Re: [strongSwan] mobileconfig file - do i need to install a root CA

2018-01-11 Thread Alex Sharaz
-ml@thermi.consulting> wrote: > Put the root CA and the intermediate CAs into /etc/ipsec.d/cacerts, then > run `ipsec stroke rereadcacerts` and then retry. > If that does not help, check the logs of iOS. You can get access to them > via Apple's SDK. > > On 11.01.2018 13:13, Alex Shar

Re: [strongSwan] mobileconfig file - do i need to install a root CA

2018-01-11 Thread Alex Sharaz
ient's certificate > store. > A client needs to be able to verify the server's certificate from the root > to the server certificate. That includes CRLs and OCSP. > > That's PKI 101. > > Kind regards > > Noel > > On 10.01.2018 12:44, Alex Sharaz wrote: > > Hi,

[strongSwan] mobileconfig file - do i need to install a root CA

2018-01-10 Thread Alex Sharaz
Hi, I've got a .mobileconfig file set up that will allow a macOS/iOS user to connect to my SSwan VPN server (5.6.1). In it I have a cert payload defined containing both the intermediate and root cert of the server certificate. This all works just fine. However, our security people are objecting to

[strongSwan] Assigning ipv6 address out of a pool

2017-12-13 Thread Alex Sharaz
Hi, I've created a pair of ip pools

name            start                  end                    timeout  size  online    usage
itservices      172.18.64.2            172.18.64.127          static   126   1 ( 0%)   28 (22%)
itservicesIPv6  2001:630:61:6000::f    2001:630:61:6000::fff  static   4081  0 ( 0%)   2 ( 0%)

My ipsec

[strongSwan] Calling station id incorrect

2017-12-07 Thread Alex Sharaz
Hi, I've configured my vpn server (5.6.1) to use eap-radius to pass auths to our RADIUS service. I've also configured eap-radius.conf to pass the Calling-Station-Id and Framed-IP-Address to the RADIUS server. Unfortunately what appears at the radius server seems to be the IPv4/IPv6 address of

[strongSwan] example ipv6 pool

2017-12-06 Thread Alex Sharaz
Anyone got an example of defining an ipv6 pool using ipsec pool .. ? Rgds Alex

Re: [strongSwan] Ubuntu CLI client works Network Manager fails

2017-12-04 Thread Alex Sharaz
o.k. so guess I'll build a freeradius server on the SSwan VPN box using vpn.york.ac.uk cert and then proxy stuff to the mail auth service A On 4 December 2017 at 10:31, Tobias Brunner wrote: > Hi Alex > > > So if my client is connecting to vpn.york.ac.uk, > > the cert

Re: [strongSwan] Ubuntu CLI client works Network Manager fails

2017-12-04 Thread Alex Sharaz
On 1 December 2017 at 16:05, Alex Sharaz <alex.sha...@york.ac.uk> wrote: > or I could install freeradius on the strongswan server and let it handle > the eap side of things and then there is a virtual server that proxies off > the inner tunnel stuff to another server for authentication.

Re: [strongSwan] Ubuntu CLI client works Network Manager fails

2017-12-01 Thread Alex Sharaz
. Would be better than changing code and sswan config still uses eap-radius but points to itself A On 1 December 2017 at 15:21, Alex Sharaz <alex.sha...@york.ac.uk> wrote: > o.k lots of options ... > Think I need the charon-nm for our Ubuntu network manager users .. keeps > it s

Re: [strongSwan] Ubuntu CLI client works Network Manager fails

2017-12-01 Thread Alex Sharaz
o.k. lots of options ... Think I need the charon-nm for our Ubuntu network manager users .. keeps it simple. Think I'll try patching charon-nm first. Thanks A On 1 December 2017 at 14:34, Tobias Brunner wrote: > Hi Alex, > > > so you're saying that my radius server also

Re: [strongSwan] Ubuntu CLI client works Network Manager fails

2017-12-01 Thread Alex Sharaz
So just to check, our radius server has a cert with a CN=radius.york.ac.uk and its SubjAltNames are X509v3 Subject Alternative Name: DNS:radius.york.ac.uk, DNS:www.radius.york.ac.uk so you're saying that my radius server also needs to have vpn.york.ac.uk as a SubjAltName in it

Re: [strongSwan] Ubuntu CLI client works Network Manager fails

2017-12-01 Thread Alex Sharaz
o.k. deleted source tree and started again. It now looks as if there's a difference between what happens when talking to the RADIUS server used by the VPN server. Below is a snippet from /var/log/syslog for the charon-nm process. As before, CLI VPN connections just work. I've run the following

[strongSwan] Ubuntu CLI client works Network Manager fails

2017-11-30 Thread Alex Sharaz
Hi, I've just built SSwan from 5.6.1 source and tried to build a Network Manager plugin (Ubuntu 16.04.3). Unfortunately, although my CLI settings work, my NM plugin fails every time. I've built sswan using ./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib --disable-aes

Re: [strongSwan] Selecting eap-mschapv2 for use by NM plugin

2017-09-08 Thread Alex Sharaz
... and I now have a NetworkManager-defined VPN working. Many thanks A On 8 September 2017 at 10:48, Tobias Brunner wrote: > Hi Alex, > > > In my strongswan build, how do I tell NM to use eap-mschapv2? > > > > At the moment, by default its using eap-md5 > > The

[strongSwan] mobileconfig configuration

2017-08-25 Thread Alex Sharaz
Hi, quick question about incorporating the CA chain in a .mobileconfig file. I've used the Apple Configurator to create a .mobileconfig file for use against our SSwan 5.5.3 VPN service. Initially we used a locally generated server cert from our internal CA, so I included the intermediate and root

