Hi,
> Fixed below codesonar warning.
> isprint() is invoked here with an argument of signed type char, but
> only has defined behavior for int arguments that are either
> representable as unsigned char or equal to the value of macro EOF(-1).
>
> To avoid this unexpected behaviour, typecast
Hi,
> If I have "leftsubnet=172.30.0.0/16,0.0.0.0/0", the server leaks
> memory - available memory decreases steadily until all memory+swap
> are consumed and the server needs to be rebooted. No processes are
> using this memory - the sum of all shared + RSS is much lower than
> what htop reports
Hi Ben,
> First, maybe autogen could detect this missing gperf right at the
> beginning and tell the user?
./autogen.sh is just a wrapper for autogen -i these days, so it won't
help users calling that directly.
Doing such a check in ./configure is no option, as gperf is not
required for an
> Where is configure shell in the git?
As with most autotools based packages, ./configure is generated and
therefore not part of git. When building from git sources, you'll have
to generate it using autoreconf.
Alternatively, use the distribution tarballs from [1], which include
the generated
Hi Anthony,
> [...] and he did mention the possibility for using DAVICI. The problem at the time was
> Andreas lost the support person for this module. So we decided not to
> take the risk.
I don't think there is much of an issue here. I definitely will
Hi Peter
> So, am I correct to assume that you guys usually evaluate the output
> of `ipsec statusall`
Preferably I'd do that over vici [1], as it provides a much better
interface for various languages to query tunnel status or re-initiate
tunnels.
> Do you simply send pings to remote systems
Hi,
> are there any reliable performance figures for IPsec throughput on
> x86_64 Linux machines?
Nothing I could reference here.
> Is 10 GBit/s feasible? If yes, how?
On commodity hardware, maybe, but only if/when:
* using AES-GCM with AESNI/CLMUL, which can handle ~1Gbit/s/core
* your NIC
Hi,
> How exactly do these kind of multipath routes compare to
> multiple routes with different priorities/metrics? In your case you
> have multiple paths with the same weight, how is the actual
> nexthop/interface chosen by the kernel?
The nexthop of a multipath route is selected
Hi,
> > The following is my Strongswan servers routing table (default
> > routes).
> > nexthop via 90.225.x.x dev vlan845 weight 1
> > nexthop via 10.248.x.x dev ppp1 weight 256
> > nexthop via 85.24.x.x dev vlan847 weight 1
> > nexthop via 46.195.x.x dev ppp0
(one of which is quite old - running a dual core netburst
P4 @2.8, the other two are VMs on decent hardware, all of which have no
load) are hitting walls at 300mb/s
On a Netburst architecture you can't expect more; it does not have any
acceleration for AES-GCM.
but can hit 980mb/s
Hi,
> There is no appreciable load on any of the systems
> during throughput testing.
Please note that IPsec is usually processed in soft IRQ, so have a look
at the "si" field in top. If you are CPU bound, "perf" is very powerful
in analyzing the bottleneck on productive systems. If you are not
Hi John,
> The IKEv1 connections use pubkey & xauth-pam authentication:
> Is there a migration path for IKEv2 connections that makes sense? I see
> there is an eap-gtc module that supports pam but it's not clear in the
> documentation how to configure this to use a specific pam_service.
EAP
Hi Peter,
> If the hash is on SOURCE IP then won’t it potentially hash to a
> different segment depending on the direction of the message?
Yes. The current code does not enforce a return path over the same
segment, so a connection might return over the other node. You'll have
to consider that if
Hi,
From behind NAT only one client is able to connect at a time. If one remote
access VPN is up, the second VPN connection fails to connect.
The Windows L2TP/IPsec client uses transport mode to secure L2TP. A
gateway can't distinguish two clients behind the same NAT without some
tricks, as they
Hi,
I would like to know if there exist any two-factor combination where
one of them is RADIUS, either IKEv1 or IKEv2, which works with Windows
(Win7 and above) native VPN client.
