Re: [strongSwan] Query for Mobike responder behavior

2016-04-05 Thread Mukesh Yadav
Thanks Tobias... That clears a lot... Besides mobike, you mentioned that when exchange is done on 4500 and no NATT detected. Strong swan sends ESP as non-UDP encapsulated. Going by some reference earlier, I recall, even if no NATT detected and still initiator using port 4500 for Ikev2. It can be

[strongSwan] Query for Mobike responder behavior

2016-04-04 Thread Mukesh Yadav
Hi All, I have a query for scenario mentioned in RFC 4555 Section 3.3. Any input or reference will be appreciated... Query is regarding Responder's behavior w.r.t to UDP encapsulation of Ikev2/ESP when all exchange till IKE_Auth completion is done on port 500... Details: *"The addresses are

[strongSwan] Query reg UDP encapsulation for IPv6

2015-04-15 Thread Mukesh Yadav
Hi, My question is more towards IKEv2 standard rather than strongswan explicitly. UDP encapsulation is used for NATT traversal in IPsec for both ESP/IKE. RFC 5996 says even if NATT is not detected, sending IKE/ESP on 4500 is optional but receiving should be handled. RFC 5666 reference: *When either

Re: [strongSwan] Query reg UDP encapsulation for IPv6

2015-04-15 Thread Mukesh Yadav
NAT IPv6. But why? /Ryan From: Mukesh Yadav write2mukes...@gmail.com Date: Wednesday, April 15, 2015 at 9:56 AM To: users@lists.strongswan.org users@lists.strongswan.org Subject: [strongSwan] Query reg UDP encapsulation for IPv6 HI, My question is more towards IKEv2 standard rather

Re: [strongSwan] Query reg UDP encapsulation for IPv6

2015-04-15 Thread Mukesh Yadav
HI, What is behavior when Strong-swan is used for IKE exchange and tunnel end points are IPv6. Does it allow/process UDP-encapsulated Ipv6 packets when NATT is not detected? Thanks Mukesh On 15 April 2015 at 21:46, Mukesh Yadav write2mukes...@gmail.com wrote: Hi Ryan, Definitely NAT

[strongSwan] Encoding of IDi in ASN1Dn format

2015-02-09 Thread Mukesh Yadav
HI, Mail below is for IKEv2 standard, posting on Strong-swan mailer with hope that may be I can get some pointer... I have a query regarding encoding of IDi(ASN1DN) in IKE_AUTH payload as per RFC 5996. Tried to find online, what encoding mechanism shall be used for IDi(ASN1DN) format. Couldn't

[strongSwan] Query for derivation of MSk key in EAP-MSCHAPv2

2014-06-18 Thread Mukesh Yadav
Hi, Need some info on MSK key derivation when strongswan uses EAP-MSCHAPv2 when used in Ikev2. Any pointer or info will be helpful.. Thanks Mukesh

[strongSwan] Query regarding Ca-Cert list

2014-06-10 Thread Mukesh Yadav
Hi, This is question more specific to Openssl, but being generic scenario posting this on strongswan if someone can provide info.. Query for Ca-Cert list. If at gateway we have configured two CA-certs A1 and A2 both having same subject and content except time-stamp of generation. If peer sends

[strongSwan] Behavior of responder if Four Bytes SPI is not present in IKE_AUTH req's proposal Substructure

2014-01-06 Thread Mukesh Yadav
Hi, We have a doubt regarding behavior of Responder during initial tunnel setup where IKE_AUTH request’s proposal substructure(in SA Payload) does not contain SPI for child-sa creation. From RFC 5996 : *3.3.1* http://tools.ietf.org/search/rfc5996#section-3.3.1*. Proposal Substructure*

[strongSwan] Ipv6 over Ikev2 compliance

2013-09-04 Thread Mukesh Yadav
Hi, Want to know about standard compliance for IPv6 over IKEv2. RFC 5996 mentions about RFC 5739(IPv6 Configuration in Internet Key Exchange Protocol Version 2 (IKEv2)) RFC 5739 is experimental as of now...Can this be treated as standard one for implementation and compliance... Thanks Mukesh

[strongSwan] query for behaviour of DPD

2013-04-29 Thread Mukesh Yadav
Hi, I want to seek behaviour confirmation on particular scenario of DPD... If tunnel is created with peer and we send keep-alive message to peer with msgid as 0. and peer responds with wrong message ID(lets say 10)... This happens for X times(configured number of re-tries for DPD) On receiving

[strongSwan] Reg: Installing strongswan on machine not with GCC

2012-07-09 Thread Mukesh Yadav
Hi, I want to install and run strong-swan on Mips Hardware with no GCC. I approach it as doing cross compile it on some Intel Linux machine and then installing it on Mips. Is there way to get the zip(tgz format) image of all the required binaries/files that we can untar on other hardware,,, Please

Re: [strongSwan] Reg: 16 unknown bytes in ESp packet(IPSEC)

2012-04-27 Thread Mukesh Yadav
debug or stats mechanism from which I can confirm about the ESP packet processing result on Linux kernel? Thanks Mukesh On 26/04/2012, Mukesh Yadav write2mukes...@gmail.com wrote: Thanks Andreas, That means when I create a encrypted packet using some application, at other for successful

[strongSwan] Reg: 16 unknown bytes in ESp packet(IPSEC)

2012-04-26 Thread Mukesh Yadav
Hi, Not able to understand 16 bytes in ESP packet present after sequence no and before Original IP header while doing tunnel mode Ipsec with ESP. Details are as below. I am trying to achieve Ipsec functionality using fast-path application which will do encryption/decryption using some

Re: [strongSwan] Reg: 16 unknown bytes in ESp packet(IPSEC)

2012-04-26 Thread Mukesh Yadav
Mukesh, please be aware that AES in Cipher Block Chaining (CBC) mode inserts into each ESP packet a 16 byte (128 bit) Initialization Vector (IV) right after the sequence number and in front of the encrypted payload. Regards Andreas On 26.04.2012 19:29, Mukesh Yadav wrote: Hi, Not able

[strongSwan] Strong swan support for IPSEC on Cavium

2012-02-22 Thread Mukesh Yadav
Hi, I have some basic know-how on IPSEC using Strong swan for IKE on Linux. I have question about how to use IPSEC on Cavium blade where IKE will be done on Cavium blade with Linux running core and encryption/decryption of packet will be done on Cavium accelerator's cores designed for IPSEC

Re: [strongSwan] Strong swan support for IPSEC on Cavium

2012-02-22 Thread Mukesh Yadav
Thanks Martin for quick reply.. I have question about how to use IPSEC on Cavium blade where IKE will be done on Cavium blade with Linux running core and encryption/decryption of packet will be done on Cavium accelerator's cores designed for IPSEC performance running with simple executive.