> The 6.11 kernel will get the stable patches from 6.12 longterm tree, so
6.11 will include the fix automatically.
Great, thanks.
> Since you are the author of the fix, if you could backport the fix to
6.6 longterm tree, the ubuntu-6.8 kernel will include the fix
automatically as well.
6.6 is not
Public bug reported:
Since kernel v6.7, GRO offloading of UDP-encapsulated ESP packets is
supported. This is enabled for individual UDP sockets via the
UDP_ENCAP_ESPINUDP and UDP_GRO options.
Unfortunately, the original implementation caused issues in some cases.
In particular, if the esp4_offloa
Public bug reported:
In one of our projects we use Mpz_Init_Set_Str(). In the bindings of
previous versions of libgmpada this was defined as follows:
procedure Mpz_Init_Set_Str (Result :out int;
Rop:out Mpz_T;
Str: i
I see. Maybe you could provide them with an installer script (could
perhaps even configure the complete VPN connection via nmcli).
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2076421
Title:
IKev2
As I wrote above, you can avoid the issue with a simple config change
(it's basically the same thing the patch does).
https://bugs.launchpad.net/bugs/2076421
Title:
IKev2 VPN generates
Yep, now it worked. Thanks!
https://bugs.launchpad.net/bugs/2079970
Title:
Debug symbols are unavailable for 3.0.2-0ubuntu1.18 (security update)
Hi Eduardo,
Thanks for looking into this issue. Unfortunately, the file
http://ddebs.ubuntu.com/dists/jammy-updates/main/binary-amd64/Packages
still lists 3.0.2-0ubuntu1.17 as version for libssl3-dbgsym. The
timestamp of the file is 2024-08-23 00:44, so I guess it wasn't
updated/synced. Or maybe i
Public bug reported:
The latest debug symbols (libssl3-dbgsym) available are for
3.0.2-0ubuntu1.17. Since they have a hard dependency on that version of
the library, the installation currently fails with:
libssl3-dbgsym : Depends: libssl3 (= 3.0.2-0ubuntu1.17) but
3.0.2-0ubuntu1.18 is to be ins
Since 5.9.12, charon-nm routes traffic via an XFRM interface. To avoid a
routing loop, it installs the routes in a separate routing table and
sets up a routing rule that excludes a specific mark. That is, traffic
with that mark will not get routed via XFRM interface. IKE and ESP
traffic gets that m
The resolve plugin only writes directly to resolv.conf if resolvconf is
not available (see
https://docs.strongswan.org/docs/5.9/plugins/resolve.html for details).
Looks like your kernel is missing required modules (xfrm_user etc.) or
they were not automatically loaded.
https://bugs.launchpad.net/bugs/1948044
Title:
charon-systemd fails on raspbe
> Note: I can't see the libtss2-esys runtime dependency that Tobias
mentioned. @Tobias: is this expected, or am I missing some other flag?
Yes, that's correct. The configure script checks for both tss2-sys and
tss2-esys, but eventually, only tss2-sys is used (possible that Andreas
intended to swit
> However this is not something like a separate module: support for TSS2
is builtin in the strongswan tools.
Correct, it's just part of libtpmtss.
> I didn't check but I imagine this requires a libtss2-* runtime dep.
Yes, libtss2-esys0 will be required (libtss2-esys-3.0.2-0 for Hirsute
and Impis
> The stable Ubuntu releases are "feature frozen", which means that it
is unlikely TSS2 will be enabled in Focal (exceptions are possible, but
a very compelling reason is needed).
Is it a new feature, though? Couldn't it be considered a necessary fix
to actually make the already shipped tpm plugin
> what is --enable-tpm option exactly?
It's a plugin in libtpmtss that implements interfaces to provide
certificates, private keys and random numbers from a TPM 2.0 to the IKE
daemon.
> Does it work without --enable-tss-trousers and --enable-tss-tss2?
No, it requires a TSS implementation, in par
--enable-tss-trousers is missing too, so TPM 1.2 support isn't available
either. Which makes enabling the tpm plugin completely useless.
https://bugs.launchpad.net/bugs/1940079
As you can see in the log, you receive two IP addresses, but the remote
traffic selector is IPv4 only:
Nov 20 14:32:11 XX-ThinkPad-T500 charon-nm[2427]: 14[IKE] installing new
virtual IP X.X.88.100
...
Nov 20 14:32:11 XX-ThinkPad-T500 charon-nm[2427]: 14[IKE] installing new
virtual IP XX
That error doesn't seem related (looks more like something the bypass-lan
plugin would log). So please post the complete log.
Also, your manual config creates two CHILD_SAs, one for each family.
That's not how the NM plugin operates. It assumes the responder is able
to narrow the traffic selector
Yeah, I think disabling strongswan.service should be enough. If you
want to make sure, uninstall the strongswan-starter package (unless you
need the pool utility, which is contained in that package for some
reason).
