Hi Noel,

--On Thursday, July 10, 2014 06:35:40 PM +0200 Noel Kuntze <[email protected]> wrote:
Can you please provide your strongswan.conf?

Sure. Server, now back on 5.1.3, is simply still using the single strongswan.conf:
=================
charon {
threads = 16
cisco_unity = yes
send_vendor_id = yes
plugins {
sql {
loglevel = -1
}
attr {
dns = xx.xx.xx.xx, xx.xx.xx.xx
nbns = xx.xx.xx.xx
}
}
libhydra {
plugins {
attr-sql {
database = sqlite:///etc/ipsec.d/database/strongswandb.sqlite
}
}
}
pluto {
}
libstrongswan {
}
=====================
I think it's a good time to remove pluto from it.
Client still running 5.2 using the split config:
=====================
charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
}
include strongswan.d/*.conf
aes {
load = yes
}
attr {
load = yes
}
blowfish {
load = yes
}
cmac {
load = yes
}
constraints {
load = yes
}
curl {
load = yes
}
des {
load = yes
}
dnskey {
load = yes
}
fips-prf {
load = yes
}
gmp {
load = yes
}
hmac {
load = yes
}
kernel-netlink {
load = yes
}
md5 {
load = yes
}
nonce {
load = yes
}
ntru {
load = yes
}
openssl {
load = yes
}
pem {
load = yes
}
pgp {
load = yes
}
pkcs12 {
load = yes
}
pkcs1 {
load = yes
}
pkcs7 {
load = yes
}
pkcs8 {
load = yes
}
pubkey {
load = yes
}
random {
load = yes
}
rc2 {
load = yes
}
resolve {
file = /etc/resolve.strongswan
load = yes
resolvconf {
}
}
revocation {
load = yes
}
sha1 {
load = yes
}
sha2 {
load = yes
}
socket-default {
load = yes
}
sshkey {
load = yes
}
stroke {
load = yes
}
updown {
load = yes
}
x509 {
load = yes
}
xcbc {
load = yes
}
charon {
send_vendor_id = yes
crypto_test {
}
host_resolver {
}
leak_detective {
}
processor {
priority_threads {
}
}
tls {
}
x509 {
}
}
charon {
filelog {
}
syslog {
auth {
default = 1
enc = 0
lib = 0
knl = 0
job = 0
}
}
}
pki {
}
scepclient {
}
starter {
}
openac {
}
pki {
}
scepclient {
}
=================
Thanks
Dirk
On 10.07.2014 15:54, Dirk Hartmann wrote:

Hi,

I hit two problems after upgrading to 5.2. System on both sides is a Debian wheezy 64. Strongswan compiled with:

[client]
./configure --prefix=/usr --sysconfdir=/etc --enable-blowfish --enable-curl --enable-openssl --disable-ikev1 --enable-ntru

[gateway]
./configure --prefix=/usr --sysconfdir=/etc --enable-blowfish --enable-curl --enable-eap-radius --enable-ha --enable-openssl --enable-xauth-eap --enable-eap-mschapv2 --enable-eap-identity --enable-sql --enable-attr-sql --enable-sqlite --enable-xauth-noauth --enable-ntru

1. I get this error on both systems after upgrade:

ipsec_starter[3318]: notifying watcher failed: Broken pipe

2. I had to roll back to 5.1.3 on the gateway because I couldn't connect from other Linux IKEv2 clients which authenticate via X.509 certificates. I got:

no trusted RSA public key found for NAME

On the other side IKEv1 connections from Mac/iOS with certificates and IKEv2 connections from Windows clients with eap-mschapv2 had no problems. (No Win7 client with IKEv2 and X509 certificates tried to connect at that time.)

As the gateway is in productive use I couldn't debug the problem for long. I have a second server with the same configuration that I can use to dig deeper into the problem. What further information would you need, what debug levels should I use?

All the while the gateway is back on 5.1.3 while my home client is still on 5.2 and can connect despite the Broken Pipe error.
Best Regards
Dirk
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
--
Dirk Hartmann, Heise Zeitschriften Verlag GmbH & Co. KG
IT-Systemmanagement, Karl-Wiechert-Allee 10, D-30625 Hannover
E-Mail: [email protected] - Tel.: +49 511 5352 494 - FAX: - 479
PGP-Fingerprint 4153 7C95 3259 C39F 49AA 9BAA 6833 A8DC 6D90 050E

Don't blame me for the following spam, blame european government:
Heise Zeitschriften Verlag GmbH & Co. KG
Register court: Amtsgericht Hannover HRA 26709
Personally liable partner: Heise Zeitschriften Verlag Geschäftsführung GmbH
Register court: Amtsgericht Hannover, HRB 60405
Managing directors: Ansgar Heise, Dr. Alfons Schräder
