Hi Tobias and Martin.
I started to see the following message all of a sudden and it is a total disaster.
I would like to know what is causing the following issue.
2018-01-18T02:14:13-0500 00[KNL] getting SPD hash threshold failed: Operation
not supported (95)
2018-01-18T02:14:13-0500 00[KNL] getting SP
I am trying to build davici lib, but it seems like there are some missing files
according to the INSTALL.
Where is configure shell in the git?
Thanks.
On Feb 13, 2019, at 10:42 PM, Martin Willi <mar...@strongswan.org> wrote:
> Where is configure shell in the git?
As with most autotools based packages, ./configure is generated and
therefore not part of git. When building from git sources, you'll have
to generate it using autore
Hi, I have an ikev2 configuration to the peer 10.180.2.195.
This is a point to point ikev2 configuration to 10.180.2.195 and when I ping
10.180.2.195
StrongSwan selects the wrong selector and programs xfrm incorrectly.
2019-07-24T19:13:03-0700 28[CFG] selecting traffic selectors for us:
2019-0
Thank you Tobias.
I figured out the second option you suggested and it resolved my problem.
> On Aug 12, 2019, at 7:19 AM, Tobias Brunner wrote:
>
> Hi Jaehong,
>
>> StrongSwan selects the wrong selector and programs xfrm incorrectly.
>
> No, everything works as it's designed to. However, the
I am testing Debian 10 + Strongswan and facing an issue.
Tested on StrongSwan 5.7.2 as well as the latest 5.9.2.
Debian 10, iproute2-ss190107
Here is my ipsec statusall dump.
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-14-amd64, x86_64):
uptime: 2 minutes, since Mar 06 06:58:27
Hi.
I have a question on the vici_stringify implementation.
The vici_stringify function is calling snprintf(buf, size, "%.*s", (int)chunk.len,
chunk.ptr);
and this snprintf is mapped to builtin_vsnprintf in libstrongswan.
The chunk data being passed doesn’t contain a null terminator as far as I can see.
An
Hi.
I am trying to connect StrongSwan Windows client to Cisco ASA, and facing the
following two issues.
(In Linux, there is no such issue.)
1. CREATE_CHILD_SA kicks in right away after Windows StrongSwan finished IKE
negotiation.
2. Every single outbound packet attempt, strongswan creates schedules
Hi Noel.
Thanks for the response.
If you read further, you will see the retry and success. I copied and pasted the
message from failure to success here.
See the end of log.
2015-11-28T08:42:56 13[KNL] setting WFP SA SPI failed: 0x80320035
2015-11-28T08:42:56 13[IKE] unable to install IPsec policies (S
Hi Noel.
I haven’t seen your response after my reply.
I have a further question regarding the log.
Am I still missing something?
On Nov 28, 2015, at 10:57 AM, Noel Kuntze <n...@familie-kuntze.de> wrote:
Hello Jaehong,
Your diagnosis is comple
, Jaehong Park <jaehong.p...@illumio.com> wrote:
Hi.
I am trying to connect StrongSwan Windows client to Cisco ASA, and facing the
following two issues.
(In Linux, there is no such issue.)
1. CREATE_CHILD_SA kicks in right away after Windows StrongSwan finished IKE
negotiation.
2. Every
Hi. I found something funny.
I have two machines having two interfaces but one default gateway.
First of all, this is my setup. (Strongswan 5.3.5)
Client machine has
eth0 10.6.1.101
eth1 10.2.1.170
Kernel IP routing table
Destination Gateway Genmask Flags Metric RefUs
Yes. It looks like this is the one.
Sorting by priority which will result in selecting no more specific ip address
as a source.
> On May 6, 2016, at 6:46 AM, Tobias Brunner wrote:
>
>>> After query RTM_GETROUTE, it will collect all the possible route entries.
>>>
>>> With above network setu
Hi. I have tried to build StrongSwan 5.5.0 with GCC version 4.2.1 and now it
seems like the build is broken
with undefined __builtin_bswap64.
I had never had such an issue before, but it seems like it is not working any longer.
Is there any workaround for this issue other than bumping up the GCC version?
Hi Tobias.
I have the following server side StrongSwan configuration (transport mode) and found
strange behavior.
conn tcp_udp_4001
leftsubnet=0.0.0.0/0[%any/4001]
conn icmp_any
leftsubnet=0.0.0.0/0[1/%any]
And if a peer (10.6.3.185) does a ping, I am expecting it to bring up Child SA
properly on con
Thanks Tobias.
That makes a lot of sense.
Here is another question.
If I split these into
Server side ( IP address is 10.6.3.187)
conn tcp_4001
leftsubnet=0.0.0.0/0[6/4001]
conn udp_4001
leftsubnet=0.0.0.0/0[17/4001]
Client side (IP address is 10.6.3.188)
conn 4.10-6-3-187.32.6.4001
esp=s
Hi Martin.
6b57790270fb07c579315c70ecce34f8ad9a4d63
If a system uses routing metrics, we should honor them when doing (manual)
routing lookups for IKE. When enumerating routes, the kernel reports priorities
with the RTA_PRIORITY attribute, not RTA_METRICS. We prefer routes with a
lower priority v
Thanks for the clarification.
> On Sep 7, 2017, at 11:30 PM, Tobias Brunner wrote:
>
> Hi Jaehong,
>
>> The logic of get_route function in
>> /libcharon/plugins/kernel_netlink/kernel_netlink_net.c was ported to
>> differently than it is described above.
>
> Yes, that was changed with 3f4
One more question on the topic.
Let’s say I have two default gateways like
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.10.1.1 0.0.0.0 UG 1 0 0 eth0
0.0.0.0 10.10.2.1 0.0.0.0
Hi, I see some strange behavior with ipsec update.
I have two questions regarding ipsec update.
Please see the question inline along the procedure below.
First of all, I am trying to configure IPSec based on port.
Mode is transport.
Version 5.2.1
My setup is
Carol(54.68.129.251) is initiator,