I have an issue with a pretty standard setup using Strongswan, wherein the
tunnel comes up properly but the traffic to the actual server is never
marked for ESP and thus never seems to get onto the tunnel. I've confirmed
that I do not see any traffic for esp using tcpdump, and when I do
a
Andreas,
Per Noel Kuntze's suggestion, I added
charon.make_before_break=yes
to both the initiator and responder. However I still accumulated
duplicate IPsec child SAs.
Can you offer insight how I may fix this issue?
thanks,
Jeff Weber
Forwarded Message
Subject
ation of
connections..unique
and
charon.make_before_break
settings will fix my issue. Currently I am using the default values for
each.
Advice on a config change to fix duplicate IPSec SAs is requested.
thanks,
Jeff
# common charon.conf file
# Options for the charon IKE daemon.
ch
k
will fix my issue. Advice on config change is requested.
thanks,
Jeff
Does the strongSwan project still provide consulting services? I have
been unable to reach the posted consulting contact
andreas.stef...@strongswan.org.
thanks,
Jeff
responder:
dpd_action=clear
dpd_delay=60s
Initial testing shows this works without a separate initiator "ping"
process, which is attractive, but I'm sure there are many corner cases
I have not considered.
Will the above config create and maintain a stable VPN?
thanks,
Jeff
onf.
I am looking for guidance crafting an initiator swanctl.conf to
automatically bring up the VPN for this situation.
thanks,
Jeff
bc
for your reference.
> kapil : can you point me to
>
>
> On Mon, Jun 20, 2016 at 12:31 PM, Jeff Leung <jle...@v10networks.ca>
> wrote:
>
>
> > Hi,
> >
> > I am looking for ways to improve the throughput while using the
>
> Hi,
>
> I am looking for ways to improve the throughput while using the
> strongswan IPSEC.
>
> I read that AES-GCM provides excellent throughput over default
> AES-CBC-128 when used with AES-NI support in Intel processors.
>
>
> I want to enable AES-GCM128 cipher in my Xeon E5
Sorry to bring this topic up again, but here it goes...
Alright, there seem to be issues with strongSwan 5.2 in the way it sets up
a Cisco VTI tunnel. I was able to get a working VTI tunnel established between
2 VyOS 1.1 machines that have strongSwan 4.5.2 bundled. The kernel version
One thing to note in particular in both cases - VyOS does not delete the
default route in table 220 as generated by strongSwan. I suspect for some
reason the way the VTI tunnels are configured is causing the network stack
not to redirect marked packets to the VTI tunnel interface.
To
to successfully establish multiple IKEv1 tunnels
to the same peer.
Were there changes from the days when pluto that is now considered as
incompatible with strongSwan?
-- Jeff
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman
iptables v1.4.3.2
Jeff
MR3, ISAKMP SA established);
EVENT_SA_REPLACE in 214s
Jeff Wild
wild...@hotmail.com
established);
EVENT_SA_REPLACE in 214s
Jeff Wild
wild...@hotmail.com
Jeff Wild
Wild Information Systems LLC
2010 W. 131st place
Westminster, CO 80234
303-514-9702 cell
303-562-0388 wk
jeff.w...@wildinfosystems.com
000 #5: net-net esp.8559b...@x0.x7.x6.25 (1224 bytes, 46s ago)
esp.506b0...@x0.x7.x6.27 (954 bytes, 46s ago); tunnel
000 #1: net-net STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
EVENT_SA_REPLACE in 214s
Jeff Wild
wild...@hotmail.com