Re: [strongSwan] [HELP]:swanctl in context of strongswan

2020-06-01 Thread Noel Kuntze
Hi Kuna, > I want to check above network ping but the ping is blocked at my internal > network so I can not > ping to node b. That statement is pretty ambiguous and without corresponding explanation. Keep in mind that your own interpretation of your collected data is flawed because you your

Re: [strongSwan] Effect of xfrm_acq_expires mismatch retransmit timeout?

2020-06-01 Thread Noel Kuntze
Hello Michael, xfrm_acq_expires is the time the kernel holds an acquire event before it drops it. The kernel only sends one acquire event for a policy, not several ones. When it receives packets with a matching policy but without a corresponding IPsec SA, it checks if it already sent an acquire

Re: [strongSwan] Duplicate IKE_SA?

2020-06-01 Thread Noel Kuntze
Hello Michael, It might be that both sides use auto=route or auto=start and initiated in parallel and uniqueids=no is set, so duplicate SAs are not deleted. That is pure speculation though. ;) Kind regards Noel Am 31.05.20 um 09:44 schrieb Michael Schwartzkopff: > Hi, > > > we have a centra

Re: [strongSwan] Storngswan and freeradius

2020-06-01 Thread Noel Kuntze
Hello, Yes, you can do that. Looks like you still need to install the package (whichever that is) for the eap-radius plugin. See the FAQ[1]. [1] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Plugin-is-missing Kind regards Noel Am 27.05.20 um 10:17 schrieb Клеусов Владимир Сергеевич

Re: [strongSwan] Multiple connections with the same policy

2020-06-01 Thread Noel Kuntze
Hi, You can't have duplicate/identical policies. At all. There's generally something broken in your setup. Kind regards Noel Am 28.05.20 um 18:56 schrieb korsar...@gmail.com: > Hello, > I have 2 endpoints with 2 IP addresses on the each side. I established 2 > connections between them with th

Re: [strongSwan] Effect of xfrm_acq_expires mismatch retransmit timeout?

2020-06-01 Thread Michael Schwartzkopff
On 01.06.20 19:27, Noel Kuntze wrote: > Hello Michael, > > xfrm_acq_expires is the time the kernel holds an acquire event before it > drops it. > The kernel only sends one acquire event for a policy, not several ones. When > it receives packets with a matching policy but without a corresponding I

Re: [strongSwan] Duplicate IKE_SA?

2020-06-01 Thread Michael Schwartzkopff
On 01.06.20 19:23, Noel Kuntze wrote: > Hello Michael, > > It might be that both sides use auto=route or auto=start and initiated in > parallel and uniqueids=no is set, so duplicate SAs are not deleted. > > That is pure speculation though. ;) > > Kind regards > > Noel side A has auto=start and re