[strongSwan] Configuring ChromeOS to use strongSwan

2017-07-17 Thread Alex Sharaz
Anyone using chromeos to talk to sswan ? Config example would be helpful if possible Rgds Alex

[strongSwan] Valid onc file for ikev2 psk eap-peap

2017-07-06 Thread Alex Sharaz
Hi, Been looking for details on how to configure a Chromebook to connect to sswan 5.5.3. Found an ONC spec document and came up with { "Type": "UnencryptedConfiguration", "NetworkConfigurations": [ { "GUID":"{818743ad-2d62-4602-bc6b-d77a7d3ad828}", "Type": "VPN", "Name": "UoY

Re: [strongSwan] ip address allocation .. same ip for different machines

2017-07-05 Thread Alex Sharaz
>Yes, IPs are assigned based on the remote identity. If an existing >lease for an identity is found, which is not currently assigned to a >client, it will be reused. Sigh! my fault. Just tested again and stuff working as expected Rgds Alex On 5 July 2017 at 11:35, Tobias Brunner

[strongSwan] ip address allocation .. same ip for different machines

2017-07-05 Thread Alex Sharaz
Hi, Running 5.5.3 and using attr-sql to assign ip addresses out of an ip pool. Built a .mobileconfig file which users can download from a website to install on their machine. Everything works except when I connect to SSwan from multiple Apple devices with the same .mobileconfig: each remote client gets

[strongSwan] client for Chrome OS

2017-07-04 Thread Alex Sharaz
Hi, Can anyone point me at an appropriate client for ChromeOS .. or is there built-in support for ikev2 rsa/eap-peap? Rgds Alex

[strongSwan] Win 7 connection issue

2017-07-03 Thread Alex Sharaz
Hi, Having configured Ubuntu and Win 10 to successfully connect to our SSwan 5.5.3 server, I thought I was on a roll and tried a Win 7 machine using x509 certs. Installed a client cert on the win 7 machine along with root and intermediate certs. Configured win 7 as per the sswan wiki page

Re: [strongSwan] SSwan 5.5.3 , X.509 certs and attr-sql issue

2017-06-29 Thread Alex Sharaz
Hi, Many thanks for the quick response ... it's easy to change the table size ... which I've done ... and it now works! Rgds Alex On 29 June 2017 at 14:52, Tobias Brunner wrote: > Hi Alex, > > > Jun 29 13:49:12 06[LIB] executing MySQL statement > >

[strongSwan] SSwan 5.5.3 , X.509 certs and attr-sql issue

2017-06-29 Thread Alex Sharaz
Hi, I'm trying to establish a VPN link using X.509 certificates on an Ubuntu client talking to an Ubuntu SSwan server. Both ends are using Vsn 5.5.3 and are running on Ubuntu 16.04.02. I'm also trying to use the attr-sql module to assign an ip address from a managed ip pool and have built a

[strongSwan] client virtual ip address assignment issue with dhcp

2017-04-25 Thread Alex Sharaz
Hi, Seem to have a problem assigning an IP address to a client from our campus dhcp server Running strongswan 5.5.2 loaded plugins: charon unbound pkcs11 aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey

[strongSwan] packaged versions of StrongSwan 5.5.1

2017-03-16 Thread Alex Sharaz
Hi, I'm currently using the packaged version of strongswan 5.3.5 on Ubuntu 16.04.02. Would anyone know if there are any 5.5.1 equivalent packages available for Ubuntu ... saves me building them. Rgds Alex ___ Users mailing list Users@lists.strongswan.org

[strongSwan] windows 7 upwards and ikev1

2017-03-14 Thread Alex Sharaz
Now that I've found some info on multi-factor auth and it's been suggested that we use ikev1 + xauth to roll this out, how might I do this on Win 10? The strongswan pages I've seen seem to imply that Windows supports ikev2 but not ikev1. Rgds Alex

Re: [strongSwan] DUO TOTP and Strongswan

2017-03-09 Thread Alex Sharaz
many thanks, found that page :-)) A On 9 March 2017 at 16:27, Noel Kuntze <n...@familie-kuntze.de> wrote: > That one's easy > https://wiki.strongswan.org/projects/strongswan/wiki/ > EapRadius#Multiple-rounds > > On 09.03.2017 16:09, Alex Sharaz wrote: > > Would certa

Re: [strongSwan] DUO TOTP and Strongswan

2017-03-09 Thread Alex Sharaz
Would certainly like to hear if anyone has managed it using ikev1 and XAUTH A On 9 March 2017 at 11:54, Alex Sharaz <alex.sha...@york.ac.uk> wrote: > o.k. Was wondering because on our Juniper box a user logs on using their > normal credentials using the pulse secure app and then g

Re: [strongSwan] DUO TOTP and Strongswan

2017-03-09 Thread Alex Sharaz
onders > to specify several form fields in the user interface. Maybe some other > person knows how to do that > and how to implement it in IKEv2. > > On 09.03.2017 12:32, Alex Sharaz wrote: > > ikev2 > > > > > > On 9 March 2017 at 11:31, N

[strongSwan] DUO TOTP and Strongswan

2017-03-09 Thread Alex Sharaz
Probably too generic a question, but has anyone integrated a StrongSwan VPN service with the DUO Mobile Time-Based One Time Password (TOTP) feature? Ideally want 1). x.509 cert to identify our VPN service to client 2). use eap-radius method for ikev2 connections for user auth 3). TOTP on top of

[strongSwan] simple leftupdown script required

2017-03-02 Thread Alex Sharaz
Hi, Looking for some help setting up my first strongSwan VPN server and having some IPTABLES lack-of-knowledge issues. I've an Ubuntu 16.04 server with strongswan 5.3.5 packages installed. The plan is to have external users connect to the server via a public IP address from outside the