uniqueids = no
======
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
strongSec GmbH, 8952 Schlieren (Switzerland)
==
idential; Commercially Sensitive Business Data
15A 211B 6390 60A9 E30D 9B9B 3EBF F1A1
>
6_64"
>
> What is the difference between the two versions? Is one 32-bit and one
> 64-bit?
>
> *Dave Pearce*
>
> Blue Origin OLS
>
> dpear...@blueorigin.com <mailto:dpear...@blueorigin.com>
>
=====
Hi,
the recording of the strongSwan and wolfSSL Webinar is now available
under the following link:
https://www.youtube.com/watch?v=Ul_M3XzRa4Q
Best regards
Andreas
On 28.05.21 13:30, Andreas Steffen wrote:
> Please join us for our upcoming webinar with Security Expert Eric
> Blank
Please join us for our upcoming webinar with Security Expert Eric
Blankenhorn from wolfSSL and Andreas Steffen from the strongSwan Project.
Leveraging the FIPS-certified security of wolfSSL and the power of
strongSwan to make a more perfect VPN!
strongSwan and wolfSSL are coming together
is a 30sec timeout on the IPsec gateway. Is there
> a chance to increase this timeout (using stroke, ie. ipsec.conf)?
> https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
> mentions only the DPD timeout (150 sec per default) and the inactivity
> timeout (child sa only,
,
RG.
--
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
C8DB81EC258089F8E48EEBB2313BE63C33FF5
I'm fairly new to strongswan so I might have missed something in the server
configuration. Any hint is welcome.
Thanks
[1] https://wiki.strongswan.org/projects/strongswan/wiki/Fortinet
--
=========
Hello George,
you have to enable one of the libstrongswan plugins that support
elliptic curve cryptography. Either the openssl, wolfssl or botan
plugin.
Best regards
Andreas
On 05.11.20 20:20, george wrote:
eature PUBKEY:ECDSA in plugin 'pem' has unmet dependency: PUBKEY:ECDSA
nk you for advice,
> Houman
==========
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
C
But I think the remote side is not configured
for EAP-based client authentication or cannot
find its private signature key so AUTHENTICATION
FAILED ensues. Any chance of getting the remote log?
Andreas
On 11.05.20 08:45, Andreas Steffen wrote:
> Hi,
>
> in the remote section you ha
UP)
> N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR)
> N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> [NET] sending packet: from xx.XX.yy.YY[4500] to
> xx.XX.zz.ZZ[4500] (432 bytes)
> [NET] received packet: from xx.XX.zz.ZZ[4500] to
> xx.XX.yy.YY[4500] (80 bytes)
ess of the key install on a client one still
> needs the password to use them.
>
>
>
> Regards
>
> Dries
======
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN So
> change: CONNECTING => DESTROYING
>
> What do I need to change in the android client configuration? I would
> prefer not to touch the linux server as it is working with windows
> clients, but will do so if absolutely necessary. Thank you for your
> assistance in this matter.
>
.
>
> My setup is:
> client -> Strongswan(centos 7) -> radius(free radius,centos 7) ->
> AD(Microsoft)
>
> Can you provide some guidance regarding this? I've to complete this
> project this month.
>
> Thank you
--
=======
fference between them in this
> context?
>
> Many Thanks,
> Houman
>
> On Wed, 31 Jul 2019 at 11:14, Andreas Steffen
> mailto:andreas.stef...@strongswan.org>>
> wrote:
>
> Hi Houman,
>
> you can get the number of active IKE SAs via
>
> swanctl --l
ed
> [CFG] no alternative config found
> [ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
> [NET] sending packet: from 172.26.0.85[4500] to $MY_ON_PREM_EXT_IP[4500] (65
> bytes)
> initiate failed: establishing CHILD_SA 'net1-net1' failed
>
>
>
>
> You are re
NC/PTS feature compliant with TPM 1.2 and TPM 2.0 ?
>
> Thanks
>
>
>
>
--
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Soluti
>
> Thanks.
======
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-
e ID 1
Mar 15 00:37:41 klick001 charon: 14[NET] sending packet:
from 10.138.0.4[4500] to 200.10.1**.***[4500] (988 bytes)
Please assist as we are about to go live soon.