In 18.04, strongswan.service is the legacy systemd unit that controls
starter/charon and loads configuration from ipsec.conf. The
strongswan-swanctl.service unit instead controls the charon-systemd daemon
and is configured via swanctl.conf, which the unit loads via
`swanctl --load-all` automatica
@Christian Re: rm_conffile, I don't think this is a config file issue
(or is this command also used to remove shared libs/plugins? If so, then
definitely make sure to remove old plugins). The config snippets in
strongswan.d/charon are actually not relevant for charon-nm by default
(charon-nm uses i
EAP-PEAP (Protected EAP) is one of those protocols that nobody wants to
use (there are nicer, more modern alternatives) but lots of people have
to because it's what Microsoft implements. It's often used in
combination with EAP-MSCHAPv2 to authenticate e.g. WiFi clients (the TLS
connection in EAP-PE
That file is not relevant for swanctl (unless it was manually included,
check the main strongswan.conf file). Check the output of
`swanctl --help` (lists the plugins), use strace to see when exactly that
access happens.
There are only three components in strongSwan that open TUN devices,
charon-xpc (on macOS), the kernel-pfroute plugin (also not on Linux but
macOS and *BSD) and kernel-libipsec, as pointed out by Simon. However,
swanctl has no business loading kernel plugins (it doesn't by default),
as it is no IKE
Enabling the bliss Plugin is probably not such a good idea. There is a
potential local side-channel attack on strongSwan's BLISS implementation
(https://eprint.iacr.org/2017/505).
The ntru plugin should be fine. However, using NTRU with IKEv2 is not
standardized (uses an algorithm identifiers from
It's unlikely that this is a strongSwan issue as IPsec is handled by the
Linux kernel. It's more likely a kernel bug related to that particular
architecture.
*** This bug is a duplicate of bug 1795653 ***
https://bugs.launchpad.net/bugs/1795653
** This bug has been marked a duplicate of bug 1795653
87cdf3148b11 was never backported to 4.15
Why shouldn't it work in a container? (Granted, I don't know LXD, but
strongSwan runs fine in network namespaces and stuff like Docker.)
https://bugs.launchpad.net/bugs/1780534
> To clear this up, it'd be nice if the interface made it clear that the
username field is unused
It is not, it defines the identity of the client (i.e. the local
identity).
> and the password field is the place for the PSK in PSK mode.
The tooltip of that field mentions PSKs (in particular the
> Our Cisco Meraki appliance is expecting both a PSK to with the server,
and a username and password for individual client auth.
I guess you are referring to IKEv1 XAuth/PSK. The strongSwan
NetworkManager plugin does not support this. It only supports IKEv2
(where EAP can be used for username/pass
You don't have a Password field?
https://bugs.launchpad.net/bugs/1697536
Title:
nm strongswan gui doesn't have a way to enter pre-shared key
> Which means I can't even use the command-line version of StrongSwan
because the "political decision" is baked into the VPN daemon.
That's definitely not true. IKEv1 and PSKs (of arbitrary length) are
supported by the command line version of strongSwan.
> It's not even clear if the code supports IKEv1 via the GUI.
It doesn't and it's not likely that it ever will.
By your own admission, what you (or your admins) are doing isn't a good
idea. So you might want to rethink your setup.
I've seen this in some Travis CI runs of our test suite. There
occasionally seems to be a lockup (not sure if it is an actual
deadlock). But I was never able to reproduce it. Is it possible to get a
backtrace when the test hangs and gets killed by the builder? Or logon
to the build host and attach
Ah, there was an update to NM 1.1. Then the patches Sebastien referred to will
probably be required (at least some of them). In the strongSwan repository
(https://git.strongswan.org/?p=strongswan.git) you'll find these fixes in the
nm-1.2 branch (not yet finished, see
https://github.com/strongs
>> i think the kernel-libipsec plugin should not be loaded by default
>>
>> the plugin works only with UDP encapsulated packets
>>
>> (look here: https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-
>> libipsec)
>>
>> and this will break most of the "normal"/LAN setups
>>
>
> The kernel-l
strongSwan's NM plugin only supports IKEv2. IKEv1 and in particular L2TP
are not supported by that GUI (they could be configured via config files
though).
Thanks for the example config.
The client will encode the identity as FQDN and the server is forced to
encode it as keyid (the content will be the same but the type is
different). So there won't be a match. Looking at the screenshot I'm not
sure how to configure a FQDN in the pfSense GUI, perhaps
> The current version of Strongswan (5.1.2) does not work with newer versions
> of pfSense (Strongswan 5.3.2 based).
> When using IPsec IKEv2/PSK the identity type is now prefixed leftid and
> rightid for better matching.
Hm, could you elaborate on that? For instance, provide example configs?
