Re: [strongSwan] dpd not getting triggered

2018-01-11 Thread Kalyani Garigipati (kagarigi)
Hi, Thanks a lot for the reply. It worked. I see the dpd triggering now. I am working on a case when dpd from strongswan sends the nat detection payloads. I wanted to know upon which conditions strongswan would send dpd request with nat_detection_src_ip and nat_detection_dst_ip. Is it done

Re: [strongSwan] Reconnect failed with android phone

2018-01-11 Thread JWD
Nothing is logged when Android disconnects. Android does not send any message to strongswan. EAP-MSCHAPv2 works fine on my PC. Jan 12 09:07:20 03[NET] <4> received packet: from 223.104.3.235[26141] to 172.31.2.1[500] (476 bytes) Jan 12 09:07:20 03[ENC] <4> parsed ID_PROT request 0 [ SA V V V V V V

[strongSwan] dpd not getting triggered

2018-01-11 Thread Kalyani Garigipati (kagarigi)
Hi, I am using strongswan version 5.6.1. I found that even though I configured dpd using dpddelay and dpdtimeout, dpd is not getting triggered from the strongswan client at all, even though there is no traffic passing. Please let me know how to debug this. config setup charondebug=all

Re: [strongSwan] IPSec Tunnel IP

2018-01-11 Thread Jafar Al-Gharaibeh
you also have to delete the setting at the AP side, just get rid of this: ipsec primary tunnel peer tunnel ip :1.1.1.127 --Jafar On 1/11/2018 2:06 AM, Yusuf Güngör wrote: Hi Jafar, I have tried both deleting "rightsubnet=0.0.0.0/0" and adding

Re: [strongSwan] mobileconfig file - do i need to install a root CA

2018-01-11 Thread Alex Sharaz
Sorted. In the .mobileconfig I had Server Certificate Issuer Common Name set to the root CA name. Removed that config, deleted the root CA and it worked. BTW, had the root/intermed certs in cacerts. Rgds, Alex On 11 January 2018 at 12:17, Noel Kuntze <

Re: [strongSwan] mobileconfig file - do i need to install a root CA

2018-01-11 Thread Noel Kuntze
Actually not. Just refer to the right file in your system's CA store. (e.g. /etc/ca-certificates/extracted/cadir/bla.pem). Or play around with symlinking /etc/ipsec.d/cacerts or a subdirectory of it to your system's CA store. Kind regards Noel On 11.01.2018 13:29, Giuseppe De Marco wrote: >

Re: [strongSwan] checkpoint interoperability problem

2018-01-11 Thread Noel Kuntze
Hi, That's weird behaviour that I've seen with checkpoints, too. I think the right solution is to stop the checkpoint from initiating main mode on its own. Kind regards Noel On 05.01.2018 16:59, Marco Berizzi wrote: > Hello everyone, > > I have a very nasty problem with an ipsec tunnel

Re: [strongSwan] mobileconfig file - do i need to install a root CA

2018-01-11 Thread Giuseppe De Marco
You can even use charon-cmd this way: charon-cmd --host SERVER_HOSTNAME --profile ikev2-eap --identity LOGIN --cert /PATH/TO/ca.crt Using a valid CA lets Windows 10 and Mac OS X clients run without ca.crt; with GNU/Linux we have to have ca.crt instead. 2018-01-11 13:17 GMT+01:00 Noel Kuntze <

Re: [strongSwan] Dual IPSEC SA after re-auth

2018-01-11 Thread Noel Kuntze
Hi, Use the site-to-site config for IKEv1 and two subnets from the UsableExamples page on the wiki. Kind regards Noel On 04.01.2018 17:53, Loic Chabert wrote: > Hello Strongswan list, > > I have a trouble with an IPSEC site-to-site VPN from a Cisco ASA and > strongswan version 5.5.3, Linux

Re: [strongSwan] How to set some strongswan parameters for all connections at once?

2018-01-11 Thread Noel Kuntze
CentOS also has `ipsec`. They just renamed it to `strongswan`, so it does not conflict with libreswan's `ipsec` tool for controlling their pluto daemon. You can use the file inclusion mechanism to load text from other files into parts of the configuration. The man page mentions how to do that.

Re: [strongSwan] OpenWRT. IPSec server

2018-01-11 Thread Noel Kuntze
Hi, Create and provide logs. List all information in the format and with the commands as described on the HelpRequests page. Kind regards Noel On 06.01.2018 07:15, Sujoy wrote: > Hi All, > > We are able to connect to StrongSwan IPSec using LAN IP. But in the same > system which is having

Re: [strongSwan] mobileconfig file - do i need to install a root CA

2018-01-11 Thread Noel Kuntze
Put the root CA and the intermediate CAs into /etc/ipsec.d/cacerts, then run `ipsec stroke rereadcacerts` and then retry. If that does not help, check the logs of iOS. You can get access to them via Apple's SDK. On 11.01.2018 13:13, Alex Sharaz wrote: > That's what is confusing, it's the

[strongSwan] Fwd: CRL validation failing

2018-01-11 Thread Matthew Winnett
I am running 5.6.1 and trying to establish a site-to-site vlan to an F5 bigip using ikev2 and certificates. The tunnel works ok with psk, but when using certificates I get the following in the log: 11[CFG] checking certificate status of "C=gb, ST=anglesey, L=benllech, O=f5, OU=es,

Re: [strongSwan] Question related to ESP_TFC_PADDING_NOT_SUPPORTED

2018-01-11 Thread Noel Kuntze
TFC padding is only used if you set "tfc=$value" in ipsec.conf. By default it is disabled. TFC increases the packet size of ESP packets to be at least $value. It significantly degrades performance, because of the humongous overhead. ESP_TFC_PADDING_NOT_SUPPORTED means that the other peer does not

Re: [strongSwan] mobileconfig file - do i need to install a root CA

2018-01-11 Thread Alex Sharaz
That's what is confusing, it's the QuoVadis root CA, which is one we use on a whole batch of servers, and my OSX machine validates those certs just fine. ... and I can see them (root and intermediate) in the system root keystore... but certainly if I remove it from the mobileconfig file I don't

Re: [strongSwan] Issue with IKE_SA rekey towards Cisco

2018-01-11 Thread Noel Kuntze
Hi, I'm absolutely baffled why you choose a weak PSK-Xauth authentication scheme with aggressive mode. You're basically doing everything wrong. At least use Pubkey-Xauth with hybrid mode authentication. That way, the clients don't need a certificate and an attacker listening in on the KEX can
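As an added illustration of the point made in this reply (it is not part of the thread and not the strongSwan project's own configuration; the connection names, addresses, identities and certificate file name are assumed), here is an ipsec.conf with the weak aggressive-mode PSK/XAuth variant next to the hybrid one. In aggressive mode the gateway's authentication hash is keyed with the group PSK and sent unencrypted, so a passive listener can brute-force the secret offline; hybrid mode authenticates the gateway with a certificate and runs XAuth inside the main-mode protected channel, while the client still only needs a username and password.

```conf
# /etc/ipsec.conf (added example; names, addresses and cert file assumed)

# Weak: IKEv1 aggressive mode, group PSK, XAuth on top.
# The responder's HASH_R, keyed with the PSK, goes out in the clear.
conn xauth-psk-aggressive
    keyexchange=ikev1
    aggressive=yes
    left=192.0.2.1
    leftid=@vpn.example.org
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    rightauth2=xauth
    rightsourceip=10.10.10.0/24
    auto=add

# Better: hybrid authentication in main mode.
# Gateway proves itself with a certificate, clients only do XAuth.
conn xauth-hybrid
    keyexchange=ikev1
    aggressive=no
    left=192.0.2.1
    leftid=@vpn.example.org
    leftcert=serverCert.pem
    leftsendcert=always
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=xauth
    rightsourceip=10.10.10.0/24
    auto=add
```

Clients must trust the CA that issued serverCert.pem; with that in place the PSK (and the `rightauth2=xauth` second round) disappears entirely from the client profile.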

Re: [strongSwan] Reconnect failed with android phone

2018-01-11 Thread Noel Kuntze
What's happening in between those two lines? On 10.01.2018 15:34, JWD wrote: > Jan 10 22:22:37 04[NET] sending packet: from 172.31.2.1[4500] > to 117.100.110.176[4500] (108 bytes) > > Jan 10 22:22:55 15[NET] <4> received packet: from 117.100.110.176[500] to > 172.31.2.1[500]

Re: [strongSwan] mobileconfig file - do i need to install a root CA

2018-01-11 Thread Noel Kuntze
Hi, You only need to install a root certificate if the issuer of your server certificate or its root certificate is not in the client's certificate store. A client needs to be able to verify the server's certificate from the root to the server certificate. That includes CRLs and OCSP. That's

Re: [strongSwan] roadwarrior ike/esp SA are not dropped after lifetime expiration

2018-01-11 Thread Noel Kuntze
AFAIK you can use `inactivity=$time`, but it only pertains to the CHILD_SAs (unless charon.inactivity_close_ike is set to "yes"). DPD only pertains to IKE_SAs. If an IKE_SA is deleted (and not rekeyed), its CHILD_SAs are deleted, too. It probably works if you use both inactivity and set

Re: [strongSwan] Multiple IKE SA between same pair of address

2018-01-11 Thread Noel Kuntze
Hi, Set uniqueids = no in config setup. Better, use swanctl.conf with swanctl. There, you can set it per conn and not globally. Kind regards Noel On 06.01.2018 01:15, Jun Hu wrote: > Hi, > Does strongswan support multiple IKE SA (each with its own CHILD_SA) between > single pair of address?

Re: [strongSwan] IPSec Tunnel Up, No Traffic Passed to End Destination

2018-01-11 Thread Noel Kuntze
Disable the source check in the VPC for the strongSwan server in the VPC. Check if forwarding is enabled in sysctl globally for IPv4, too. > sysctl net.ipv6.conf.all.forwarding=1 That is IPv6 only. You're tunneling IPv4 packets though. BTW, your cipher suite sucks. Use something better and use
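The three replies about roadwarrior SA lifetimes (inactivity plus charon.inactivity_close_ike), multiple IKE_SAs per address pair (uniqueness per connection in swanctl.conf) and this one (IPv4 forwarding, an explicit proposal) fit into one configuration. The fragment below is an added example written for this page, not from any of the replies or from the strongSwan project; the connection name, addresses, identity, certificate file and pool are assumed. The retransmission values shown are charon's documented defaults, listed because for IKEv2 they, not dpd_timeout, decide when an unresponsive peer is declared dead.

```conf
# --- /etc/swanctl/swanctl.conf (added example; names and addresses assumed)
connections {
    rw-ikev2 {
        version = 2
        local_addrs = 192.0.2.1
        # Explicit proposals instead of relying on the built-in default;
        # AEAD first, a non-AEAD fallback second.
        proposals = aes256gcm16-prfsha384-ecp384,aes256-sha256-ecp256
        # IKEv2 liveness: send an empty INFORMATIONAL after this much idle
        # time. dpd_timeout is IKEv1-only; for IKEv2 the retransmission
        # settings in strongswan.conf decide when the peer is dead.
        dpd_delay = 30s
        # Allow several IKE_SAs between the same identity/address pair.
        # Per-connection form of "uniqueids = no" from ipsec.conf's config setup.
        unique = never
        local {
            auth = pubkey
            certs = serverCert.pem
            id = vpn.example.org
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            rw {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256gcm16-ecp384,aes256-sha256-ecp256
                # Delete this CHILD_SA after 30 minutes without traffic.
                inactivity = 30m
                # What to do with the CHILD_SA once DPD declares the peer dead.
                dpd_action = clear
            }
        }
        pools = rw-pool
    }
}

pools {
    rw-pool {
        addrs = 10.10.10.0/24
    }
}

# --- /etc/strongswan.conf
charon {
    # Without this, inactivity removes only the CHILD_SA and the IKE_SA lingers.
    inactivity_close_ike = yes
    # IKEv2 "DPD timeout" is really retransmission: give up after 5 retries
    # with exponentially growing intervals (these are the defaults).
    retransmit_tries = 5
    retransmit_timeout = 4.0
    retransmit_base = 1.8
}

# --- /etc/sysctl.d/99-ipsec.conf
# net.ipv6.conf.all.forwarding affects IPv6 only; tunnelled IPv4 needs its own knob.
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
```

After writing the files, `swanctl --load-all` loads the connection and pool, and `sysctl --system` applies the forwarding keys; `swanctl --list-sas` then shows the inactivity-driven deletions as the CHILD_SAs (and, with inactivity_close_ike, the IKE_SAs) disappear.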

Re: [strongSwan] How to set some strongswan parameters for all connections at once?

2018-01-11 Thread Marian Kechlibar
OK, so I set up an experimental VPN and started playing with it, so as not to break the production VPN. CentOS uses swanctl as a lightweight controller, so ipsec.conf is not really loaded. I was able to set up DPD, proposals etc. on a user-by-user basis, but not globally. Is there any way to

Re: [strongSwan] Fwd: Windows native VPN client routing problem

2018-01-11 Thread Kamil Jońca
Giuseppe De Marco writes: > The def gw route's metric in Windows can be changed at runtime. > If you want to fix the def gw from the VPN in Windows 10, just go to the NIC properties > of the VPN network interface, Network, IPv4 -> Properties, Advanced,

[strongSwan] Fwd: Windows native VPN client routing problem

2018-01-11 Thread Giuseppe De Marco
The def gw route's metric in Windows can be changed at runtime. If you want to fix the def gw from the VPN in Windows 10, just go to the NIC properties of the VPN network interface, Network, IPv4 -> Properties, Advanced, Use default gateway, then apply :) https://goo.gl/Zj5ktL 2018-01-11 9:35 GMT+01:00 Marian

[strongSwan] How to set some strongswan parameters for all connections at once?

2018-01-11 Thread Marian Kechlibar
Hi all, I would like to ask a question with regard to StrongSwan server configuration. We are running a VPN server based on StrongSwan 5.5.3 on CentOS 7. The settings are as follows: * ipsec.conf is completely empty, except for comments (the default state of the file after a fresh

[strongSwan] Windows native VPN client routing problem

2018-01-11 Thread Marian Kechlibar
Hi all, this is a description of a problem that I spent the better part of yesterday struggling with. I am sending a description of the problem and the solution for anyone who might be interested. I also have the feeling that this might be suited for the StrongSwan Wiki. Please let me know whether

Re: [strongSwan] IPSec Tunnel IP

2018-01-11 Thread Yusuf Güngör
Hi Jafar, I have tried both deleting "rightsubnet=0.0.0.0/0" and adding "rightsubnet=%dynamic" now. AP still gets "1.1.1.127" as peer tunnel ip. ipsec primary tunnel peer tunnel ip:1.1.1.127 ipsec primary tunnel ap tunnel ip:10.254.0.1 The problem is caused by the AP