Martin,
On 26 February 2013 12:37, Martin Willi mar...@strongswan.org wrote:
Hi Graham,
I've configured the local machine to expect to perform certs
authentication
followed by EAP-AKA.
How did you configure this? I assume the configuration on the initiator
looks something like:
Justin,
I've found it useful in the past to think of left as the local machine
and right as the remote machine.
You'll have an ipsec.conf on both machines and the left in each file will
refer to the local machine where local is from that machine's point of
view.
Graham.
Hi Iris,
The way I solved this in the end was to write my own program that created a
raw UDP socket. I wanted this socket to be able to send broadcast packets,
so I set the SO_BROADCAST option. I also wanted complete control over
specifying the IP header as well as the UDP contents, so I set the
Hi All,
We have a question here concerning verification of the SeGW's certificate by
the local tunnel initiator.
We configure our initiator with the FQDN of the SeGW. The initiator resolves
this FQDN to an IP address and then sends the tunnel setup requests to that
IP address with the IDr set to
All,
Hopefully this is a quick answer for someone?
When we set up a tunnel, we have to specify a DH group along with the
acceptable encryption and authentication algorithms for the IKE_SA
(e.g. aes-sha-modp1024!).
Is DH re-negotiated every time we rekey the IKE_SA?
Also, when we set up a
Dear All,
I wonder if anyone can help me with a strongSwan config issue?
I'm trying to configure a SeGW running strongSwan (v4.5.1) to accept
incoming tunnel attempts and assign them to different virtual address pools.
I thought the easiest way to do this was to create different config
All,
Warning - probable noob question coming up ...
We've been using strongSwan quite happily for a couple of years now, with
the IPsec clients connecting to a SeGW and talking to hosts on the secure
side.
Now, however, we have a requirement for one IPsec client to talk to another
IPsec client
Andreas,
Thanks for that. Unfortunately, all of these abstract labels are making my
head hurt. Let's try some real numbers.
Host A and Host B have local IP addresses in the 192.16.50.xxx subnet.
The SeGW has an unsecure IP address (i.e. on eth0) in the 172.16.xxx.xxx
subnet and a secure IP
needing the specific UDP port opening too.
Sorry to have wasted your time.
Regards,
Graham.
On 4 March 2011 12:48, Graham Hudspith graham.hudsp...@gmail.com wrote:
Andreas,
Thanks for that. Unfortunately, all of these abstract labels are making my
head hurt. Let's try some real numbers.
Host
Hi All,
Up till recently, we have been setting up tunnels between client and server
using DH Group 2 (aka MODP_1024). We are starting to transition over to DH
Group 14 (aka MODP_2048) and are coming up against problems. I'm hoping
someone can please shed some light?
The clients are using a
Martin,
Thanks for the swift reply.
On 1 December 2010 13:11, Martin Willi mar...@strongswan.org wrote:
Hi Graham,
selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
DH group MODP_2048 inacceptable, requesting MODP_1024
The client sends back N(INVAL_KE) to the server
Martin, Tobias,
Thanks for the info. I'm glad you confirmed there was no secret method of
emptying the hashtable that I'd missed. Also that my suspicions about
invalidating the enumerator if I enumerated-and-removed were correct.
In the end (a Friday afternoon deadline approaching) I decided to
Hello All,
Quick development question for you (nice on a Friday afternoon).
I've a hashtable_t containing elements and I want to delete all elements
from that hashtable_t. And use the hashtable_t again afterwards.
I can see that hashtable_t supports getting, setting and removing of
elements.
Hello All,
We've been using strongSwan as our IPsec solution for a while now (thanks to
Martin, Andreas and everyone else who has helped us get this far!).
However, we've come up against a problem trying to implement the certificate
hierarchy designed by our device-security guys.
They've come
Martin,
Thanks for that. Using the config param:
esp=aes-sha1-modp1024,aes-sha1!
and a strongSwan rebuilt with your patch, everything now works. Both SeGWs
are happy. Phew!
Cheers,
Graham.
