Hi folks,
I would like to run dnsmasq on the strongswan server to
manage an address pool (providing dhcp and dns). dhcp.conf:
dhcp {
force_server_address = yes
identity_lease = yes
interface = lo
load = yes
server = 127.0.0.1
}
Problem: In phase 2 the dhcp request runs into
Hi folks,
Question: How can I tell charon to send or request intermediate
certificates to/from the peer?
Sample case would be a common root CA, one or two intermediate CAs,
and a client certificate for each peer. Both are using strongswan.
IMU charon has to trust the root CA to verify the whole
Hi Tobias,
On 02/23/18 14:25, Tobias Brunner wrote:
> Hi Harri,
>
>> I had hoped that putting the whole chain into /etc/ipsec.d/certs/mycert.pem
>> would help, but apparently it doesn't.
>
> strongSwan reads only the first certificate from PEM encoded files. So
> put them in separate files.
>
Hi Tobias,
On 02/26/18 09:28, Tobias Brunner wrote:
Hi Harri,
I had hoped that putting the whole chain into /etc/ipsec.d/certs/mycert.pem
would help, but apparently it doesn't.
strongSwan reads only the first certificate from PEM encoded files. So
put them in separate files.
This is unus
Hi folks,
Setup: road warrior, strongswan 5.6.2 on both peers, the gateway
runs dnsmasq to manage an IP address pool and DNS.
Problem: charon-nm seems to forward the DN from the certificate
as the identifier. Apparently charon on the peer seems to ignore
the FQDN from the certificate's DNS entr
On 03/06/18 10:32, Tobias Brunner wrote:
Hi Harald,
Question is, how can I tell charon's dhcp plugin to forward either
the FQDN or the CN from the DN entry in the dhcp request?
You can't, the plugin simply uses the client's (IKE or EAP) identity, so
it's up to the client to use the identity y
On 03/06/18 10:42, Tobias Brunner wrote:
Hi Harald,
Question is, how can I tell charon's dhcp plugin to forward either
the FQDN or the CN from the DN entry in the dhcp request?
You can't, the plugin simply uses the client's (IKE or EAP) identity, so
it's up to the client to use the identity y
Hi folks,
Question: If a roadwarrior running MacOS sets up a connection
via IPv4 to my strongswan server, then the Mac gets an additional
routing entry for my server, e.g.
192.168.1.209 10.100.0.1 UGHS00 en0
192.168.1.209 in this example is the IP address of
Hi folks,
is it just me, or is IPsec broken for ios 11 (iphone)? I can establish
an IPsec connection once, but if I reconnect then the routing appears
to be broken. I cannot ping the DNS server on the remote net.
My ipad (ios 10) with a similar profile has no such problem.
Can anybody reproduce th
IPv4 or dual-stack?
> On Mar 29, 2018, at 19:07, Robert Leonard wrote:
>
> I am using IPsec w/ IKEv2 reliably on iOS 11.2.6
>
>> On Thu, Mar 29, 2018 at 12:23 PM, Harald Dunkel wrote:
>> Hi folks,
>>
>> is it just me, or is IPsec broken for ios 11 (
On 03/29/18 18:23, Harald Dunkel wrote:
> Hi folks,
>
> is it just me, or is IPsec broken for ios 11 (iphone)? I can establish
> an IPsec connection once, but if I reconnect then the routing appears
> to be broken. I cannot ping the DNServer on the remote net.
>
> My ipad (i
Hi folks,
https://wiki.strongswan.org/projects/strongswan/wiki/PskSecret shows several
examples for entries in ipsec.secrets with '@' at the beginning of a FQDN. There
is no example for a PSK using FQDNs without '@'.
https://wiki.strongswan.org/projects/strongswan/wiki/IpsecSecrets does not
mention
Hi folks,
I have to connect a Kyocera ECOSYS M8130 printer (running in a
foreign environment behind a NAT) to my local network via our road
warrior IPsec gateway. Strongswan 5.6.2. rightsourceip is %dhcp,
as for the road warriors.
The printer has built-in IKEv2 and IPsec support.
Problem: Authe
Hi folks,
the documentation says for left|rightikeport
"If unspecified, port 500 is used with the port floating to 4500 if a
NAT is detected ..."
