Re: [strongSwan] Parameters to connect to a Cisco 3000 series

2011-12-14 Thread vivek bairathi
, Vivek Bairathi ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Query regarding route based security

2010-11-02 Thread vivek bairathi
On Tue, Nov 2, 2010 at 12:35 PM, vivek bairathi bairathi.vi...@gmail.com wrote: Hi Andreas, Thanks for your quick reply. I have some more queries regarding kernel_netlink interface: If I use auto=route in ipsec.conf file for a connection: Q1. Does the stack after reading the ipsec.conf

[strongSwan] Query regarding route based security

2010-11-01 Thread vivek bairathi
Hi All, I want to know that if I set auto=route in ipsec.conf for a connection. The IKEv2 stack will install kernel traps for that connection and will initiate an SA only when it gets a packet between the leftsubnet and the rightsubnet. For this the IKEv2 stack needs trigger from kernel so

Re: [strongSwan] IKE SA's are getting deleted

2010-08-03 Thread vivek bairathi
, Vivek On Tue, Aug 3, 2010 at 11:33 AM, vivek bairathi bairathi.vi...@gmail.com wrote: Hi All, I am facing a problem. The problem is as following:- When I am initiating an IKE SA from my Computer towards the Security Gateway (SGW). At the same time, SGW is also initiating an IKE SA for the same

[strongSwan] Closure of IKE SA or IPSEC SA on change in configuration in ipsec.conf

2010-07-21 Thread vivek bairathi
Hi All, Can anyone tell me whether the strongswan IKEv2 stack automatically closes an IKE SA or IPSEC SA on a change of its configuration in ipsec.conf? Regards, Vivek

Re: [strongSwan] Closure of IKE SA or IPSEC SA on change in configuration in ipsec.conf

2010-07-21 Thread vivek bairathi
, vivek bairathi bairathi.vi...@gmail.com wrote: Hi All, Can anyone tell me whether the strongswan IKEv2 stack automatically closes an IKE SA or IPSEC SA on a change of its configuration in ipsec.conf? Regards, Vivek

Re: [strongSwan] Query regarding a particular scenario

2010-07-20 Thread vivek bairathi
Hi Andreas/Martin/Tobias, Request you to please provide your comments for the mail below. Regards, Vivek On Wed, Jul 14, 2010 at 11:55 AM, vivek bairathi bairathi.vi...@gmail.com wrote: Hi All, I have a query regarding a scenario. *The scenario is as following*:- *My implementation

[strongSwan] Query regarding a particular scenario

2010-07-14 Thread vivek bairathi
Hi All, I have a query regarding a scenario. The scenario is as following:- My implementation: On changing of a parameter in ipsec.conf I first bring down the SA, update the configuration and then bring it up again. So, when I connect to a Security Gateway(SGW), I make an SA and start the

[strongSwan] Doubt regarding Certificate updation in IKEv2 Stack

2010-05-27 Thread vivek bairathi
Hi, Some doubts regarding certificates updation in IKEv2 Stack. Consider the following scenario:- CACERT1(old with new) CACERT2 (new with new) are both from same CA. CERT1 : signed with CACERT1 CERT2: signed with CACERT2 PC1 PC2 1.

[strongSwan] Processor not able to process jobs

2010-05-14 Thread vivek bairathi
Hi, My configuration creates 3 IKE SAs and 6 IPsec SAs. Configuration file attached. Now when I change the esp encryption algorithm for IpSecMPlane then I fire the following commands in the given below order:- 1. ipsec down IpSecMPlane 2. Write the new esp encryption algorithm for IpSecMPlane in

[strongSwan] IPsecSA encrypting traffic from any destination

2010-05-07 Thread vivek bairathi
Hi, I wanted to create an IPsec SA that would encrypt traffic from any destination ( rightsubnet= any ). However, the following configuration is not accepted by strongswan:- conn IpSecSSEPlane ikelifetime=24h keyexchange=ikev2 keyingtries=%forever keylife=90m

Re: [strongSwan] Problem in stack when crl updation is done

2010-03-30 Thread vivek bairathi
Hi Andreas, did you find anything? Regards, Vivek On Fri, Mar 26, 2010 at 6:28 PM, Andreas Steffen andreas.stef...@strongswan.org wrote: Hi Vivek, can you send me both the old and new CRL and the issuing CA certificate? Best regards Andreas On 26.03.2010 13:44, vivek bairathi wrote

