Yes,
this is correct - the ike and esp settings cannot be configured [yet]
via the database.
Andreas
On 05/20/2010 03:27 AM, J. Tang wrote:
> According to the schema at
> http://wiki.strongswan.org/projects/strongswan/repository/entry/testing/hosts/default/etc/ipsec.d/tables.sql,
> there does not
According to the schema at
http://wiki.strongswan.org/projects/strongswan/repository/entry/testing/hosts/default/etc/ipsec.d/tables.sql,
there does not appear to be any way to specify the esp or ike
settings. I tried setting them via a conn %setup block in my
ipsec.conf, but it seems that strongS
I have this mostly working, except, Juniper's ScreenOS returns the
INTERNAL_IP4_ADDRESS and INTERNAL_IP4_NETMASK in the XAUTH Status, which is
unexpected and causes a failed XAUTH status. I saw another post mentioning a
Juniper XAUTH problem, and the comment that it is different than the Cisco
Hi Martin,
The behavior I saw is that there are 5 retransmissions in each retry. After 5
retries the IKE_SA changes from connecting to destroying
...
May 19 10:00:42 linux1 charon: 15[IKE] giving up after 5 retransmits
May 19 10:00:42 linux1 charon: 15[IKE] peer not responding, trying again (4/0)
May 19
Hi,
> Is there any parameter in StrongSwan to increase the number of retries
> or is this value hardcoded?
Starting with 4.4.0, charon supports global configuration options in
strongswan.conf to control the retransmission behavior [1]. DPD checks
use the same timeout, as any message exchange in
Hi guys - I'm trying to set up a net-net connection to a customer site
as below - any help would be great, so thanks in advance!
Russ
Remote network --local
network
YY.YY.YY.218 ==172.16.102.0/24 =
192.168.102.0/24XX
Hi all,
I have the following question regarding DPD. I see that the IKE_SA
changes its state to DESTROYING and StrongSwan gives up after the fifth
retry when dpdaction is set to restart.
Is there any parameter in StrongSwan to increase the number of retries
or is this value hardcoded?
Any help
Hi,
you probably defined an explicit charon load list (load =) in
/etc/strongswan.conf where the new 'socket-default' plugin
(or 'socket-raw' if the pluto daemon is also running)
is missing.
Regards
Andras
On 05/19/2010 02:05 PM, Mahendra SP wrote:
> Hi,
>
> I was using version 4.3.5 and everyt
Hi,
I was using version 4.3.5 and everything was working fine. I am using Fedora
12. Kernel version 2.6.31.5
I installed 4.4.0
When I try to run the command when it is configured to use certificate
authentication method for IKEv2,
-> ipsec start --nofork --debug-all &
I get the following error
Hi,
> I’ve been trying to find out what is the difference between hold and
> clear in strongswan (IKEv2). The documentation is very vague!
"clear" means: remove policy and state entries from the kernel.
"hold" means: remove the state entries, but keep the policies and
reinitiate the tunnel on m
Hi,
I've been trying to find out what is the difference between hold and
clear in strongswan (IKEv2). The documentation is very vague!
I made a very simple setup, to test a dead peer. After configuring two
ends, start ping to see an established IPSec SA in SAD. Then just "kill
-sigstop" one en
The assignment of a reqid to link IPsec SAs to IPsec policies is
a feature of the Linux kernel so charon needs to provide one.
As mentioned in an earlier posting, strongswan-4.4.1 will allow
you to assign a fixed reqid to each connection definition.
Regards
Andreas
On 05/19/2010 10:40 AM, Ayyash
By the way, when I set the reqid to 2 on the receiving end, it works...
but is this really the way to go?!! This is a very simple setup, but
there will be cases with hundreds of VPNs to be established...
I still can't understand what is the use of reqid. Why does charon
generate a new one? we
Hi,
there is currently no way for charon to control the priorities.
I don't know why the inbound ESP packet does not trigger the
IPsec policy. The commands
ip -s xfrm policy|state
give more information
Regards
Andreas
On 05/17/2010 09:43 AM, Ayyash, Mohammad (NSN - FI/Espoo) wrote:
> hi,
>