[strongSwan] ikelifetime maximum?

2013-08-30 Thread Tom Rymes
While perusing the documentation, specifically http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection, I noticed that a 24h maximum is specified for 'lifetime', but there is no maximum specified for 'ikelifetime'. I don't personally want to use a large 'ikelifetime', but for the sake

Re: [strongSwan] reduce size

2013-09-13 Thread Tom Rymes
On Sep 12, 2013, at 8:35 PM, Naveen Neelakanta nbnopens...@gmail.com wrote: Is there a way to reduce the size of charon and strongswan, I just need the basic VPN client without extra plugins and use openssl for cryptography. The last time this came up, the recommendation was to build

[strongSwan] Recommended command order.

2013-09-19 Thread Tom Rymes
We currently use a firewall distro that has a GUI to add/modify/delete/restart StrongSwan tunnels. The update to v5 of StrongSwan caused some issues, which were eventually traced back to the GUI issuing ipsec reload, but not ipsec rereadsecrets when creating a PSK tunnel. My hunch here is

Re: [strongSwan] ipsec update and SIGHUP

2015-03-18 Thread Tom Rymes
On 03/18/2015 9:37 AM, Tobias Brunner wrote: But still ipsec update does reread contents of ipsec.conf, am I right? Yes, this will cause starter to reread ipsec.conf. And does sending HUP to charon forces it to reread ipsec.conf or just the strongswan.conf? The charon daemon only reads

[strongSwan] Usage questions: DPD and auto=

2015-03-09 Thread Tom Rymes
All, I have two questions: 1.) Since IKEv2 does not use DPD, should one omit the dpdaction directives from ipsec.conf for a connection using IKEv2? Is there any harm/unintended consequences if they are left in, and are there alternate directives that one should use instead? 2.) Is it

Re: [strongSwan] Loss of tunnel service while reauthenticating IKE_SA?

2015-03-12 Thread Tom Rymes
On 03/12/2015 11:16 AM, Noel Kuntze wrote: Hello Ken, It is dependent on the IKE version. Quote from the man page: reauth = yes | no whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done. In

Re: [strongSwan] Query reg UDP encapsulation for IPv6

2015-04-15 Thread Tom Rymes
On 04/15/2015 10:15 AM, Ruel, Ryan wrote: Mukesh, I believe the idea is that for IPv6, NAT will not be needed (that's the beauty of having so much address space!). Technically, sure, you could NAT IPv6. But why? /Ryan Ryan, Perhaps the best reason to address this is that the exact same

Re: [strongSwan] Recommendations for dpdaction= and auto=

2015-07-31 Thread Tom Rymes
with the dynamic IP. Mit freundlichen Grüßen/Kind Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 Am 30.07.2015 um 18:18 schrieb Tom Rymes: We have a number of sites connected via StrongSwan IKEv2 tunnels, and I was hoping that someone

[strongSwan] Recommendations for dpdaction= and auto=

2015-07-30 Thread Tom Rymes
We have a number of sites connected via StrongSwan IKEv2 tunnels, and I was hoping that someone might provide me with the recommended settings for dpdaction and auto, given our setup. I think I have a reasonable handle on this, but I wanted to ask in case I was doing anything that might result

Re: [strongSwan] unable to install policy for clients some minutes after the first client has connected

2015-07-21 Thread Tom Rymes
On 07/21/2015 2:43 PM, Larsen wrote: Hello Noel, problem didn't occur again when I tested over more than two hours. Should be fixed. The problematic vhost:%no,%priv seems to stem from IPcop that IPFire was forked from. I could remove this by unchecking Roadwarrior virtual IP (inner-IP). I will

[strongSwan] Best practices for connection tracking and IPSec

2015-09-28 Thread Tom Rymes
I am sure that this is a dumb question that will reveal my lack of sophisticated networking skills, but here goes anyway: We have used a number of Linux Firewall distributions that have issues with connection tracking (NAT) and StrongSwan IPSec tunnels. Specifically, issues arise with SIP

Re: [strongSwan] Best practices for connection tracking and IPSec

2015-09-28 Thread Tom Rymes
And I already put my foot in my mouth. I meant to specify that I was referring to the conntrack NAT helpers for specific protocols, not connection tracking in general. > On Sep 28, 2015, at 7:22 PM, Tom Rymes <try...@rymes.com> wrote: > > I am sure that this is a dumb question t

Re: [strongSwan] Problem when forwarding all traffic to tunnel (site-to-site VPN)

2015-09-21 Thread Tom Rymes
If nothing else, you can use the updown script to add these entries, I presume? > On Sep 21, 2015, at 3:41 AM, Rajiv Kulkarni wrote: > > Hi > That's great. Yes of course... addition and deletion/update of new networks of > LAN into this strongswan routing table 220

[strongSwan] Recommended Practice: Encryption options for net-to-net tunnels

2015-12-09 Thread Tom Rymes
I was hoping that someone might aid me in providing a best practice when setting up a tunnel between two devices connecting two lans. Is it best to specify one and only one combination of encryption schemes for this tunnel (i.e.: ike=aes256-sha2_256-ecp512bp) or multiple options? This is

Re: [strongSwan] Recommended Practice: Encryption options for net-to-net tunnels

2015-12-10 Thread Tom Rymes
On 12/10/2015 11:34 AM, Andreas Steffen wrote: By the way ike=aes256-sha2_256-ecp512bp does not give you constant 256 bit security. The correct choice is ike=aes256-sha512-ecp512bp! Make sure to add the '!' strict flag at the end of your proposal list. Otherwise a big list of

[strongSwan] Issue Upon Rekey Collision.

