are set to 1.
Best Regards
Mugur
-Original Message-
From: Martin Willi [mailto:mar...@strongswan.org]
Sent: Monday 4 August 2014 11:36
To: ABULIUS, MUGUR (MUGUR)
Cc: users@lists.strongswan.org; SCARAZZINI, FABRICE (FABRICE); DIMA, CIPRIAN
(CIPRIAN); WASNIEWSKI, ALAIN (ALAIN)
Subject: Re
Hi Martin
in the end you'll just have to respond appropriately to the
XFRM_MSG_GETSA/XFRM_MSG_GETPOLICY requests with SA usage information
Thank you
Regards
Martin
___
Users mailing list
Users@lists.strongswan.org
Hello,
In our Bump In The Wire IPsec implementation (strongSwan 4.5.2-al4) the
INFORMATIONAL messages are periodically sent even if there is traffic on the
tunnel. Since the tunnel traffic is not seen by Linux this seems normal.
Is there any way to tell strongSwan that there is traffic in
Hello Andreas,
strongSwan only supports SHA-1 with the RSA Digital
Signature AUTH payload
Thank you very much for clarification.
Best Regards
Mugur
Hello,
Can you please specify whether strongSwan supports RSA digital signatures using SHA-256 as the hash function for the IKEv2 Authentication Payload?
The RFC 5596 (IKEv2) at §3.8 Authentication Payload makes reference to the RSAES-PKCS1-v1_5 signature scheme, for which the RFC 3447 includes SHA-256.
Best
Hello,
Our application using StrongSwan requires up to 20 trust anchors in the CERTREQ
payload.
Can you please specify what the theoretical/practical limitations are for this number?
Does strongSwan loop over the list of trust anchors up to the first match (if any) and then stop?
Best Regards
Hi Martin,
Thanks for the very useful information.
Regards,
Mugur
Hi Andreas, Martin
Thanks for your quick answers.
kind regards,
Mugur
Hi Martin,
CRL fetching is delegated to libcurl (http://curl.haxx.se/libcurl/).
Thanks.
According to http://curl.haxx.se/mail/lib-2012-11/0079.html and http://curl.haxx.se/mail/lib-2012-11/0080.html, libcurl uses a hardcoded value (=80)
Regards
Mugur
Hi Martin,
Fetching a CRL inside the tunnel to check the certificate status
for the same tunnel does not work: it is a hen-egg problem. With
a strict CRL policy, you can't establish the tunnel, because you
have no CRL. And you can't fetch a CRL, because you don't have a tunnel yet.
In case
Hello,
Can you please help to determine if there are any issues at initialization and during the life of an IPsec tunnel if CRLs are retrieved via this same IPsec tunnel?
Are there any additional issues if the connection uses the configuration payload in order to request a Virtual IP from the peer?
Hi Martin,
Thank you for clarification
Regards
Mugur
Thank you Andreas for this useful information
Regards
Mugur
Hello,
Can you please confirm that the IKEv2 retransmission algorithm based on
charon.retransmit_base
charon.retransmit_timeout
charon.retransmit_tries
also applies to IKE_SA_INIT requests?
Thank you
Mugur
Hi Martin,
Thank you for the reply.
Yes, those options apply to IKE_SA_INIT requests as well.
However, IKE_SA_INIT requests are additionally affected
by the keyingtries
Does 'keyingtries' always supersede 'retransmit_tries', or only when it is smaller?
