> Is %any[6] just a typo (maybe copied from a different document that had
> footnotes?) or is this something to do with IPv6?
It means that you can optionally add the suffix 6 to %any (i.e. %any6)
to get ::. %any4 also exists and equals 0.0.0.0, while %any in some
contexts is treated
>> Is %any[6] just a typo (maybe copied from a different document that had
>> footnotes?) or is this something to do with IPv6?
>
> It means that you can optionally add the suffix 6 to %any (i.e. %any6)
> to get ::. %any4 also exists and equals 0.0.0.0, while %any in some
> contexts is
>> Client logs:
> Those logs are useless. You need to read the logs of the remote side. The
> reason for the error is logged there.
It actually does seem to be a client issue (or more specifically to be
related to the certificates):
> Dec 6 03:59:47 linuxlite-VirtualBox charon-nm: 16[CFG] no
Hi,
> Thank you for your kind answer.
>
> Yes, I think so,
> Limit is not the cause.
>
> I have changed “max_attributes” to 300 at radiusd.conf.
> No difference.
>
> I also disabled proxy request.
>
> #proxy_requests = yes
> #$INCLUDE proxy.conf
>
> (I do not know what the
Hi,
> Fri Mar 24 08:55:37 2017 : Info: Dropping packet without response
> because of error: Possible DoS attack from host 127.0.0.1: Too many
> attributes in request (received 201, max 200 are allowed).
It's very unlikely that the eap-radius plugin actually sent that many
attributes to the
Hi Klaus,
> Is that necessary? I use
> username/password authentication of the clients and the clients don’t
> care about the server certificate.
Yes, the CA certificate (caCert.der) has to be installed on the clients.
They won't trust the server certificate otherwise.
Regards,
Tobias
Hi Klaus,
> What is missing to make it work?
As documented on [1], try adding `leftsendcert=always`. If that doesn't
work, the CA certificate is probably not installed (or trusted) on the
clients.
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients
Hi Victor,
> From your answers I assume that using attr-sql plugin with
> lease_history property can't help us to identify online connection by
> accessing the DB and querying it by virtual IP assigned, before the
> lease is released.
Why not?
> Is there any way to get online leases from the
Hi Noel,
>>> - Can we assure multiple VPN servers configured to work with the same
>>> pool in common DB will assign unique virtual IPs?
>> Yes, if they use the same DB the leases will be unique.
>
> I just had a quick look at the code of the attr-sql plugin.
> The attr-sql plugin seems to close
> I performed a test from 2 android phones and checked the DB content.
> Identities were recorded upon new connection, while leased IP was
> recorded only upon connection close.
Yes, in the `leases` table. The online leases can be seen in the
`addresses` table.
Regards,
Tobias
Hi Yousuf,
> since I find the lifetime parameter, however I cannot understand where I should
> put lifesize in KB in the ipsec config file.
http://lmgtfy.com/?q=strongswan+lifetime+bytes
Regards,
Tobias
___
Users mailing list
Users@lists.strongswan.org
Hi Walter,
> With the patch, I hope to be able to see if it's one of "our" clients failing
> to connect because
> of e.g. fragments being dropped, or it's some scan attempt "from far away".
Enabling the `ike_name` option for the configured logger(s) might also
help as you could then correlate
Hi Marc,
> Is there a way to limit the proposals in VICI ?
You just have to define your proposals. To actually add the default
proposal with VICI, as was done automatically with stroke if ! was not
added, you have to explicitly add "default" to the proposal list.
Regards,
Tobias
Hi Klaus,
> But I still cannot reach anything beyond the VPN server.
Please read [1].
Regards,
Tobias
[1]
https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
Hi Victor,
> Is there a Linux VPN client to connect to SWAN server that can be
> launched and configured from shell/script? (what client used for SWAN
> tests?)
strongSwan
Regards,
Tobias
Hi Rodney,
> So I’m asking, is there a (legal) way to make use of the strongSwan
> library in my applications that respects the software license and the
> work involved behind it?
For most parts of the strongSwan source code a commercial license is
available. I'll contact you off-list with details.
Hi Sachin,
> We are facing a problem in reaching traffic selectors when we use IPv6
> TS (single host IP) with /128 prefix, BUT whereas when we use subnets, it's
> working fine.