[strongSwan] Problem in stack when crl updation is done

2010-03-26 Thread vivek bairathi
Hi All, I am getting a problem with the strongswan-4.2.8, whenever I revoke a peer certificate and update the latest crl at my end and then try to make an SA it gets created as it should not. When I debug the stack I found that in credential_manager.c there is a function get_better_crl, in this

[strongSwan] Loading CRLs from file

2010-02-19 Thread vivek bairathi
Hi All, I have a CRL in pem format with me. The CRL file is loaded at startup. 1. If the CRL file is updated in the directory, how can strongswan be indicated to update it? Does crlCheckInterval timer work with strongswan IKEv2? 2. Is there an option to load CRL present in Cert

[strongSwan] dead peer detection

2010-01-21 Thread vivek bairathi
Hi All, I have some queries regarding dpd's: 1. If I give dpddelay value as zero in ipsec.conf then will IKEv2 Stack send dpd's or not? 2. Is last_use_time used in case of dpd's only? Thanks in advance. Regards, Vivek

[strongSwan] Dead Peer Detection

2010-01-11 Thread vivek bairathi
Hi All, I have a query regarding dpd's:- 1. When does ikev2 stack start sending dpd's? 2. When does it know that it's time to close the IPSEC SA or IKE SA? 3. Can you tell me where the handling is for closing the IPSEC SA or IKE SA in case of no response to the dpd's? Thanks in advance.

Re: [strongSwan] Regarding CN as left/rightid

2010-01-04 Thread vivek bairathi
4, 2010 at 11:48 PM, Daniel Mentz danielml+mailinglists.strongs...@sent.com wrote: vivek bairathi wrote: Some doubts regarding CERT mode:- 1. Is it necessary to know the CN of peer before establishing an IKE SA? Generally speaking, no. It depends

[strongSwan] Regarding CN as left/rightid

2010-01-03 Thread vivek bairathi
Hi All, Some doubts regarding CERT mode:- 1. Is it necessary to know the CN of peer before establishing an IKE SA? 2. Is the left/rightid always equal to the CN from the certificate? Thanks in advance. Regards, Vivek

[strongSwan] Dead Peer Detection

2009-12-23 Thread vivek bairathi
Hi All, I have a query regarding dpd's. 1. When does ikev2 stack start sending dpd's? 2. When does it know that it's time to close the IPSEC SA or IKE SA? 3. Can you tell me where the handling is for closing the IPSEC SA or IKE SA in case of no response to the dpd's? Thanks in advance.

[strongSwan] Problem with ipsec.conf

2009-12-23 Thread vivek bairathi
Hi All, I am using strongswan-4.2.8 stack. And I am getting a strange problem with this stack:- The steps that I have taken:- 1. I created an IKE SA for IpSecCPlane and two CHILD SA's under it - IpSecCPlane IpSecUCSPlane. 2. After that I bring down IpSecUCSPlane CHILD SA by using the command

Re: [strongSwan] Working with Different SAs with same src-dst IP but different Port

2009-09-17 Thread vivek bairathi
Hi, We are in a very critical state of our project. Please find time to respond to the issue below. It would be of great help to us. Thanks in advance, Ritu On 9/16/09, vivek bairathi bairathi.vi...@gmail.com wrote: Hi, We have the requirement that traffic between same source-destination IPs

[strongSwan] support of IP addresses and ports as traffic selectors

2009-09-15 Thread vivek bairathi
Hi, I had a doubt regarding the support of IP addresses and ports as traffic selectors. For example:- I have following SPD Entry. All the entries are using same security association: S.No.Source IP Destination IP Src Port Dst Port SA Ptr 11.1.1.1

[strongSwan] Signature verification failed

2009-09-03 Thread vivek bairathi
Hi, Thanks for your reply. I am trying to establish SA between two machines of which one is QNX machine and the other is Linux machine. I am able to transmit the IKE_SA_INIT request and response messages from one machine to another but when IKE_AUTH request is received by any of the machine it

