[strongSwan] iPhone, iOS with TLS+EAP

2017-12-18 Thread Sven Anders
ntity ipsec.secrets: : RSA server.key user : PSK "test" user %any% : EAP "test" Regards Sven Anders -- Sven Anders () UTF-8 Ribbon Campaign /\ Support plain text e-mail ANDURAS intranet security AG Mess

[strongSwan] Strongswan 5.6.2: Segfault if charondebug = cfg > 2

2018-06-05 Thread Sven Anders
bkey #rightauth2=xauth-pam #xauth=server #auto=add # this requires the eap-radius plugin. # (for iPhones with IKEv1 and passwords on radius/DC) #conn ikev1-pubkey-xauth-radius #also=rw-config # keyexchange=ikev1 ##rightauth=pubkey #rightauth2=eap-radi

Re: [strongSwan] Strongswan 5.6.2: Segfault if charondebug = cfg > 2

2018-06-06 Thread Sven Anders
Kuntze: > Hi, > > Try with O2, not O3. > > Kind regards > > Noel > > On 05.06.2018 22:11, Sven Anders wrote: >> Hello! >> >> I'm experiencing a segmentation fault, if I set charondebug = cfg to a value >> greater than 2. >> I

[strongSwan] Checking X509 Extended Key Usage

2018-06-19 Thread Sven Anders
own space too. How can I check in StrongSwan, if a certain EKU exists? Regards Sven Anders -- Sven Anders () UTF-8 Ribbon Campaign /\ Support plain text e-mail ANDURAS intranet security AG Messestrasse 3 - 94036 P

Re: [strongSwan] Checking X509 Extended Key Usage

2018-06-20 Thread Sven Anders
age is just a list of OIDs and there are no restrictions I know of, we use this to differentiate between classes of certificates we issue. If this isn't supported, how can we use StrongSwan to distinguish between groups of certificates without using Sub-CAs? We cannot be the first with this requ

Re: [strongSwan] Checking X509 Extended Key Usage

2018-06-20 Thread Sven Anders
ed self-signed root ca with a path length of 1 8235[IKE] authentication of 'MYNAME@my-group.local' with RSA signature successful 8235[CFG] constraint requires cert policy 1.3.6.1.5.5.7.3.2 8235[CFG] selected peer config 'ikev2-pubkey' inacceptable: non-matching authentication done 8

[strongSwan] attr-sql - case insensitive?

2018-07-04 Thread Sven Anders
Hello! I'm using the "attr-sql" plugin to make static user IP assignments. The database matches the CN in the certificate. Is it possible to match here case insensitive? Regards Sven Anders -- Sven Anders () UTF-8

[strongSwan] attr-sql - case insensitive?

2018-07-04 Thread Sven Anders
nsitive? Or any other ideas? Regards Sven Anders PS: Sorry for the first wrong posting... -- Sven Anders () UTF-8 Ribbon Campaign /\ Support plain text e-mail ANDURAS intranet security AG Messestrasse 3 - 94036 Passau

Re: [strongSwan] Checking X509 Extended Key Usage

2018-07-04 Thread Sven Anders
ontained in all certificates > of the X.509 trust chain. See the following example scenario: > > https://www.strongswan.org/testing/testresults5dr/swanctl/rw-ed25519-certpol/ > > Regards > > Andreas > > On 20.06.2018 13:41, Sven Anders wrote: >> On 20.06.2018 at 10:

Re: [strongSwan] attr-sql - case insensitive?

2018-07-05 Thread Sven Anders
actly match that of the column. > > Another option is probably to convert the identities to text and store > and compare them as such, but that would also require several code changes. > > Regards, > Tobias Thanks for the answer! In other words: I have to chan

Re: [strongSwan] attr-sql - case insensitive?