AFAIK Windows does not support RFC4739. In IKEv1 there is a proprietary
extension called AuthIP in Windows, but
Hi,
[...] when the cisco initiates a connection with both the
transforms, the RSA-SIG being first in the list, strongswan replies back
with a proposal that contains RSA-SIG, because it is the first in the list,
even though the connection is defined as PSK.
Is this a bug and is there a way
Hi,
Is there any way that I could use user/password inside eap-ttls tunnel?
Windows clients are able to initiate IKE tunnel with eap-ttls and
user+password as their authentication protocol and I'm trying to use
Strongswan as my server side.
strongSwan EAP-TTLS currently does not support
Can you please share the ipsec configuration files that you used on x86
architecture, so that we can check if we are missing any generic or
architecture specific dependencies.
Our test suite features a regression test for the forecast plugin, see
[1].
Regards
Martin
Hi,
OpenWrt daemon.info charon: 15[CFG] forecast iptables commit failed: Invalid argument
Please check that your kernel supports the MARK target and the udp/esp
matches.
What architecture is OpenWRT running on? Not unlikely that it is an
alignment issue, I didn't test the plugin beyond
Hi,
I can see the multiple kworker threads spread across all 12 cores in
these fairly high powered systems but I am still dropping packets and
performance is not much improved.
If all your cores are processing traffic, then pcrypt probably works as
it should.
What does fairly high powered
Even at these rates, the CPU did not appear to be very busy. We had one at
85%
occupied but that was the one running nuttcp.
On the outgoing path, the Linux kernel usually accounts ESP encryption
under the process that sends traffic using a socket send() call. So
these 85% probably include
why it wasn't sending identity before but does send it now?
The client now offers EAP authentication by omitting the AUTH payload in
the first IKE_AUTH exchange. This allows the server to trigger the
EAP-Identity exchange, followed by EAP-MSCHAPv2.
and why does authentication fail?
The
Hi,
What I don't understand is why it is failing on EAP identity when I clearly
defined 'eap_identity=%any'
parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(MULT_AUTH) ]
parsed IKE_AUTH request 1
Gerd,
you are probably aware of the recent Weak DH / Logjam attack on
Diffie-Hellman,
see: https://weakdh.org/
Yes. Our TLS stack as server uses at least MODP2048, so is not directly
affected. I've queued a fix to reject groups smaller 1024-bit as client,
subject for the next release, see
Hi Holger,
server requested EAP_AKA authentication (id 0x00)
EAP method not supported, sending EAP_NAK
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem open
ssl xcbc cmac hmac ctr ccm gcm attr
Hi,
all CHILD SAs will have the same traffic selector (i.e., 40.0.0.1/8)
on responder side, as proposed by initiator. Is there any way to
specify/configure different initiator_tsr for each initiator?
Currently all initiators use the same subnet as defined with
initiator_tsr. So no, there is
As per the implementation, an SPD entry would contain the destination
IP as selector field and uses the same as a key to search the SPD
table.
I don't think this will work; The remote selector does not have to be
unique per CHILD_SA/policy. Having multiple CHILD_SAs having the same
remote
Hi,
ca section1
cacert=/usr/local/etc/ipsec.d/cacerts/CA.pem
6. After removing this and executing ipsec update we expect that the
SA will not get established as the end which does not have root CA of
peer will reject the IKE_AUTH.
All CA certificates placed under the cacerts
I don't really get how I'm supposed to use leftid, am I supposed to find a
string-ASN.1 converter ?
No, you define a string representation of your identity. strongSwan
detects the identity type, and tries to convert it to the appropriate
binary encoding (ASN.1 in the case of a DN).
While you
Hi,
1) [...]