Thanks in advance.
Moses K
=======
eamlessly?
>
> Many Thanks,
>
--
==========
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapper
what does 'length of TRAFFIC_SELECTOR_SUBSTRUCTURE substructure
> list invalid' means, I tried finding it in RFC, but could not find
> the same.
>
>
> Thanks & Regards,
>
> Yogesh Purohit
>
>
>
> --
> Best Regar
nssl \
> --enable-eap-peap
>
> NPS
>
>
>
>
>
> Windows 10 reports:
>
--
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN S
oned for PSK based auth (irrespective of the PSK
> chosen by the user)?
>
>
> Thanks,
>
> Sandesh
>
>
> On Fri, Aug 31, 2018 at 3:50 PM Andreas Steffen
> mailto:andreas.stef...@strongswan.org>>
> wrote:
>
> Hi Sandesh,
>
> stro
ws.com/2018/08/20/ipsec-vpn-connections-broken-using-20-year-old-flaw/
> https://securityaffairs.co/wordpress/75352/hacking/key-reuse-ipsec-attack.html
>
> Thanks,
> Sandesh
==========
Andreas Steffen an
curve25519 xcbc cmac hmac attr
> kernel-netlink resolve socket-default stroke vici updown xauth-generic
> counters
> 00[JOB] spawning 16 worker threads
>
> Please guide me on what did I miss?
>
> --
> Regards,
> Amit Priyadarshi
>
>
>
>
--
=
c/media/publications/sp/800-131a/rev-1/final/documents/sp800-131a_r1_draft.pdf
> [2]
> https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt1r4.pdf
> [3]
> https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations
>
--
9 certificates supported by both the above plugins?
> So, if I am enabling openssl plugin, can x509 plugin be disabled?
> My use case requires using x509 certificates, without CRL or OCSP support.
>
> - Divya
>
--
==========
tand from it, that switching to
> ESAPI is possible but not in the nearest future as ESAPI is quite new
> and require some significant time to learn how to use it. Am I correct?
>
> Regards,
>
> Piotr Parus
>
>
>
> On 26.06.2018 at 17:07, Andreas Steffen
t regards,
>
> Piotr Parus
>
--
==========
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
HSR University of
:43, Andreas Steffen wrote:
>> Hi Sven,
>>
>> you can use certificate policies which are based on OIDs.
>>
>> With swanctl.conf:
>>
>> remote {
>> auth = pubkey
>> cert_policy =
>> ...
>> }
>>
>> or w
at 18:47, Andreas Steffen wrote:
>> Hi Sven,
>>
>> according to section 5.1.3.12. "ExtendedKeyUsage" of RFC 4945
>> "The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX"
>> the IPsec User EKU is deprecated:
>>
>
c, if it is set. We may use some other flags
> out of our own space too.
>
> How can I check in StrongSwan, if a certain EKU exists?
>
> Regards
> Sven Anders
>
--
==
Andreas Steffen
to fail).
Regards,
Tobias
--
==========
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-86
VPN.pem' failed
Kind regards,
Mike.
--
==========
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
University of
:58, Modster, Anthony wrote:
Hello
? how to configure VICI for PSK
Thanks
--
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Instit
is the correct way to start strongswan
without 'ipsec start' ?
--
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked
htauth=psk
esp=3des-aes-sha1-md5-modp1024
ike=3des-sha1-md5-modp1024
auto=add
type=tunnel
Thanks,
Balaji
--
======
Andreas Steffen andreas.stef...@strongswan.org
strongSwan
server has to
be configured.
Regards
Andreas
On 29.03.2018 20:12, Info wrote:
>
> On 03/29/2018 10:21 AM, Andreas Steffen wrote:
>> Hi,
>>
>> yes you can fully integrate a remote host into a LAN by using the
>> farp and dhcp plugins on the VPN gateway so that the g
reseeably have IPV6 (Frontier Comm) I'll
> need to use a tunnel broker. Will this be a problem with Strongswan,
> and can the Android app do IPV6?
