Hi,
> rightid=001122334455667788
> *IDir '62.43.189.77' does not match to '001122334455667788*'
Your Sonicwall uses '62.43.189.77' as its identity. Your strongSwan
configuration strictly requires '0011223344556677880' as defined by
rightid. Either change your Sonicwall or your strongSwan configu
Hi,
> I'm trying to setup strongswan 5.2 but am experiencing problems where the
> leftside can't seem to connect to the right side and keeps retransmitting
> the request till it times out.
Most likely this is a connectivity or firewalling issue. You should
check where that IKE_SA_INIT message get
Hi,
> Your fix to use the ordered dictionary worked perfectly. Thank you very
> much. It is now accepting vpn connections.
Great. I'll check how we can mention that issue in the documentation.
> Regarding the `vips` configuration, I thought that it was the replacement
> for the `rightsourceip` o
Hi,
> I am wondering how the specification of multiple addresses in the left|right
> option works.
> right=134.111.75.171,134.111.75.172
The right option can take multiple addresses, but only to match the
connection when responding to initiators.
> For example, how many kernel policies I shou
Hi,
> Is there a way to configure a device to connect to a gateway [ eg
> 10.1.1.254]. If that gateway fails [ detected via DPD],it would
> connect to 10.1.1.253 [ his backup gateway]?
No, specifying fallback addresses is currently not implemented in
strongSwan.
> I've tried with right=10.1.1.
Thanks Martin!
At least I know that I need to find another solution [ eg Virtual-IP on the
remote end]
Regards,
> Subject: Re: [strongSwan] stateless high availability
> From: mar...@strongswan.org
> To: olivier_pele...@hotmail.com
> CC: users@lists.strongswan.org
> Date: Fri, 27 Feb 2015 10
Hello,
I have several identical servers (but in different datacenters), client can
connect to any except one.
configs are completely identical (ensured by cfengine, triple re-checked
manually), so probably that's not configuration issue.
logs look like:
Feb 27 13:58:34 s04001011709 charon: 07
Hi Denis
> 07[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
> 07[NET] sending packet: from 179.179.179.179[4500] to 46.211.133.122[39592]
> (1660 bytes)
> 07[ENC] generating TRANSACTION request 2234314252 [ HASH CPRQ(X_USER X_PWD) ]
> 07[NET] sending packet: from 179.179.179.179[4500] to 46.
Hello Martin,
same client connects to other servers successfully, with same credentials.
After I change server name - connection fails.
and this happened only with one particular server, so according to your
explanation either client didn't get XAuth request or server didn't get reply.
I've just
Hello,
I have set a HA cluster using strongswan 5.2.2.
When charon is stopped on one of the nodes, DELETE are sent to the remote hosts:
Feb 27 15:14:34 00[DMN] signal of type SIGINT received. Shutting down
Feb 27 15:14:34 00[MGR] going to destroy IKE_SA manager and all managed IKE_SA's
Feb 27 15
> When charon is stopped on one of the nodes, DELETE are sent to the remote
> hosts:
Actually, it should not if it has an active heartbeat connection with
the other node. If a node knows that another node is active, it should
deactivate all responsible segments locally before shutting down, and
Thanks for your answer, I missed that point!
Actually I'm running the cluster in active/passive mode (just 1 segment, two
nodes). You're right: the monitoring/heartbeat is disabled since I already have
an external tool to monitor the nodes.
The external tool directly controls the segment responsi
Hello Tom,
What are the expiry times for those SAs?
And do you have a log of a rekey event?
Mit freundlichen Grüßen/Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 25.02.2015 um 15:57
Ok, thanks for the information.
Two final (quick) questions:
1) Is there an alternative for 'leftfirewall=yes' in the VICI interface to
automatically setup iptables rules?
2) What is the syntax for loading a secret in via VICI. My current format (
`load_shared({'type': 'xauth', 'data': 'test : XAUT