Re: [strongSwan] Signature verification failed

2009-09-03 Thread vivek bairathi
a possible condition because of which this is happening and of course if possible a solution also? Thanks Regards, Vivek On 9/3/09, vivek bairathi bairathi.vi...@gmail.com wrote: Hi, Thanks for your reply. I am trying to establish SA between two machines of which one is QNX machine

[strongSwan] Handling of outgoing packets when CHILD_SA is rekeyed

2009-09-01 Thread vivek bairathi
Hi, When a CHILD_SA is rekeyed, there is a time when SAD will have two SA entries corresponding to the CHILD_SA that is rekeyed. In other words this is the time, when stack has received a correct response to CREATE_CHILD_SA Request and hence has installed the new SA in SAD, however it has yet

[strongSwan] Issue regarding entries of SAD table

2009-08-20 Thread vivek bairathi
Hi, Sorry to bother you. But I have some doubts regarding SAD table: 1. Does the kernel-netlink-ipsec interface send the encryption key and integrity key to the kernel so that the kernel shall store it in SAD? 2. The source and destination address which the kernel-netlink-ipsec interface send to

[strongSwan] Issue regarding rekeying and updation of an IKE SA

2009-08-06 Thread vivek bairathi
Hi, Thanks for your reply. With your help now I am able to create IKE SA and CHILD SA but there is a problem with updation rekeying of IKE SA:- 1. I am trying to change a/all parameter (for e.g:- rekeytime, encryption algo, integrity algo, DH group parameter) in ipsec.conf so that when I do

[strongSwan] Tunnel configuration issue

2009-07-30 Thread vivek bairathi
Hi, I have some queries:- 1. In case I need to create a tunnel with multiple child SAs, would there be different connection for each tunnel ip - virtual IP pair or there is a single connection containing all the virtual IPs corresponding to each Child SA? 2. In case there is a single connection

Re: [strongSwan] support for tunnel configuration

2009-07-28 Thread vivek bairathi
. Thanks Regards, Vivek On 7/27/09, Andreas Steffen andreas.stef...@strongswan.org wrote: Hi Vivek, vivek bairathi wrote: Hi all, I have a requirement for creating tunnel SAs. After reading strongswan documentation and code I arrived at the following conclusion:- 1. left| right

[strongSwan] support for tunnel configuration

2009-07-27 Thread vivek bairathi
Hi all, I have a requirement for creating tunnel SAs. After reading strongswan documentation and code I arrived at the following conclusion:- 1. left| right source IP in the conn section of ipsec.conf is used to specify the internal IP in the tunnel( virtual IP). The external tunnel IP will be

Re: [strongSwan] support for tunnel configuration

2009-07-27 Thread vivek bairathi
Regards, Vivek On 7/27/09, Andreas Steffen andreas.stef...@strongswan.org wrote: Hi Vivek, vivek bairathi wrote: Hi all, I have a requirement for creating tunnel SAs. After reading strongswan documentation and code I arrived at the following conclusion:- 1. left| right source IP in the conn

Re: [strongSwan] Kernel-netlink issue

2009-07-07 Thread vivek bairathi
the IKE_SA creation can be triggered from the kernel? I would highly appreciate your help on these issues. Looking forward for a reply. Thanks, Vivek On 7/6/09, vivek bairathi bairathi.vi...@gmail.com wrote: Hi, Thanks for your help. I still have a doubt that who initiates the IKE SA

Re: [strongSwan] Kernel-netlink issue

2009-07-06 Thread vivek bairathi
knows the local and remote IP addresses? 3. If I have asked the wrong question or have wrongly understood your stack code then please do explain me how an IKE SA and CHILD SA is initiated or triggered in your stack? Thank you. Regards, Vivek On 7/2/09, vivek bairathi bairathi.vi...@gmail.com

Re: [strongSwan] Kernel-netlink issue

2009-07-02 Thread vivek bairathi
Hi Martin, Thanks for your help. The problem is that we have a proprietary implementation of the IP stack in micro engine whose development is in assembly language. As per what you have suggested, I think it would make sense that we let the kernel interface remain as is ( just change address

Re: [strongSwan] Kernel-netlink issue

2009-07-01 Thread vivek bairathi
Hi Martin, Thanks for your help. For our implementation we need to port the strongswan stack on QNX. QNX does not have a kernel, but only a microkernel. Thus we need to remove any interface with the kernel in the strongswan stack and replace it with our own interface. Since Kernel