[strongSwan] Can a route based VPN instance, and a policy based VPN instance, coexist on the same box?

2017-03-16 Thread Thomas Leavitt
A client has an existing strongSwan VPN installation that bridges two sites. They are attempting to set up a second site to site VPN connection to an external partner that uses a Juniper VPN/firewall box and has what sounds like a route based ipsec VPN set up. We've set up our side using a policy

Re: [strongSwan] VPN for iOS 10, "deleting half open IKE_SA after timeout"

2017-03-16 Thread Klaus Bernpaintner
Excellent Tobias, now it connects! Thank you. The only remaining question is how to get to the internet beyond the VPN server. I am using it to appear with a different IP address. After connection nothing is reachable. I use this configuration: — config setup charondebug="cfg 2, dmn

Re: [strongSwan] Host to Network IPSec PSK Vpn tunnel

2017-03-16 Thread Noel Kuntze
That will work if there's no NAT in between the hosts. Otherwise the proposed TSi and TSr will not match, because the perceived remote peer's IP will be different from what it proposes as TS. On 16.03.2017 19:37, Muhammad Yousuf Khan wrote: > Thank you for your input Noel. it is really

Re: [strongSwan] Host to Network IPSec PSK Vpn tunnel

2017-03-16 Thread Muhammad Yousuf Khan
Thank you for your input Noel. It is really appreciated. So you mean I delete the leftsubnet parameter, that is sufficient and the tunnel will work. Thanks, Yousuf On Thu, Mar 16, 2017 at 10:36 PM, Noel Kuntze wrote: > On 16.03.2017 07:29, Muhammad Yousuf Khan wrote: > > > >

Re: [strongSwan] Host to Network IPSec PSK Vpn tunnel

2017-03-16 Thread Noel Kuntze
On 16.03.2017 07:29, Muhammad Yousuf Khan wrote: > > There is a requirement from our client that we need an ipsec tunnel for > communication. > as per our experience with Openvpn we can do that very easily however IPsec > works very differently therefore i need your assistance. Policy based

Re: [strongSwan] VPN for iOS 10, "deleting half open IKE_SA after timeout"

2017-03-16 Thread Tobias Brunner
Hi Klaus, > Is that necessary? I use > username/password authentication of the clients and the clients don’t > care about the server certificate. Yes, the CA certificate (caCert.der) has to be installed on the clients. They won't trust the server certificate otherwise. Regards, Tobias

Re: [strongSwan] VPN for iOS 10, "deleting half open IKE_SA after timeout"

2017-03-16 Thread Klaus Bernpaintner
OK thank you, tried leftsendcert=always but same problem. I have not installed the cert on the clients. Is that necessary? I use username/password authentication of the clients and the clients don’t care about the server certificate. > On Mar 16, 2017, at 3:40 PM, Tobias Brunner

Re: [strongSwan] VPN for iOS 10, "deleting half open IKE_SA after timeout"

2017-03-16 Thread Tobias Brunner
Hi Klaus, > What is missing to make it work? As documented on [1], try adding `leftsendcert=always`. If that doesn't work, the CA certificate is probably not installed (or trusted) on the clients. Regards, Tobias [1] https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients
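As an added illustration of the two points Tobias makes in this thread (send the server certificate with leftsendcert=always, and have the CA certificate installed on the iOS clients), here is a road-warrior configuration in ipsec.conf syntax. It is example text written for this page, not Klaus's configuration and not taken from the wiki page linked above; the hostname vpn.example.com, the certificate file name serverCert.pem and the pool 10.10.10.0/24 are placeholders.

```conf
# /etc/ipsec.conf  (added example; hostname, file names and pool are placeholders)
config setup
    charondebug="cfg 2, ike 2"

conn ios-eap
    keyexchange=ikev2
    # Server side: certificate authentication.
    # leftsendcert=always makes charon send its certificate even when the
    # client does not ask for it. The client still has to trust the CA that
    # issued serverCert.pem, so caCert.der must be installed on the iPhone.
    left=%any
    leftid=@vpn.example.com
    leftcert=serverCert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    # Client side: username/password via EAP-MSCHAPv2, virtual IP from the pool.
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    eap_identity=%identity
    auto=add
```

The value of leftid must match a subjectAltName in serverCert.pem, because iOS checks the server identity against the certificate. The private key and the EAP credentials go into ipsec.secrets (a `: RSA serverKey.pem` line and one `user : EAP "password"` line per client). Username/password authentication on the client side does not remove the need for the client to trust the server certificate; without the CA in the client's trust store the IKE_SA is abandoned and charon logs the "deleting half open IKE_SA after timeout" message quoted in the subject.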

[strongSwan] VPN for iOS 10, "deleting half open IKE_SA after timeout"

2017-03-16 Thread Klaus Bernpaintner
I am trying to set up StrongSwan VPN on Ubuntu for iPhone (iOS 10) road warriors. I want my iOS clients to authenticate with username and password. After a couple of days of trial-and-error I believe I am close, but the client is not completing the connection. This is the end of the log:

Re: [strongSwan] Traffic selectors routing issue for IPv6 TS with 128 prefix

2017-03-16 Thread Ts, Sachin (Nokia - IN)
Hi Tobias, Thanks for the response, will try them. For more info, actually ours is a multi tunnel setup. We have three tunnels. For the first time when all three tunnels come up, it's working fine. But when one of the tunnels bounces (down and up), the problem triggers. We observed that the route

Re: [strongSwan] Traffic selectors routing issue for IPv6 TS with 128 prefix

2017-03-16 Thread Tobias Brunner
Hi Sachin, > We are facing problem in reaching traffic selectors when we use IPv6 > TS(Single host IP) with /128 prefix BUT whereas when we use subnets, its > working fine. Since the determining factor for the source IP is the local traffic selector, i.e. fc01:eab:xx::xx/128 (which I suppose is

[strongSwan] packaged versions of StrongSwan 5.5.1

2017-03-16 Thread Alex Sharaz
Hi, I'm currently using the packaged version of strongswan 5.3.5 on Ubuntu 16.04.02. Would anyone know if there are any 5.5.1 equivalent packages available for Ubuntu ... saves me building them. Rgds Alex

Re: [strongSwan] How to restrict IKE and ESP proposals in VICI

2017-03-16 Thread Tobias Brunner
Hi Marc, > Is there a way to limit the proposals in VICI ? You just have to define your proposals. To actually add the default proposal with VICI, as was done automatically with stroke if ! was not added, you have to explicitly add "default" to the proposal list. Regards, Tobias
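An added example (written for this page, not from Marc's or Tobias's mail) of what this answer describes, in swanctl.conf syntax. The connection name TEST is the one from Marc's error message; the peer address, subnets and algorithm names are placeholders.

```conf
# /etc/swanctl/swanctl.conf  (added example; peer, subnets and algorithms are placeholders)
connections {
    TEST {
        remote_addrs = 203.0.113.10
        # With VICI there is no "!" suffix: the list below is the complete
        # IKE proposal set, nothing is appended to it.
        proposals = aes256gcm16-prfsha384-ecp384
        local  { auth = psk }
        remote { auth = psk }
        children {
            net {
                local_ts  = 10.0.1.0/24
                remote_ts = 10.0.2.0/24
                # Same rule for ESP: only this proposal is offered or accepted.
                esp_proposals = aes256gcm16-ecp384
            }
        }
    }
}

# To get the old stroke behaviour (configured proposal followed by the
# built-in default set), name "default" explicitly instead:
#   proposals = aes256gcm16-prfsha384-ecp384, default
# Appending "!" as in ipsec.conf is what produces
# "invalid value for: proposals, config discarded".
```

The ipsec.conf equivalent of the restricted configuration above would be `ike=aes256gcm16-prfsha384-ecp384!` and `esp=aes256gcm16-ecp384!`; with VICI the restriction is the default and the "!" is simply not part of the syntax. Check the result with `swanctl --list-conns` after `swanctl --load-all`: only the proposals you listed (plus the default set, if you added it) should appear.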

[strongSwan] Host to Network IPSec PSK Vpn tunnel

2017-03-16 Thread Muhammad Yousuf Khan
Hi, There is a requirement from our client that we need an ipsec tunnel for communication. As per our experience with Openvpn we can do that very easily, however IPsec works very differently, therefore I need your assistance. Here is the scenario

[strongSwan] How to restrict IKE and ESP proposals in VICI

2017-03-16 Thread Marc Obbad
We are trying to limit the set of algorithms to negotiate for IKE and ESP. In IPSEC.CONF this is done by adding “!”. If we apply the same “!” at the end of the list, we get a message “loading connection TEST failed : invalid value for: proposals, config discarded “ Here is an example: