[strongSwan] StrongSwan looses connection when reauthenticating

2013-08-30 Thread Stoppel, Uwe
Hello everyone. I've set up StrongSwan and want to use it for site-to-site VPN and for Road Warriors. Almost everything works really great, but I'm always running into the issue that my VPN initiators lose connection when reauthentication happens. My VPN gateway then tells me that it has sent

Re: [strongSwan] Strongswan receive signal 11 on PPC even with mlongcall

2013-08-30 Thread Tobias Brunner
Hi Barry, The following is the instruction that causes the segmentation fault: > 0x1fc7a174 <+84>:lwz r25,0(r5) Register r5 stores the third argument to the function (p), which is not defined if group is not MODP_CUSTOM (neither is the second argument, g, but apparently it doesn't point

Re: [strongSwan] StrongSwan looses connection when reauthenticating

2013-08-30 Thread Tobias Brunner
Hi Uwe, > All my initiators are behind NAT without a Port forwarding, so this > would make sense. No port forwarding is required if the client originally initiated the connection. The NAT mapping should still be alive during the short time the client will not send NAT keep-alives during a reauth

[strongSwan] Strongswan as a VPN Hub with a single network adapter

2013-08-30 Thread Kevin Palmer
Hi, I have just been using Strongswan for the first time and firstly I’d like to say how impressed I was in how easy it was to set up the VPN tunnels. I got my two tunnels working within about 20 minutes of installing Strongswan. I have got a hub and two spokes and once the two tunnels were est

Re: [strongSwan] Strongswan as a VPN Hub with a single network adapter

2013-08-30 Thread Paton, Andy
What is your routing setup on the spokes? Regards, Andy Paton - Bsc. (Hons), MBCS Innovation Engineer andy.pa...@hp.com [HP] From: users-bounces+andy.paton=hp@lists.strongswan.org [mailto:users-bounces+andy.paton=hp@lists.strongswan.org]

Re: [strongSwan] Strongswan as a VPN Hub with a single network adapter

2013-08-30 Thread Kevin Palmer
Hi Andy, The routing on the 10.4.0.0 spoke is configured that any communication to the following subnets 10.30.0.0/16,10.7.0.0/16,10.6.0.0/16,10.3.0.0/16,172.16.0.0/16 will be routed to the Strongswan VPN gateway public IP (I've yet to set up the tunnels for 10.30.0.0, 10.7.0.0 and 10.3.0.0) When

Re: [strongSwan] Strongswan as a VPN Hub with a single network adapter

2013-08-30 Thread Noel Kuntze
Hello, I don't think using rightsubnet is correct in this case, as it only applies to networks that are physically attached to the remote host. You can, however, customize the _updown script to set routes to the remote subnets that go through the

[strongSwan] [strongswan] regarding ipsec starter

2013-08-30 Thread rakesh bansod
Hi all, I want to know whether it is possible to establish an ipsec connection without entering connection details in ipsec.conf, as is possible in openswan by accessing directly through whack. Similarly, is there any possibility here with starter to skip writing into file and reading it which is a heav

Re: [strongSwan] [strongswan] regarding ipsec starter

2013-08-30 Thread Noel Kuntze
Hello Rakesh, This can be done with "charon-cmd". Regards, Noel Kuntze On 30.08.2013 13:27, rakesh bansod wrote: > hi all, > i want to know is it possible to establish ipsec connection without > entering connection details in ipsec.conf. > A

Re: [strongSwan] Strongswan as a VPN Hub with a single network adapter

2013-08-30 Thread Tobias Brunner
Hi Kevin, > The routing on the 10.4.0.0 spoke is configured that any communication > to the following subnets > 10.30.0.0/16,10.7.0.0/16,10.6.0.0/16,10.3.0.0/16,172.16.0.0/16 > will be routed to the Strongswan VPN gateway public IP (I've yet to > setup the tunnels for 10.30.0.0, 10.7.0.0 and 10.3.

Re: [strongSwan] Strongswan as a VPN Hub with a single network adapter

2013-08-30 Thread Kevin Palmer
I have now managed to get it working (was just a silly mistake on the left subnet for csvnetkp (I used a /24 instead of a /16)). I can now get successful pings between nodes which is awesome! However, it all looked great until I tried to actually communicate between spokes.. I seem to be able to d

[strongSwan] ikelifetime maximum?

2013-08-30 Thread Tom Rymes
While perusing the documentation, specifically http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection , I noticed that a 24h maximum is specified for 'lifetime', but there is no maximum specified for 'ikelifetime'. I don't personally want to use a large 'ikelifetime', but for the sake

Re: [strongSwan] Strongswan receive signal 11 on PPC even with mlongcall

2013-08-30 Thread Barry G
Hi Tobias, Thanks for the information. That is an interesting bug. > [1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=11d6bc3e I applied the patch (which did apply cleanly) and everything started working. Thanks again for all the help, Barry

[strongSwan] Is there a way to specify an IKE_SA config separately?

2013-08-30 Thread Dan Cook
When StrongSwan establishes an IKE_SA it appears to look in the config file for the first matching left and right ids. It then uses that to establish the IKE SA which subsequent CHILD SAs (IPSEC SA) are connected to after further "narrowing" when the connection comes up. These two SAs may be using

[strongSwan] Strongswan packages selection

2013-08-30 Thread Naveen Neelakanta
Hi, I am new to strongswan. I have been able to successfully establish a tunnel between two Linux PCs. However, I want to reduce the size of the strongswan image and hence I have used the below compilation options. " --disable-curl --disable-soup --disable-ldap \ --enable-gmp --disable

Re: [strongSwan] Strongswan as a VPN Hub with a single network adapter

2013-08-30 Thread Mirko Parthey
On Fri, Aug 30, 2013 at 01:26:42PM +0100, Kevin Palmer wrote: > However, it all looked great until I tried to actually communicate between > spokes.. I seem to be able to do pings and make connections to ports but when > I > try to put some traffic across the VPN I get problems. i.e. I can success

Re: [strongSwan] Strongswan packages selection

2013-08-30 Thread Naveen Neelakanta
Hi Noel, Thank you for your reply. Even after using the configuration "--disable-rc2 --disable-md5 --disable-sha1 --disable-sha2 --disable-fips-prf --disable-aes --disable-des --enable-openssl --disable-pkcs1 --disable-pkcs7 --disable-pkcs8 \ --disable-pkcs12 --disable-pgp --disable-dnskey --dis

Re: [strongSwan] Strongswan packages selection

2013-08-30 Thread Egerer, Thomas
From: Naveen Neelakanta Sent: Freitag, 30. August 2013 20:19 To: use

[strongSwan] Inacceptable Traffic selectors...

2013-08-30 Thread Dan Cook
I am trying to track down a connection issue and I tracked it down to an "inacceptable" traffic selector error on a transport connection with the route=auto. What is very strange is I can bring the connection manually using the "ipsec up" command and the connection is established. I am really stum