set from somebody that implemented exactly
> what you ask.
> I can't find it right now, though.
https://github.com/strongswan/strongswan/pull/64
Regards,
Tobias
Hi Alex,
> What do i have to do to make the plugin use my new value ?
No idea. Just make sure the executables you built are actually the ones
that are installed and get executed. Alternatively, you may also
configure the directory via charon-nm.ca_dir in strongswan.conf.
Regards,
Tobias
Hi Alex,
> # Where is this coming from ? The cert on vpn.york.ac.uk
> lives on a host called vpn10.york.ac.uk
> and has multiple SubjAlt Name entries for all
> the real vpn servers we might want to use the cert on.
> # Think this is "wrong " message,
> Dec 1 10:40:13 deadpool charon-nm: 06[TLS]
Hi Alex,
> so you're saying that my radius server also needs to have vpn.york.ac.uk
> as a SubjAltName in it as well ?
Yes, that's one option. Not using the NM plugin is another. With the
config files you can set the AAA identity to vpn.york.ac.uk so it
matches the certificate (or %any so any i
Hi Alex
> So if my client is connecting to vpn.york.ac.uk,
> the cert that needs installing is vpn.york.ac.uk
> . swhere /etc/ipsed.d/aacerts /etc/ipsed.d/certs ?
This refers to configuring the certificate in the GUI (in which case
only that certificate is loaded the certificates in the CA di
Using auto=start on both ends in combination with uniqueids=yes and
closeaction=restart is a bad idea. If a duplicate SA is created and
that's detected and the duplicate is then closed this deletion will
again trigger another SA, causing another duplicate and so on.
Regards,
Tobias
Hi Rich,
> The problem:
>
> When Racoon is the initiator and the connections go through NAT, phase 2
> negotiation fails with the following error on the Racoon side:
>
> ERROR: mismatched IDcr was returned.
With Transport Mode in NAT situations strongSwan will replace the
received traf
Hi Rich,
> I’m not clear on next steps, though — are you saying that this is expected
> behaviour that can’t be worked around, or that the fix needs to be on the
> racoon side?
I think this is actually due to a bug in your strongSwan release. Back
then we sent back the wrong IP address in one
Hi Rajeev,
> Using DAVICI, I did make sure local.id is "C=US,
> O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E7:80"
The comma between "Group" and "Inc." in the O RDN lets the identity
string parser fail and this string will not be treated as ASN.1 DN but
as opaque key ID
Hi Jafar,
> 2- "pki --verify --in certfile " change it to use the "default" trust
> store if no additional arguments are supplied
There is no "default" trust store. It very much depends on the
configuration backend used by the daemon from where certificates are
loaded automatically (if at all
Hi Jafar,
> I did write a script that does that but I thought it is very inefficient
> since you have to sweep through CAs/CRLs with pki --print to figure out
> the correct chain in order to use them with pki --verify.
You can just pass it all the CA certs/CRLs you (or rather the daemon)
trust.
Hi Jafar,
> If I omit the crl option completely no crl check takes place as expected:
Yes, that would require adding the --online option. The --crl option
automatically does that.
> The crl command line options forces a crl check but the locally provided
> crl is completely ignored even though
Hi Marco,
> VPN Client -> Gateway -> internal network with some servers
> The VPN gets an IP from DHCP Server (i.e 192.168.1.100)
> Gateway has IP 192.168.1.10, can ping the VPN client 192.168.1.100
> Pinging the VPN client from a server in the network (e.g. 192.168.1.20) does
> not work.
>
> Wh
Hi Mike,
> Is it possible to use a sql ip pool from the ipsec.conf?
Sure, just configure %nameofthepool in rightsourceip (see [1]).
> If yes, are there examples or HowTo’s to set up a SQL-IP-Pool other than
> the test scenarios?
What are you missing in those examples?
Regards,
Tobias
[1]
http
Hi Karthik,
> CHILD_SA vpn{2} established with SPIs c13091e4_i c869298c_o and TS
> 10.244.15.1/32 === 0.0.0.0/32
This remote traffic selector (0.0.0.0/32) doesn't look right. This
should probably be 0.0.0.0/0. Since your client config looks OK, check
how the server is configured.