2015-12-14 Thread Tom Rymes
I encountered an issue today with a rekey collision. When it happened, the tunnel appeared to be up, but traffic could not traverse the tunnel. After digging around, I found this discussion, which seems to be the same issue, and the original poster also seems to be using IPFire, as I am:

Re: [strongSwan] Recommended Practice: Encryption options for net-to-net tunnels

2015-12-10 Thread Tom Rymes
On 12/10/2015 11:34 AM, Andreas Steffen wrote: if you know the options on both sides then one set of options is sufficient. If the connection setup works the first time around then it will always work. If you are not sure what the other side supports then you have to define several options with

[strongSwan] Site-to-Site with Cisco devices

2015-11-28 Thread Tom Rymes
Before I start digging through the logs (more than I have already), I thought I would ask if there are some obvious recommended settings for connecting Strongswan to Cisco routers. I am running Strongswan 5.3.2 as part of the IPfire distribution. This box hosts a dozen or so tunnels to other

Re: [strongSwan] Site-to-Site with Cisco devices

2015-11-28 Thread Tom Rymes
On Nov 28, 2015, at 1:58 PM, Noel Kuntze wrote: > Hello Tom, > > Provide logs and configuration details, so we can aid you in debugging it. > We can't help you without detailed information. > It's probably a configuration problem. Thanks, Neil. For the record, I am using

Re: [strongSwan] Site-to-Site with Cisco devices

2015-11-30 Thread Tom Rymes
On 11/28/2015 1:58 PM, Noel Kuntze wrote: Hello Tom, Provide logs and configuration details, so we can aid you in debugging it. We can't help you without detailed information. It's probably a configuration problem. More details. As of now, after being up for a day or more, I see this on the

Re: [strongSwan] fail open mode for strongswan

2016-02-09 Thread Tom Rymes
You could try setting up IPSec for only a portion of the subnet, using the subnet mask to limit which hosts use IPSec. Change the hosts within that portion of the subnet, then change the mask to include more hosts, set them to use IPSec, and keep going until the entire subnet is swapped over.

[strongSwan] Multiple SAs immediately after connection

2016-09-29 Thread Tom Rymes
I have occasionally seen this over the years, and I am not certain if it’s anything I should be concerned about. If I start a tunnel named mytunnel, this is what it looks like on the CLI: [root@mainoffice ~]# ipsec up mytunnel received packet: from XXX.XXX.XXX.XXX[4500] to YYY.YYY.YYY.YYY[4500]

Re: [strongSwan] strongswan not reloading/updating configs

2017-01-13 Thread Tom Rymes
Henry, Have you tried "ipsec rereadall"? Tom From: Users [mailto:users-boun...@lists.strongswan.org] On Behalf Of Henry Griffiths Sent: Friday, January 13, 2017 2:58 AM To: users@lists.strongswan.org Subject: [strongSwan] strongswan not reloading/updating configs Hello! I have issue

[strongSwan] L2TP/IPSec Passthrough - Interfaces?

2017-06-02 Thread Tom Rymes
We are running StrongSWAN as part of an IPFire router distribution. Strongswan handles multiple tunnels via the WAN interface, and that interface has multiple public IPs associated with it. We are also trying to pass L2TP/IPSec through the router to a Windows RRAS server for the purpose of

Re: [strongSwan] High latency (satellite) link : what can we improve ?

2017-10-24 Thread Tom Rymes
On Oct 24, 2017, at 11:53 AM, Hoggins! wrote: > > Hello, > > We sometimes use a satellite link for one of our site2sites tunnels, and > there are times when the tunnel simply stops working. Maybe we don't > wait enough for it to respawn by itself, but then we just restart the

Re: [strongSwan] High latency (satellite) link : what can we improve ?

2017-10-25 Thread Tom Rymes
AM, Hoggins! <hogg...@radiom.fr> wrote: > >> Le 24/10/2017 à 18:52, Tom Rymes a écrit : >>> On Oct 24, 2017, at 11:53 AM, Hoggins! <hogg...@radiom.fr> wrote: >>> Hello, >>> >>> We sometimes use a satellite link for one of our site2sites tunnels,

Re: [strongSwan] DHCP!

2018-05-04 Thread Tom Rymes
On 05/04/2018 3:45 AM, Christian Salway wrote: Thanks to Dirk Hartmann and his scripting idea, the simplest way to add a VPN connection to Windows 10 that includes the routing to the internal IP is by running the following commands in PowerShell. This also enables strong ciphers

Re: [strongSwan] DHCP!

