Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
On 19 Sep 2017, at 18:28, Turbo Fredriksson <tu...@bayour.com> wrote: > I’ve really never been a friend of tcpdump. I could never get it to give > me what I needed. Well, running: sudo tcpdump -i eth0 port 6379 2>&1 | tee /tmp/y & and then the redis client after t

Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
On 19 Sep 2017, at 18:08, Noel Kuntze wrote: > Likely has to do with pmtu discovery. You can use tcpdump and alike to try to > figure out what > actually happens on the network or continue wondering about what the strange > machines do. I’ve

Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
On 19 Sep 2017, at 16:00, Noel Kuntze wrote: > Check the tcp metrics (ip tcp_metrics) and look at the MSS. There’s no metrics at all related to mss on either of the VPN instances: root@jumpbox-london:~# ip tcp_metrics | grep -i mss

Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
On 19 Sep 2017, at 15:57, Turbo Fredriksson <tu...@bayour.com> wrote: > all of a sudden it worked!! Does anyone know a priest in London? It stopped working again! I hate when things like this happen!! :)

Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
This is spooky!! I ran ip link set dev eth0 mtu 1500 on all instances in the chain. Then ran iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 128 on both the VPN

Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
On 19 Sep 2017, at 15:16, Noel Kuntze wrote: > Usage of the MSS target in iptables, usage of kernel-netlink.mtu or of MTUs > on the routes in the routing tables root@jumpbox-london:~# iptables-save | grep -i MSS root@jumpbox-london:~# ip

Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
Copying a file from ‘London VPN’ to ‘Redis client London’ via scp completes without any problem and I don’t see any “hiccups” or stop-and-start of the copy. The file downloads at 13MB/s, which isn’t fast, but good enough I’m sure.

Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
On 19 Sep 2017, at 14:57, Noel Kuntze wrote: > Did you fix the MSS? Is the MTU on the tunnel correct? Did you maybe break > PMTU discovery? Not sure, can’t remember… How do I check?

[strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
I’m not sure if this is a Strongswan problem, but I see some indications that it might be, so I’m posting it here. If this is not the right place, let me know and I’ll take it elsewhere. I have set up a new region (London) in our AWS environment and am trying to connect one of the instances in there

Re: [strongSwan] 24/7/365 tunnel?

2017-09-14 Thread Turbo Fredriksson
On 14 Sep 2017, at 11:23, Eric Germann wrote: > I’ve found auto=route to be much more stable in AWS. Spins up when it’s down > but needed and starts passing traffic. Ok, thanx! I’ll let it run like this for a couple of days so I get a feel for how it works and then try

Re: [strongSwan] 24/7/365 tunnel?

2017-09-14 Thread Turbo Fredriksson
route" it will reestablish the >>> tunnel as needed. We run several hundred tunnels this way in AWS without >>> issue. >>> >>> EKG >>> >>> >>>> On Sep 13, 2017, at 09:21, Turbo Fredriksson <tu...@bayour.com>

[strongSwan] 24/7/365 tunnel?

2017-09-13 Thread Turbo Fredriksson
I’m trying to set up a tunnel between two regions in AWS. Works fine, other than the fact that Strongswan seems to take down the tunnel automatically (?) after a few hours. How can I 1) make sure there’s no timeout (?) and 2) that IF the tunnel goes down, for whatever reason, that it will

[strongSwan] Commercial support?

2017-04-25 Thread Turbo Fredriksson
I’m having some trouble with my VPN connections, and I’d like to get some commercial support. Anyone feel up to helping me out?

Re: [strongSwan] Successfully established connection goes offline after some time

2017-01-19 Thread Turbo Fredriksson
On 19 Jan 2017, at 12:18, Varun Singh wrote: > I have strongSwan 5.3.5 on Ubuntu 16.04LTS. When I connect iOS VPN client to > it, it connects successfully and I am able to browse the internet. But after > some time, the connection goes offline. If it helps, I have the

[strongSwan] MultiOS to strongSwan host to network VPN?

2016-11-22 Thread Turbo Fredriksson
I’ve been trying for a couple of days now to make my strongSwan setup connect to my LDAP/KerberosV servers. From what I can tell there are [at least] two ways to do this: 1. PAM - this works fine in the os/sshd etc so that was my first try -> My OSX/Windows7 [native]

Re: [strongSwan] Running on AWS behind Elastic IP

2016-11-16 Thread Turbo Fredriksson
On 16 Nov 2016, at 19:42, Mathew Marulla wrote: > Confused now... Is your VPN entirely within AWS? Yes. > If not, how are you connecting over the public internet with a private IP? I don’t. I connect to the EIP. But StrongSWAN doesn’t need to know that.

