Hi,
I wanted to create an IPsec SA that would encrypt traffic from any
destination (rightsubnet=any). However, the following configuration is
not accepted by strongswan:-
conn IpSecSSEPlane
ikelifetime=24h
keyexchange=ikev2
keyingtries=%forever
keylife=90m
Hi,
My configuration creates 3 IKE SAs and 6 IPsec SAs. Configuration file
attached.
Now when I change the esp encryption algorithm for IpSecMPlane then I fire
the following commands in the given below order:-
1. ipsec down IpSecMPlane
2. Write the new esp encryption algorithm for IpSecMPlane in
Hi,
Steps:
1. I created an IKE Sa and a CHILD SA for a connection.
2. After that I brought down only the CHILD SA by using the connection id.
3. Then I changed the port for this SA in ipsec.conf on both the sides
(between the entities I am creating an SA) and fired ipsec update.
4. Now when I fir
Hi,
Some doubts regarding certificate update in the IKEv2 stack. Consider
the following scenario:-
CACERT1(old with new) & CACERT2 (new with new) are both from same CA.
CERT1 : signed with CACERT1
CERT2: signed with CACERT2
PC1 PC2
1.
Hi All,
I have a query regarding a scenario. The scenario is as following:-
My implementation: On changing of a parameter in ipsec.conf I first bring
down the SA, update the configuration and then bring it up again.
So, when I connect to a Security Gateway(SGW), I make an SA and start the
traff
Hi Andreas/Martin/Tobias,
Request you to please provide your comments for the mail below.
Regards,
Vivek
On Wed, Jul 14, 2010 at 11:55 AM, vivek bairathi wrote:
> Hi All,
>
> I have a query regarding a scenario. *The scenario is as following*:-
>
> *My implementation:* O
Hi All,
Can anyone tell me whether or not the strongswan IKEv2 stack automatically
closes an IKE SA or IPsec SA on change of its configuration in ipsec.conf?
Regards,
Vivek
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman
ration and then bring the SA up.
Regards,
Vivek
On Wed, Jul 21, 2010 at 2:29 PM, Ashutosh Datta wrote:
> No, there is no dynamic update of configuration in strongswan. If one wants
> to update the config he has to issue
>
> ipsec update
>
> regds
> ashutosh
>
> O
Hi All,
I am facing a problem. The problem is as following:-
When I am initiating an IKE SA from my Computer towards the Security Gateway
(SGW). At the same time, SGW is also initiating an IKE SA for the same
configuration. Both the IKE SA's are created successfully but as soon
as both the SA's a
st Regards,
Vivek
On Tue, Aug 3, 2010 at 11:33 AM, vivek bairathi wrote:
> Hi All,
>
> I am facing a problem. The problem is as following:-
>
> When I am initiating an IKE SA from my Computer towards the Security
> Gateway (SGW). At the same time, SGW is also initiating an IKE SA for th
Hi All,
I want to know that if I set auto=route in ipsec.conf for a connection.
The IKEv2 stack will install kernel traps for that connection and will
initiate an SA only when it gets a packet between the leftsubnet and the
rightsubnet.
For this the IKEv2 stack needs a trigger from the kernel, so which
On Tue, Nov 2, 2010 at 12:35 PM, vivek bairathi wrote:
> Hi Andreas,
>
> Thanks for your quick reply.
>
> I have some more queries regarding kernel_netlink interface:
>
> If I use auto=route in ipsec.conf file for a connection:
> Q1. Does the stack after reading the
--
Regards,
Vivek Bairathi
refer us to any documentation that explains the intent of
using net interface in the StrongSwan stack to us?
Thanks for your help in advance.
Regards,
Vivek Bairathi
IP address
etc.
Thanks in advance for your help.
Vivek Bairathi
On 6/26/09, Martin Willi wrote:
> Hi,
>
>> 1. IP Sec interface:-
>> Provides a mechanism to interface with the kernel through XFRM sockets
>> to update SPD and SADs.
>
> Yes, the ipsec interface mana
Hi Martin,
Thanks for your help.
For our implementation we need to port the strongswan stack on QNX.
QNX does not have a kernel, but only a microkernel. Thus we need to
remove any interface with the kernel in the strongswan stack and
replace it with our own interface.
Since Kernel net-interfac
Hi Martin,
Thanks for your help. The problem is that we have a proprietary
implementation of the IP stack in micro engine whose development is in
assembly language.
As per what you have suggested, I think it would make sense that we
let the kernel interface remain as is ( just change address family
knows the local and remote IP addresses?
