Re: [strongSwan] StrongSwan 5.7.0 try to add route to IPv4 via IPv6 gateway

2018-10-03 Thread Tobias Brunner
> Why did it log such nonsense? Did it TRY to install it or simply report > failure without trying? :) No, it does install a route, just without the next hop. The code that logs the message is in a different plugin (kernel-pfkey) than the code that actually installs the route (kernel-pfroute), an

Re: [strongSwan] no acceptable proposal found even though it has matching proposal

2018-10-10 Thread Tobias Brunner
Hi Yogesh, > received > proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ > configured > proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, > ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1

Re: [strongSwan] DHCP plugin + freeradius - strange behavior when no proposals

2018-10-16 Thread Tobias Brunner
Hi Kamil, > and received dhcp-ack. > And ... again send dhcp-request, received dhcp-ack, and we end with > an infinite loop. Do you have the strongSwan log that goes with this? And what strongSwan and FreeRADIUS versions are you using? > Now I (temporarily) configure dhcp server not to send offer

Re: [strongSwan] Multiple connections same virtual pool without sharing FIXED

2018-10-16 Thread Tobias Brunner
Hi Marwan, > I am wondering if it is possible for multiple connections to have > the same pool without being shared? Not when configuring via ipsec.conf, you can probably do this via vici/swanctl or attr-sql. > E.g. client1 on conn1 and client2 on > conn2 are both assigned 10.10.0.1. What exact

Re: [strongSwan] Strongswan and Cisco ASA 5585x

2018-10-16 Thread Tobias Brunner
Hi Loyc, > Here is mine. Where am I wrong please? Well, what does the log say? >         leftsubnet=my.local.subnet What's "my.local.subnet" exactly? Is the other end configured appropriately? >         rightsubnet=the.remote.subnet And that as well. Is that related to the "VPN Access permi

Re: [strongSwan] Multiple connections same virtual pool without sharing FIXED

2018-10-16 Thread Tobias Brunner
Hi Marwan, > In my use case, client1 and client2 are specifying which virtual pool they > want assigned to their VPN connection. I was hoping that multiple clients > (connections) could select the same pool without any conflicts. What do you mean with that? If they select a different pool but

Re: [strongSwan] DHCP plugin + freeradius - strange behavior when no proposals

2018-10-16 Thread Tobias Brunner
> only something like (I have had no debug): > 2018-10-14T19:27:57.322435+02:00 alfa charon-systemd[6721]: sending DHCP > DISCOVER to 192.168.200.200 > 2018-10-14T19:27:57.322643+02:00 alfa charon-systemd[6721]: received DHCP > OFFER %any from 192.168.200.200 > 2018-10-14T19:27:57.324271+02:00 al

Re: [strongSwan] Multiple connections same virtual pool without sharing FIXED

2018-10-16 Thread Tobias Brunner
Hi Marwan, > 3. Client1 connects multiple devices to the VPN, each device has a > unique virtual IP address and can be accessed through Client1’s VPN How does it do that? Do you mean it allocates addresses from 10.0.0.0/24 to those clients? (Without the server being aware of that, which is not

Re: [strongSwan] Simple road warrior setup no longer routing after upgrade

2018-10-16 Thread Tobias Brunner
Hi James, > However when I attempt to ping, I see the ping on the ppp0 interface, > and the source isn't 172.16.0.1: > 2018-07-25 18:26:37.085194521  8.0.0.1 → 192.168.1.1 ICMP 100 Echo > (ping) request  id=0x0004, seq=1/256, ttl=64 That indicates you ran into a bug in the 4.15 kernel. See m

Re: [strongSwan] Multiple connections same virtual pool without sharing FIXED

2018-10-17 Thread Tobias Brunner
Hi Marwan, >> How does it do that?  Do you mean it allocates addresses from >> 10.0.0.0/24 to those clients?  (Without the server being aware of that, >> which is not a good idea.)  Or does it NAT traffic from these devices to >> the IP address it received from the VPN server? > > The idea is tha

Re: [strongSwan] Which version of openssl to use with strongswan

2018-10-23 Thread Tobias Brunner
Hi Peter, > I tried using the strongswan version of openssl from strongswan.org: > > https://git.strongswan.org/?p=android-ndk-openssl.git;a=summary > > but it seems this version of openssl is old and does not have some > functions used by strongswan 5.6.1: Yeah, that repository is not really m

Re: [strongSwan] Which version of openssl to use with strongswan

2018-10-24 Thread Tobias Brunner
Hi Peter, > Do we have porting guidelines for integrating strongswan with boringssl for > Android P? Nope. You shouldn't use the system's libraries from an app anyway. > I see there is an older version of boringssl > https://git.strongswan.org/?p=android-ndk-boringssl.git;a=log That's exactl

