Re: [strongSwan] Security Comparison

2018-07-19 Thread Dirk Hartmann
--On Thursday, July 19, 2018 09:58:51 AM +0100 Christian Salway wrote: Thanks. answers inline On 19 Jul 2018, at 09:38, Tobias Brunner wrote: Hi Christian, I am also limited to the native OSX/Windows VPN clients which currently support a maximum of aes256-sha256-prfsha256-ecp256-mo

Re: [strongSwan] Windows gives error 13868: Policy match error but Linux connect works

2018-05-04 Thread Dirk Hartmann
nts AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force jupp sorry, copy/paste on a wrap <http://www.naimuri.com/> On 4 May 2018, at 07:47, Dirk Hartmann wrote: Set-VPNConnectionIPsecConfiguration -ConnectionName "" -Authen

Re: [strongSwan] Windows gives error 13868: Policy match error but Linux connect works

2018-05-03 Thread Dirk Hartmann
--On Friday, May 04, 2018 04:53:29 PM +1200 flyingrhino wrote: Hi, Just to keep a complete record of this for other people who may search the list archive for this solution: The solution was to create a windows registry key: Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasma

Re: [strongSwan] Migrating to swanctl.conf

2018-02-22 Thread Dirk Hartmann
Hi Thomas, --On Thursday, February 22, 2018 10:47:00 AM +0100 Thomas Egerer wrote: On 02/22/2018 10:33 AM, Dirk Hartmann wrote: Hi, so the other migration I'm planning is to move to swanctl.conf/VICI-Plugin. As it is possible to run both plugins stroke and VICI at the same time a

Re: [strongSwan] Migrating to a new ca

2018-02-22 Thread Dirk Hartmann
Hi Tobias, --On Thursday, February 22, 2018 10:54:37 AM +0100 Tobias Brunner wrote: Is it possible to add a second connection definition that is identical but has conn win2018eapmschap leftcert=serverCert2018.pem leftid="C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER2018" so that

[strongSwan] Migrating to swanctl.conf

2018-02-22 Thread Dirk Hartmann
Hi, so the other migration I'm planning is to move to swanctl.conf/VICI-Plugin. As it is possible to run both plugins stroke and VICI at the same time at the same server, is this a good idea? It would definitely ease the migration if I could simply migrate our approximately 250 connections

[strongSwan] Migrating to a new ca

2018-02-21 Thread Dirk Hartmann
Hi, after many years with our old certification authority for strongswan I'm planning to migrate to a new one with more modern crypto. To make it as painless as possible for the end users I plan on adding a second ca and a matching second server certificate to our installation. Over time I wo

Re: [strongSwan] strongswan.tar.gz issue

2018-02-01 Thread Dirk Hartmann
Hi, --On Friday, February 02, 2018 06:35:54 AM + "Kalyani Garigipati (kagarigi)" wrote: I have downloaded strongswan.tar.gz file from strongswan website, but when I have extracted it, I found that the Makefile is missing in the folder. Did anyone encounter this issue ? Because of this I

Re: [strongSwan] road warrior IP - can it also be used by services/daemons to listen onto?

2017-11-10 Thread Dirk Hartmann
--On 10. November 2017 at 15:20:40 + lejeczek wrote: On 10/11/17 14:34, Dirk Hartmann wrote: Hi, > > --On Friday, November 10, 2017 02:21:09 PM + lejeczek > wrote: > >> I've a working roadwarrior which links up to a server(not mine, >> meanin

Re: [strongSwan] road warrior IP - can it also be used by services/daemons to listen onto?

2017-11-10 Thread Dirk Hartmann
Hi, --On Friday, November 10, 2017 02:21:09 PM + lejeczek wrote: I've a working roadwarrior which links up to a server (not mine, meaning - no control over it) and I wonder - can that IP my roadwarrior gets other things use? From that other (server) end, the network behind the server see

Re: [strongSwan] charon says "DH group MODP_1024 inacceptable, requesting MODP_1536"

2015-10-28 Thread Dirk Hartmann
--On Wednesday, October 28, 2015 05:18:28 PM +0800 Rayson Zhu wrote: yes, but only if you don't use high encryption. so sad. On Wed, Oct 28, 2015 at 4:56 PM, Roger Skjetlein wrote: I found out that this combination works with of the devices out there: ike = 3des-sha1-modp1024 esp = aes2

