Re: [strongSwan] Same credentials, different IDs

2016-11-21 Thread Noel Kuntze
On 22.11.2016 01:41, Alexander Hill wrote:
> Is there any way of achieving this?
Nope. Credentials are invariably connected to the ID they authenticate the peer for.

-- 

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

[strongSwan] Same credentials, different IDs

2016-11-21 Thread Alexander Hill
Hi list,

I have many effectively identical roadwarrior clients being assigned
dynamic virtual IPs. What I'd like is to have clients use the same
certificate/key, but identify themselves differently (e.g. by their
hostname). Essentially I just want each client to be able to give itself an
arbitrary id so that when I do `ipsec leases` on the server, I can see
which device is which, without having to reissue certificates or assign a
new PSK every time a device is added to the fleet.

Is there any way of achieving this?

Cheers,
Alex

[strongSwan] StrongSWAN 5.3.5 <-> Dell Sonicwall showing multiple connections

2016-11-21 Thread Mahesh Neelakanta
I am trying to set up an IKEv2 VPN connection between a strongSwan 5.3.5
system and a Dell Sonicwall. In doing so, it seems like the strongSwan side
sees the connection as up but the Sonicwall side does not. Furthermore, the
statusall output shows what looks like a second connection/tunnel trying to
be established.

Any ideas/suggestions appreciated. Logs are large so I've put them on
pastebin.

*Log output (level 2)*

http://pastebin.com/mZEkRTTp

*Config*

config setup
   uniqueids=no

conn %default
   left=%defaultroute
   leftid=51.15.85.15
   keyingtries=%forever
   keyexchange=ikev1
   type=tunnel
   compress=no
   authby=secret
   auto=start
   dpdaction=none

conn vpn-basf-prd  #NOAUTO
   leftsubnet=51.76.21.161/32   # enterprise-mirth-01
   right=191.25.81.121
   rightid=191.25.81.121
   rightsubnet=10.10.10.105/32
   ike=aes256-sha1-modp1024
   esp=aes256-sha1-modp1024
   keyexchange=ikev2
   ikelifetime=86400s
   keylife=28800s


*ipsec statusall output*

vpn-basf-prd:  %any...191.25.81.121  IKEv2
vpn-basf-prd:   local:  [51.15.85.15] uses pre-shared key authentication
vpn-basf-prd:   remote: [191.25.81.121] uses pre-shared key authentication
vpn-basf-prd:   child:  51.76.21.161/32 === 10.10.10.105/32 TUNNEL
vpn-basf-prd[73]: ESTABLISHED 2 seconds ago, 10.20.1.18[51.15.85.15]...191.25.81.121[191.25.81.121]
vpn-basf-prd[73]: IKEv2 SPIs: 41cb5d5c3cb88170_i 51f00949b54db925_r*, pre-shared key reauthentication in 23 hours
vpn-basf-prd[73]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
vpn-basf-prd{141}:  INSTALLED, TUNNEL, reqid 128, ESP in UDP SPIs: cb81da30_i 84d00d14_o
vpn-basf-prd{141}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 168 bytes_o (2 pkts, 1s ago), rekeying in 7 hours
vpn-basf-prd{141}:   51.76.21.161/32 === 10.10.10.105/32
vpn-basf-prd[19]: CONNECTING, 10.20.1.18[51.15.85.15]...191.25.81.121[191.25.81.121]
vpn-basf-prd[19]: IKEv2 SPIs: 5e925fa468fc0409_i* f367cd479c87f8a7_r
vpn-basf-prd[19]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
vpn-basf-prd[19]: Tasks active: IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIK
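The thing to watch in that status output is the pair of IKE_SAs (#73 ESTABLISHED, #19 CONNECTING) to the same peer, which `uniqueids=no` permits because charon then never replaces an existing IKE_SA with a newer one. The following script is an added example, not code from the post or from strongSwan: it parses `ipsec statusall` lines (copied from the post above with the mail wrapping undone) and reports every connection that has more than one IKE_SA to the same remote host.

```python
import re
from collections import defaultdict

# Lines from the post above, with the mail client's line wrapping undone.
STATUSALL = """\
vpn-basf-prd:  %any...191.25.81.121  IKEv2
vpn-basf-prd[73]: ESTABLISHED 2 seconds ago, 10.20.1.18[51.15.85.15]...191.25.81.121[191.25.81.121]
vpn-basf-prd[73]: IKEv2 SPIs: 41cb5d5c3cb88170_i 51f00949b54db925_r*, pre-shared key reauthentication in 23 hours
vpn-basf-prd{141}:  INSTALLED, TUNNEL, reqid 128, ESP in UDP SPIs: cb81da30_i 84d00d14_o
vpn-basf-prd[19]: CONNECTING, 10.20.1.18[51.15.85.15]...191.25.81.121[191.25.81.121]
vpn-basf-prd[19]: IKEv2 SPIs: 5e925fa468fc0409_i* f367cd479c87f8a7_r
"""

# IKE_SA state names as charon prints them; any other first word after the
# "conn[id]:" prefix belongs to a proposal, SPI or task line, not a new SA.
IKE_STATES = {"CREATED", "CONNECTING", "ESTABLISHED", "PASSIVE",
              "REKEYING", "REKEYED", "DELETING", "DESTROYING"}
IKE_RE = re.compile(r"^(?P<conn>[^\[\s]+)\[(?P<id>\d+)\]:\s+(?P<state>[A-Z]+)")
PEER_RE = re.compile(r"(?P<lhost>\S+)\[(?P<lid>[^\]]+)\]\.\.\.(?P<rhost>\S+)\[(?P<rid>[^\]]+)\]")

def parse_ike_sas(text):
    """Map each IKE_SA unique id to its conn, state and remote host/ID."""
    sas = {}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if not m or m.group("state") not in IKE_STATES:
            continue  # CHILD_SA ("conn{id}") and conn header lines never match
        peer = PEER_RE.search(line)
        sas[int(m.group("id"))] = {
            "conn": m.group("conn"),
            "state": m.group("state"),
            "remote": peer.group("rhost") if peer else None,
            "remote_id": peer.group("rid") if peer else None,
        }
    return sas

def duplicate_peers(sas):
    """Return {(conn, remote): [(id, state), ...]} for peers with >1 IKE_SA.
    With uniqueids=no charon keeps the old IKE_SA when a new one comes up,
    which is the condition behind the ESTABLISHED/CONNECTING pair above."""
    by_peer = defaultdict(list)
    for uid, sa in sorted(sas.items()):
        by_peer[(sa["conn"], sa["remote"])].append((uid, sa["state"]))
    return {k: v for k, v in by_peer.items() if len(v) > 1}

if __name__ == "__main__":
    for (conn, remote), entries in duplicate_peers(parse_ike_sas(STATUSALL)).items():
        print(f"{conn}: {len(entries)} IKE_SAs to {remote}: {entries}")
```

Run it against `ipsec statusall` output from a live system to see whether the duplicate SA persists or is only a transient from a reauthentication.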

Re: [strongSwan] leftsubnet and loopback problem

2016-11-21 Thread John Brown
2016-11-21 11:10 GMT+01:00 John Brown :

>
>
> 2016-11-21 11:03 GMT+01:00 Tobias Brunner :
>
>> Hi John,
>>
>> > ip address add dev lo 10.2.3.4/32
>> > ...
>> > Nov 17 10:56:43 127 daemon.info charon: 16[KNL] no local address found
>> in traffic selector 10.2.3.4/32
>> > ...
>> > I'm using: Linux strongSwan U4.5.2/K3.4.113
>>
>> That's really old.  Back then loopback interfaces were not considered.
>> You need at least 5.0.1 for that.
>>
>> Regards,
>> Tobias
>>
>
>
>
Hi Tobias,
Sorry for previous empty message, sent by mistake.

Thank you for your answer.

I was just going to write here, that I've tested this on sswan 5.2.1 and it
works.

Regards,
John

Re: [strongSwan] leftsubnet and loopback problem

2016-11-21 Thread John Brown
2016-11-21 11:03 GMT+01:00 Tobias Brunner :

> Hi John,
>
> > ip address add dev lo 10.2.3.4/32
> > ...
> > Nov 17 10:56:43 127 daemon.info charon: 16[KNL] no local address found
> in traffic selector 10.2.3.4/32
> > ...
> > I'm using: Linux strongSwan U4.5.2/K3.4.113
>
> That's really old.  Back then loopback interfaces were not considered.
> You need at least 5.0.1 for that.
>
> Regards,
> Tobias
>

Re: [strongSwan] leftsubnet and loopback problem

2016-11-21 Thread Tobias Brunner
Hi John,

> ip address add dev lo 10.2.3.4/32
> ...
> Nov 17 10:56:43 127 daemon.info charon: 16[KNL] no local address found in 
> traffic selector 10.2.3.4/32
> ...
> I'm using: Linux strongSwan U4.5.2/K3.4.113

That's really old.  Back then loopback interfaces were not considered.
You need at least 5.0.1 for that.

Regards,
Tobias
