Hello,
Hoping someone can point me in the right direction.
Running strongSwan 5.1.3 on Ubuntu 14.10. It appears that while my
tunnels will consistently come up via service strongswan restart, the
iptable rules are sporadically _not_ added to the hosts.
As an example, I've automated the
Use the iptables --wait argument?
From the manpage:
Wait for the xtables lock. To prevent multiple instances of the program
from running concurrently, an attempt will be made to obtain an
exclusive lock at launch. By default, the program will exit if the lock
cannot be obtained. This option
Thanks Bryan -- I appreciate the quick response.
So you modified the /usr/lib/ipsec/_updown script and added the --wait
flag for the add and remove operations?
If so, clever! I'll give that a try.
On Wed, Apr 1, 2015 at 8:03 AM, Bryan Duff duff0...@gmail.com wrote:
Use the iptables --wait
All,
I think I figured out what's going on. Because each host is
auto=start, multiple SAs were being built between each host.
charon would eventually detect that there were non-unique SAs and
destroy them, and the firewall rule would go with it.
I caught them when watching the iptable rules
https://wiki.strongswan.org/issues/817 is another example of this issue.
On Tue, 2015-03-24 at 10:34 +0100, Martin Willi wrote:
Doesn't have the Use default gateway
on remote network in the Advanced... settings of the Internet
Protocol Version 6 Networking Properties of your client connection
Hi,
I am having a problem with the virtual IP pool being exhausted when
connecting from an iOS device. I have the fix in
https://wiki.strongswan.org/issues/764 , but I am seeing the issue
mentioned by one of the users on the bug.
The leak is because the modecfg defined for the iOS device
All,
Looking for best practices on the most secure settings that can be used.
I've scoured the net and found very little in terms of which settings
are most secure and in which combination.
I saw a recommendation on a site that recommended the following settings:
conn %default
Still can't quite get this to work as I'd like.
I copied /usr/lib/ipsec/_updown to /etc/ipsec.updown and modified all
iptables -I and iptables -D calls to include --wait (i.e.,
iptables --wait -I and ... -D).
I then modified my configuration file:
conn dev3-dev5
type=transport
authby=secret
All,
Hoping for some clarity to a behavior I've become aware of with strongSwan.
I have 5 hosts that connect to each other. The config stanzas on all
the hosts are practically identical (except for ids and IP addresses)
to each other and appear as follows:
conn dev4-dev3
type=transport
Thanks Rajiv.
iptables is open between the hosts themselves -- esp and all ports you
listed are included. It's good to have double-checked though, so
thanks for the reminder.
The issue here is that occasionally the iptable rules are not
populated properly when an SA is established. In other
On Mar 24, 2015, at 7:49 AM, Martin Willi
mar...@strongswan.org wrote:
...
I would like to use EAP-GTC authentication with the Mac app and would
be willing to modify the app to add this feature.
The new build additionally comes with the eap-gtc plugin.
Regards
Hi
Maybe the attached ipsec.conf files for Hub and spokes (2 spokes) would be
useful. It worked for me nicely in my setup which is also attached
PS: The attachment is a rar file (zipped using winrar)
thanks regards
rajiv
On Sun, Mar 29, 2015 at 2:43 AM, Noel Kuntze n...@familie-kuntze.de
Hi
My preference would be to do the below steps:
1. add the following rules on each of the ipsec-peer-gws, if not already
done
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp
Hi James,
here are the default proposals for the ike and esp algorithms
if you don't define them explicitly:
carol charon: 04[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
Andreas - this is tremendously useful. Many thanks for the quick reply!
On Wed, Apr 1, 2015 at 6:49 PM, Andreas Steffen
andreas.stef...@strongswan.org wrote:
Hi James,
here are the default proposals for the ike and esp algorithms
if you don't define them explicitly:
carol charon: 04[CFG]