For example my certificate subject is :
C=FR, ST=Région Parisienne, L=Paris, OU=Org, CN=1.Org,
E=jacques.moni...@gmail.com
but when I do ipsec listall I have :
C=FR, ST=R?gion Parisienne, L=Paris, OU=Org, CN=1.Org,
E=jacques.moni...@gmail.com
Converting Distinguished Names
Emeric,
It seems to be related to: https://wiki.strongswan.org/issues/839#note-1
It is, and as discussed in that ticket, it is a consequence of the
pair-wise (un-)installation of SAs.
To properly fix this issue, we would have to defer outbound SA
installation/activation as exchange responder to
Hi Lars,
Is it possible to have different cipher suites for all the conn
parameters in ipsec.conf?
Yes. But for IKE proposals, algorithm selection happens very early in
the exchange, before any peer identity gets exchanged. This is because
these details are explicitly protected under the
Hi,
It seems to me (I found some hints but no real doc) that you have to
specify the direction like this:
lefthost righthost : PSK rightpsk
righthost lefthost : PSK leftpsk
This can work, but I don't think that it must in all cases. The lookup
function for shared keys takes the
So what is the added benefit of having two PSKs, since IKEv2 explicitly
allows that compared to IKEv1?
While it is allowed in IKEv2, I don't see much benefit from doing that.
RFC 7296 says:
In particular, the initiator may be using a shared key while the
responder may have a public
Hi,
set_strongswan_conf_options(lfile);
system(starter --daemon charon);
You can't set options in the current process, and then expect that these
options get inherited to a child process spawned using system() or any
exec*() function.
If you want to set strongswan.conf options
Hi,
Please can you advise whether StrongSWan can support Multicast
Dissemination Protocol (MDP) ?
strongSwan does not provide any form of explicit support for that
protocol. Possible that you can use strongSwan as building block to
secure MPD traffic, but I've no experience with that.
Regards
Hi,
Is there a way I can avoid this and specify the path to
the library files and the package folder currently present in
lib/ipsec/ as compared to the old version where it was stored directly
in lib/.
Yes, have a look at the --with-ipsecdir, --with-ipseclibdir and
--with-plugindir options
Hi,
Does %dynamic work in net2net? Or only in road-warrior scenarios?
If any has been negotiated, %dynamic resolves to the virtual IP for that
endpoint. If not, it resolves to the IKE endpoint address. It can be
used in either scenario, but has a slightly different behavior.
Regards
Martin
Hi,
How can we add a custom algorithm for ESP in strongSwan 4.6.4?
ESP is usually handled by the kernel, so you'll have to implement your
algorithm there. On Linux, you'll have to provide your algorithm through
the Linux Crypto API.
Once that is done, you need to define a transform identifier
Hi Noel,
foo=collections.OrderedDict(strongswan.list_sas())
ValueError: need more than 1 value to unpack
list_sas() returns a generator over SA dictionaries, an iterable over a
list. Creating a dictionary from that does not make much sense, as there
is no key for the value. Instead, you
Hi,
The issue that I'm facing is that SA on strongSwan side is up but stuck in
"IN-NEG" status on Cisco side (Response is outside of window received 0x1,
expect 0x2 = mess_id 0x2).
16[ENC] parsed IKE_AUTH request 1 [ V IDi CERT CERTREQ ... ]
[...]
16[IKE] IKE_SA csr-swan[1] established
Hi,
Is there a mechanism to change the level of required log to 'debug', so
that they will get automatically redirected to /var/log/debug.
No, charon currently always logs with LOG_INFO. With strongswan.conf you
can control the facility only (using the auth or daemon section).
Regards
Martin
Hi Luka,
I have just found out, that recent openssl 1.0.2 commit
929b0d70c19f60227f89fac63f22a21f21950823
breaks hmac when using openssl plugin for hmac functions
This commit prevents the pre-initialization with an empty key we use to
avoid any non-initialized use of HMAC_Update(). Most
Please let me know if there is a fix for openssl since changing the
load order of plugin is not recommended.
