Re: [strongSwan] Multiple SAs after rekey with traffic.

2022-05-25 Thread Rajiv Kulkarni
Hi 1. Why have you changed/set the "rekeyfuzz=0%" - I suggest that you should NOT change any of the "default/pre-defined" settings that are used in the Expiry-Rekeying formulae such as "rekeyfuzz" which I believe is 100% as default value. 2. So except for "margintime" (which is correctly set

[strongSwan] about the "ipsec up-nb conn-name, ipsec down-nb conn-name" non-blocking patch and feature

2022-03-04 Thread Rajiv Kulkarni
Hello I came across the info that there is a non-blocking version of the below stroke-based ipsec commands: "ipsec up | down " as below: ipsec up-nb | down-nb So I checked in the release images (older and latest v5.8.x/5.9.x), but the nb-version of the commands is not supported... Is the

Re: [strongSwan] Help with setup

2022-02-01 Thread Rajiv Kulkarni
Hi If your setup is as below: (192.168.127.2)PC1(127.254)[Home]ipsec tunnel[workrouter](126.254)-PC2(192.168.126.2) 1. Then, with the tunnel established (or send traffic from PC1 to PC2 or vice-versa to bring up the tunnel), try with traffic (ping, etc) between PC1 and PC2

Re: [strongSwan] Help with setup

2022-02-01 Thread Rajiv Kulkarni
Hi From my own understanding (I may be wrong) of your configs applied...I believe there is a "missing" permit rule for ESP in the INPUT chain of your iptables/firewall rules Try with adding to running config as below, above the drop rule iptables -I INPUT 1 -p esp -i -j ACCEPT and no harm in

Re: [strongSwan] Is multicast-routing (by enabling PIM-SM/PIM-DM) supported directly on the XFRM-Interfaces Or is it possible to use the "forecast" plugin-feature to do the multicast forwarding on the

2022-01-31 Thread Rajiv Kulkarni
first though with your specific software. > > Kind regards > Noel > > Am 30.01.22 um 15:59 schrieb Rajiv Kulkarni: > > Hi > > > > I did search for any existing discussion on this, but as of now did not > come across it. > > > > So i have this q

[strongSwan] Is multicast-routing (by enabling PIM-SM/PIM-DM) supported directly on the XFRM-Interfaces Or is it possible to use the "forecast" plugin-feature to do the multicast forwarding on the IKE

2022-01-30 Thread Rajiv Kulkarni
Hi I did search for any existing discussion on this, but as of now did not come across it. So I have this question on using xfrm-interfaces with ipsec-tunnels Is multicast-routing supported with the xfrm-interfaces? - I mean, can we enable and run PIM (SM and/or DM) on the xfrm-interfaces and

Re: [strongSwan] Having forwarding issue in a basic StrongSwan setup

2022-01-27 Thread Rajiv Kulkarni
Hi On the Strongswan peer-gateway (ubuntu), try by adding the below before(preferably) or after the ipsec tunnel is up *root# ip route add 172.16.1.0/24 dev ens224 table 220* I think it will then start the forwarding of the inbound (after decryption) packets correctly as

Re: [strongSwan] Multiple CHILD_SA in one IKE_SA with same TS

2022-01-25 Thread Rajiv Kulkarni
o the first matching CHILD_SA on the > responder. > > Regards > > - Marcel > > Am 25.01.2022 um 07:42 schrieb Rajiv Kulkarni: > > Hi > > would setting this "reqid" option for each of the tunnels (with different > left-righ-IDs set) in both initi

Re: [strongSwan] Routing between two remote sites

2022-01-25 Thread Rajiv Kulkarni
Hello VTwin This is a classic Hub-n-Spoke VPN Topology, where - Central-Gw is the Hub-Ipsec-PeerGw, and - East and West Gws are the Spoke-Gw peers - And you need the local-subnets behind each spoke to communicate not only to subnets behind Central-Gw, BUT also require that the spoke-to-spoke

Re: [strongSwan] Multiple CHILD_SA in one IKE_SA with same TS

2022-01-24 Thread Rajiv Kulkarni
Hi, would setting this "reqid" option for each of the tunnels (with different left-right-IDs set) in both initiator and responder peers help? The below is the setting that is available (in swanctl.conf):

Re: [strongSwan] Overriding DF on XFRM interfaces

2022-01-17 Thread Rajiv Kulkarni
Hi John, Hi Let's assume that your network deployment (for the ipsec tunnel) is as below: Note: The values mentioned are the mtu of the interfaces connected [appliance1]1500mtu-1500mtu[openwrt-router1]1500mtu---[internet]-1500mtu[openwrt-router2]1500mtu-1500mtu[appliance2]1500mtu

Re: [strongSwan] What is the correct subnet for rightsourceip?

