Hi Tobias,
OpenSwan ipsec.conf:
config setup
    nat_traversal=yes
    protostack=netkey
conn psk-nat
    rightsubnet=vhost:%priv
    also=psk-nonat
conn psk-nonat
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    dpddelay=5
    dpdtimeout=10
    dpdaction
Hi Alex,
> Thank you for your help and suggestions guys, got it working with
> OpenSwan.
Interesting. Would you care to share the config that enabled you to do
this with OpenSwan? Because I'm pretty sure L2TP/IPsec with destination
NAT (i.e. the responder behind a NAT) is currently not possible
Hello Andreas,
Yes, I agree with you.
I have first set the following rules in the mangle table on both endpoints:
iptables -t mangle -A OUTPUT -j MARK --set-mark 10 -m dscp --dscp-class EF
iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -m dscp --dscp-class EF
So with these rules, all tra
Hello,
you define only mark 10 but not mark 20. No traffic will go through
the tunnel without a mark (either 10 or 20) set.
Regards
Andreas
On 11/14/2011 08:46 AM, Meera Sudhakar wrote:
> Hi,
>
> My aim is to create two IPsec tunnels using strongSwan between two
> end-points, each having a di
Hello Anand,
your private key is not well formed. The OpenSSL command
openssl rsa -inform der -in caKey.der -noout -check
RSA key error: dmp1 not congruent to d
RSA key error: dmq1 not congruent to d
shows this. If I execute
ipsec pki --gen > caKey1.der
on my system, my key is ok. You someho
Thank you for your help and suggestions guys, got it working with OpenSwan.
On 09/11/11 10:55, Alex Lucas wrote:
> Dears,
> No ideas? I've tried a lot of combinations of config, including
> specifying very specific IPs for "left", "leftsubnet", "right",
> "rightsubnet", "rightid" etc. The docs are
Hi Tobias
Thank you so much for all the help in solving this issue I am facing.
You are right, I am getting the same error when I use the -check option for
the priv key files. I will try to see why it's so. Will get back to you with
any updates/info.
The surprising thing is that when I use the same
writes:
>
> YES! It was the algorithms! I finally got a tunnel!
> I have no idea which specific algorithm it was that was missing, I just
> enabled a bunch of them, but most likely AES, which I guess
> is the de facto standard for symmetric cryptography rather than DES.
> By the way, where do I
Hi,
> strongswan4-mod-kernel-klips - 4.5.2-1
Please try to remove this module from your build. The kernel-klips
plugin was done for a very specific (and rather old) KLIPS release. And
depending on whether your kernel actually includes the KLIPS patch or
not might never work. So, do you actuall
Hi Andreas,
>> Did you activate or insert any debug statements writing
>> to stdout either in the strongSwan or OpenSSL code?
Yes. It was my mistake, I added a debug message in OpenSSL rsa_gen.c in
function RSA_generate_key_ex().
Now I removed the print statement, and command "openssl rsa -info