Re: [strongSwan] Running on AWS behind Elastic IP

2016-11-16 Thread Turbo Fredriksson
On 16 Nov 2016, at 17:56, Mathew Marulla wrote: > If I am reading your reply correctly, it seems you are getting this to work > by not using an elastic IP, but just the public IP of your instance. Then > using a script to update it as needed. Maybe that’s the only way… > > I

Re: [strongSwan] Running on AWS behind Elastic IP

2016-11-16 Thread Turbo Fredriksson
On 16 Nov 2016, at 05:27, Mathew Marulla wrote: > Although I have read just about every tutorial and similar posting I can find > about running StrongSwan on an EC2 instance, I still can not seem to get it > to work. I’m doing the same thing, but I started “from scratch”

Re: [strongSwan] No VPN connection

2016-11-04 Thread Turbo Fredriksson
> On 4 Nov 2016, at 20:03, Turbo Fredriksson <tu...@bayour.com> wrote: > Nov 4 20:50:38 ip-10-203-0-15 charon: 05[MGR] checkin IKE_SA client[1] > Nov 4 20:50:38 ip-10-203-0-15 charon: 05[MGR] check-in of IKE_SA successful. > Nov 4 20:50:38 ip-10-203-0-15 charon: 03[NET] se

Re: [strongSwan] No VPN connection

2016-11-04 Thread Turbo Fredriksson
On 4 Nov 2016, at 20:03, Turbo Fredriksson <tu...@bayour.com> wrote: > Nov 4 19:46:51 ip-10-203-0-15 charon: 06[NET] sending packet: from > [4500] to [4500] (372 bytes) Enabling some debugging, the next lines after this are: Nov 4 20:50:38 ip-10-203-0-15 charon: 05[MGR] checkin I

[strongSwan] No VPN connection

2016-11-04 Thread Turbo Fredriksson
I’m trying to set up a new StrongSWAN server for work, so I’m using my own, private setup as base for this. This server is located on a Ubuntu 16.04/LTS server in AWS. Eventually I got as far as it (my client) actually trying to do the connection. But the client ‘just stops’. It never finishes

Re: [strongSwan] Apple IOS 10 VPN

2016-10-30 Thread Turbo Fredriksson
On 30 Oct 2016, at 16:59, Turbo Fredriksson <tu...@bayour.com> wrote: > I’ve been following this myself and it works on my Android phone, but not on > my > new OSX 10.12.1. Oops, sorry for wasting space and oxygen.. The keyword here is “new OSX”. I forgot to add my CA to the l

Re: [strongSwan] Apple IOS 10 VPN

2016-10-30 Thread Turbo Fredriksson
On 30 Oct 2016, at 01:09, Derek Cameron wrote: > Here is a configuration that works for iOS 10: > http://xpu.ca/strongswan-ubuntu/ I’ve been following this myself and it works on my Android phone, but not on my new OSX 10.12.1. I get

[strongSwan] Promote routes to the VPN client?

2016-10-27 Thread Turbo Fredriksson
I installed my NAT/IPSEC/GW many, many years ago with OpenSWAN and "a while" (also probably "many, many years ago" :) ago, I upgraded that to StrongSWAN. My config is almost entirely still OpenSWAN, but that seems to be ok.. However, my use-case has slightly changed since that time in the far

[strongSwan] expected record boundary in key

2012-02-07 Thread Turbo Fredriksson
I'm trying to set up the usage of certificates etc with strongSWAN, but there might be something I've missed. I have had my own CA for many years, generating working certificates for a bunch of services (ldaps, https, etc). When I try to add 'leftcert', I can no longer use PSK. conn

Re: [strongSwan] expected record boundary in key

2012-02-07 Thread Turbo Fredriksson
On Tue, 07 Feb 2012 16:44:41 +0200, Turbo Fredriksson wrote: conn %default ... leftcert=host_domain_tld.pem [...] C=SE, O=Bayour.COM, OU=System, CN=host.domain.tld, E=tu...@bayour.com %any : PSK aNothEERseCreT And if I try to connect, this is what I get in the logs

[strongSwan] Net2Net w/ StrongSWAN/OpenBSD

2012-02-06 Thread Turbo Fredriksson
I'm trying to connect to a friend's OpenBSD firewall using OpenSWAN on my Linux, kernel 2.6.32 but it keeps failing. After 8h, we got this far (on the OpenBSD side): 160024.269867 Default attribute_unacceptable: life attribute received, none in policy 160024.269873 Negt 20