Victor Sudakov wrote:
> Tobias Brunner wrote:
> >
> > > esp=3des-sha1!
> >
> > PFS is enabled if you add a DH group to the ESP proposal.
>
> I suspected that, but Windows offers two knobs which can be enabled
> independently, that's the confusion.
>
ifetime=1h
lifetime=10m
keyexchange=ikev2
type=transport
left=10.10.10.5
right=y.y.y.y
leftprotoport=47
rightprotoport=47
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
Kind regards
>
> Noel
>
> On 05.03.20 at 12:03 Victor Sudakov wrote:
> > Dear Colleagues,
> >
> > There was a power outage, the Mikrotik router at home was powered off
> > for several hours. Then it was powered on again but there was no IPSec
> > SA f
authby=secret
dpddelay=10s
dpdaction=restart
esp=aes256-sha1-modp2048
ike=aes256-sha1-modp2048
ikelifetime=1h
lifetime=10m
keyexchange=ikev2
type=transport
left=10.10.10.5
right=y.y.y.y
leftprotoport=47
rightprotoport=47
need for `keyingtries=%forever` in the `auto=route` mode?
>
> Further traffic will trigger another acquire (it might even cause
> duplicate SAs if a retry occurs while traffic triggers another acquire
> from the kernel).
Thank you very much Tobias, I've learned a lot from this conve
the SA if matching traffic
> occurs.
Is there no need for `keyingtries=%forever` in the `auto=route` mode?
cation. If any
important info is missing please let me know, I'll update the archive.
Victor Sudakov wrote:
> Noel Kuntze wrote:
> >
> > Please provide me with a copy of all data as shown on the HelpRequests page.
>
> Here you are: http://admin.sibptus.ru/~vas/strongswan_ipv6_problem.tar
>
> The information there should be sufficient to get the id
correct.
> Do not set right or left. If you do that, you can't use transport mode
> anymore while having rightsubnet != right and leftsubnet != left.
>
> On 21.01.20 at 16:59 Victor Sudakov wrote:
> > noel.kuntze+strongswan-users-ml@thermi.consulting wrote:
> >> https
Is it also normal that the SA lifetimes always look so tremendous?
Victor Sudakov wrote:
> Dear Colleagues,
>
> I want to protect L2TP traffic (and *only* L2TP traffic with IPSec).
> FreeBSD 12.1, Strongswan 5.8.2
>
> c.c.c.c is the L2TP client and s.s.s.s is the L2TP serve
//unique:4
created: Feb 8 17:02:20 2020 lastused: Feb 8 17:02:20 2020
lifetime: 9223372036854775807(s) validtime: 0(s)
spid=1998 seq=0 pid=16018 scope=global
refcnt=1
.
2. Windows cannot configure IKEv2 from GPO, only from PowerShell. I'm
not quite ready for that yet, please do not advise to switch to IKEv2.
To be sure we'd need to test those cases and look at what it does differently.
I'd be happy to test if I knew where and what to look for on the Strongswan
side.
if both the left and right hosts are like this?
Noel Kuntze wrote:
> On 20.01.20 at 17:30 Victor Sudakov wrote:
> > Dear Colleagues,
> >
> > If I want to set up an IPSec transport mode connection between two
> > hosts, I describe the following connection, and it works:
> >
> > conn test-v6
> >
Victor Sudakov wrote:
>
> If you mean the "Host-To-Host transport mode" example at
> https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
> this is exactly what I would like explained a bit:
>
> 1. Why does the example use "right=%any rightsubnet=
noel.kuntze+strongswan-users-ml@thermi.consulting wrote:
> Because that's how it's implemented in this case. Read the linked pages in
> the description.
Can you please give a direct link or quote the relevant text?
:19f0:8001:1219::/64
type=transport
authby=psk
auto=route
Host B (has multiple addresses from a /64 network)
conn test-v6
left=%any
leftsubnet=2001:19f0:8001:1219::/64
right=2001:470:35:7af::2
type=transport
authby=psk
auto=route
Victor Sudakov wrote:
> Felipe Polanco wrote:
> > > Does this not cause excessive SAs piling up? I've seen a similar
> > > problem with Strongswan on my side and a MikroTik on the remote side:
> > > too many excessive SAs in "ipsec status" output an
ome resource is
exhausted.
s to send an SNMP trap, the IPSec connection will have already
been established. No need for triggering.
Victor Sudakov wrote:
> Tobias Brunner wrote:
> >
> > > I see that the first packet in matching
> > > traffic is always lost: in a ping session, packet with seq=1 never makes
> > > it to the other side, only from seq=2 onwards.
> > >
> > >
rent traffic selectors on SAs: one is x.x.x.x
> <-> y.y.y.y, while another is x.x.x.x <-> z.z.z.z
>
>
> On 13.11.2020 05:13, Victor Sudakov wrote:
> > Dear Colleagues,
> >
> > What's the reason for strongSwan to create (sometimes) multiple SAs for
>
4}: x.x.x.x/32[gre] === z.z.z.z/32[gre]
root@tunn:~#
protoport=47
rightprotoport=47
conn officeru4
also = officeru3
right=z.z.z.z
=
There are more peers like "officeru4" down the config.
e to comment.