This sounds pretty vague. I would like to tell strongswan to use 443/udp
for NAT traversal and dead peer detection, and to use port 500/udp for
isakmp
Hi folks,
using isc-dhcp-server 4.3.5 on the peer network my laptop takes just
a second to establish an IPsec connection (dhcp plugin involved, of
course). Using dnsmasq 2.80 it takes at least 3 seconds, maybe 4.
Can anybody reproduce this disadvantage of dnsmasq over isc-dhcp? Do
you think it w
Hi folks,
attached you can find charon's and dnsmasq's log files (running on the
same hardware).
Hope this helps
Harri
Jan 14 10:48:07 12[NET] <43> received packet: from 192.168.1.13[61985] to
192.168.1.209[500] (1256 bytes)
Jan 14 10:48:07 12[ENC] <43> parsed IKE_SA_INIT request 0 [ SA KE No
On 1/16/19 9:38 AM, Harald Dunkel wrote:
Hi folks,
attached you can find charon's and dnsmasq's log files (running on the
same hardware).
Strongswan's dhcp plugin sends out the DHCPDISCOVER at 10:48:07. dnsmasq
seems to wake up somehow (there is a log file entry), but at 10:4
Hi folks,
using IKEv2 and NetworkManager I wonder how the DNS domain search
attribute is supposed to be added to /etc/resolv.conf?
My attr.conf on the IPsec gateway says
attr {
dns = 10.0.122.9, 10.0.96.123, 10.0.96.124
nbns = 10.0.98.253
28674 = ipsec.example.com ac.example.com vs.
Hi Tobias,
On 7/1/19 10:41 AM, Tobias Brunner wrote:
AFAICT NetworkManager would like to call resolvconf itself, but apparently
it is missing the DNS domain.
Is a search domain actually required in your setup? Because, as I said,
there is no standardized IKEv2 attribute for it at all.
Ye
On 7/1/19 3:06 PM, Tobias Brunner wrote:
Nobody forces you to use IPsec :-)
:-(
Hi folks,
imagine a road warrior scenario (all peers running Strongswan 5.7.2).
A warrior's laptop is usually connected via ethernet cable to the
company network, but he might prefer an IPsec connection over WLAN
instead, e.g. for the conference room or for home office. Using dhcp
and farp plugi
Hi folks,
road warrior setup:
If I disconnect the cable, wait for Network Manager to
recognize, and enable IPsec over WLAN to connect to the
same network, then some hosts become inaccessible.
tcpdump on such an inaccessible host (CentOS 7.4) shows:
# tcpdump -envi eno1 icmp
tcpdump: listening
Hi Noel,
On 8/26/19 6:40 PM, Noel Kuntze wrote:
Hello Harald,
That by itself is quite useless. Please provide the outputs of `ipsec statusall`
(or `swanctl -l`, depending on what frontend you're using), `ip route show
table all`, `ip rule` and `ip address`.
Kind regards
Noel
See attachmen
Hi folks,
apparently the MacOS road warriors have to manually adjust the MTU on
ipsec0 to 1280 in some networks, e.g. if the IP provider is Unitymedia,
or if they travel in an ICE of Deutsche Bahn and use the free Wifi.
Without *sudo ifconfig ipsec0 mtu 1280* their IPsec connection appears
to be
On 12/11/19 10:39 PM, Harald Dunkel wrote:
Hi folks,
apparently the MacOS road warriors have to manually adjust the MTU on
ipsec0 to 1280 in some networks, e.g. if the IP provider is Unitymedia,
or if they travel in an ICE of Deutsche Bahn and use the free Wifi.
Without *sudo ifconfig ipsec0
Hi folks,
I've seen it several times that the dead peer detection on my
IPsec gateway recognized a lost connection to a road warrior
laptop, but the laptop itself didn't know.
Would it be possible to enable dead peer detection and dpdaction
restart in the network manager app?
Regards
Harri
Hi folks,
are there any recommendations on how to give a Docker container running on
a road warrior laptop access to the host's IPsec connection?
Easy testcase (using Docker's default bridge network):
% docker run -it --rm debian
# ping some.internal.ip.address
From 10.100.