Regards,
Tob
Hi,
> 1). public node can create IPsec connection with 2 or more private nodes
> behind NAT?
Sure.
> 2). IPv6 behind NAT?
> https://lists.libreswan.org/pipermail/swan/2018/002489.html shows
> that libreswan does NOT support it because "Linux does not yet have
> support for IPv6-ESP-in-UD
Hi Marco,
> FARP is configured on both client and gateway, and I can reach
> all the internal network from the vpn client (ubuntu linux).
> ...
> Still pinging the vpn client from the internal network does not work.
You mean you are able to e.g. ping hosts in the remote network from the
client (i
Hi Chris,
> Is that option maybe obsolete with IKEv2? Afterall, pfsgroup is listed under
> "Removed parameters (since 5.0.0)":
DH groups for IPsec SAs are configured differently for IKEv2 and since
5.0.0 also for IKEv1. They are added to ESP/AH proposals (esp/ah
setting in ipsec.conf). If you
Hi Dirk,
> Is it possible to add a second connection definition that is identical
> but has
> conn win2018eapmschap
> leftcert=serverCert2018.pem
> leftid="C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER2018"
>
> so that eap clients can connect to the server when they are equipped
> with ei
Hi Dirk,
> left= in ipsec.conf only accepts one argument (ip,fqdn) while
> connections..local_addrs in swanctl.conf allows multiple that is
> a good reason to start with VICI :)
This is the same for left and right. But migrating to swanctl.conf is
still a good idea.
Regards,
Tobias
Hi Harri,
> I had hoped that putting the whole chain into /etc/ipsec.d/certs/mycert.pem
> would help, but apparently it doesn't.
strongSwan reads only the first certificate from PEM encoded files. So
put them in separate files.
Regards,
Tobias
Hi Harri,
>>> I had hoped that putting the whole chain into /etc/ipsec.d/certs/mycert.pem
>>> would help, but apparently it doesn't.
>>
>> strongSwan reads only the first certificate from PEM encoded files. So
>> put them in separate files.
>>
>
> This is unusual, is it?
What is?
> If I do, wi
Hi,
> I am facing a problem of load-tester that "%d" of initiator_id did not
> start from 1, but from 2.
Yes, that's the case since 5.2.0 (since [1] to be exact). I pushed a
fix to the load-tester-id branch. Is that really a problem, though?
Regards,
Tobias
[1] https://git.strongswan.org/?p=st
Hi Trevor,
> Is PLUTO_XAUTH_ID (as passed to a user-defined updown script) 100%
> trustworthy in an ikev2 / eap-tls / user certs connection scenario?
> What I mean by that, is can it be selected, set, or spoofed by the
> client?
Yes, it's trustworthy. While the client can send an arbitrary value
Hi Harald,
> I had hoped that putting the whole chain into
> /etc/ipsec.d/certs/mycert.pem
> would help, but apparently it doesn't.
strongSwan reads only the first certificate from PEM encoded files. So
put them in separate files.
>>>
>>> This is unusual, is it?
>
Hi,
> If the case you mentioned has been fixed in 5.2.1,
I never said that. What I said is that the behavior changed with 5.2.0.
But it has never been fixed, the fix can only be found in the
load-tester-id branch, which I pushed yesterday, so no released version
contains it.
> What I concern a
Hi Trevor,
>>> So I then tried user certs to select on EAP identity in the user
>>> cert. Set that up then finally found a couple of emails/sites that
>>> said strongswan can't switch conns based on identity.
>>
>> That's not entirely true. If you delegate the authentication to a
>> RADIUS ser
Hi Mike,
> gateway ipsec.conf:
>
> ca %default
> certuribase=http://hashandurl.my-server.de/
> auto=add
If that's the only ca section in your config this won't work. The
%default section is never loaded itself it only provides defaults for
other sections of the same type. Also, defining a
Hi Mike,
> What certificate is referenced by the cacert entry, the "leftcert ca" or the
> "leftcert root ca" ?
> Have all certificates in the certificate chain to be accessible from the
> certuribase?