Re: [strongSwan] Which version of openssl to use with strongswan

2018-10-25 Thread Tobias Brunner
Hi Peter, > Would Google also reject an app compiled with this version of boringssl > when uploading to Play? It hasn't so far. > Building with Android's build tools (Android repo, and not just > NDK), the system's boringssl library is built and the object files for > 'libcrypto' go to the co

Re: [strongSwan] length of TRAFFIC_SELECTOR_SUBSTRUCTURE substructure list invalid

2018-10-29 Thread Tobias Brunner
Hi Yogesh, > No it is not strongswan on peer end. I am using third party VPN. Which probably means the peer sends an invalid TS payload. > So is the IKE_AUTH packet size is fixed to 204 bytes for PSK mode and > anything exceeding that can be Invalid length. There are no fixed sizes for any mess

Re: [strongSwan] no payload on android application

2018-10-30 Thread Tobias Brunner
Hi, Your rightsourceip setting is incorrect: > Virtual IP pools (size/online/offline): > 0.0.0.0/0: 2147483646/1/0 > ... > ikev2-vpn{4}: 0.0.0.0/0 === 0.0.0.1/32 You don't want to use 0.0.0.0/0 for that pool, but a private subnet (the tutorial sets it to 10.10.10.0/24). Regards, Tobias

Re: [strongSwan] no payload on android application

2018-10-31 Thread Tobias Brunner
Hi, > in my scenario I want all the Android clients to be able to access the > vpn from any source IP so I set it to all (0.0.0.0/0). > Is there any other way to make this scenario work ... Yes, read the documentation [1] and (hopefully) come to the realization that the rightsourceip setting doe

Re: [strongSwan] IKE update does not correctly change the SA traffic selector in GRE transport mode

2018-10-31 Thread Tobias Brunner
Hi Fred, > When the remote peer address changes, > strongswan correctly processes the XFRM_MSG_MAPPING message, and updates > the xfrm SA and SP in the Linux kernel, except the traffic selector. Yes, updating that selector was, in fact, missing in the responsible function. I pushed a potential f

Re: [strongSwan] IKE update does not correctly change the SA traffic selector in GRE transport mode

2018-10-31 Thread Tobias Brunner
Hi Fred, > Yes, it works. Great, thanks for testing. > Will it be included in an upcoming Strongswan release? Yes, will be included in the next release. Regards, Tobias

Re: [strongSwan] EAP-MSCHAPv2 via NetworkManager Strongswan plugin

2018-11-05 Thread Tobias Brunner
Hi Alexander, > How do I set > > leftauth=eap-mschapv2 > > via NetworkManager Strongswan plugin? Just select "EAP" in the GUI and make sure the eap-mschapv2 plugin is loaded by charon-nm (plus probably the eap-identity plugin). The actual EAP method is requested by the server (the client r

Re: [strongSwan] Non-standard IKE ports

2018-11-05 Thread Tobias Brunner
Hi, > so is there a way to make both of client and server use random ports Using random ports on the server does not really work because the client has to know the port. > (I > tried to set port_nat_t = 0 but the client doesn't understand it).  What do you mean "doesn't understand it"? See [1]

Re: [strongSwan] Looking for a way to debug resolve plugin

2018-11-05 Thread Tobias Brunner
Hi Pavel, > I use openresolv (https://roy.marples.name/projects/openresolv) as my > resolvconf implementation. Does that provide /sbin/resolvconf? > Is there any way to get more verbose output from resolve plugin? No, but errors returned from resolvconf are logged (which doesn't seem to be the c

Re: [strongSwan] Handling DPD outside of strongswan

2018-11-05 Thread Tobias Brunner
Hi Peter, Your description of DPDs and the role strongSwan plays in this is a bit confusing. I assume you are referring to the Android/libipsec implementation where strongSwan handles IKE as well as ESP (otherwise, ESP is handled by the kernel, not strongSwan). > Given that the normal traffic is

Re: [strongSwan] No matching CHILD_SA config found - but it's right there

2018-11-05 Thread Tobias Brunner
Hi Chris, > Oct 30 18:06:43 pfSense_2.4.4 charon: 06[NET] received packet: > from 198.51.100.49[500] to 203.0.113.121[500] (460 bytes) > Oct 30 18:06:43 pfSense_2.4.4 charon: 06[ENC] parsed QUICK_MODE > request 3072107701 [ HASH SA No KE ID ID ] > Oct 30 18:06:43 pfSense_2.4.4 charon: 06[CFG]

Re: [strongSwan] EAP-MSCHAPv2 via NetworkManager Strongswan plugin

2018-11-06 Thread Tobias Brunner
Hi Alexander, > (I follow strictly https://nordvpn.com/ru/tutorials/linux/ikev2ipsec/ but the > only place they differ I think is "leftauth=eap-mschapv2".) No, that's not it, the authentication works fine (albeit with EAP-MD5). The problem is this: > Nov 5 18:59:40 node-calculate2 charon-nm[16

Re: [strongSwan] question on ikev2 rekey

2018-11-12 Thread Tobias Brunner
Hi Kseniya, > So my question is: is it a default behavior for strongswan to list all > subnets in Traffic Selector fields even if their CHILD SAs are not > expired yet? Is it possible to change this behavior to include only > those subnets, which need rekeying, into proposals? You are not rekeyin

Re: [strongSwan] openssl 1.1.1: support for ed448

2018-11-12 Thread Tobias Brunner
Hi Marco, > openssl 1.1.1 added support for X448 and Ed448. > Is there a way to configure it with strongSwan? No, the openssl plugin currently doesn't have a wrapper for X/Ed25519 or X/Ed448. Regards, Tobias

Re: [strongSwan] question on ikev2 rekey

2018-11-12 Thread Tobias Brunner
> Honestly, I thought that for IKEv2 multiple traffic selectors > are possible anyway. Unfortunately, there are implementations that don't support it. > Also, I was confused about the subnets because with > ipsec statusall it shows different rekey time values for different > policies which includ

Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

2018-11-16 Thread Tobias Brunner
Hi Anthony, > !!!Selected user cert is CN=TDY Test SCA 4 > 2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] certificate > \"C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test > SCA 4\" key: 2048 bit RSA That's the server's certificate, selected to verify the a

Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

2018-11-19 Thread Tobias Brunner
Hi Anthony, > For this setup our credential directory looks like this: > /media/sde1/certs/Org1: > Org1.chain Org1.crt Org1.key Org1.sca1 Org1.ta > /media/sde1/certs/Org2: > Org2.chain Org2.crt Org2.key Org2.sca2 Org2.ta > > So we only load the "user cert" using VICI, were lett

Re: [strongSwan] Tunnel Randomly shutdown

2018-11-19 Thread Tobias Brunner
Hi Thomas, > Tunnel is established and for an unknown reason he delete the virtual ip and > re establish tunnel. Not for an unknown reason, the log tells you that the daemon sends a DPD and a bunch of retransmits and gives up after 5 of them and then reestablishes the SA (due to the DPD action y

Re: [strongSwan] Kernel routing table missing entry

2018-11-20 Thread Tobias Brunner
Hi, > I don't understand how this is possible. Is there another lower-level > routing table? Yes and no. There are additional routing tables, which you won't see with the old route command, use the `ip` command from the iproute2 package instead to see the routes installed by strongSwan in routing

Re: [strongSwan] Problem: "unable to install policy -the same policy for reqid XXXX exists "

2018-11-23 Thread Tobias Brunner
Hi Sven, > We are using strongSwan 5.6.2 on a Linux kernel 4.1.39. Try using a newer strongSwan version. > The installed policy (in this case) is the following: > > src 10.0.0.0/8 dst 192.168.3.67/32 > dir out priority 379519 ptype main > tmpl src 217.6.20.66 dst 84.160.101.118

Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

2018-11-28 Thread Tobias Brunner
Hi Anthony, As I suspected, you use the same identity for the two end-entity certificates that are signed by different intermediate CAs: > ipsec pki --print -i /etc/swanctl/x509/Org1.crt > subject: "CN=RA00017.auth, > ..." > issuer: "..., CN=TDY Test SCA 1" > ... > altNames: ra00...@teledyne.

Re: [strongSwan] Problem: "unable to install policy -the same policy for reqid XXXX exists "

2018-11-28 Thread Tobias Brunner
Hi Sven, > So the problem is known? Not really, but maybe something changed that avoids the issue, and I don't particularly fancy debugging old versions. > Which version should I use at least? Will 5.6.3 be enough or > should I use 5.7.1 instead? If you consider updating, use the latest. > The

Re: [strongSwan] connecting with IPv6

2018-11-28 Thread Tobias Brunner
Hi, > I think the reason why it doesn't work is the following error Correct. > According to the > bugtracker there is a feature missing in the linux kernel That is a possible reason, yes. But it's not in this case. The problem is this: > Thu, 2018-11-22 18:04 02[IKE] <2> faking NAT situation

Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

2018-11-29 Thread Tobias Brunner
Hi Anthony, > ? can VICI be configured to load a specific SCA cert per VPN (would this help) That doesn't make a difference. As mentioned, only the identity is relevant on the client. So unless you can get the server to send a TLS certificate request only for a specific intermediate CA you can'

Re: [strongSwan] Problem: "unable to install policy -the same policy for reqid XXXX exists "

2018-12-03 Thread Tobias Brunner
Hi Sven, > I will send you a link to download it. If anybody wants the log output too, to > analyse > it, I will send you the link. Thanks. I was actually pretty sure you worked together with Marcel Müller who opened #2840 last week (same problem, same version, German). See my analysis there at

Re: [strongSwan] fallback to local secrets when RADIUS server unavailable

2018-12-04 Thread Tobias Brunner
Hi Dmitry, > I would like to have a possibility to authenticate technical support > users with local secrets (i.e. rightauth=eap-mschapv2) in case of RADIUS > server unavailability. Is there a way to have 2 auth methods > simultaneously for right=%any anyhow? Or maybe some fallback mechanism? No,

Re: [strongSwan] Migration from OpenSWAN to StrongSWAN problem.