At
Your connection fails because you haven't checked the "Request an inner
IP address" checkbox but configured an IP address pool in
`rightsourceip` on the server (which is required if your client is
behind a NAT). So change your connection settings so a virtual IP is
requested from the server.
Regar
While debian/strongswan-plugin-kernel-libipsec.install lists
usr/lib/ipsec/plugins/libstrongswan-kernel-libipsec.so the
strongswan-plugin-kernel-libipsec package does not actually include that file.
The reason for this is how dh_install is called in debian/rules, due to
the -Xlibstrongswan-kernel
Man pages for the pki tool and its subcommands have been committed to
the master branch and will be available with the next release (5.1.1).
https://bugs.launchpad.net/bugs/1206263
** Changed in: strongswan (Ubuntu)
Status: New => Fix Committed
https://bugs.launchpad.net/bugs/1206263
Title:
/usr/sbin/ipsec is missing a lot of docs
*** This bug is a duplicate of bug 872824 ***
https://bugs.launchpad.net/bugs/872824
** This bug has been marked a duplicate of bug 872824
Network-manager locks up when adding strongSwan VPN connection
Is this perhaps related to
http://askubuntu.com/questions/30115/root-cannot-access-dev-urandom?
Does it work if you use
$ sudo ipsec start
$ sudo ipsec up remote
instead of running these commands from a root shell?
** Description changed:
I'm having issues getting strongswan to work on Ubuntu. First of all, I
find it quite weird that ipsec is not capable of running as an
unprivileged user (like in Gentoo). But I guess this has something to do
with the fact that Ubuntu distributes binary packages.
*** This bug is a duplicate of bug 711606 ***
https://bugs.launchpad.net/bugs/711606
** This bug has been marked a duplicate of bug 711606
package strongswan-starter 4.3.2-1.1ubuntu1 failed to install/upgrade:
underprocess installerade post-installation-skript gav felkod 1
*** This bug is a duplicate of bug 711606 ***
https://bugs.launchpad.net/bugs/711606
Thank you for taking the time to report this bug and helping to make
Ubuntu better. This particular bug has already been reported and is a
duplicate of bug 711606, so it is being marked as such. Please look at
Hi Kees,
the attached patch (also committed to master [1]) fixes the "keeps
adding entries for the same connection" problem. This happens when only
one of the daemons is installed (strongswan-ikev1 or strongswan-ikev2)
but both are enabled in ipsec.conf. With the patch starter now verifies
that t
Hi Kees,
first, I can't really reproduce the "it keeps adding entries for the
same connection" part. Not sure what that might be caused by. Could you
post the full logs here?
Then about your configs. The left-/rightsourceip options are not really
intended for what you are using them for. What's
** Changed in: strongswan (Ubuntu)
Status: Confirmed => Fix Committed
--
pluto crashes with segfault
https://bugs.launchpad.net/bugs/664371
Hi Rene,
> Is there any chance of this being exploitable other than by causing
> a DoS based on admin-created configuration?
No. As far as I can see, this only happens if multiple certificates are
stored with the same ID on one smartcard. That's the only case the
added certificate object is act
Great.
Could you try the attached patch (after reverting the previous one).
This should fix the root cause of the problem.
** Patch added: "0001-pluto-Fixed-a-regression-introduced-in-f565d0c575.patch"
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/664371/+attachment/1706460/+file
** Patch added: "dont_free_cert_if_equal.patch"
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/664371/+attachment/1705165/+files/dont_free_cert_if_equal.patch
--
pluto crashes with segfault
https://bugs.launchpad.net/bugs/664371
Thanks.
The cause of this segfault seems to be how pluto handles the storage of
two certificates with the same ID.
From your log:
| found cert in slot: 1 with id: 46, label: 'Verschluesselungs Zertifikat 1'
...
| found cert in slot: 1 with id: 46, label: 'Telesec Verschluesselungs
Zertifikat'
Thanks for the backtrace. It is indeed a different bug.
From the backtrace it looks like the list of certificates somehow gets
corrupted.
Could you attach the log output with "plutodebug=all" set in ipsec.conf.
** Changed in: strongswan (Ubuntu)
Status: Fix Committed => Confirmed
I think this has been fixed upstream:
http://wiki.strongswan.org/issues/116
http://git.strongswan.org/?p=strongswan.git;a=commit;h=4de8398f
** Changed in: strongswan (Ubuntu)
Status: New => Fix Committed
--
pluto crashes with segfault
https://bugs.launchpad.net/bugs/664371
** Changed in: strongswan (Ubuntu)
Status: New => Invalid
--
Problem with installation
https://bugs.launchpad.net/bugs/351616
** Changed in: strongswan (Ubuntu)
Status: New => Fix Released
--
strongswan's charon crashes shortly after authentication
https://bugs.launchpad.net/bugs/574664
60 matches