2018-07-11 Thread Sven Anders
03030... ). So no chance here, even if I set the data field to "TEXT NOT NULL COLLATE NOCASE". But thanks for the tips! Regards Sven Anders -- Sven Anders () UTF-8 Ribbon Campaign /\ Support plain text e-m

[strongSwan] Problems with CRLs

2018-08-22 Thread Sven Anders
TC 2018, reason: remove from crl Aug 22 16:01:43 2101120420063 charon: 30400[CFG] using cached crl Aug 22 16:01:43 2101120420063 charon: 30400[IKE] no trusted RSA public key found for 'testu...@company.de' But as you can see here, the user is denied. What happened here? Is the (d

Re: [strongSwan] Problems with CRLs

2018-08-27 Thread Sven Anders
On 22.08.2018 at 17:48, Sven Anders wrote: > Hello! > > We are experiencing two problems when using CRLs. > Our Linux systems runs strongSwan 5.6.2. > > > 1) Because we want an hourly update of CRLs and the standard CRLs timeout >is 7 days, we created a cronjob, tha

Re: [strongSwan] Problems with CRLs

2018-09-13 Thread Sven Anders
Hello! Can nobody help me with this issue? Or isn't the question worth it? Regards Sven On 27.08.18 at 23:32, Sven Anders wrote: > On 22.08.2018 at 17:48, Sven Anders wrote: >> Hello! >> >> We are experiencing two problems when using CRLs. >> Our Lin

Re: [strongSwan] Problems with CRLs

2018-09-13 Thread Sven Anders
.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55 Legal form: Aktiengesellschaft - Registered office: Passau - District court: Passau HRB 6032 Members of the management board: Dipl.-Inf. Sven Anders, Dipl.-Inf. Marcus Junker Chairman of the supervisory board: RA Mark Peters

[strongSwan] Problem: "unable to install policy -the same policy for reqid XXXX exists "

2018-11-23 Thread Sven Anders
ar problem, but that changed nothing... Regards Sven Anders ---8X- Here is the configuration: ipsec.conf: --- config setup uniqueids=never charondebug = ike 2, net 2, pts 2, lib 2, tls 2, cfg 3,

Re: [strongSwan] Problem: "unable to install policy -the same policy for reqid XXXX exists "

2018-11-23 Thread Sven Anders
"auto=route", which I found in a >> description >> of a similar problem, but that changed nothing... > > auto=route makes no sense on a gateway for roadwarriors. Ok, just read about it in another similar problem and this was one idea to solve it

Re: [strongSwan] Problem: "unable to install policy -the same policy for reqid XXXX exists "

2018-11-30 Thread Sven Anders
message do you expect or what should I search for? > > For instance, messages around refcount changes of the policies. You can > also post it somewhere for us to have a look at. Thank you, I will send you a link to download it. If anybody wants the log output too, to a

[strongSwan] IPSec / IKEv2, IP-(Re)assignment problem

2019-05-16 Thread Sven Anders
-add dynamic --start 192.168.3.20 --end 192.168.3.254 --timeout 4h ipsec pool --add static --addresses static.ippool --timeout 0 -- Sven Anders () UTF-8 Ribbon Campaign /\ Support plain text e-mail ANDURAS intranet securit

Re: [strongSwan] IPSec / IKEv2, IP-(Re)assignment problem

2019-05-23 Thread Sven Anders
e a simultaneous login from the iPhone and the iPad. If this "uniqueness" is only determined by the login username and not further data (like a mac address or name of the connecting device), I see that this will not work. Or do you have any other ideas to make this work? Regards

[strongSwan] Problem with pcrypt

2017-09-15 Thread Sven Anders
tunnel src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src ::/0 dst ::/0 socket in priority 0 src ::/0 dst

Re: [strongSwan] Problem with pcrypt

2017-09-15 Thread Sven Anders
Do you know a working configuration that I can use as a reference? > Disabling replay protection does not improve performance. Ok, I did read about this in some posting, so I tried this too. Regards Sven Anders -- Sven Anders () UTF-8 Ribbon Campaign