Since the determining factor for the source IP is the local traffic
selector, i.e. fc01:eab:xx::xx/128 (which I suppose is
Hi Shreyas,
> What about licenses? If I build the custom plugin for a commercial
> project, will I have to make the modified source code available to the
> public under the GPL?
Yes. However, most parts of the strongSwan source code are also
available under a commercial license. Please contact
Hi Zach,
> Alternatively, is there a way to just ignore embedded CRL distribution
> points, and always use the local CRL?
If the revocation plugin finds a cached CRL (either previously fetched
or loaded manually) that's still valid it will use that and not fetch
any remote CRLs. Check the log
Hi Marc,
> 1- Do DPD rules apply to individual tunnels? If one tunnel cannot
> communicate with the Gateway but others can, what happens if the DPD timer
> expires in only one of them?
Yes, they apply to each IKE_SA individually.
> 2- When we set DPD action as restart, do we need to terminate the
Hi Dusan,
> Apr 13 18:25:33 06[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
> Apr 13 18:25:33 06[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
> Apr 13 18:25:33 06[IKE] authentication of 'user1' (myself) with EAP
> Apr 13 18:25:33 06[ENC] generating IKE_AUTH request 5 [ AUTH ]
> Apr 13
Hi Guylain,
> -- Trusted certificate
>
>
> By default all trusted certificates are in the same folder. The ca section
> allows us to pick an individual trusted certificate. However, even if
> several ca sections are used, there does not seem to be a way to link
> them to a specific connection. They
Hi Eugene,
> Please indicate where I made a mistake.
The NM plugin currently does not support EAP-TLS. You'd have to add
a config that e.g. uses plain certificate authentication.
Regards,
Tobias
Hi Anthony,
>> 1- Do DPD rules apply to individual tunnels? If one tunnel cannot
>> communicate with the Gateway but others can, what happens if the DPD timer
>> expires in only one of them?
>
> Yes, they apply to each IKE_SA individually.
> A.M. DpdAction=clear, and multiple interfaces, after
Hi Zach,
> Why is the CRL loaded from /etc/ipsec.d/crls/, but not consulted?
It is either not valid or does not apply when verifying the validity of
the peer's certificate. The lookup for cached CRLs is based on the
subjectKeyIdentifier in the issuer certificate - which must match the
Hi Anthony,
> I tried to terminate using “swanctl -t --child sgateway1-gldl”.
>
> But the error returned was it could not find the connection to terminate.
At that point there is no CHILD_SA with that name. Try --ike.
Regards,
Tobias
Hi Gilles,
> charon: 06[KNL] creating rekey job for CHILD_SA ESP/0x/yy.yy.yy.yy
> charon: 08[IKE] queueing CHILD_REKEY task
> ...
> charon: 08[ENC] generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No TSi
> TSr ]
> charon: 08[NET] sending packet: from 192.168.0.230[4500] to
>
Hi Clovis,
> I am looking for any help
> from anyone who can get the right configuration for tcpdump/wireshark to
> generate full bidirectional dump of traffic.
https://wiki.strongswan.org/projects/strongswan/wiki/CorrectTrafficDump
Regards,
Tobias
Hi Yuri,
> After the connection is successfully established, I begin to send data
> using iperf. After about 300 s. data transfer stops. There are next
> records in log files:
The IKE_SA is deleted by the initiator for some reason. Unclear why
from the log, which is also due to several issues
Hi Nimo,
> How can I set the timeout to zero? Or could you please tell me how to
> connect Win-C quickly?
Use a larger pool? Use SQL to set a lower timeout? (While the pool
tool only allows configuration in hours, the timeout is actually stored
in seconds).
Regards,
Tobias
Hi,
> What should I be looking at?
Start with reading [1], which also links to [2].
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
[2]
https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
Hi,
> Is it okay to use one second for the timeout?
Sure. While a lease is actively used by a client the timeout has no
effect. It is only used to reserve an IP address for a specific
identity after it got released, so a client gets the same IP again if it
reconnects within that time frame.
Hi Marcos,
> Config A
> ...
> leftid=MyPublicIPA
> ...
> rightid=MyPublicIPB
> ...
> Config B:
> ...
> leftid=10.0.1.5
> ...
> rightid=MyPublicIPA
> ...
> Jul 13 15:30:06 vpnserver charon: 05[CFG] looking for peer configs
> matching
Hi,
> Is there a way to force TS modification at rekeying time?
No.