2022-01-17 Thread Rajiv Kulkarni
>>>Is there any harm if I chose subset /22 to increase it to 1022 IPs? No None at all...you can configure /22 also...ensure that it's a unique network-subnet...and the same not used in any part of your local-lan network of the vpn-server On Sat, Dec 18, 2021 at 12:39 PM Houman wrote: > Hello, >

Re: [strongSwan] cannot connect with android 11 standard client (but android strongswan works)

2022-01-17 Thread Rajiv Kulkarni
Hi Try configuring your vpn-server as below: For Split-Tunnel: - conn WindowsAndroidOtherClients_wEAP left= right=%any leftsubnet=192.168.0.0/22,192.168.12.0/22,192.168.21.0/24 rightsourceip=10.254.236.2/22

Re: [strongSwan] disable sending vendor id

2022-01-17 Thread Rajiv Kulkarni
Hi Actually, by default Strongswan is configured with NOT sending Vendor_ID, but you can make it explicit by enabling/uncommenting the setting in "../Strongswan.d/charon.conf" file as below: # Send strongSwan vendor ID payload send_vendor_id = no hope this helps thanks & regards Rajiv

Re: [strongSwan] Matching Cisco "esp-3des esp-sha256-hmac" to strongswan config

2022-01-17 Thread Rajiv Kulkarni
Hi It seems the IKE-proposal (3des-sha256-modp1024) that you are sending from the Strongswan (1.1.1.1) to the remote peer (2.2.2.2) DOES NOT MATCH WHAT IS CONFIGURED ON THE 2.2.2.2/PEER So confirm that the ike proposal sent by Strongswan (as initiator of the tunnel) is matched by the same

Re: [strongSwan] IPSEC IKEv2 disconnecting after ~8 hours - Windows 10 Client

2022-01-17 Thread Rajiv Kulkarni
Hi Looks like the windows-native clients are behind nat-routers. And also somewhere it's documented (in strongswan-wiki) windows-ikev2-clients especially behind nat-routers (meaning tunnel with NAT-T) do not respond or misbehave when the vpn-server initiates a rekey Of course as you have already

Re: [strongSwan] GRE Strongswan Question

2022-01-07 Thread Rajiv Kulkarni
Hi Check the sample-config/info in the attached doc. Maybe it will help One thing I check from my experience (especially for tunnel-mode ipsec) is that on the R1 and R2, even though they may be connected back-to-back/in-same-subnet (as per your config posted), you should still ensure that the

Re: [strongSwan] kernel traps with auto=route, and "install_routes=no" - how to view traps installed and the routes if any installed by Strongswan-Charon

2020-10-26 Thread Rajiv Kulkarni
lugins.kernel-netlink.fwmark in strongswan.conf is >> > recommended as it will allow using a more efficient source address >> lookup. >> >> Answers to your other questions can be drawn from the quote. >> >> Kind regards >> >> Noel >> >>

Re: [strongSwan] kernel traps with auto=route, and "install_routes=no" - how to view traps installed and the routes if any installed by Strongswan-Charon

2020-10-26 Thread Rajiv Kulkarni
t; > recommended as it will allow using a more efficient source address > lookup. > > Answers to your other questions can be drawn from the quote. > > Kind regards > > Noel > > [1] > https://wiki.strongswan.org/projects/strongswan/wiki/IntroductionTostrongSwan#Routin

[strongSwan] kernel traps with auto=route, and "install_routes=no" - how to view traps installed and the routes if any installed by Strongswan-Charon

