[strongSwan] Strongswan 5 ikev1 draft-ietf-ipsec-nat-t-ike-02 support

2012-12-06 Thread Volker Rümelin
is working on it, I will do it. Is there a chance to get this into the strongswan repositories? Thanks! Volker Rümelin

Re: [strongSwan] strongswan 5.X windows, ikev1, cert

2013-01-09 Thread Volker Rümelin
Hello Martin, Hi Pawel, charon: 01[ENC] certificate encoding ENC_PKCS7_WRAPPED_X509 not supported Charon currently doesn't handle these exotic PKCS#7 wrapped certificates sent by XP clients using certificate authentication. It shouldn't be too hard to implement it, though, as we have the

[strongSwan] IKEv1 fragmentation support for Windows clients

2013-10-06 Thread Volker Rümelin
Hi strongSwan developers, sometimes I have problems building up a VPN connection to strongswan with my Windows clients because of misconfigured or broken routers dropping IP fragments. A few months ago I tried to enable IKEv1 fragmentation support for Windows clients with a small patch. This

Re: [strongSwan] Problems with StrongSwan 5.x and Cisco

2013-12-02 Thread Volker Rümelin
Hi Matus, 13[CFG] keyexchange=ikev0 you have to add keyexchange=ikev1 to your connection definition. With the default of keyexchange=ike strongswan uses ikev2 as protocol. 13[NET] sending packet: from A.A.A.A[500] to E.E.E.E[500] (692 bytes) 14[IKE] retransmit 1 of request with

Re: [strongSwan] Win7 IKEv1 L2TP rekeying fails

2013-12-18 Thread Volker Rümelin
Hi Lars, which kernel version do you use? There was a bug in the l2tp_core module in some kernel versions before v3.3 which may explain your problem with dropped packets after rekeying.

Re: [strongSwan] strongswan-5.1.1 with 4.xx, tunnel pb

2013-12-30 Thread Volker Rümelin
Hello Serge, Dec 29 22:23:19 karma charon: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ] Dec 29 22:23:19 karma charon: 11[NET] sending packet: from[4500] to[62698] (1612

Re: [strongSwan] strongswan-5.1.1 with 4.xx, tunnel pb

2013-12-31 Thread Volker Rümelin
Hello Volker, This packet was a large packet and was sent as two UDP fragments. One or possibly both fragments were dropped on the route to the other side. Is it possible to handle the packet fragmentation to fix the problem? Unfortunately, the real world situation is such that in the

Re: [strongSwan] strongswan-5.1.1 with 4.xx, tunnel pb

2014-01-06 Thread Volker Rümelin
Hello Serge, Hello, I made some homework and found out different elements, which may help to troubleshoot. This packet was a large packet and was sent as two UDP fragments. What looked like packet fragmentation in fact turned out to be two different CAs sent in the key exchange.

Re: [strongSwan] strongswan-5.1.1 with 4.xx, tunnel pb

2014-01-07 Thread Volker Rümelin
Hello Serge, tcpdump shows you still have a fragmentation problem. To show the problem I copied the interesting parts from /var/log/messages and merged them with the output from tcpdump. == the bt side === Jan 7 22:53:48 bt charon: 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No

Re: [strongSwan] strongswan-5.1.x, tunnel and routing pb

2014-01-19 Thread Volker Rümelin
Hello Serge, Hello Volker, We have an ongoing routing problem since the attempt to migrate from strongswan-4.x.x to strongswan-5.1.x Are there any ideas of what is going wrong ? sorry, no. I looked at your logs but couldn't find anything obvious. Did you try to disable IPComp? That's

Re: [strongSwan] strongswan-5.1.x, NATed routing pb

2014-01-20 Thread Volker Rümelin
Hello Serge, conn academ.certs.locally.stored leftsubnet= leftsendcert = never right=%any rightcert=peercerts/academ2034.hostCert.pem rightsendcert = never rightsubnet= which way is better

Re: [strongSwan] strongswan-5.1.x, NATed routing pb

2014-01-21 Thread Volker Rümelin
Hello Serge, please look again at the three policies. [root@frqx ~]# ip xfrm policy src dst dir in priority 1859 tmpl src xx.xx.210.3 dst xx.xx.230.112 proto esp reqid 78 mode tunnel src dst

Re: [strongSwan] strongswan-5.1.x, NATed routing pb

2014-03-19 Thread Volker Rümelin
Hi Serge, I am running out of ideas of what could be checked further and how to fix it. The setup was perfectly working under strongswan 4.3 and works well for other connections and even with the Win8 roadwarrior (behind the NAT). Could you go through the logs once again and probably

Re: [strongSwan] Weird connection problem with one machine (IKEv2)

2014-03-26 Thread Volker Rümelin
Hi Raoul, So given that my tcpdump establishes that in the bad case the ikev2_auth[I] arrives at the machine but the logs in strongswan do not indicate that it was processed/received then what could be the issue here? I believe I have ruled out iptables/firewall as a cause. So I *think* the