If you are using OpenSSL 1.0.2a, you might try the strongSwan fix
provided at [1].
Regards
Martin
[1]http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=openssl-hmac
Hi Ken,
Not sure if keeping the current DNS servers installed is the best
approach, maybe we should remove the previous servers. But we
currently just add them to have them as a fallback.
I've pushed a new build [1] based on 5.3.0-rc1 that instead of appending
the servers to the list, it
Hi Richard,
If we add ff00::/8 to rightsubnet [...] the Router Solicitation and
Router Advertisement packets pass correctly. The client gets a default
route, and everything works. However, when we try to connect the VPN
from a second client, it fails to connect because of duplicate traffic
Hi Michael,
1. users should authenticate with a certificate (optional, but planned for
the future) (Certificate is checked by StrongSwan)
2. users should authenticate against our active directory via freeRadius
(username + password)
3. users should also enter an OTP (send as SMS by the
Hi,
I need to change the host certificate (/etc/ipsec.d/certs/xxx.pem
Certificates from the ipsec.d/certs directory do not get loaded
implicitly, but get referenced in your ipsec.conf conn definition. Use
ipsec update or ipsec reload to reload the connection, refer to the
manpage for details.
Hi Chris,
leftsubnet=10.72.0.0/16,192.168.1.0/24,public ip subnet/29,another public
ip subnet/29
On Windows 7 and Windows 8 we can only access the private ip subnets
after connecting to strongswan. We have to add manually routes to
access the public ip subnet via the tunnel. Is this a
ESN support must be negotiated, as defined in RFC 4304, 2.2.1:
This of course is RFC 4303 (ESP), sorry for the confusion.
Regards
Martin
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Hi,
The wiki mentions this ESN support is only for IKEv2. Is it so?
Yes.
As per my understanding this ESN feature refers to sequence
numbers in ESP. So why is this support dependent on version of IKE?
ESN support must be negotiated, as defined in RFC 4304, 2.2.1:
To support high-speed
Hi,
1. Is it possible to use port other than 4500 for NAT-T UDP
encapsulation. If yes how can I configure it ?
Yes, with the port_nat_t option in strongswan.conf, refer to [1] for
details.
To initiate a connection to a host with non-default ports, use the
ipsec.conf rightikeport option.
Hi Fabrice,
But when I execute ipsec statusall command, it replies :
reading from socket failed: Permission denied
When I suppress /etc/apparmor.d/usr.lib.ipsec.stroke AppArmor
profile, the command replies correctly.
We don't ship any AppArmor profiles from upstream, so you most likely
Yves,
When we generate a new version of these files we issue an ipsec reload
(not just update). I'd expect that to kill connections that are not
relevant anymore, but this is not the case ipsec statusall shows them
still as defined and up and running.
ipsec reload by design does not affect
Hi,
During our testing with IKEv2, we found that the 1st packet(IKE_SA_INIT) does
not have any information on vendor ID payload which is a MUST criteria as
per the RFC.
As per the RFC 3947.
“In the first two messages of Phase1, the vendor id payload for this
specification MUST be sent
Ken,
Are there any issues with DNS StrongSwan Mac OS X app?
The osx-attr plugin prepends the negotiated DNS servers to the currently
configured ones. You may check with scutil if that works as expected.
Not sure if keeping the current DNS servers installed is the best
approach, maybe we
Hi,
As per the description of vulnerabilities in above links, the
vulnerability is only applicable and will lead to crash in pluto IKE
daemon alone. Charon is not mentioned.
You should apply these fixes even if using charon only, the
libstrongswan code is used by charon. Not sure where this
Hi Tom,
Is there a reason that, when using two Strongswan endpoints, one would
not choose reauth=no?
Yes. Reauthentication re-evaluates authentication credentials, checks
the certificate status or rechecks permissions in the AAA backend.
IKE_SA rekeying, as used with reauth=no, only refreshes
Hi,
Is it essential for both nodes to receive all the ESP packets?