Best Regards
Mugur
Sent: Wednesday 14 December 2011 21:07
To: ABULIUS, MUGUR (MUGUR)
Cc: Martin Willi; SCARAZZINI, FABRICE (FABRICE); Pisano, Stephen G (Stephen);
users@lists.strongswan.org; WASNIEWSKI, ALAIN (ALAIN)
Subject: Re: [strongSwan] RFC 4325 support - Authority Information Access CRL
Extension
Hello Mugur
Hello,
The ALPHA connection continuously goes up and down if '/etc/ipsec.d/cacerts' contains 2 certificates that are the same. In this test the CAs hierarchy has only one level (the anchor is the certificate of the signing CA of the local system). The local system (initiator of IKE connection)
Hello Andreas,
the only alternative to extracting http CDPs from end entity certificates
is to define additional CDPs in ipsec.conf in a special ca section
Thank you. Assuming that the retrieved CRL was signed by CA1, my question is: Does strongSwan expect a X.509 certificate with a subject
Hello,
Does Charon support the Authority Information Access CRL Extension as specified by the RFC 4325?
If this extension is supported, can you please specify in a few words how strongSwan retrieves, where it stores, and when and how it uses the certificate of the CRL issuer from this
Hello Martin,
No, we currently don't support the Authority Information Access extension in
CRLs.
Regards
Mugur
Hello Martin,
No, we currently don't support the Authority Information Access extension in
CRLs.
Thank you for the answer.
1. What is the behavior of strongSwan when it receives a X.509 certificate with an AIA extension? Is the extension ignored, or is there some specific processing?
2. We are
Hello,
Does charon remove CRL files cached in the /etc/ipsec.d/crls directory when it is started?
Best Regards
Mugur
To: ABULIUS, MUGUR (MUGUR)
Cc: users@lists.strongswan.org; SCARAZZINI, FABRICE (FABRICE); Pisano, Stephen
G (Stephen); WASNIEWSKI, ALAIN (ALAIN)
Subject: Re: [strongSwan] How to bypass CRL checks?
Hello Mugur,
with IKEv2 revocation checks can be easily disabled by not loading the
revocation plugin
Hi,
Assuming the ipsec.conf defines several connections with different left= and
right= values, which source IP@ is used by strongSwan to retrieve CRLs from a
CDP? In our case URI is a HTTP URI. Charon is used.
Best Regards
Mugur
...@strongswan.org]
Sent: Wednesday 23 November 2011 19:30
To: ABULIUS, MUGUR (MUGUR)
Cc: users@lists.strongswan.org; SCARAZZINI, FABRICE (FABRICE); Pisano, Stephen
G (Stephen); WASNIEWSKI, ALAIN (ALAIN)
Subject: Re: [strongSwan] Which source IP@ is used to retrieve CRLs?
Hello Mugur,
I don't quite understand
Hello,
Our understanding in case of setting strictcrlpolicy to **no** for charon is that strongSwan denies the authentication if the certificate appears in the fetched CRL. But, if the certificate does not specify an uri or if the CRL can't be fetched, the authentication is not denied.
Can you
Hi Martin,
Thank you for your help.
On our strongSwan systems we want to switch on/off the
CRL checks. If the check is switched off then even if received
certificate specifies a CDP extension toward an accessible
remote CRL we don't want that strongSwan rejects the IKE
connection even if the
Hello,
We are running Charon with the strictcrlpolicy option. Because the option is
part of the config setup section my understanding is that the same value of the
option applies to all connections in ipsec.conf. However, our system has
connections (IPsec tunnels) with several customers and
Hi Martin,
Is the introduction of this new option planned for the near future?
Best Regards
Mugur
-Original Message-
From: Martin Willi [mailto:mar...@strongswan.org]
Sent: Friday 18 November 2011 14:55
To: ABULIUS, MUGUR (MUGUR)
Cc: 'users@lists.strongswan.org'; Pisano, Stephen G
Hi Martin,
Adding a new ESP cipher is possible, but not straight forward.
You'll need to add support in several layers:
1) First, of course, the kernel needs support for this algorithm
in the crypto API
2) The kernel needs support for the new algorithm in the XFRM
subsystem.
3)
Hello,
In my configuration the strongSwan system initiates IKEv2 connections with two different Security Gateways (SEGs) and uses two distinct certificates (leftcert=) for them. In general, the certificates for each SEG are administered by different entities. Certificates in the strongSwan
Hello,
For left|rightca the ConnSection documentation says:
the distinguished name of a certificate authority which is required to lie in the trust path going from the left|right participant's certificate up to the root certification authority.