Similar to CRL URIs, the configured base URI is only used for
certificates that are immediate
Hi Mike,
> Is the ca section of the ipsec.conf used only for ca-certificates or also for
> the leftcert itself?
> If so, what is the element cacert referring to?
man ipsec.conf or [1]?
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/CaSection
Hi Naveen,
> 1) The second connection with the below configuration fails.
The log message tells you why. The policies of the two connections
conflict. While you don't get that error message with newer strongSwan
releases (>= 5.3.0) it would not work properly as you'd still have two
connections
Hi Harald,
> Even if Strongswan ignores the additional certs, is it possible that
> some crypto implementation *used* by Strongswan does not, but reads
> all certificates found in the cert files (in /etc/ipsec.d)?
Only the pem plugin reads PEM encoded files, and it only parses one
credential per
Hi Harald,
> Question is, how can I tell charon's dhcp plugin to forward either
> the FQDN or the CN from the DN entry in the dhcp request?
You can't, the plugin simply uses the client's (IKE or EAP) identity, so
it's up to the client to use the identity you want to see on the server.
Regards,
T
Hi Harald,
>>> Question is, how can I tell charon's dhcp plugin to forward either
>>> the FQDN or the CN from the DN entry in the dhcp request?
>>
>> You can't, the plugin simply uses the client's (IKE or EAP) identity, so
>> it's up to the client to use the identity you want to see on the server.
Hi Mike,
> If you need more installation or configuration details please let me know.
The (complete) server config might help.
Regards,
Tobias
Hi Mike,
> I hope you mean the ipsec.conf only:
>
> Ipsec.conf:
> config setup
> charondebug="cfg 2, dmn 1, ike 1, net 1, job 0"
>
> conn %default
> keyexchange=ikev2
> ike=aes256-sha256-modp2048,aes256-sha1-modp2048!
> esp=aes256-sha256-modp2048,aes256-sha1-modp2
Hi Mike,
> We use in the ipsec.conf the configuration:
> ike=aes256-sha256-modp2048,aes256-sha1-modp2048!
> esp=aes256-sha256-modp2048,aes256-sha1-modp2048!
>
> How big is the size of the private exponent at least, or could a size of
> 256 bit guaranteed?
Depends on the dh_expone
Hi Mike,
> Did you find something that could help us?
You gave the answer basically yourself by considering the very old
strongSwan version (which you claimed to be 5.5.3 on both ends in your
original mail btw.). If you didn't stop there but e.g. checked the
changelog [1] to see since when IKEv2
Hi Alex,
> I am in the need to verify that a Strongswan Responder is initiating a
> IKE SA reauthentication in case the Initiator doesn't.
The responder might not be able to initiate a reauthentication (depends
on the config, e.g. whether EAP or virtual IPs are used).
> Therefore, would you see
Hi Mike,
> But after disconnecting, waiting 15 seconds and connecting again in the
> reversed order, each roadwarrior get the ip as it got in the first
> connection order.
Offline leases for the same identity are reused (you see "acquired
existing lease for address ... in pool '...'" in the log).
Hi,
> I am not able to establish a connection with the Android app yet and so
> have no proposed ciphers in my log.
Did you check the server log?
> I infer that which ciphers are supported by the app depend on the
> Android kernel, at least for encryption.
No, IPsec is handled completely in use
Hi,
> I've made its cert with --san quantum-equities.com,cygnus.darkmatter.org,
> because the LAN gateway is known outside as quantum-equities.com and the
> IPSec gateway is known in the LAN as cygnus.darkmatter.org.
That syntax is not valid. Just use --san multiple times for each SAN
(as the
Hi,
> I'm looking to VPN every machine in a LAN. I infer that this would be
> something like a host-to-host config.
Did you have a look at the trap-any scenario?
Regards,
Tobias
[1] https://www.strongswan.org/testing/testresults/ikev2/trap-any/
Hi Andrii,
> I see the problem on IKE side, but don’t know how to debug and fix it.
The log tells you _exactly_ what the problem is:
> 12[ENC] parsed INFORMATIONAL_V1 request 2090615229 [ HASH N(NO_PROP) ]
> 12[IKE] received NO_PROPOSAL_CHOSEN error notify
The peer doesn't like the crypto propo