>
>
> On 03/28/2018 02:35 PM, Andreas Steffen wrote:
>> The connection setup gets now very far but finally fails because
>>
lain
> "classic and combined-mode algos" nor not to mix them. I can't know
> these things by instinct.
>
> Something else is wrong with the example. I copied it -exactly- (except
> I used your esp_proposals), and the error log is attached.
>
>
>
> On 03/28/2018 0
MAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024
> Tue, 2018-03-27 15:26 15[CFG] local:
> Tue, 2018-03-27 15:26 15[CFG] id = cygnus.darkmatter.org
> Tue, 2018-03-27 15:26 15[CFG] remote:
> Tue, 2018-03-27 15:26 15[CFG] added vic
4 L2TP/IPsec connectivity.
>>>
>>> I know the iPhone 4 is almost 8 years old, however, mine looks like I
>>> bought it yesterday, and the battery is still in a perfect shape, and I
>>> don't want to buy a new one in the foreseeable future. Please may I ask to
expire use: soft 0(sec), hard 0(sec)
> lifetime current:
> 0(bytes), 0(packets)
> add 2018-03-12 18:15:44 use -
> src ::/0 dst ::/0 uid 0
> socket out action allow index 20 priority 0 share any flag (0x)
> lifetime config:
> li
25519 xcbc cmac hmac attr kernel-netlink socket-default stroke vici
> updown xauth-generic
>
>
>
> Do we need to install additional plugins?
>
>
>
> Kind regards,
>
> Mike.
>
--
==
Andreas Steffen
hat way, other than nobody gotten around to doing it?
>
> Regards,
> Jafar
==========
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Inst
>
>
> Thanks in advance,
>
> Rajeev
>
--
==========
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
HSR Univer
--
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland
net-net
> left=10.127.47.104
> leftsubnet=10.127.47.104/32
> leftid=10.127.47.104
> right=10.104.108.110
> rightsubnet=10.104.108.110/32
> rightid=10.104.108.110
> auto=start
>
> ~
> Regards,
> kalyani
>
--
==
] On Behalf Of Andreas
Steffen
Sent: Saturday, December 16, 2017 2:23 AM
To: Modster, Anthony <anthony.mods...@teledyne.com>; users@lists.strongswan.org
Subject: Re: [strongSwan] OSCP
Hello Anthony,
if the OCSP URI is not included via an authorityInfoAccess extension in
the end entity certi
ron?
>
>
> I did not find anything in the docs.
>
>
> Kind regards,
>
--
==========
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www
e needed on the host
>
>
>
> Thanks
>
>
>
--
==========
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
HSR
a CA trustchain.
Thanks,
Jafar
--
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
University
ghtsourceip=10.10.10.0/24
> rightsendcert=never
> eap_identity=%identity
>
> My /etc/ipsec.secrets contains:
>
> 128.199.36.88 : RSA "/etc/ipsec.d/private/vpn-server-key.pem"
> vpnusername %any% : EAP "vpnpasswordredacted"
>
> What might be the issue?
>
>
ither in GW1 or in GW2
- So my query is: what's the use of the option
"righthostaccess=yes"...where and when do we use this option?
thanks & regards
Rajiv
--
==
Andreas Steffen and
as to be decrypted
once by the device.
Many thanks,
Mario
--
==========
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for N
C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs
> Root Certification Authority"
>
> validity: not before Nov 11 17:19:44 2014, ok
>
> not after Nov 11 17:19:44 2064, ok (expires in 17206 days)
>
> serial: b1:b0:d3:be:
s me the following error:
>
>
> bash: caKey.der: Permission denied
>
>
> I tried to run it with sudo and I get the same error. I assume the key
> would be populated in:
>
> /etc/ipsec.d/private
>
>
> Any help is appreciated!
>
>
--
========
byte number. Thanks for confirming
that.
I also came across nonce plugin configuration:
nonce {
}
Is there really any thing configurable here or is that just there for
completeness?
Kind Regards,
Jafar
On 9/14/2017 1:56 AM, Andreas Steffen wrote:
Hi Jafar,
section 2.10 of IKEv2 RFC
Al-Gharaibeh wrote:
> Hi,
>
> What is the default length of the nonce used to establish and rekey
> IKE/Child SAs? is that based on the DH group? and is the length
> configurable?
