-ml@thermi.consulting> wrote:
> Put the root CA and the intermediate CAs into /etc/ipsec.d/cacerts, then
> run `ipsec stroke rereadcacerts` and then retry.
> If that does not help, check the logs of iOS. You can get access to them
> via Apple's SDK.
>
> On 11.01.2018 13:13, Alex Shar
ient's certificate
> store.
> A client needs to be able to verify the server's certificate from the root
> to the server certificate. That includes CRLs and OCSP.
>
> That's PKI 101.
>
> Kind regards
>
> Noel
>
> On 10.01.2018 12:44, Alex Sharaz wrote:
> > Hi,
Hi,
I've got a .mobileconfig file set up that will allow a macOS/iOS user to
connect to my SSwan VPN server (5.6.1)
In it I have a cert payload defined containing both the intermediate and
root cert of the server certificate. This all works just fine
However, our security people are objecting to
Hi,
I've created a pair of ip pools
name            start                end                    timeout  size  online   usage
itservices      172.18.64.2          172.18.64.127          static   126   1 ( 0%)  28 (22%)
itservicesIPv6  2001:630:61:6000::f  2001:630:61:6000::fff  static   4081  0 ( 0%)  2 ( 0%)
My ipsec
Hi,
I've configured my vpn server (5.6.1) to use eap-radius to pass auths to
our RADIUS service.
I've also configured eap-radius.conf to pass the Calling-Station-Id and
Framed-IP-Address to the RADIUS server.
Unfortunately what appears at the radius server seems to be the IPv4/IPv6
address of
Anyone got an example of defining an ipv6 pool using ipsec pool .. ?
Rgds
Alex
o.k. so guess I'll build a freeradius server on the SSwan VPN box using
vpn.york.ac.uk cert and then proxy stuff to the mail auth service
A
On 4 December 2017 at 10:31, Tobias Brunner wrote:
> Hi Alex
>
> > So if my client is connecting to vpn.york.ac.uk,
> > the cert
On 1 December 2017 at 16:05, Alex Sharaz <alex.sha...@york.ac.uk> wrote:
> or I could install freeradius on the strongswan server and let it handle
> the eap side of things and then there is a virtual server that proxies off
> the inner tunnel stuff to another server for authentication.
.
Would be better than changing code and sswan config still uses eap-radius
but points to itself
A
On 1 December 2017 at 15:21, Alex Sharaz <alex.sha...@york.ac.uk> wrote:
> o.k lots of options ...
> Think I need the charon-nm for our Ubuntu network manager users .. keeps
> it s
o.k lots of options ...
Think I need the charon-nm for our Ubuntu network manager users .. keeps it
simple
Think I'll try patching charon-nm first
Thanks
A
On 1 December 2017 at 14:34, Tobias Brunner wrote:
> Hi Alex,
>
> > so you're saying that my radius server also
So just to check, our radius server has a cert with a CN=radius.york.ac.uk
and its SubjAltNames are
X509v3 Subject Alternative Name:
DNS:radius.york.ac.uk, DNS:www.radius.york.ac.uk
so you're saying that my radius server also needs to have vpn.york.ac.uk as
a SubjAltName in it
o.k deleted source tree and started again. It now looks as if there's a
difference between what happens when talking to the RADIUS server used by
the VPN server
Below is a snippet from /var/log/syslog for the charon-nm process. As
before CLI VPN connections just work. I've run the following
Hi,
I've just built SSwan from 5.6.1 source and tried to build a Network
manager plugin (Ubuntu 16.04.3). Unfortunately, although my CLI
settings work, my NM plugin fails every time.
I've built sswan using
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
--disable-aes
... and I now have a NetworkManager defined VPN working.
Many thanks
A
On 8 September 2017 at 10:48, Tobias Brunner wrote:
> Hi Alex,
>
> > In my strongswan build, how do I tell NM to use eap-mschapv2?
> >
> > At the moment, by default it's using eap-md5
>
> The
Hi,
quick question about incorporating the CA chain in a .mobileconfig file
I've used the apple configurator to create a .mobileconfig file for use
against our SSwan 5.5.3 VPN service.
Initially we used a locally generated server cert from our internal CA so
I included the intermediate and root
Anyone using chromeos to talk to sswan ?
