Re: [strongSwan] EAP-MSCHAPv2 via NetworkManager Strongswan plugin

2018-11-05 Thread Alexander Kurakin
Tobias, big thanks for your reply. I'd be very pleased if you have a look at why it doesn't work for me. Via NetworkManager-Strongswan (doesn't work): https://gist.github.com/kuraga/18bb0b6746acc958de343cfa9ba8ce4f Without NetworkManager (works):

Re: [strongSwan] Problem connecting to L2TP/IPSec VPN

2018-11-05 Thread Jonas Koperdraat
So I've sat down with a colleague from support today, and found out that the VPN server is configured to propose the following for phase 1 and phase 2:

IKE (Phase 1) proposal:
* CH Group: Group 2
* Encryption: 3DES
* Authentication SHA1
* Life Time (seconds): 28800

Ipsec (Phase 2) proposal:
*

Re: [strongSwan] No matching CHILD_SA config found - but it's right there

2018-11-05 Thread Tobias Brunner
Hi Chris,

> Oct 30 18:06:43 pfSense_2.4.4 charon: 06[NET] received packet: from 198.51.100.49[500] to 203.0.113.121[500] (460 bytes)
> Oct 30 18:06:43 pfSense_2.4.4 charon: 06[ENC] parsed QUICK_MODE request 3072107701 [ HASH SA No KE ID ID ]
> Oct 30 18:06:43 pfSense_2.4.4 charon: 06[CFG]

Re: [strongSwan] Handling DPD outside of strongswan

2018-11-05 Thread Tobias Brunner
Hi Peter,

Your description of DPDs and the role strongSwan plays in this is a bit confusing. I assume you are referring to the Android/libipsec implementation where strongSwan handles IKE as well as ESP (otherwise, ESP is handled by the kernel, not strongSwan).

> Given that the normal traffic

Re: [strongSwan] Looking for a way to debug resolve plugin

2018-11-05 Thread Tobias Brunner
Hi Pavel,

> I use openresolv (https://roy.marples.name/projects/openresolv) as my
> resolvconf implementation.

Does that provide /sbin/resolvconf?

> Is there any way to get more verbose output from resolve plugin?

No, but errors returned from resolvconf are logged (which doesn't seem to be the

Re: [strongSwan] Non-standard IKE ports

2018-11-05 Thread eyas barhouk
Thanks for your kind feedback, Tobias. I mean by saying the client doesn't understand the port_nat=0 that the client fails to connect to the VPN server. And I think it's like what you say, "a client issue". Many thanks. Regards

Re: [strongSwan] Non-standard IKE ports

2018-11-05 Thread Tobias Brunner
Hi,

> so is there a way to make both of client and server use random ports

Using random ports on the server does not really work because the client has to know the port.

> (I tried to set port_nat_t = 0 but the client doesn't understand it).

What do you mean "doesn't understand it"? See

Re: [strongSwan] EAP-MSCHAPv2 via NetworkManager Strongswan plugin

2018-11-05 Thread Tobias Brunner
Hi Alexander,

> How do I set
>
> leftauth=eap-mschapv2
>
> via NetworkManager Strongswan plugin?

Just select "EAP" in the GUI and make sure the eap-mschapv2 plugin is loaded by charon-nm (plus probably the eap-identity plugin). The actual EAP method is requested by the server (the client