Hi Noel,
On 2020-01-30 13:45, Noel Kuntze wrote:
Hello Harri,
The NAT rules on the host need to change the source IP address to match the
negotiated IPsec policies' local TS.
The road warrior's IP address in the TS appears to be chosen by the IPsec
gateway. How is the Docker container's net
Hi folks,
is it possible that aa3d5bf7916ce8fed0051feadae0b0139d5fbe24 (Revert "nm:
Remove dummy TUN device") affects iptables?
Regards
Harri
Hi Tobias,
On 1/25/21 9:46 AM, Tobias Brunner wrote:
Hi Harri,
is it possible that aa3d5bf7916ce8fed0051feadae0b0139d5fbe24 (Revert "nm: Remove
dummy TUN device") affects iptables?
In what way?
Regards,
Tobias
ip link shows me a new network interface "tun0" that wasn't there before
the
Hi folks,
how can I compute the MAC address used for farp/dhcp (7a:a7:xx:xx:xx:xx),
*before* trying to connect? Need this for configuring dhcp.
Regards
Harri
Hi folks,
I have a few road warriors (3 out of ~140) having severe problems connecting
connect via IKEv2. Within the last 4 weeks they had >1000 problems
during IKE SA init each, e.g.:
May 12 09:55:28 18[NET1] <92244> received packet: from 192.168.1.177[61416] to
10.0.0.17[500] (432 bytes)
May 12 09:55
On 5/14/21 9:21 PM, Thomas Egerer wrote:
What you're looking for is not a part of the swanctl.conf or ipsec.conf. It's
part of the strongswan.conf (/etc/strongswan.conf) and documented at [1]. Use
the keyword 'half_open_timeout' in the 'charon' section:
charon {
half_open_timeout = 42
Hi folks,
I wonder if it is reasonable to use connection tracking for
500/udp and 4500/udp in the iptables configuration, esp.
wrt dead peer detection?
Your thoughts on this?
Regards
Harri
Hi folks,
question about DPD in a road-warrior configuration: Is it
sufficient for either side to answer DPD packets, or should
both sides run their own DPD in parallel, independent from
the DPD sent by their peer?
Reason for asking is, I have the impression that some home
office gateways keep t
Hi Tobias,
On 6/8/21 10:19 AM, Tobias Brunner wrote:
Hi Harri,
question about DPD in a road-warrior configuration: Is it
sufficient for either side to answer DPD packets, or should
both sides run their own DPD in parallel, independent from
the DPD sent by their peer?
DPDs are INFORMATIONAL e
TL;DR:
How does strongswan handle renewed or expired CRLs?
Platform: 5.9.4 on Debian 11. Private CA. CRL distributed
via http.
Hi folks,
Apparently certificate revocation lists have an expiration date. AFAIU
this is the maximum time a CRL should be cached.
I had revoked a few road-warrior cert
Hi Tobias,
On 2022-04-01 12:05:38, Tobias Brunner wrote:
Even on
"ipsec rereadcrls" the new CRL was ignored.
This reads CRLs from /etc/ipsec.d/crls, nothing else. To flush the
in-memory cache use `ipsec purgecrls` (CRLs cached on disk have to be
deleted manually from the directory above, no
Hi Martin,
On 08/04/14 11:40, Martin Willi wrote:
> Hi Harald,
>
>> seems that network-manager-strongswan is not recognized
>> by the network-manager-gnome applet (0.9.10) anymore.
>
> AFAIK there have been significant changes in NetworkManager, making our
> plugin incompatible. I didn't check i
Hi folks,
I have 2 problems with network-manager-strongswan (1.3.1) and
charon-nm (5.3.2):
- if the IPsec connection goes down, then it is not restarted
- if I try to reconnect manually, then I have to try two or
three times. Sometimes I have to reboot to make it work again.
Using a "regular" r
Hi folks,
I am trying to connect an ios 9.1 device to strongswan 5.3.3,
using IKEv2. Problem: It doesn't.
Here is the log file:
Oct 27 09:33:25 srvl047 charon: 02[NET] received packet: from
2001:db8:30:fff0:4ff:fc45:f6a4:3860[500] to 2001:db8:13b0:::63[500]
Oct 27 09:33:25 srvl047 charon: 0
Hi Tobias,
On 10/27/15 11:43, Tobias Brunner wrote:
> Hi Harald,
>
>> Please note that both peers agreed upon a proposal including DH group 5,
>> but then there is a message "DH group MODP_1024 inacceptable, requesting
>> MODP_1536". The selected proposal wasn't DH2, so I wonder WTH?
