Re: [strongSwan] strict crl policy

2021-09-26 Thread Andreas Steffen
uniqueids = no ====== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org strongSec GmbH, 8952 Schlieren (Switzerland) ==

Re: [strongSwan] docker strongswan image

2021-09-24 Thread Andreas Steffen
idential; Commercially Sensitive Business Data ====== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org strongSec GmbH, 8952 Schlieren (Switzerland) ==

Re: [strongSwan] PGP Key used for signing

2021-07-07 Thread Andreas Steffen
15A 211B 6390  60A9 E30D 9B9B 3EBF F1A1 > ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org strongSec GmbH, 8952 Schlieren (Switzerland) ==

Re: [strongSwan] Version numbers

2021-06-23 Thread Andreas Steffen
6_64" > > What is the difference between the two versions? Is one 32-bit and one > 64-bit? > > *Dave Pearce* > > Blue Origin OLS > > dpear...@blueorigin.com > =====

[strongSwan] Archived recording of the joint strongSwan and wolfSSL Webinar

2021-06-05 Thread Andreas Steffen
Hi, the recording of the strongSwan and wolfSSL Webinar is now available under the following link: https://www.youtube.com/watch?v=Ul_M3XzRa4Q Best regards Andreas On 28.05.21 13:30, Andreas Steffen wrote: > Please join us for our upcoming webinar with Security Expert Eric > Blank

[strongSwan] Upcoming joint strongSwan and wolfSSL Webinar

2021-05-28 Thread Andreas Steffen
Please join us for our upcoming webinar with Security Expert Eric Blankenhorn from wolfSSL and Andreas Steffen from the strongSwan Project. Leveraging the FIPS-certified security of wolfSSL and the power of strongSwan to make a more perfect VPN! strongSwan and wolfSSL are coming together

Re: [strongSwan] how to increase timeout for "deleting half open IKE_SA with after timeout" ?

2021-05-16 Thread Andreas Steffen
is a 30sec timeout on the IPsec gateway. Is there > a chance to increase this timeout (using stroke, ie. ipsec.conf)? > https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection > mentions only the DPD timeout (150 sec per default) and the inac- > tivity timeout (child sa only,

Re: [strongSwan] OpenIKED strongswan question

2021-03-03 Thread Andreas Steffen
, RG. -- == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions University of Applied Sciences Rapperswil

Re: [strongSwan] Unable to establish connection with Fortigate device

2021-03-01 Thread Andreas Steffen
C8DB81EC258089F8E48EEBB2313BE63C33FF5 I'm fairly new to strongswan so I might have missed something in the server configuration. Any hint is welcome. Thanks [1] https://wiki.strongswan.org/projects/strongswan/wiki/Fortinet -- =========

Re: [strongSwan] Strongswan with ECDSA certificate

2020-12-11 Thread Andreas Steffen
Hello George, you have to enable one of the libstrongswan plugins that support elliptic curve cryptography. Either the openssl, wolfssl or botan plugin. Best regards Andreas On 05.11.20 20:20, george wrote: eature PUBKEY:ECDSA in plugin 'pem' has unmet dependency: PUBKEY:ECDSA

Re: [strongSwan] Is there an official docker image for StrongSwan?

2020-06-28 Thread Andreas Steffen
nk you for advice, > Houman ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions HSR University of Applied Sciences Rapperswil C

Re: [strongSwan] eap auth with 5.8 - how?

2020-05-11 Thread Andreas Steffen
But I think the remote side is not configured for EAP-based client authentication or cannot find its private signature key so AUTHENTICATION FAILED ensues. Any chance of getting the remote log? Andreas On 11.05.20 08:45, Andreas Steffen wrote: > Hi, > > in the remote section you ha

Re: [strongSwan] eap auth with 5.8 - how?