2018-05-04 Thread Tom Rymes
find it helpful. Tom On 05/04/2018 9:15 AM, Christian Salway wrote: We are working with very locked down systems so wouldn’t be able to install that software unfortunately but will have a look out of interest, Thanks On 4 May 2018, at 13:15, Tom Rymes <try...@rymes.com> wrote: On 05/04/

Re: [strongSwan] High latency (satellite) link : what can we improve ?

2017-10-26 Thread Tom Rymes
Odd, it works fine for us. The tunnel is set up as routed, and once traffic destined for the other side of the tunnel shows up, the connection is established and all is well. You've reached the limit of my abilities, hopefully someone else can help. > On Oct 26, 2017, at 5:14 AM, Hoggins!

[strongSwan] Challenges with MacOS Roadwarrior

2018-01-25 Thread Tom Rymes
I have spent a fair amount of time lurking and searching for the answers to this, and I am fairly certain that I have overlooked something basic, such as putting the right data in the proper SAN. Unfortunately, the learning curve here seems to be quite steep, and I am not keeping up.

Re: [strongSwan] Tunnel stability issues after upgrade from 4.5.2 to 5.5.1

2018-03-07 Thread Tom Rymes
Martin, I can't help with the more technical portions of your query, but I can confirm that using auto=route has proven to be more reliable than auto=start, as a dropped tunnel seems more likely to be brought back up automatically. I had asked specifically about that setting a few years ago,

[strongSwan] Challenges with MacOS Roadwarrior (again)

2018-12-09 Thread Tom Rymes
My apologies for having to ask about this again, but I am stuck trying to make a MacOS IPSec connection to Strongswan. I had similar issues in the past, and Noel kindly helped me out, and I thought I had it all documented, but here I am again. Once again, Strongswan is reporting that it cannot

Re: [strongSwan] Challenges with MacOS Roadwarrior (again)

2018-12-09 Thread Tom Rymes
left out all SANs. In the end, adding “DNS:myhost.mydom.dom” to the server’s certificate and “email:u...@mydom.dom” to the Mac’s certificate solved the issue. Thank you for your patience and my apologies for the wasted bandwidth. Tom > On Dec 9, 2018, at 10:12 AM, Tom Rymes wrote: >

Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-18 Thread Tom Rymes
Moses, While I cannot speak to your specific issue here, you should likely look into using PowerShell to modify the Windows VPN parameters to use more robust encryption, as it provides many more options:

[strongSwan] Windows Client - Multiple Connections, Multiple Certs

2019-02-24 Thread Tom Rymes
Hopefully this will not result in a duplicate post, I sent the first version of this message from a different address. I have specified two IKEv2 connections on a Windows 10 client, each one connecting to a different Strongswan machine using machine certificates. Connection1 works just fine,

Re: [strongSwan] Strongswan on Ubuntu - Failure to connect from Windows 10 client -error: deleting half open IKE_SA with 154.**.***.** after timeout

2019-02-19 Thread Tom Rymes
> On Feb 19, 2019, at 7:07 AM, IL Ka wrote: > > 1701 is L2TP port. > It could be that Windows client tries several protos including PPTP/GRE, L2TP > and so on. > > What do you see on Windows side? Which error? [snip] Moses, I think your instructions for configuring the connection in

[strongSwan] Windows Client - Specify Machine Cert

2019-02-27 Thread Tom Rymes
I have specified two IKEv2 connections on a Windows 10 client, each one connecting to a different Strongswan machine using machine certificates. Connection1 works just fine, but when I add the second connection, along with its certificate, it does not work. The Strongswan server for

[strongSwan] Selecting proper encryption pairings

2019-02-18 Thread Tom Rymes
Can anyone point me to some good information for which of the various options should be paired together? I've done a fair amount of digging, but it's always nice to have some confirmation that my interpretation is accurate. I am working with Strongswan and Windows Roadwarrior clients, and am

[strongSwan] MacOS X and DNS

2020-03-30 Thread Tom Rymes
While digging around a bit, I have found a number of older posts regarding DNS and MacOS clients, and it seems like a bit of a mess. Among other things, it seems that MacOS will not use pushed DNS servers unless all traffic is tunneled. That does work for me. When sending all traffic across the

Re: [strongSwan] NATing around a subnet conflict

2020-09-15 Thread Tom Rymes
On 09/15/2020 4:47 AM, Tobias Brunner wrote: Hi Tom, Any help and pointers to the appropriate documentation would be appreciated. Please have a look at the ikev2/net2net-same-nets test scenario [1]. Regards, Tobias [1] https://www.strongswan.org/testing/testresults/ikev2/net2net-same-nets/

[strongSwan] NATing around a subnet conflict

2020-09-14 Thread Tom Rymes
Can anyone point me in the right direction to getting traffic routed across a site-site tunnel in a scenario where there is a subnet conflict? Basically, our local subnet (10.100.0.0/23) conflicts with one on the remote side, so we need to use NAT to trick the other side into seeing us as