Regards,
Tobias
Hi Harald,
> I tried both "auto = start"
You could set charon.retry_initiate_interval, then initiation will be
tried again if the DNS resolution failed.
> and "auto = route".
I pushed a change to the child-sa-rekeying branch that addresses this.
Unless %dynamic is used in the remote traffic
Hi Mike,
> (The problem)
> /var/log/secure
> 2017-07-14T18:13:46.537632+00:00 transit-pvd-tunnel-2 charon:
> pam_console(ipsec:session): getpwnam failed for 192.168.0.149
> 2017-07-14T18:13:46.537793+00:00 transit-pvd-tunnel-2 charon:
> pam_unix(ipsec:session): session closed for user
Hi Nicolas,
> Correct, the brew version of pkg-config was insufficient; using `sudo port
> install pkgconfig` worked
The brew version works fine if you also use libraries installed via
brew, but you have to heed the console output that brew spits out when
it installs libraries (i.e. to use it
>>> - what happens with other IKEv2 implementations?
>>
>> That's the big question and the reason it is disabled by default (well,
>> actually that old strongSwan versions don't support it). It only works
>> if the responder can handle this properly so you have to experiment.
>
> Do you mean that
Hi Emeric,
> To be more specific:
> - what happens exactly if it is enabled only on one side?
It only has an effect on the peer that initiates the reauthentication.
Enabling it on a host that's always responder has no effect at all.
> - what happens with other IKEv2 implementations?
That's the
Hi John,
> and I conclude from this example, that private key stored in TPM is
> loaded to program memory the same way as if it was stored in a file (log
> message: "...charon-systemd[21165]: loaded RSA private key from token").
> Am I correct?
No, that's only the generic log message that you'll
Hi Nicolas,
> And I get the error
>
> ./configure: line 19934: syntax error near unexpected token `soup,'
> ./configure: line 19934: `PKG_CHECK_MODULES(soup, libsoup-2.4)'
Sounds like you were missing pkg-config when you called ./autogen.sh.
The built configure script should not contain the
Hi Emeric,
>>> To be more specific:
>>> - what happens exactly if it is enabled only on one side?
>>
>> It only has an effect on the peer that initiates the reauthentication.
>> Enabling it on a host that's always responder has no effect at all.
>
> What happens on strongSwan>=5.3.0 if the peer
Hi Emeric,
> Two peers try to renegotiate an IKE SA, they both use strongSwan >=5.3.0
> The first peer has the make-before-break authentication enabled
> The second peer does not have the make-before-break authentication enabled
>
> What happens if the first peer initiates first?
What's
Hi Emeric,
> To sum up, for compatibility reason, as soon as there is something other than
> an IP address, we have to activate the
> "i_dont_care_about_security_and_use_aggressive_mode_psk" option?
The charon daemon, since 5.5.2, does a config lookup based on the IP
addresses and then
Hi Mike,
> ikelifetime=6m
> margintime=3m
Not ideal as that, depending on rekeyfuzz and the randomization, could
result in rekeying getting disabled (see the formula on the ExpiryRekey
page).
> If I change reauth=yes to reauth=no
You definitely have to disable reauth to use
Hi Karl,
> What would be the /least /traffic-generating option for its use? In
> other words /exactly what either has to be on the client -- or sent from
> the server -- for that switch to work?/
The least traffic you get if you import the server certificate into the
app and configure
Hi Mike,
> It says "configured DH group CURVE_25519 not supported". But of course it
> does
> not have this error upon initially establishing the IKEv2 SA and all works
> well until
> it is time to rekey.
Very odd. The code path there is the same initially and during the
rekeying. So it
Hi Karl,
> But now, when that certificate is selected, StrongSwan doesn't seem to
> want to *find* the certificate, even though it *does* verify as ok
> against the CA that issued it, and it's in the "certs" directory.
No need to put it there unless you actually reference it explicitly in
Hi Alex,
> Everything works except when I connect to SSWan from multiple Apple
> devices with the same .mobileconfig; each remote client gets the same IP
> address assigned.
>
> Currently sitting with connections from iOS 10 and macOS 10.12, both with
> the same IP address assigned.
>
> I'm guessing it's
Hi Karl,
> Except that I can't install the server's certificate into Android's
> storage (whether from the base "Security" tab or in the StrongSwan
> client); it refuses and says there's no certificate it can import.
