[strongSwan] DSCP support in new version of strongswan

2010-10-15 Thread David Deng
Hi Andreas, Hi All,

About the DSCP feature of strongswan, I want to know which patch has been
applied for supporting this feature.

Please give me a link to the information about this patch.  Thank you!


Besides the code change in strongswan, does NETKEY need to be modified too? If
so, can you tell me which option should be enabled, or how to make the Linux
kernel (NETKEY) support this feature?

Best wishes,

David Morris
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Interoperate with Juniper SSG 550M failed

2010-10-15 Thread David Deng
Hi Sajal, Hi Andreas, Hi Laurence, Hi All,

Thank you for your useful document and kind help!

Now we have established the IPsec tunnel between seGW(Juniper SSG550M) and
Client, Thanks a lot!

I think there are still a lot of problems that need all your help. Thanks in advance!

Best wishes,
David Morris
2010/9/30 Sajal Malhotra sajalmalho...@gmail.com

 Hi David,

 From what I know this issue of Link Status as down and SA status Active
 in Juniper comes when VPN monitoring is not configured or working in
 Juniper. Please refer to Juniper documentation on configuration/issues in
 VPN monitoring.
 http://kb.juniper.net/KB9522

 http://kb.juniper.net/KB9503
 Not sure if this applies to your juniper equipment, but might give some
 hint.


 BR
 Sajal

   On Sat, Sep 18, 2010 at 11:34 AM, David Deng
 david.live@gmail.com wrote:

   Hi Martin, Hi All,

 I configured strongswan with following items and tried to interoperate
 with Juniper SSG 550M, but I found no inner IP can be allocated from
 Juniper SSG 550M and the link always indicated as down while the SA status
 was Active.

 THE CONFIGURATION of STRONGSWAN is:

 1) IPSEC.CONF
 config setup
   strictcrlpolicy=no
   plutostart=no
 conn %default
   ike=3des-sha1-modp1024!
   esp=3des-sha1!
   ikelifetime=1440m
   keylife=24m
   rekeymargin=3m
   keyingtries=%forever
   reauth=no
   keyexchange=ikev2
   pfs=yes
   authby=secret
 conn FAP0
   left=172.19.2.169
   leftid=...@juniper.com
   leftfirewall=yes
   right=172.19.2.199
   rightsubnet=0.0.0.0/0
   auto=add

 2) ipsec.secrets
 # /etc/ipsec.secrets - strongswan IPsec secrets file
 p...@juniper.com : PSK PBRVPN0

 IN JUNIPER SSG 550
 1) I create one dial-up user and configure the gateway and IKE with
 authentication as PSK and IKEv2 used, and then I configure one policy for it.

 2) The configuration of the Juniper SSG 550 is listed as follows:

 set clock timezone 0
 set vrouter trust-vr sharable
 set vrouter untrust-vr
 exit
 set vrouter trust-vr
 unset auto-route-export
 exit
 set alg appleichat enable
 unset alg appleichat re-assembly enable
 set alg sctp enable
 set auth-server Local id 0
 set auth-server Local server-name Local
 set auth default auth server Local
 set auth radius accounting port 1646
 set admin name netscreen
 set admin password nKVUM2rwMUzPcrkG5sWIHdCtqkAibn
 set admin auth web timeout 10
 set admin auth server Local
 set admin format dos
 set zone Trust vrouter trust-vr
 set zone Untrust vrouter trust-vr
 set zone DMZ vrouter trust-vr
 set zone VLAN vrouter trust-vr
 set zone Untrust-Tun vrouter trust-vr
 set zone Trust tcp-rst
 set zone Untrust block
 unset zone Untrust tcp-rst
 set zone MGT block
 set zone DMZ tcp-rst
 set zone VLAN block
 unset zone VLAN tcp-rst
 set zone Untrust screen tear-drop
 set zone Untrust screen syn-flood
 set zone Untrust screen ping-death
 set zone Untrust screen ip-filter-src
 set zone Untrust screen land
 set zone V1-Untrust screen tear-drop
 set zone V1-Untrust screen syn-flood
 set zone V1-Untrust screen ping-death
 set zone V1-Untrust screen ip-filter-src
 set zone V1-Untrust screen land
 set interface ethernet0/0 zone Trust
 set interface ethernet0/1 zone Trust
 set interface ethernet0/2 zone Untrust
 set interface ethernet0/3 zone Trust
 set interface tunnel.1 zone Trust
 set interface ethernet0/0 ip 192.168.1.1/24
 set interface ethernet0/0 route
 unset interface vlan1 ip
 set interface ethernet0/1 ip 192.168.52.253/24
 set interface ethernet0/1 nat
 set interface ethernet0/2 ip 172.19.2.199/24
 set interface ethernet0/2 route
 set interface ethernet0/3 ip 192.168.54.253/24
 set interface ethernet0/3 nat
 set interface tunnel.1 ip unnumbered interface ethernet0/2
 set interface ethernet0/2 bandwidth egress mbw 5000 ingress mbw 5000
 set interface tunnel.1 mtu 1500
 set interface ethernet0/1 pmtu ipv4
 unset interface vlan1 bypass-others-ipsec
 unset interface vlan1 bypass-non-ip
 set interface ethernet0/0 ip manageable
 set interface ethernet0/1 ip manageable
 set interface ethernet0/2 ip manageable
 set interface ethernet0/3 ip manageable
 set interface ethernet0/1 manage ident-reset
 set interface ethernet0/2 manage ping
 set interface ethernet0/2 manage snmp
 set interface ethernet0/2 manage ssl
 set interface ethernet0/2 manage web
 unset interface ethernet0/3 manage ssh
 unset interface ethernet0/3 manage telnet
 unset interface ethernet0/3 manage snmp
 unset interface ethernet0/3 manage ssl
 unset interface ethernet0/3 manage web
 set interface ethernet0/0 dhcp server service
 set interface ethernet0/0 dhcp server enable
 set interface ethernet0/0 dhcp server option lease 144
 set interface ethernet0/0 dhcp server ip 192.168.1.200 to 192.168.1.250
 set interface ethernet0/0 dhcp server config next-server-ip
 unset interface ethernet0/0 dhcp server config updatable
 unset flow no-tcp-seq-check
 set flow tcp-syn-check
 unset flow tcp-syn-bit-check
 set flow reverse-route clear-text prefer
 set flow reverse-route tunnel always
 set domain zte.com.cn
 

Re: [strongSwan] No known IPsec stacks found on Freebsd 8.1

2010-10-15 Thread Tobias Brunner
Yatong Cui wrote:
 Yet I cannot start the daemon because the system cannot identify any IPsec 
 stack.

That's not really a problem: the detection code is Linux-specific and is
not actually executed by the daemon but by a wrapper tool called
starter.  The daemon charon (with the proper plugin loaded) should
be able to communicate with the kernel just fine.

The actual problem you seem to have is that starter and charon are
either already running or have crashed and the pid files are still lying
around:

 charon is already running (/var/run/charon.pid exists) -- skipping charon 
 start
 starter is already running (/var/run/starter.pid exists) -- no fork done

Check that they are not running and then delete these pid files and try
to start them again with ipsec start.

Regards,
Tobias

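The check Tobias asks for before deleting the pid files, as an added example written for this page (not strongSwan's own code). It assumes the pid files live in /var/run as in the quoted messages, that the daemons' process names are charon and starter, and that either /proc or a ps supporting -p and -o comm= is available (FreeBSD's is); RUNDIR is an assumed variable for pointing it at a test directory.

```shell
#!/bin/sh
# Added example, not from strongSwan: remove a pid file only after checking
# that it no longer names a live process, the check the reply above asks
# for before deleting /var/run/charon.pid and /var/run/starter.pid.

# Name of the running process with pid $1, or nothing if there is none.
# /proc is used where it exists; ps -p covers FreeBSD and other systems.
# (kill -0 alone is not enough: as non-root it fails with EPERM for a live
# root-owned daemon, which would look the same as "not running".)
proc_name() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        ps -p "$1" -o comm= 2>/dev/null || true
    fi
}

# clear_stale_pidfile FILE NAME
#   Returns 0 after removing FILE when it is absent, holds no pid, names no
#   process, or names a process whose name does not contain NAME (the pid
#   was handed to something else after a crash).
#   Returns 1 and keeps FILE when a process matching NAME is alive.
clear_stale_pidfile() {
    pidfile=$1
    name=$2
    [ -e "$pidfile" ] || return 0
    pid=$(tr -cd '0-9' < "$pidfile")          # keep digits only
    if [ -n "$pid" ]; then
        case "$(proc_name "$pid")" in
            *"$name"*)
                echo "$pidfile: $name (pid $pid) is running, not removing" >&2
                return 1 ;;
        esac
    fi
    rm -f "$pidfile"
    echo "$pidfile: stale, removed" >&2
    return 0
}

# Clean both pid files and start the daemons.  Refuses to start if either
# daemon is still alive, so a second charon is never started beside the
# first.  RUNDIR (assumed name) can point at another directory for testing.
restart_strongswan() {
    dir=${RUNDIR:-/var/run}
    clear_stale_pidfile "$dir/charon.pid" charon   || return 1
    clear_stale_pidfile "$dir/starter.pid" starter || return 1
    ipsec start
}
```

Run restart_strongswan as root; it prints which files it removed and stops, without starting anything, if a matching daemon is still alive. The name check matters because a pid from a file left behind by a crash may since have been reused by an unrelated process.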


Re: [strongSwan] DSCP support in new version of strongswan

2010-10-15 Thread Andreas Steffen
Hello,

The DSCP feature using XFRM marks as shown in the scenario

   http://www.strongswan.org/uml/testresults44/ikev2/net2net-psk-dscp/

is supported by strongswan-4.4.1 or newer. The Linux 2.6.35 kernel
or newer includes the XFRM_MARK patch, whereas the Linux 2.6.34 kernel
must be patched with

   http://download.strongswan.org/uml/xfrm_mark.patch.bz2

Kind regards

Andreas

On 10/15/2010 11:42 AM, David Deng wrote:
 Hi Andreas, Hi All,
 About the DSCP feature of strongswan, I want to know which patch has
 been applied for supporting this feature.
 Please give me a link to the information about this patch.  Thank you!
 Besides the code change in strongswan, does NETKEY need to be modified
 too? If so, can you tell me which option should be enabled, or how to
 make the Linux kernel (NETKEY) support this feature?
 Best wishes,
 David Morris

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==

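The mark-based SA selection that the linked net2net-psk-dscp scenario relies on, as an added example written for this page (it is not the strongSwan test scenario's own configuration and not from the list post). It assumes strongSwan 4.4.1 or newer with the mark keyword, a kernel with XFRM_MARK as Andreas describes, and iptables with the dscp match and MARK target; the gateway addresses, subnets, DSCP values and mark numbers are made up for illustration.

```shell
#!/bin/sh
# Added example, not from strongSwan or the list post: select one of two
# IPsec SAs with identical traffic selectors by DSCP, using XFRM marks.
# Assumes strongSwan >= 4.4.1 (mark= keyword), Linux >= 2.6.35 (XFRM_MARK)
# and iptables with the dscp match and MARK target.  All addresses, subnets,
# DSCP values and mark numbers are made up for illustration.

LOCAL_GW=192.168.0.1      # this gateway
REMOTE_GW=192.168.0.2     # peer gateway
LOCAL_NET=10.1.0.0/16     # subnet behind this gateway
REMOTE_NET=10.2.0.0/16    # subnet behind the peer

# DSCP -> mark: EF (46) gets its own SA (mark 20), everything else mark 10.
dscp_to_mark() {
    case "$1" in
        46) echo 20 ;;
        *)  echo 10 ;;
    esac
}

# ipsec.conf fragment: two conns with the same endpoints and subnets that
# differ only in their mark.  Without XFRM marks the kernel rejects the
# second policy as a duplicate; with marks both coexist and the mark on the
# packet decides which SA it uses.
print_ipsec_conf() {
    cat <<EOF
conn %default
    keyexchange=ikev2
    authby=secret
    left=$LOCAL_GW
    leftsubnet=$LOCAL_NET
    right=$REMOTE_GW
    rightsubnet=$REMOTE_NET
    auto=start

conn net-net-be
    mark=$(dscp_to_mark 0)

conn net-net-ef
    mark=$(dscp_to_mark 46)
EOF
}

# Print the iptables command, or run it when APPLY=1 (needs root).
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# mangle/PREROUTING rules.  Outbound: mark forwarded plaintext by its DSCP
# before the XFRM policy lookup, which for forwarded traffic runs before
# the FORWARD chain.  Inbound: on encapsulation the kernel copies the inner
# DSCP into the outer ESP header, so the same match on the arriving ESP
# packet sets the mark that selects the matching inbound SA.
# The catch-all is essential: a packet between the two sites that carries
# no mark matches neither policy and would be routed in the clear.
mark_rules() {
    ef=$(dscp_to_mark 46)
    be=$(dscp_to_mark 0)
    ipt -t mangle -A PREROUTING -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -m dscp --dscp 46 -j MARK --set-mark "$ef"
    ipt -t mangle -A PREROUTING -p esp -s "$REMOTE_GW" -d "$LOCAL_GW" \
        -m dscp --dscp 46 -j MARK --set-mark "$ef"
    ipt -t mangle -A PREROUTING -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -m mark --mark 0 -j MARK --set-mark "$be"
    ipt -t mangle -A PREROUTING -p esp -s "$REMOTE_GW" -d "$LOCAL_GW" \
        -m mark --mark 0 -j MARK --set-mark "$be"
}

case "${1:-}" in
    conf)  print_ipsec_conf ;;
    rules) mark_rules ;;
esac
```

Run it with conf to print the ipsec.conf fragment and with rules to print the iptables commands; set APPLY=1 to install the rules as root. The peer needs the mirror image of the same rules, and after `ipsec up` of both conns `ip xfrm state` should list two SA pairs for the same addresses that differ in their mark field.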