Re: [strongSwan] Security vulnerability
> If no load statement is given, the plugin configuration depends on your ./configure options. If you didn't --disable-gmp explicitly, it is built and used by default.

Does this apply even if we have a different version of gmp library (libgmp.so.3.4.1 in /usr/lib)?

On 6/4/2012 10:49 AM, Martin Willi wrote:
> Hi Andreas,
>
> > If the plugin gmp is in strongswan.conf not enabled, is it in use or not?
>
> If no load statement is given, the plugin configuration depends on your ./configure options. If you didn't --disable-gmp explicitly, it is built and used by default.
>
> > Is it possible to see all used plugins in strongswan?
>
> ipsec statusall lists all loaded plugins of a running daemon.
>
> Regards
> Martin

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Dynamic control of enabling/disabling plugins at run time?
Yes, we are using/controlling the strictcrlpolicy when we are enabling 'revocation'. Our systems' engineer wanted to have the plugin not even loaded when the 'revocation' is to be disabled.

On 6/1/2012 6:59 AM, Martin Willi wrote:
> Hi,
>
> > So, it would be ideal to have some sort of 'dynamic control at run time' in strongswan.conf to indicate which plugin is to be 'enabled/disabled'.
>
> Beside the load statement, there is currently no option to enable/disable the revocation plugin globally.
>
> Have you seen the ipsec.conf strictcrlpolicy that allows you to accept/reject certificates whose certificate status can not be obtained?
>
> Regards
> Martin
Re: [strongSwan] configuration error when trying to use --enable-curl
Thank You.

Unfortunately, our linux version is for running real-time sw and we do not have all kernel modules. Looking at ours now, we do not have ldconfig...

The libexec/ipsec/plugins have all strongswan-*.so plugins and they are being loaded properly. I'm a bit confused why these strongswan-*.so can be loaded but not the libcurl.so?

On 5/31/2012 2:52 AM, Martin Willi wrote:
> Hi,
>
> > I have libcurl.so in the libexec/ipsec/plugins directory.
>
> Your dynamic linker probably doesn't look for libraries, there. All the libstrongswan-* plugins are not loaded implicitly by the linker, but by dlopen().
>
> > Any reason why it is failing to load? I tried to put libcurl.so in /usr/lib, /lib but no difference in the error.
>
> Have you upgraded your ld cache using ldconfig? man ldconfig for details...
>
> Regards
> Martin
[strongSwan] Dynamic control of enabling/disabling plugins at run time?
Hi,

We were trying to work with revocation plugin. In our current system requirement, it is necessary to control the activation of this plugin. The compilation of two separate images is not possible because of the flash memory device limitation.

The only way we could do was to manually use 'load=' to control which plugins to load and proper order. This creates a tremendous upgrade problem.

So, it would be ideal to have some sort of 'dynamic control at run time' in strongswan.conf to indicate which plugin is to be 'enabled/disabled'.

Could it be possible for enhancement?

Thanks Much in advance,
-Yong Choo
Re: [strongSwan] configuration error when trying to use --enable-curl
Thank You. Looks like that solved one problem but produced the following error:

configure:15460: checking curl/curl.h usability
configure:15460: powerpc-wrs-linux-gnu-ppc_e500v2-glibc_cgl-gcc -c -g -O2 -fomit-frame-pointer -D__USE_STRING_INLINES -pipe -DDEBUG_LEVEL=3 conftest.c >&5
conftest.c:80:23: error: curl/curl.h: No such file or directory

The curl/curl.h file is located in ./INSTALL_STAGE/curl-7.25.0/usr/local/include/curl/curl.h

Any config variable that we can use to point to our cross-compilation area? Looks like CPPFLAGS?

On 5/29/2012 3:51 AM, Martin Willi wrote:
> Hi,
>
> > LDFLAGS=/local/user_data/mkpne_yhc_yhc_ltefdd_la6.0_112784/eccm/build/INSTALL_STAGE/curl-7.25.0/usr/local/li)
>
> LDFLAGS takes linker options, not only the directory. Try to prepend -L:
>
> LDFLAGS=-L/local/...
>
> Regards
> Martin
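
Added example, not part of the messages above: a small pre-flight check for the two failures in this thread, a bare directory passed in LDFLAGS and a staged header that configure cannot find. The function names and the `<prefix>/include`, `<prefix>/lib` staging layout are assumptions; CPPFLAGS with -I is the standard autoconf variable for header search paths and is not confirmed by a reply on this page.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the staging
# layout (<prefix>/include, <prefix>/lib) are illustrative assumptions.

# bare_dirs "<flags>": print every token that is a path with no option
# prefix. Such a token is handed to the linker as an input file, which is
# what produces "file not recognized: Is a directory".
bare_dirs() {
    for bd_tok in $1; do
        case "$bd_tok" in
            -*) ;;                               # -L, -I, -l, -Wl,... are options
            /*|./*|../*) printf '%s\n' "$bd_tok" ;;
        esac
    done
}

# stage_flags <prefix>: check that the staged libcurl is complete, then
# print the variables to pass to ./configure. Paths containing spaces
# are not supported.
stage_flags() {
    sf_inc="$1/include"
    sf_lib="$1/lib"
    if [ ! -f "$sf_inc/curl/curl.h" ]; then
        echo "missing header: $sf_inc/curl/curl.h" >&2
        return 1
    fi
    if ! ls "$sf_lib"/libcurl.* >/dev/null 2>&1; then
        echo "no libcurl.a or libcurl.so in $sf_lib" >&2
        return 1
    fi
    printf 'CPPFLAGS=-I%s LDFLAGS=-L%s\n' "$sf_inc" "$sf_lib"
}

# Demo on a constructed value: the bare directory is reported, the -L form is not.
bare_dirs "/stage/curl/usr/local/lib"
bare_dirs "-L/stage/curl/usr/local/lib -lcurl"
```

The output of stage_flags can be appended to the configure command line, for example `./configure --enable-curl $(stage_flags "$STAGE")` with STAGE pointing at the staged usr/local directory. The run-time location of libcurl.so on the target is a separate matter handled by the dynamic linker.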
Re: [strongSwan] configuration error when trying to use --enable-curl
Thank You.

When I used LDFLAGS to point the proper directory, now there is the following problem seen in the process of configuration: Perhaps there is a bug? or some other mechanism that I'm not aware of?

(Note that LDFLAGS=/local/user_data/mkpne_yhc_yhc_ltefdd_la6.0_112784/eccm/build/INSTALL_STAGE/curl-7.25.0/usr/local/li)

configure:5989: $? = 1
configure:6009: checking whether the C compiler works
configure:6031: powerpc-wrs-linux-gnu-ppc_e500v2-glibc_cgl-gcc -g -O2 -fomit-frame-pointer -D__USE_STRING_INLINES -pipe -DDEBUG_LEVEL=3 /local/user_data/mkpne_yhc_yhc_ltefdd_la6.0_112784/eccm/build/INSTALL_STAGE/curl-7.25.0/usr/local/lib conftest.c >&5
/local/user_data/mkpne_yhc_yhc_ltefdd_la6.0_112784/eccm/build/INSTALL_STAGE/curl-7.25.0/usr/local/lib: file not recognized: Is a directory
collect2: ld returned 1 exit status

On 5/25/2012 9:01 AM, Martin Willi wrote:
> > Do you mean that strongswan needs this libcurl.so when curl plugin is loaded at runtime?
>
> Yes.
>
> > If so, then where should this libcurl.so be located at run time, e.g. as a part of all other strongswan's .so file location?
>
> Wherever your dynamic linker looks for shared libraries, usually /usr/lib, maybe /usr/local/lib. man ld.so and ldconfig for details.
>
> Regards
> Martin
[strongSwan] configuration error when trying to use --enable-curl
Hi,

We are trying to have --enable-curl plugin be a part of the image using _*cross-compilation*_ for power-pc (not the native linux host)

We have downloaded the latest curl version from http://curl.haxx.se/download.html

We were able to compile and generate a libcurl.a in ./INSTALL_STAGE/curl-7.25.0/usr/lib/libcurl.a

We tried to compile for strongswan but in the 'configuration' stage, we get the following error:

configure:15423: checking for main in -lcurl
configure:15442: powerpc-wrs-linux-gnu-ppc_e500v2-glibc_cgl-gcc -o conftest -g -O2 -fomit-frame-pointer -D__USE_STRING_INLINES -pipe -DDEBUG_LEVEL=3 conftest.c -lcurl >&5
/vobs/ngp_windriver/windriver_pne2.0/gnu/4.1-wrlinux-2.0/x86-linux2/bin/../lib/gcc/powerpc-wrs-linux-gnu/4.1.2/../../../../powerpc-wrs-linux-gnu/bin/ld: cannot find -lcurl

How do we specify how to find the library for curl (libcurl.a)? I don't think it is --lib

(I tried to build the strongswan in the native linux host machine and everything is fine.)

Thanks in advance,
-Yong Choo
Re: [strongSwan] How to disable 'CRL' in strongswan.conf?
Thanks Much! Yes it would be sufficient for 'dynamic purpose' in our situation!

So to be sure:

charon {
  ...
  load = revocation
}
-- charon would load the 'revocation' plugin

charon {
  ...
}
-- charon would NOT load the 'revocation' plugin

Correct?

ps. The statement in the release note was what got me confused, i.e. I thought that without 'load', the statement led me to believe that the revocation plugin is automatically loaded in :)

_OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled by default._

-Yong Choo

On 1/9/2012 10:43 PM, Andreas Steffen wrote:
> Hello Yong Choo,
>
> you can do that with an explicit load statement in strongswan.conf. Just prepare two versions of strongswan.conf - one with the revocation plugin in the load statement and one without it. Depending on the situation you either start strongSwan with one strongswan.conf or the second one. Is this dynamical enough?
>
> Regards
> Andreas
>
> On 09.01.2012 20:59, Yong Choo wrote:
> > Searching in database, I came up on the following in http://www.mail-archive.com/users@lists.strongswan.org/msg03918.html
> >
> > So, the question is 'how not to load the revocation plugin when it is already enabled by default?'
> >
> > -Original Message-
> > From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
> > Sent: Thursday, 24 November 2011 12:51
> > To: ABULIUS, MUGUR (MUGUR)
> > Cc: users@lists.strongswan.org; SCARAZZINI, FABRICE (FABRICE); Pisano, Stephen G (Stephen); WASNIEWSKI, ALAIN (ALAIN)
> > Subject: Re: [strongSwan] How to bypass CRL checks?
> >
> > Hello Mugur,
> >
> > with IKEv2 revocation checks can be easily disabled by not loading the revocation plugin. What is not possible is to disable CRL checking on a per connection definition basis.
> >
> > Regards
> > Andreas
> >
> > On 1/9/2012 12:30 PM, Yong Choo wrote:
> > > Hi,
> > >
> > > Looking at http://wiki.strongswan.org/projects/1/wiki/441,
> > >
> > > OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled by default. Please update manual load directives in strongswan.conf.
> > >
> > > How can I disable this plugin dynamically? We have a need of dynamically controlling the loading of plugin at run-time.
> > >
> > > Thanks Much,
> > > -Yong Choo
>
> ==
> Andreas Steffen andreas.stef...@strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[ITA-HSR]==
Re: [strongSwan] How to disable 'CRL' in strongswan.conf?
Oh, I have to specify all...

On your statement of "in the correct order"
-- What is the best way of determining the correct order? Will the output list of strongswan be sufficient for the proper order, e.g. aes des sha1 sha2 md5 random ... as in your example?
-- If the order is not proper, how can I determine the proper order? What error messages would I get? What debug level should I set at (currently it is set to 0)?

Perhaps it would be another 'feature' to have a simpler way of identifying/controlling the plugin loading capability?

Thanks Much,
-Yong Choo

On 1/10/2012 7:54 AM, Martin Willi wrote:
> > Correct?
>
> No, you'll have to define the complete list of plugins you'd like to load, in the correct order.
>
> The best way to get this list for your configuration is to start strongswan and look for the line
>
> loaded plugins: aes des sha1 sha2 md5 random ...
>
> Then use this plugin list in the load statement. To skip loading of the revocation plugin, remove it from the list.
>
> Regards
> Martin
[strongSwan] How to disable 'CRL' in strongswan.conf?
Hi,

Looking at http://wiki.strongswan.org/projects/1/wiki/441,

OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled by default. Please update manual load directives in strongswan.conf.

How can I disable this plugin dynamically? We have a need of dynamically controlling the loading of plugin at run-time.

Thanks Much,
-Yong Choo
Re: [strongSwan] How to disable 'CRL' in strongswan.conf?
Searching in database, I came up on the following in http://www.mail-archive.com/users@lists.strongswan.org/msg03918.html

So, the question is 'how not to load the revocation plugin when it is already enabled by default?'

-Original Message-
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: Thursday, 24 November 2011 12:51
To: ABULIUS, MUGUR (MUGUR)
Cc: users@lists.strongswan.org; SCARAZZINI, FABRICE (FABRICE); Pisano, Stephen G (Stephen); WASNIEWSKI, ALAIN (ALAIN)
Subject: Re: [strongSwan] How to bypass CRL checks?

Hello Mugur,

with IKEv2 revocation checks can be easily disabled by not loading the revocation plugin. What is not possible is to disable CRL checking on a per connection definition basis.

Regards
Andreas

On 1/9/2012 12:30 PM, Yong Choo wrote:
> Hi,
>
> Looking at http://wiki.strongswan.org/projects/1/wiki/441,
>
> OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled by default. Please update manual load directives in strongswan.conf.
>
> How can I disable this plugin dynamically? We have a need of dynamically controlling the loading of plugin at run-time.
>
> Thanks Much,
> -Yong Choo
Re: [strongSwan] IPV6 'connection' bug? (in 4.3.3 with linux 2.6.21)
Hi all,

I progressed much further. I had to manually load additional modules for IPV6 operation (For IPv4 type, ipsec automatically loads 'ah4, esp4, tunnel4, xfrm4_tunnel')

modprobe ah6
modprobe esp6
modprobe tunnel6
modprobe xfrm6_tunnel

Are there any other modules that I need to load for IPV6?

Yong Choo wrote:
> Hi,
>
> I'm getting the following errors on my linux 2.6.21 based using strongswan 4.3.3 version: Any Help would be appreciated! (The host that I'm communicating with has 2.6.27 and it has no problem)
>
> I configured/checked all required IPV6 kernel protocols in linux 2.6.21 as defined in the installation document url also.
>
> eCCM-root-/etc ipsec up enb12v6
> initiating IKE_SA enb12v6[1] to fd00::410:172:21:10:181
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from fd00::410:172:21:10:12[500] to fd00::410:172:21:10:181[500]
> received packet: from fd00::410:172:21:10:181[500] to fd00::410:172:21:10:12[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> authentication of 'fd00::410:172:21:10:12' (myself) with pre-shared key
> establishing CHILD_SA enb12v6
> generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) ]
> sending packet: from fd00::410:172:21:10:12[500] to fd00::410:172:21:10:181[500]
> received packet: from fd00::410:172:21:10:181[500] to fd00::410:172:21:10:12[500]
> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
> authentication of 'fd00::410:172:21:10:181' with pre-shared key successful
> scheduling rekeying in 50s
> maximum IKE_SA lifetime 370s
> IKE_SA enb12v6[1] established between fd00::410:172:21:10:12[fd00::410:172:21:10:12]...fd00::410:172:21:10:181[fd00::410:172:21:10:181]
> received netlink error: Protocol not supported (93)
> unable to add SAD entry with SPI c05a60aa
> received netlink error: Protocol not supported (93)
> unable to add SAD entry with SPI c48cd085
> unable to install inbound and outbound IPsec SA (SAD) in kernel
>
> The ipsec.conf has the following entries:
>
> config setup
>     plutostart=no
>
> conn %default
>     auth=esp
>     dpdaction=restart
>     dpddelay=50s
>     esp=aes128-sha1-modp1024,3des-sha1-modp1024
>     forceencaps=no
>     ike=aes128-sha-modp1024,3des-sha-modp1024
>     ikelifetime=500s
>     installpolicy=yes
>     keyexchange=ikev2
>     keyingtries=%forever
>     keylife=400s
>     mobike=no
>     pfs=yes
>     reauth=no
>     rekey=yes
>     rekeymargin=320s
>     type=tunnel
>     leftauth=psk
>     rightauth=psk
>
> conn enb12v4
>     left=135.112.41.22
>     right=135.112.40.181
>     auto=add
>
> conn enb12v6
>     left=fd00:::410:172:21:10:12
>     #leftsourceip=fd00:::410:172:21:10:12
>     leftsubnet=fd00::12/64
>     right=fd00:::410:172:21:10:181
>     rightsubnet=fd00::181/64
>     auto=add
[strongSwan] IPV6 'connection' bug? (in 4.3.3 with linux 2.6.21)
Hi,

I'm getting the following errors on my linux 2.6.21 based using strongswan 4.3.3 version: Any Help would be appreciated! (The host that I'm communicating with has 2.6.27 and it has no problem)

I configured/checked all required IPV6 kernel protocols in linux 2.6.21 as defined in the installation document url also.

eCCM-root-/etc ipsec up enb12v6
initiating IKE_SA enb12v6[1] to fd00::410:172:21:10:181
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from fd00::410:172:21:10:12[500] to fd00::410:172:21:10:181[500]
received packet: from fd00::410:172:21:10:181[500] to fd00::410:172:21:10:12[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
authentication of 'fd00::410:172:21:10:12' (myself) with pre-shared key
establishing CHILD_SA enb12v6
generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) ]
sending packet: from fd00::410:172:21:10:12[500] to fd00::410:172:21:10:181[500]
received packet: from fd00::410:172:21:10:181[500] to fd00::410:172:21:10:12[500]
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
authentication of 'fd00::410:172:21:10:181' with pre-shared key successful
scheduling rekeying in 50s
maximum IKE_SA lifetime 370s
IKE_SA enb12v6[1] established between fd00::410:172:21:10:12[fd00::410:172:21:10:12]...fd00::410:172:21:10:181[fd00::410:172:21:10:181]
received netlink error: Protocol not supported (93)
unable to add SAD entry with SPI c05a60aa
received netlink error: Protocol not supported (93)
unable to add SAD entry with SPI c48cd085
unable to install inbound and outbound IPsec SA (SAD) in kernel

The ipsec.conf has the following entries:

config setup
    plutostart=no

conn %default
    auth=esp
    dpdaction=restart
    dpddelay=50s
    esp=aes128-sha1-modp1024,3des-sha1-modp1024
    forceencaps=no
    ike=aes128-sha-modp1024,3des-sha-modp1024
    ikelifetime=500s
    installpolicy=yes
    keyexchange=ikev2
    keyingtries=%forever
    keylife=400s
    mobike=no
    pfs=yes
    reauth=no
    rekey=yes
    rekeymargin=320s
    type=tunnel
    leftauth=psk
    rightauth=psk

conn enb12v4
    left=135.112.41.22
    right=135.112.40.181
    auto=add

conn enb12v6
    left=fd00:::410:172:21:10:12
    #leftsourceip=fd00:::410:172:21:10:12
    leftsubnet=fd00::12/64
    right=fd00:::410:172:21:10:181
    rightsubnet=fd00::181/64
    auto=add
[strongSwan] setkey equivalent tool available?
Is there a tool in strongSwan which performs the functions as in 'setkey' in racoon?

Thanks,
-Yong Cho
Re: [strongSwan] MODP_2048?
Thank you! I will look into my build area and the target board.

-Yong Choo

Andreas Steffen wrote:
> Hi,
>
> the error message:
>
> *configured DH group MODP_2048 not supported*
>
> means that neither the gmp nor the openssl plugin could be loaded successfully which implement the big number arithmetic required for the Diffie-Hellman groups.
>
> The command
>
> ipsec statusall
>
> should list either gmp and|or openssl in the line
>
> loaded plugins:
>
> and the command
>
> ipsec listalgs
>
> should list all Diffie Hellman groups:
>
> dh-group: MODP_2048 MODP_1536 MODP_3072 MODP_4096 MODP_6144 MODP_8192 MODP_1024 MODP_768
>
> with the gmp plugin plus
>
> ECP_192 ECP_224 ECP_256 ECP_384 ECP_521
>
> with the openssl plugin.
>
> By default strongSwan compiles and loads the gmp plugin which in turn requires the GNU Multiprecision library (libgmp3) including the header file /usr/include/gmp.h.
>
> Alternatively you can activate the openssl plugin (./configure --enable-openssl) which requires the libcrypto-0.9.8 library plus the /usr/include/openssl/ header files.
>
> Best regards
>
> Andreas
>
> Yong Choo wrote:
> > Hi all,
> >
> > I'm trying to 'execute' the following (on a cross-compiled PowerPC Linux for a telecommunication board):
> >
> > ipsec up net-enb40 (where I have the connectivity setup in the ipsec.config)
> >
> > I'm getting the following error:
> >
> > *configured DH group MODP_2048 not supported*
> >
> > I think I'm missing a kernel option?. We are using Wind River Linux PNE2.0 version. Does anyone know how to turn this 'MODP_2048' on?
> >
> > Thanks Much!
>
> ==
> Andreas Steffen andreas.stef...@strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[ITA-HSR]==
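
Added example, not part of the messages above and not strongSwan code: it reads the "loaded plugins:" line that the replies in the "How to disable 'CRL'" and "MODP_2048?" threads point to, reports whether the revocation plugin and a Diffie-Hellman provider (gmp or openssl) are loaded, and writes an explicit load statement that keeps the plugin order but omits one plugin. The sample `ipsec statusall` text and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not strongSwan code. Function names are illustrative.

# Constructed sample of `ipsec statusall` output; only the
# "loaded plugins:" line is used.
SAMPLE_STATUSALL='Status of IKEv2 charon daemon (constructed sample):
  uptime: 5 minutes
  loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey gmp hmac stroke kernel-netlink'

# loaded_plugins: read statusall output on stdin, print the plugin names
# from the first "loaded plugins:" line, single-space separated, in order.
loaded_plugins() {
    awk '/^[ \t]*loaded plugins:/ {
        sub(/^[ \t]*loaded plugins:[ \t]*/, "")
        gsub(/[ \t]+/, " "); sub(/ $/, "")
        print; exit
    }'
}

# has_plugin "<list>" <name>: succeed only if <name> is a whole entry,
# so "netlink" does not match "kernel-netlink".
has_plugin() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# load_without "<list>" <name>: print a strongswan.conf charon section
# whose load statement keeps the order of <list> and omits <name>.
load_without() {
    lw_out=""
    for lw_p in $1; do
        [ "$lw_p" = "$2" ] || lw_out="$lw_out $lw_p"
    done
    printf 'charon {\n  load =%s\n}\n' "$lw_out"
}

# audit_plugins: read statusall output on stdin and report what the
# plugin list implies for revocation checking and DH group support.
audit_plugins() {
    ap_list=$(loaded_plugins)
    if [ -z "$ap_list" ]; then
        echo "no 'loaded plugins:' line found"
        return 2
    fi
    if has_plugin "$ap_list" revocation; then
        echo "revocation: loaded"
    else
        echo "revocation: NOT loaded (no IKEv2 OCSP/CRL checking)"
    fi
    if has_plugin "$ap_list" gmp || has_plugin "$ap_list" openssl; then
        echo "dh: provider loaded"
    else
        echo "dh: no gmp/openssl (MODP groups unavailable)"
    fi
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_STATUSALL" | audit_plugins
load_without "$(printf '%s\n' "$SAMPLE_STATUSALL" | loaded_plugins)" revocation
```

On a live system the input would be `ipsec statusall | audit_plugins`; a daemon reported as "revocation: NOT loaded" accepts IKEv2 peer certificates without OCSP/CRL status checks, so that result is worth alerting on wherever revocation is expected to be active.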
Re: [strongSwan] MODP_2048?
FYI: The linux version for the board is 2.6.21.7. And the snip of the ipsec.conf for this is (very simple):

conn net-enb40
    left=135.39.111.226
    right=135.185.91.86
    auto=add

and I'm using Predefined Key for these two.

Yong Choo wrote:
> Hi all,
>
> I'm trying to 'execute' the following (on a cross-compiled PowerPC Linux for a telecommunication board):
>
> ipsec up net-enb40 (where I have the connectivity setup in the ipsec.config)
>
> I'm getting the following error:
>
> *configured DH group MODP_2048 not supported*
>
> I think I'm missing a kernel option?. We are using Wind River Linux PNE2.0 version. Does anyone know how to turn this 'MODP_2048' on?
>
> Thanks Much!
[strongSwan] charon supports ipv4 or ipv6?
Hi all,

I want to enable charon and disable pluto in order to limit to IKEv2 without 'mobike'. When I enable charon in ipsec.conf,

- does charon support only ipv6? (It was not clear whether this is the default behavior for 'charon' in the description http://www.strongswan.org/index.htm)
- I read pluto man page where the usage of ipv4/6 can be controlled by --ipv4 --ipv6, --tunnelipv4, --tunnelipv6 options but it was not clear on the charon.
- man page on the ipsec.config did not mention about controlling ipv4 .vs. ipv6.

Thanks Again,
-Yong Choo
Re: [strongSwan] charon supports ipv4 or ipv6?
Auto Detect! The Best! Thank You!

Andreas Steffen wrote:
> Hi Yong Choo,
>
> we don't use the --ipv4, --ipv6, --tunnelipv4, and --tunnelipv6 options at all. I think they are FreeS/WAN legacy and should be removed from our man pages.
>
> Both strongSwan pluto and strongSwan charon detect IPv4 and IPv6 addresses automatically, so you don't have to give any explicit IP address family hints.
>
> Here are a couple of charon IPv4 and IPv6 example configurations:
>
> http://wiki.strongswan.org/wiki/strongswan/IKEv2Examples
>
> Regards
> Andreas
>
> Yong Choo wrote:
> > Hi all,
> >
> > I want to enable charon and disable pluto in order to limit to IKEv2 without 'mobike'. When I enable charon in ipsec.conf,
> >
> > - does charon support only ipv6? (It was not clear whether this is the default behavior for 'charon' in the description http://www.strongswan.org/index.htm)
> > - I read pluto man page where the usage of ipv4/6 can be controlled by --ipv4 --ipv6, --tunnelipv4, --tunnelipv6 options but it was not clear on the charon.
> > - man page on the ipsec.config did not mention about controlling ipv4 .vs. ipv6.
> >
> > Thanks Again,
> > -Yong Choo
>
> ==
> Andreas Steffen andreas.stef...@strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[ITA-HSR]==
Re: [strongSwan] charon supports ipv4 or ipv6?
Will the charon's log show the auto-detected ipv4 .vs. ipv6 per connection? I looked at the daemon.log auth.log example but did not see. Perhaps I need to enable more charon debug level?

Yong Choo wrote:
> Auto Detect! The Best! Thank You!
>
> Andreas Steffen wrote:
> > Hi Yong Choo,
> >
> > we don't use the --ipv4, --ipv6, --tunnelipv4, and --tunnelipv6 options at all. I think they are FreeS/WAN legacy and should be removed from our man pages.
> >
> > Both strongSwan pluto and strongSwan charon detect IPv4 and IPv6 addresses automatically, so you don't have to give any explicit IP address family hints.
> >
> > Here are a couple of charon IPv4 and IPv6 example configurations:
> >
> > http://wiki.strongswan.org/wiki/strongswan/IKEv2Examples
> >
> > Regards
> > Andreas
> >
> > Yong Choo wrote:
> > > Hi all,
> > >
> > > I want to enable charon and disable pluto in order to limit to IKEv2 without 'mobike'. When I enable charon in ipsec.conf,
> > >
> > > - does charon support only ipv6? (It was not clear whether this is the default behavior for 'charon' in the description http://www.strongswan.org/index.htm)
> > > - I read pluto man page where the usage of ipv4/6 can be controlled by --ipv4 --ipv6, --tunnelipv4, --tunnelipv6 options but it was not clear on the charon.
> > > - man page on the ipsec.config did not mention about controlling ipv4 .vs. ipv6.
> > >
> > > Thanks Again,
> > > -Yong Choo
> >
> > ==
> > Andreas Steffen andreas.stef...@strongswan.org
> > strongSwan - the Linux VPN Solution! www.strongswan.org
> > Institute for Internet Technologies and Applications
> > University of Applied Sciences Rapperswil
> > CH-8640 Rapperswil (Switzerland)
> > ===[ITA-HSR]==
[strongSwan] cross-compilation
I've updated gmp to 4.2.1 on the cross-compilation build (under WindRiver Linux Distribution for the mpc arch). The gmp.h file is put into ./build/INSTALL_STAGE/gmp-4.2.1/usr/include/gmp.h (by looking at the build log)

When I tried to do package installation/compilation (under WindRiver) for strongswan 4.3.2, I get the following error:

checking gmp.h version >= 4.1.4... no
configure: error: No usable gmp.h found!

Any suggestion on what I can give as an option to recognize the proper location/version of 'gmp.h'? (or not possible)

The .configure options that are used are:

+ ./configure --host=powerpc-wrs-linux-gnu --build=i686-crosscompile-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --cache-file=wrs_config_cache

Thanks Much!
-Yong Choo