Can you confirm please that the rightca is the
Hello,
The Synopsis and examples of the ipsec pki -req command at http://wiki.strongswan.org/projects/strongswan/wiki/IpsecPkiReq suggest that the only supported output format of a certificate request file is binary DER.
How can a certificate request file be created in PEM format with strongSwan
Hi Martin,
the only supported output format of a certificate request file is
binary DER.
For which reason would one choose ipsec pki -req on a strongSwan system instead of openssl to generate certificate request files in DER format?
More general question: Do you know which one of DER or PEM
Hello,
How does strongSwan address the following RFC4306 requirement? Is there any strongSwan parameter to manage the CREATE_CHILD_SA exchange?
[[[...Repeated rekeying using CREATE_CHILD_SA without additional Diffie-Hellman exchanges leaves all SAs vulnerable to cryptanalysis of a single key or
strongSwan specific feature or it is specified by a RFC?
It is strongSwan specific, other implementations might do this differently.
You'll have to check this with your other implementation,
maybe there are ways to do this manually.
Regards
Martin
Similarly I wish to apply to SCTP packets a
Mugur
-Original Message-
From: Martin Willi [mailto:mar...@strongswan.org]
Sent: Tuesday 19 January 2010 11:37
To: ABULIUS, MUGUR (MUGUR)
Cc: users@lists.strongswan.org; SCARAZZINI, FABRICE (FABRICE); ROSSI, MICHEL MR
(MICHEL); Salvarani, Alexandro (Alex); Pisano, Stephen G (Stephen)
Subject
Message-
From: Martin Willi [mailto:mar...@strongswan.org]
Sent: Tuesday 19 January 2010 14:40
To: ABULIUS, MUGUR (MUGUR)
Cc: users@lists.strongswan.org; SCARAZZINI, FABRICE (FABRICE); Salvarani,
Alexandro (Alex); ROSSI, MICHEL MR (MICHEL); Pisano, Stephen G (Stephen)
Subject: RE: [strongSwan
Hello,
Does strongSwan allow different esp= cipher suites for different conn name directives of the same tunnel?
Example:
    conn proto1
        also=host-host
        leftsubnet=10.5.0.0/16
        rightsubnet=10.6.0.0/16
        leftprotoport=tcp
        rightprotoport=tcp/http
        esp=aes128-sha256-modp2048!
Hello Andreas,
Thank you very much
So, each conn corresponds to exactly one CHILD_SA
Best Regards
Mugur
-Original Message-
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: Sunday 27 December 2009 14:42
To: ABULIUS, MUGUR (MUGUR)
Cc: users@lists.strongswan.org; Pisano
Hello,
I looked at the strongSwan connection parameters (http://wiki.strongswan.org/wiki/1/ConnSection) and I am not sure how to define several tunnels between the same endpoints, each tunnel with several traffic selectors.
In my understanding an independent tunnel is defined by a conn name
(subnets and protos) are exactly protected by the
first CHILD_SA and which by the second CHILD_SA?
Best Regards
Mugur
-Original Message-
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: Saturday 26 December 2009 14:48
To: ABULIUS, MUGUR (MUGUR)
Cc: users
for different IPsec-ed flows between two peers?
Best Regards
Mugur
-Original Message-
From: ABULIUS, MUGUR (MUGUR)
Sent: Saturday 26 December 2009 18:22
To: Andreas Steffen
Cc: users@lists.strongswan.org; Pisano, Stephen G (Stephen); ROSSI, MICHEL MR
(MICHEL); SCARAZZINI, FABRICE (FABRICE
Hello Andreas,
Do you have any plan to allow for more than one IKE_SA between two peers? This
may help for enhanced QoS class management.
Best Regards
Mugur
-Original Message-
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: Saturday 26 December 2009 18:59
To: ABULIUS