2020-05-11 Thread Andreas Steffen
UP) > N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) > N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] > [NET] sending packet: from xx.XX.yy.YY[4500] to > xx.XX.zz.ZZ[4500] (432 bytes) > [NET] received packet: from xx.XX.zz.ZZ[4500] to > xx.XX.yy.YY[4500] (80 bytes)

Re: [strongSwan] Password protection on private key using PKI tool

2020-03-28 Thread Andreas Steffen
ess of the key install on a client one still > needs the password to use them. > >   > > Regards > > Dries ====== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN So

Re: [strongSwan] configuring android StrongSwan VPN Client 2.2.1

2020-01-07 Thread Andreas Steffen
> change: CONNECTING => DESTROYING > > What do I need to change in the android client configuration? I would > prefer not to touch the linux server as it is working with windows > clients, but will do so if absolutely necessary. Thank you for your > assistance in this matter. >

Re: [strongSwan] Regarding Strongswan and AD

2019-08-15 Thread Andreas Steffen
. > > My setup is: > client -> Strongswan(centos 7) -> radius(free radius,centos 7) -> > AD(Microsoft) > > Can you provide some guidance regarding this? I've to complete this > project this month.  > > Thank you -- =======

Re: [strongSwan] How to determine how many connections are currently active?

2019-07-31 Thread Andreas Steffen
fference between them in this > context? > > Many Thanks, > Houman > > On Wed, 31 Jul 2019 at 11:14, Andreas Steffen > <andreas.stef...@strongswan.org> > wrote: > > Hi Houman, > > you can get the number of active IKE SAs via > >   swanctl --l

Re: [strongSwan] Certificate-based IPsec tunnel failing to complete

2019-07-05 Thread Andreas Steffen
ed > [CFG] no alternative config found > [ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ] > [NET] sending packet: from 172.26.0.85[4500] to $MY_ON_PREM_EXT_IP[4500] (65 > bytes) > initiate failed: establishing CHILD_SA 'net1-net1' failed > > > > > You are re

Re: [strongSwan] Can strongswan tnc be used with TPM 2.0 ?

2019-07-01 Thread Andreas Steffen
NC/PTS feature compliant with TPM 1.2 and TPM 2.0 ? > > Thanks > > > > -- == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Soluti

Re: [strongSwan] Removing individual certs

2019-05-19 Thread Andreas Steffen
> > Thanks. ====== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions HSR University of Applied Sciences Rapperswil CH-

Re: [strongSwan] Error connecting from Fortigate VPN to Strongswan

2019-03-15 Thread Andreas Steffen
e ID 1 Mar 15 00:37:41 klick001 charon: 14[NET] sending packet: from 10.138.0.4[4500] to 200.10.1**.***[4500] (988 bytes) Please assist as we are about to go live soon. Thanks in advance. Moses K =======

Re: [strongSwan] How to improve connection loss when moving from 4G to Wifi?

2019-02-10 Thread Andreas Steffen
eamlessly? > > Many Thanks, > -- ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions HSR University of Applied Sciences Rapper

Re: [strongSwan] length of TRAFFIC_SELECTOR_SUBSTRUCTURE substructure list invalid

2018-10-29 Thread Andreas Steffen
what does 'length of TRAFFIC_SELECTOR_SUBSTRUCTURE substructure > list invalid' means, I tried finding it in RFC, but could not find > the same. > > > Thanks & Regards, > > Yogesh Purohit > > > > -- > Best Regar

Re: [strongSwan] PEAP

2018-09-16 Thread Andreas Steffen
nssl \ > --enable-eap-peap > > NPS > > > > > > Windows 10 reports: > -- == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN S

Re: [strongSwan] (no subject)

2018-09-04 Thread Andreas Steffen
oned for PSK based auth (irrespective of the PSK > chosen by the user)? > > > Thanks, > > Sandesh > > > On Fri, Aug 31, 2018 at 3:50 PM Andreas Steffen > <andreas.stef...@strongswan.org> > wrote: > > Hi Sandesh, > > stro

Re: [strongSwan] (no subject)

2018-08-31 Thread Andreas Steffen
ws.com/2018/08/20/ipsec-vpn-connections-broken-using-20-year-old-flaw/ > https://securityaffairs.co/wordpress/75352/hacking/key-reuse-ipsec-attack.html > > Thanks, > Sandesh ========== Andreas Steffen an

Re: [strongSwan] help with ext-auth plugin

2018-08-04 Thread Andreas Steffen
curve25519 xcbc cmac hmac attr > kernel-netlink resolve socket-default stroke vici updown xauth-generic > counters > 00[JOB] spawning 16 worker threads > > Please guide me on what did i miss? > > -- > Regards, > Amit Priyadarshi > >   >   >   -- =

Re: [strongSwan] Security Comparison

2018-07-20 Thread Andreas Steffen
c/media/publications/sp/800-131a/rev-1/final/documents/sp800-131a_r1_draft.pdf > [2] > https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt1r4.pdf > [3] > https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations > --

Re: [strongSwan] strongSwan plugins - openssl and x509

2018-07-11 Thread Andreas Steffen
9 certificates supported by both the above plugins? > So, if I am enabling openssl plugin, can x509 plugin be disabled? > My use case requires using x509 certificates, without CRL or OCSP support. > > - Divya > -- ==========

Re: [strongSwan] TPM2.0 and ESAPI

2018-07-04 Thread Andreas Steffen
tand from it, that switching to > ESAPI is possible but not in the nearest future as ESAPI is quite new > and require some significant time to learn how to use it. Am I correct? > > Pozdrowienia/Regards, > > Piotr Parus > > > > W dniu 26.06.2018 o 17:07, Andreas Steffen

Re: [strongSwan] TPM2.0 and ESAPI

2018-06-26 Thread Andreas Steffen
t regards, > > Piotr Parus > -- ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions HSR University of

Re: [strongSwan] Checking X509 Extended Key Usage

2018-06-22 Thread Andreas Steffen
:43 schrieb Andreas Steffen: >> Hi Sven, >> >> you can use certificate policies which are based on OIDs. >> >> With swanctl.conf: >> >> remote { >> auth = pubkey >> cert_policy = >> ... >> } >> >> or w

Re: [strongSwan] Checking X509 Extended Key Usage

2018-06-20 Thread Andreas Steffen
um 18:47 schrieb Andreas Steffen: >> Hi Sven, >> >> according to section 5.1.3.12. "ExtendedKeyUsage" of RFC 4945 >> "The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX" >> the IPsec User EKU is deprecated: >> >

Re: [strongSwan] Checking X509 Extended Key Usage

2018-06-19 Thread Andreas Steffen
c, if it is set. We may use some other flags > out of our own space too. > > How can I check in StrongSwan, if a certain EKU exists? > > Regards > Sven Anders > -- == Andreas Steffen

Re: [strongSwan] Loading certificate fails

2018-06-05 Thread Andreas Steffen
to fail). Regards, Tobias -- ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions University of Applied Sciences Rapperswil CH-86

Re: [strongSwan] Loading certificate fails

2018-06-05 Thread Andreas Steffen
VPN.pem' failed Kind regards, Mike. -- ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions University of

Re: [strongSwan] VICI and PSK

2018-05-16 Thread Andreas Steffen
:58, Modster, Anthony wrote: Hello ? how to configure VICI for PSK Thanks -- == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Instit

Re: [strongSwan] starting strongswan without starter

2018-05-08 Thread Andreas Steffen
is the correct way to start strongswan without 'ipsec start' ? -- == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked

Re: [strongSwan] IKE_SA_INIT response with notification data missing

2018-04-16 Thread Andreas Steffen
htauth=psk esp=3des-aes-sha1-md5-modp1024 ike=3des-sha1-md5-modp1024 auto=add type=tunnel Thanks, Balaji -- ====== Andreas Steffen andreas.stef...@strongswan.org strongSwan

Re: [strongSwan] Not Able to Connect

2018-03-29 Thread Andreas Steffen
server has to be configured. Regards Andreas On 29.03.2018 20:12, Info wrote: > > On 03/29/2018 10:21 AM, Andreas Steffen wrote: >> Hi, >> >> yes you can fully integrate a remote host into a LAN by using the >> farp and dhcp plugins on the VPN gateway so that the g

Re: [strongSwan] Not Able to Connect

2018-03-29 Thread Andreas Steffen
reseeably have IPV6 (Frontier Comm) I'll > need to use a tunnel broker. Will this be a problem with Strongswan, > and can the Android app do IPV6? > > > On 03/28/2018 02:35 PM, Andreas Steffen wrote: >> The connection setup gets now very far but finally fails because >>

Re: [strongSwan] Not Able to Connect

2018-03-28 Thread Andreas Steffen
lain > "classic and combined-mode algos" nor not to mix them.  I can't know > these things by instinct. > > Something else is wrong with the example.  I copied it -exactly- (except > I used your esp_proposals), and the error log is attached. > > > > On 03/28/2018 0

