Re: [strongSwan] Typo in documentation?

2016-11-02 Thread Tobias Brunner
> Is %any[6] just a typo (maybe copied from a different document that had > footnotes?) or is this something to do with IPv6? It means that you can optionally add the suffix 6 to %any (i.e. %any6) to get ::. %any4 does also exist and equals 0.0.0.0, while %any in some contexts is treated

Re: [strongSwan] Typo in documentation?

2016-11-02 Thread Tobias Brunner
>> Is %any[6] just a typo (maybe copied from a different document that had >> footnotes?) or is this something to do with IPv6? > > It means that you can optionally add the suffix 6 to %any (i.e. %any6) > to get ::. %any4 does also exist and equals 0.0.0.0, while %any in some > contexts is

Re: [strongSwan] StrongSwan generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ] (Linux/Android)

2016-12-08 Thread Tobias Brunner
>> Client logs: > Those logs are useless. You need to read the logs of the remote side. The > reason for the error is logged there. It actually does seem to be a client issue (or more specifically to be related to the certificates): > Dec 6 03:59:47 linuxlite-VirtualBox charon-nm: 16[CFG] no

Re: [strongSwan] IKEv2 with eap-radius does not work.

2017-03-27 Thread Tobias Brunner
Hi, > Thank you for your kind answer. > > Yes, I think so, > Limit is not the cause. > > I have changed “max_attributes” to 300 at radiusd.conf. > No difference. > > I also disabled proxy request. > > #proxy_requests = yes > #$INCLUDE proxy.conf > > (I do not know what the

Re: [strongSwan] IKEv2 with eap-radius does not work.

2017-03-27 Thread Tobias Brunner
Hi, > Fri Mar 24 08:55:37 2017 : Info: Dropping packet without response > because of error: Possible DoS attack from host 127.0.0.1: Too many > attributes in request (received 201, max 200 are allowed). It's very unlikely that the eap-radius plugin actually sent that many attributes to the

Re: [strongSwan] VPN for iOS 10, "deleting half open IKE_SA after timeout"

2017-03-16 Thread Tobias Brunner
Hi Klaus, > Is that necessary? I use > username/password authentication of the clients and the clients don’t > care about the server certificate. Yes, the CA certificate (caCert.der) has to be installed on the clients. They won't trust the server certificate otherwise. Regards, Tobias

Re: [strongSwan] VPN for iOS 10, "deleting half open IKE_SA after timeout"

2017-03-16 Thread Tobias Brunner
Hi Klaus, > What is missing to make it work? As documented on [1], try adding `leftsendcert=always`. If that doesn't work, the CA certificate is probably not installed (or trusted) on the clients. Regards, Tobias [1] https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients

Re: [strongSwan] SWAN leases runtime API

2017-03-21 Thread Tobias Brunner
Hi Victor, > From your answers I assume that using attr-sql plugin with > lease_history property can't help us to identify online connection by > accessing the DB and querying it by virtual IP assigned, before the > lease is released. Why not? > Is there any way to get online leases from the

Re: [strongSwan] SWAN leases runtime API

2017-03-21 Thread Tobias Brunner
Hi Noel, >>> - Can we assure multiple VPN servers configured to work with the same >>> pool in common DB will assign unique virtual IPs? >> Yes, if they use the same DB the leases will be unique. > > I just had a quick look at the code of the attr-sql plugin. > The attr-sql plugin seems to close

Re: [strongSwan] SWAN leases runtime API

2017-03-21 Thread Tobias Brunner
> I performed a test from 2 android phones and checked the DB content. > Identities were recorded upon new connection, while leased IP was > recorded only upon connection close. Yes, in the `leases` table. The online leases can be seen in the `addresses` table. Regards, Tobias

Re: [strongSwan] lifesize in KB.

2017-03-15 Thread Tobias Brunner
Hi Yousuf, > since I find the lifetime parameter however I cannot understand where I should > put lifesize in KB in ipsec config file. http://lmgtfy.com/?q=strongswan+lifetime+bytes Regards, Tobias ___ Users mailing list Users@lists.strongswan.org

Re: [strongSwan] more info in log message "deleting half open IKE_SA after timeout"

2017-03-15 Thread Tobias Brunner
Hi Walter, > With the patch, I hope to be able to see if it's one of "our" clients failing > to connect because > of e.g. fragments being dropped, or it's some scan attempt "from far away". Enabling the `ike_name` option for the configured logger(s) might also help as you could then correlate

Re: [strongSwan] How to restrict IKE and ESP proposals in VICI

2017-03-16 Thread Tobias Brunner
Hi Marc, > Is there a way to limit the proposals in VICI ? You just have to define your proposals. To actually add the default proposal with VICI, as was done automatically with stroke if ! was not added, you have to explicitly add "default" to the proposal list. Regards, Tobias

Re: [strongSwan] VPN for iOS 10, "deleting half open IKE_SA after timeout"

2017-03-17 Thread Tobias Brunner
Hi Klaus, > But I still cannot reach anything beyond the VPN server. Please read [1]. Regards, Tobias [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

Re: [strongSwan] Linux VPN client for SWAN

2017-03-22 Thread Tobias Brunner
Hi Victor, > Is there a Linux VPN client to connect to SWAN server that can be > launched and configured from shell/script? (what client used for SWAN > tests?) strongSwan Regards, Tobias

Re: [strongSwan] Use strongSwan on a Proprietary app

2017-03-15 Thread Tobias Brunner
Hi Rodney, > So I’m asking, is there a (legal) way to make use of strongSwan > library in my applications, that respect the license software and the > work involved behind ? For most parts of the strongSwan source code a commercial license is available. I'll contact you off-list with details.

Re: [strongSwan] Traffic selectors routing issue for IPv6 TS with 128 prefix

2017-03-16 Thread Tobias Brunner
Hi Sachin, > We are facing a problem in reaching traffic selectors when we use IPv6 > TS (single host IP) with /128 prefix, whereas when we use subnets it's > working fine. Since the determining factor for the source IP is the local traffic selector, i.e. fc01:eab:xx::xx/128 (which I suppose is

Re: [strongSwan] Use strongswan for Ike only

2017-04-12 Thread Tobias Brunner
Hi Shreyas, > What about licenses? If I build the custom plugin for a commercial > project, will I have to make the modified source code available to the > public under the GPL? Yes. However, most parts of the strongSwan source code are also available under a commercial license. Please contact

Re: [strongSwan] CRL check: how to fail over to local CRL if fetch fails

2017-04-21 Thread Tobias Brunner
Hi Zach, > Alternatively, is there a way to just ignore embedded CRL distribution > points, and always use the local CRL? If the revocation plugin finds a cached CRL (either previously fetched or loaded manually) that's still valid it will use that and not fetch any remote CRLs. Check the log

Re: [strongSwan] DPD issues when using multiple interfaces to same Gateway

2017-04-21 Thread Tobias Brunner
Hi Marc, > 1- Do DPD rules apply to individual tunnels? If one tunnel cannot > communicate with the Gateway but others can, what happens if the DPD timer > expires in only one of them? Yes, they apply to each IKE_SA individually. > 2- When we set DPD action as restart, do we need to terminate the

Re: [strongSwan] Problem after upgrade 5.5.0->5.5.1

2017-04-13 Thread Tobias Brunner
Hi Dusan, > Apr 13 18:25:33 06[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ] > Apr 13 18:25:33 06[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established > Apr 13 18:25:33 06[IKE] authentication of 'user1' (myself) with EAP > Apr 13 18:25:33 06[ENC] generating IKE_AUTH request 5 [ AUTH ] > Apr 13

Re: [strongSwan] PKI configuration per connection

2017-04-13 Thread Tobias Brunner
Hi Guylain, > -- Trusted certificate > > > By default all trusted certificates are in the same folder. Ca section > allows us to pick individual trusted certificate. However, even if > several ca sections are used, there does not seem to be a way to link > them to a specific connection. They

Re: [strongSwan] Unable to connect to the VPN server from ubuntu via nm-strongswan

2017-04-18 Thread Tobias Brunner
Hi Eugene, > Please indicate where I made a mistake. The NM plugin currently does not support EAP-TLS. You'd have to add a config that e.g. uses plain certificate authentication. Regards, Tobias

Re: [strongSwan] DPD issues when using multiple interfaces to same Gateway

2017-04-21 Thread Tobias Brunner
Hi Anthony, >> 1- Do DPD rules apply to individual tunnels? If one tunnel cannot >> communicate with the Gateway but others can, what happens if the DPD timer >> expires in only one of them? > > Yes, they apply to each IKE_SA individually. > A.M. DpdAction=clear, and multiple interfaces, after

Re: [strongSwan] CRL check: how to fail over to local CRL if fetch fails

2017-04-21 Thread Tobias Brunner
Hi Zach, > Why is the CRL loaded from /etc/ipsec.d/crls/, but not consulted? It is either not valid or does not apply when verifying the validity of the peer's certificate. The lookup for cached CRLs is based on the subjectKeyIdentifier in the issuer certificate - which must match the

Re: [strongSwan] terminate a partial connection

2017-03-13 Thread Tobias Brunner
Hi Anthony, > I tried to terminate using “swanctl -t --child sgateway1-gldl”. > > But the error returned was it could not find the connection to terminate. At that point there is no CHILD_SA with that name. Try --ike. Regards, Tobias

Re: [strongSwan] Connection dropped on rekeying

2017-04-18 Thread Tobias Brunner
Hi Gilles, > charon: 06[KNL] creating rekey job for CHILD_SA ESP/0x/yy.yy.yy.yy > charon: 08[IKE] queueing CHILD_REKEY task > ... > charon: 08[ENC] generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No TSi > TSr ] > charon: 08[NET] sending packet: from 192.168.0.230[4500] to >

Re: [strongSwan] tcpdump/wireshark and Strongswan IPsec VPNs

2017-04-19 Thread Tobias Brunner
Hi Clovis, > I am looking for any help > from anyone who can get the right configuration for tcpdump/wireshark to > generate full bidirectional dump of traffic. https://wiki.strongswan.org/projects/strongswan/wiki/CorrectTrafficDump Regards, Tobias

Re: [strongSwan] Data transfer stops

2017-08-03 Thread Tobias Brunner
Hi Yuri, > After the connection is successfully established, I begin to send data > using iperf. After about 300 s. data transfer stops. There are next > records in log files: The IKE_SA is deleted by the initiator for some reason. Unclear why from the log, which is also due to several issues

Re: [strongSwan] disable lease time of address pool

2017-08-16 Thread Tobias Brunner
Hi Nimo, > How can I set the timeout to zero? or could you please tell me how to > connect Win-C quickly? Use a larger pool? Use SQL to set a lower timeout? (While the pool tool only allows configuration in hours, the timeout is actually stored in seconds.) Regards, Tobias

Re: [strongSwan] is it stongswan or local firewall ?

2017-08-16 Thread Tobias Brunner
Hi, > What should I be looking at? Start with reading [1], which also links to [2]. Regards, Tobias [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests [2] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

Re: [strongSwan] disable lease time of address pool

2017-08-17 Thread Tobias Brunner
Hi, > Is it okay to use one second for timeout ? Sure. While a lease is actively used by a client the timeout has no effect. It is only used to reserve an IP address for a specific identity after it got released, so a client gets the same IP again if it reconnects within that time frame.

Re: [strongSwan] fail using PSK shared key

2017-07-13 Thread Tobias Brunner
Hi Marcos, > Config A > ... > leftid=MyPublicIPA > ... > rightid=MyPublicIPB > ... > Config B: > ... > leftid=10.0.1.5 > ... > rightid=MyPublicIPA > ... > Jul 13 15:30:06 vpnserver charon: 05[CFG] looking for peer configs > matching

Re: [strongSwan] Traffic selector modification ignored when rekeying SA

2017-07-13 Thread Tobias Brunner
Hi, > Is there a way to force TS modification at rekeying time ? No. Regards, Tobias

Re: [strongSwan] "auto = try_again_later" on DNS problems?

2017-07-14 Thread Tobias Brunner
Hi Harald, > I tried both "auto = start" You could set charon.retry_initiate_interval, then initiation will be tried again if the DNS resolution failed. > and "auto = route". I pushed a change to the child-sa-rekeying branch that addresses this. Unless %dynamic is used in the remote traffic

Re: [strongSwan] xauth-pam and ip address

2017-07-17 Thread Tobias Brunner
Hi Mike, > (The problem) > /var/log/secure > 2017-07-14T18:13:46.537632+00:00 transit-pvd-tunnel-2 charon: > pam_console(ipsec:session): getpwnam failed for 192.168.0.149 > 2017-07-14T18:13:46.537793+00:00 transit-pvd-tunnel-2 charon: > pam_unix(ipsec:session): session closed for user

Re: [strongSwan] Not using libsoup

2017-07-10 Thread Tobias Brunner
Hi Nicolas, > Correct, the brew version of pkg-config was insufficient; using `sudo port > install pkgconfig` worked The brew version works fine if you also use libraries installed via brew, but you have to heed the console output that brew spits out when it installs libraries (i.e. to use it

Re: [strongSwan] make before break and default activation

2017-07-18 Thread Tobias Brunner
>>> - what happens with other IKEv2 implementations? >> >> That's the big question and the reason it is disabled by default (well, >> actually that old strongSwan versions don't support it). It only works >> if the responder can handle this properly so you have to experiment. > > Do you mean that

Re: [strongSwan] make before break and default activation

2017-07-18 Thread Tobias Brunner
Hi Emeric, > To be more specific: > - what happens exactly if it is enabled only on one side? It only has an effect on the peer that initiates the reauthentication. Enabling it on a host that's always responder has no effect at all. > - what happens with other IKEv2 implementations? That's the

Re: [strongSwan] Strongswan and TPM

2017-07-18 Thread Tobias Brunner
Hi John, > and I conclude from this example, that private key stored in TPM is > loaded to program memory the same way as if it was stored in a file (log > message: "...charon-systemd[21165]: loaded RSA private key from token"). > Am I correct? No, that's only the generic log message that you'll

Re: [strongSwan] Not using libsoup

2017-07-10 Thread Tobias Brunner
Hi Nicolas, > And I get the error > > ./configure: line 19934: syntax error near unexpected token `soup,' > ./configure: line 19934: `PKG_CHECK_MODULES(soup, libsoup-2.4)' Sounds like you were missing pkg-config when you called ./autogen.sh. The built configure script should not contain the

Re: [strongSwan] make before break and default activation

2017-07-24 Thread Tobias Brunner
Hi Emeric, >>> To be more specific: >>> - what happens exactly if it is enabled only on one side? >> >> It only has an effect on the peer that initiates the reauthentication. >> Enabling it on a host that's always responder has no effect at all. > > What happens on strongSwan>=5.3.0 if the peer

Re: [strongSwan] make before break and default activation

2017-07-24 Thread Tobias Brunner
Hi Emeric, > Two peers try to renegotiate an IKE SA, they both use strongSwan >=5.3.0 > The first peer has the make-before-break authentication enabled > The second peer does not have the make-before-break authentication enabled > > What happens if the first peer initiates first? What's

Re: [strongSwan] IKEv1 and identifiers

2017-06-30 Thread Tobias Brunner
Hi Emeric, > To sum up, for compatibility reasons, as soon as there is something other than > an IP address, we have to activate the > "i_dont_care_about_security_and_use_aggressive_mode_psk" option? The charon daemon, since 5.5.2, does a config lookup based on the IP addresses and then

Re: [strongSwan] rekeying IKEv2 SA

2017-06-30 Thread Tobias Brunner
Hi Mike, > ikelifetime=6m > margintime=3m Not ideal as that, depending on rekeyfuzz and the randomization, could result in rekeying getting disabled (see the formula on the ExpiryRekey page). > If I change reauth=yes to reauth=no You definitely have to disable reauth to use

Re: [strongSwan] New Android update option - how to best exploit?

2017-07-04 Thread Tobias Brunner
Hi Karl, > What would be the /least /traffic-generating option for its use? In > other words /exactly what either has to be on the client -- or sent from > the server -- for that switch to work?/ The least traffic you get if you import the server certificate into the app and configure

Re: [strongSwan] rekeying IKEv2 SA

2017-07-03 Thread Tobias Brunner
Hi Mike, > It says "configured DH group CURVE_25519 not supported". But of course it > does > not have this error upon initially establishing the IKEv2 SA and all works > well until > it is time to rekey. Very odd. The code path there is the same initially and during the rekeying. So it

Re: [strongSwan] What the blankety-blank-blank is Win10 doing? (now Android and ECDSA certs)

2017-07-03 Thread Tobias Brunner
Hi Karl, > But now, when that certificate is selected, StrongSwan doesn't seem to > want to *find* the certificate, even though it *does* verify as ok > against the CA that issued it, and it's in the "certs" directory. No need to put it there unless you actually reference it explicitly in

Re: [strongSwan] ip address allocation .. same ip for different machines

2017-07-05 Thread Tobias Brunner
Hi Alex, > Everything works except when I connect to SSWan from multiple apple > devices with the same .mobileconfig each remote client gets the same ip > address assigned. > > Currently sitting with connection from iOS 10 and macos 10.12 both with > same ip address assigned. > > I'm guessing it's

Re: [strongSwan] New Android update option - how to best exploit?

2017-07-05 Thread Tobias Brunner
Hi Karl, > Except that I can't install the server's certificate into Android's > storage (whether from the base "Security" tab or in the StrongSwan > client); it refuses and says there's no certificate it can import. If you tried the import option in the CA certificate view of the app and it

Re: [strongSwan] cipher choice causing issue

2017-07-06 Thread Tobias Brunner
Hi Jamie, > One other issue - the client is actually a router, and NATed clients behind > it can’t seem to access the internet, although the client itself can. > Any thoughts? What do you mean? Access the Internet via VPN or locally? Perhaps [1] has some pointers for you. Regards, Tobias

Re: [strongSwan] Using RADIUS EAP-TLS auth on the Strongswan Android app

2017-06-29 Thread Tobias Brunner
Hi Aanand, > Can this capability be added in the next release? The problem is that some implementations (including strongSwan with default settings) might not send a certificate back if they don't receive a matching certificate request. So disabling them will only work if the server behaves

Re: [strongSwan] SSwan 5.5.3 , X.509 certs and attr-sql issue

2017-06-29 Thread Tobias Brunner
Hi Alex, > Jun 29 13:49:12 06[LIB] executing MySQL statement > failed: Duplicate entry > '9-0\x81\x881\x1D0\x1B\x06\x03U\x04\x03\x0C\x14sumvis...@york.ac.' for key > 'type' That shouldn't happen as right before that insert there is a query that should return the identity

Re: [strongSwan] cipher choice causing issue

2017-07-05 Thread Tobias Brunner
Hi Jamie, > Server is Ubuntu 17, Client LEDE trunk. Authentication happens, but I think > client and server cannot agree on an algorithm? They do, but the chosen algorithm (probably AES-GCM) apparently is not supported by the client's kernel: > 16[KNL] received netlink error: Function not

Re: [strongSwan] New Android update option - how to best exploit?

2017-07-05 Thread Tobias Brunner
Hi Karl, > BTW is the OCSP check failure due to lack of "curl" support in the > Android client? No, it's because the revocation plugin can't build an OCSP request (only the x509 plugin can do so, but on Android we use the openssl plugin to parse certificates so that plugin isn't enabled). I

Re: [strongSwan] New Android update option - how to best exploit?

2017-07-05 Thread Tobias Brunner
Hi Karl, > Yes. If the frag-eating monster does not get me BOTH certificates work > (when sent from the server with the switch turned on.) OK, I see what the problem is. If no certificate is exchanged the used certificate does not end up in the remote auth-cfg in a way currently used when

Re: [strongSwan] eap_identity=%identity option support using VICI ?

2017-07-05 Thread Tobias Brunner
Hi, > My problem is that I don't see how to keep the necessary "eap_identity = > %identity" line in the vici configuration. Set eap_id to %any in the corresponding remote* section. Regards, Tobias

Re: [strongSwan] Question about IKE frag

2017-04-27 Thread Tobias Brunner
Hi Emeric, > We noticed that for a tunnel between A and B: > - if A sets the option to "yes" and B sets the option to "no", A does not > fragment messages. > - if A and B set the option to "yes", A does fragment messages respecting the > fragmentation_size parameter > > Do you confirm this

Re: [strongSwan] CRL check: how to fail over to local CRL if fetch fails

2017-04-24 Thread Tobias Brunner
Hi Zach, > I do wish I could figure out the file:/// problem though. > /usr/bin/curl has no problem fetching the CRL via the file URI, so I > don't suspect libcurl is the problem. Besides it's a default Debian > installation. Debian's libcurl should be pretty typical. Is there a > way to coax

Re: [strongSwan] Question about IKE frag

2017-04-28 Thread Tobias Brunner
> That would be something like that: > - no -> announce support (but do not fragment output packets) > - yes -> announce support and use it to fragment output packets > > What do you think? You won't be able to completely disable the feature this way. For example, if the peer supports it but

Re: [strongSwan] Question about IKE frag

2017-04-28 Thread Tobias Brunner
Hi Emeric, >>> We would expect A to fragment messages since B can accept them anyway? >> >> No, it only will accept fragmented messages if A sends them even if not >> negotiated. But B will only negotiate fragmentation (and thus enable it >> if A wants to use it) if the option is set to yes. >>

Re: [strongSwan] roadwarrior client on macOS?

2017-04-25 Thread Tobias Brunner
Hi Paul, > I'm afraid I'm struggling with the wiki documentation and would like > to use the roadwarrior app - however it asks for a username whereas I > want to use the certificate already installed on the machine (which is > used for Active Directory integration), what can I do here? Use the

Re: [strongSwan] Tunnels with dynamic IP and another route issue

2017-04-25 Thread Tobias Brunner
Hi Dusan, > default > nexthop via 90.225.x.x dev vlan845 weight 1 > nexthop via 10.248.x.x dev ppp0 weight 256 > nexthop via 85.24.x.x dev vlan847 weight 1 > nexthop via 46.195.x.x dev ppp1 weight 1 > > My gateway is configured to use 10.248.0.x as "default

Re: [strongSwan] left ID, right ID and no matching peer config

2017-04-25 Thread Tobias Brunner
Hi Piyush, > while the rightID on server would be %any. If you set `rightcert` this will cause `rightid` to default to the subject DN of the certificate, which in turn won't match "client". So either set `rightid=client` or don't set `leftid` on the client so the client's own identity defaults

Re: [strongSwan] Wrong traffic selecting on local side.

2017-08-08 Thread Tobias Brunner
Hi Jaehong, > And if I do udp iperf3 testing on port 4001, from client to server > > Somehow all the SAs are up and TCP control packets flow but not the > UDP data traffic. Why should there be TCP control packets if you do UDP testing? At least iperf doesn't do that. Are you sure you

Re: [strongSwan] Strongswan VPN Profile for Android.

2017-08-02 Thread Tobias Brunner
Hi Aanand, > Does the Strongswan client for Mac also have this capability? No, the only overlap between the macOS and the Android client is that they are both using the IKEv2 implementation provided by libcharon. But their GUI, architecture and config interface are completely different.

Re: [strongSwan] Data transfer stops

2017-08-04 Thread Tobias Brunner
Hi Yuri, > I changed logging settings as you suggested. Full logs are in attachments. Thanks. What lifetimes did you configure now? It seems the CHILD_SAs are rekeyed immediately after they got established (i.e. the settings you mentioned in your first email can't be in use here). Anyway, I

Re: [strongSwan] Data transfer stops

2017-08-07 Thread Tobias Brunner
Hi Yuri, > I've used lifetimes from my first mail. That seems unlikely as the last logs show that the two peers rekey the CHILD_SAs immediately after they got established. With lifetime=2m and margintime=20s, and the default rekeyfuzz=100% the rekeyings should happen randomly between 80 and 100

Re: [strongSwan] Wrong traffic selecting on local side.

2017-08-07 Thread Tobias Brunner
Hi Jaehong, > This is the charon.log with debug level 2, when the problem happens. > At the end of selecting ts for us, it picks tcp_udp_4001 instead of > selecting icmp_any. > Is this a bug? Not really. The tcp_udp_4001 connection allows any protocol, so when the peer proposes ICMP that's

Re: [strongSwan] executing updown script when IKE is created and deleted

2017-08-18 Thread Tobias Brunner
Hi, > Is there any way to execute an external script when IKE is created and > deleted? The updown script is/was intended to install firewall rules that go with the IPsec SAs so the script is tied to the lifecycle of CHILD_SAs (but is not called when CHILD_SAs are rekeyed as the original

Re: [strongSwan] Tunnel failing when rekeying

2017-05-12 Thread Tobias Brunner
Hi Dusan, > May 11 08:37:04 10[IKE] CHILD_SA azure{5} established with > SPIs cbf4ad11_i 25a1672e_o and TS 10.1.1.0/26 === 10.0.1.0/24 > May 11 15:44:10 07[IKE] no acceptable proposal found > May 11 15:44:10 07[IKE] failed to establish CHILD_SA, keeping > IKE_SA

Re: [strongSwan] swanctl unloads private key on startup (not desired)

2017-05-12 Thread Tobias Brunner
Hi Stephen, > On startup, swanctl seems to load and then immediately unload the > private key associated with the "local" cert: > 10[CFG] loaded RSA private key > 10[CFG] unloaded private key with id > 4d12e9d018870dfc33ddd431233ec05a97498ccc I was able to reproduce this issue. It

Re: [strongSwan] Questions about import sswan file.

2017-05-15 Thread Tobias Brunner
Hi, > Can I direct read URL via strongSwan to complete import? No, but the next version will allow importing VPN profiles via Storage Access Framework (on Android versions that support it). So users can browse to a downloaded file and the MIME-type or filename doesn't matter. > Can the

Re: [strongSwan] multiple subnet in local_ts and remote_ts in swanctl.conf

2017-05-10 Thread Tobias Brunner
Hi Guylain, > If I understand the documentation correctly it should be possible. Am I > right? That mainly depends on two things, the IKE version (it only works for IKEv2, see [1]) and whether your peer has a matching configuration and supports multiple traffic selectors per CHILD_SA - it might

Re: [strongSwan] swanctl.conf debugging-- fails to load certificates

2017-05-11 Thread Tobias Brunner
Hi Stephen, > but the local_addrs/remote_addrs/local_ts/remote_ts + > start_action=trap in swanctl.conf looks like it should get the job done. You can do the same thing with ipsec.conf. > I was having trouble > understanding how to ensure that swanctl.conf was being used and > ipsec.conf being

Re: [strongSwan] Question about IKE frag

2017-05-09 Thread Tobias Brunner
Hi Emeric, >>> - accept: announce IKE frag support, accept IKE fragmented packets >>> - yes: announce IKE frag support, accept IKE fragmented packets and emit >>> fragmented packets using the other option to set the max fragment size. >> >> That's simple enough to implement. See the

Re: [strongSwan] Using RADIUS EAP-TLS auth on the Strongswan Android app

2017-06-26 Thread Tobias Brunner
Hi Aanand, > Now, > if I am using a RADIUS server to do EAP-TLS authentication then the > client has to additionally validate the RADIUS server (using the RADIUS > server’s certificate). How should I specify the root certificate for > RADIUS server cert validation? As mentioned at [1] the RADIUS

Re: [strongSwan] mobile client - per app vpn support

2017-06-26 Thread Tobias Brunner
Hi Stella, > - There is no option per-app VPN. Is it correct ? No, but the next release of the app will support this. > - There is VPN split tunneling in the IP level. Is it correct? No, but the next release of the app will support this. > - What does the following option mean: "block ipv4

Re: [strongSwan] What the blankety-blank-blank is Win10 doing? :-)

2017-06-26 Thread Tobias Brunner
Hi Karl, > StrongSwan never gets this packet. I assume the problem here is the > length mismatch, but not certain. What is certain is that StrongSwan > never sees it; no matter how far up I turn the logging I never see any > evidence of it being logged. Sounds like an IP fragmentation issue

Re: [strongSwan] Strongswan VPN Profile for Android.

2017-06-26 Thread Tobias Brunner
Hi Aanand, > When will Strongswan be adding browsing for profile files using SAF? As I mentioned, with the next release (the code can be found in the android-updates branch), which is due this or next week. > Also, how do I specify split tunnel routes? Does the server have to enforce > that by

Re: [strongSwan] Using RADIUS EAP-TLS auth on the Strongswan Android app

2017-06-27 Thread Tobias Brunner
> When I choose automatic CA certificate selection, the Strongswan client sends > the hashes of all the root certs installed on Android (including the ones in > the "System" store). Is there a way to disable this behavior on the > Strongswan client so that it doesn’t send all the hashes? No,

Re: [strongSwan] charon unmet dependency on native android build

2017-05-26 Thread Tobias Brunner
Hi Nathan, > The output I get is (I get the same log output if I do ipsec start > instead of executing charon directly): > > root@kltetmo:/ # charon > 00[DMN] Starting IKE charon daemon (strongSwan 5.5.2, Linux 3.4.0, armv7l) > 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has

Re: [strongSwan] Exclude protocol from IPsec

2017-05-24 Thread Tobias Brunner
> Actually, can someone confirm if allow_swap=no will NOT work in 5.1.2? If you'd checked `man strongswan.conf` you'd have seen that the option is not available in that version. Actually, it was added in 5.3.3 [1]. Regards, Tobias [1] https://wiki.strongswan.org/versions/58

Re: [strongSwan] MOBIKE task got stuck Strongswan version 5.3.2

2017-05-29 Thread Tobias Brunner
Hi Simon, > It would seem MOBIKE tasks are not caused by interface up/down. > Can you tell what events can trigger activation of a MOBIKE task? As I already wrote, DPDs are also handled by MOBIKE tasks if both peers support MOBIKE. You could disable MOBIKE in the config if you don't want to use

Re: [strongSwan] charon unmet dependency on native android build

2017-05-29 Thread Tobias Brunner
Hi Nathan, > Still no indication on why it fails when I look at the logs. Probably glob(3) is not available. Regards, Tobias

Re: [strongSwan] Strongswan VPN Profile for Android.

2017-05-29 Thread Tobias Brunner
Hi Aanand, > The link also refers to a file media type. I didn’t do > anything specific to set the file’s media type. Could that be the reason > why the import is failing? Yep, most likely. The next release will allow browsing for profile files using the SAF. > How do I set the media type for

Re: [strongSwan] How to disable NAT traversal with strongSwan VPN client app (on android device)?

2017-06-13 Thread Tobias Brunner
Hi Chinmaya, > I am using the strongSwan VPN client app (as an IKEv2 initiator) in my > android device. How can I disable NAT feature? Because by default, it > sends IKE_AUTH request and data traffic in UDP encapsulated packet which > I do not want. You can't. The app uses the VpnService API

Re: [strongSwan] fails to retry after DNS failure

2017-05-08 Thread Tobias Brunner
> There's no option to force retrying in any case. But there is one to retry if DNS resolution failed (charon.retry_initiate_interval). Regards, Tobias ___ Users mailing list Users@lists.strongswan.org

Re: [strongSwan] bring up only IKE SA and not ipsec child SA

2017-05-08 Thread Tobias Brunner
Hi Justin, > Is it possible to bring up only an IKE SA (and not any associated child ipsec > SA)? No, strongSwan currently doesn't support RFC 6023 [1]. Regards, Tobias [1] https://tools.ietf.org/html/rfc6023

Re: [strongSwan] Regarding IKEv2 EAP

2017-05-05 Thread Tobias Brunner
Hi, > I am a bit confused with eap-dynamic, and eap-radius. When we say > "rightauth=eap-radius", does that mean, it will accept all the EAP > methods by authenticating with radius? Pretty much. The eap-radius plugin doesn't really care about specific EAP methods, it just passes EAP messages

Re: [strongSwan] MOBIKE task got stuck Strongswan version 5.3.2

2017-05-05 Thread Tobias Brunner
Hi Simon, > 1. Any guesses on how the MOBIKE task gets stuck and won't timeout? Should > there be ongoing retries? Read the log. > 2. I think charon is still sending keepalive messages to the peers with > MOBIKE task active, but no DPD is sent. This behavior seems to create > the situation that

Re: [strongSwan] Question about IKE frag

2017-05-05 Thread Tobias Brunner
Hi Emeric, > Let's sum up the proposal: > - no: do not announce IKE frag support, drop received IKE fragmented packets While we could do that, at least for IKEv1 it is not really possible (due to the `force` case - we handle the initial messages before we know what was configured). And I'm not

Re: [strongSwan] log file question

2017-06-28 Thread Tobias Brunner
Hi Harri, > What is the exact meaning of these fancy strings like "07[NET]", > "26[ENC]" etc. in the logfile? They seem to be related to > charondebug, but are they? What does the number tell me? Some > kind of "context id"? See [1] for the log subsystems. The number is the internal ID of the
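An added example of putting that prefix to use (this is not code from the list post or from strongSwan itself): it parses syslog-style charon lines into thread ID, subsystem and message, counts lines per subsystem, and, for every generated N(AUTH_FAILED), collects the CFG/IKE lines the same worker thread logged while handling that request, which is where the actual reason is printed. The sample log is constructed to look like charon output; the host name, addresses and identities in it are made up.

```python
import re
from collections import Counter

# charon prefixes each log line with "NN[SUB] ": NN is the ID of the worker
# thread that logged the line, SUB is the log subsystem. The subsystem names
# are the ones charondebug / charon.filelog levels are set for (DMN, MGR, IKE,
# CHD, JOB, CFG, KNL, NET, ASN, ENC, TNC, IMC, IMV, PTS, TLS, APP, ESP, LIB).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>charon[\w.-]*)(?:\[\d+\])?: "
    r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$"
)


def parse_line(line):
    """One syslog-style charon line -> dict, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["thread"] = int(rec["thread"])
    return rec


def parse_log(text):
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def lines_per_subsystem(records):
    """Count lines per subsystem. A subsystem whose level is 0 never appears
    here, which is why 'cfg 0' hides the reason for an AUTH_FAILED."""
    return Counter(rec["sub"] for rec in records)


def thread_context(records, index, max_lines=50):
    """Lines the same worker thread logged before records[index], i.e. while
    processing the same message. Thread IDs are reused for later messages,
    so walk back only to the NET 'received packet' line that started it."""
    thread = records[index]["thread"]
    ctx = []
    for prev in reversed(records[:index]):
        if prev["thread"] != thread:
            continue
        ctx.insert(0, prev)
        started = prev["sub"] == "NET" and prev["msg"].startswith("received packet")
        if started or len(ctx) >= max_lines:
            break
    return ctx


def explain_auth_failures(records):
    """For each generated N(AUTH_FAILED) return (line, [CFG/IKE lines of the
    same thread that led up to it]); those lines carry the actual reason."""
    out = []
    for i, rec in enumerate(records):
        if rec["msg"].startswith("generating") and "N(AUTH_FAILED)" in rec["msg"]:
            reasons = [c["msg"] for c in thread_context(records, i)
                       if c["sub"] in ("CFG", "IKE")]
            out.append((rec["msg"], reasons))
    return out


# Constructed sample modelled on charon's syslog output (not a real capture):
# thread 07 handles an IKE_AUTH request, thread 26 handles another peer.
SAMPLE_LOG = """\
Jun 28 10:15:01 gw charon: 07[NET] received packet: from 192.0.2.10[4500] to 198.51.100.1[4500] (368 bytes)
Jun 28 10:15:01 gw charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr ]
Jun 28 10:15:01 gw charon: 26[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Jun 28 10:15:01 gw charon: 07[CFG] looking for peer configs matching 198.51.100.1[gw.example.org]...192.0.2.10[client.example.org]
Jun 28 10:15:01 gw charon: 07[CFG] no matching peer config found
Jun 28 10:15:01 gw charon: 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jun 28 10:15:01 gw charon: 07[NET] sending packet: from 198.51.100.1[4500] to 192.0.2.10[4500] (80 bytes)
Jun 28 10:15:03 gw charon: 12[KNL] interface eth0 activated
Jun 28 10:15:03 gw sshd[412]: Accepted publickey for admin from 192.0.2.5
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(dict(lines_per_subsystem(recs)))
    for line, reasons in explain_auth_failures(recs):
        print(line)
        for r in reasons:
            print("   <-", r)
```

Correlating on the thread number is what makes the prefix useful: lines from other threads (26[ENC] above) interleave freely, and only the ones with the failing request's thread ID belong to it. Because a thread picks up a new message as soon as it is done, the walk-back stops at that thread's last "received packet" line rather than at a fixed line count.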

Re: [strongSwan] using IPsec with systemd

2017-09-19 Thread Tobias Brunner
Hi Marcos, > I setup two connections with ipsec and now I was checking how to use > systemd with ipsec. Now I'm using the package charon-systemd > > https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd > > but it does not accept the ipsec.conf file. I can't find examples of the changes to > make to

Re: [strongSwan] The option "rightca=ca-dn-here" in v5.5.1 seems to have no effect for IKEv1, cert requests for all CAs in cacerts are still sent to peer

2017-09-22 Thread Tobias Brunner
Hi Rajiv, > I have used the

Re: [strongSwan] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

2017-10-16 Thread Tobias Brunner
Hi Jon, > charondebug="ike 1, knl 1, cfg 0" Why did you set the log level for cfg to 0? That's where you'd see why this error occurs. Regards, Tobias

Re: [strongSwan] Cannot ping machines on remote local network - solved

2017-09-08 Thread Tobias Brunner
Hi Ric, > I managed to find the bug, wrong truncation still exists in latest > 4.4 kernel: > > https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/tree/ > net/xfrm/xfrm_algo.c?h=v4.4.87 That's only because you are using the kernel-pfkey plugin on Linux, which you should

Re: [strongSwan] Selecting eap-mschapv2 for use by NM plugin

2017-09-08 Thread Tobias Brunner
Hi Alex, > In my strongswan build, how do I tell NM to use eap-mschapv2? > > At the moment, by default it's using eap-md5 The server selects the EAP method. The only option the client has is returning an EAP-Nak with the methods it supports/prefers. strongSwan does so if the requested method
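The exchange described above, as an added example that is not part of the list post and not strongSwan's own code: the server proposes a method (here EAP-MD5, type 4), the peer answers a method it does not support with an EAP-Nak (type 3) carrying the type numbers it does support (here EAP-MSCHAPv2, type 26), and the server either continues with the first of its own methods that the peer listed or gives up. Packet layout and Nak rules follow RFC 3748; the method-specific data of the Request is omitted since it plays no role in the negotiation.

```python
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
TYPE_IDENTITY, TYPE_NOTIFICATION, TYPE_NAK = 1, 2, 3
TYPE_MD5, TYPE_MSCHAPV2 = 4, 26          # EAP method type numbers (IANA)
# A Nak may only answer a Request for an authentication method, never an
# Identity, Notification or Nak Request (RFC 3748, 5.3.1).
NON_METHOD_TYPES = {TYPE_IDENTITY, TYPE_NOTIFICATION, TYPE_NAK}


def build_eap(code, ident, eap_type, type_data=b""):
    """Code | Identifier | Length | Type | Type-Data (RFC 3748, section 4)."""
    return struct.pack("!BBHB", code, ident, 5 + len(type_data), eap_type) + type_data


def parse_eap(pkt):
    if len(pkt) < 5:
        raise ValueError("EAP packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length does not match packet size")
    return code, ident, pkt[4], pkt[5:]


def peer_answer(request, supported):
    """Client side. None if the requested method is supported (the method
    itself then builds the Response); otherwise a Nak listing the peer's
    methods in order of preference, or a single 0 octet if it has none."""
    code, ident, eap_type, _ = parse_eap(request)
    if code != EAP_REQUEST or eap_type in NON_METHOD_TYPES:
        raise ValueError("a Nak may only answer a method Request")
    if eap_type in supported:
        return None
    return build_eap(EAP_RESPONSE, ident, TYPE_NAK, bytes(supported) or b"\x00")


def server_pick(response, ident, offered):
    """Server side. Returns the method to continue with: the one the peer
    answered, or on a Nak the first of the server's methods the peer listed.
    None means no common method, i.e. the server should send EAP-Failure."""
    code, rid, eap_type, data = parse_eap(response)
    if code != EAP_RESPONSE or rid != ident:
        raise ValueError("unexpected EAP Response")
    if eap_type != TYPE_NAK:
        return eap_type
    wanted = set(data) - {0}
    return next((m for m in offered if m in wanted), None)


def negotiate(server_methods, peer_methods):
    """One round: the server proposes its first method, the peer accepts or
    Naks, the server re-proposes from the peer's list or gives up."""
    ident = 1
    request = build_eap(EAP_REQUEST, ident, server_methods[0])   # method data omitted
    reply = peer_answer(request, peer_methods)
    if reply is None:
        return server_methods[0]
    return server_pick(reply, ident, server_methods)


if __name__ == "__main__":
    print("server [MD5, MSCHAPv2], peer [MSCHAPv2] ->",
          negotiate([TYPE_MD5, TYPE_MSCHAPV2], [TYPE_MSCHAPV2]))
    print("server [MD5], peer [MSCHAPv2] ->", negotiate([TYPE_MD5], [TYPE_MSCHAPV2]))
```

The point the exchange makes is that the peer's list is advisory: the server walks its own configured order and picks the first method that also appears in the Nak, so a client that wants EAP-MSCHAPv2 gets it only if the server is configured to offer it. A server that only offers EAP-MD5 answers the Nak with EAP-Failure.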

Re: [strongSwan] revoke certification with out "ipsec restart"

2017-09-07 Thread Tobias Brunner
Hi Nimo, > I don't want to use "ipsec restart" because other IPsec sessions are > disconnected. > How can I enable the revocation without disconnecting others' > IPsec sessions? You used the same crlNumber for your second CRL. So it didn't replace the CRL that you loaded before (this is
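The check a practitioner wants before loading a new CRL is whether its crlNumber is actually higher than the one already loaded. The following is an added example, not code from the list post or from strongSwan: a small DER walker that pulls the crlNumber extension (OID 2.5.29.20) out of a DER-encoded CRL and compares two CRLs, plus a builder that constructs a structurally valid but unsigned test CRL so the example runs offline. The builder's issuer name, date and dummy signature are made up; for a real CRL in PEM form convert it first with `openssl crl -inform PEM -outform DER`.

```python
OID_CRL_NUMBER = bytes.fromhex("551d14")  # id-ce-cRLNumber, 2.5.29.20


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(n):
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:          # keep non-negative values positive in two's complement
        b = b"\x00" + b
    return _tlv(0x02, b)


def _read(buf, pos=0):
    """Read one DER TLV (single-byte tags only, which is all X.509 uses)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    pos = 0
    while pos < len(body):
        tag, val, pos = _read(body, pos)
        yield tag, val


def crl_number(der):
    """crlNumber of a DER-encoded CRL, or None if the extension is absent."""
    _, cert_list, _ = _read(der)              # CertificateList
    _, tbs, _ = _read(cert_list)              # TBSCertList
    for tag, val in _children(tbs):
        if tag != 0xA0:                       # crlExtensions [0] EXPLICIT
            continue
        _, exts, _ = _read(val)               # SEQUENCE OF Extension
        for _, ext in _children(exts):
            fields = list(_children(ext))     # extnID, [critical], extnValue
            if fields[0][1] == OID_CRL_NUMBER:
                _, num, _ = _read(fields[-1][1])   # INTEGER inside the OCTET STRING
                return int.from_bytes(num, "big", signed=True)
    return None


def crl_supersedes(loaded_der, new_der):
    """True only if the new CRL carries a strictly higher crlNumber than the
    loaded one; an equal number means it is not treated as a replacement."""
    old, new = crl_number(loaded_der), crl_number(new_der)
    return old is not None and new is not None and new > old


def build_test_crl(number, issuer_cn="Test CA"):
    """Constructed test input: a structurally valid CRL with a dummy
    signature, just enough to exercise the parser. Not a usable CRL."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    cn = _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, issuer_cn.encode()))
    issuer = _tlv(0x30, _tlv(0x31, cn))
    this_update = _tlv(0x17, b"170907000000Z")
    ext = _tlv(0x30, _tlv(0x06, OID_CRL_NUMBER) + _tlv(0x04, _der_int(number)))
    tbs = _tlv(0x30, _der_int(1) + alg + issuer + this_update + _tlv(0xA0, _tlv(0x30, ext)))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + bytes(32)))


if __name__ == "__main__":
    loaded, reissued, bumped = build_test_crl(5), build_test_crl(5), build_test_crl(6)
    print("same number replaces loaded CRL:", crl_supersedes(loaded, reissued))
    print("higher number replaces loaded CRL:", crl_supersedes(loaded, bumped))
```

For a quick manual check on a PEM file, `openssl crl -in new.pem -noout -crlnumber` prints the same value; the point is that the number must go up with every issuance, otherwise the daemon keeps the CRL it already has.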

Re: [strongSwan] configured DH group CURVE_25519 not supported

2017-08-30 Thread Tobias Brunner
Hi Gyula, > First, without --disable-curve25519, which means that the plugin is > enabled (https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf). > After that, I added --disable-curve25519 to ./configure options. Also note that you might need to run `make clean` first after you changed