2018-12-04 Thread Tobias Brunner
Hi, > Dec  2 15:34:13 charon-custom: 11[ENC] generating IKE_SA_INIT request 0 > [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ] > ... > Dec  2 15:34:49 charon-custom: 10[ENC] parsed ID_PROT request 0 [ SA V V > V V V V V V ] strongSwan tries to initiate an IKEv2 connection, while the peer conc

Re: [strongSwan] Strongswan responds to scan attack

2018-12-05 Thread Tobias Brunner
Hi Naveen, > Is there a configuration to avoid strongswan from responding > to unsolicited request from scans, even when strongswan is not > configured with an endpoint configuration,  What kind of request is sent, what kind response? And what exactly makes a request unsolicited? Anyway, there

Re: [strongSwan] Strongswan responds to scan attack

2018-12-06 Thread Tobias Brunner
Hi Naveen, > The vulnerability is : ISAKMP endpoint allows short key lengths or > insecure encryption algorithms to be negotiated. This could allow remote > attackers to compromise the confidentiality and integrity of the data by > decrypting and modifying individual ESP and AH packets.  I don't

Re: [strongSwan] Galaxy S9 native IKEv2 client tears down connection

2018-12-06 Thread Tobias Brunner
Hi Giorgos, > I am trying to connect my galaxy s9+ via the native IKEv2 client to a > strong swan server of mine via IKEv2-PSK. That's not exactly what you are doing. From the server's perspective you are using a PSK only to authenticate the client (rightauth), the server is authenticated with a

Re: [strongSwan] Unit test failure on Ubuntu package build

2018-12-14 Thread Tobias Brunner
Hi Florian, > Unfortunately, after the 64 bit build two of the unit tests fail: The failing tests require ::1 to be available. So either change the network config on your build host, or disable the tests when building the package (look for dh_auto_test in debian/rules). Regards, Tobias

Re: [strongSwan] Slow script called by leftupdown causes clients to fail connection

2018-12-18 Thread Tobias Brunner
Hi, > I tried forking the slow functions in my script, but it appears that > strongswan waits for them to exit too :( To avoid that, it's important to remember to redirect STDOUT and STDERR. For instance, if you want to start a sub-script or program for which you don't want to wait from your up

Re: [strongSwan] INTERNAL_ADDRESS_FAILURE on StrongSwan Windows Server

2018-12-21 Thread Tobias Brunner
Hi, > This produces an error INTERNAL_ADDRESS_FAILURE (identities anonymized): > ... > Do you know what I need to correct to prevent this error? Did you load the address pool with swanctl --load-pools? (Using --load-all also works.) Check with --list-pools if the pool is loaded. Regards, Tobia

Re: [strongSwan] Issues with StrongSwan Android client and Azure MFA

2019-01-14 Thread Tobias Brunner
Hi Chris, > So it > almost seems like the StrongSwan client is blocking traffic while the > VPN connection is being built (after phase 1). It does. If there is an app or IP address that should bypass the VPN, configure it in the advanced VPN profile settings. Regards, Tobias

Re: [strongSwan] What causes: changing proposed traffic selectors for us?

2019-01-17 Thread Tobias Brunner
Hi Andreas, > ### who does this and why, or how to prevent? > > Jan 16 14:27:24 nx03 charon: 06[CFG] changing proposed traffic selectors > for us: > Jan 16 14:27:24 nx03 charon: 06[CFG]  0.0.0.0/0 Disable the unity plugin [1] completely, or just don't set charon.cisco_unity. Regards, Tobias [1

Re: [strongSwan] Sa not getting deleted

2019-01-17 Thread Tobias Brunner
Hi Naveen, > I see an issue where, when I unload a connection from the vici API, and > reload a connection, the old SAs are not getting deleted immediately, > but I see a soft expire of 3077 (sec). Why should it? Unless you have a start_action configured (which is reversed if a config is unloade

Re: [strongSwan] Interface can't be the loopback interface (lo). Sorry. - problem

2019-01-17 Thread Tobias Brunner
Hi, > I found this: https://wiki.strongswan.org/issues/294 > > Both ends of my tunnel are Fedora29, so version of Strongswan should be > that-bug-free, it's: Linux strongSwan U5.7.1/K4.19.10-300.fc29.x86_64 Why would you think that issue has anything to do with your problem? > But still when u

Re: [strongSwan] INTERNAL_ADDRESS_FAILURE on StrongSwan Windows Server

2019-01-17 Thread Tobias Brunner
Hi, This is probably the more serious issue: > 03[KNL] setting WFP SA SPI failed: 0x80320035 > 03[IKE] unable to install IPsec policies (SPD) in kernel See [1]. Regards, Tobias [1] https://wiki.strongswan.org/issues/2750

Re: [strongSwan] NetworkManager-strongswan-gnome IKEv2 configuration question.