Yes.
Can't ESP sequence numbers be synchronized through the HA plugin?
No, this is not how the HA plugin works. ESP sequence numbers move very
fast, making a synchronization in userland difficult.
You may try to synchronize
On Sat, 2015-03-07 at 21:52 +, Tormod Macleod wrote:
Hello,
I'm getting the above error when rekeying. I think it might be related to
issue #431? I've tried the workaround of setting reauth=no but this did not
resolve the issue. I have only started running into this since we started
Aleksey,
when I test failover [...], traffic won't flow through standby
node until rekey on child SA is done
To me this sounds like an ESP sequence number issue. I assume you have
patched your kernel to include our ClusterIP IPsec extensions, as
discussed at [1]. You may find some newer patches
Hi,
Sorry for my previous mail, this time with some content:
I have only started running into this since we started using more than
one subnet in the left side of the connection.
leftsubnet=10.176.0.0/13,10.130.0.0/16
rightsubnet=192.168.0.0/16
Iona-VPN-FW[1]: IKEv2
Then you should check if ClusterIP works as expected, and both on the
inbound and outbound paths the ESP packets hit both nodes.
To clarify, on the outbound path this of course is plain traffic subject
to ESP encapsulation.
Regards
Martin
Noel,
I would like to know how the performance of strongswan/Linux is with
about 1000 established tunnels and ~3000 (XFRM) policies.
I think XFRM policy lookup in the kernel scales fine, handling ~3000
policies shouldn't be a problem at all.
How much traffic can be forwarded? Is the
Hi,
13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
]
13[NET] sending packet: from 10.1.186.35[500] to 10.1.186.174[500] (432 bytes)
17[KNL] WFP MM failure: 10.1.186.35/32 === 10.1.186.174/32, 0x3601,
filterId 0
Have you disabled the IKEEXT Windows IKE
Hi Tom,
1.) Since IKEv2 does not use DPD, should one omit the dpdaction
directives from ipsec.conf for a connection using IKEv2?
While IKEv2 does not use DPD, it provides a very similar mechanism
called liveness checks. The dpdaction and dpddelay keywords work for
both IKEv1 and IKEv2 in
Ken,
The initiator received signal 6 (SIGABRT) after eight hours of operation.
Actually, the offending signal is SIGSEGV (11). charon catches that,
prints a backtrace, and then calls abort() to terminate itself.
I have a ~182MB core file from the initiator. How can I get it to you?
I don't
I will try to more quickly produce the crash by setting ikelifetime.
Is there a recommended (or minimum) value?
You may set it to 30s or so, but make sure to adjust
rekeymargin/rekeyfuzz accordingly.
(gdb) p *cert
$4 = {get_type = 0xd30fe0, get_subject = 0x7f5e631a9ed8 main_arena+88,
Hi Ken,
09[DMN] thread 9 received 11
09[LIB] dumping 2 stack frame addresses:
09[LIB] /lib64/libpthread.so.0 @ 0x7fb8fd3ab000 [0x7fb8fd3ba710]
09[LIB] - sigaction.c:0
09[LIB] /lib64/libc.so.6 @ 0x7fb8fce13000 [0x7fb8fd1a2ed8]
09[LIB] - interp.c:0
09[DMN] killing ourself,
My understanding was ip address assignment to interface can happen
later after child SA is negotiated with tunnel end point using the
virtual ip stored in the Strongswan internal data structures.
No, this won't work. Negotiating the CHILD_SA installs IPsec SAs and
policies to the kernel,
Hi,
What is the need for activate the TASK_IKE_CONFIG before
TASK_CHILD_CREATE.
