Hi Noel,

--On Thursday, July 10, 2014 06:35:40 PM +0200 Noel Kuntze <n...@familie-kuntze.de> wrote:
Can you please provide your strongswan.conf?
Sure. The server, now back on 5.1.3, is simply still using the single strongswan.conf:
=================
charon {
    threads = 16
    cisco_unity = yes
    send_vendor_id = yes
    plugins {
        sql {
            loglevel = -1
        }
        attr {
            dns = xx.xx.xx.xx, xx.xx.xx.xx
            nbns = xx.xx.xx.xx
        }
    }
}
libhydra {
    plugins {
        attr-sql {
            database = sqlite:///etc/ipsec.d/database/strongswandb.sqlite
        }
    }
}
pluto {
}
libstrongswan {
}
=====================

I think it's a good time to remove pluto from it.

Client still running 5.2 using the split config:

=====================
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf

aes {
    load = yes
}
attr {
    load = yes
}
blowfish {
    load = yes
}
cmac {
    load = yes
}
constraints {
    load = yes
}
curl {
    load = yes
}
des {
    load = yes
}
dnskey {
    load = yes
}
fips-prf {
    load = yes
}
gmp {
    load = yes
}
hmac {
    load = yes
}
kernel-netlink {
    load = yes
}
md5 {
    load = yes
}
nonce {
    load = yes
}
ntru {
    load = yes
}
openssl {
    load = yes
}
pem {
    load = yes
}
pgp {
    load = yes
}
pkcs12 {
    load = yes
}
pkcs1 {
    load = yes
}
pkcs7 {
    load = yes
}
pkcs8 {
    load = yes
}
pubkey {
    load = yes
}
random {
    load = yes
}
rc2 {
    load = yes
}
resolve {
    file = /etc/resolve.strongswan
    load = yes
    resolvconf {
    }
}
revocation {
    load = yes
}
sha1 {
    load = yes
}
sha2 {
    load = yes
}
socket-default {
    load = yes
}
sshkey {
    load = yes
}
stroke {
    load = yes
}
updown {
    load = yes
}
x509 {
    load = yes
}
xcbc {
    load = yes
}

charon {
    send_vendor_id = yes
    crypto_test {
    }
    host_resolver {
    }
    leak_detective {
    }
    processor {
        priority_threads {
        }
    }
    tls {
    }
    x509 {
    }
}

charon {
    filelog {
    }
    syslog {
        auth {
            default = 1
            enc = 0
            lib = 0
            knl = 0
            job = 0
        }
    }
}

pki {
}
scepclient {
}
starter {
}
openac {
}
pki {
}
scepclient {
}
=================

Thanks
Dirk
On 10.07.2014 15:54, Dirk Hartmann wrote:

Hi,

I hit two problems after upgrading to 5.2. System on both sides is a Debian wheezy 64. Strongswan compiled with:

[client]
./configure --prefix=/usr --sysconfdir=/etc --enable-blowfish --enable-curl --enable-openssl --disable-ikev1 --enable-ntru

[gateway]
./configure --prefix=/usr --sysconfdir=/etc --enable-blowfish --enable-curl --enable-eap-radius --enable-ha --enable-openssl --enable-xauth-eap --enable-eap-mschapv2 --enable-eap-identity --enable-sql --enable-attr-sql --enable-sqlite --enable-xauth-noauth --enable-ntru

1. I get this error on both systems after upgrade:

ipsec_starter[3318]: notifying watcher failed: Broken pipe

2. I had to roll back to 5.1.3 on the gateway because I couldn't connect from other Linux IKEv2 clients which authenticate via X.509 certificates. I got:

no trusted RSA public key found for NAME

On the other side, IKEv1 connections from Mac/iOS with certificates and IKEv2 connections from Windows clients with eap-mschapv2 had no problems. (No Win7 client with IKEv2 and X509 certificates tried to connect at that time.)

As the gateway is in productive use I couldn't debug the problem for long. I have a second server with the same configuration that I can use to dig deeper into the problem. What further information would you need, what debug levels should I use?

All the while the gateway is back on 5.1.3 while my home client is still on 5.2 and can connect despite the Broken Pipe error.

Best Regards
Dirk

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

--
Dirk Hartmann, Heise Zeitschriften Verlag GmbH & Co. KG
IT-Systemmanagement, Karl-Wiechert-Allee 10, D-30625 Hannover
E-Mail: d...@heise.de - Tel.: +49 511 5352 494 - FAX: - 479
PGP-Fingerprint 4153 7C95 3259 C39F 49AA 9BAA 6833 A8DC 6D90 050E

Don't blame me for the following spam, blame European government:
Heise Zeitschriften Verlag GmbH & Co. KG
Register court: Amtsgericht Hannover HRA 26709
General partner: Heise Zeitschriften Verlag Geschäftsführung GmbH
Register court: Amtsgericht Hannover, HRB 60405
Managing directors: Ansgar Heise, Dr. Alfons Schräder