2019-01-17 Thread Tobias Brunner
Hi Josh, > Question: why do I need to explicitly extract letsencrypt parent > > Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3 > > certificate from /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem > (found after # DST Root CA X3) and load into configuration dialog? strongSwan only e

Re: [strongSwan] Virtual IPs range - but clients get the same one - problem

2019-01-17 Thread Tobias Brunner
Hi, > And all, well, two, three clients I connect (at the same time) get the > same 10.3.1.220 IP, why? Do they all use the same client identity? Also, check the log for details. Regards, Tobias

Re: [strongSwan] Discrepancy in distinguished name for x.509 authentication

2019-01-17 Thread Tobias Brunner
Hi Yogesh, > so I tried configuring right id as strongswan is expecting, and tunnel was > established. You mean with E instead of emailAddress? No other changes? > So why is strongswan not using complete '*emailAddress*' field of > Subject distinguished name and only '*E*' instead ? emailAddr

Re: [strongSwan] having issue while establishing tunnel with public key authentication mode

2019-01-17 Thread Tobias Brunner
Hi Yogesh, > I have two ends of site to site VPN where both are configured with > strongswan and version IKEv1. Please use IKEv2 if you have strongSwan on both sides, no reason to use a deprecated protocol. > Is it normal behavior of strongswan, that we can establish only one > tunnel at a time

Re: [strongSwan] problem with identical local peers addresses of two clients

2019-01-17 Thread Tobias Brunner
Hi Stephan, > we’ve two windows 10 clients which got the identical IP-address from > their dsl router at home. Now they are fighting against each other in > catching the vpn tunnel. Is there a way to fix that beside reconfiguring > the home router? What type of authentication are you using? It s

Re: [strongSwan] Discrepancy in distinguished name for x.509 authentication

2019-01-18 Thread Tobias Brunner
Hi Yogesh, > To make it work I had to configure 'E' for emailAddress in rightid field > of ipsec.conf. Hm, that seems strange. > I know it is not a big issue and it is working for me with 'E', but > ideally it should work with exact Subject of x.509 certificate which has > 'emailAddress' as the

Re: [strongSwan] problem with identical local peers addresses of two clients

2019-01-18 Thread Tobias Brunner
Hi Stephan, > we are using radius authentication with user certificates. With EAP (EAP-TLS in your case) Windows insists on using the local IP address as IKE identity. Unfortunately, that identity won't change when RADIUS is used (even if the RADIUS server does an EAP-Identity exchange). Did y

Re: [strongSwan] Question of get_use_time to trigger dpd from libcharon

2019-01-18 Thread Tobias Brunner
Hi Venu, Sorry, I don't understand what you are asking. Please try to clarify what confuses you or doesn't meet your expectations. Regards, Tobias

Re: [strongSwan] Question of get_use_time to trigger dpd from libcharon

2019-01-18 Thread Tobias Brunner
Hi Venu, > The above get_usestats function gets called with packets, bytes as > NULL. There are lots of places where they are not NULL. But yes, for DPDs that's currently the case. > In that case is it intended that we first do update_usetime { > which sends policy query to kernel } , if t

Re: [strongSwan] no IDr configured, fall back on IP address

2019-01-18 Thread Tobias Brunner
Hi, > I've had my certs okay but now (I admit I've not used this tunnel in a > long time) this connection fails and it seems due to some cert issues. Not directly, but it could be related. > But am I right to blame some change in my strongswan package? What can > be the problem? Your config? Old

Re: [strongSwan] NetworkManager-strongswan-gnome IKEv2 configuration question.