>
> Thanks,
> Jafar
==========
--
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland
ate
> key loaded by the configuration backend, whether that private key is
> actually loaded into memory or it's just a reference to a key
> (as is the
> case here). Private keys on PKCS#11 tokens or in a TPM can't be
> accessed directly, so
)
Regards
Andreas
On 04.08.2017 16:41, Dusan Ilic wrote:
> Hi Andreas
>
> One side is 2.6.36 and the other 3.10.20
>
>
> On 2017-08-04 at 12:48, Andreas Steffen wrote:
>> Hi Dusan,
>>
>> this is a Linux kernel issue. Which kernel versions are you running
>
aes256-sha256-modp2048!
>>> esp=aes256-sha256-modp2048!
>>>
>>> Below combo doesn't work either:
>>>
>>> ike=aes256-sha256-modp2048!
>>> esp=aes128-sha256-modp2048!
>>>
>>>
>>> Also, are above settings good? I'm h
DMN] initialization failed - aborting charon
root@kltetmo:/ # pki --help
strongSwan 5.5.2 PKI tool
loaded plugins: aes des rc2 sha2 sha1 md5 random x509 revocation pkcs1
pkcs7 pkcs8 pkcs12 dnskey sshkey pem gmp hmac
==
Andreas Stef
forwards.
--
Piyush Agarwal
Life can only be understood backwards; but it must be lived forwards.
___
Users mailing list
Users@lists.str
ou pls clarify this.
>
> cheers,
> vijaya
==========
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
HSR University of Applied
Security Associations (0 up, 0 connecting):
> none
>
> Problem is I have no SA Associations.
>
>
> I attach conf file from both sites. I have strongswan 5.2.1 on Debian 8 x64
>
> Thank you for any help.
>
>
--
===
still not binding to port 500. Is
> there any other place I should look at?
>
> Thanks,
> Di
>
>
> 2017-03-07 14:36 GMT-08:00 Andreas Steffen
> <andreas.stef...@strongswan.org <mailto:andreas.stef...@strongswan.org>>:
>
> Hi,
>
>
elp on this, anything I missed or I should configure?
>
> Thanks,
> Di
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutio
On 16.01.2017 20:39, Varun Singh wrote:
On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff <m...@sys4.de> wrote:
On Monday, 16 January 2017, 20:06:45, Andreas Steffen wrote:
Hi Varun,
we have customers who have successfully been running up to 60k
concurrent tunnels. In order to ma
n/wiki/StrongTNC
Thanks,
Mark
On Thursday, January 12, 2017 6:09 AM, Andreas Steffen
<andreas.stef...@strongswan.org> wrote:
Hi Mark,
you can find a [little-outdated] TNC server configuration HOWTO
under the following link:
https://wiki.strongswan.org/projects/strongswan/wiki/TNCS
In
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil
10.1.9.119
Jan 06 16:19:44 [IKEv1]Group = 10.1.9.119, IP = 10.1.9.119, PHASE 1 COMPLETED
Jan 06 16:19:44 [IKEv1]Group = 10.1.9.119, IP = 10.1.9.119, Generating secret
keys: unknown encryption algorithm!
Jan 06 16:19:44 [IKEv1]Group = 10.1.9.119, IP = 10.1.9.119, Generating secret
keys: unknown encr
omes this limitation?
> Does it come from StrongSwan implementation or from Linux kernel (as
> suggested by the error message)?
> Does anybody have ideas?
>
> Best regards,
> Gyula Kovacs
==========
Andreas Steffen
or does not understand this
feature, but I have no idea, what this can be.
Does anybody know?
Best regards,
John,
==========
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN So
.vanapa...@gmail.com <mailto:vvnrk.vanapa...@gmail.com>
>
>
> ___
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
--
==
>>> to the kernel would require a kernel_ipsec_t as well. Is this correct?
>>
>> Yes.
>>
>> Regards,
>> Tobias
>>
> ___
> Users mailing list
> Users@lists.strongswan.org
> https://lists.st
D chain sees the source IP address as 192.168.2.X (host cannot
be reached until these packets are SNAT'ed to 10.2.0.3)
Richard Chan
==========
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Ope
Testing the availability of the strongSwan mailing list server.