2020-10-23 Thread Rajiv Kulkarni
Hi It's mentioned that when we set "auto=route" in a connection entry/record for a ipsec tunnel, the "kernel traps are installed" In layman's terms and understanding: 1. What exactly are these "kernel traps" installed? Can we view what traps are installed? 2. By default "install_routes" is YES, so

Re: [strongSwan] Windows VPN client issue with Strongswan

2020-10-18 Thread Rajiv Kulkarni
Hi Maybe this info may be of some use/help for the users. It took up a lot of time spent in studying various aspects and arriving at this config, hence sharing for some use to other users too. The below is the config for Strongswan VPN server for Windows-IKEv2 clients (using Certs-ONLY and/or

Re: [strongSwan] KEY_ID encoding

2020-10-06 Thread Rajiv Kulkarni
Sorry, there was a typo. I meant to use as below: secrets { tst1 { id = @#0x636973636f617361 secret = test123456789 } } would this work? thanks Rajiv On Wed, Oct 7, 2020 at 3:57 AM Rajiv Kulkarni wrote: > Hi > > Iam also interested to know how to configure with &quo

Re: [strongSwan] KEY_ID encoding

2020-10-06 Thread Rajiv Kulkarni
Hi I am also interested to know how to configure with "swanctl.conf" would this config method work? = connections { ... . remote { id = keyid:ciscoasa auth = psk

Re: [strongSwan] Restricting protocol and port numbers question

2020-09-29 Thread Rajiv Kulkarni
Hello Tobias, I need your help for clarifying 2-3 queries below with reference to your advice on adding routes in table 220.. 1. with policies based on ports/protocols used, Would the routes need to be added still, if we say disable use of table 220 by applying the option "install_routes=no" in

Re: [strongSwan] Multiple IKE SA between same pair of address

2018-01-17 Thread Rajiv Kulkarni
t testing, you only need > many CHILD_SAs. > > Kind regards > > Noel > > On 15.01.2018 18:35, Rajiv Kulkarni wrote: > > Hi > > > > Actually it works when using PSK, without setting "uniqueids=no"..it > could continue to be the default ."uniqueids

Re: [strongSwan] Issue with IKE_SA rekey towards Cisco

2018-01-15 Thread Rajiv Kulkarni
Hi If I am correct...these tunnels to be established are Cisco-ezvpn tunnels using the Cisco-unity plugin.. The Cisco EzVPN IPSec Tunneling works only with IKEv1...and if PSK is used..with GroupID...then it has to be aggressive-mode only. And of course XAUTH is needed By the way the Groupnames

Re: [strongSwan] dpd not getting triggered

2018-01-15 Thread Rajiv Kulkarni
Oops!!! My comments are completely in the wrong context...and do not really apply. Please forgive me...sorry for this On Mon, Jan 15, 2018 at 11:26 PM, Rajiv Kulkarni <rajivkulkarn...@gmail.com> wrote: > Hi > > > Are these below not dpd-keepalive informational messages

Re: [strongSwan] dpd not getting triggered

2018-01-15 Thread Rajiv Kulkarni
Hi Are these below not dpd-keepalive informational messages? I think dpd-keepalive is being exchanged between the peers... = 1[IKE] peer supports MOBIKE Jan 12 08:34:15 strongswan charon: 06[IKE] sending DPD request Jan 12 08:34:15 strongswan charon: 06[ENC]

[strongSwan] Will there be a Interoperability issue with Cisco Routers/Peers if we use "reauth=no" for ikev2 conns in strongswan peer

2017-12-04 Thread Rajiv Kulkarni
will the use of "reauth=no" in strongswan create any interoperability problems with Cisco IKEv2 IPsec Peers? On Mon, Dec 4, 2017 at 10:48 AM, Rajiv Kulkarni <rajivkulkarn...@gmail.com> wrote: > Hi > > Although mentioned in the wiki that IKEv1 always does reauthenticat

[strongSwan] Does "reauth=no" apply to IKEv2 connections ONLY?

