[strongSwan] Accepted types of TPM2.0 keys?

2020-11-05 Thread Petr Gotthard
Hello, could you please clarify a bit what types of TPM2.0 keys can be used with strongSwan? The examples on the TpmPlugin wiki page show an attestation (restricted signing) key with the RSASSA scheme and SHA256 digest. Is this the only type of RSA key that can be used? (Let's ignore ECC for

[strongSwan] make_before_break and rekeying

2020-11-05 Thread Volodymyr Litovka
Hi colleagues, struggling with the following problem: it seems that make_before_break does not process, first closing an existing SA and then negotiating a new one. Responder side logs: charon-systemd[64387]: closing CHILD_SA pskv2-gagarin-child{17} with SPIs c9c1dc8e_i (76 bytes) c18d0c57_o (0

Re: [strongSwan] Strongswan with ECDSA certificate

2020-11-05 Thread Noel Kuntze
Hello George, please share a complete log as shown on the HelpRequests page on the wiki. Use the filelogger at the bottom of it. Kind regards, Noel. On 05.11.20 at 20:20, george wrote: > Hi Strongswan users! > > This is my first post. I have problems using ECDSA > certificates with

[strongSwan] traffic beyond initiator yes, but no between initiator & server

2020-11-05 Thread lejeczek
Hi guys. To start I should say I'm trying this with libipsec. I have an initiator with local 10.3.1.0/24 and the following config:

connections {
  to-tinyionos {
    version = 2
    remote_addrs = "A.B.C.D"
    vips = "0.0.0.0"
    local {
      auth = pubkey
      certs = "my.cert.der"
    }

Re: [strongSwan] traffic beyond initiator yes, but no between initiator & server

2020-11-05 Thread lejeczek
On 05/11/2020 17:19, Noel Kuntze wrote: > Hello Lejeczek, > > kernel-libipsec (which is required to be loaded for libipsec to be usable) > creates a tun interface itself. You can not prescribe it to use one. I do not see any tun devices created, neither on the server nor on the initiator, unless an

[strongSwan] Strongswan with ECDSA certificate

2020-11-05 Thread george
Hi Strongswan users! This is my first post. I have problems using ECDSA certificates with strongswan (did not have problems with RSA certificates). Please help to solve this problem. Thanks. ipsec.conf file:

conn ss_as_init_cert_x2_22685
    left=172.16.58.97
    leftid=Userikev2-A

Re: [strongSwan] traffic beyond initiator yes, but no between initiator & server

2020-11-05 Thread Noel Kuntze
Hello Lejeczek, kernel-libipsec (which is required to be loaded for libipsec to be usable) creates a tun interface itself. You can not prescribe it to use one. > mode = pass That disables all IPsec processing for traffic that matches the policies. You probably don't want to do that.

Re: [strongSwan] make_before_break and rekeying

2020-11-05 Thread Tobias Brunner
Hi Volodymyr, > - what is wrong with make_before_break, why does it (according to logs) > close and then create a new SA? That option only affects IKE_SA reauthentication. CHILD_SA rekeying is different and should always happen overlapping. However, with your settings, the SA expires pretty much