Re: [strongSwan] radius and certificate CN user authentication

2014-09-10 Thread Dirk Hartmann
--On Wednesday, September 10, 2014 12:09:52 PM +0200 Miroslav Kubiczek wrote: --On Wednesday, September 10, 2014 11:31:07 AM +0200 Martin Willi wrote: I had the following working config which nevertheless prompts for username and password on the device (iPhone): The whole point of XAut

Re: [strongSwan] radius and certificate CN user authentication

2014-09-10 Thread Dirk Hartmann
Hi --On Wednesday, September 10, 2014 11:31:07 AM +0200 Martin Willi wrote: I had the following working config which nevertheless prompts for username and password on the device (iPhone): The whole point of XAuth authentication is to verify a username/password combination. You may disable

Re: [strongSwan] Small Problems with 5.2

2014-07-16 Thread Dirk Hartmann
Hi Tobias, --On Wednesday, July 16, 2014 10:48:30 AM +0200 Tobias Brunner wrote: Not sure why the behavior changed between 5.1.3 and 5.2.0 in this regard; likely that it is related to the replaced ipsec.conf parser. It's probably the new parser. Checking the logs on the gateway running 5.1

Re: [strongSwan] Small Problems with 5.2

2014-07-15 Thread Dirk Hartmann
Hi Martin, --On Tuesday, July 15, 2014 01:52:45 PM +0200 Martin Willi wrote: With this connection active it doesn't matter if I set rightsendcert to ifasked or yes in the default section or the specific connection section of my linux roadwarrior. I can't connect because charon doesn't se

Re: [strongSwan] Small Problems with 5.2

2014-07-15 Thread Dirk Hartmann
Hi Martin, --On Tuesday, July 15, 2014 11:24:04 AM +0200 Martin Willi wrote: was there a change in 5.2 about charon asking for the certificate of the peer? I can establish a connection when I add leftsendcert=yes to the configuration of my roadwarrior. None that I'm aware of. leftsendcert=

Re: [strongSwan] Small Problems with 5.2

2014-07-15 Thread Dirk Hartmann
Hi Martin, --On Friday, July 11, 2014 03:04:27 PM +0200 Martin Willi wrote: ipsec_starter[3318]: notifying watcher failed: Broken pipe I got: no trusted RSA public key found for NAME Btw, I don't think these two issues are directly related. While asynchronous IPC operation is affected

Re: [strongSwan] Small Problems with 5.2

2014-07-11 Thread Dirk Hartmann
Hi Martin, --On Friday, July 11, 2014 02:55:26 PM +0200 Martin Willi wrote: Thanks for the update. I could reproduce the issue, it happens when starter forks() to the background. I haven't seen that, as starter logs to a different file here. ah yes I use auth.log for all strongswan related

Re: [strongSwan] Small Problems with 5.2

2014-07-11 Thread Dirk Hartmann
Hi Martin, --On Friday, July 11, 2014 09:52:40 AM +0200 Martin Willi wrote: 1. I get this error on both systems after upgrade: ipsec_starter[3318]: notifying watcher failed: Broken pipe Hm, interesting, not sure were this broken pipe could come from, nor do I see this error on my 64bit Whe

Re: [strongSwan] Small Problems with 5.2

2014-07-11 Thread Dirk Hartmann
15:54, Dirk Hartmann wrote: Hi, I hit two problems after upgrading to 5.2. System on both sides is a Debian wheezy 64. Strongswan compiled with: [client] ./configure --prefix=/usr --sysconfdir=/etc --enable-blowfish --enable-curl --enable-openssl --disable-ikev1 --enable-ntru [gateway] ./configure --p

[strongSwan] Small Problems with 5.2

2014-07-10 Thread Dirk Hartmann
Hi, I hit two problems after upgrading to 5.2. System on both sides is a Debian wheezy 64. Strongswan compiled with: [client] ./configure --prefix=/usr --sysconfdir=/etc --enable-blowfish --enable-curl --enable-openssl --disable-ikev1 --enable-ntru [gateway] ./configure --prefix=/usr --sysconf

Re: [strongSwan] temporarily disable a road warrior user

2014-02-19 Thread Dirk Hartmann
Hi Karl, --On Tuesday, February 18, 2014 06:24:46 PM +0100 Karl Hiramoto wrote: I have multiple road warriors with their own certificates. How can I temporarily disable the user, without revoking the certificate, can I do that? I assume you don't have an unique entry for every user in yo