2017-12-03 Thread Rajiv Kulkarni
Hi Although mentioned in the wiki that IKEv1 always does reauthentication when rekeying IKEv1-SAs... I still was getting some doubts...Can you please confirm that if i use the below config for ipsec (using Strongswan 5.5.x)...the use of "reauth=no" in the "conn default" will apply to all IKEv2

Re: [strongSwan] what the use (effect) of "righthostaccess=yes"

2017-11-20 Thread Rajiv Kulkarni
ghtfirewall and righthostaccess are used when > "right" is local and "left" is remote as in the > following scenario where sides are swapped: > > > https://www.strongswan.net/testing/testresults/ikev2/config- > payload-swapped/ > > Regards > > Andrea

[strongSwan] what the use (effect) of "righthostaccess=yes"

2017-11-20 Thread Rajiv Kulkarni
Hi I have an ipsec tunnel deployed/configured as below: PC1(lan)[GW1](wan)=IPSEC(wan)[GW2](lan)---PC2 PC1-ipaddr: 192.168.22.x PC2-ipaddr: 192.168.25.x GW1-lan-ipaddr: 192.168.22.1 GW2-lan-ipaddr: 192.168.25.1 I see that to allow access to 192.168.22.1 from PC2 (via the ipsec

Re: [strongSwan] Strongswan-IKEv2-Android-Client: How to config for EAP-GTC ONLY Authentication Method, and Require clarification on other EAP methods config

2017-10-02 Thread Rajiv Kulkarni
Hello Tobias, Yes. As per your advice, i set the default eap-method in the Freeradius server to GTC...and it works as required. Now the Android Strongswan-IKEv2 client [with "IKEv2 EAP (username/password)" menu item selected] is using EAP-GTC method to authenticate with the radius - For

[strongSwan] Strongswan-IKEv2-Android-Client: How to config for EAP-GTC ONLY Authentication Method, and Require clarification on other EAP methods config

2017-09-29 Thread Rajiv Kulkarni
Hello I have been using the Android-Strongswan-IKEv2-Client (on an Android-v5.1 run Motorola-E series 3G phone)... - with FreeRadius-server-v3.x for AAA authentication of the vpn clients. - The Strongswan-v5.5.1 is running on a Ubuntu-14x-LTS host - I also have some hosts in the lan-side of the

Re: [strongSwan] The option "rightca=ca-dn-here" in v5.5.1 seems to have no effect for IKEv1, cert requests for all CAs in cacerts are still sent to peer

2017-09-25 Thread Rajiv Kulkarni
Hello Tobias, As per your advice I did run a check...but I did not see any of the errors or not-found messages when the config was loaded On further narrowing down the issue...I believe the issue with "rightca=" is ONLY when the ipsec-gw acts as a responder... As a responder to incoming

Re: [strongSwan] strongswan not picking up traffic

2017-09-21 Thread Rajiv Kulkarni
Oops!!...Jumped the gun...Sorry! Noel has answered it more correctly and succinctly...Sorry again On Fri, Sep 22, 2017 at 5:26 AM, Rajiv Kulkarni <rajivkulkarn...@gmail.com> wrote: > Hi > > Try giving the "right=" > > for e,g: > > left=1.1.1.11 > r

Re: [strongSwan] strongswan not picking up traffic

2017-09-21 Thread Rajiv Kulkarni
Hi Try giving the "right=" for e.g.: left=1.1.1.11 right=2.2.2.51 and also use the below policy instead of using leftprotoport/rightprotoport leftsubnet=1.1.1.11[gre] rightsubnet=2.2.2.51[gre] maybe then the gre tunnel traffic will trigger the ipsec tunnel to come up Also first try if

[strongSwan] The option "rightca=ca-dn-here" in v5.5.1 seems to have no effect for IKEv1, cert requests for all CAs in cacerts are still sent to peer

2017-09-21 Thread Rajiv Kulkarni
Hi I have used the

Re: [strongSwan] Asymmetric PSK auth support for IKEv2 tunnel between Cisco-IOS Router and Strongswan

2016-10-04 Thread Rajiv Kulkarni
OK. I will use only same/symmetric PSK for these tunnels (you are right, when you look at it, asymmetric-psk is not really required) Thank you so much for your response and thank you for the info on this support in strongswan regards Rajiv On Tue, Oct 4, 2016 at 5:54 PM, Tobias Brunner