>
> Since t
Hi folks,
AFAIK a log file message like
no trusted RSA public key found for 'peer.example.com'
means that the issuer for peer's certificate is not trusted.
Wouldn't it be helpful if the issuer of the "bad" certificate
is shown in the log file as well?
Just a suggestion, of course. Rega
Hi folks,
strongswan 5.3.3 on Linux, IOS 9.1, IKEv2:
Using strongswan on both peers I see in the log file that
the roadwarrior sends the issuer certificate next to its
own end entity certificate to the gateway. The iphone doesn't.
Result:
no trusted RSA public key found for 'iphone01.example.com
PS: To clarify the CA story: There is a self-signed root
certificate, an intermediate "IPsec" certificate signed
by the root cert, and a client cert for each peer signed
by the IPsec cert. Of course the whole chain has been loaded
on the iphone.
Regards
Harri
Hi Tobias,
On 10/30/15 08:50, Tobias Brunner wrote:
> Hi Harald,
>
>> Of course the whole chain has been loaded
>> on the iphone.
>
> But not on the strongSwan host?
>
The strongswan host has copies of the iphone's root and
issuing ca certificates in ipsec.d/cacerts. Its own
certificate has b
To send an update:
I found a working (more or less) configuration.
Somehow strongswan doesn't use the DN of the iphone's
certificate as the remote ID, but either the FQDN, IPv4
address or IPv6 address. (I didn't check USER_FQDN.)
Probably this is influenced by the iphone somehow?
In the iphone's
Since kernel 4.3 routing seems to be broken. I get some messages
in /var/log/daemon.log saying
:
Nov 9 21:24:44 cecil charon: 13[IKE] installing new virtual IP 172.19.97.237
Nov 9 21:24:44 cecil charon: 13[KNL] received netlink error: Invalid argu
Hi folks,
On 11/09/15 21:41, Noel Kuntze wrote:
>
> Hello Harald,
>
> Look at issue #1189[1]
>
> [1] https://wiki.strongswan.org/issues/1189
>
Sorry, I should have checked the bug tracker. Thanx for your
patience.
Regards
Harri
Hi folks,
what is the recommended procedure/option to forward a domain search
list to the peer using IKEv2?
I found the attr plugin
https://wiki.strongswan.org/projects/strongswan/wiki/Attrplugin
UNITY_DEF_DOMAIN and UNITY_SPLITDNS_NAME seem to be restricted
to IKEv1 only.
Every helpf
Hi folks,
looking for some advice: Would you suggest to use pfs for esp?
Apparently pfs is a must-have to establish an ike_sa today, but
is this reasonable for the child_sas as well?
Every helpful comment is highly appreciated
Harri
___
Users mailing li
Hi folks,
I wonder how I can define the default ciphers for charon-nm?
The network-manager GUI doesn't support setting ciphers, so I
had hoped charon-nm could read /etc/ipsec.conf?
Regards
Harri
Hi John,
On 03/01/2016 12:55 PM, John Brown wrote:
> Hi,
>
> I can give you two links with some small amount information about your
> question:
>
> http://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/vpn-security-phase-2-ipsec-proposal-understanding.html
>
> and
>
> https
Hi folks,
left side is strongswan 5.3.5 on Debian, right side is a
road warrior macbook running MacOS 10.11.3. There is a
NAT gateway & firewall on both sides.
If the IPsec connection is activated and the mac is put to
sleep, then strongswan drops the connection after some
minutes. Problem: When
Hi Tobias,
your tips were very helpful. Using
dpdaction = clear
dpdtimeout = 1500s
dpddelay= 300s
the "no response to retransmit" messages are gone. The users
can access their desktop immediately and do not have to wait.
Very big improvement.
However,
Hi Tobias,
I am still struggling with this. The messages with "no
response to retransmit" are still there :-(.