3. If I have asked the wrong question or have wrongly understood your
stack code then please explain to me how an IKE SA and CHILD SA are
initiated or triggered in your stack?
Thank you.
Regards,
Vivek
On 7/2/09, vivek bairathi wrote:
> Hi Mar
creation can be triggered from the
kernel?
I would highly appreciate your help on these issues.
Looking forward to a reply.
Thanks,
Vivek
On 7/6/09, vivek bairathi wrote:
> Hi,
>
> Thanks for your help.
>
> I still have a doubt about who initiates the IKE SA and CHILD SA.
> 1
Hi Martin,
1. I was going through the update SA code, I figured out that the
replay data for an SA is fetched separately from the other SA data,
however, while adding the updated SA replay value is sent with other
entries. What is the reason for this discrepancy?
2. We did not find the query_sa
Hi,
Thanks Tobias for your help.
1. I have a doubt that while establishing an SA, if a response from
peer does not reach the stack then it will retransmit the request
after a retransmission time out. If still the stack is not able to
receive any response from the peer and the maximum number of
re
Hi Tobias,
Thanks for your reply.
For the first Query in my previous mail, lets take a Scenario:
1. We provide an IpSec.conf to stack with a configuration that
requires a Set of SAs to be established.
2. Now while establishing the SA, it is found that the destination is
not reachable (or some othe
Hi,
I had a query regarding creating proposals in IKE_INIT message in strongswan.
Once charon is spawned, is it possible to change the encryption
algorithms in the proposal, without killing strongswan?
More generally , is there a possibility to change the configuration
provided in ipsec.conf, aft
Hi all,
I have a requirement for creating tunnel SAs. After reading
strongswan documentation and code I arrived at the following
conclusion:-
1. left| right source IP in the conn section of ipsec.conf is used to
specify the internal IP in the tunnel( virtual IP). The external
tunnel IP will be
& Regards,
Vivek
On 7/27/09, Andreas Steffen wrote:
> Hi Vivek,
>
> vivek bairathi wrote:
>> Hi all,
>>
>> I have a requirement for creating tunnel SAs. After reading
>> strongswan documentation and code I arrived at the following
>> conclusion:-
>>
E/IPSEC SA: can the new re-keying value be
>> assigned to new SA created henceforth?
>>3. Encryption algorithm can be changed for an IKE SA?
>>
>> It would be great help if you could answer the above queries.
>>
>> Thanks & Regards,
>> Vive
emoving IP
address. We can comment the code that installs the virtual IP into the
kernel.
We were thinking of always providing the complete IP addresses in
IPSec.conf and setting charon_process_route = "no". Will this be
sufficient.
Thanks in advance for all your support
Vivek
On 7/2
Hi,
I have some queries:-
1. In case I need to create a tunnel with multiple child SAs, would
there be a different connection for each tunnel IP - virtual IP pair or
is there a single connection containing all the virtual IPs
corresponding to each Child SA?
2. In case there is a single connection f
Hi,
1. Through ipsec.conf, I want to create multiple CHILD SA's under an
IKE SA in tunnel mode but I want to give different internal IP's to
every CHILD SA. So, how to do this? If you can give any example of the
ipsec.conf for this scenario, It would be of great help.
2. Also, I am getting an err
Hi,
Thanks for your quick response.
We have following requirement for our deployment:
Our Peer network element is a Security Gateway(SGW), with which we
have a tunnel. This tunnel needs to secure traffic from two different
IP Endpoints. And for each IP Endpoint we need a separate CHILD SA as
thes
Hi,
Thanks for your reply.
With your help now I am able to create IKE SA and CHILD SA but there
is a problem with update & rekeying of IKE SA:-
1. I am trying to change a/all parameter (for e.g:- rekeytime,
encryption algo, integrity algo, DH group parameter) in ipsec.conf so
that when I do "i
Hi,
I have a scenario in which I have a single tunnel and with the help of
this tunnel I want to communicate with a single internal IP on one
side to multiple internal IPs on the other side. That means I should
be able to accept the packets from all the IPs on the other side on
this tunnel SA and
Hi,
Sorry to bother you. But i have some doubts regarding SAD table:
1. Do the kernel-netlink-ipsec interface send the encryption key and
integrity key to the kernel so that the kernel shall store it in SAD?
2. The source and destination address which the kernel-netlink-ipsec
interface send to t
Hi,
When a CHILD_SA is rekeyed, there is a time when SAD will have two SA
entries corresponding to the CHILD_SA that is rekeyed. In other words
this is the time, when stack has received a correct response to
CREATE_CHILD_SA Request and hence has installed the new SA in SAD,
however it has yet not
Hi,
Thanks for your reply.