Re: [strongSwan] Not Able to Connect

2018-03-28 Thread Andreas Steffen
MAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024 > Tue, 2018-03-27 15:26 15[CFG]   local: > Tue, 2018-03-27 15:26 15[CFG]    id = cygnus.darkmatter.org > Tue, 2018-03-27 15:26 15[CFG]   remote: > Tue, 2018-03-27 15:26 15[CFG] added vic

Re: [strongSwan] Cipher Suite proposals changed in the course of 5.6.0 to 5.6.2

2018-03-19 Thread Andreas Steffen
4 L2TP/IPsec connectivity. >>> >>> I know the iPhone 4 is almost 8 years old, however, mine looks like I >>> bought it yesterday, and the battery is still in a perfect shape, and I >>> don't want to buy a new one in the foreseeable future. Please may I ask to

Re: [strongSwan] Strongswan IPSec VPN is up but does not pass traffic

2018-03-13 Thread Andreas Steffen
     expire use: soft 0(sec), hard 0(sec) >     lifetime current: >       0(bytes), 0(packets) >       add 2018-03-12 18:15:44 use - > src ::/0 dst ::/0 uid 0 >     socket out action allow index 20 priority 0 share any flag  (0x) >     lifetime config: >       li

Re: [strongSwan] problem: fetching from hash_and_url

2018-03-01 Thread Andreas Steffen
25519 xcbc cmac hmac attr kernel-netlink socket-default stroke vici > updown xauth-generic > >   > > Do we need to install additional plugins? > >   > > Kind regards, > > Mike. > -- == Andreas Steffen

Re: [strongSwan] pki --verify Command

2018-02-10 Thread Andreas Steffen
hat way, other than nobody gotten around to doing it? > > Regards, > Jafar ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Inst

Re: [strongSwan] Strongswan 5.5

2018-02-06 Thread Andreas Steffen
> > > Thanks in advance, > > Rajeev > -- ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions HSR Univer

Re: [strongSwan] Separate files for crt and key

2018-01-26 Thread Andreas Steffen
-- == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland

Re: [strongSwan] dpd not getting triggered

2018-01-12 Thread Andreas Steffen
net-net >     left=10.127.47.104 >     leftsubnet=10.127.47.104/32 >     leftid=10.127.47.104 >     right=10.104.108.110 >     rightsubnet=10.104.108.110/32 >     rightid=10.104.108.110 >     auto=start > > ~ > Regards, > kalyani > -- ==

Re: [strongSwan] OSCP

2017-12-19 Thread Andreas Steffen
] On Behalf Of Andreas Steffen Sent: Saturday, December 16, 2017 2:23 AM To: Modster, Anthony <anthony.mods...@teledyne.com>; users@lists.strongswan.org Subject: Re: [strongSwan] OSCP Hello Anthony, if the OCSP URI is not included via an authorityInfoAccess extension in the end entity certi

Re: [strongSwan] Autorisation in vici?

2017-12-18 Thread Andreas Steffen
ron? > > > I did not find anything the docs. > > > Mit freundlichen Grüßen, > -- ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www

Re: [strongSwan] OSCP

2017-12-16 Thread Andreas Steffen
e needed on the host > >   > > Thanks > >   > -- ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions HSR

Re: [strongSwan] Validating Local Host Own Certificate

2017-12-06 Thread Andreas Steffen
a CA trustchain. Thanks, Jafar -- == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions University

Re: [strongSwan] StrongSwan Android app, NO_PROPOSAL_CHOSEN error & Digital Ocean's VPN tutorial

2017-11-20 Thread Andreas Steffen
ghtsourceip=10.10.10.0/24 > rightsendcert=never > eap_identity=%identity > > My /etc/ipsec.secrets contains: > > 128.199.36.88 : RSA "/etc/ipsec.d/private/vpn-server-key.pem" > vpnusername %any% : EAP "vpnpasswordredacted" > > What might be the issue? > &

Re: [strongSwan] what the use (effect) of "righthostaccess=yes"

2017-11-20 Thread Andreas Steffen
ither in GW1 or in GW2 - So my query is: whats the use of the option "righthostaccess=yes"...where and when do we use this option? thanks & regards Rajiv -- == Andreas Steffen and

Re: [strongSwan] Remote Attestation through Cisco ASA

2017-11-15 Thread Andreas Steffen
as to be decrypted once by the device. Many thanks, Mario -- ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for N