On 03/10/2016 09:31 AM, Tobias Brunner wrote:
>
>> dpddelay= 30s
>
> This together with dpdtimeout (which defaults to 150s) is probably too
> low. The Mac OS X client ap
Hi Tobias,
On 03/11/2016 10:03 AM, Tobias Brunner wrote:
>
> Just as a side note, you might want to adjust your logger/syslog
> settings to avoid the duplicate log messages.
>
This is debug mode. Usually I have
charondebug="dmn 1, mgr 1, ike 1, chd 1, cfg 1, net 1"
Which setting would
Hi Tobias,
On 03/11/16 10:03, Tobias Brunner wrote:
>
> One potential issue I hadn't considered so far is that while the client
> is asleep the mapping on the NAT router might time out (it probably does
> not send keepalives while asleep). So when it reconnects it will do so
> from different sou
On 03/16/16 18:02, Harald Dunkel wrote:
> PS: After enabling debug logging in racoon and a reboot the problem went
> away. I will keep debugging enabled, of course.
>
PPS: After my IP provider changed the external IP address over
nig
Hi Tobias,
On 03/15/16 12:13, Tobias Brunner wrote:
> Hi Harald,
>
>> I have no idea why the Mac opens a new session now, instead of relying upon
>> the old IKE_SA, but it seems to me that the Mac missed to send xauth info.
>> Is this correct?
>
PS: After enabling debug logging in racoon and a reboot the problem
went away. I will keep debugging enabled, of course.
Regards
Harri
Hi folks,
Using IKEv2 to connect to MacOS 10.11.4:
It seems that either the received DHCP options are not forwarded
to the MacOS client, or the MacOS client ignores these options.
Charon's log file entries show the DHCP discover and the received
IP address and netmask, but it doesn't show which o
On 04/11/16 16:24, Harald Dunkel wrote:
> Hi folks,
>
> Using IKEv2 to connect to MacOS 10.11.4:
>
PS: Sorry, this was misleading. It's a road warrior scenario
between a few MacOS laptops and a central strongswan
installation using IKEv2. The connections are initiated
only by
Hi folks,
https://wiki.strongswan.org/projects/strongswan/wiki/Attrplugin
lists a few "Cisco Unity extensions for IKEv1". Apparently they
are sent to the peer for IKEv2 as well (as a log file written
on MacOS shows). Is this on purpose? A typo on the wiki page?
Every clarification is highly appr
Hi folks,
environment:
IPsec gateway/firewall, Debian 8
strongswan 5.4.0
kernel 4.5.4-1~bpo8+1
about 30 road warriors (OS X, iphones)
IKEv1, IPv4 only, NAT at both sides
problem:
I see a number of DNS queries via IPsec blocked at the
internal firewall each
Hi folks,
what is the default for the inactivity config option?
https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
doesn't tell.
Thanx in advance
Harri
PS: I found out a little bit more. If there is a new connection
initiated by a road warrior, then /var/log/messages shows me
Jul 4 08:55:03 srvl047 kernel: [73014.164939] iptables-dropped: IN=eth0
OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87
DST=172.19.96.123 LEN=67 T
Hi Dennis,
On 07/04/16 12:53, Dennis Jacobfeuerborn wrote:
>
> I'm not sure what your objection is to creating the same rules
> permanently (which the page seems to call "global") that the updown
> script create dynamically anyway?
>
The concern is to open a potential door for an intruder.
The
d" in this case) fails. You might imagine that
this affects a lot of tools (calendar lookup, EMail, etc.)
From the user's point of view this is the difference between
"works" and "doesn't work".
Thanx very much
Harri
On 07/04/16 09:33, Harald Dunkel wrote:
>
Hi Noel,
On 07/05/16 14:12, Noel Kuntze wrote:
> That is what is happening. IPsec packets are processed as soon as the SAs and
> SPs are inserted into the SAD and SPD, but
> the updown script takes some time to execute. Obviously the firewall rules
> are inserted too late.
>
I am glad that we
Hi folks,
if I migrate the road warriors from IKEv1 to IKEv2, then
they get new mac addresses (using identity_lease = yes in
dhcp.conf). This breaks their dhcp lease, and we have to
register the new mac addresses in the dhcp server
configuration for mac-based access control.
Each road warrior has
Hi folks,
I am using IPv6 over IPv4 at home (via sixxs.net). No NAT.