___
Users mailing list
Users@lists.strongswan.org
Hello All,
We've a problem here with a couple of errant security-gateways when trying
to connect our strongswan-using software to them.
Originally, we specified a connection to use the following params:
ike=aes-sha-modp1024!
esp=aes-sha1
The first segw was *unhappy* with this, because the
Dear All,
We're happily using strongSwan 4.3.5+, but we've come up against a situation
where the route between us and the Security-Gateway has a firewall which is
configured to open port 4500 only and to NOT open port 500.
Is there any way to configure strongSwan to go straight to using port
Martin, Andreas,
We're in the process of opting out of strongSwan managing routes when
setting up and tearing down tunnels (by setting strongswan.conf's
charon.install_routes option to 'no').
However, although strongswan is no longer installing the routes, whenever
the tunnel goes down it looks
Dimitrios,
That is a brilliant idea, thank you. Out-of-the-box thinking. Or is that
out-of-the-table? :-)
Graham.
2009/11/15 Dimitrios Siganos dimit...@siganos.org
I can think of another option that might make the whole setup cleaner.
Introduce another route table (e.g. 219), which has
All,
Having learnt how to provide access to the local subnet when the tunnel is
up, I now want to restrict the list of subnets available through the tunnel.
In other words, I want everything to go OFF-tunnel unless it is in the
supplied list of subnets.
So, I set up a normal tunnel and provide a
Andreas,
Thanks for the reply. I'm afraid I'm not an expert on xfrm policies. Could
you please give an example of the add command you had in mind?
However, as Daniel states, your diagnosis does not sound quite right to me.
Just going via the ip routing tables (and ignoring xfrm), it seems that
Hello All,
We're grappling with an access-to-local-subnet-when-the-tunnel-is-up
problem.
After a tunnel is brought up, the routing table is thus:
# ip route show
192.168.50.0/24 dev eth0 proto kernel scope link src 192.168.50.154
default via 192.168.50.1 dev eth0
# ip route show table 220
Hi.
Is it possible to specify a value for ikelifetime (e.g. 10m) but leave
lifetime turned off (e.g. 0)?
And vice versa ?
During testing we want to be able to check child-rekeying without
worrying about ike-rekeying, and vice versa.
I realise that we could set the unwanted one to
the problem might be that although jupiter's satellites are NAT-ed to
jupiter's eth0 address 192.168.50.159, jupiter itself uses the virtual
IP address 10.10.2.147 within the IPsec tunnel. I know
from personal experience that NAT-ing clients behind a gateway
to the gateway's outer IP address
Hi,
I have a situation which I hope someone can please help me with.
I have a machine (called jupiter) on our lan. Using its eth0 NIC (we're
talking linux, of course), jupiter can ping and connect to other machines
on the lan. One machine it can reach (called saturn) acts as a gateway to
a
Martin,
Thanks for your swift reply. I've gone away and read the RFC on
EAP-AKA and had a think about what you said.
The problem with not supporting AKA-Identity is that it stops
everything else (in an EAP-AKA environment) from working. Get
AKA-Identity implemented and you do
We've come across a problem sending UDP packets through a tunnel when the
tunnel goes through a firewall and I was hoping someone can
explain/confirm what is going on (please).
Our machine sets up a tunnel to a secure gateway and then opens a UDP
socket through that tunnel to a machine on the far
I've removed any reads to unaligned integers in the parser code [1],
generator looks OK so far. I don't have an ARM box, so any feedback is
very welcome.
Thanks
Martin
[1]http://wiki.strongswan.org/repositories/diff/strongswan?rev=42748858
Martin,
Thanks for that patch.
With a
Dear All,
I've tried finding information on the plugins used by strongSwan and
have failed miserably. I'm hoping someone here can please throw some
light on the matter.
We're using eap-sim and eap-aka mechanisms to set up the tunnel. So
I have configured and built strongSwan
Hi,
I wonder if anyone can please help me with a problem I'm having getting
strongSwan (4.2.14) running on the ARM?
I've played about getting strongSwan working on x86 setting up a tunnel to
a server. I then compiled strongSwan for ARM and copied across the config
files I used on x86.