[strongSwan] MOBIKE + VTI

2017-11-30 Thread Prashanth Venugopal
Hi, We have a use case where we need to support MOBIKE with VTI interfaces. S Our current solution involves using strongswan to provide the IKE protocol communication, but we disable route installs in Charon and add routes through our application code to point it to the appropriate VTI interface

[strongSwan] Ubuntu CLI client works Network Manager fails

2017-11-30 Thread Alex Sharaz
Hi, I've just built SSwan from 5.6.1 source and tried to build a Network manager plugin ( Ubuntu . 16.04.3 ) . Unfortunately although my CLI settings work, my NM plugin fails every time. I've built sswan using ./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib --disable-aes --disab

Re: [strongSwan] Issue with VTI packet forwarding

2017-11-30 Thread Noel Kuntze
Hello, The IPs of the VTI need to correspond to the IPs of the SAs (not the policies). The exception (0.0.0.0) is described in the wiki article I linked you before. Kind regards Noel On 30.11.2017 02:50, Naveen Neelakanta wrote: > Hi Noel, > > Thanks I got the VTI working after I change the vt

[strongSwan] "ikeIntermediate" flag in the server certificate

2017-11-30 Thread Gilles Printemps
Hi, Is the "ikeIntermediate" flag really mandatory in the server certificate? In the wiki, it is mentioned the following: To support versions before 10.7.4 the certificate must contain the *iKEIntermediate* extended key usage flag. Can you confirm there is no issue for recent version if this flag

[strongSwan] Help with understanding traffic selectors match

2017-11-30 Thread Enrico Cavalli
Hello, I already posted to pfsense mailing list but maybe the issue is strongswan specific. On my side I have a pfsense 2.4.2 and on the other side a checkpoint firewall (I suppose latest available version) where the encryption domain cannot be changed (so I'm told). I have one single netwo

Re: [strongSwan] swanctl.conf EAP credential information

2017-11-30 Thread Tobias Brunner
Hi, The problem is the dots in the section names of your EAP secrets. For instance: eap-us...@mydomain.com { id = us...@mydomain.com secret=secret1 } When enumerating the id... keys in these sections the current section name was written to a string buffer instead of using the param

Re: [strongSwan] Lots of reconnections for a rekey/reauth, and packet drops

2017-11-30 Thread Tobias Brunner
Hi, Combining reauthentication with closeaction=restart is a bad idea. Note that reauth=no does not disable reauthentication if the other peer has reauth=yes configured, see [1]. Regards, Tobias [1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#IKEv2-Responder-Behavior

Re: [strongSwan] swanctl.conf EAP credential information

2017-11-30 Thread bls s
Tobias, Thank you! Indeed your suggested workaround to delete the dots in section names fixed the issue. From: Tobias Brunner Sent: Thursday, November 30, 2017 8:49 AM To: bls s; Noel Kuntze

Re: [strongSwan] "Require" vs "use" levels in StrongSwan-generated policies

2017-11-30 Thread Tobias Brunner
> IIRC there also was some patch set from somebody that implemented exactly > what you ask. > I can't find it right now, though. https://github.com/strongswan/strongswan/pull/64 Regards, Tobias

Re: [strongSwan] MOBIKE + VTI

2017-11-30 Thread Prashanth Venugopal
Hi, I am wondering if we could use the “listen” API provided in vici to get notified for “UPDATE_SA_ADDRESSES” events. But I am not sure what is the exact event type to register for. Any help would be appreciated. Thanks Prashanth From: Users on behalf of Prashanth Venugopal Date: Thursday

Re: [strongSwan] Help with understanding traffic selectors match

2017-11-30 Thread Enrico Cavalli
Probably I simply do not understand IKEv2 traffic selectors at all ... I have servers on my side (behind pfsense) and on the other side (behind Checkpoint that is not under my control). If I initiate traffic between my 172.16.199.0/24 to for instance 10.15.1.0/24 - CHILD_SA gets installed. T