Re: [strongSwan] strongswan+xl2tpd+ppp for multiple connections

2014-03-26 Thread Volker Rümelin
Hi, I want to use l2tp/ipsec as a compatible connection. Why can't a user build multiple connections at the same time (only one user)? User A was connected to the server, but when user B connected to the server soon after, the A or B link goes down. I guess you meant multiple users behind the same NAT

Re: [strongSwan] swanctl and bypass/shunt policies

2014-08-19 Thread Volker Rümelin
Did anyone already write a bypass/shunt policy with swanctl? If so, I'd like to see one as an example. Hi Noel, # ip xfrm pol src dst socket in priority 0 ptype main src dst socket out priority 0 ptype main src dst

Re: [strongSwan] Can't connect to port 4500 with Brighthouse cable hotspot

2014-12-26 Thread Volker Rümelin
Hi Jay, I am resending this mail, because I forgot to include the mailing list. Nov 29 08:24:14 14[ENC] generating IKE_AUTH request 1 [ IDi CERT N (INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ] Nov 29

Re: [strongSwan] Can't connect to port 4500 with Brighthouse cable hotspot

2014-12-26 Thread Volker Rümelin
Hi Noel, Jay, Hello, I just looked up the description and fragmentation is supported. I think patching the server would be necessary then. Kind regards/Regards, Noel Kuntze Right, support for the IKEv2 fragmentation mechanism was added in 5.2.1. The server needs an update from

Re: [strongSwan] strongSwan 5.2+ disconects clients after 1 hour

2015-03-02 Thread Volker Rümelin
Hello Dan, I am quite sure this is the same problem. https://lists.strongswan.org/pipermail/users/2013-December/005699.html https://lists.strongswan.org/pipermail/users/2013-December/005703.html Regards, Volker Hi, strongSwan 5.2.1 (also tested with 5.2.0 and 5.2.2) on Slackware 13.1.

Re: [strongSwan] deleting half open IKE_SA after timeout

2015-03-01 Thread Volker Rümelin
Hi Denis, Hello, my previous suggestion was wrong. I've compared tcpdumps on working and non-working hosts again, and found that in the broken case the client continues to re-send this packet to the server: 19:53:09.673551 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 1212)

Re: [strongSwan] PKCS#12 and leftid

2015-05-12 Thread Volker Rümelin
Hi Jacques, After reading your explanations, I tried : 1) leftid=C=FR, ST=Région Parisienne, L=Paris, OU=Org, CN=1.Org, E=jacques.moni...@gmail.com I get : no private key found for 'C=FR, ST=R??gion Parisienne, L=Paris, OU=Org, CN=1.Org,

Re: [strongSwan] PKCS#12 and leftid

2015-05-13 Thread Volker Rümelin
The RDN specifies C=FR, but I don't know if I have to do something more to specify the encoding. Am I supposed to change it at the creation of the x509, of the p12 or after ? I don't know how you create your x509 certificate. So it's either at the creation of your certificate, or even

Re: [strongSwan] PKCS#12 and leftid

2015-05-20 Thread Volker Rümelin
Hi Jacques, However, I would need to be able to use the old certificates I have. Is there still any way to use them ? Do I have to convert unicode to binary to have something like leftid=asn1dn:#0a010110101... Moreover the sharp sign seems to be interpreted as commentary in bash, how am I

Re: [strongSwan] Multiple vpn clients behind NAT support

2015-07-02 Thread Volker Rümelin
Hi Martin, If that is not an option for you, you might have a look at the connmark plugin [2], which allows you to use Conntrack and Netfilter marks to bind connections to specific SAs. This is all not that trivial, though. [2] https://wiki.strongswan.org/projects/strongswan/wiki/Connmark

Re: [strongSwan] PKCS#12 and leftid

2015-05-26 Thread Volker Rümelin
If you have any reference (website, paper) talking about this, I would be glad to read them. The english wikipedia article about ASN.1 should get you started. Don't miss the link to that 'A Layman's Guide to a Subset of ASN.1, BER, and DER' article there. RFC 5280 defines x509 certificates.

Re: [strongSwan] slow IPv6 scp over VPN

2016-08-20 Thread Volker Rümelin
Hi Daniel, on my systems I could solve this problem by disabling a few network offload features with ethtool -K. It was always the network card where the unencrypted data was coming in. With best regards, Volker On 15/08/16 10:59, Daniel Pocock wrote: Hi all, I have a dual-stack

Re: [strongSwan] charon.routing_table is limited to 8 bits.

2019-09-23 Thread Volker Rümelin
Hi Ben, > Hello, > > I'd like to have charon use routing_table ID of 22000 or something else > quite large. > > But, it seems charon cannot handle extended routing table ID, so when I > configure > it for 22000, it silently uses 240 instead. > > Could someone that knows the code fix this?  I'll