is working on it, I will do it. Is there a chance to get this
into the strongswan repositories?
charon: 01[ENC] certificate encoding ENC_PKCS7_WRAPPED_X509 not supported
Charon currently doesn't handle these exotic PKCS#7 wrapped certificates
sent by XP clients using certificate authentication.
It shouldn't be too hard to implement it, though, as we have the
Hi strongSwan developers,
sometimes I have problems building up a VPN connection to strongswan
with my Windows clients because of misconfigured or broken routers
dropping IP fragments. A few months ago I tried to enable IKEv1
fragmentation support for Windows clients with a small patch. This
you have to add
to your connection definition. With the default of keyexchange=ike strongswan
uses ikev2 as protocol.
/13[NET] sending packet: from A.A.A.A to E.E.E.E (692 bytes)/
/14[IKE] retransmit 1 of request with
which kernel version do you use? There was a bug in the l2tp_core module in
some kernel versions before v3.3 which may explain your problem with dropped
packets after rekeying.
Dec 29 22:23:19 karma charon: 11[ENC] generating IKE_AUTH response 1 [ IDr
CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR)
Dec 29 22:23:19 karma charon: 11[NET] sending packet: from 192.168.4.10
to 192.168.4.87 (1612
This packet was a large packet and was sent as two UDP fragments. One or
possibly both fragments were dropped on the route to the other side.
Is it possible to handle the packets fragmentation to fix the problem?
Unfortunately, the real world situation is such that in the
I did some homework and found out different elements, which may help to
This packet was a large packet and was sent as two UDP fragments.
What looked like packet fragmentation in fact appeared to be two
different CAs sent in the key exchange.
tcpdump shows you still have a fragmentation problem. To show the
problem I copied the interesting parts from /var/log/messages and merged
them with the output from tcpdump.
== the bt side ===
Jan 7 22:53:48 bt charon: 16[ENC] generating IKE_SA_INIT request 0 [ SA KE
We have an ongoing routing problem since the attempt to migrate from
strongswan-4.x.x to strongswan-5.1.x
Are there any ideas of what is going wrong?
sorry, no. I looked at your logs but couldn't find anything obvious.
Did you try to disable IPComp? That's
leftsendcert = never
rightsendcert = never
rightsubnet=192.168.3.0/24 //which way is better
please look again at the three policies.
[root@frqx ~]# ip xfrm policy
src 192.168.3.0/24 dst 192.168.169.0/24
dir in priority 1859
tmpl src xx.xx.210.3 dst xx.xx.230.112
proto esp reqid 78 mode tunnel
src 192.168.169.0/24 dst 192.168.3.0/24
I am running out of ideas of what could be checked further and how to fix it.
The setup was perfectly working under strongswan 4.3 and works well for other
connections and even with the Win8 roadwarrior (behind the NAT).
Could you go once again through the logs and probably
So given that my tcpdump establishes that in the bad case the
ikev2_auth[I] arrives at the machine but the logs in strongswan do not
indicate that it was processed/received then what could be the issue
here? I believe I have ruled out iptables/firewall as a cause. So I
I want to use l2tp/ipsec as compatible connect.
Why can't a user build multiple connections at the same time (only one user)?
User A was connected to the server, but when user B connected to the server soon after,
the A or B link will go down.
I guess you meant multiple users behind the same NAT
Did anyone already write a bypass/shunt policy with swanctl?
If so, I'd like to see one as an example.
# ip xfrm pol
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
I am resending this mail, because I forgot to include the mailing list.
Nov 29 08:24:14 14[ENC] generating IKE_AUTH request 1 [ IDi CERT N
(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA
TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Hi Noel, Jay,
I just looked up the description and fragmentation is supported. I think
patching the server would be necessary then.
Kind regards/Regards,
Right, support for the IKEv2 fragmentation mechanism was added in 5.2.1. The
server needs an update from
I am quite sure this is the same problem.
strongSwan 5.2.1 (also tested with 5.2.0 and 5.2.2) on Slackware 13.1.
my previous suggestion was wrong. I've compared tcpdumps on working and
non-working hosts again, and found that in the broken case the client continues to
re-send this packet to the server:
19:53:09.673551 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP
(17), length 1212)
After reading your explanations, I tried :
leftid=C=FR, ST=Région Parisienne, L=Paris, OU=Org, CN=1.Org,
I get : no private key found for 'C=FR, ST=R??gion Parisienne,
L=Paris, OU=Org, CN=1.Org,
The RDN specifies C=FR, but I don't know if I have to do something more
to specify the encoding. Am I supposed to change it at the creation of
the x509, of the p12, or after?
I don't know how you create your x509 certificate. So it's either at the
creation of your certificate, or even
However, I would need to be able to use the old certificates I have. Is
there still any way to use them ?
Do I have to convert unicode to binary to have something like
Moreover, the sharp sign seems to be interpreted as a comment in bash,
how am I
If that is not an option for you, you might have a look at the connmark
plugin, which allows you to use Conntrack and Netfilter marks to
bind connections to specific SAs. This is all not that trivial, though.
If you have any reference (website, paper) talking about this, I would
be glad to read them.
The English Wikipedia article about ASN.1 should get you started. Don't
miss the link to that 'A Layman's Guide to a Subset of ASN.1, BER, and
DER' article there. RFC 5280 defines X.509 certificates.
on my systems I could solve this problem by disabling a few network
offload features with ethtool -K. It was always the network card where
the unencrypted data was coming in.
With best regards,
On 15/08/16 10:59, Daniel Pocock wrote:
I have a dual-stack
> I'd like to have charon use routing_table ID of 22000 or something else
> quite large.
> But, it seems charon cannot handle extended routing table ID, so when I
> it for 22000, it silently uses 240 instead.
> Could someone that knows the code fix this? I'll