Hello,
Could you please clarify a bit what types of TPM2.0 keys can be used with
strongSwan?
The examples on the TpmPlugin wiki page show an attestation (restricted
signing) key with RSASSA scheme and SHA256 digest. Is this the only type of
RSA key that can be used? (Let's ignore ECC for
Hi colleagues,
I am struggling with the following problem: it seems that make_before_break
does not process as expected, first closing an existing SA and then negotiating a new one:
Responder side logs:
charon-systemd[64387]: closing CHILD_SA pskv2-gagarin-child{17} with SPIs
c9c1dc8e_i (76 bytes) c18d0c57_o (0
Hello George,
Please share a complete log as shown on the HelpRequests page on the wiki.
Use the filelogger at the bottom of it.
Kind regards
Noel
On 05.11.20 at 20:20, george wrote:
> Hi Strongswan users!
>
> This is my first post. I have problems using ECDSA
> certificates with
Hi guys
To start I should say I'm trying this with libipsec.
I have an initiator with local 10.3.1.0/24 and the following
config:
connections {
    to-tinyionos {
        version = 2
        remote_addrs = "A.B.C.D"
        vips = "0.0.0.0"
        local {
            auth = pubkey
            certs = "my.cert.der"
        }
On 05/11/2020 17:19, Noel Kuntze wrote:
> Hello Lejeczek,
>
> kernel-libipsec (which is required to be loaded for libipsec to be usable)
> creates a tun interface itself. You can not prescribe it to use one.
I do not see any tun devices created, neither on the server nor on the
initiator, unless an
Hi Strongswan users!
This is my first post. I have problems using ECDSA certificates with
strongSwan (I did not have problems with RSA certificates).
Please help to solve this problem. Thanks.
ipsec.conf file:
conn ss_as_init_cert_x2_22685
    left=172.16.58.97
    leftid=Userikev2-A
Hello Lejeczek,
kernel-libipsec (which is required to be loaded for libipsec to be usable)
creates a tun interface itself. You can not prescribe it to use one.
> mode = pass
That disables all IPsec processing for traffic that matches the policies. You
probably don't want to do that.
Hi Volodymyr,
> - what is wrong with make_before_break, why does it (according to the logs)
> close and then create a new SA?
That option only affects IKE_SA reauthentication. CHILD_SA rekeying is
different and should always overlap. However, with your
settings, the SA expires pretty much