Please disregard
Andreas
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
--
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source
://lists.strongswan.org/mailman/listinfo/users
--
==========
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies a
t.
>
> Kindly confirm that my understanding is correct.
>
> Thanks,
> Ravikanth
>
> On Tue, Oct 11, 2016 at 3:54 AM, Andreas Steffen
> <andreas.stef...@strongswan.org
> <mailto:andreas.stef...@strongswan.org>> wrote:
>
>
> I am finding it difficult to know which module calls this API
> eap_tls_create_peer to initialize EAP TLS peer identity.
>
> Kindly provide any inputs regarding my issue.
>
> Thank you very much.
>
> --
> Regards,
> RaviKanth
=======
has actually gotten user/password with IKEv2 to
work on Sierra.
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet
ngswan.org
https://lists.strongswan.org/mailman/listinfo/users
--
==========
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for
ld be highly appreciated.
--
Regards,
RaviKanth
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
--
==========
And
like the
> certificate?
>
> Thanks,
> Rajeev
>
> On Thu, Aug 4, 2016 at 12:16 AM, Andreas Steffen
> <andreas.stef...@strongswan.org
> <mailto:andreas.stef...@strongswan.org>> wrote:
>
> Hi Rajeev,
>
> differe
02 110043015,
>> CN=0120101V-01-TEST.ac-toulouse.fr]
>> 2016-09-09T14:35:48.994137+02:00 sphynx.ac-test.lan charon: 11[IKE]
>> IKE_SA
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[1]
>> established between 192.168.0.11[C=FR, L=Dijon, O=Education Nationale,
>> OU=0002 110043015, CN=sp
es, is there a
> configuration in strongswan to set the TPM Owner password?
>
> Regards,
>
> Vikas
==========
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN So
hmi
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Scien
me is from wireshark ESP decryption table.
>
>
> Cheers,
>
> Codrut.
>
>
>
> ___
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
--
=======
-sha256-modp2048!
esp=aes256gcm128-sha256!
Invalid combo:
keyexchange=ikev1
ike=aes256gcm128-sha256-modp2048!
esp=aes256gcm128-sha256!
Thanks,
Lakshmi
On Fri, Aug 5, 2016 at 1:49 PM, Andreas Steffen
<andreas.stef...@strongswan.org <mailto:andreas.stef...@strongsw
_256_128/PRF_HMAC_SHA2_256/MODP_2048
>
> configured
> proposals:IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>
>
> Thanks and Regards,
>
> Lakshmi
==========
Andreas Steffen and
I was expecting leftfirewall=yes would take care of adding default
> policies for IKE, ESP and drop traffic.
> From your explanation, I understood that we need to explicitly configure
> iptables. So what does leftfirewall actually do?
>
> Regards,
> Sarat Vajrapu
>
> On Tue,
> Do you know what could be issue here? Looks like software is not able to
> recognize the pem format but again it worked when using swanctl.conf file.
>
> Thanks,
> Rajeev
>
>
> On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen
> <andreas.stef...@strongswan.org
=74de8c3727833891e6f3a73d5cc776d201112dfd#l392
What OpenSSL version are you using (openssl version)?
Andreas
On 08/02/2016 03:06 PM, Andreas Steffen wrote:
> Hi Lakshmi,
>
> it seems that your OpenSSL libcrypto library has not been built with
> ECC (Elliptic Curve Cryptography) support.
s shown as part of the loaded configs, this error
> seems to get hit. Is there anything that I am possibly missing while
> compiling?
>
> -Lakshmi
==========
Andreas Steffen andreas.ste
rom 9.11.120.120[500] to 9.11.53.11[500] (116 bytes)
>
> parsed ID_PROT response 0 [ KE No ]
>
> There is no more logs beyond this and my wireshark capture stops at MM2.
>
> - Lakshmi
>
>
> On Tue, Aug 2, 2016 at 3:12 PM, Andreas Steffen
> <andreas.stef...@strong
1 - 100 of 961 matches