[strongSwan] swanctl unloads private key on startup (not desired)

2017-05-11 Thread Stephen Ayotte
I'm using 5.5.2; my configs are here: https://gist.github.com/sayotte/1fd19aba0043cb20821cde42535486d7 On startup, swanctl seems to load and then immediately unload the private key associated with the "local" cert: 10[CFG] loaded RSA private key 10[CFG] unloaded private key with id

Re: [strongSwan] VPN Performance over WAN (jitter)

2017-05-11 Thread Noel Kuntze
Hello Christian, > Then I simulate a *varying delay* in the network cards and this seems to be > the problem because when I make a ping between the two networks over vpn and > internet latency is around *70ms (30ms deviation)*. The two servers have ping > times around 32ms (3ms deviations).

Re: [strongSwan] VPN Performance over WAN (jitter)

2017-05-11 Thread Mirko Parthey
On Thu, May 11, 2017 at 04:00:17PM +0200, Christian Hanster wrote: > Hi all, > > at the moment I’m trying to optimize the network performance in a site-to-site > setup (see config below). The connection is structured as follows > > <—> VPN-Router A <—> Internet (WAN) <—> VPN-Router B <—> b> >

Re: [strongSwan] swanctl.conf debugging-- fails to load certificates

2017-05-11 Thread Noel Kuntze
Hi Stephen, On 11.05.2017 20:32, Stephen Ayotte wrote: > The "Usable Examples"[1] page contains no swanctl examples at all; at > the time I was looking at that I probably lacked sufficient > understanding to see that the ipsec example (probably) represented > what I needed, and I kept looking. >

Re: [strongSwan] swanctl.conf debugging-- fails to load certificates

2017-05-11 Thread Stephen Ayotte
Thanks very much for the response / support here guys, I appreciate it. @Noel, I'll give the host-to-host example you linked a try, that looks right on the money. On Thu, May 11, 2017 at 1:47 PM, Noel Kuntze wrote: > > > In my defense regarding

[strongSwan] Tunnel failing when rekeying

2017-05-11 Thread Dusan Ilic
Hi everyone, Someone care to explain why this tunnel always fails after rekey? It works again when I down and up the tunnel manually. May 11 08:37:04 10[IKE] authentication of '137.135.x.x' with pre-shared key successful May 11 08:37:04 10[IKE] authentication of '85.24.x.x'

Re: [strongSwan] swanctl.conf debugging-- fails to load certificates

2017-05-11 Thread Noel Kuntze
Hi Stephen, On 11.05.2017 18:39, Stephen Ayotte wrote: > Thanks Tobias!! That did the trick. Specifically I added this to the config > flags: > --disable-gmp --enable-openssl > > In my defense regarding that load statement, I was working from this example: >

Re: [strongSwan] swanctl.conf debugging-- fails to load certificates

2017-05-11 Thread Stephen Ayotte
Thanks Tobias!! That did the trick. Specifically I added this to the config flags: --disable-gmp --enable-openssl In my defense regarding that load statement, I was working from this example: https://www.strongswan.org/testing/testresults/swanctl/frags-ipv4/ Everything's loading successfully

Re: [strongSwan] multiple subnet in local_ts and remote_ts in swanctl.conf

2017-05-11 Thread Guylain Lavoie
Hi Tobias, Yes you are right. I was using version 1. As soon as I switched to version 2 it began to work correctly. Tested multiple subnets for both local_ts and remote_ts. Works as expected. Thanks, Guylain On Thu, May 11, 2017 at 1:57 AM, Tobias Brunner wrote: > Hi

[strongSwan] VPN Performance over WAN (jitter)

2017-05-11 Thread Christian Hanster
Hi all, at the moment I’m trying to optimize the network performance in a site-to-site setup (see config below). The connection is structured as follows <—> VPN-Router A <—> Internet (WAN) <—> VPN-Router B <—> The problem is that the network performance between networks a and b is only

Re: [strongSwan] swanctl.conf debugging-- fails to load certificates

2017-05-11 Thread Tobias Brunner
Hi Stephen, > but the local_addrs/remote_addrs/local_ts/remote_ts + > start_action=trap in swanctl.conf looks like it should get the job done. You can do the same thing with ipsec.conf. > I was having trouble > understanding how to ensure that swanctl.conf was being used and > ipsec.conf being

[strongSwan] swanctl.conf debugging-- fails to load certificates

2017-05-11 Thread Stephen Ayotte
First, please check my reasoning for using swanctl: I want ad-hoc host-to-host transport level connections between all hosts which are A) in the same subnet and B) have an X509 cert signed by the same CA. I don't see a syntax that expresses this in ipsec.conf (only specific, known endpoints), but