While these tasks get executed during the same exchange(s) with an
IKE_AUTH piggybacked CHILD_SA, the order is still important. If a
virtual IP is negotiated, this must be done beforehand. The CHILD_SA
IPsec
Hi,
StrongSwan V5.2.0 is configured to be an IPsec VPN gateway on a Linux
machine. A Mac laptop connects to it using the native Mac OS X
v10.10.2 Cisco IPsec VPN client. The connection is established and
works well for roughly 6,516 seconds (1 hour, 48 minutes, 36 seconds;
or ~108 minutes)
Of note is Section 3.12.1: Dead Peer Detection is implemented only for
server-to-server site-to-site-tunnel mode IPsec tunnels on Windows
Server 2012 and Windows Server 2012 R2. Dead Peer Detection is not
implemented on Windows 8 or Windows 8.1 for IKEv2-based VPN (that is,
VPN
Hi,
Can I support different types of authentication method simultaneously
for IKEv2? i.e. can I support both PEAP-MSCHAPv2 and EAP-TLS at the same
time ?
As initiator/client, you can configure leftauth=eap without a method to
authenticate with whatever the responder offers.
On the
Kindly asking to keep the discussion on the list, thanks.
IKEv2 supports certificate authentication without EAP, which is much
simpler and faster.
Would I be able to do this with the StrongSwan applet for Mac OS X ?
No, the strongSwan OS X App currently supports EAP-MSCHAPv2 only using
Hi Ryan,
I have an application scenario where I need to test Nested IPsec Tunnels.
I googled and came up with some old threads talking about how this isn't
supported with strongSwan unless I use two boxes, or a VM to route the
traffic through again. Is this still the case?
Yes, this is
Hi,
In that particular configuration (no monitoring/heartbeat) stopping
charon on the active node should clear the connections on the remote
gateway (OK) and on the other node (not OK), right?
The active node will delete the IKE_SA, and send a close event to the
passive node.
If you are not
Hi James,
Here's the log with error...
08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr
N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
08[NET] sending packet: from server.external.ip[4500] to
client.external.ip[15546] (2204 bytes)
11[NET] received packet: from
Hi Sam,
1) Is there alternative for 'leftfirewall=yes' in the VICI interface to
automatically setup iptables rules?
There is no option for the default updown script, but you may manually
specify ipsec _updown in the CHILD_SA updown configuration option.
2) What is the syntax for loading a
Hi Denis
07[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
07[NET] sending packet: from 179.179.179.179[4500] to 46.211.133.122[39592]
(1660 bytes)
07[ENC] generating TRANSACTION request 2234314252 [ HASH CPRQ(X_USER X_PWD) ]
07[NET] sending packet: from 179.179.179.179[4500] to
When charon is stopped on one of the nodes, DELETE are sent to the remote
hosts:
Actually, it should not if it has an active heartbeat connection with
the other node. If a node knows that another node is active, it should
deactivate all responsible segments locally before shutting down, and
Hi,
Your fix to use the ordered dictionary worked perfectly. Thank you very
much. It is now accepting vpn connections.
Great. I'll check how we can mention that issue in the documentation.
Regarding the `vips` configuration, I thought that it was the replacement
for the `rightsourceip`
Hi,
I am wondering how the specification of multiple addresses in the left|right
option works.
right=134.111.75.171,134.111.75.172
The right option can take multiple addresses, but only to match the
connection when responding to initiators.
For example, how many kernel policies I should
Hi,
Is there a way to configure a device to connect to a gateway [ eg
10.1.1.254]. If that gateway fails [ detected via DPD],it would
connect to 10.1.1.253 [ his backup gateway]?
No, specifying fallback addresses is currently not implemented in
strongSwan.
I've tried with
Hi,
rightid=001122334455667788
*IDir '62.43.189.77' does not match to '001122334455667788*'
Your Sonicwall uses '62.43.189.77' as its identity. Your strongSwan
configuration strictly requires '0011223344556677880' as defined by
rightid. Either change your Sonicwall or your strongSwan
Hi,
I'm trying to setup strongswan 5.2 but am experiencing problems where the
leftside can't seem to connect to the right side and keeps retransmitting
the request till it times out.