Re: [strongSwan] wiki article iOS

2013-03-15 Thread Dirk Hartmann
have set left=212.69.162.156 and right=%any Dirk

Re: [strongSwan] OS X/iOS clients with XAUTH

2013-02-04 Thread Dirk Hartmann
--On Monday, February 04, 2013 10:24:46 AM +0100 Martin Willi wrote: >> I'm finding that clients drop after 45 minutes because the client >> wants to rekey, but doesn't expect to have to perform XAUTH >> authentication again. > > Yes, that's a known issue with iOS clients. I didn't know the sa

Re: [strongSwan] Multiple tunnels between two endpoints

2013-01-08 Thread Dirk Hartmann
--On Tuesday, January 08, 2013 11:30:00 AM +0330 Ali Masoudi wrote: > Thank you Dirk for your answer, > > But what about ikev1 connections? I think using multiple subnets in > one connection is acceptable in ikev2. If I'm wrong, correct me > please. no that is correct. "IKEv2 supports multipl

Re: [strongSwan] Multiple tunnels between two endpoints

2013-01-07 Thread Dirk Hartmann
Hi Ali, --On Monday, January 07, 2013 02:39:55 PM +0330 Ali Masoudi wrote: > I have a simple question, and I would be grateful if anyone could > answer it. > > If we want to establish multiple tunnels between two endpoints, is it > recommended to use "reuse_ikesa = no" option in strongswan.conf

Re: [strongSwan] iOS ipad Config

2012-11-19 Thread Dirk Hartmann
Hi, --On Monday, November 19, 2012 09:59:42 PM -0500 Chris Arnold wrote: > strongswan 4.4 i believe and trying to get an ipad with ios 6 to > connect to the server. I have this for my ipsec.conf: > > conn iOS > keyexchange=ikev1 > authby=xauthrsasig > xauth=server > left

Re: [strongSwan] W7 eap-mschapv2 with defined ip

2012-08-22 Thread Dirk Hartmann
...@strongswan.org. > If a '-' (hyphen) is given instead of a file name, the addresses are > read from STDIN. > Reading addresses stops at the end of file or an empty line. > Pools created with this command can not be resized. > > timeout: Lease time in hours, 0 for static le

[strongSwan] W7 eap-mschapv2 with defined ip

2012-08-22 Thread Dirk Hartmann
Hi, I played with a config to connect Win7 clients with EAP-MSCHAPv2 auth: works so far, but has the drawback that you can't assign a static IP to a special user. I tried to simply use two connections with: conn win7e

Re: [strongSwan] CA

2009-03-16 Thread Dirk Hartmann
--On Sunday, March 15, 2009 09:29:16 AM +0100 Daniel Mentz wrote: > http://sandbox.rulemaker.net/ngps/m2/howto.ca.html > > I did not check it in detail and there might be better sites. But I > think if you mix the information you get from this site with the > information from the strongSwan co

Re: [strongSwan] IPsec SA error

2009-03-13 Thread Dirk Hartmann
--On Friday, March 13, 2009 02:25:32 PM +0100 Daniel Mentz wrote: > antonio quisillo wrote: >> received netlink error: Protocol not supported (93) >> unable to add SAD entry with SPI c0844b4a >> unable to install IPsec SA (SAD) in kernel > > Here's a quote from strongSwan developer Martin Will

Re: [strongSwan] Low-Prio Feature Request libstrongswan plugin twofish

2009-03-13 Thread Dirk Hartmann
--On Friday, March 13, 2009 08:53:40 AM +0100 Martin Willi wrote: > The problem is that Twofish is currently not defined in IKEv2 [1] > (btw. Blowfish is, and it is supported using the OpenSSL plugin). > > We would have to implement Twofish as a vendor specific extension. If I understand it,

Re: [strongSwan] ipsec IKEv2 host-host

2009-03-12 Thread Dirk Hartmann
Hi --On Friday, March 13, 2009 00:26:21 +0530 abhishek kumar wrote: > no matching config found for '192.168.3.4'...'192.168.3.3' just a guess: try switching the left and right in ipsec.conf on sun to: conn host-host left=192.168.3.4 right=192.168.3.3 Dirk

[strongSwan] Low-Prio Feature Request libstrongswan plugin twofish

2009-03-12 Thread Dirk Hartmann
Hi, just as in the Subject, I have a low priority feature request. At the moment I try to migrate as many tunnels as possible to IKEv2. It would be nice to use twofish with charon as an alternative to aes for IKEv2. Thanks Dirk