[strongSwan] Asymmetric PSK auth support for IKEv2 tunnel between Cisco-IOS Router and Strongswan

2016-10-04 Thread Rajiv Kulkarni
Hi Is this supported in Strongswan? I am using on some peers strongswan 5.0.4 and on some peers strongswan-v5.2.1 and some strongswan 5.3.0... I am trying to establish site-to-site tunnels (using ikev2) to Cisco-IOS-router On the strongswan side I am configuring as below:

[strongSwan] Certificate Expiry of Local Cert NOT being checked

2016-02-02 Thread Rajiv Kulkarni
Hi Is Strongswan running on a local-gw supposed to check whether the certificate that is being used in "leftcert=xxx.pem" is valid or expired? It's not doing so as observed below, is there any option to be enabled?

Re: [strongSwan] IPSEC-SECRETS FILE file parsing issue results in "calculated HASH does not match HASH payload" and HASH N(AUTH_FAILED)

2015-11-17 Thread Rajiv Kulkarni
Hi Can somebody take a look and advise and suggest a solution to this issue I am facing? Any other methods to employ to move ahead with solving this issue? thank you -rajiv On Sun, Nov 15, 2015 at 10:37 PM, Rajiv Kulkarni <rajivkulkarn...@gmail.com> wrote: > Hi > > Just

Re: [strongSwan] IPSEC-SECRETS FILE file parsing issue results in "calculated HASH does not match HASH payload" and HASH N(AUTH_FAILED)

2015-11-15 Thread Rajiv Kulkarni
Hi Just to set it right..There is a typo in the peer2 config...it should be 2.2.2.5 (and not 2.2.2.25...my mistake while copy-paste editing on the mail page) thanks & regards rajiv On Sun, Nov 15, 2015 at 10:27 PM, Rajiv Kulkarni <rajivkulkarn...@gmail.com> wrote: > Hi Strongsw

Re: [strongSwan] cisco vpn client fails to connect to rw-server on Strongswan-v5.3.0 - Please Help

2015-10-27 Thread Rajiv Kulkarni
the Group-Id and PSK for IKE-Auth on the Cisco-Client (and on the Strongswan-v5.3.0 server), I am still facing the below issues...auth failed. Is this a config issue or anything else?.. Please help with some advice thanks & regards rajiv On Wed, Oct 14, 2015 at 10:34 PM, Rajiv Kulkarni <rajiv

[strongSwan] cisco vpn client fails to connect to rw-server on Strongswan-v5.3.0 - Please Help

2015-10-14 Thread Rajiv Kulkarni
Hi I have the following configuration on a ubuntu-14.x machine and I am trying to connect using a Cisco-VPN-Client-v5.x (the ipsec only client) and I am unable to get it to work now on the strongswan-v5.3.0 server (below) I am getting the below errors as seen in the foreground output where am I

Re: [strongSwan] Problem when forwarding all traffic to tunnel (site-to-site VPN)

2015-09-21 Thread Rajiv Kulkarni
nks.for your reply. I tried your method and now my LAN is able to > access to the Internet. But dealing with routes by manual is troublesome > when a gateway already had complex routing tables. I will use this > workaround temporarily and continue to find other solutions. > > On Sun, Sep

Re: [strongSwan] Problem when forwarding all traffic to tunnel (site-to-site VPN)

2015-09-20 Thread Rajiv Kulkarni
Hi One workaround method I have been using in this scenario is to put the route you have added into table 220 - the routing table referenced by strongswan. e.g.: ip route add 10.10.0.0/16 dev lan table 220 - I guess it should start working with the above route in table 220 - the route you have

[strongSwan] can we use "leftprotoport/rightprotoport" in 5.3.0 even though it's supposed to be deprecated?

2015-09-18 Thread Rajiv Kulkarni
Hi I have a question. It says in the wiki that "leftprotoport/rightprotoport" is deprecated from 5.1.x onwards. I am using v5.3.0. Can we still use these options? The use of leftsubnet/rightsubnet=%dynamic is very confusing when we have to use transport-mode tunnels. Using the

Re: [strongSwan] why is rekeying disabled seen in the ipsec statusall output?