Problem: The mtu of this tunnel is less than 1500. On the
first run IKEv2 on my Mac fails with icmp6 "Packet Too Big".
Since the protocol is udp there is no packet to fragment and
Hi Tobias,
On 07/18/16 11:53, Tobias Brunner wrote:
> Hi Harald,
>
>> Problem: The mtu of this tunnel is less than 1500. On the
>> first run IKEv2 on my Mac fails with icmp6 "Packet Too Big".
>> Since the protocol is udp there is no packet to fragment and
>> resend, which means a 10 seconds delay
PS: Here is the tcpdump:
:
09:38:32.605298 a4:d1:8c:e5:e8:50 > 80:ee:73:95:c1:0d, ethertype IPv6 (0x86dd),
length 1510: (flowlabel 0xe21e2, hlim 64, next-header Fragment (44) payload
length: 1456) 2001:db8:0:1:3dfa:f382:2017:d7f7 > 2001:db8:0:2::63: frag
(0xd1710203:0|1448) 4500 > 4500
09:38:32
Hi Tobias,
On 07/20/16 17:03, Tobias Brunner wrote:
> Hi Harald,
>
> As you noticed the IKE_AUTH packet is the one that's problematic. But
> since Mac OS X supports IKEv2 fragmentation
>
>> Notify (IKEv2 Fragmentation Supported) Payload:
>> No Data
>
> there is really no reason
Hi Tobias,
On 07/21/16 11:24, Tobias Brunner wrote:
> Hi Harald,
>
>> AFAIU defragmentation is enabled in strongswan for incoming packages,
>> anyway.
>
> That's basically for IKEv1 where the first message may already be
> fragmented and for misbehaving peers that send fragmented packets even
>
Hi folks,
I get these messages in the log file on my gateway:
:
Aug 10 08:56:49 srvl047 charon: 22[IKE] establishing CHILD_SA IPSec-IKEv2{271}
Aug 10 08:56:49 srvl047 charon: 22[ENC] generating CREATE_CHILD_SA request 190
[ N(REKEY_SA) SA No KE TSi TSr ]
Aug 10 08:56:49 srvl047 charon: 22[NET] s
PS: It's Windows 10, sorry.
Harri
Hi folks,
charon mentions a few lines in syslog every day saying
sending DHCP RELEASE failed: No buffer space available
I found https://lists.strongswan.org/pipermail/users/2015-February/007438.html
but this seems to be a different problem.
What
On 12/03/16 14:52, Harald Dunkel wrote:
> Hi folks,
>
> charon mentions a few lines in syslog every day saying
>
> sending DHCP RELEASE failed: No buffer space available
>
> I found https://lists.strongswan.org/pipermail/users/2015-February/007438.html
> but this seems t
Hi folks,
I have quite a number of MacOS 10.11 and 10.12 road warriors.
The common IPsec gateway is a Linux PC with strongswan 5.5.1.
IKEv2.
The problem is that some Macs lose the IPsec connection while
it is in use. The road warrior is working in an ssh session over
IPsec to another system in o
On 12/03/16 15:35, Thomas Egerer wrote:
> Moinsen Harald,
>
> On 12/03/2016 02:52 PM, Harald Dunkel wrote:
>> Hi folks,
>
>> charon mentions a few lines in syslog every day saying
>
>> sending DHCP RELEASE failed:
Hi folks,
there are some rumors on Google that IPsec connections
to Apple devices are distorted, if the IP provider is
Unitymedia. Some say, Unitymedia sets the ECN bits on
the IP traffic without looking, and the IPsec implementation
on MacOS/Ios is supposed to drop these packages,
according to
Hi folks,
charon-nm seems to reject a key, but its error message doesn't
appear to be very useful:
Jun 05 11:42:13 ppcl001 charon-nm[6609]: 05[LIB] building CRED_PRIVATE_KEY -
RSA failed, tried 10 builders
Jun 05 11:42:13 ppcl001 charon-nm[6609]: 05[CFG] received initiate for
NetworkManager con
Hi folks,
Is there a config option for strongswan to watch farp at
work? I had the impression that sometimes it forgets
a client.