2019-01-21 Thread Tobias Brunner
Hi Josh, > Is there any reason strongSwan can't utilize linux system default > certificates like curl, wget and possibly others do? Not beyond what I already explained. Regards, Tobias

Re: [strongSwan] peer config match

2019-01-21 Thread Tobias Brunner
Hi, > The log lines for the match show > candidate "site2site", match: 1/20/1048 (me/other/ike)   > candidate "rw", match: 1/1/1052 (me/other/ike)   > > Candidate "rw" has higher ike match (1052) resulting in "rw" being chosen. Yes, that's how it currently works. The IKE match (which also incl

Re: [strongSwan] Issues with StrongSwan Android client and Azure MFA

2019-01-24 Thread Tobias Brunner
Hi Chris, > Even if I > exclude the app from the VPN, it still has to follow the routing table, > correct? There aren't separate tables for the VPN and things excluded, > right? No, there are. That's exactly how this exclusion is implemented (policy routing, marks etc.). When an app is excluded

Re: [strongSwan] Issues with StrongSwan Android client and Azure MFA

2019-01-24 Thread Tobias Brunner
Hi Chris, >> So my question to you is why is the route being injected BEFORE the >> tunnel is fully authenticated? > > It isn't. However, that MFA you use isn't integrated into the IKE > authentication. So for the IKE client (and server) the IKE_SA is > established successfully. I guess if the

Re: [strongSwan] A couple of offerings for the community

2019-01-28 Thread Tobias Brunner
Hi Derek, > (1) An IKEv2 profile importer for Windows 10, modeled on the > strongSwan profile importer for Android: > https://github.com/dcamero2016/vpn-importer Nice idea. local.ca is wrong, though, it's the CA certificate to verify the remote's certificate, it hasn't necessarily anything to do

Re: [strongSwan] A couple of offerings for the community

2019-01-28 Thread Tobias Brunner
Hi Derek, > Originally I wanted to use p12 files with everything in them (CA cert, > client cert, client key), but this created messiness on the Windows > end. As mentioned in the previous mail, the CA certificate that issued the client and server certificates don't have to be the same (often the

Re: [strongSwan] ios (iphone) disconnects and doesn't reconnect

2019-01-30 Thread Tobias Brunner
Hi, > My iphone disconnects after a ikelifetyme but my windows and android > clients are working fine. > My configuration is at https://pastebin.com/NpeLJzjF Your rekey settings are quite low. Anyway, without more information (in particular logs that show what's happening with such a client) we

Re: [strongSwan] A couple of offerings for the community

2019-01-30 Thread Tobias Brunner
Hi Derek, >> Does Windows require the complete chain for the client >> certificate? > > If you deliberately delete the CA certificate of the client > certificate on Windows, then when you try to connect, you will get an > error message in red, "Invalid certificate type." This is an > "all-purpose

Re: [strongSwan] Strongswan 5.7.2 test suite with 6 tests failed

2019-01-30 Thread Tobias Brunner
Hi Peter, > Running the strongswan 5.7.2 testsuite, all tests passed except for the > following: >   412 tnccs-20-ev-pt-tls  failed >   419 tnccs-20-os failed >   420 tnccs-20-os-pts failed >   421 tnccs-20-pdp-eap    failed >   422 tnccs-20-pdp-pt-tls failed >   424 tnccs-20-pts-no-ec

Re: [strongSwan] Strongswan 5.7.2 test suite with 6 tests failed

2019-02-01 Thread Tobias Brunner
Hi Peter, > Is there a wiki or instruction for this? See [1]. > make-testing had: > [FAIL] Connecting image to NBD device /dev/nbd0 > > build-strongswan had: > Root image /home/user/builddirmaster/build/images/root.qcow2 not found No idea, never seen either message. Perhaps something with the

Re: [strongSwan] ipsec.secrets loading p12 file fail due to no CRED_CONTAINER during enumeration

2019-02-05 Thread Tobias Brunner
Hi Peter, > Any idea why there is no pkcs12 in the log message? https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Plugin-is-missing Regards, Tobias

Re: [strongSwan] enforcement of rightca2 for eap-tls connections

2019-02-06 Thread Tobias Brunner
Hi, > Is > rightca2 supposed to work with eap-tls and eap-identity connections? rightca2 is for a second authentication round. Which is not what happens with EAP-TLS (unless you actually use it in a second round after e.g. a regular pubkey authentication). So maybe try rightca instead. Regard

Re: [strongSwan] ipsec.secrets loading p12 file fail due to no CRED_CONTAINER during enumeration

2019-02-06 Thread Tobias Brunner
Hi Peter, > By adding the ! to force loading it, confirms failure to load this plugin. What failure? What's logged? If there are missing plugin features, you may have to load other plugins (you can increase the log level for lib to see more messages by the plugin loader). > 2) strongswan.conf

Re: [strongSwan] enforcement of rightca2 for eap-tls connections

2019-02-08 Thread Tobias Brunner
Hi, > Rightca does not work either. If I use rightca, the authentication seems > to fail always, even though the certificate hierarchy is correct.  > Rightca works when I don't use eap-tls. The constraint is correctly enforced. Do you use the eap-tls plugin or RADIUS? It only works with the forme

Re: [strongSwan] Host to host with certs - where to put own private key?