If you tried the import option in the CA certificate view of the app and
it
Hi Jamie,
> One other issue - the client is actually a router, and NATed clients behind
> it can’t seem to access the internet, although the client itself can.
> Any thoughts?
What do you mean? Access the Internet via VPN or locally? Perhaps [1]
has some pointers for you.
Regards,
Tobias
Hi Aanand,
> Can this capability be added in the next release?
The problem is that some implementations (including strongSwan with
default settings) might not send a certificate back if they don't
receive a matching certificate request. So disabling them will only
work if the server behaves
Hi Alex,
> Jun 29 13:49:12 06[LIB] executing MySQL statement
> failed: Duplicate entry
> '9-0\x81\x881\x1D0\x1B\x06\x03U\x04\x03\x0C\x14sumvis...@york.ac.' for key
> 'type'
That shouldn't happen as right before that insert there is a query that
should return the identity
Hi Jamie,
> Server is Ubuntu 17, Client LEDE trunk. Authentication happens, but I think
> client and server cannot agree on an algorithm?
They do, but the chosen algorithm (probably AES-GCM) apparently is not
supported by the client's kernel:
> 16[KNL] received netlink error: Function not
Hi Karl,
> BTW is the OCSP check failure due to lack of "curl" support in the
> Android client?
No, it's because the revocation plugin can't build an OCSP request (only
the x509 plugin can do so, but on Android we use the openssl plugin to
parse certificates so that plugin isn't enabled). I
Hi Karl,
> Yes. If the frag-eating monster does not get me BOTH certificates work
> (when sent from the server with the switch turned on.)
OK, I see what the problem is. If no certificate is exchanged the used
certificate does not end up in the remote auth-cfg in a way currently
used when
Hi,
> My problem is that I don't see how to keep the necessary "eap_identity =
> %identity" line in the vici configuration.
Set eap_id to %any in the corresponding remote* section.
Regards,
Tobias
Hi Emeric,
> We noticed that for a tunnel between A and B:
> - if A sets the option to "yes" and B sets the option to "no", A does not
> fragment messages.
> - if A and B set the option to "yes", A does fragment messages respecting the
> fragmentation_size parameter
>
> Do you confirm this
Hi Zach,
> I do wish I could figure out the file:/// problem though.
> /usr/bin/curl has no problem fetching the CRL via the file URI, so I
> don't suspect libcurl is the problem. Besides it's a default Debian
> installation. Debian's libcurl should be pretty typical. Is there a
> way to coax
> That would be something like that:
> - no -> announce support (but do not fragment output packets)
> - yes -> announce support and use it to fragment output packets
>
> What do you think?
You won't be able to completely disable the feature this way. For
example, if the peer supports it but
Hi Emeric,
>>> We would expect A to fragment messages since B can accept them anyway?
>>
>> No, it only will accept fragmented messages if A sends them even if not
>> negotiated. But B will only negotiate fragmentation (and thus enable it
>> if A wants to use it) if the option is set to yes.
>>
Hi Paul,
> I'm afraid I'm struggling with the wiki documentation and would like
> to use the roadwarrior app - however it asks for a username whereas I
> want to use the certificate already installed on the machine (which is
> used for Active Directory integration), what can I do here?
Use the
Hi Dusan,
> default
> nexthop via 90.225.x.x dev vlan845 weight 1
> nexthop via 10.248.x.x dev ppp0 weight 256
> nexthop via 85.24.x.x dev vlan847 weight 1
> nexthop via 46.195.x.x dev ppp1 weight 1
>
> My gateway is configured to use 10.248.0.x as "default
Hi Piyush,
> while the rightID on server would be %any.
If you set `rightcert` this will cause `rightid` to default to the
subject DN of the certificate, which in turn won't match "client". So
either set `rightid=client` or don't set `leftid` on the client so the
client's own identity defaults
Hi Jaehong,
> And if I do udp iperf3 testing on port 4001, from client to server
>
> Somehow all the SAs are up and TCP control packets flow, but not the
> UDP data traffic.
Why should there be TCP control packets if you do UDP testing? At least
iperf doesn't do that. Are you sure you
Hi Aanand,
> Does the Strongswan client for Mac also have this capability?
No, the only overlap between the macOS and the Android client is that
they are both using the IKEv2 implementation provided by libcharon. But
their GUI, architecture and config interface is completely different.
Hi Yuri,
> I changed logging settings as you suggested. Full logs are in attachments.
Thanks. What lifetimes did you configure now? It seems the CHILD_SAs
are rekeyed immediately after they got established (i.e. the settings
you mentioned in your first email can't be in use here).
Anyway, I
Hi Yuri,
> I've used lifetimes from my first mail.
That seems unlikely as the last logs show that the two peers rekey the
CHILD_SAs immediately after they got established. With lifetime=2m and
margintime=20s, and the default rekeyfuzz=100% the rekeyings should
happen randomly between 80 and 100
Hi Jaehong,
> This is the charon.log with debug level 2, when the problem happens.
> At the end of selecting ts for us, it picks tcp_udp_4001 instead of
> selecting icmp_any.
> Is this a bug?
Not really. The tcp_udp_4001 connection allows any protocol, so when
the peer proposes ICMP that's
Hi,
> Is there any way to execute an external script when an IKE SA is created and
> deleted?
The updown script is/was intended to install firewall rules that go with
the IPsec SAs so the script is tied to the lifecycle of CHILD_SAs (but
is not called when CHILD_SAs are rekeyed as the original
Hi Dusan,
> May 11 08:37:04 10[IKE] CHILD_SA azure{5} established with
> SPIs cbf4ad11_i 25a1672e_o and TS 10.1.1.0/26 === 10.0.1.0/24
> May 11 15:44:10 07[IKE] no acceptable proposal found
> May 11 15:44:10 07[IKE] failed to establish CHILD_SA, keeping
> IKE_SA
Hi Stephen,
> On startup, swanctl seems to load and then immediately unload the
> private key associated with the "local" cert:
> 10[CFG] loaded RSA private key
> 10[CFG] unloaded private key with id
> 4d12e9d018870dfc33ddd431233ec05a97498ccc
I was able to reproduce this issue. It
Hi,
> Can I directly read a URL via strongSwan to complete the import?
No, but the next version will allow importing VPN profiles via Storage
Access Framework (on Android versions that support it). So users can
browse to a downloaded file and the MIME-type or filename doesn't matter.
> Can the
Hi Guylain,
> If I understand the documentation correctly it should be possible. Am I
> right?
That mainly depends on two things, the IKE version (it only works for
IKEv2, see [1]) and whether your peer has a matching configuration and
supports multiple traffic selectors per CHILD_SA - it might
Hi Stephen,
> but the local_addrs/remote_addrs/local_ts/remote_ts +
> start_action=trap in swanctl.conf looks like it should get the job done.
You can do the same thing with ipsec.conf.
> I was having trouble
> understanding how to ensure that swanctl.conf was being used and
> ipsec.conf being
Hi Emeric,
>>> - accept: announce IKE frag support, accept IKE fragmented packets
>>> - yes: announce IKE frag support, accept IKE fragmented packets and emit
>>> fragmented packets using the other option to set the max fragment size.
>>
>> That's simple enough to implement. See the
Hi Aanand
> Now,
> if I am using a RADIUS server to do EAP-TLS authentication then the
> client has to additionally validate the RADIUS server (using the RADIUS
> server’s certificate). How should I specify the root certificate for
> RADIUS server cert validation?
As mentioned at [1] the RADIUS
Hi Stella,
> - There is no per-app VPN option. Is it correct?
No, but the next release of the app will support this.
> - There is VPN split tunneling at the IP level. Is it correct?
No, but the next release of the app will support this.
> - What does the following option mean: "block ipv4
Hi Karl,
> StrongSwan never gets this packet. I assume the problem here is the
> length mismatch, but not certain. What is certain is that StrongSwan
> never sees it; no matter how far up I turn the logging I never see any
> evidence of it being logged.
Sounds like an IP fragmentation issue
Hi Aanand,
> When will strongSwan be adding browsing for profile files using SAF?
As I mentioned, with the next release (the code can be found in the
android-updates branch), which is due this or next week.
> Also, how do I specify split tunnel routes? Does the server have to enforce
> that by
> When I choose automatic CA certificate selection, the Strongswan client sends
> the hashes of all the root certs installed on Android (including the ones in
> the "System" store). Is there a way to disable this behavior on the
> Strongswan client so that it doesn’t send all the hashes?
No,
Hi Nathan,
> The output I get is (I get the same log output if I do ipsec start
> instead of executing charon directly):
>
> root@kltetmo:/ # charon
> 00[DMN] Starting IKE charon daemon (strongSwan 5.5.2, Linux 3.4.0, armv7l)
> 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has
> Actually, can someone confirm if allow_swap=no will NOT work in 5.1.2?
