Re: [strongSwan] Issue with VTI packet forwarding

2017-11-29 Thread Naveen Neelakanta
Hi Noel, Thanks, I got the VTI working after I changed the VTI local and remote IP to match the SPD IPs. However, is it possible to configure the VTI interface with a different IP than the policies? Working config: ip tunnel add ipsec0 local 10.24.18.209 remote 10.24.18.35 mode vti okey 32
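For readers following this thread, here is an added example (not code from the list, its posters, or the strongSwan project) of the route-based VTI setup the RouteBasedVPN article describes: the VTI is created with the same outer endpoints as the IKE/SA, the VTI key and the CHILD_SA marks carry the same value, and routing rather than policy decides what enters the tunnel. The script only prints the commands and the swanctl.conf fragment so it runs without root; the addresses, mark, remote subnet and connection names are assumptions, the swanctl fragment omits the auth sections, and the `disable_policy` sysctl and `charon.install_routes = no` are taken from the wiki recipe as I recall it.

```shell
#!/bin/sh
# Added example, not code from the list thread or from the strongSwan project.
# Prints the commands and config for a route-based (VTI) strongSwan setup;
# nothing here touches the kernel, so it runs unprivileged. Paste the printed
# lines onto the gateway. All values below are assumptions.
set -eu

LOCAL_IP=10.24.18.209       # assumed: outer address of this gateway
REMOTE_IP=10.24.18.35       # assumed: outer address of the peer
MARK=32                     # assumed: xfrm mark shared by VTI key and CHILD_SA
REMOTE_NET=192.168.2.0/24   # assumed: subnet reached through the tunnel
VTI=ipsec0

# Kernel side. The VTI's local/remote must be the addresses the IKE_SA and
# CHILD_SA use: the kernel selects the SA by (src, dst, mark), so a VTI with
# other endpoints matches no SA and packets sent into it are dropped.
# 'key' sets ikey and okey together; disable_policy lets decapsulated packets
# leave the VTI without a second policy lookup.
vti_commands() {
    cat <<EOF
ip tunnel add $VTI local $LOCAL_IP remote $REMOTE_IP mode vti key $MARK
sysctl -w net.ipv4.conf.$VTI.disable_policy=1
ip link set $VTI up
ip route add $REMOTE_NET dev $VTI
EOF
}

# strongSwan side (swanctl.conf fragment, auth sections omitted). The marks
# equal the VTI key. The wide traffic selectors are fine because routing
# decides what enters the tunnel; since they cover everything, also set
# charon.install_routes = no in strongswan.conf so charon does not add a
# default route to table 220 that would shadow the main table.
swanctl_child() {
    cat <<EOF
connections {
    vti-gw {
        local_addrs  = $LOCAL_IP
        remote_addrs = $REMOTE_IP
        children {
            vti-net {
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                mark_in   = $MARK
                mark_out  = $MARK
                start_action = start
            }
        }
    }
}
EOF
}

# Consistency check: VTI key and both CHILD_SA marks must agree, otherwise
# the SA is installed but the VTI never uses it.
marks_consistent() {
    key=$(vti_commands | sed -n 's/.*mode vti key \([0-9]*\)$/\1/p')
    mark_in_v=$(swanctl_child | sed -n 's/ *mark_in *= *\([0-9]*\)$/\1/p')
    mark_out_v=$(swanctl_child | sed -n 's/ *mark_out *= *\([0-9]*\)$/\1/p')
    [ "$key" = "$mark_in_v" ] && [ "$key" = "$mark_out_v" ]
}

# Filtering: with a VTI, tunnel traffic is simply traffic on $VTI; on a
# policy-based setup the policy match selects packets decapsulated from ESP.
forward_rules() {
    cat <<EOF
iptables -A FORWARD -i $VTI -s $REMOTE_NET -j ACCEPT
iptables -A FORWARD -m policy --dir in --pol ipsec --proto esp -s $REMOTE_NET -j ACCEPT
EOF
}

vti_commands
swanctl_child
forward_rules
marks_consistent && echo "VTI key and CHILD_SA marks agree: $MARK"
```

The first FORWARD rule is the one that belongs with a VTI; the second is the equivalent for a policy-based (non-VTI) setup where there is no tunnel interface to match on, which is the `-m policy` module mentioned later in this thread.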

Re: [strongSwan] Isolate clients and force local network traffic to an interface

2017-11-29 Thread Loc Nguyen
Hi, I have 3 interfaces: WAN, where clients are connecting. LAN/10.11.0.0/16, this is the network where clients get IP addresses. FILTER/eth2, where all client traffic is routed. I have 2 clients, client 1 IP 10.11.0.55 and client 2 IP 10.11.0.56. Here are the ip route and iptables rules. ip

Re: [strongSwan] swanctl.conf EAP credential information

2017-11-29 Thread bls s
Thanks. Here is swanctl --stats (after a service restart). 2 charon_debug logfiles attached, one with a successful connection (the userid in question at the end of the list) and one with a failed connection (userid in question at the front of the list). Xunil/var/log# swanctl --stats uptime:

Re: [strongSwan] Isolate clients and force local network traffic to an interface

2017-11-29 Thread Noel Kuntze
Hi, I can't tell what exactly you want. You can tell if traffic was protected with ipsec by using the iptables policy match module. You can use a VTI[1], too. Kind regards Noel [1] https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN On 28.11.2017 20:37, Loc Nguyen wrote: > >

Re: [strongSwan] "Require" vs "use" levels in StrongSwan-generated policies

2017-11-29 Thread Noel Kuntze
Hi, That's not supported. You can maybe use connections.<conn>.children.<child>.policies to disable the installation of the policies and manage them outside of charon. IIRC there also was some patch set from somebody that implemented exactly what you ask. I can't find it right now, though. Kind regards

Re: [strongSwan] Using xfrm marks to select right tunnels based on uid

2017-11-29 Thread Noel Kuntze
Hi, > I have set charon.install_routes = 0 to avoid installing default route to > route table 220, so I can actually setup the second tunnel. Set it to "no". > So it seems that the kernel's source address selection does not work > correctly in my case. I am able to workaround my troubles by

Re: [strongSwan] Issue with VTI packet forwarding

2017-11-29 Thread Noel Kuntze
Hi, Please follow the RouteBasedVPN article[1] to the letter and keep your routes in the main routing table to keep it simple. As soon as you have a working setup, THEN you can start making changes. Kind regards Noel [1] https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN On

Re: [strongSwan] swanctl.conf EAP credential information

2017-11-29 Thread Noel Kuntze
Hi, Please provide a log file created with the logger configuration from the HelpRequests[1] page and the output of `swanctl --stats`. Kind regards Noel [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests On 29.11.2017 19:27, bls s wrote: > > Curiously, if eap-user1 is at

Re: [strongSwan] swanctl.conf EAP credential information

2017-11-29 Thread bls s
Curiously, if eap-user1 is at the end of the list, it authenticates correctly, but not if first or second in the list. From: bls s Sent: Tuesday, November 28, 2017 4:43 PM To: users@lists.strongswan.org Subject: [strongSwan]

Re: [strongSwan] Lots of reconnections for a rekey/reauth, and packet drops

2017-11-29 Thread Hoggins!
Hello Noel, Thanks for these insights! On 28/11/2017 at 23:30, Noel Kuntze wrote: > Hi, > >> Nov 28 16:52:29 yomama charon: 06[KNL] creating delete job for >> CHILD_SA ESP/0xc4bd0735/192.168.1.72 >> Nov 28 16:52:29 yomama charon: 06[JOB] CHILD_SA >> ESP/0xc4bd0735/192.168.1.72

[strongSwan] Issue with VTI packet forwarding

2017-11-29 Thread Naveen Neelakanta
Hi All, Need some guidance and help in getting the traffic routed via the VTI (ipsec0) interface. I am using the VTI interface to just mark the traffic and forward. I am not able to get the traffic forwarded via the VTI (ipsec0) interface and marked so that it gets protected. i