2015-05-26 Thread Rajiv Kulkarni
Hi All Can somebody enlighten me on this observation of rekeying disabled when it is actually enabled (as by default settings)? thanks regards rajiv On Sun, May 24, 2015 at 10:23 PM, Rajiv Kulkarni rajivkulkarn...@gmail.com wrote: Hi I have a network setup for ipsec tunnels

Re: [strongSwan] why is rekeying disabled seen in the ipsec statusall output?

2015-05-26 Thread Rajiv Kulkarni
Hello Tobias, Thanks for the help and the pointer to the wiki-page with the important info Yes of course...as you said with the values I have used for lifetime, rekeytime would be =0. So for my specific requirement of ensuring quick rekeys, should I use rekeymargin as =3m? so that rekeytime

[strongSwan] why is rekeying disabled seen in the ipsec statusall output?

2015-05-24 Thread Rajiv Kulkarni
Hi I have a network setup for ipsec tunnels as in attached txt doc (also contains other info such as syslogs, ipsec.conf configs, etc) It's a setup with a central-gw behind which there is a file-server. There are about 3 branches (gw2/gw3/gw4) which establish site-to-site ipsec tunnels to the

Re: [strongSwan] vpn clients (cisco/shrewsoft and other cisco unity clients) connectivity issues with Strongswan-v5.2.1

2015-05-03 Thread Rajiv Kulkarni
Hello Martin, Sorry for replying and acknowledging and reporting the results so late in the day. Yes!!! your advice and solution was spot-on and worked. For the benefit of other users and future reference for info, I am posting the sample configs used at both Server-side (vpn/roadwarrior-server

[strongSwan] issue with using leftsubnet/rightsubnet = %dynamic. Tunnels are not coming up

2015-05-03 Thread Rajiv Kulkarni
Hi I have 2 clients with multiple subnets behind them connecting to a single unity-supported vpn-server which also has multiple subnets behind it. All are using strongswan-v5.2.1. Now can the below config on each of these GWs work in successfully setting up tunnels and protect the traffic

[strongSwan] Issue with using leftsubnet/rightsubnet = %dynamic. Tunnels are not coming up

2015-05-03 Thread Rajiv Kulkarni
Hi I have 2 clients with multiple subnets behind them connecting to a single unity-supported vpn-server which also has multiple subnets behind it. All are using strongswan-v5.2.1. Now can the below config on each of these GWs work in successfully setting up tunnels and protect the traffic

Re: [strongSwan] L2TP over strongswan

2015-04-27 Thread Rajiv Kulkarni
why don't you try the below sample configs please: On L2TP-Server === # /etc/ipsec.conf - strongSwan IPsec configuration file config setup strictcrlpolicy=no crlcheckinterval=180 conn %default ikelifetime=30m keylife=15m rekeymargin=3m keyingtries=1

Re: [strongSwan] Set up strongswan in hub-and-spoke topology

2015-04-01 Thread Rajiv Kulkarni
Hi Maybe the attached ipsec.conf files for Hub and spokes (2 spokes) would be useful. It worked for me nicely in my setup which is also attached PS: The attachment is a rar file (zipped using winrar) thanks regards rajiv On Sun, Mar 29, 2015 at 2:43 AM, Noel Kuntze n...@familie-kuntze.de

Re: [strongSwan] issue with firewall rules

2015-04-01 Thread Rajiv Kulkarni
Hi My preference would be to do the below steps: 1. add the following rules on each of the ipsec-peer-gws, if not already done iptables -A INPUT -p esp -j ACCEPT iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT iptables -A INPUT -p udp

Re: [strongSwan] vpn clients (cisco/shrewsoft and other cisco unity clients) connectivity issues with Strongswan-v5.2.1

2014-12-03 Thread Rajiv Kulkarni
Can somebody please help me with some advice on how to go about solving this issue I am seeing in v5.2.1? please kindly help me my config on server is as in attachments #/etc/ipsec.conf - strongSwan IPsec configuration file config setup strictcrlpolicy=no charondebug=ike 3, knl 3, cfg 3

[strongSwan] auth fails with no peer config found...cisco-vpn-client to strongswan-v5.0.4-server (with cisco unity plugin enabled)

2014-11-18 Thread Rajiv Kulkarni
much with regards - rajiv kulkarni

[strongSwan] How do we assign backupserver ipaddresses list and other cisco specific options, using modeconfig to cisco vpn clients?