2019-02-13 Thread Tobias Brunner
Hi Kostya, > It was the conf syntax I was after :) > > I now see it in the docs for swanctl.conf under "secrets.private > section". You only have to configure private keys in such sections if they are password protected (and you can't or don't want to provide the password interactively) or if t

Re: [strongSwan] does Chinese ascii characters accepted in 'Subject' of certificates by strongswan

2019-02-13 Thread Tobias Brunner
Hi Yogesh, > Are Chinese ASCII characters allowed in subject of certificates used in > authentication while negotiating the ipsec tunnel in ikev2 ? I'd disagree that these are ASCII characters, but sure you can use UTF8String as type for the RDNs in the subject DN. > So can I configure this certi

Re: [strongSwan] Host to host with certs - where to put own private key?

2019-02-13 Thread Tobias Brunner
Hi Kostya, > Hmm, there is no strongswan-swanctl service on Debian (buster / testing)... There is if you install it [1]. > systemctl start strongswan That's the legacy service provided by strongswan-starter (i.e. it starts starter, which parses ipsec.conf etc.). > Does this look like a Debian

Re: [strongSwan] Host to host with certs - where to put own private key?

2019-02-13 Thread Tobias Brunner
Hi Kostya, > Now I'm wondering if it's possible to uninstall this legacy service (which > supports ipsec.conf format configuration files). > > apt-get remove strongswan-starter Sure, go ahead. > The following packages will be REMOVED: > strongswan strongswan-charon strongswan-starter > > Re

Re: [strongSwan] Error : remote host is behind NAT - received proposals inacceptable - generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

2019-02-13 Thread Tobias Brunner
Hi Moses, Configure an IKE proposal that's accepted by your peer (you disabled log message for cfg, so you didn't see the details of the proposal negotiation). Most likely the problem is that modp1024 is proposed, a DH group strongSwan doesn't include in its default IKE proposal anymore. So to u

Re: [strongSwan] Error : remote host is behind NAT - received proposals inacceptable - generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

2019-02-14 Thread Tobias Brunner
Hi Moses, > But now it gives the error that it didn't > connect as the remote host did not resolve . :( That doesn't sound like it's in any way related to your previous issue. And until you fix that (DNS, firewall or whatever else the problem is) the config updates or the log won't help as the c

Re: [strongSwan] Can NOT Ping private client IP from Strongswan VPN server

2019-02-25 Thread Tobias Brunner
Hi Moses, > Security Associations (1 up, 0 connecting): >    ikev2-vpn[21]: ESTABLISHED 41 minutes ago,  102.1*9.2**.***[ > 102.1*9.2**.***]... 185.135.*.** [remoteprivate] >    ikev2-vpn[21]: IKEv2 SPIs: 0338f500edc84652_i 1ae30618408f64a4_r*, > rekeying disabled >    ikev2-vpn[21]: IKE proposal:

Re: [strongSwan] Can charon pass through "vendor-specific" EAP payload to an external entity

2019-02-25 Thread Tobias Brunner
Hi Vijay, > I am specifically looking for help in understanding if StrongSwan has support > to handle “EAP Expanded Type” with a non-zero “Vendor-Id” as defined in IETF > rfc3748 Section 5.7. It does. > Are there any existing plugins that would serve the purpose? There are many plugins that i

Re: [strongSwan] Windows Client - Multiple Connections, Multiple Certs

2019-02-25 Thread Tobias Brunner
Hi Tom, > I do not see anywhere that I > can specify which certificate the client should use for a given connection. I think you can only do that with EAP-TLS (i.e. not with machine certificates) where you might actually get prompted for a certificate if there are multiple and the advanced VPN o

Re: [strongSwan] [EDIT] Traffic selection problems

2019-02-26 Thread Tobias Brunner
Hi Brian, > I am using `type=transport` You can't use transport mode to tunnel traffic from IPs other than the two hosts themselves (that's exactly what tunnel mode is for where the complete IP packet, including the original header, is encapsulated), unless, you use an additional tunneling protoc

Re: [strongSwan] Can charon pass through "vendor-specific" EAP payload to an external entity

2019-02-26 Thread Tobias Brunner
Hi Vijay, > PLUGIN_PROVIDE(EAP_SERVER, type, vendor); > -and- > PLUGIN_PROVIDE(PEER_VENDOR, type, vendor); > > Macros are everywhere :) No, the existing usages of e.g. EAP_SERVER are without vendor ID. The identifiers when using a vendor ID are the ones I gave before (EAP_SERVER_VENDOR and EAP_

Re: [strongSwan] Can NOT Ping private client IP from Strongswan VPN server

2019-02-26 Thread Tobias Brunner
Hi Moses, > One question, I would like to ask is, how come > the VPN server never gets assigned a private IP? Just assign one yourself if you think that's necessary. > What can I ping on the server from the client apart from the server's > public IP that can be used to ascertain the VPN connecti