Re: [strongSwan] No private key found

2017-10-05 Thread Andreas Steffen
C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs > Root Certification Authority" > >   validity:  not before Nov 11 17:19:44 2014, ok > >              not after  Nov 11 17:19:44 2064, ok (expires in 17206 days) > >   serial:    b1:b0:d3:be:

Re: [strongSwan] Permission Denied error

2017-09-18 Thread Andreas Steffen
s me the following error: > > > bash: caKey.der: Permission denied > > > I tried to run it with sudo and I get the same error.   I assume the key > would be populated in: > >   /etc/ipsec.d/private > > > Any help is appreciated! > > -- ========

Re: [strongSwan] nonce Length

2017-09-14 Thread Andreas Steffen
byte number. Thanks for confirming that. I also came across nonce plugin configuration: nonce { } Is there really any thing configurable here or is that just there for completeness? Kind Regards, Jafar On 9/14/2017 1:56 AM, Andreas Steffen wrote: Hi Jafar, section 2.10 of IKEv2 RFC

Re: [strongSwan] nonce Length

2017-09-14 Thread Andreas Steffen
Al-Gharaibeh wrote: > Hi, > >What is the default length of the nonce used to establish and rekey > IKE/Child SAs? is that based on the DH group? and is the length > configurable? > > Thanks, > Jafar ==========

Re: [strongSwan] Default value of inactivity in ipsec.conf

2017-09-12 Thread Andreas Steffen
-- == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland

Re: [strongSwan] Strongswan and TPM

2017-08-31 Thread Andreas Steffen
ate > key loaded by the configuration backend, whether that private key is > actually loaded into memory or it's just a reference to a key > (as is the > case here). Private keys on PKCS#11 tokens or in a TPM can't be > accessed directly, so

Re: [strongSwan] SHA1 vs SHA256

2017-08-04 Thread Andreas Steffen
) Regards Andreas On 04.08.2017 16:41, Dusan Ilic wrote: > Hi Andreas > > One side is 2.6.36 and the other 3.10.20 > > > Den 2017-08-04 kl. 12:48, skrev Andreas Steffen: >> Hi Dusan, >> >> this is a Linux kernel issue. Which kernel versions are you running >

Re: [strongSwan] SHA1 vs SHA256

2017-08-04 Thread Andreas Steffen
aes256-sha256-modp2048! >>> esp=aes256-sha256-modp2048! >>> >>> Below combo doesn't work either: >>> >>> ike=aes256-sha256-modp2048! >>> esp=aes128-sha256-modp2048! >>> >>> >>> Also, are above settings good? I'm h

Re: [strongSwan] charon unmet dependency on native android build

2017-05-25 Thread Andreas Steffen
DMN] initialization failed - aborting charon root@kltetmo:/ # pki --help strongSwan 5.5.2 PKI tool loaded plugins: aes des rc2 sha2 sha1 md5 random x509 revocation pkcs1 pkcs7 pkcs8 pkcs12 dnskey sshkey pem gmp hmac == Andreas Stef

Re: [strongSwan] listen interface specification

2017-05-02 Thread Andreas Steffen
forwards. -- Piyush Agarwal Life can only be understood backwards; but it must be lived forwards. -- Piyush Agarwal Life can only be understood backwards; but it must be lived forwards. ___ Users mailing list Users@lists.str

Re: [strongSwan] remote_addrs with more than one IP address

2017-04-27 Thread Andreas Steffen
ou pls clarify this. > > cheers, > vijaya ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions HSR University of Applied

Re: [strongSwan] Security Associations

2017-04-06 Thread Andreas Steffen
Security Associations (0 up, 0 connecting): > none > > Problem is I have no SA Associations. > > > I attach conf file from both sites. I have strongswan 5.2.1 on Debian 8 x64 > > Thank you for any help. > > -- ===

Re: [strongSwan] Config/Install compiled strongswan

2017-03-07 Thread Andreas Steffen
still not binding to port 500. Is > there any other place I should look at? > > Thanks, > Di > > > 2017-03-07 14:36 GMT-08:00 Andreas Steffen > <andreas.stef...@strongswan.org>: > > Hi, > >

Re: [strongSwan] Config/Install compiled strongswan

2017-03-07 Thread Andreas Steffen
elp on this, anything l missed or I should configure? > > Thanks, > Di == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutio

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-16 Thread Andreas Steffen
On 16.01.2017 20:39, Varun Singh wrote: On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff <m...@sys4.de> wrote: Am Montag, 16. Januar 2017, 20:06:45 schrieb Andreas Steffen: Hi Varun, we have customers who have successfully been running up to 60k concurrent tunnels. In order to ma

Re: [strongSwan] Android TNC server basic setup

2017-01-14 Thread Andreas Steffen
n/wiki/StrongTNC Thanks, Mark On Thursday, January 12, 2017 6:09 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote: Hi Mark, you can find a [little-outdated] TNC server configuration HOWTO under the following link: https://wiki.strongswan.org/projects/strongswan/wiki/TNCS In

Re: [strongSwan] Android TNC server basic setup

2017-01-12 Thread Andreas Steffen
== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil

Re: [strongSwan] Resubmission as plaintext - Strongswan with ESP-NULL and ESP-NONE , NULL encryption and NONE integrity

2017-01-06 Thread Andreas Steffen
10.1.9.119 Jan 06 16:19:44 [IKEv1]Group = 10.1.9.119, IP = 10.1.9.119, PHASE 1 COMPLETED Jan 06 16:19:44 [IKEv1]Group = 10.1.9.119, IP = 10.1.9.119, Generating secret keys: unknown encryption algorithm! Jan 06 16:19:44 [IKEv1]Group = 10.1.9.119, IP = 10.1.9.119, Generating secret keys: unknown encr

Re: [strongSwan] AH Transport AES CMAC PSK

2016-11-27 Thread Andreas Steffen
omes this limitation? > Does it come from StrongSwan implementation or from Linux kernel (as > suggested by the error message)? > Does anybody have ideas? > > Best regards, > Gyula Kovacs ========== Andreas Steffen

Re: [strongSwan] how to use 'rightca' connection option?

2016-11-23 Thread Andreas Steffen
or does not understand this feature, but I have no idea, what this can be. Does anybody knows? Best regards, John, ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN So

Re: [strongSwan] triggering MOBIKE in strongswan

2016-11-16 Thread Andreas Steffen
.vanapa...@gmail.com > > > ___ > Users mailing list > Users@lists.strongswan.org > https://lists.strongswan.org/mailman/listinfo/users > -- ==

Re: [strongSwan] libhydra

2016-11-15 Thread Andreas Steffen
>>> to the kernel would require a kernel_ipsec_t as well. Is this correct? >> >> Yes. >> >> Regards, >> Tobias >> > ___ > Users mailing list > Users@lists.strongswan.org > https://lists.st

Re: [strongSwan] Why doesn't table 220 change forwarded packets source IP address?

2016-11-06 Thread Andreas Steffen
D chain sees the source IP address as 192.168.2.X (host cannot be reached until these packets are SNAT'ed to 10.2.0.3) Richard Chan ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Ope

[strongSwan] Testing

2016-10-28 Thread Andreas Steffen
Testing the availability of the strongSwan mailing list server. Please disregard Andreas == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution

Re: [strongSwan] Abbreviations

2016-10-13 Thread Andreas Steffen
___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users -- == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source

Re: [strongSwan] Duplicate log entries using default configuration

2016-10-12 Thread Andreas Steffen
://lists.strongswan.org/mailman/listinfo/users -- ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Internet Technologies a

Re: [strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

2016-10-11 Thread Andreas Steffen
t. > > Kindly confirm that my understanding is correct. > > Thanks, > Ravikanth > > On Tue, Oct 11, 2016 at 3:54 AM, Andreas Steffen > <andreas.stef...@strongswan.org> wrote: > >

Re: [strongSwan] initializing EAP TLS peer with a different IDi than the IDi used in the first IKE AUTH message

2016-10-11 Thread Andreas Steffen
> I am finding it difficult to know which module calls this API > eap_tls_create_peer to initialize EAP TLS peer identity. > > Kindly provide any inputs regarding my issue. > > Thank you very much. > > -- > Regards, > RaviKanth =======

Re: [strongSwan] MacOS 10.12 Sierra IKEv2 user/password auth

2016-10-09 Thread Andreas Steffen
has actually gotten user/password with IKEv2 to work on Sierra. == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Internet

Re: [strongSwan] file content is not binary ASN.1

2016-10-06 Thread Andreas Steffen
ngswan.org https://lists.strongswan.org/mailman/listinfo/users -- ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for