2014-11-17 Thread Rajiv Kulkarni
Hi I have read thru the cisco unity plugin options and also the attr-plugin attributes. There is no mention of pushing backupserver ipaddress to the remote cisco vpn client using the modeconfig. Is there any way we could set this or is it not supported at all in strongswan (I am using

Re: [strongSwan] Ipsec pki Tool Question

2013-03-20 Thread Rajiv Kulkarni
Hi, Maybe this will help: 1. use the standard procedure for generating certs in DER form only, as below = CA certificate -- First, generate a private key, the default generates a 2048 bit RSA key: ipsec pki --gen

Re: [strongSwan] Strongswan IKEv2 Performance (Tunnel Establishment rate per second)

2012-06-18 Thread Rajiv Kulkarni
Hello Martin, Thanks for your reply. Could you please validate the methodology used by me to do the performance characterization for IKEv2 as below. I tried with a sample 500 ipsec tunnels establishment test Based on your response, i tried a test method to measure the tunnel establishment rate

[strongSwan] Strongswan IKEv2 Performance (Tunnel Establishment rate per second)

2012-06-15 Thread Rajiv Kulkarni
-- Forwarded message -- From: Rajiv Kulkarni rajivkulkarn...@gmail.com Date: Fri, Jun 15, 2012 at 4:37 PM To: users@lists.strongswan.org Hi Can you help me on this? I need to run a performance test for finding out IKEv2 Tunnel Establishment Rate (no of tunnels per second), I have

Re: [strongSwan] Ping is not working after establishing a tunnel in strongswan

2012-04-14 Thread Rajiv Kulkarni
Hi can you try by disabling iptables on the GW running Strongswan (I am assuming that it is a linux machine). Try executing these commands, then start ipsec and then send traffic: root# iptables -F root# iptables -F -t nat root# ipsec start --- or --- ipsec start --nofork if above works, then

Re: [strongSwan] Regarding Certificate based authentication ( Load Tests )

2012-04-14 Thread Rajiv Kulkarni
Hi why don't you try the below steps (it worked for me): 1. you will need to first access the following link http://wiki.strongswan.org/projects/strongswan/repository/entry/src/libcharon/plugins/load_tester/load_tester_creds.c and then - copy the RSA private-key into 2 files and name them

[strongSwan] what does sent QI2, ipsec sa established on Initiator and sent MR3, isakmp sa established mean?

2012-04-05 Thread Rajiv Kulkarni
Hi I have a question for IKEv1. When I run the command ipsec status, I get to see: - On initiator: sent QI2, IPsec SA established (ISAKMP SA established) and on Responder: (IPsec SA established) sent MR3, ISAKMP SA established

Re: [strongSwan] rightid (Ipsec with Certificates)

2012-01-27 Thread Rajiv Kulkarni
Hi Also, I think the following entries in the left-peer-gw should also work if I am right? In the ipsec.conf of left and/or right GWs - .. . leftcert=testcert.pem rightca=%same

Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-14 Thread Rajiv Kulkarni
Hi Tobias Thank you so much for all the help in solving this issue I am facing. You are right, I am getting the same error when I use the -check option for the priv key files. I will try to see why it's so? Will get back to you with any updates/info. The surprising thing is that when I use the same

Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-10 Thread Rajiv Kulkarni
@evm1gw: Please forgive me again for the lengthy submission of the issue thanks once again with regards Rajiv Kulkarni -- Hi Rajiv, * [root

Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-10 Thread Rajiv Kulkarni
encrypts the private key to the ipsec.secrets entry? : RSA /ssl/private/mfcgw1key.pem my passphrase Regards Andreas On 10.11.2011 15:10, Rajiv Kulkarni wrote: Hi It has been quite some time now since I could follow up on the issue submitted by me, very sorry about the delay in doing so. I

Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-10 Thread Rajiv Kulkarni
Hello Tobias I did as advised and I am getting the following error on ipsec start --nofork --- 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets' 00[LIB] key integrity tests failed 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 5 builders 00[CFG]

Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-11-10 Thread Rajiv Kulkarni
Hello Tobias, Please find included the sample certs (including the rsa private key files whose passwd is config123). The attachments are in winrar rar file format. hope this helps thanks regards rajiv On Thu, Nov 10, 2011 at 10:34 PM, Tobias Brunner tob...@strongswan.orgwrote: Hi Rajiv,

Re: [strongSwan] multiple ipsec tunnels (multiple ipsec/esp SAs between 2 peer gws with 1 IKE SA)

2011-08-05 Thread Rajiv Kulkarni
to work more with the load-tester plugin and update if any new observations/issues thanks regards rajiv On Tue, Aug 2, 2011 at 6:54 PM, Rajiv Kulkarni rajivkulkarn...@gmail.comwrote: Hi One more followup info. On the m/c enabled with load-tester plugin and simulating multiple rw-clients

Re: [strongSwan] multiple ipsec tunnels (multiple ipsec/esp SAs between 2 peer gws with 1 IKE SA)

2011-08-02 Thread Rajiv Kulkarni
Hi The problem is not the secret, but that no config matches on your responder. leftid defaults to left (172.17.10.10), but actually is srv.strongswan.org. Try leftid=srv.strongswan.org, or even leftid=%any. I did just that, i used leftid=%any on the rw-server. But when i start the ipsec (ipsec

Re: [strongSwan] multiple ipsec tunnels (multiple ipsec/esp SAs between 2 peer gws with 1 IKE SA)

2011-08-02 Thread Rajiv Kulkarni
system with id as srv.strongswan.org, whereas it is actually supposed to be a rw-client thanks regards rajiv On Tue, Aug 2, 2011 at 6:25 PM, Rajiv Kulkarni rajivkulkarn...@gmail.comwrote: Hi The problem is not the secret, but that no config matches on your responder. leftid defaults to left

Re: [strongSwan] multiple ipsec tunnels (multiple ipsec/esp SAs between 2 peer gws with 1 IKE SA)

2011-08-01 Thread Rajiv Kulkarni
= no } in strongswan.conf on the initiating system. On Fri, Jul 29, 2011 at 5:15 PM, Rajiv Kulkarni rajivkulkarn...@gmail.comwrote: Hi Tobias Thanks for the reply. No, i did not know of the load-tester plugin till you told me about it. I followed your advice and started setting up the load

Re: [strongSwan] multiple ipsec tunnels (multiple ipsec/esp SAs between 2 peer gws with 1 IKE SA)

2011-07-29 Thread Rajiv Kulkarni
Hi Tobias Thanks for the reply. No, I did not know of the load-tester plugin till you told me about it. I followed your advice and started setting up the load-tester plugin with strongswan-4.5.2 on Linux-Fedora servers - As mentioned in one of the mail-list on Load-Tester plugin, I have

[strongSwan] multiple ipsec tunnels (multiple ipsec/esp SAs between 2 peer gws with 1 IKE SA)

2011-07-18 Thread Rajiv Kulkarni
Hi I need some help from you all on the following issue: 1. I have a setup using Racoon (ikev1 only) between 2 Peer Gws (Linux servers) and I needed to have about 1000 ipsec tunnels between them (i.e. it would come to 2000 ipsec/esp SAs with 1 IKE SA between the peer gws). I did this using the

[strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-04-20 Thread Rajiv Kulkarni
Hi I am facing a problem in my Strongswan deployment on a Linux-Fedora13 Server. I have created a CA and some device certs on the Linux-Fed13 server using OpenSSL. But I am unable to use the device certs (the private-key file) in strongswan. I am getting the following error (console trace). Also

[strongSwan] Does IKEv2 in strongSwan4.5 support ESN64bit sequence numbers by default (or does not support ESN at all)?

2011-04-15 Thread Rajiv Kulkarni
-Fedora13 servers with ESN64 supported. Also I am trying to setup IKEv2-IPSec tunnels between a Linux-Fedora13-Strongswan4.5 and a OpenWRT-Linux-Gw (running strongSwan4.3.6) Can I do it? If not, is there an alternate way to do it thanks so much for your help with regards Rajiv Kulkarni