Re: [strongSwan] Can NOT Ping private client IP from Strongswan VPN server

2019-02-27 Thread Tobias Brunner
Hi Moses, > Is the VPN tunnel complete without the private IP of the VPN > server? Sure, but it might depend on your use case. Regards, Tobias

Re: [strongSwan] [EDIT] Traffic selection problems

2019-02-28 Thread Tobias Brunner
Hi Brian, VTI devices won't change anything. You can't use transport mode with any IPs other than those of the endpoints (i.e. it doesn't work with virtual IPs or arbitrary subnets - you have to use tunnel mode for that). [1] might help to explain these modes to you. Regards, Tobias [1] http:/

Re: [strongSwan] How to terminate a connection using swanctl ike-id

2019-03-01 Thread Tobias Brunner
Hi Felipe, > How can I get the ID of a given IKE SA? swanctl --list-sas Regards, Tobias

Re: [strongSwan] ECDSA certificates / keys?

2019-03-14 Thread Tobias Brunner
Hi Kostya, > Does IPSec in general and strongSwan in particular support certificate > authentication with ECDSA keys? Sure. > -BEGIN EC PARAMETERS- > Bgg.== > -END EC PARAMETERS- > -BEGIN EC PRIVATE KEY- > MHcCA...yDpwQ== > -END EC PRIVATE KEY- Remove th

Re: [strongSwan] Multiple CA certs - why are all (not one) requested from a client?

2019-03-14 Thread Tobias Brunner
Hi Kostya, > It seems to me that at this point the server should already know which > connection "block" it's dealing with It doesn't. At that point (IKE_SA_INIT response) it only has IP addresses to select an initial partial config, that is, there is no peer config with identities and certs ye

Re: [strongSwan] VPN with sophos: remote deletes child SAs

2019-03-18 Thread Tobias Brunner
Hi Michael, > Any additional ideas? Read the log on the Sophos side. Regards, Tobias

Re: [strongSwan] help needed for split VPN

2019-03-19 Thread Tobias Brunner
Hi Marco, > But all traffic is then routed over my home network (which is > working but I only want to have the traffic for 192.168.178.0/24 routed > over VPN). You configured leftsubnet=0.0.0.0/0. If you only want to tunnel one subnet, configure that (or do it on the other peer when it requests

Re: [strongSwan] why multiple INSTALLED TUNNEL ???

2019-04-02 Thread Tobias Brunner
Hi Jens, > But after hours/days I have "hundreds" of these tunnels and they are > getting more and more until I restart the daemon (on the client). > > Why does this happen? > > What would be the correct dpdaction or closeaction (if this is the problem). If the connection is closed or the peer

Re: [strongSwan] VPN connection to Remote Fortigate Client

2019-04-02 Thread Tobias Brunner
Hi Moses, > Apr  1 20:57:58 klick-001 charon: 11[IKE] expected a virtual IP > request, sending FAILED_CP_REQUIRED I guess reading is hard. Or is that message (that you explicitly marked in your email) really that unclear? Regards, Tobias

Re: [strongSwan] Problem loading many private keys

2019-04-04 Thread Tobias Brunner
Hi Roberts, > Description: I want to set up 2000 IKEv2 cert based tunnels. And you need to use separate private keys for each tunnel to identify your peer/host? > Problem: After applying the configuration, I see that load of private > keys cannot finish as ipsec is restarting after 10s. That ti

Re: [strongSwan] Problem loading many private keys

2019-04-04 Thread Tobias Brunner
Hi Roberts, > Ah, ok, you're suggesting to use a single private key and use it for the > CSRs/Certificates? That's what our load-tester plugin does [1]. Regards, Tobias [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoadTests

Re: [strongSwan] EAP-MSCHAPV2/PEAP client connection from Network Manager

2019-04-16 Thread Tobias Brunner
Hi Chris, The NM plugin currently does not provide an option to configure the expected AAA server identity. So the IKE identity is reused and enforced. This will fail if the AAA server uses a different identity during EAP-PEAP/(T)TLS: > [IKE] authentication of 'CN=vpn.company.com' with RSA sign

Re: [strongSwan] EAP-MSCHAPV2/PEAP client connection from Network Manager

2019-04-18 Thread Tobias Brunner
Hi Chris, > So I guess the question is, what's the security risk here? I always knew > that with PEAP, there is PKI as an outer method. What am I missing > without that outer method encryption. Guess I need to read some more One aspect is whether the EAP-MSCHAPv2 authentication is terminated

Re: [strongSwan] Missing NAT keep alive packets when forceencaps is set

2019-04-23 Thread Tobias Brunner
Hi Lars, > Got a roadwarrior/client connection where NAT-T isn't auto detected. Why is that? > I tried to solve this by forcing UDP encapsulation using forceencaps=yes and > expected that NAT keep alive packets also were sent in order to keep the > connection alive. > But this doesn't seem to
