ion key blob and generates a Quote signature over a certain
> number of PCR registers.
>
> Hope this helps.
>
> Andreas
>
> On 31.08.2017 10:46, John Brown wrote:
> > Hi Tobias/Hi all,
> > After some reading I have come to the conclusion that TPM 2.0 can only be used
> > with
se
TPM 1.2 only for key storage in strongswan? If yes, which version of
strongswan is the oldest that can be used for this?
Best regards,
John
2017-07-18 12:46 GMT+02:00 John Brown :
> Hi Tobias,
> Thank you for your answer. I'm on the first stage of learning TPM but as
> far as
:07, Dusan Ilic wrote:
>> With iptables you can set marks on traffic and that way decide which
>> tunnel to use. Automatic switching will not be supported, unless you write a
>> script that checks the health of the currently active tunnel and then
>> changes the mark.
>>
>>
obably but with libipsec rather than vti devices
> (kernel too old for vti). As far as I understand the solution you've
> proposed I can add priorities to the tunnels by adding metrics to routes
> (and prefer conn1 over conn2). Am I correct?
>
> Best regards,
> John
>
as I understand the solution you've
proposed I can add priorities to the tunnels by adding metrics to routes
(and prefer conn1 over conn2). Am I correct?
Best regards,
John
2017-08-24 11:34 GMT+02:00 Vincent Bernat :
> ❦ 24 August 2017 11:27 +0200, John Brown :
>
> > I'm search
Hello all,
I'm searching the net but cannot find a reliable answer to this problem:
Is it possible in strongswan to have two connections with the same
rightsubnet entry and prefer one connection over another?
For example:
...
conn1
...
rightsubnet=10.10.0.0/16
conn2
...
rightsubne
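The fwmark-based failover Dusan sketches above (mark the traffic, let a script move the mark when the active tunnel is unhealthy) and the "two connections for the same rightsubnet, prefer conn1 over conn2" question, as an added example that is not from the thread or from the strongSwan project. It assumes, beyond what the messages say, that conn1 is configured with mark=1 and conn2 with mark=2 in ipsec.conf so that the two policies for 10.10.0.0/16 can coexist and are selected by the packet mark, that the connections are named conn1 and conn2, and that the script runs as root on a strongSwan initiator using the kernel-netlink backend (not kernel-libipsec, which John mentions). The decision logic is kept in its own function so it can be exercised without a kernel or a tunnel.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the strongSwan project):
# keep outbound traffic for one remote subnet pinned to the healthy tunnel by
# re-pointing an iptables MARK rule.  Assumed, hypothetical setup:
#   ipsec.conf: conn1 has mark=1, conn2 has mark=2, both rightsubnet=10.10.0.0/16
#   connection names: conn1 (preferred), conn2 (fallback)
#   backend: kernel-netlink, script run as root

REMOTE_SUBNET="10.10.0.0/16"
MARK_CONN1=1
MARK_CONN2=2
CHAIN="IPSEC_FAILOVER"   # dedicated mangle chain so we never touch other rules

# Pure decision function: prefer conn1 whenever it is up, fall back to conn2,
# return status 1 (and print nothing) when neither tunnel is installed.
# Arguments are the states "up"/"down" of conn1 and conn2.
select_mark() {
  case "$1/$2" in
    up/*) echo "$MARK_CONN1" ;;
    */up) echo "$MARK_CONN2" ;;
    *)    return 1 ;;
  esac
}

# "ipsec status <conn>" prints the IKE_SA/CHILD_SA lines for one connection;
# an INSTALLED CHILD_SA is what actually carries traffic, so that is the
# health criterion rather than a merely ESTABLISHED IKE_SA.
conn_state() {
  if ipsec status "$1" 2>/dev/null | grep -q "INSTALLED"; then
    echo up
  else
    echo down
  fi
}

# Rebuild the dedicated chain with a single MARK rule for the chosen tunnel
# and hook it into OUTPUT (locally generated traffic) and FORWARD (traffic
# routed for a LAN behind this host).  -C only checks, so the hook is
# inserted exactly once.
apply_mark() {
  iptables -t mangle -N "$CHAIN" 2>/dev/null || true
  iptables -t mangle -F "$CHAIN"
  iptables -t mangle -A "$CHAIN" -d "$REMOTE_SUBNET" -j MARK --set-mark "$1"
  for hook in OUTPUT FORWARD; do
    iptables -t mangle -C "$hook" -j "$CHAIN" 2>/dev/null \
      || iptables -t mangle -I "$hook" -j "$CHAIN"
  done
}

# Poll both tunnels and move the mark when the preferred one is down.
monitor() {
  interval="${1:-10}"
  while :; do
    if mark=$(select_mark "$(conn_state conn1)" "$(conn_state conn2)"); then
      apply_mark "$mark"
    else
      logger -t ipsec-failover "neither conn1 nor conn2 has an installed CHILD_SA"
    fi
    sleep "$interval"
  done
}

# Only start polling when invoked as "failover.sh run"; sourcing the file
# just defines the functions.
if [ "${1:-}" = run ]; then
  monitor "${2:-10}"
fi
```

Both tunnels stay up the whole time; only the packet mark moves, so the switch is as fast as the poll interval and needs no renegotiation. The marks must also be reflected in the XFRM policies (the mark= assumption above), otherwise the kernel sees two policies with identical selectors and the second one is never installed.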
Hello all,
I know this is a security issue but because of some other factors in one
particular case during setup we are considering disabling root CA checking in
strongswan during the tunnel establishment process. In other words: strongswan
is an IKEv2 initiator. We would like to have the tunnel established even
Hi Tobias,
Thank you for your answer. I'm on the first stage of learning TPM but as
far as I understand the general rule the private key should not be
accessible and that was the reason the aforementioned log message drew my
attention. This wiki page I've read is the only way I can learn TPM and
str
Hello all,
I'm currently looking for some information on how strongswan can utilize TPM
chips. I've read
https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin
and I conclude from this example that a private key stored in the TPM is loaded
into program memory the same way as if it were stored in
ubt that. What did you do to fix it?
>
> On 16.02.2017 09:25, John Brown wrote:
> > Hi Tobias,
> > Sorry for delay, I didn't notice your message.
> >
> > In the meantime my experiments have shown that the problem was not
> associated with certificates at all. T
Hi Tobias,
Sorry for delay, I didn't notice your message.
In the meantime my experiments have shown that the problem was not
associated with certificates at all. This message about a bad signature was the
result of some missing basic strongswan plugins (so it was an unexpected
strongswan installation p
Hi all,
We have problems with certificate authentication and see "RSA signature
verification failed: Bad signature" during a strongswan connection attempt. We
would like to retrieve the whole remote certificate chain to "manually" check
this issue. Is this possible using strongswan (for example by enabling som
gards,
John
2016-11-25 14:46 GMT+01:00 John Brown :
> Hi Tobias,
> I didn't notice this warning but I'm going to test not only this scenario
> but also others, hoping that with your hints, I'll manage to set this up.
> Thank you for your help!
>
> Regards,
> J
Hi Tobias,
I didn't notice this warning but I'm going to test not only this scenario
but also others, hoping that with your hints, I'll manage to set this up.
Thank you for your help!
Regards,
John
2016-11-25 14:37 GMT+01:00 Tobias Brunner :
> Hi John,
>
> > Did you mean that when using rightca
Hi Tobias,
Thank you for your answer. But I'm not sure I've understood you well. Did
you mean that when using rightca, I should have the certificate with the same
DN as provided for the rightca option installed locally, otherwise the
option is ignored?
Regards,
John
2016-11-25 9:46 GMT+01:00 Tobias
've done this consistently.
Are there any log or info accessible informing that rightca is checked
during authentication process?
Regards,
John
2016-11-23 19:50 GMT+01:00 Andreas Steffen :
> Hi John,
>
> could you send me a log file showing that a CA different from the CA
> request
Hello all,
I'm using Linux strongSwan U5.2.1/K3.4.112 and I'm trying to implement the
rightca option in the ipsec.conf file but without success.
As far as I understand the documentation, if rightca contains the DN of a
certificate authority which lies in the trust path from the end device cert
to rootca, a
2016-11-21 11:10 GMT+01:00 John Brown :
>
>
> 2016-11-21 11:03 GMT+01:00 Tobias Brunner :
>
>> Hi John,
>>
>> > ip address add dev lo 10.2.3.4/32
>> > ...
>> > Nov 17 10:56:43 127 daemon.info charon: 16[KNL] no local address found
>> in tr
2016-11-21 11:03 GMT+01:00 Tobias Brunner :
> Hi John,
>
> > ip address add dev lo 10.2.3.4/32
> > ...
> > Nov 17 10:56:43 127 daemon.info charon: 16[KNL] no local address found
> in traffic selector 10.2.3.4/32
> > ...
> > I'm using: Linux strongSwan U4.5.2/K3.4.113
>
> That's really old. Back t
Hello all,
Is it possible to set leftsubnet=10.2.3.4/32 and install this address on
loopback interface?
When I try to do this by:
ip address add dev lo 10.2.3.4/32
and have leftsubnet=10.2.3.4/32 in the connection configuration, I receive the
below logs:
Nov 17 10:56:43 127 daemon.info charon: 16[KN
Hi all,
Does anybody have experience with StrongSwan working with a cisco
router which has to do Remote Route Injection?
I was able to get RRI working on the cisco router when I configured
leftsubnet=1.2.3.4/32 on the StrongSwan side.
But using leftsubnet is a small problem on our device as (as far
Hello all,
I have some problems with keeping my roadwarrior trying to connect
to the vpn gateway forever. It works when the vpn gateway is lost or when the
connection was fully established and was then lost.
But I have a problem with a situation like this: the vpn gateway has some bad
config and because of
d save. So using pfs does not mean
automatically that your data are safe.
Regards,
John
2016-03-04 9:18 GMT+01:00 Harald Dunkel :
> Hi John,
>
> On 03/01/2016 12:55 PM, John Brown wrote:
> > Hi,
> >
> > I can give you two links with some small amount information
Hi,
Did you try to remove the "include strongswan.d/charon/*.conf" line for
testing? If swan stops complaining in that scenario then you can add
the line again and remove some/all *.conf files from the include directory to
test. Then add some, etc.
2016-03-03 15:45 GMT+01:00 Nicolas Göddel :
> Am
Hello all,
I'm using ocsp for certificate checks and this works ok. But I have
explicitly specified the cacert parameter in the ca section of ipsec.conf. The CA chain
may look like this: (devcert)<-subca1<-subca2<...<-rootca. All of them are
installed in /etc/ipsec.d/cacerts (with exception of devcert of cou
Hi,
I can give you two links with a small amount of information about your
question:
http://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/vpn-security-phase-2-ipsec-proposal-understanding.html
and
https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations#Pe
Hi all,
I am facing some problems with strongswan 4.5.2 or 5.2.1 (currently tested)
on debian wheezy (armel). One of these problems is having multiple CHILD_SAs
created under one Security Association.
For example, fragment of the output from "ipsec statusall" taken from
remote device looks like this: