Re: [strongSwan] UNITY_SAVE_PASSWD not honoured?

2016-07-14 Thread Tobias Brunner
Hi Tom, > I am successfully sending UNITY_* attrs to IKEv1 clients which support > it, but the UNITY_SAVE_PASSWD option does not seem to be accepted > correctly, it simply doesn't allow the client to save their password. This has been discussed previously [1]. Basically the attr plugin only supp

Re: [strongSwan] Same config for strongSwan, different outcome between Android and iOS

2016-07-15 Thread Tobias Brunner
Hi Laurens, >> The latter is of course because it does not send any certificate >> requests, whereas 156 of them are sent by the Android app (each a 20 >> byte SHA-1 hash). As I mentioned before, you can avoid that by >> selecting your CA certificate in the VPN profile in the app. This >> should

Re: [strongSwan] AUTH FAIL but I cannot figure out the reason

2016-07-15 Thread Tobias Brunner
Hi Ariwa, > I see the log, but I cannot figure out the dubious point. > Is there someone who has any hint for it? The log is pretty clear: > Thu Jul 14 21:51:35 2016 daemon.info syslog: 03 [CFG] looking for > peer configs matching 192.168.1.32[openwrt5server]...192.168.1.156[C=JP, > L=Tokyo, O=Dr

Re: [strongSwan] Setup site-to-site VPN via central server

2016-07-15 Thread Tobias Brunner
Hi Martin, > Should I document this setup somewhere on the Wiki? I've added some documentation [1]. As mentioned there, the hub-and-spoke setup is also demonstrated in an example scenario [2]. Even though its configuration is based on swanctl.conf the concept is the same when setting it up via i

Re: [strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi

2016-07-18 Thread Tobias Brunner
Hi Christian, > 16[CFG] looking for peer configs matching > 192.168.1.29[%any]...80.12.51.163[alice] > 16[CFG] selected peer config 'BB10' > 16[IKE] peer requested EAP, config inacceptable > 16[CFG] no alternative config found Sounds like the authentication settings of your config are wrong. Do

Re: [strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi

2016-07-18 Thread Tobias Brunner
Hi Christian, > As highlighted in the same topic : rightauth=eap-mschapv2 (See below) Your log indicates otherwise, though. Check `ipsec statusall` for the correct authentication method for the BB10 connection, or increase the log level for cfg to 2 to see details when the config is loaded. > P

Re: [strongSwan] using 500/tcp

2016-07-18 Thread Tobias Brunner
Hi Harald, > Problem: The mtu of this tunnel is less than 1500. On the > first run IKEv2 on my Mac fails with icmp6 "Packet Too Big". > Since the protocol is udp there is no packet to fragment and > resend, which means a 10 seconds delay until a higher network > layer wakes up and tries to authent

Re: [strongSwan] Initiator only for certain connections?

2016-07-18 Thread Tobias Brunner
Hi, > is it possible to tell StrongSwan that it should act as initiator only, but > only for certain connections auto=add? strongSwan does not initiate such connections unless explicitly told to do so (via `ipsec up`). > or as responder only, but again only for certain connections? right=%any

Re: [strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi

2016-07-19 Thread Tobias Brunner
Hi Christian, > Below the result I got by activating the loglevel "cfg 2" You set it via stroke, which is a bit late as some of the interesting bits would have been the messages after "received stroke: add connection 'BB10'", which list the settings of the loaded config. Either set the log level

Re: [strongSwan] Setup site-to-site VPN via central server

2016-07-19 Thread Tobias Brunner
Hi Martin, >> I've added some documentation [1]. > I read through the hub-and-spoke setup on the internet. Is my setup > actually a hub-and-spoke type? I connect from the gateways directly to > the internet and only the traffic to 192.68.0.0/16 is routed through > VPN. What traffic you tunnel do

Re: [strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi

2016-07-19 Thread Tobias Brunner
Hi Christian, > Nevertheless, by removing: `eap_identity` I got the same result. You might need it, but that depends on the client. > On basis, I wanted to use StrongSwan as simple as possible without > certificates CA. That probably won't work as authenticating clients with EAP requires authen

Re: [strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi

2016-07-20 Thread Tobias Brunner
Hi Christian, > Configuration on my BB10. > Profile Name : home > Server Address : 78.229.20.105 > Gateway Type : Generic IKEv2 VPN Server > Authentication Type : EAP-MSCHAPv2 > Authentication ID Type : email > ID Authentication: alice(n

Re: [strongSwan] ipsec update restarting affected tunnels

2016-07-20 Thread Tobias Brunner
Hi Stig, > I've recently upgraded our strongswan from 4.5.2 to 5.2.2 and one of the > differences I noticed is with the older version I could regenerate > /etc/ipsec.conf and then do "ipsec rereadall" followed by "ipsec update" > and any tunnels that were affected would restart. Really? I don't

Re: [strongSwan] Setup site-to-site VPN via central server

2016-07-20 Thread Tobias Brunner
Hi Martin, >> The diagrams show four hosts as I thought that illustrates the >> difference between the two approaches a bit better > > Maybe I am not the best reference since I started with strongSwan only 2 > weeks ago, but it is quite hard to understand why there is only A-C > mentioned although

Re: [strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi

2016-07-20 Thread Tobias Brunner
Hi Christian, > Jul 20 13:26:26 raspberrypi charon: 13[IKE] EAP-MS-CHAPv2 verification > failed, retry (1) You might want to double and triple check that you configured the password exactly the same on both sides. Regards, Tobias ___ Users mailing lis

Re: [strongSwan] using 500/tcp

2016-07-20 Thread Tobias Brunner
Hi Harald, As you noticed the IKE_AUTH packet is the one that's problematic. But since Mac OS X supports IKEv2 fragmentation > Notify (IKEv2 Fragmentation Supported) Payload: > No Data there is really no reason not to enable it (unless you use an old strongSwan version that does

Re: [strongSwan] using 500/tcp

2016-07-21 Thread Tobias Brunner
Hi Harald, > AFAIU defragmentation is enabled in strongswan for incoming packages, > anyway. That's basically for IKEv1 where the first message may already be fragmented and for misbehaving peers that send fragmented packets even if it wasn't enabled explicitly. It does not mean that the notify

Re: [strongSwan] Charon constantly crashing/restarting

2016-07-21 Thread Tobias Brunner
Hi Austin, > Have I missed anything obvious? You might be mixing executables/libraries/plugins from different releases. The involvement of libipsec.so.0 is also suspect. Regards, Tobias

Re: [strongSwan] using 500/tcp

2016-07-22 Thread Tobias Brunner
Hi Harald, >>> AFAIU defragmentation is enabled in strongswan for incoming packages, >>> anyway. >> >> That's basically for IKEv1 where the first message may already be >> fragmented and for misbehaving peers that send fragmented packets even >> if it wasn't enabled explicitly. It does not mean t

Re: [strongSwan] OCSP and CRL problem

2016-07-27 Thread Tobias Brunner
Hi, > The serial number of the certificate and the serial number in the OCSP > request is different. It looks like a bug to me. Is there _any_ certificate in your PKI with the serial number that was requested? Perhaps one that has the same identity as this one? Or is this perhaps the verificati

Re: [strongSwan] log

2016-07-28 Thread Tobias Brunner
Hi Richard, > Jul 28 03:24:58 vpn2 charon: 16[NET] received packet: from [..] > > Jul 28 03:24:58 vpn2 charon: 02[ENC] parsed INFORMATIONAL_V1 [..] > > These 16 and 02, what do they stand for? The numeric identifier of the thread that logged the message. Regards, Tobias

Re: [strongSwan] log

2016-07-28 Thread Tobias Brunner
Hi Richard, > The {1} {2} {3} and {4} indicate the tunnels defined in ipsec.conf. These are the unique sequential identifiers of the CHILD_SAs. > How do I know which tunnel is logging e.g. the following line?: > > Jul 28 11:27:18 vpn2 charon: 13[IKE] retransmit 1 of request with > message ID 0
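The two replies above explain the pieces of a charon log line: the leading number is the worker thread that logged it, the bracketed tag is the log group, and identifiers of the form name[n] and name{n} are the unique IKE_SA and CHILD_SA numbers. The following parser, added here as an example and not code from strongSwan or from the thread, pulls those fields out of sample lines constructed in the same format and groups them, so you can follow one tunnel through an interleaved log. It assumes the optional `<conn|id>` prefix that charon emits when `ike_name = yes` is set for the syslog or filelog target in strongswan.conf; lines without a prefix or an explicit IKE_SA token cannot be attributed to a tunnel and are grouped under `None`.

```python
"""Parse charon log lines and group them by thread and by IKE_SA / CHILD_SA identifier."""
import re
from collections import defaultdict

# Constructed sample in the format quoted in the thread; the third line carries the
# optional <conn|id> prefix produced by ike_name = yes (assumption about the setup).
SAMPLE_LOG = """\
Jul 28 03:24:58 vpn2 charon: 16[NET] received packet: from 203.0.113.5[500] to 198.51.100.7[500] (92 bytes)
Jul 28 03:24:58 vpn2 charon: 02[ENC] parsed INFORMATIONAL_V1 request 3221496499 [ HASH N(DPD) ]
Jul 28 11:27:18 vpn2 charon: 13[IKE] <site-a|7> retransmit 1 of request with message ID 0
Jul 28 11:27:20 vpn2 charon: 05[IKE] IKE_SA site-a[7] established between 198.51.100.7[gw]...203.0.113.5[peer]
Jul 28 11:27:20 vpn2 charon: 05[CHD] CHILD_SA site-a{3} established with SPIs c1a2b3c4_i d5e6f7a8_o and TS 10.0.1.0/24 === 10.0.2.0/24
Jul 28 11:27:20 vpn2 charon: 05[CHD] CHILD_SA site-b{4} established with SPIs 0a0b0c0d_i 1a1b1c1d_o and TS 10.0.1.0/24 === 10.0.3.0/24
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "        # worker thread id and log group (NET, ENC, IKE, ...)
    r"(?:<(?P<conn>[^|>]+)\|(?P<ike_id>\d+)> )?"    # optional ike_name prefix
    r"(?P<msg>.*)$"
)
# Explicit tokens only: a bare name[n] would also match address[port] pairs like 203.0.113.5[500]
IKE_SA_RE = re.compile(r"IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\]")
CHILD_SA_RE = re.compile(r"CHILD_SA (?P<conn>\S+)\{(?P<id>\d+)\}")


def parse_line(line):
    """Return a dict with thread, group, message and any IKE_SA/CHILD_SA identifier, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = {
        "ts": m["ts"], "host": m["host"], "thread": int(m["thread"]),
        "group": m["group"], "msg": m["msg"], "ike_sa": None, "child_sa": None,
    }
    if m["conn"]:
        entry["ike_sa"] = (m["conn"], int(m["ike_id"]))
    ike = IKE_SA_RE.search(m["msg"])
    if ike:
        entry["ike_sa"] = (ike["conn"], int(ike["id"]))
    child = CHILD_SA_RE.search(m["msg"])
    if child:
        entry["child_sa"] = (child["conn"], int(child["id"]))
    return entry


def parse_log(text):
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def group_by_thread(entries):
    """Map thread id -> messages, i.e. what the leading number in each line refers to."""
    out = defaultdict(list)
    for e in entries:
        out[e["thread"]].append(e["msg"])
    return dict(out)


def group_by_ike_sa(entries):
    """Map (conn, ike_id) -> messages; lines that carry no identifier land under None."""
    out = defaultdict(list)
    for e in entries:
        out[e["ike_sa"]].append(e["msg"])
    return dict(out)


def child_sa_ids(entries):
    """Sorted (conn, n) pairs for every {n} token seen, i.e. the unique CHILD_SA numbers."""
    return sorted({e["child_sa"] for e in entries if e["child_sa"]})


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for key, msgs in group_by_ike_sa(entries).items():
        print(key, len(msgs))
    print(child_sa_ids(entries))
```

Without the `ike_name` prefix, a line such as the retransmit message in the question carries no identifier at all, which is why the parser keeps a `None` bucket rather than guessing.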

Re: [strongSwan] VTI's as initiator?

2016-07-28 Thread Tobias Brunner
Hi Ryan, > I had to remove the "key" piece of the "ip link add" command, as the > PLUTO_MARK_OUT and > PLUTO_MARK_IN variables (which get set when responder) are not set. > What am I missing? You answered that question yourself. Regards, Tobias

Re: [strongSwan] VTI's as initiator?

2016-07-28 Thread Tobias Brunner
Hi Ryan, > When acting as a responder, I didn’t have to do this, strongSwan seems to > choose a mark value for me. Not unless you configured `mark=%unique`. > Anything else I should check? Yes, the traffic selectors. As I wrote on [1] the traffic you route into a VTI device has to match the n

Re: [strongSwan] [Strongswan-5.3.0] - Ikev2 fragmentation Question

2016-07-29 Thread Tobias Brunner
Hi Sriram, > But the concern is fragment size, though it is set as 1200, > fragment_size of 576 is seen in the wireshark. I'm assuming for packets sent by the gateway. The fragment size is not negotiated, so the gateway might just default to the minimum datagram size a host must be able to accep

Re: [strongSwan] [Strongswan-5.3.0] - Ikev2 fragmentation Question

2016-07-29 Thread Tobias Brunner
Hi Sriram, > So I think, since the strongswan file is not proper, charon would have > defaulted to 576. Please clarify. Yes, if the file is invalid it gets rejected completely and no options in it will get applied. You should have seen an error message like "invalid config file '...'" in the log

Re: [strongSwan] Setup site-to-site VPN via central server

2016-07-29 Thread Tobias Brunner
Hi Martin, > I am a bit lost here. Is this a routing or an iptables issue and how can > I make sure the vpn-second connection is working if I resolve the issues > (how do I test the tunnel from vpn-second network back to vpn-second)? Could be any number of things. You should check the traffic

Re: [strongSwan] ID parsing

2016-08-15 Thread Tobias Brunner
Hi Emeric, > I guess the following configuration: > > ... > rightid=%a...@any.com > ... > > in ipsec.conf is parsed as an email address equal to "%a...@any.com" and not > as "a...@any.com" + no IDr sending ? > > > Am I correct? No. The % character is parsed by the stroke plugin before the i

Re: [strongSwan] Undefined reference to OpenSSL function during SS 5.5.0 building !

2016-08-17 Thread Tobias Brunner
Hi, > ../../src/libstrongswan/.libs/libstrongswan.so: undefined reference to > `X509_get0_signature' > How to resolve this? According to the OpenSSL docs [1] this function was added with OpenSSL 1.0.2 (it is defined in crypto/asn1/x_x509.c). Only if the OpenSSL headers indicate a version low

Re: [strongSwan] unable to install policy ... the same policy for reqid XXX exists

2016-08-18 Thread Tobias Brunner
Hi Andreas, Thanks for the detailed report. I was able to reproduce the issue. The problem is caused by the FWD policies in the outbound direction that are installed since 5.5.0. Or rather an incomplete update of the cached data when adding/removing policies to/from the kernel and a peculiarity

Re: [strongSwan] Broken CHILD_SA following IKE_SA re-auth with FortiGate remote

2016-08-22 Thread Tobias Brunner
Hi Tore, > - Is the strongSwan behaving correctly when it is also deleting the ESP > CHILD_SA when receiving the DELETE IKE_SA from the FortiGate, instead > of "moving" it to the other active IKE_SA as it appears the FortiGate > has done? RFC4306, section 2.4 says the following: > > «Clos

Re: [strongSwan] 02[KNL] error installing route with policy after upgrading strongswan 5.1.3->5.3.5

2016-08-23 Thread Tobias Brunner
Hi Marc, > after upgrading from Ubuntu 14.04 to 16.04 I ran into the problem that seems > to be related to bug 824 (https://wiki.strongswan.org/issues/824). Doesn't look like it's related as you only have one interface and the route installation fails. Since you are using the kernel-libipsec plu

Re: [strongSwan] %any picks IPv6 link-local address

2016-08-23 Thread Tobias Brunner
Hi David, > Then strongSwan will try to initiate a connection using the link-local > address of the pppoe-wan interface (which fails), presumably because it > is the device used for outgoing IPv6 traffic. But pppoe-wan doesn't have > a global IPv6 address assigned. Yes, the found route gives us t

Re: [strongSwan] ipsec

2016-08-25 Thread Tobias Brunner
Hi John, > What am I missing? That the Red Hat/Fedora package maintainers renamed the script to `strongswan`, as mentioned on [1]. The config files are also located in a subdirectory in /etc. Regards, Tobias [1] https://wiki.strongswan.org/projects/strongswan/wiki/ipseccommand

Re: [strongSwan] Broken CHILD_SA following IKE_SA re-auth with FortiGate remote

2016-08-29 Thread Tobias Brunner
Hi Tore, > That said, it seems to me that even if we're talking specifically about > reauthentications, strongSwan's default "break before make" > behaviour still violates the standard: > >Reauthentication is done by creating a new IKE SA from scratch (using >IKE_SA_INIT/IKE_AUTH exchange

Re: [strongSwan] Broken CHILD_SA following IKE_SA re-auth with FortiGate remote

2016-08-29 Thread Tobias Brunner
Hi Tore, > There was one thing you mentioned above that gave me some pause though: > > «some heuristics might have to be used to avoid destroying the old SAs > as duplicates» > > Could you elaborate on how this might be a problem? > > If I understand correctly: if make-before-break reauth is be

Re: [strongSwan] How to define multiple proposals in IKEv1

2016-08-29 Thread Tobias Brunner
Hi Steve, > Question 1) Can I define multiple proposals for 'ike' and adding '!' to > restrict Strongswan to accept the defined proposals only? Since the > initiator is not fixed, local Strongswan can be the responder or > initiator depends on different scenario. Yes, adding ! in ipsec.conf will

Re: [strongSwan] Broken CHILD_SA following IKE_SA re-auth with FortiGate remote

2016-08-30 Thread Tobias Brunner
Hi Tore, > I was under the impression that enabling "charon.make_before_break" > would only alter how strongSwan behaves when it is the party initiating > the re-authentication procedure. Correct. > In the initiator case, I wouldn't have > thought there was any need for such heuristics and assum

Re: [strongSwan] How to define multiple proposals in IKEv1

2016-08-30 Thread Tobias Brunner
Hi Steve, > About Q1, for example, remote peer only accept *3des-sha1-modp1024*, and > local Strongswan using the following "ike" config. > > a) ike=aes256-sha1-modp1024,*3des-sha1-modp1024*,aes128-sha2_256-modp1024 > b) ike=aes256-sha1-modp1024,*3des-sha1-modp1024*,aes128-sha2_256-modp1024! > >

Re: [strongSwan] Replay window upper limit

2016-08-31 Thread Tobias Brunner
Hi Kapil, > What is the upper limit on replay window size ? i didn't find any > documentation on upper limit. is it dependent on Hardware, if so how to > find the limit There is no hard limit. But since storing the window requires a certain amount of memory per SA there is definitely some upper

Re: [strongSwan] StrongSwan Android and PureVPN

2016-09-05 Thread Tobias Brunner
Hi Robbie, You have to configure the identity the server is using in the profile explicitly, i.e. the subject DN of the server's certificate: > OU=Domain Control Validated, OU=PositiveSSL Multi-Domain, CN=PointtoServer.com Regards, Tobias

Re: [strongSwan] Ikev2 rekeying failure on EC2 site2site tunnel

2016-09-07 Thread Tobias Brunner
Hi Isaac, > Sep 6 17:12:17 ec2vsswp01 charon: 09[IKE] unable to reauthenticate > IKE_SA, no CHILD_SA to recreate Check the log for information why there is no CHILD_SA. Maybe it was deleted by the other peer (e.g. due to inactivity). You might want to consider using `auto=route` and reading [1

Re: [strongSwan] Separate devices connecting with same user-based credentials (Virtual IP)

2016-09-09 Thread Tobias Brunner
Hi Luke, > With the above setup, multiple devices are able to connect with ease, > however they all devices with the same user authentication credentials > receive the same Virtual IP from strongswan. What strongSwan version do you use? Regards, Tobias

Re: [strongSwan] Separate devices connecting with same user-based credentials (Virtual IP)

2016-09-09 Thread Tobias Brunner
Hi Luke, Have you set `uniqueids=never` [1]? Otherwise, any existing SA with the same client ID is terminated and the virtual IP gets released and reassigned on the new SA. Regards, Tobias [1] https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection

Re: [strongSwan] Use strongswan for Ike only

2016-09-19 Thread Tobias Brunner
Hi Shreyas, > Is there a way to use strongswan for IKE only without using the linux > IPsec stacks ? I want to export the SAs that get negotiated through > IKE and use my hardware IPsec stack for IPsec implementation. Is that > possible? Also, some pointers to such would be very helpful. Yes, see

Re: [strongSwan] Issue establishing a connection with strongswan

2016-09-19 Thread Tobias Brunner
Hi Joe, > Sep 16 17:42:13 vmi82861 charon: 05[ENC] invalid ID_V1 payload length, > decryption failed? > Sep 16 17:42:13 vmi82861 charon: 05[ENC] could not decrypt payloads > Sep 16 17:42:13 vmi82861 charon: 05[IKE] message parsing failed Looks like a mismatching PSK [1]. Regards, Tobias [1] ht

Re: [strongSwan] Phase 2 ESP Failing between StrongSWAN 5.3.5 and Cisco VPN 3000

2016-09-19 Thread Tobias Brunner
Hi Mahesh, > It seems that phase 1 IKE is working but not phase 2 ESP. I've tried > different settings for ike= to no avail. Config and brief log below and > extended log attached. You should check the responder's log. It seems to immediately delete the IKE_SA after receiving the Quick Mode req

Re: [strongSwan] Issue establishing a connection with strongswan

2016-09-19 Thread Tobias Brunner
Hi Joe, > I was under the impression that strongswan was using the mysql DB to obtain > the PSK for Cisco IPsec connections but it seems that I was wrong. > Would you happen to know if that is possible ? Yes, that should be possible. You'll find several examples using PSKs at [1]. However, th

Re: [strongSwan] Crash strongSwan

2016-09-20 Thread Tobias Brunner
Hi Fabrice, > When revocation plugin is disabled, it's OK. This didn't seem to be a problem previously, where you complained about CRLs not getting saved on 16.04 - which I can't reproduce, by the way - but the revocation plugin seemed to have worked fine on both 14.04 and 16.04. So what changed?

Re: [strongSwan] Android identity

2016-09-20 Thread Tobias Brunner
Hi Mihaly, > But anyway I set up left/rightid on the server side, I always get "no > matching peer config found". > > How is Android "Server identity" matched on server side? Exactly as you'd suspect I guess, it's matched against the local identity on the server (presumably leftid). Check the

Re: [strongSwan] Android identity

2016-09-20 Thread Tobias Brunner
Hi Mihaly, > Does it assigned and missing from the log, or this is not implemented yet? If valid DNS servers are received (check for corresponding configuration attributes in the IKE_AUTH message) they are added to the VpnService.Builder instance used to create the TUN device. There is just no m

Re: [strongSwan] Android identity

2016-09-20 Thread Tobias Brunner
Hi Mihaly, > So I guess need to put altName in the cert if I want to use same cert > for multiple peers configs. You'd have to do that anyway as the client wouldn't accept the certificate otherwise. Regards, Tobias

Re: [strongSwan] Crash strongSwan

2016-09-20 Thread Tobias Brunner
Hi Fabrice, > Yes, revocation plugin works fine on 14.04, but crashes are sometimes > once a day and othertimes several times a minute. > It seems to be at strongswan start (not each time) and at IKE_SA > reauthentication (not each time). Considering that, the version you are using (5.1.2) and t

Re: [strongSwan] Crash strongSwan

2016-09-21 Thread Tobias Brunner
Hi Fabrice, > Now, just one test is failed : > Running case 'include/load_files[_section]': ++- > Failure in 'test_load_files_section': > !settings->load_files_section(settings, include1".no", TRUE, "") > (suites/test_settings.c:650, i = 0) > > Have you an idea why it fails ? That happens

Re: [strongSwan] EAP-GTC with macOS app

2016-09-26 Thread Tobias Brunner
Hi Laurens, > Is it possible to use EAP-GTC with the StrongSwan macOS app? Yes, the plugin is enabled. But it is not included in the default plugin list that's used by charon-xpc (which is hard-coded for some reason [1]). You could try setting `charon-xpc.load` in /usr/local/etc/strongswan.conf

Re: [strongSwan] EAP-GTC with macOS app

2016-09-27 Thread Tobias Brunner
> I do not seem to have a /usr/local/etc/strongswan.conf file. Can I just > create it? Yes. Regards, Tobias

Re: [strongSwan] eap-gtc

2016-09-27 Thread Tobias Brunner
Hi Slava, > I am trying configure ikev2 for iOS devices with eap-gtc. iOS does not support EAP-GTC: > Sep 26 14:33:19 11[IKE] initiating EAP_GTC method (id 0x7D) > ... > Sep 26 14:33:19 16[IKE] received EAP_NAK, sending EAP_FAILURE Regards, Tobias

Re: [strongSwan] IKEv1 XAuth EAP Plugin

2016-09-28 Thread Tobias Brunner
Hi Brian, > Fred : EAP "1234567" > > fred : XAUTH "deadbeef1234567" > > Please note the different capitalisation of the letter f for the two > different > usernames. Matching these identities is not case sensitive (simple names are parsed as FQDN). So both secrets can be used by both of

Re: [strongSwan] Question about charon.interfaces_ignore/charon.interfaces_use

2016-09-28 Thread Tobias Brunner
Hi Michael, > I'm trying to configure StrongSwan on a Linux platform that has three > interfaces (for simplicity, I'll call them a, b, and c). I only want to > do IPsec on interface a and I want interfaces b and c to be unaffected. > In the strongswan.conf file I added the line interfaces_ignore =

Re: [strongSwan] Strongswan MOBIKE support

2016-09-29 Thread Tobias Brunner
Hi Amit, > Here I expect client to send UPDATE_SA_ADDRESS notification for new IP > address 85.1.96.159 before actually start using this new IP address. > However, client start sending DPD messages using new IP > to which CISCO GW is not responding (As GW is not aware of new IP > address) And why

Re: [strongSwan] $PLUTO_HOST_ACCESS variable

2016-10-03 Thread Tobias Brunner
Hi Mihály, > Where from is getting its value? lefthostaccess=yes Regards, Tobias

Re: [strongSwan] Asymmetric PSK auth support for IKEv2 tunnel between Cisco-IOS Router and Strongswan

2016-10-04 Thread Tobias Brunner
Hi Rajiv, > Is this supported in Strongswan? No. strongSwan will just use the best matching PSK as determined by matching their associated identities against the identities of the IKE_SA (PSKs that match the remote identity better are preferred, if both match it equally well, the one matching th
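The reply above and the earlier one on IKEv1 XAuth/EAP secrets ("Matching these identities is not case sensitive (simple names are parsed as FQDN)") describe the same lookup: a shared secret is chosen by how well its identity selectors match the identities of the IKE_SA, not by direction. The following model, added here as an example rather than strongSwan's own code, implements that selection over a constructed set of ipsec.secrets-style entries, including the Fred/fred pair from the XAuth thread. The match levels are illustrative (strongSwan uses a finer id_match_t scale, only the ordering matters), and the tie-break on the local identity is an assumption about how the cut-off sentence ends. It also shows why an asymmetric PSK cannot be expressed: swapping local and remote identity selects the same entry.

```python
"""Pick the best-matching shared secret for an IKE_SA as the replies describe."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Identity:
    kind: str          # "any", "ipv4", "email" or "fqdn"
    value: str = ""


def parse_id(text):
    """Parse an ipsec.secrets selector: %any, an IPv4 address, user@host, or a simple name (FQDN)."""
    if text == "%any":
        return Identity("any")
    try:
        return Identity("ipv4", str(ipaddress.IPv4Address(text)))
    except ValueError:
        pass
    # FQDN and e-mail identities compare case-insensitively, so "Fred" and "fred" are one ID
    return Identity("email" if "@" in text else "fqdn", text.lower())


# Illustrative match levels; only their order matters for the selection below
NO_MATCH, ANY_MATCH, EXACT_MATCH = 0, 1, 2


def match(owner, subject):
    if owner.kind == "any":
        return ANY_MATCH
    return EXACT_MATCH if owner == subject else NO_MATCH


@dataclass(frozen=True)
class SharedKey:
    key_type: str   # "PSK", "EAP" or "XAUTH", as in ipsec.secrets
    secret: str
    owners: tuple   # selectors before the colon; an empty tuple means "%any"


def best_shared_key(keys, wanted_type, me, other):
    """Among keys of the wanted type that match either identity, prefer the best match for
    the remote identity and, on a tie, the best match for the local one (the tie-break is
    an assumption about the truncated reply). Returns None if nothing matches."""
    best, best_rank = None, (NO_MATCH, NO_MATCH)
    for key in keys:
        if key.key_type != wanted_type:
            continue
        owners = key.owners or (Identity("any"),)
        m_other = max(match(o, other) for o in owners)
        m_me = max(match(o, me) for o in owners)
        if m_other == NO_MATCH and m_me == NO_MATCH:
            continue
        if (m_other, m_me) > best_rank:
            best, best_rank = key, (m_other, m_me)
    return best


# Constructed secrets, not taken from any config in the thread
SECRETS = [
    SharedKey("PSK", "anyone", ()),                                                  # : PSK "anyone"
    SharedKey("PSK", "site", (parse_id("gw.example.com"), parse_id("peer.example.com"))),
    SharedKey("EAP", "1234567", (parse_id("Fred"),)),                                # Fred : EAP "1234567"
    SharedKey("XAUTH", "deadbeef1234567", (parse_id("fred"),)),                      # fred : XAUTH "deadbeef1234567"
]

GW, PEER = parse_id("gw.example.com"), parse_id("peer.example.com")


if __name__ == "__main__":
    print(best_shared_key(SECRETS, "PSK", GW, PEER).secret)          # site
    print(best_shared_key(SECRETS, "PSK", PEER, GW).secret)          # site again: no direction
    print(best_shared_key(SECRETS, "XAUTH", GW, parse_id("Fred")).secret)
```

The second PSK lookup is the asymmetric case from the question: with the roles swapped the same entry wins, because selectors form a set of identities and the daemon has no notion of which side a secret belongs to.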

Re: [strongSwan] [strongSwan-dev] need for openssl plugin use case

2016-10-05 Thread Tobias Brunner
Hi, > But in the strongswan-master code repo, i see no reference to open-ssl > plugin . > > eg. openssl_crypter_create function in openssl_crypter.c That's the whole point of our plugin system. All this is hidden from the users in other components, they just create a crypter of a specific type

Re: [strongSwan] %any picks IPv6 link-local address

2016-10-07 Thread Tobias Brunner
Hi David, >>> So, the question is if it'd be possible to take the "from 2001:/56" >>> part of the default route into consideration when selecting the source >>> IPv6 address? >> >> I pushed a quick patch to the kernel-netlink-rta-src branch [1]. > > I've finally gotten around to cross-compile

Re: [strongSwan] Strongswan is proposing only PFS enabled proposals as part of quick mode

2016-10-07 Thread Tobias Brunner
Hi Sridhar, > We have configured two proposals one with PFS enabled and another with > PFS disabled. With this configuration, strongswan is sharing only one > PFS enabled proposal to peer in quick mode. > ... > With the above configuration, strongswan is sending only one proposal > "*/aes128-md5-m

Re: [strongSwan] StrongSwan not responding to DPD messages when modeconfig=push.

2016-10-21 Thread Tobias Brunner
Hi, > Sep 24 12:58:15 router6654A1 charon: 16[ENC] parsed TRANSACTION > request 3221496499 [ HASH CPRQ(U_SPLITINC U_LOCALLAN U_BANNER > U_SAVEPWD U_NATTPORT VER U_FWTYPE) ] Your client seems to send a Mode Config request after strongSwan already pushed config options. strongSwan can't handle tha

Re: [strongSwan] Local bind9 DNS server fails when connected to remote gateway

2016-10-24 Thread Tobias Brunner
Hi Maerkis, > This works fine, until I connect the tunnel, at which point I can see the > clients sending requests to bob, and bind9 logs show it doing the queries, > but the response never appears in wireshark and the client hangs. Queries > originating from bob still work however. Since bob

Re: [strongSwan] ipsec routes removed when interface down and not reinstated

2016-10-31 Thread Tobias Brunner
Hi Alex, > All is working. I then unplug my network cable, wait a few seconds, and > plug it back in. Now table 220 is empty. The tunnel still says it's > connected, and I suppose it is - but because the route isn't there any > more, I get no traffic over the VPN. You should check the log with th

Re: [strongSwan] StrongSwan not responding to DPD messages when modeconfig=push.

2016-10-31 Thread Tobias Brunner
Hi, > 1. Why does strongswan wait for the response in spite of assigning > the IP requested by client ? You configured `modeconfig=push`, so strongSwan pushed config attributes to the client and waits for a response. If that's not what the client expects change the config to `modeconfig=pull

Re: [strongSwan] ipsec routes removed when interface down and not reinstated

2016-10-31 Thread Tobias Brunner
Hi Alex, > But when there's no immediate path, e.g. if the only network adapter has > a cable unplugged or if switching WiFi networks takes too long, the > route is deleted and when an interface comes back up, it isn't re-added. The latter should be the case if an interface that was down is activ

Re: [strongSwan] Typo in documentation?

2016-11-02 Thread Tobias Brunner
> Is %any[6] just a typo (maybe copied from a different document that had > footnotes?) or is this something to do with IPv6? It means that you can optionally add the suffix 6 to %any (i.e. %any6) to get ::. %any4 does also exist and equals 0.0.0.0, while %any in some contexts is treated speciall

Re: [strongSwan] Typo in documentation?

2016-11-02 Thread Tobias Brunner
>> Is %any[6] just a typo (maybe copied from a different document that had >> footnotes?) or is this something to do with IPv6? > > It means that you can optionally add the suffix 6 to %any (i.e. %any6) > to get ::. %any4 does also exist and equals 0.0.0.0, while %any in some > contexts is treate

Re: [strongSwan] AH Transport AES-128 GMAC

2016-11-07 Thread Tobias Brunner
Hi Gyula, > Anybody have an idea what could be wrong? That's due to a recently fixed bug that mapped the aes*gmac keywords incorrectly for AH proposals. You may either update to 5.5.1, which includes the fix, or try to apply the patch at [1] (won't apply cleanly to any older version as it is bas

Re: [strongSwan] AH Transport AES-128 GMAC

2016-11-07 Thread Tobias Brunner
Hi Gyula, > Thank you for the idea, but I'm using version 5.5.1 (see below). I see. The other end might not, though. Regards, Tobias

Re: [strongSwan] AH Transport AES-128 GMAC

2016-11-10 Thread Tobias Brunner
Hi Gyula, > I'm running the test between two identical Debian 8.6 VMs. > Both have the same version of strongSwan (v5.5.1), compiled with the > same switches. I was able to reproduce this in our testing environment. On the responder you should have seen the following messages: > [CHD] no keyle

Re: [strongSwan] Sending INIT_CONTACT during "ipsec up .... "

2016-11-14 Thread Tobias Brunner
Hi Marko, > What is the reason for this ? Is it the expected behaviour ? Yes, how could the client know that this is the first IKE_SA with the peer if it doesn't know the peer's identity (rightid=%any)? Regards, Tobias

Re: [strongSwan] Sending INIT_CONTACT during "ipsec up .... "

2016-11-14 Thread Tobias Brunner
Hi Marko, > Shouldn't the same apply when you use wildcards then ? Because in this > case also is not determined on what the exact peer identity is, but > still the INIT_CONTACT is being sent...? The code currently just checks if there is an IDr before checking for existing connections. With rig

Re: [strongSwan] libhydra

2016-11-14 Thread Tobias Brunner
Hi Joy, > Any new plugin for talking > to the kernel would require a kernel_ipsec_t as well. Is this correct? Yes. Regards, Tobias

Re: [strongSwan] strongswan on android phone does nothing (select profile, does nothing)

2016-11-16 Thread Tobias Brunner
Hi Don, > I'm not sure what else to try, can anyone suggest? If you are using Google's Project Fi, please have a look at [1]. Regards, Tobias [1] https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClient#Known-LimitationsIssues

Re: [strongSwan] leftsubnet and loopback problem

2016-11-21 Thread Tobias Brunner
Hi John, > ip address add dev lo 10.2.3.4/32 > ... > Nov 17 10:56:43 127 daemon.info charon: 16[KNL] no local address found in > traffic selector 10.2.3.4/32 > ... > I'm using: Linux strongSwan U4.5.2/K3.4.113 That's really old. Back then loopback interfaces were not considered. You need at lea

Re: [strongSwan] how to use 'rightca' connection option?

2016-11-25 Thread Tobias Brunner
Hi John, > rightca="CN=aa, ST=aa, C=aa, E=aa, O=aa, L=aa, OU=aa, OU=aa" > > I've changed values of fields in rightid, but rightca is taken from real > config without modification. The CA constraint internally uses certificates to match against the trust chain. So you can't set `rightca`

Re: [strongSwan] how to use 'rightca' connection option?

2016-11-25 Thread Tobias Brunner
Hi John, > Did you mean that when using rightca, I should have locally installed > the certificate with DN the same as provided for rightca option > otherwise the option is ignored? Yep. You should actually see a warning in the log, saying something like "CA certificate "..." not found, discardi

Re: [strongSwan] Strongswan causing IP error on local gratuitous ARP request

2016-12-05 Thread Tobias Brunner
Hi Francis, > Is it possible at all to tell farp which subnets to ignore, or is it > hard coded to respond to everything? No, the farp plugin sends ARP responses only for IPs that match the remote traffic selector of an established CHILD_SA. Regards, Tobias

Re: [strongSwan] Multiple versions of strong swan

2016-12-05 Thread Tobias Brunner
Hi, > How can I remove remove residue left from installation of the source version > and make sure ipsec command runs usr/sbin/ipsec? Remove /usr/local/sbin/ipsec. > I have tried make uninstall but it didn't remove anything If you configured it the same way you did originally (before running

Re: [strongSwan] StrongSwan generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ] (Linux/Android)

2016-12-08 Thread Tobias Brunner
>> Client logs: > Those logs are useless. You need to read the logs of the remote side. The > reason for the error is logged there. It actually does seem to be a client issue (or more specifically to be related to the certificates): > Dec 6 03:59:47 linuxlite-VirtualBox charon-nm: 16[CFG] no is

Re: [strongSwan] Successfully established connection goes offline after some time

2017-01-19 Thread Tobias Brunner
Hi Varun, > I have strongSwan 5.3.5 on Ubuntu 16.04LTS. When I connect iOS VPN > client to it, it connects successfully and I am able to browse the > internet. But after some time, the connection goes offline. iOS doesn't like the NAT-D payloads added to the DPDs so it doesn't respond: > Jan 19

Re: [strongSwan] VPN profiles for client

2017-01-23 Thread Tobias Brunner
Hi Aanand, > 2. Create the configuration files offline and provide it to an end user > so that the user can import it into the Strongswan client and start > connecting. If you are referring to the strongSwan Android client then, yes, this is possible since the latest release. Refer to [1] for de

Re: [strongSwan] How to retrieve remote certificates

2017-01-25 Thread Tobias Brunner
Hi John, > We have problems with certificate authentication and see "RSA signature > verification failed: Bad signature" during strongswan connection try. We > would like to retrieve all remote certificate chain to "manually" check > this issue. Is this possible using strongswan (for example by en

Re: [strongSwan] Strongswan connects, but times out immediately and passes no traffic

2017-01-25 Thread Tobias Brunner
Hi Alexander, > I've attached a chunk of the log which hopefully shows what was happening. It shows that DPDs do not get through in one direction (response from the peer). So maybe other traffic in that direction is also affected. You also seem to use an IP from the remote subnet inside the tunn

Re: [strongSwan] authentication with EAP

2017-02-01 Thread Tobias Brunner
Hi Yudi, > Is there a way to fine tune this behavior, ie, If the remote peer is > trying to authenticate via EAP-MSCHAPV2 the server should pick the right > method (eap-mschapv2) not the first one in the list. You need to use the eap-dynamic plugin [1]. Regards, Tobias [1] https://wiki.strongsw

Re: [strongSwan] What enqueues IKE_MOBIKE tasks?

2017-02-06 Thread Tobias Brunner
Hi Alexander, > My understanding was that the IKE_MOBIKE task was triggered by changes > to routes/interfaces. > > I'm intermittently seeing the IKE_MOBIKE task be queued at 30 second > intervals, with no interface changes. There is nothing in the syslog or > kernel log in between most of these e

Re: [strongSwan] Can not create tunnel on Windows 10: no certificate with extensible authentication protocol found

2017-02-08 Thread Tobias Brunner
Hi Oliver, > Any help would be appreciated. Please don't cross-post: https://wiki.strongswan.org/issues/2244 Regards, Tobias ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Android doesn't support ESP aes256gcm16-modp2048

2017-02-09 Thread Tobias Brunner
Hi Piotr, > it seems that Android app doesn't support cipher esp=aes256gcm16-modp2048 Correct. That proposal is not supported by the app, see [1] for the list of currently configured proposals. So you basically have to use a stronger DH group when using aes256gcm16. Regards, Tobias [1] https:

Re: [strongSwan] IKEv2 retransmission of Android app

2017-02-15 Thread Tobias Brunner
Hi Piotr, > But how can I control this on Android? Is it hardcoded somewhere? If > yes, can somebody help me and point me to the right direction? See [1] or [2]. > I'm trying to use OTP to authenticate IKEv2. So far, so good, but the > main issue is to maintain the tunnel as long as possible - I

Re: [strongSwan] Pre-Shared Key Conditioning

2017-02-15 Thread Tobias Brunner
Hi Michael, > I'm trying to find some documentation on what algorithms, if any, > StrongSwan uses for pre-shared key conditioning. Currently, none. Are there IKE implementations that do? You could obviously pre-process the PSKs before making them available to the daemon (they can be provided in

Re: [strongSwan] IKEv2 retransmission of Android app

2017-02-16 Thread Tobias Brunner
> > But how can I control this on Android? Is it hardcoded somewhere? If > > yes, can somebody help me and point me to the right direction? > > See [1] or [2]. > > Where is [1] or [2]? :) Odd, I distinctly remember pasting the links into an email. Anyway, here they are: [1] https:/

Re: [strongSwan] IKEv2 : Tunnel gets established even when local cert startDate is invalid

2017-02-16 Thread Tobias Brunner
Hi Sriram, > "ipsec listcerts" says that the above (device)cert is not yet valid. > Still tunnel gets established properly. strongSwan does use seemingly invalid certificates for its own authentication, but won't accept invalid remote certificates. So if the server certificate was also only vali

Re: [strongSwan] Fortinet vpn client compatibility with strongswan

2017-02-27 Thread Tobias Brunner
Hi Akshar, > client receives response IDci=IP ADDRESS > which was sent in request and IDcr=ID_IPV4_ADDR_SUBNET(0400 > 0afe ff00). > Fortinet client was printing "VPNmismatched ID > was returned." Looks like you configured leftsubnet=10.254.0.0/24 on the server but the client exp

Re: [strongSwan] Strongswan plugins

2017-03-02 Thread Tobias Brunner
Hi Aanand, > I would like to know if some or all of the plugins defined here - are > available on the Strongswan client too. The strongSwan IKE daemon may be used as client or server or both, depending on the configuration. It does not enforce a clear distinction (excluding specific client imple

Re: [strongSwan] Strongswan plugins

2017-03-02 Thread Tobias Brunner
Hi Aanand, > In case of the Android App or the Network Manager - does all this mean > that if I were to add additional EAP plugins they will not show up in > the UI and hence users dialing through the UI wouldn't be able to see > and use them? Most EAP methods can't be selected explicitly in the