Long story:
Consider a road warrior setup. The IPsec gateway to the
company network has a direct connection to the internet
via IPv4 and IPv6. No NAT. It runs strongs
Hi folks,
What is the exact meaning of these fancy strings like "07[NET]",
"26[ENC]" etc. in the logfile? They seem to be related to
charondebug, but are they? What does the number tell me? Some
kind of "context id"?
I haven't found it in the wiki, but maybe I was too blind to
see. Every helpf
Hi folks,
Consider a road warrior setup (>20 peers online). Strongswan 5.5.3 on
Debian 8. The right addresses are grabbed via dhcp, farp is supposed
to answer the arp requests.
Problem is, sometimes farp ignores the arp requests for one (or more?)
IP address bound to a child SA.
I saw this on my
Hi folks,
sometimes starting charon fails with "Temporary failure
in name resolution", e.g.
Jul 10 19:58:50 00[DMN] Starting IKE charon daemon (strongSwan 5.5.3, Linux
4.11.9-raw, x86_64)
Jul 10 19:58:50 00[CFG] PKCS11 module '' lacks library path
Jul 10 19:58:50 00[CFG] loading ca certificates
Hi Tobias,
On Fri, 14 Jul 2017 13:59:05 +0200
Tobias Brunner wrote:
> Hi Harald,
>
> > I tried both "auto = start"
>
> You could set charon.retry_initiate_interval, then initiation will be
> tried again if the DNS resolution failed.
>
Sorry, my bad. I had expected some connection specific
On Tue, 18 Jul 2017 16:00:07 +0200
Harald Dunkel wrote:
> Hi Tobias,
>
> On Fri, 14 Jul 2017 13:59:05 +0200
> Tobias Brunner wrote:
>
> > Hi Harald,
> >
> > > I tried both "auto = start"
> >
> > You could set charon.retry_ini
Hi folks,
the documentation says for left|rightca:
%same means that the value configured for the other participant
should be reused.
Please note the "configured". How can I tell charon to require
a matching root CA by default, without explicitly configuring the
peer's CA?
I am not sure i
On Tue, 5 Sep 2017 13:33:59 +0200
Noel Kuntze wrote:
> Hi,
>
> > a matching root CA by default
>
> What do you mean with that? charon always authenticates the certificates. You
> can't turn that off.
>
I don't want to turn that off. AFAIU left and right side can use
independent certifica
Hi Noel,
On Tue, 5 Sep 2017 15:34:40 +0200
Noel Kuntze wrote:
> Hi,
>
> No, that is not the default. Any authenticatable certificate with a matching
> ID to it is accepted (Unless it's revoked via CRLs or OCSP).
> In your case, just set leftca to the DN of your root CA certificate, and
> righ
Hi folks,
I had a typo in rightca, like
rightca="CN=my-CA"
instead of
rightca="C=DE, O=example gmbh, OU=it, CN=my-CA"
There was a message in charon.log:
CA certificate "CN=my-CA" not found, discarding CA constraint
The IPsec gateway was much more open than intended. S
Hi folks,
is there some way to tell charon-nm to use 4500/udp for the outgoing
connection, instead of an arbitrary port, if available? Same for
500/udp.
I assume a problem on the AVM Fritzbox in this context. 500/udp and
4500/udp at both ends appears to be more reliable. However, I am not
sure a
Hi Tobias,
On 2022-07-14 16:15:29, Tobias Brunner wrote:
Hi Harald,
is there some way to tell charon-nm to use 4500/udp for the outgoing
connection, instead of an arbitrary port, if available? Same for
500/udp.
You can explicitly configure the ports via strongswan.conf
(charon-nm.port and ch
Hi folks,
environment:
VPN gateway running Debian 11 and strongswan 5.9.6
appr 140 road-warrior devices (Linux, Windows, MacOS/ios)
According to
https://en.avm.de/service/knowledge-base/dok/FRITZ-Box-7590/169_Using-VPN-software-from-another-manufacturer-in-the-home-network/
the
Hi folks,
To work around some sites having problems with ESP over IPv6 I had
disabled ESP by setting
forceencaps = yes
in ipsec.conf on my gateway. It worked fine for MacOS, iphones and
Linux, but many Windows users (if not all) were offline. Is this as
expected? Is there a hidden check