Re: [strongSwan] Same credentials, different IDs
On 22.11.2016 01:41, Alexander Hill wrote:
> Is there any way of achieving this?

Nope. Credentials are invariably connected to the ID they authenticate the peer for.

--
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
[strongSwan] Same credentials, different IDs
Hi list,

I have many effectively identical roadwarrior clients being assigned dynamic virtual IPs. What I'd like is to have clients use the same certificate/key, but identify themselves differently (e.g. by their hostname).

Essentially I just want each client to be able to give itself an arbitrary id so that when I do `ipsec leases` on the server, I can see which device is which, without having to reissue certificates or assign a new PSK every time a device is added to the fleet.

Is there any way of achieving this?

Cheers,
Alex
[strongSwan] StrongSWAN 5.3.5 <-> Dell Sonicwall showing multiple connections
I am trying to set up an IKEv2 VPN connection between a StrongSWAN 5.3.5 system and a Dell Sonicwall. In doing so, it seems like the strongswan side sees the connection as up but the sonicwall side does not. Furthermore, the statusall output shows what looks like a second connection/tunnel trying to be established. Any ideas/suggestions appreciated.

Logs are large so I've put them on pastebin.

*Log output (level 2)*
http://pastebin.com/mZEkRTTp

*Config*

config setup
    uniqueids=no

conn %default
    left=%defaultroute
    leftid=51.15.85.15
    keyingtries=%forever
    keyexchange=ikev1
    type=tunnel
    compress=no
    authby=secret
    auto=start
    dpdaction=none

conn vpn-basf-prd
    #NOAUTO
    leftsubnet=51.76.21.161/32    # enterprise-mirth-01
    right=191.25.81.121
    rightid=191.25.81.121
    rightsubnet=10.10.10.105/32
    ike=aes256-sha1-modp1024
    esp=aes256-sha1-modp1024
    keyexchange=ikev2
    ikelifetime=86400s
    keylife=28800s

*ipsec statusall output*

vpn-basf-prd: %any...191.25.81.121 IKEv2
vpn-basf-prd: local: [51.15.85.15] uses pre-shared key authentication
vpn-basf-prd: remote: [191.25.81.121] uses pre-shared key authentication
vpn-basf-prd: child: 51.76.21.161/32 === 10.10.10.105/32 TUNNEL
vpn-basf-prd[73]: ESTABLISHED 2 seconds ago, 10.20.1.18[51.15.85.15]...191.25.81.121[191.25.81.121]
vpn-basf-prd[73]: IKEv2 SPIs: 41cb5d5c3cb88170_i 51f00949b54db925_r*, pre-shared key reauthentication in 23 hours
vpn-basf-prd[73]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
vpn-basf-prd{141}: INSTALLED, TUNNEL, reqid 128, ESP in UDP SPIs: cb81da30_i 84d00d14_o
vpn-basf-prd{141}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 168 bytes_o (2 pkts, 1s ago), rekeying in 7 hours
vpn-basf-prd{141}: 51.76.21.161/32 === 10.10.10.105/32
vpn-basf-prd[19]: CONNECTING, 10.20.1.18[51.15.85.15]...191.25.81.121[191.25.81.121]
vpn-basf-prd[19]: IKEv2 SPIs: 5e925fa468fc0409_i* f367cd479c87f8a7_r
vpn-basf-prd[19]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
vpn-basf-prd[19]: Tasks active: IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIK
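As an added example (not from the thread or the strongSwan project), a small parser for the `ipsec statusall` format quoted above that groups IKE_SAs per connection and peer and reports when more than one IKE_SA exists to the same peer, which is the ESTABLISHED-plus-CONNECTING pattern the post describes. The sample input is constructed from the output above; the function names are this example's own.

```python
import re
from collections import defaultdict

# Matches an IKE_SA state line of `ipsec statusall`, e.g.
#   vpn-basf-prd[73]: ESTABLISHED 2 seconds ago, 10.20.1.18[51.15.85.15]...191.25.81.121[191.25.81.121]
#   vpn-basf-prd[19]: CONNECTING, 10.20.1.18[51.15.85.15]...191.25.81.121[191.25.81.121]
IKE_SA_RE = re.compile(
    r"^(?P<conn>[^\[\s]+)\[(?P<id>\d+)\]: (?P<state>[A-Z_]+)(?=[ ,]).*?, "
    r"(?P<local>\S+)\[(?P<lid>[^\]]*)\]\.\.\.(?P<remote>\S+)\[(?P<rid>[^\]]*)\]$"
)

def parse_ike_sas(status_output):
    """Return {conn: {ike_sa_id: {"state", "local", "remote", "rid"}}} from statusall text."""
    sas = defaultdict(dict)
    for line in status_output.splitlines():
        m = IKE_SA_RE.match(line.strip())   # SPIs, proposal, task and {n} CHILD_SA lines do not match
        if m:
            sas[m["conn"]][int(m["id"])] = {
                "state": m["state"], "local": m["local"],
                "remote": m["remote"], "rid": m["rid"]}
    return dict(sas)

def duplicate_ike_sas(sas):
    """Return [(conn, remote, [(ike_sa_id, state), ...])] for each peer with more than one IKE_SA.
    With uniqueids=no charon does not replace an existing IKE_SA to the same peer
    when another one comes up, so both stay listed; this surfaces that situation."""
    dups = []
    for conn, by_id in sas.items():
        per_peer = defaultdict(list)
        for sa_id, info in sorted(by_id.items()):
            per_peer[(info["remote"], info["rid"])].append((sa_id, info["state"]))
        for (remote, _rid), entries in per_peer.items():
            if len(entries) > 1:
                dups.append((conn, remote, entries))
    return dups

# Constructed sample, trimmed from the statusall output quoted in the post above.
SAMPLE = """\
vpn-basf-prd: %any...191.25.81.121 IKEv2
vpn-basf-prd[73]: ESTABLISHED 2 seconds ago, 10.20.1.18[51.15.85.15]...191.25.81.121[191.25.81.121]
vpn-basf-prd[73]: IKEv2 SPIs: 41cb5d5c3cb88170_i 51f00949b54db925_r*, pre-shared key reauthentication in 23 hours
vpn-basf-prd{141}: INSTALLED, TUNNEL, reqid 128, ESP in UDP SPIs: cb81da30_i 84d00d14_o
vpn-basf-prd[19]: CONNECTING, 10.20.1.18[51.15.85.15]...191.25.81.121[191.25.81.121]
vpn-basf-prd[19]: Tasks active: IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE
"""

if __name__ == "__main__":
    for conn, remote, entries in duplicate_ike_sas(parse_ike_sas(SAMPLE)):
        print(f"{conn}: {len(entries)} IKE_SAs to {remote}: {entries}")
```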
Re: [strongSwan] leftsubnet and loopback problem
2016-11-21 11:10 GMT+01:00 John Brown :
>
> 2016-11-21 11:03 GMT+01:00 Tobias Brunner :
>> Hi John,
>>
>> > ip address add dev lo 10.2.3.4/32
>> > ...
>> > Nov 17 10:56:43 127 daemon.info charon: 16[KNL] no local address found in traffic selector 10.2.3.4/32
>> > ...
>> > I'm using: Linux strongSwan U4.5.2/K3.4.113
>>
>> That's really old. Back then loopback interfaces were not considered.
>> You need at least 5.0.1 for that.
>>
>> Regards,
>> Tobias
>

Hi Tobias,

Sorry for the previous empty message, sent by mistake. Thank you for your answer. I was just going to write here that I've tested this on sswan 5.2.1 and it works.

Regards,
John
Re: [strongSwan] leftsubnet and loopback problem
2016-11-21 11:03 GMT+01:00 Tobias Brunner :
> Hi John,
>
> > ip address add dev lo 10.2.3.4/32
> > ...
> > Nov 17 10:56:43 127 daemon.info charon: 16[KNL] no local address found in traffic selector 10.2.3.4/32
> > ...
> > I'm using: Linux strongSwan U4.5.2/K3.4.113
>
> That's really old. Back then loopback interfaces were not considered.
> You need at least 5.0.1 for that.
>
> Regards,
> Tobias
Re: [strongSwan] leftsubnet and loopback problem
Hi John,

> ip address add dev lo 10.2.3.4/32
> ...
> Nov 17 10:56:43 127 daemon.info charon: 16[KNL] no local address found in traffic selector 10.2.3.4/32
> ...
> I'm using: Linux strongSwan U4.5.2/K3.4.113

That's really old. Back then loopback interfaces were not considered. You need at least 5.0.1 for that.

Regards,
Tobias