Re: [strongSwan] need for openssl plugin use case

2016-10-05 Thread Andreas Steffen
ld be highly appreciated. -- Regards, RaviKanth ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users -- ========== And

Re: [strongSwan] Strongswan 5.4 issue using certificates

2016-09-16 Thread Andreas Steffen
like the > certificate? > > Thanks, > Rajeev > > On Thu, Aug 4, 2016 at 12:16 AM, Andreas Steffen > <andreas.stef...@strongswan.org> wrote: > > Hi Rajeev, > > differe

Re: [strongSwan] Empty CRL cache

2016-09-13 Thread Andreas Steffen
02 110043015, >> CN=0120101V-01-TEST.ac-toulouse.fr] >> 2016-09-09T14:35:48.994137+02:00 sphynx.ac-test.lan charon: 11[IKE] >> IKE_SA >> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[1] >> established between 192.168.0.11[C=FR, L=Dijon, O=Education Nationale, >> OU=0002 110043015, CN=sp

Re: [strongSwan] TPM Owner password in strongswan IMC

2016-08-12 Thread Andreas Steffen
es, is there a > configuration in strongswan to set the TPM Owner password? > > Regards, > > Vikas ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN So

Re: [strongSwan] sha256 failing with netlink error

2016-08-11 Thread Andreas Steffen
hmi == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Internet Technologies and Applications University of Applied Scien

Re: [strongSwan] Authentication algoritm supported by strongSwan

2016-08-05 Thread Andreas Steffen
me is from wireshark ESP decryption table. > > > Cheers, > > Codrut. > > > > ___ > Users mailing list > Users@lists.strongswan.org > https://lists.strongswan.org/mailman/listinfo/users > -- =======

Re: [strongSwan] Strongswan not sending encryption algorithm

2016-08-05 Thread Andreas Steffen
-sha256-modp2048! esp=aes256gcm128-sha256! Invalid combo: keyexchange=ikev1 ike=aes256gcm128-sha256-modp2048! esp=aes256gcm128-sha256! Thanks, Lakshmi On Fri, Aug 5, 2016 at 1:49 PM, Andreas Steffen <andreas.stef...@strongswan.org <mailto:andreas.stef...@strongsw

Re: [strongSwan] Strongswan not sending encryption algorithm

2016-08-05 Thread Andreas Steffen
_256_128/PRF_HMAC_SHA2_256/MODP_2048 > > configured > proposals:IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 > > > Thanks and Regards, > > Lakshmi ========== Andreas Steffen and

Re: [strongSwan] Drop data traffic if ipsec is not present

2016-08-04 Thread Andreas Steffen
I was expecting leftfirewall=yes would take care of adding default > policies for IKE, ESP and drop traffic. > From your explanation, I understood that we need to explicitly configure > iptables. So what does leftfirewall actually do? > > Regards, > Sarat Vajrapu > > On Tue,

Re: [strongSwan] Strongswan 5.4 issue using certificates

2016-08-03 Thread Andreas Steffen
> Do you know what could be issue here? Looks like software is not able to > recognize the pem format but again it worked when using swanctl.conf file. > > Thanks, > Rajeev > > > On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen > <andreas.stef...@strongswan.org

Re: [strongSwan] parsed ID_PROT response 0 [ KE No ]

2016-08-02 Thread Andreas Steffen
=74de8c3727833891e6f3a73d5cc776d201112dfd#l392 What OpenSSL version are you using (openssl version)? Andreas On 08/02/2016 03:06 PM, Andreas Steffen wrote: > Hi Lakshmi, > > it seems that your OpenSSL libcrypto library has not been built with > ECC (Elliptic Curve Cryptography) support.

Re: [strongSwan] parsed ID_PROT response 0 [ KE No ]

2016-08-02 Thread Andreas Steffen
s shown as part of the loaded configs, this error > seems to get hit. Is there anything that I am possibly missing while > compiling? > > -Lakshmi ========== Andreas Steffen andreas.ste

Re: [strongSwan] parsed ID_PROT response 0 [ KE No ]

2016-08-02 Thread Andreas Steffen
rom 9.11.120.120[500] to 9.11.53.11[500] (116 bytes) > > parsed ID_PROT response 0 [ KE No ] > > There is no more logs beyond this and my wireshark capture stops at MM2. > > - Lakshmi > > > On Tue, Aug 2, 2016 at 3:12 PM, Andreas Steffen > <andreas.stef...@strong