I am trying to establish SA between two machines of which one is QNX
machine and the other is Linux machine. I am able to transmit the
IKE_SA_INIT request and response messages from one machine to another
but when IKE_AUTH request is received by any of the machine it sa
give a possible condition because of which this is
happening and of course if possible a solution also?
Thanks & Regards,
Vivek
On 9/3/09, vivek bairathi wrote:
> Hi,
>
> Thanks for your reply.
>
> I am trying to establish SA between two machines of which one is QNX
> mac
Hi,
I had a doubt regarding the support of IP addresses and ports as
traffic selectors.
For example:-
I have following SPD Entry. All the entries are using same security association:
S.No. Source IP Destination IP Src Port Dst Port SA Ptr
11.1.1.1
Hi,
We are in a very critical state of our project. Please find time to
respond to the issue below. It would be of great help to us.
Thanks in advance,
Ritu
On 9/16/09, vivek bairathi wrote:
> Hi,
>
> We have the requirement that traffic between same source-destination IPs
> but
Hi All,
I have some doubts regarding the functionality of strongswan:-
1. Does strongswan consider half-closed connections as anomalous?
2. When an IKE message arrives with an unknown SPI but from a known
IP address, does strongswan send an INFORMATIONAL message in response
to it?
3. Does a
Hi,
Thanks Martin for your quick response.
I am facing a little trouble in running the stack on my machine.
The stack is getting stuck in the following while loop of the file
src/stroke/stroke.c:-
send_stroke_msg()
{
while ((byte_count = read(sock, buffer, sizeof(buffer)-1)
Hi All,
I have a query regarding dpd's.
1. When does ikev2 stack start sending dpd's?
2. When does it know that its time to close the IPSEC SA or IKE SA?
3. Can you tell me where is the handling for closing the IPSEC SA or
IKE SA in case of no response to the dpd's?
Thanks in advance.
Regards
Hi All,
I am using strongswan-4.2.8 stack. And I am getting a strange problem
with this stack:-
The steps that I have taken:-
1. I created an IKE SA for IpSecCPlane and two CHILD SA's under it -
IpSecCPlane & IpSecUCSPlane.
2. After that I bring down IpSecUCSPlane CHILD SA by using the command
"i
Hi All,
Some doubts regarding CERT mode:-
1. Is it necessary to know the CN of peer before establishing an IKE SA?
2. Is the left/rightid always equal to the CN from the certificate?
Thanks in advance.
Regards,
Vivek
ds,
Vivek
On Mon, Jan 4, 2010 at 11:48 PM, Daniel Mentz <danielml+mailinglists.strongs...@sent.com> wrote:
> vivek bairathi wrote:
>
>> Some doubts regarding CERT mode:-
>> 1. Is it necessary to know the CN of peer before establishing an IKE SA?
>>
>
> Genera
Hi All,
I want to create an IKE SA with authentication done using certificates and I
want to mention multiple cacerts in the
the ipsec.conf.
How should I do it?
If I have two CA certificates then should I write the name of the file
of CA certificates in the following way:
ca Plane
cac
Hi All,
I have following doubt regarding dpd's:
1. I gave dpddelay value as zero in ipsec.conf, then will IKEv2 Stack be able
to detect a dead peer as dpd is now disabled? If yes, how?
2. Is last_use_time used to send dpd's only or is it used in any other case?
If yes, Can you tell me that case?
Tha
Hi All,
I have some query regarding dpd's:
1. If I give dpddelay value as zero in ipsec.conf then will IKEv2 Stack send
dpd's or not?
2. Is last_use_time used in case of dpd's only?
Thanks in advance.
Regards,
Vivek
Hi All,
I have a CRL in pem format with me. The CRL file is loaded at startup.
1. If the CRL file is updated in the directory, how can strongswan be
indicated to update it. Does crlCheckInterval timer work with
strongswan IKEv2?
2. Is there an option to load CRL present in Cert direct
Hi All,
I am getting a problem with the strongswan-4.2.8, whenever I revoke a peer
certificate and
update the latest crl at my end and then try to make an SA it gets created
as it should not.
When I debug the stack I found that in credential_manager.c there is a
function
"get_better_crl", in this
Hi Andreas,
did you find anything?
Regards,
Vivek
On Fri, Mar 26, 2010 at 6:28 PM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
> Hi Vivek,
>
> can you send me both the old and new CRL and the issuing CA certificate?
>
> Best regards
>
> Andreas
>