[strongSwan] How can I shutdown the NAT-T feature of IKEv2
Hi Martin, Hi all,

I have one question: how can I shut down the NAT-T feature of IKEv2? As far as I know, this feature is enabled by default in IKEv2. If I want to shut it down, how can I do it? By configuring some item, or must I modify the code?

Best Regards,
David

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
[strongSwan] Re: How can I shutdown the NAT-T feature of IKEv2
Hi Martin,

If I did not select --enable-NAT-Transport when I compiled strongSwan, can the NAT-T feature be shut down by the method above?

Best Regards,
David

-----Original Message-----
From: Martin Willi [mailto:mar...@strongswan.org]
Sent: 2009-10-26 17:13
To: weiping deng
Cc: 'users'
Subject: Re: How can I shutdown the NAT-T feature of IKEv2

Hi,

> How can I shut down the NAT-T feature of IKEv2? As far as I know, this feature is enabled by default in IKEv2. If I want to shut it down, how can I do it? By configuring some item, or must I modify the code?

There is no configuration option for disabling NAT detection, as it usually does not harm to have it enabled. To disable it, the best approach is probably to replace the build/process methods of the ike_natd task, or to not create/queue this task at all.

Regards
Martin
[strongSwan] Re: Re: How can I shutdown the NAT-T feature of IKEv2
Hi Martin,

Thank you for your detailed information.

Best Regards,
David

-----Original Message-----
From: Martin Willi [mailto:mar...@strongswan.org]
Sent: 2009-10-26 18:10
To: weiping deng
Cc: 'users'
Subject: Re: Re: How can I shutdown the NAT-T feature of IKEv2

Hi,

> If I did not select --enable-NAT-Transport when I compiled strongSwan, can the NAT-T feature be shut down by the method above?

This option is for IKEv1 and affects transport mode connections only.

> If strongSwan enables this NAT-T feature by default, then the following message parsing will run into issues due to the 4-byte non-ESP marker and port floating of RFC 3948.

UDP encapsulation and other NAT features are enabled only if a NAT was actually detected. strongSwan always includes NAT detection payloads in IKE_SA_INIT requests. If your peer does not support NAT traversal, it will (or should) ignore these payloads and will not include its own NAT detection payloads. If strongSwan does not receive NAT detection payloads in IKE_SA_INIT, it assumes your peer is not capable of NAT traversal and will not enable any NAT-specific features.

Regards
Martin
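The detection rule Martin describes above, as an added worked example (editor's own Go code, not strongSwan's ike_natd task): each side hashes the SPIs, its address and port into the NAT_DETECTION_*_IP notifies of RFC 4306; the responder compares the received hashes with the addresses it actually observed, and turns NAT features on only if the peer sent the payloads at all and a hash mismatch proves that something was rewritten. The second half is the UDP port 4500 demultiplexing of RFC 3948 that David's remark about the 4-byte non-ESP marker refers to. The SPIs, addresses and packet bytes are constructed for the example (documentation address ranges, assumed ports).

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"net"
)

// Endpoint is an address/port pair as one side of the exchange sees it.
type Endpoint struct {
	IP   net.IP
	Port uint16
}

// natDetectionHash is the value in a NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP
// notify (RFC 4306 section 2.23): SHA-1(SPIi | SPIr | IP address | port), port as 2 bytes.
func natDetectionHash(spiI, spiR uint64, ep Endpoint) []byte {
	h := sha1.New()
	binary.Write(h, binary.BigEndian, []uint64{spiI, spiR})
	if v4 := ep.IP.To4(); v4 != nil {
		h.Write(v4)
	} else {
		h.Write(ep.IP.To16())
	}
	binary.Write(h, binary.BigEndian, ep.Port)
	return h.Sum(nil)
}

// NATDResult is what the responder concludes from a received IKE_SA_INIT.
type NATDResult struct {
	PeerSupportsNATT bool // the peer sent NAT_D payloads at all
	PeerBehindNAT    bool // the peer's source address was rewritten on the way here
	SelfBehindNAT    bool // our own address, as the peer sees it, is not one we have
}

func containsHash(set [][]byte, want []byte) bool {
	for _, h := range set {
		if bytes.Equal(h, want) {
			return true
		}
	}
	return false
}

// evaluateNATD applies the rule from the reply: no NAT_D payloads from the peer means no
// NAT features at all; otherwise a NAT is assumed only where no received hash matches the
// addresses actually observed (observed: real UDP source; local: the address we received on).
func evaluateNATD(spiI, spiR uint64, peerSrc, peerDst [][]byte, observed, local Endpoint) NATDResult {
	var r NATDResult
	if len(peerSrc) == 0 && len(peerDst) == 0 {
		return r
	}
	r.PeerSupportsNATT = true
	r.PeerBehindNAT = !containsHash(peerSrc, natDetectionHash(spiI, spiR, observed))
	r.SelfBehindNAT = !containsHash(peerDst, natDetectionHash(spiI, spiR, local))
	return r
}

// Kind classifies a datagram received on UDP port 4500 (RFC 3948 sections 2.1-2.3).
type Kind int

const (
	KindESP       Kind = iota // UDP-encapsulated ESP, starts with the (non-zero) SPI
	KindIKE                   // 4-byte zero non-ESP marker, then the IKE header
	KindKeepalive             // single 0xFF byte NAT-keepalive
	KindInvalid
)

// demux4500 is the split that makes port floating work: an ESP SPI is never zero, so four
// zero bytes can only be the non-ESP marker in front of an IKE message.
func demux4500(pkt []byte) (Kind, []byte) {
	switch {
	case len(pkt) == 1 && pkt[0] == 0xff:
		return KindKeepalive, nil
	case len(pkt) >= 4 && bytes.Equal(pkt[:4], []byte{0, 0, 0, 0}):
		return KindIKE, pkt[4:]
	case len(pkt) >= 8: // SPI (4) + sequence number (4) at minimum
		return KindESP, pkt
	}
	return KindInvalid, nil
}

func main() {
	// Constructed scenario (documentation addresses): a client behind a NAT initiates.
	spiI, spiR := uint64(0x1122334455667788), uint64(0) // SPIr is zero in the first request
	client := Endpoint{IP: net.ParseIP("192.168.1.10"), Port: 500}
	server := Endpoint{IP: net.ParseIP("203.0.113.5"), Port: 500}
	src, dst := natDetectionHash(spiI, spiR, client), natDetectionHash(spiI, spiR, server)
	observed := Endpoint{IP: net.ParseIP("198.51.100.7"), Port: 41000} // what the NAT made of it
	r := evaluateNATD(spiI, spiR, [][]byte{src}, [][]byte{dst}, observed, server)
	fmt.Printf("NAT-T supported: %v, peer behind NAT: %v, self behind NAT: %v\n", r.PeerSupportsNATT, r.PeerBehindNAT, r.SelfBehindNAT)
	kind, body := demux4500([]byte{0, 0, 0, 0, 0xde, 0xad})
	fmt.Println("port 4500 demux is IKE:", kind == KindIKE, "payload bytes:", len(body))
}
```

Running it shows why there is nothing to "switch off" on a peer that lacks NAT-T: with no NAT_D payloads in the request, evaluateNATD returns all-false and the responder never floats to port 4500 or prepends the marker.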
[strongSwan] High availability issue of IPsec
Hi Martin and Andreas, Hi all,

I found that the IPsec tunnel will be broken unexpectedly after a long time with no data passing through it. And I have enabled the DPD mechanism in ipsec.conf as follows:

    keyingtries=%forever
    ...
    dpdaction=clear
    dpdtimeout=5m
    dpddelay=10

I only configured DPD on the peer side. And when the IPsec tunnel is broken, ipsec statusall still works and the result indicates that the IPsec tunnel is still up, but I cannot ping the server side from the peer side. Did other guys encounter this problem? And how can I do something to make the IPsec tunnel highly available?

Best Regards,
David
[strongSwan] Re: Some Questions about the configuration payload
Hi Andreas,

Thanks for your quick response and important information about the configuration payload. I want to confirm the following item with you further: do I need to configure nothing in ipsec.conf or strongswan.conf, and only need to start the resolv and attr plugins on the server side and peer side?

Best Regards,
David

-----Original Message-----
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: 2009-09-24 15:03
To: weiping deng
Cc: 'Martin Willi'; users@lists.strongswan.org
Subject: Re: Some Questions about the configuration payload

weiping deng wrote:
> Hi Both,
>
> Excuse me. I have the following questions about the configuration payload:
>
> Q1: In the current version of strongSwan, can the internal DNS be assigned by the server when the peer initiates the request for it with the same configuration payload as the virtual IP request? If the internal DNS can be assigned, where can I get this information? And if I want to obtain this information for further handling, how can I do it?

Yes, internal DNS servers can be assigned to a strongSwan client via the configuration payload. A sample scenario is shown here:

http://www.strongswan.org/uml/testresults43/ikev2/config-payload/console.log

By default the DNS servers are added to /etc/resolv.conf by the resolv-conf plugin. The destination file can be changed via the --with-resolv-conf=file configuration option.

strongSwan as a server can read DNS and WINS server information from /etc/strongswan.conf using the attr plugin:

http://www.strongswan.org/uml/testresults43/ikev2/config-payload/moon.strongswan.conf

Both the attr and resolv-conf (renamed to resolve starting with release 4.3.5) plugins are enabled by default.

> Q2: I have always had a question, i.e.: as described in RFC 4306 (IKEv2), the server can assign the internal subnet and corresponding netmask to the peer. Why do we need to configure rightsubnet in the peer's ipsec.conf? Can this item be removed from ipsec.conf? Or maybe this item is not used to configure the internal subnet and can be set to a random value (in fact, it does not work when I set a random value for right/leftsubnet).

On the client side you can define right|leftsubnet=0.0.0.0/0 and the server will narrow the range down to its own definition. Narrowing is an IKEv2 feature.

> Looking forward to your answer, thanks.
>
> David

Regards

Andreas

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
[strongSwan] Re: Some Questions About NAT-T and DPD
Hi Martin,

Thank you. Another question: if I want to enable this feature, what configuration should be done? Now I use kernel 2.6.28, so I will adopt the first solution.

Best Regards,
David

-----Original Message-----
From: Martin Willi [mailto:mar...@strongswan.org]
Sent: 2009-09-24 16:42
To: Andreas Steffen
Cc: weiping deng; users@lists.strongswan.org
Subject: Re: Some Questions About NAT-T and DPD

Hi,

> I'm not sure whether our MOBIKE implementation supports this but Martin will know.

Yes, we support the detection of changes in the NAT situation, either using the MOBIKE-enabled DPD, or with a recent kernel (2.6.29?) by detecting changes in the UDP encapsulation of ESP packets.

Regards
Martin
[strongSwan] Re: Re: question about the handling of identity payload during the procedure of EAP-SIM and EAP-AKA
Hi Martin,

About the identity payload (http://marc.info/?l=strongswan-users&m=125352578718423&w=2), I still have the following questions:

1) Has the latest version, with the identity payload handling code for EAP-AKA, been released?
2) In the latest version of strongSwan, is the identity set by default, or is it configured in ipsec.conf or another configuration file?

Looking forward to your answer, thanks.

Best Regards,
David
[strongSwan] Re: Re: Re: How to peel off strongswan code for running in a space-stressed ARM
Hi Martin,

I forgot to install xfrm4_mode_tunnel.ko and xfrm4_mode_transport.ko. After I installed these two modules, the problem was gone. Thank you for your help.

Best Regards,
David

-----Original Message-----
From: users-boun...@lists.strongswan.org [mailto:users-boun...@lists.strongswan.org] On behalf of weiping deng
Sent: 2009-09-18 20:11
To: 'Martin Willi'
Cc: users@lists.strongswan.org
Subject: [strongSwan] Re: Re: How to peel off strongswan code for running in a space-stressed ARM

Hi Martin,

reduced from 131M to 67M. But the error still exists. If error code 93 is EPROTONOSUPPORT, I think it may still be the problem of the Linux kernel (version under 2.6.29) with the IPv6 kernel modules. But I actually patched the kernel using the patch you provided for me, and I also patched strongSwan using the patch you provided. The modules I installed into the kernel are listed as follows:

    xfrm4_tunnel  2752  0 - Live 0xbf07e000
    tunnel4       3752  1 xfrm4_tunnel, Live 0xbf078000
    ipcomp        3232  0 - Live 0xbf072000
    xfrm_ipcomp   5384  1 ipcomp, Live 0xbf06e000
    xfrm_user    20544  0 - Live 0xbf063000
    esp4          6528  0 - Live 0xbf05c000
    ah4           5248  0 - Live 0xbf055000
    af_key       32464  0 - Live 0xbf048000

Best Regards,
David

-----Original Message-----
From: Martin Willi [mailto:mar...@strongswan.org]
Sent: 2009-09-18 18:16
To: weiping deng
Cc: users@lists.strongswan.org
Subject: Re: Re: How to peel off strongswan code for running in a space-stressed ARM

Hi,

> 1) If the used virtual memory is exceeded, the following error will occur, is that right?
> Resource temporarily unavailable-93: received netlink error

I have never seen such a "Resource temporarily unavailable" error from netlink, and 93 is actually EPROTONOSUPPORT. You are probably missing a kernel module (tunnel/transport/esp/...), make sure to have a kernel with all options for your setup. I don't think this has anything to do with memory consumption. Virtual memory does not really exceed, unless you reach the end of address space.

> it can be set in the strongswan.conf file as follows:
> charon { threads = 8; }

Yes, but strongswan.conf does not use semicolons.

Regards
Martin
[strongSwan] question about the handling of identity payload during the procedure of EAP-SIM and EAP-AKA
Hi Martin,

Excuse me. There are two questions about the EAP-SIM and EAP-AKA implementation as follows, please help me, thanks.

Q1: In the current implementation of EAP-SIM and EAP-AKA authentication, the IDENTITY REQ payload is not handled, or is handled with only the attribute ID. Is there a specific cause for this? I referred to some documents about these two authentication mechanisms, and the IDENTITY REQ payload is still needed. But I don't know how to generate the NAI (identity of the peer) if I implement the handling code for this payload. What specification or compliance should be followed?

Q2: As far as I know, there are three COMP128 algorithms (called A3/A8 or combined A3/A8) for calculating SRES and Kc during the EAP-SIM authentication procedure. And now only COMP128-1 is open, and the other two algorithms (COMP128-2 and COMP128-3) are not open. So if I want to simulate the whole SRES and Kc calculation procedure of the SIM card, what algorithms should I implement? And where can I get the material for COMP128-2 and COMP128-3?

Best Regards,
David
[strongSwan] Re: question about the handling of identity payload during the procedure of EAP-SIM and EAP-AKA
Hi Martin,

Thank you for your quick answer. As a generic open-source project, covering the basic part of the protocols is an advisable selection, because the corresponding specifications are always changing. The current implementation of these two authentication mechanisms is a good start for future development, thank you.

Best Regards,
David

-----Original Message-----
From: Martin Willi [mailto:mar...@strongswan.org]
Sent: 2009-09-21 17:36
To: weiping deng
Cc: users@lists.strongswan.org
Subject: Re: question about the handling of identity payload during the procedure of EAP-SIM and EAP-AKA

Hi,

> In the current implementation of EAP-SIM and EAP-AKA authentication, the IDENTITY REQ payload is not handled, or is handled with only the attribute ID.

For EAP-SIM, we just reply to identity requests with the configured identity. The same semantics have been implemented for EAP-AKA just last week.

> Is there a specific cause for this? I referred to some documents about these two authentication mechanisms, and the IDENTITY REQ payload is still needed.

We do not support all the glory of these protocols, just the basics (no re-authentication, pseudonyms, ...). I think we are within the specs when answering identity requests with our IKE/EAP identity.

> So if I want to simulate the whole SRES and Kc calculation procedure of the SIM card, what algorithms should I implement? And where can I get the material for COMP128-2 and COMP128-3?

I'm not very familiar with these GSM specs, but there are probably different variations of these algorithms (this is the case at least for AKA)...

Regards
Martin
[strongSwan] Re: About the problem of received netlink error: Resource temporarily unavailable
Hi Martin,

My kernel version is 2.6.28 and I have patched it with the patch you gave me before, and I also got the following error messages:

    kernel_netlink_shared.c:241: Resource temporarily unavailable-93: received netlink error
    kernel_netlink_ipsec.c:1162: c3fddd90: unable to add SAD entry with SPI
    kernel_netlink_shared.c:241: Resource temporarily unavailable-93: received netlink error
    kernel_netlink_ipsec.c:1162: cc1ac880: unable to add SAD entry with SPI
    sa/tasks/child_create.c:476: inbound :and :outbound : unable to install IPsec SA(SAD) in kernel

Is it the same as the old one, or is it a new problem? Please help me check, thanks.

Best Regards,
David

-----Original Message-----
From: Martin Willi [mailto:mar...@strongswan.org]
Sent: 2009-08-25 17:09
To: weiping deng
Subject: Re: About the problem of received netlink error: protocol not supported (93)

Hi,

> Is this patch applied to strongSwan 4.3.1 and above?

No, it is a workaround, but not the clean solution (it breaks mixed v4/v6 tunnels).

> Or can you give me the patch?

Attached. The issue has been fixed in the kernel with 2.6.29. For older kernels, apply http://kerneltrap.org/mailarchive/linux-netdev/2008/11/25/4231304

Regards
Martin
[strongSwan] question about the EAP-SIM authentication
Hi Martin,

Excuse me. I have one question about the EAP-SIM authentication. When I read the code of the EAP-SIM authentication, I found that RAND is read from triplet.dat rather than received from the server. And I referred to some materials on EAP-SIM authentication and found that RAND is an input parameter (received from the server) for the SIM, which will be used to calculate SRES and Kc (through the A3 and A8 algorithms), and I don't know why RAND is also treated as an output from the SIM (triplet.dat) in the strongSwan implementation.

Looking forward to your answer. Thanks.

Best Regards,
David
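An added illustration of the role a triplet file plays when no real SIM is present (editor's own Go code, not strongSwan's EAP-SIM implementation): the EAP server picks triplets and sends only their RANDs; a peer without a SIM cannot run A3/A8, so its file-backed stand-in must find the entry for the received RAND to recover SRES and Kc; both sides then derive MK per RFC 4186 section 7, from which K_aut and MSK follow. The "IMSI,RAND,SRES,Kc" line layout, the identity form, the fixed NONCE_MT and the triplet values are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// Triplet is one GSM authentication triplet: what the SIM's A3/A8 produce for a RAND.
type Triplet struct {
	RAND [16]byte
	SRES [4]byte
	Kc   [8]byte
}

// parseTriplets reads "IMSI,RAND,SRES,Kc" lines (hex fields) keyed by IMSI. The layout is
// an assumption made for this example, not a description of strongSwan's triplets file.
func parseTriplets(text string) (map[string][]Triplet, error) {
	db := map[string][]Triplet{}
	for _, line := range strings.Split(text, "\n") {
		if line = strings.TrimSpace(line); line == "" || line[0] == '#' {
			continue
		}
		f := strings.Split(line, ",")
		if len(f) != 4 {
			return nil, fmt.Errorf("need IMSI,RAND,SRES,Kc: %q", line)
		}
		var t Triplet
		for i, dst := range [][]byte{t.RAND[:], t.SRES[:], t.Kc[:]} {
			b, err := hex.DecodeString(f[i+1])
			if err != nil || len(b) != len(dst) {
				return nil, fmt.Errorf("field %d of %q: want %d hex bytes", i+1, line, len(dst))
			}
			copy(dst, b)
		}
		db[f[0]] = append(db[f[0]], t)
	}
	return db, nil
}

// simAnswer stands in for the SIM on the peer: a real SIM computes (SRES, Kc) = A3/A8(Ki, RAND);
// a file-backed stand-in can only look the received RAND up, so the peer's file must carry RAND too.
func simAnswer(db map[string][]Triplet, imsi string, rand [16]byte) (Triplet, error) {
	for _, t := range db[imsi] {
		if t.RAND == rand {
			return t, nil
		}
	}
	return Triplet{}, fmt.Errorf("%s: RAND %x not in triplet file, cannot answer", imsi, rand)
}

// masterKey is MK from RFC 4186 section 7: SHA1(Identity | n*Kc | NONCE_MT | Version List |
// Selected Version). K_aut (for AT_MAC) and MSK derive from it, so a differing Kc shows up as an AT_MAC failure.
func masterKey(identity string, kcs [][8]byte, nonceMT [16]byte, versions []uint16, selected uint16) []byte {
	h := sha1.New()
	h.Write([]byte(identity))
	for _, kc := range kcs {
		h.Write(kc[:])
	}
	h.Write(nonceMT[:])
	for _, v := range append(append([]uint16{}, versions...), selected) {
		h.Write([]byte{byte(v >> 8), byte(v)})
	}
	return h.Sum(nil)
}

// runExchange: the server picks n triplets and sends only their RANDs, the peer answers from its file.
func runExchange(sdb, pdb map[string][]Triplet, imsi string, n int) (bool, error) {
	if len(sdb[imsi]) < n {
		return false, fmt.Errorf("%s: server has %d triplets, needs %d", imsi, len(sdb[imsi]), n)
	}
	var nonceMT [16]byte
	copy(nonceMT[:], "constructed-nonce") // random from the peer in a real run
	var serverKc, peerKc [][8]byte
	for _, t := range sdb[imsi][:n] {
		answer, err := simAnswer(pdb, imsi, t.RAND) // AT_RAND carries only RAND
		if err != nil {
			return false, err
		}
		serverKc, peerKc = append(serverKc, t.Kc), append(peerKc, answer.Kc)
	}
	id := "1" + imsi + "@example.org" // assumed EAP-SIM permanent identity form
	return bytes.Equal(masterKey(id, serverKc, nonceMT, []uint16{1}, 1),
		masterKey(id, peerKc, nonceMT, []uint16{1}, 1)), nil
}

// goodTriplets is constructed sample data, not real subscriber material.
const goodTriplets = `# IMSI,RAND,SRES,Kc
232010000000001,00112233445566778899aabbccddeeff,a1b2c3d4,0123456789abcdef
232010000000001,ffeeddccbbaa99887766554433221100,deadbeef,fedcba9876543210
`

func main() {
	sdb, _ := parseTriplets(goodTriplets)
	pdb, _ := parseTriplets(strings.Replace(goodTriplets, "fedcba9876543210", "0000000000000000", 1)) // peer holds a different Kc for RAND #2
	same, err := runExchange(sdb, sdb, "232010000000001", 2)
	fmt.Println("identical files, MK agrees:", same, err)
	same, err = runExchange(sdb, pdb, "232010000000001", 2)
	fmt.Println("peer Kc differs, MK agrees:", same, err)
}
```

The two failure modes a practitioner meets with file-backed triplets both appear here: a RAND the peer's file does not contain cannot be answered at all, and a Kc that differs for the same RAND still produces a valid-looking exchange whose keys disagree, which only surfaces later as a MAC failure.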
[strongSwan] one question about the Subjectid and SubjectAltName of two peers
Hi Both,

I have one question about the SubjectID and SubjectAltName to ask you: now I want to configure the SubjectID or SubjectAltName automatically rather than configure these items manually. Today I tried the following method: reading the result generated by the command ipsec listcerts after the certificates have been loaded by strongSwan. But I found that sometimes certificates cannot be loaded in some scenarios, such as EAP-SIM or EAP-AKA related cases. Can I automatically obtain the SubjectID and SubjectAltName from the two peers' certificates in my own application by using other current mechanisms provided by strongSwan, such as the certificate loading and parsing mechanism? If so, how can I do it and what should I pay attention to? Thanks.

Best Regards,
David
[strongSwan] Re: about two peers communication over IPSec
Hi Roger,

You can try a virtual machine; maybe it will resolve your problem.

Best Regards,
David

-----Original Message-----
From: users-boun...@lists.strongswan.org [mailto:users-boun...@lists.strongswan.org] On behalf of Zhang, Long (Roger)
Sent: 2009-09-08 22:03
To: 'Martin Willi'
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] about two peers communication over IPSec

Martin,

Thanks for your reply. I am doing a host-to-net test that needs an IPsec tunnel set up between client A and server B. The inner virtual IP address is required to be allocated. After the IPsec tunnel is set up, I want to send messages with the inner virtual IP address to peer C through B. I am thinking whether C can reside on server B. Then I do not need to set up a 3rd machine for C; currently I only have 2 machines.

Regards,
Roger

-----Original Message-----
From: Martin Willi [mailto:mar...@strongswan.org]
Sent: 2009-09-08 21:24
To: Zhang, Long (Roger)
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] about two peers communication over IPSec

Hi,

> A is client, B is server. Can server B get an inner IP address also?

In theory, yes. IKEv2 provides a pull (CFG request/response) and a push (CFG set/ack) mode to assign inner IP addresses (IKEv1 provides a similar concept). However, the push mode is rarely used, as you normally assign addresses of (a part of) the internal network to connecting clients. Usually you would statically assign e.g. 10.0.0.1/16 to the responder and hand out inner addresses dynamically from the 10.0.1.0/24 pool to each connecting client. We do not support this push mode in IKEv2, only the pull mode.

> Or can server B only work as a router, and client A only talk with C through B?

B can assign inner IPs of a subnet to both clients and route packets between A and C. If B has an IP (statically) assigned in that tunnel, it can also communicate with A and C.

> As I have applications that need to run over IPsec tunnel mode, if server B can only work as a router, I need to introduce a 3rd PC and configure B as a router. If B can have an inner IP, then A and B can talk over IPsec with the inner IP.

There is actually no need to assign an inner IP in tunnel mode. If you have unique IP addresses on each node and communicate host-to-host only, it may be simpler without. Inner IP addresses are useful if:

- You have clients behind NAT, potentially using the same inner IP (e.g. from the often used 192.168.1.0/24 private addresses).
- You do host-to-net tunneling and you have to make sure that traffic back from net to host goes through your IPsec gateway.

Regards
Martin
[strongSwan] An issue about the ipsec starter
Hi Martin, Hi Andreas, Hi All,

When I set left=%defaultroute in ipsec.conf and start ipsec, the following is always indicated:

    Starting strongSwan 4.3.3 IPsec [starter]...
    no default route - cannot cope with %defaultroute!!!
    # default route not known: left=%defaultroute
    bad argument value in conn 'rw-home'

I checked the strongSwan mailing list and found this issue has been reported in an old mail:

https://lists.strongswan.org/pipermail/users/2009-March/003295.html

I thought this issue should have been resolved and could only occur again in a specific environment, is that right? If so, what environment can cause this issue again, and how can I resolve this issue if I really want the default route to be obtained automatically? In my current environment, some commands are not supported, such as the iproute2-related commands and iptables.

Looking forward to your answers, thanks.

Best Regards,
David
[strongSwan] unable to initiate to %any
Hi Martin, Hi all,

When I try to find out the mechanism of virtual IP and initiate strongSwan with the following configuration, I always get the error indication: unable to initiate to %any. Please give me a clue to trace down this problem, thanks.

Configuration of the two peers:

-----[moon]-----
config setup
    strictcrlpolicy=no
    plutostart=no
    keep_alive=40m

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn host-host
    left=172.19.2.13
    leftfirewall=yes
    leftcert=/usr/local/etc/ipsec.d/certs/moonCert.pem
    leftsubnet=192.168.253.0/24
    right=%any
    rightsourceip=%config
    auto=add

-----[sun]-----
config setup
    strictcrlpolicy=no
    plutostart=no
    keep_alive=40m

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn home
    left=172.19.2.88
    leftsourceip=192.168.253.88
    leftcert=/usr/local/etc/ipsec.d/certs/sunCert.pem
    leftfirewall=yes
    right=172.19.2.13
    rightsubnet=192.168.253.0/24
    auto=add

BTW, I still have the following two questions:
1) What is the mechanism of virtual IP?
2) Can I simulate a gateway by setting a secondary IP address on a Linux PC? If it is feasible, how?

Best Regards,
David
[strongSwan] Re: unable to initiate to %any
Hi Andreas,

I got it. Thanks for your help. I have another question to ask: what if leftid and rightid are not provided when I configure the two peers? If I do not provide this information, will it adopt the subject ID in the certificate? Is that right?

Best Regards,
David

-----Original Message-----
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: 2009-08-27 18:58
To: weiping deng
Cc: 'Martin Willi'; users@lists.strongswan.org
Subject: Re: [strongSwan] unable to initiate to %any

Hi David,

with right=%any you cannot actively initiate a connection as an initiator since the peer's IP address is not known. You can only act as a passive responder waiting for the other side to initiate.

Regards

Andreas

weiping deng wrote:
> Hi Martin, Hi all,
>
> When I try to find out the mechanism of virtual IP and initiate strongSwan with the following configuration, I always get the error indication: unable to initiate to %any. Please give me a clue to trace down this problem, thanks.

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
[strongSwan] Re: Re: unable to initiate to %any
Hi Andreas,

I always think it is inconvenient to let users configure leftid and rightid with the complete DN or SubjectAltName. Does the current version of strongSwan support acquiring these two pieces of information automatically, even if the certificate is configured never to be sent? If it is not supported, is there a plan to support this?

Best Regards,
David

-----Original Message-----
From: users-boun...@lists.strongswan.org [mailto:users-boun...@lists.strongswan.org] On behalf of weiping deng
Sent: 2009-08-28 10:24
To: 'Andreas Steffen'
Cc: users@lists.strongswan.org
Subject: [strongSwan] Re: unable to initiate to %any

> Hi Andreas,
>
> I got it. Thanks for your help. I have another question to ask: what if leftid and rightid are not provided when I configure the two peers? If I do not provide this information, will it adopt the subject ID in the certificate? Is that right?
>
> Best Regards,
> David
[strongSwan] [strongswan] -- problem on EAP-AKA authentication case
Hi all,

When I was verifying the test case ikev2/rw-eap-aka-rsa, I encountered the following error:

    Parsed IKE_AUTH response 1 [IDr CERT AUTH EAP]
    ...
    Server requested EAP_AKA authentication
    Received MAC does not match XMAC, sending AKA_AUTHENTICATION_REJECT
    ...

It seems that the verification of the MAC in the authentication procedure failed! And it is hard work for me to locate the error in the MAC and XMAC calculation. So can anyone help me? Thanks in advance!

The configuration of the two peers is:

1) ipsec.secrets of MOON:

    : RSA /etc/ipsec.d/private/monkey.pem
    ca...@strongswan.org : EAP "Ar3etTnp01qlp0gb"

2) ipsec.secrets of CAROL:

    ca...@strongswan.org : EAP "Ar3etTnp01qlp0gb"

Best Regards,
David
[strongSwan] Re: [strongswan] -- problem on EAP-AKA authentication case
After checking the whole procedure of EAP-AKA, it seems that the AK calculated from f5(...) is not equal on the two peers. So who can give me some clue for this problem? Please help, thanks!

-----Original Message-----
From: users-boun...@lists.strongswan.org [mailto:users-boun...@lists.strongswan.org] On behalf of weiping deng
Sent: 2009-07-07 16:58
To: users@lists.strongswan.org
Subject: [strongSwan] [strongswan] -- problem on EAP-AKA authentication case

> Hi all,
>
> When I was verifying the test case ikev2/rw-eap-aka-rsa, I encountered the following error:
>
>     Parsed IKE_AUTH response 1 [IDr CERT AUTH EAP]
>     ...
>     Server requested EAP_AKA authentication
>     Received MAC does not match XMAC, sending AKA_AUTHENTICATION_REJECT
>     ...
>
> It seems that the verification of the MAC in the authentication procedure failed!
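An added example for checking the f5/AK calculation David is chasing (editor's own Go code, not strongSwan's EAP-AKA plugin). It implements Milenage (3GPP TS 35.206) f1..f5; Milenage is one of several AKA algorithm sets, so whether it is the one a given deployment uses is an assumption of this example, which is exactly the "different variations" point Martin made earlier in the thread. The inputs are test set 1 of 3GPP TS 35.207, so each side of a failing setup can be compared against published values. It also plays the AUTN check the USIM side performs, where a K or OP mismatch between the peers turns into the MAC/XMAC failure seen in the log.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Milenage implements f1..f5 of 3GPP TS 35.206 from the subscriber key K and OPc.
type Milenage struct {
	blk cipher.Block
	opc [16]byte
}

// hex16 decodes a 32-digit hex constant into a 16-byte array (callers pass constants).
func hex16(s string) (out [16]byte) {
	b, _ := hex.DecodeString(s)
	copy(out[:], b)
	return
}

// NewMilenage derives OPc = OP xor AES_K(OP) and keeps the AES key schedule.
func NewMilenage(k, op [16]byte) *Milenage {
	m := &Milenage{}
	m.blk, _ = aes.NewCipher(k[:]) // a 16-byte key never fails
	m.blk.Encrypt(m.opc[:], op[:])
	for i := range m.opc {
		m.opc[i] ^= op[i]
	}
	return m
}

// f is the shape shared by all five functions: AES_K(rot(v xor OPc, r) xor c xor extra) xor OPc.
// shift is (16 - r/8) mod 16 bytes, so byte i lands at (i+shift) mod 16 (r1..r5 = 64, 0, 32, 64, 96
// bits give shifts 8, 0, 12, 8, 4); c goes into the last byte; extra is TEMP for f1, zero otherwise.
func (m *Milenage) f(v [16]byte, shift int, c byte, extra [16]byte) []byte {
	x, o := [16]byte{}, make([]byte, 16)
	for i := 0; i < 16; i++ {
		x[(i+shift)%16] = v[i] ^ m.opc[i] ^ extra[(i+shift)%16]
	}
	x[15] ^= c
	m.blk.Encrypt(o, x[:])
	for i := range o {
		o[i] ^= m.opc[i]
	}
	return o
}

// Vectors: f1 MAC-A, f1* MAC-S, f2 RES, f3 CK, f4 IK, f5 AK, f5* AK* (resynchronisation).
type Vectors struct{ MACA, MACS, RES, CK, IK, AK, AKStar []byte }

func (m *Milenage) Compute(rand [16]byte, sqn [6]byte, amf [2]byte) Vectors {
	var x, in1, temp, zero [16]byte
	half := append(sqn[:], amf[:]...) // IN1 = SQN || AMF || SQN || AMF
	for i := range x {
		x[i], in1[i] = rand[i]^m.opc[i], half[i%8]
	}
	m.blk.Encrypt(temp[:], x[:])                          // TEMP = AES_K(RAND xor OPc)
	o1, o2 := m.f(in1, 8, 0, temp), m.f(temp, 0, 1, zero) // OUT1 -> f1/f1*, OUT2 -> f2/f5
	return Vectors{MACA: o1[:8], MACS: o1[8:], RES: o2[8:], AK: o2[:6],
		CK: m.f(temp, 12, 2, zero), IK: m.f(temp, 8, 4, zero), AKStar: m.f(temp, 4, 8, zero)[:6]}
}

// BuildAUTN is the network side: AUTN = (SQN xor AK) || AMF || MAC-A.
func BuildAUTN(sqn [6]byte, amf [2]byte, v Vectors) []byte {
	autn := make([]byte, 16)
	for i := range sqn {
		autn[i] = sqn[i] ^ v.AK[i]
	}
	copy(autn[6:], amf[:])
	copy(autn[8:], v.MACA)
	return autn
}

// CheckAUTN is the USIM side: unmask SQN with its own AK (f5), recompute MAC-A (f1) and compare.
// A different K or OP on the peer gives a different AK, so SQN and then the MAC cannot match.
func (m *Milenage) CheckAUTN(rand [16]byte, autn []byte) (bool, error) {
	if len(autn) != 16 {
		return false, errors.New("AUTN must be 16 bytes")
	}
	amf := [2]byte{autn[6], autn[7]}
	ak := m.Compute(rand, [6]byte{}, amf).AK // AK depends on RAND only, not on SQN
	var sqn [6]byte
	for i := range sqn {
		sqn[i] = autn[i] ^ ak[i]
	}
	mac := m.Compute(rand, sqn, amf).MACA
	return subtle.ConstantTimeCompare(mac, autn[8:]) == 1, nil
}

func main() {
	// Test set 1 of 3GPP TS 35.207: a correct run prints AK=aa689c648370 and RES=a54211d5e3ba50bf.
	op, rand := hex16("cdc202d5123e20f62b6d676ac72cb318"), hex16("23553cbe9637a89d218ae64dae47bf35")
	m, sqn, amf := NewMilenage(hex16("465b5ce8b199b49faa5f0a2ee238a6bc"), op), [6]byte{0xff, 0x9b, 0xb4, 0xd0, 0xb6, 0x07}, [2]byte{0xb9, 0xb9}
	v := m.Compute(rand, sqn, amf)
	ok, _ := m.CheckAUTN(rand, BuildAUTN(sqn, amf, v))
	bad, _ := NewMilenage([16]byte{}, op).CheckAUTN(rand, BuildAUTN(sqn, amf, v)) // peer with a wrong K
	fmt.Printf("OPc=%x AK=%x RES=%x\nright K accepts AUTN: %v, wrong K accepts AUTN: %v\n", m.opc, v.AK, v.RES, ok, bad)
}
```

To use it against a real failure, feed each peer's configured K/OP and the RAND from the captured AT_RAND into Compute and compare AK on both sides before looking at the MAC at all; if the algorithm set in use is not Milenage, the same structure (derive AK, unmask SQN, recompute MAC) still applies but the f-functions must be swapped.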
[strongSwan] help --- cannot insmod esp4.ko
Hi all,

When I want to run strongSwan on the basis of NETKEY, I encountered the following problem. Please help to check. Thanks!

Issue description:
==================
Linux kernel: 2.6.18

Selected modules:
1) user configuration interface
2) PF_KEY sockets
3) advanced router
4) policy routing
5) AH transformation
6) ESP transformation
7) IPComp transformation
8) IPsec transport mode
9) IPsec tunnel mode
10) IPsec "policy" match support

Encountered issue: when I cross-compiled the kernel, generated the uImage, downloaded the .ko files to the ARM board and then insmod'ed them, all .ko files could be installed successfully except esp4.ko, and the following error can be seen:

    esp4: Unknown symbol skb_cow_data
    esp4: Unknown symbol pskb_put
    esp4: Unknown symbol skb_to_sgvec
    insmod: error inserting 'esp4.ko': -1 Unknown symbol in module

After I checked /proc/kallsyms, I found that these symbols are actually not in it. But when I checked System.map, I found these symbols. Did anybody encounter the same issue? Please help me, thanks in advance!

Best Regards,
David
[strongSwan] [help]: please help to find the root cause of the AUTHENTICATION_FAILED problem, thanks!
Hi All,

I am trying to use certificates to authenticate strongSwan peers. I followed the steps mentioned in the configuration documentation of strongSwan to generate CA and end entity certificates using openssl. After all certificates had been created, I ran ipsec start on the two hosts and ipsec up host-host on moon. But I have encountered the AUTHENTICATION_FAILED problem. Can anyone help me find the root cause of this problem? Thanks a lot!

The log information on host moon is listed as follows:

Jun 5 14:43:03 JerryPico ipsec_starter[17495]: Starting strongSwan 4.2.14 IPsec [starter]...
Jun 5 14:43:04 JerryPico charon: 01[DMN] starting charon (strongSwan Version 4.2.14)
Jun 5 14:43:04 JerryPico charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jun 5 14:43:04 JerryPico charon: 01[LIB] loaded certificate file '/etc/ipsec.d/cacerts/strongswanCert.pem'
Jun 5 14:43:04 JerryPico charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jun 5 14:43:04 JerryPico charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jun 5 14:43:04 JerryPico charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jun 5 14:43:04 JerryPico charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
Jun 5 14:43:04 JerryPico charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
Jun 5 14:43:04 JerryPico charon: 01[CFG] loaded private key file '/etc/ipsec.d/private/sunKey.pem'
Jun 5 14:43:04 JerryPico charon: 01[DMN] loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
Jun 5 14:43:04 JerryPico charon: 01[KNL] listening on interfaces:
Jun 5 14:43:04 JerryPico charon: 01[KNL]   eth0
Jun 5 14:43:04 JerryPico charon: 01[KNL]     172.19.2.112
Jun 5 14:43:04 JerryPico charon: 01[KNL]     fe80::20c:29ff:fe18:698e
Jun 5 14:43:04 JerryPico charon: 01[JOB] spawning 16 worker threads
Jun 5 14:43:04 JerryPico ipsec_starter[17503]: charon (17504) started after 40 ms
Jun 5 14:43:04 JerryPico charon: 17[CFG] received stroke: add connection 'host-host'
Jun 5 14:43:04 JerryPico charon: 17[LIB] loaded certificate file '/etc/ipsec.d/certs/sunCert.pem'
Jun 5 14:43:04 JerryPico charon: 17[CFG] peerid 172.19.2.112 not confirmed by certificate, defaulting to subject DN
Jun 5 14:43:04 JerryPico charon: 17[LIB] loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'
Jun 5 14:43:04 JerryPico charon: 17[CFG] added configuration 'host-host': 172.19.2.112[C=CH, ST=BEIJING, O=PICOCHIP, OU=SECURITY, CN=SUN, e=s...@picochip.com]...172.19.2.123[c=ch, ST=BEIJING, O=PICOCHIP, OU=SECURITY, CN=DAVID, e=weipi...@picochip.com]
Jun 5 14:43:23 JerryPico charon: 08[NET] received packet: from 172.19.2.123[500] to 172.19.2.112[500]
Jun 5 14:43:23 JerryPico charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun 5 14:43:23 JerryPico charon: 08[IKE] 172.19.2.123 is initiating an IKE_SA
Jun 5 14:43:23 JerryPico charon: 08[IKE] 172.19.2.123 is initiating an IKE_SA
Jun 5 14:43:23 JerryPico charon: 08[IKE] sending cert request for C=CH, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=DAVID, e=weipi...@picochip.com
Jun 5 14:43:23 JerryPico charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Jun 5 14:43:23 JerryPico charon: 08[NET] sending packet: from 172.19.2.112[500] to 172.19.2.123[500]
Jun 5 14:43:24 JerryPico charon: 09[NET] received packet: from 172.19.2.123[4500] to 172.19.2.112[4500]
Jun 5 14:43:24 JerryPico charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Jun 5 14:43:24 JerryPico charon: 09[IKE] received cert request for C=CH, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=DAVID, e=weipi...@picochip.com
Jun 5 14:43:24 JerryPico charon: 09[IKE] received end entity cert C=CH, ST=BEIJING, O=PICOCHIP, OU=SECURITY, CN=DAVID, e=weipi...@picochip.com
Jun 5 14:43:24 JerryPico charon: 09[CFG] using trusted ca certificate C=CH, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=DAVID, e=weipi...@picochip.com
Jun 5 14:43:24 JerryPico charon: 09[CFG] checking certificate status of C=CH, ST=BEIJING, O=PICOCHIP, OU=SECURITY, CN=SUN, e=s...@picochip.com
Jun 5 14:43:24 JerryPico charon: 09[CFG] certificate status is not available
Jun 5 14:43:24 JerryPico charon: 09[CFG] using trusted certificate C=CH, ST=BEIJING, O=PICOCHIP, OU=SECURITY, CN=SUN, e=s...@picochip.com
Jun 5 14:43:24 JerryPico charon: 09[IKE] signature validation failed, looking for another key
Jun 5 14:43:24 JerryPico charon: 09[CFG] using certificate C=CH, ST=BEIJING, O=PICOCHIP, OU=SECURITY, CN=DAVID, e=weipi...@picochip.com
Jun 5 14:43:24 JerryPico charon: 09[CFG] using trusted ca certificate C=CH, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=DAVID,