So, I put mark=%unique and the local broadcast 255.255.255.255 into ipsec.conf. But in my tests, it was necessary and sufficient to put the local broadcast 255.255.255.255 into leftsubnet only. I didn't put 255.255.255.255 into rightsubnet and I didn't put the net broadcast 192.168.0.255 into any subnets, and all worked.
But there are 2 questions again. :)

First: A double password query appears. That is the right password in my Win7 connection, but after it passes for the first time, there is

parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
05[IKE] EAP-MS-CHAPv2 username: '%any'
05[IKE] no EAP key found for hosts '%any' - '%any'
05[IKE] EAP-MS-CHAPv2 verification failed, retry (1)
10[MGR] ignoring request with ID 2, already processing
05[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]

and the password query appears again, and after passing the password a second time the connection is established. It wasn't like that before. Quite strange: I turned forecast off but such double password prompting remained. But I didn't change anything except the settings for forecast; I even reverted left and rightsubnets to the state before.

Second: Initially there is no nbns in strongswan.conf, that is, the WINS server does not appear in the Windows client connection properties. But after the 'reinject' value is set, the WINS server appears in the appropriate properties. Moreover, after commenting out the value and re-establishing the connection, the WINS server does not disappear. And after commenting out all plug-in values, the WINS server remained in the properties. Is it right behaviour? I think no. I disabled forecast in the load line in strongswan.conf. After that, without turning reinject on, the WINS server does not appear. But after connecting a second time, it appears again. By the way, whether WINS is present or not in the Windows connection properties changes NetBIOS behaviour quite strongly. Consequently, it is very important.

2015-01-23 11:52 GMT+03:00 Martin Willi <[email protected]>:

>
> > 0.2131s / 2079 times in lock created at: dumping 7 stack frame addresses:
> > /usr/lib/ipsec/libstrongswan.so.0 @ 0xb7708000 [0xb774aee5]
>
> This is a lock profiler backtrace. It is usually required only if you
> want to find lock bottlenecks, but for normal operation/testing you
> should build without the --enable-lock-profiler ./configure option.
>
> > leftsubnet=192.168.0.0/24
> > rightsourceip=192.168.0.201-192.168.0.215
>
> First, the forecast plugin requires that you set mark=%unique on the
> connection you want to forward broadcasts to/from. Second, your traffic
> selectors must include the broadcast/multicast addresses you want to
> forward in each direction, as IPsec policy matching is still in place.
> Refer to the configuration of moon in the forecast test case [1] for an
> example. Windows sends some broadcasts as 255.255.255.255 over the IPsec
> tunnel, so you might want to include that address as well.
>
> Regards
> Martin
>
> [1]http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=f1c218d6
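An added example, not part of the original thread and not strongSwan's own code: a small Python check that a conn in ipsec.conf meets the two forecast prerequisites named in the quoted reply (mark=%unique, and a leftsubnet that covers the broadcast address to be forwarded). The conn names, the /32 notation and the sample file are constructed for illustration; only leftsubnet is checked, matching what was tested in this message.

```python
import ipaddress
# Constructed sample, modelled on the settings quoted in this thread.
SAMPLE_CONF = """\
conn win7-before
    leftsubnet=192.168.0.0/24
    rightsourceip=192.168.0.201-192.168.0.215

conn win7-after
    leftsubnet=192.168.0.0/24,255.255.255.255/32
    rightsourceip=192.168.0.201-192.168.0.215
    mark=%unique
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split()[1], {})
        elif line[0].isspace() and current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
        else:
            current = None  # "config setup", "ca" or another section type
    return conns

def covers(selector, address):
    """True if any CIDR entry of a comma-separated selector contains address."""
    target = ipaddress.ip_address(address)
    for entry in selector.split(","):
        try:
            if target in ipaddress.ip_network(entry.strip(), strict=False):
                return True
        except ValueError:
            continue  # skip non-CIDR tokens such as %dynamic
    return False

def forecast_findings(conn, broadcasts=("255.255.255.255",)):
    """List what a conn lacks for the forecast plugin, per the reply above."""
    findings = []
    if conn.get("mark") != "%unique":
        findings.append("mark=%unique not set")
    for addr in broadcasts:
        if not covers(conn.get("leftsubnet", ""), addr):
            findings.append(f"leftsubnet does not include {addr}")
    return findings
```

Passing ("255.255.255.255", "192.168.0.255") as broadcasts also checks the subnet broadcast, which 192.168.0.0/24 already covers.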
