Re: [strongSwan] client to site but as a gateway(nat)?

2017-08-15 Thread lejeczek
it turns out all it needs is to put masquerade on the interface strongswan creates when clients VPN in successfully. On Fedora it's as simple as doing: $ firewall-cmd --zone=external --add-interface=ipsec0 now - questions: how to make the above happen, or something that would result in the same, upon

[strongSwan] is it strongswan or local firewall?

2017-08-16 Thread lejeczek
hi everybody I have, I'd like to think, a regular setup: a client => a server(rightsourceip=10.5.10.220,10.5.10.221) and local net 10.5.10.0/24. client can ping server and others on 10.5.10.0/24, client can ssh to server and vice versa, but client cannot ssh to nodes behind server on

[strongSwan] MTU problem?

2017-08-09 Thread lejeczek
hi everyone I'd like to ask - how does MTU affect the link/connection of a tunnel if the MTUs on both ends are different? I'm asking because I'm seeing behaviour, symptoms which I think relate to or are directly caused by: _Aclient(auto=1500) <=> server(out iface auto=1500), server other iface

Re: [strongSwan] is it strongswan or local firewall?

2017-08-17 Thread lejeczek
On 17/08/17 16:04, lejeczek wrote: On 16/08/17 15:23, Tobias Brunner wrote: Hi, What should I be looking at? Start with reading [1], which also links to [2]. Regards, Tobias [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests [2] https://wiki.strongswan.org

Re: [strongSwan] is it strongswan or local firewall?

2017-08-17 Thread lejeczek
On 16/08/17 15:23, Tobias Brunner wrote: Hi, What should I be looking at? Start with reading [1], which also links to [2]. Regards, Tobias [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests [2]

[strongSwan] road warrior IP - can it also be used by services/daemons to listen on?

2017-11-10 Thread lejeczek
hi everyone I've a working roadwarrior which links up to a server (not mine, meaning - no control over it) and I wonder - can other things use that IP my roadwarrior gets? From that other (server) end, the network behind the server sees that IP my roadwarrior gets, can ping it but, how to

Re: [strongSwan] road warrior IP - can it also be used by services/daemons to listen on?

2017-11-10 Thread lejeczek
On 10/11/17 14:34, Dirk Hartmann wrote: Hi, > > --On Friday, November 10, 2017 02:21:09 PM + lejeczek > <pelj...@yahoo.co.uk> wrote: > >> I've a working roadwarrior which links up to a server(not mine, >> meaning - no control over it) and I wonder - can t

[strongSwan] server's local bridge iface

2017-12-03 Thread lejeczek
hi everyone I have a working strongswan and from clients I can get to swan's local iface, which is of bridge type, but.. clients => ext iface(swan), internal iface(bridge) <=> a virtual machine ...that virtual machine which sits on/behind that bridge interface, I cannot get to from

[strongSwan] two road runners collide ?

2017-12-26 Thread lejeczek
hi people I have a server and a roadwarrior connects to the server fine, config uses certificates, all seems ok. Then I've tried to set up a second RR, I use the same settings, same certs, only the IP is different, naturally. But there I have a problem, it must be trivial - I believe many

[strongSwan] no IDr configured, fall back on IP address

2019-01-18 Thread lejeczek
hi guys, I've had this working; the config which is now failing, I can easily blame on a strongswan update my distro sent down. I've had my certs okay but now (I admit I've not used this tunnel in a long time) this connection fails and it seems due to some cert issues. But am I right to blame some

[strongSwan] Interface can't be the loopback interface (lo). Sorry. - problem

2018-12-27 Thread lejeczek
hi guys I found this: https://wiki.strongswan.org/issues/294 Both ends of my tunnel are Fedora29, so the version of Strongswan should be free of that bug, it's: Linux strongSwan U5.7.1/K4.19.10-300.fc29.x86_64 But still when I bring up my tunnel, it's successful with that one problem: scheduling

[strongSwan] fail2ban

2018-12-27 Thread lejeczek
hi guys would you know if there are bits that fail2ban could use to look after Strongswan? Obviously I mean actions & filters for fail2ban and I'm thinking best would be if those came from Strongswan devel as who knows Swan better than they do. many thanks, L.

[strongSwan] resolvconf: Failed to set DNS configuration

2019-10-01 Thread lejeczek
hi everyone, I'm having a roadwarrior which connects nicely to strongswan server, both on Fedora 30s. But one bit is not working there and I hope you could help. I see these from roadwarrior upon establishing a connection: ... maximum IKE_SA lifetime 3375s installing DNS server 10.3.1.99 via

Re: [strongSwan] centos 8

2019-10-30 Thread lejeczek
On 17/10/2019 18:52, jacek burghardt wrote: > Where can I find the strongswan package for centos 8? they seem to have libreswan 3.27 available in default repos

Re: [strongSwan] no IDr configured, fall back on IP address - revisit

2019-10-30 Thread lejeczek
On 30/10/2019 15:08, Noel Kuntze wrote: > Hello L., > > You're probably doing it wrong. > > Please provide your complete config and output of ipsec listcerts. > > Kind regards > > Noel > > Am 30.10.19 um 16:06 schrieb lejeczek: >> On 30/10/2019 13:22, Noel K

Re: [strongSwan] no IDr configured, fall back on IP address - revisit

2019-10-30 Thread lejeczek
SAN or DN in the rightid field. > 2) No configured leftid on the responder: Set leftid to the value that the > remote peer expects. E.g. what you configured in rightid. >It has to be authenticated by the certificate. > > Kind regards > > Noel > > Am 29.10.19 um 19:18

[strongSwan] Windows 10 1903 - IKE authentication credentials are unacceptable

2019-10-31 Thread lejeczek
hi guys, ufff.. I've been on my strongswan case for the last few days and I hope I'm getting there, but here is where I hope an expert can advise. On the server in logs: ... 09[ENC] parsed IKE_AUTH request 1 [ EF(3/3) ] 09[ENC] received fragment #3 of 3, reassembled fragmented IKE message (1120

[strongSwan] rejecting certificate without digitalSignature or nonRepudiation, keyUsage flags

2019-10-30 Thread lejeczek
hi everyone, I found this - https://wiki.strongswan.org/issues/3139 - but how to make good use of it I'm not sure. I hit such a problem, roadwarrior side of the logs: ...   06[MGR] checkin of IKE_SA successful 04[NET] sending packet: from 10.0.0.5[4500] to 10.5.154.202[4500] 04[NET] sending

Re: [strongSwan] no IDr configured, fall back on IP address - revisit

2019-10-30 Thread lejeczek
> help, provide what I asked. > > > > Am 30.10.19 um 16:27 schrieb lejeczek: >> On 30/10/2019 15:08, Noel Kuntze wrote: >>> Hello L., >>> >>> You're probably doing it wrong. >>> >>> Please provide your complete config and output of

Re: [strongSwan] rejecting certificate without digitalSignature or nonRepudiation, keyUsage flags

2019-10-30 Thread lejeczek
On 30/10/2019 16:37, Tobias Brunner wrote: > Hi, > >> Is the problem caused by my certificates being crafted in a way which >> did not comply with what Strongswan requires? > Yep. > >> Or can this be resolved with configuration? > No. Either don't add any keyUsage flags to the certificate, or

[strongSwan] no IDr configured, fall back on IP address - revisit

2019-10-29 Thread lejeczek
hi everyone, I've asked a long time ago, was not urgent and I did put it off. I have a relatively simple config, on the server: conn to_NRR  

[strongSwan] strongswan ignores ipsec.d/certs/ @start

2019-10-31 Thread lejeczek
hi everyone I'm having problems with certs, strongswan complains about missing keys and some more.. But I want to ask if this behavior, where the server does not load anything from '/etc/strongswan/ipsec.d/certs', is normal & expected? It does go through /etc/strongswan/ipsec.d/cacerts and

Re: [strongSwan] eap auth with 5.8 - how?

2020-05-11 Thread lejeczek
On 11/05/2020 02:40, Noel Kuntze wrote: > Hi, > > You need to specify the EAP method you want to use to authenticate yourself. > And what's the ipsec.conf you're trying to translate? > > Kind regards > > Noel > > Am 10.05.20 um 14:17 schrieb lejeczek: >

Re: [strongSwan] eap auth with 5.8 - how?

2020-05-11 Thread lejeczek
On 11/05/2020 10:39, Tobias Brunner wrote: > Hi, > >>   rightid="DNS:vpn.remote.fqdn" >>   rightid=%any > Obviously not the same as configuring `id="DNS:remote.fqdn"`. > > Also, setting `mode="pass"` is probably not what you want. > > Regards, > Tobias ah.. was staring in my face yet I did not

Re: [strongSwan] eap auth with 5.8 - how?

2020-05-11 Thread lejeczek
11.05.20 08:45, Andreas Steffen wrote: >> Hi, >> >> in the remote section you have to set >> >> auth = pubkey >> >> since the responder is using a certificate-based >> authentication. >> >> Regards >> >> Andreas >> >

Re: [strongSwan] eap auth with 5.8 - how?

2020-05-11 Thread lejeczek
On 11/05/2020 12:43, Tobias Brunner wrote: > Hi, > >> Having only: >> >>     remote { >>   certs = "remote.fqdn.crt" >>   auth  =  "pubkey" >>     } >> >> does not help. > Again, not the same thing as configuring %any as remote identity (there > is a fallback to the certificate's
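The points made in the replies of this thread (the EAP method has to be named explicitly, the responder's round is `auth = pubkey` because it authenticates with a certificate, a pinned remote `id` is not the same as `%any`, and `mode = pass` is not what a tunnel wants) assembled into one swanctl.conf road-warrior connection. This is an added example and not configuration posted in the thread; the host name vpn.remote.fqdn, the EAP method eap-mschapv2, the identity alice and the connection name rw-eap are assumptions.

```conf
connections {
    rw-eap {
        version = 2
        remote_addrs = vpn.remote.fqdn
        # request a virtual IP from the responder
        vips = 0.0.0.0

        local {
            # the initiator authenticates with EAP; the method must be named
            # (eap-mschapv2 and the identity "alice" are assumptions here)
            auth = eap-mschapv2
            id = alice
        }
        remote {
            # the responder authenticates with its certificate, so its
            # authentication round is pubkey; the identity it must present
            # is pinned to the name expected in its certificate (subject DN
            # or subjectAltName) instead of being left at %any
            auth = pubkey
            id = vpn.remote.fqdn
        }
        children {
            rw-eap {
                remote_ts = 0.0.0.0/0
                # mode defaults to tunnel; "pass" would install a bypass
                # (shunt) policy and the traffic would not be protected
                start_action = start
            }
        }
    }
}
```

With the identity pinned, the IKE_AUTH from the responder is only accepted if the certificate it presents carries vpn.remote.fqdn and chains to a trusted CA; an `id = %any` on the remote side would let any certificate the trust store accepts pass as the gateway.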

Re: [strongSwan] updown - server which disconnects one roadworrior when another connects

2020-09-28 Thread lejeczek
On 28/09/2020 10:52, Tobias Brunner wrote: > Hi, > >> up-client is called for each combination of remote ts and local ts >> components, as is down-client, when a CHILD_SA is established/destroyed. >> So when a CHILD_SA is rekeyed, both are called in the order the CHILD_SAs >> are

Re: [strongSwan] updown - server which disconnects one roadworrior when another connects

2020-09-28 Thread lejeczek
gotiated/destroyed. > > Kind regards > > Noel > > Am 28.09.20 um 10:58 schrieb lejeczek: >> Hi guys. >> >> I have a strongswan with 'updown' which controls tunnels, >> routes, etc. I took the script from doc examples and built >> upon it. >> What

Re: [strongSwan] remote_ts to catch in 'updown' - how?

2020-06-24 Thread lejeczek
On 24/06/2020 10:29, Tobias Brunner wrote: > Hi, > >> Would you know how to catch the following in updown script >> variables? >> >>     remote_ts = "172.16.0.0/12, 10.5.2.10/32" >> >> With 'PLUTO_PEER_CLIENT' I get only the latter IP/net. > If you actually have a CHILD_SA negotiated with

Re: [strongSwan] remote_ts to catch in 'updown' - how?

2020-06-26 Thread lejeczek
On 25/06/2020 08:50, Tobias Brunner wrote: > Hi, > >> But I see it appear only once with the latter IP/net. > Then you either use IKEv1, or your peer narrowed the traffic selectors > (due to its configuration or maybe because it only supports a single TS > per CHILD_SA), check the log for
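An updown script written around the two facts discussed in this thread and in the "server which disconnects one roadwarrior when another connects" thread above: the script is run once per (local TS, remote TS) pair of a CHILD_SA, so PLUTO_PEER_CLIENT only ever holds one subnet per call and the full remote_ts list has to be accumulated across calls, and any state keyed on the connection name alone is shared by every roadwarrior that uses that conn, so one client's down-client tears down another's rules. It also does what the "client to site but as a gateway(nat)" post at the top of the page asked for on connect, but per client net rather than per interface. This is an added example, not a script from the posts or from strongSwan; the state directory /run/strongswan-updown, the firewalld zone "external" with masquerading already enabled, the use of firewall-cmd --add-source, and the UPDOWN_DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example: strongSwan updown script keyed per CHILD_SA instance.
# strongSwan exports PLUTO_VERB (up-client/down-client/up-host/down-host),
# PLUTO_UNIQUEID (IKE_SA unique id), PLUTO_REQID (CHILD_SA reqid) and
# PLUTO_PEER_CLIENT (one remote TS as net/prefix) on every invocation.

STATE_DIR="${UPDOWN_STATE_DIR:-/run/strongswan-updown}"   # assumed location
FW_ZONE="${UPDOWN_FW_ZONE:-external}"                     # assumed masquerading zone

# run: execute a command, or only append it to $STATE_DIR/commands.log when
# UPDOWN_DRY_RUN=1 (so the logic can be exercised without firewalld).
run() {
    if [ "${UPDOWN_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*" >>"$STATE_DIR/commands.log"
    else
        "$@"
    fi
}

# state_file: one record per IKE_SA + CHILD_SA. A file named after
# PLUTO_CONNECTION would be shared by every roadwarrior using that conn.
state_file() {
    printf '%s/%s-%s\n' "$STATE_DIR" "${PLUTO_UNIQUEID:-0}" "${PLUTO_REQID:-0}"
}

# peer_clients: every remote TS recorded so far for the current CHILD_SA,
# one per line, i.e. the union of PLUTO_PEER_CLIENT over all up calls.
peer_clients() {
    f=$(state_file)
    [ -r "$f" ] && cat "$f"
    return 0
}

# updown_up: record this remote TS and add it as a source of the
# masquerading zone. A repeated call for the same TS changes nothing.
updown_up() {
    mkdir -p "$STATE_DIR"
    f=$(state_file)
    if [ -r "$f" ] && grep -qxF "$PLUTO_PEER_CLIENT" "$f"; then
        return 0
    fi
    printf '%s\n' "$PLUTO_PEER_CLIENT" >>"$f"
    run firewall-cmd --zone="$FW_ZONE" --add-source="$PLUTO_PEER_CLIENT"
}

# updown_down: remove the sources of this CHILD_SA only and drop its record;
# the first down call does all of it, the remaining per-TS calls find nothing.
updown_down() {
    f=$(state_file)
    [ -r "$f" ] || return 0
    while IFS= read -r ts; do
        run firewall-cmd --zone="$FW_ZONE" --remove-source="$ts"
    done <"$f"
    rm -f "$f"
}

# strongSwan sets PLUTO_VERB; when run without it nothing happens.
case "${PLUTO_VERB:-}" in
    up-client|up-host)     updown_up ;;
    down-client|down-host) updown_down ;;
esac
```

Install it with `updown = /path/to/script` in the child section and run charon with a user that may call firewall-cmd; with UPDOWN_DRY_RUN=1 and the PLUTO_* variables set by hand, commands.log shows exactly which sources would be added and removed for a given sequence of up and down calls.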

Re: [strongSwan] access roadwarriors from server's LAN - how?

2020-06-16 Thread lejeczek
You can use VTI configuration for LAN purposes, while > having separate interface (with masquerading) for public > access. > > Hope this'll help. > Now I wonder is it possible and if yes then how, to add NAT to such VTI-based VPNs. Anybody any thoughts? many thanks, L. > >

Re: [strongSwan] access roadwarriors from server's LAN - how?

2020-06-15 Thread lejeczek
On 15/06/2020 08:53, lejeczek wrote: > > On 15/06/2020 07:16, Volodymyr Litovka wrote: >> Hi L., >> >> if you can ping server from client, then, in general, you >> can ping everything from everywhere. >> >> It is a question of routing and fir

Re: [strongSwan] access roadwarriors from server's LAN - how?

2020-06-15 Thread lejeczek
s land on the same server's LAN then 'ping' to roadwarriors works, but erratically. many thanks, L > On 14.06.2020 23:02, lejeczek wrote: >> Hi guys, >> >> I have a strongswan serving clients and all seem to flow >> nicely from roadwarriors to server's LAN. >>

Re: [strongSwan] access roadwarriors from server's LAN - how?

2020-06-16 Thread lejeczek
On 16/06/2020 12:58, lejeczek wrote: > > On 15/06/2020 10:29, Volodymyr Litovka wrote: >> Hi, >> >> may be it makes sense to consider different interfaces? >> One for public access, another one - for LAN access. >> >> Take a look into >> http

Re: [strongSwan] access roadwarriors from server's LAN - how?

2020-06-15 Thread lejeczek
ne thing I know is that on RHEL and derivatives we have a 'strongswan-libipsec' package which, when installed, does the trick. How to create VTI or even better XFRM per connection? - I only started reading and have just tried "if_id_in/if_id_out" but I cannot see any effect of that. thanks,

[strongSwan] remote_ts to catch in 'updown' - how?

2020-06-23 Thread lejeczek
Hi guys, Would you know how to catch the following in updown script variables?     remote_ts = "172.16.0.0/12, 10.5.2.10/32" With 'PLUTO_PEER_CLIENT' I get only the latter IP/net. many thanks, L.

[strongSwan] access roadwarriors from server's LAN - how?

2020-06-14 Thread lejeczek
Hi guys, I have a strongswan serving clients and all seems to flow nicely from roadwarriors to server's LAN. I wonder now, before I'd go into configs and settings, how to make roadwarriors accessible from server's LAN. Is this a server-client issue or something completely independent that falls into

[strongSwan] traffic beyond initiator yes, but no between initiator & server

2020-11-05 Thread lejeczek
Hi guys To start I should say I'm trying this with libipsec. I have an initiator with local 10.3.1.0/24 and a following config: connections {   to-tinyionos {     version = 2     remote_addrs = "A.B.C.D"     vips = "0.0.0.0"     local {   auth = pubkey   certs = "my.cert.der"     }    

Re: [strongSwan] traffic beyond initiator yes, but no between initiator & server

2020-11-05 Thread lejeczek
On 05/11/2020 17:19, Noel Kuntze wrote: > Hello Lejeczek, > > kernel-libipsec (which is required to be loaded for libipsec to be usable) > creates a tun interface itself. You can not prescribe it to use one. I do not see, not on the server nor on initiator, any tun devices cre