Most likely this is a connectivity or firewalling issue. You should
check where that IKE_SA_INIT message gets
Sam,
test: remote: uses XAuth authentication: any
test: remote: [C=US, O=xx, CN=test] uses public key authentication
The order of remote authentication rounds is wrong; XAuth follows public
key, not vice-versa.
As your config tree looks correct, most likely the order of
authentication
Are you using the Python library? I think ruby gets this right, as it is
guaranteed that Hashes enumerate their values in the order that the
corresponding keys were inserted. Probably not true for Python.
Maybe using collections.OrderedDict to define your tree helps.
Regards
Martin
Hi,
I am not observing init script to configure ipsec.conf and
ipsec.secrets from /etc/config/strongswan configuration file. Is this
available in any patch or in any other release? where can I find the
init script for it?
We don't provide any init scripts from upstream (beside some systemd
Hi,
I have attempted to create the same configuration using a call to the VICI
with this dictionary:
Have you tried to configure that in swanctl.conf to avoid any problems
with your dictionary? Here such an XAuth configuration works fine when
defined in swanctl.conf.
This keeps returning
Hi Akash,
no TLS peer certificate found for
'223456789123...@nai.epc.mnc213.mcc090.3gppnetwork.org', skipping client
authentication
EAP_TLS method failed
As the TLS stack does not find a usable certificate with a private for
your ID, it skips client authentication. Your server most likely
Hi,
My new setup uses MD5 passwords in Radius, while my old config used
NT-hash. It seems now with radius-eap I have problems authenticating
against the MD5 passwords. It is using eap-mschapv2 and it seems it is
not a supported combination -
This can't work, a server verifying clients with
Hi Daniel,
[...] think of a typical Site-to-Site scenario where Subnets are
protected by their respective gateways.
However, the expert told me that it is possible to use Transport Mode
instead of Tunnel Mode for this scenario as well.
As the endpoints that communicate from within the
Hi Milen,
07[IKE] initiating EAP_IDENTITY method (id 0x00)
07[IKE] peer supports MOBIKE
07[IKE] authentication of '[...]' (myself) with RSA signature successful
07[IKE] sending end entity cert [...]
07[ENC] generating IKE_AUTH response 1 [IDr CERT AUTH EAP/REQ/ID ]
07[NET] sending packet:
Hi,
How to send IDi and DN separately such that DN doesn't overwrite IDi?
strongSwan requires that the IDi matches one of the identities in the
certificate, and enforces that if it does not. To use a different ID,
you should include that ID as subjectAltName in your certificate.
If you really
Hi Ryan,
I’m trying to build strongSwan without Kernel dependencies. I’d like
to use something like the lib-ipsec module (but modified), to receive
the child SA’s for use on a crypto processor.
strongSwan has different kernel backends. If you don't want to use one
of ours, you might provide
Hi Thomas,
is it possible to uses strongswan with eap-ttls and pap?
EAP-TTLS in strongSwan currently supports tunneling other EAP methods
only. PAP is not an EAP method, but a different protocol for password
authentication. Plain (non-EAP) PAP, CHAP or MSCHAP is not supported in
our EAP-TTLS
Hi Ryan,
Does strongSwan currently support RFC-5685, IKEv2 redirect?
No, RFC 5686 is currently not supported by strongSwan. At this time we
have no plans to implement this extension.
Regards
Martin
Hi Pavan,
My question is whether INITIAL_CONTACT notification can be sent in
IKE_AUTH response? If yes, in which condition this notification will be
sent by responder?
Theoretically yes, but strongSwan never sends INITIAL_CONTACT as
responder, only as initiator.
While sending the notify as
Hi,
Anyone who knows how to configure load-tester to support xauth, please help
me. Really appreciated.
Please refer to my answer and the patch for ticket #835 [1].
Regards
Martin
[1]https://wiki.strongswan.org/issues/835#change-2837