Config example would be helpful if possible
Rgds
Alex
Hi,
Been looking for details on how to configure a chromebook to connect to
sswan 5.5.3
Found an ONC spec document and came up with
{
"Type": "UnencryptedConfiguration",
"NetworkConfigurations": [
{
"GUID":"{818743ad-2d62-4602-bc6b-d77a7d3ad828}",
"Type": "VPN",
"Name": "UoY
>Yes, IPs are assigned based on the remote identity. If an existing
>lease for an identity is found, which is not currently assigned to a
>client, it will be reused.
Sigh! my fault. Just tested again and stuff working as expected
Rgds
Alex
On 5 July 2017 at 11:35, Tobias Brunner
Hi,
Running 5.5.3 and using attr-sql to assign ip addresses out of an ip pool
Built a .mobileconfig file which users can download from a website to install
on their machine.
Everything works except when I connect to SSWan from multiple apple devices
with same .mobileconfig each remote client gets
Hi,
Can anyone point me at an appropriate client for ChromeOS .. or is there
built in support for ikev2 rsa/ eap-peap
Rgds
Alex
Hi,
Having configured Ubuntu and Win 10 to successfully connect to our SSwan
5.5.3 server, I thought I was on a roll and tried a Win 7 machine using
x509 certs.
Installed a client cert on the win 7 machine along with root and
intermediate certs.
Configured win 7 as per the sswan wiki page
Hi
Many thanks for the quick response ... it's easy to change the table size
... which I've done ... and it now works !
Rgds
Alex
On 29 June 2017 at 14:52, Tobias Brunner wrote:
> Hi Alex,
>
> > Jun 29 13:49:12 06[LIB] executing MySQL statement
> >
Hi,
I’m trying to establish a VPN link using x.509 certificates on an Ubuntu
client talking to an Ubuntu SSwan server. Both ends are using Vsn 5.5.3.
and are running on Ubuntu 16.04.02
I’m also trying to use the attr-sql module to assign an ip address from a
managed ip pool and have built a
Hi,
Seem to have a problem assigning an IP address to a client from our
campus dhcp server
Running strongswan 5.5.2
loaded plugins: charon unbound pkcs11 aes des rc2 sha2 sha1 md5 random
nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey dnscert ipseckey
Hi
I'm currently using packaged version of strongswan 5.3.5 on Ubuntu
16.04.02. Would anyone know if there are any 5.5.1 equivalent packages
available for Ubuntu ... saves me building them
Rgds
Alex
___
Users mailing list
Users@lists.strongswan.org
Now that I've found some info on multi factor auth and it's been suggested
that we use ikev1 +xauth to roll this out, how might I do this on Win 10?
The strongswan pages I've seen seem to imply that windows supports ikev2
but not ike v1
Rgds
Alex
many thanks,
found that page :-))
A
On 9 March 2017 at 16:27, Noel Kuntze <n...@familie-kuntze.de> wrote:
> That one's easy
> https://wiki.strongswan.org/projects/strongswan/wiki/
> EapRadius#Multiple-rounds
>
> On 09.03.2017 16:09, Alex Sharaz wrote:
> > Would certa
Would certainly like to hear if anyone has managed it using ikev1 and XAUTH
A
On 9 March 2017 at 11:54, Alex Sharaz <alex.sha...@york.ac.uk> wrote:
> o.k. Was wondering because on our Juniper box a user logs on using their
> normal credentials using the pulse secure app and then g
onders
> to specify several form fields in the user interface. Maybe some other
> person knows how to do that
> and how to implement it in IKEv2.
>
> On 09.03.2017 12:32, Alex Sharaz wrote:
> > ikev2
> >
> >
> > On 9 March 2017 at 11:31, N
Probably too generic a question but has anyone integrated a StrongSwan
VPN service with the DUO Mobile TimeBase One Time Password (TOTP) feature?
Ideally want
1). x.509 cert to identify our VPN service to client
2). use eap-radius method for ikev2 connections for user auth
3). TOTP on top of
Hi,
Looking for some help setting up my 1st strong swan vpn server and having
some IPTABLES lack of knowledge issues.
I've an Ubuntu 16.04 server with strongswan 5.3.5 packages installed. The
plan is to have external user to connect to the server via a public IP
address from outside the