If you'd checked `man strongswan.conf` you'd have seen that the option
is not available in that version. Actually, it was added in 5.3.3 [1].
Regards,
Tobias
[1] https://wiki.strongswan.org/versions/58
Hi Simon,
> It would seem MOBIKE tasks are not caused by interface up/down.
> Can you tell what events can trigger activation of a MOBIKE task?
As I already wrote DPDs are also handled by MOBIKE tasks if both peers
support MOBIKE. You could disable MOBIKE in the config if you don't
want to use
Hi Nathan,
> Still no indication on why it fails when I look at the logs.
Probably glob(3) is not available.
Regards,
Tobias
Hi Aanand,
> The link also refers to a file media type. I didn’t do
> anything specific to set the file’s media type. Could that be the reason
> why the import is failing?
Yep, most likely. The next release will allow browsing for profile
files using the SAF.
> How do I set the media type for
Hi Chinmaya,
> I am using the strongSwan VPN client app (as an IKEv2 initiator) in my
> android device. How can I disable NAT feature? Because by default, it
> sends IKE_AUTH request and data traffic in UDP encapsulated packet which
> I do not want.
You can't. The app uses the VpnService API
> There's no option to force retrying in any case.
But there is one to retry if DNS resolution failed
(charon.retry_initiate_interval).
Regards,
Tobias
Hi Justin,
> Is it possible to bring up only an IKE SA (and not any associated child ipsec
> SA)?
No, strongSwan currently doesn't support RFC 6023 [1].
Regards,
Tobias
[1] https://tools.ietf.org/html/rfc6023
Hi,
> I am a bit confused with eap-dynamic, and eap-radius. When we say
> "rightauth=eap-radius", does that mean, it will accept all the EAP
> methods by authenticating with radius?
Pretty much. The eap-radius plugin doesn't really care about specific
EAP methods it just passes EAP messages
Hi Simon,
> 1. Any guesses on how MOBIKE task get stuck and won't timeout? Should
> there be on-going re-tries?
Read the log.
> 2. I think charon is still sending keepalive messages to the peers with
> MOBIKE task active, but no DPD is sent. This behavior seems to create
> the situation that
Hi Emeric,
> Let's sum up the proposal:
> - no: do not announce IKE frag support, drop received IKE fragmented packets
While we could do that, at least for IKEv1 it is not really possible
(due to the `force` case - we handle the initial messages before we know
what was configured). And I'm not
Hi Harri,
> What is the exact meaning of these fancy strings like "07[NET]",
> "26[ENC]" etc. in the logfile? They seem to be related to
> charondebug, but are they? What does the number tell me? Some
> kind of "context id"?
See [1] for the log subsystems. The number is the internal ID of the
Hi Marcos,
> I set up two connections with ipsec and now I was checking how to use
> systemd with ipsec. Now I'm using the package charon-systemd
>
> https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd
>
> but it does not accept the ipsec.conf file. I can't find examples about the changes to
> do to
Hi Rajiv,
> I have used the
Hi Jon,
> charondebug="ike 1, knl 1, cfg 0"
Why did you set the log level for cfg to 0? That's where you'd see why
this error occurs.
Regards,
Tobias
Hi Ric,
> I managed to find the bug; the wrong truncation still exists in the latest
> 4.4 kernel:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/tree/
> net/xfrm/xfrm_algo.c?h=v4.4.87
That's only because you are using the kernel-pfkey plugin on Linux,
which you should
Hi Alex,
> In my strongswan build, how do I tell NM to use eap-mschapv2?
>
> At the moment, by default its using eap-md5
The server selects the EAP method. The only option the client has is
returning an EAP-Nak with the methods it supports/prefers. strongSwan
does so if the requested method
Hi Nimo,
> I don't want to use "ipsec restart" because other IPsec sessions are
> disconnected.
> How can I enable the revocation without disconnecting others'
> IPsec sessions?
You used the same crlNumber for your second CRL. So it didn't replace
the CRL that you loaded before (this is
Hi Gyula,
> First, without --disable-curve25519, which means that the plugin is
> enabled (https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf).
> After that, I added --disable-curve25519 to ./configure options.
Also note that you might need to run `make clean` first after you
changed