Re: [strongSwan] eap-dynamic (eap-tls, eap-mschapv2) and cacerts constraints

2022-08-06 Thread Andreas Steffen
ct eap-dynamic->eap-tls clients to that one CA in the presence of multiple connections on the same device that may use a different CA or certificates. Kind regards, Andreas -- ========== Andreas Steffen and

Re: [strongSwan] Memory leak in charon?

2022-08-06 Thread Andreas Steffen
Memory leaks are written to the log when the charon daemon exits and all memory is released. Sending a HUP doesn't help. On 05.08.22 15:21, Michael Schwartzkopff wrote: On 05.08.22 14:36, Andreas Steffen wrote: Hi Michael, I'm not aware of any memory leak that we fixed. You could

Re: [strongSwan] Memory leak in charon?

2022-08-05 Thread Andreas Steffen
rate. As far as I read the changelog, no memory leak was fixed in 5.9.6 and 5.9.7. Any idea how to proceed to pin down the cause of the leak? 200 kB/h impacts the embedded device. Kind regards, == Andreas St

Re: [strongSwan] Failure of chacha algorithm use?

2022-08-05 Thread Andreas Steffen
305[openssl] Do we miss a kernel module? As far as I can see, we compiled the necessary module into the kernel, which option would the algorithm be in the kernel? Kind regards, -- ==========

Re: [strongSwan] UDP encapsulation

2021-09-28 Thread Andreas Steffen
swanctl.conf. Cheers Andreas On 28.09.21 07:06, rathiranair wrote: Hello What is the configuration setup for implementing udp encapsulation? Regards Athira == Andreas Steffen andreas.stef...@strongswan.org

Re: [strongSwan] strict crl policy

2021-09-26 Thread Andreas Steffen
uniqueids = no ====== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org strongSec GmbH, 8952 Schlieren (Switzerland) ==

Re: [strongSwan] docker strongswan image

2021-09-24 Thread Andreas Steffen
Confidential; Commercially Sensitive Business Data ====== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org strongSec GmbH, 8952 Schlieren (Switzerland) ==

Re: [strongSwan] PGP Key used for signing

2021-07-07 Thread Andreas Steffen
D 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1 > ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org strongSec GmbH, 8952 Schlieren (Switzerland) ==

Re: [strongSwan] Version numbers

2021-06-23 Thread Andreas Steffen
_4.x86_64" > > What is the difference between the two versions? Is one 32-bit and one > 64-bit? > > *Dave Pearce* > > Blue Origin OLS > > dpear...@blueorigin.com <mailto:dpear...@blueorigin.com> > ====

[strongSwan] Archived recording of the joint strongSwan and wolfSSL Webinar

2021-06-05 Thread Andreas Steffen
Hi, the recording of the strongSwan and wolfSSL Webinar is now available under the following link: https://www.youtube.com/watch?v=Ul_M3XzRa4Q Best regards Andreas On 28.05.21 13:30, Andreas Steffen wrote: > Please join us for our upcoming webinar with Security Expert Eric > Blank

[strongSwan] Upcoming joint strongSwan and wolfSSL Webinar

2021-05-28 Thread Andreas Steffen
Please join us for our upcoming webinar with Security Expert Eric Blankenhorn from wolfSSL and Andreas Steffen from the strongSwan Project. Leveraging the FIPS-certified security of wolfSSL and the power of strongSwan to make a more perfect VPN! strongSwan and wolfSSL are coming together to

Re: [strongSwan] how to increase timeout for "deleting half open IKE_SA with after timeout" ?

2021-05-16 Thread Andreas Steffen
is a 30sec timeout on the IPsec gateway. Is there > a chance to increase this timeout (using stroke, ie. ipsec.conf)? > https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection > mentions only the DPD timeout (150 sec per default) and the inac- > tivity timeout (child sa only,

Re: [strongSwan] OpenIKED strongswan question

2021-03-03 Thread Andreas Steffen
gards, RG. -- == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions University of Applied Sciences Rappe

Re: [strongSwan] Unable to establish connection with Fortigate device

2021-03-01 Thread Andreas Steffen
18DADC661F7EB7698D90A5ECEC8DB81EC258089F8E48EEBB2313BE63C33FF5 I'm fairly new to strongswan so I might have missed something in the server configuration. Any hint is welcome. Thanks [1] https://wiki.strongswan.org/projects/strongswan/wiki/Fortinet -- =======

Re: [strongSwan] Strongswan with ECDSA certificate

2020-12-11 Thread Andreas Steffen
Hello George, you have to enable one of the libstrongswan plugins that support elliptic curve cryptography. Either the openssl, wolfssl or botan plugin. Best regards Andreas On 05.11.20 20:20, george wrote: eature PUBKEY:ECDSA in plugin 'pem' has unmet dependency: PUBKEY:ECDSA

Re: [strongSwan] IKE Phase 1 and Phase 2 parameters

2020-09-04 Thread Andreas Steffen
r confidential or otherwise legally exempt > from disclosure. If you are not the named addressee, you are not > authorized to read, print, retain, copy or disseminate this message or > any part of it. If you have received this message in error, please > notify

Re: [strongSwan] Is there an official docker image for StrongSwan?

2020-06-28 Thread Andreas Steffen
> > Thank you for advice, > Houman ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions HSR University of Applied Scienc

Re: [strongSwan] eap auth with 5.8 - how?

2020-05-10 Thread Andreas Steffen
But I think the remote side is not configured for EAP-based client authentication or cannot find its private signature key so AUTHENTICATION FAILED ensues. Any chance of getting the remote log? Andreas On 11.05.20 08:45, Andreas Steffen wrote: > Hi, > > in the remote section you ha

Re: [strongSwan] eap auth with 5.8 - how?

2020-05-10 Thread Andreas Steffen
UP) > N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) > N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] > [NET] sending packet: from xx.XX.yy.YY[4500] to > xx.XX.zz.ZZ[4500] (432 bytes) > [NET] received packet: from xx.XX.zz.ZZ[4500] to > xx.XX.yy.YY[4500] (80 bytes)

Re: [strongSwan] Password protection on private key using PKI tool

2020-03-28 Thread Andreas Steffen
of the key install on a client one still > needs the password to use them. > >   > > Regards > > Dries ====== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN So

Re: [strongSwan] configuring android StrongSwan VPN Client 2.2.1

2020-01-07 Thread Andreas Steffen
> change: CONNECTING => DESTROYING > > What do I need to change in the android client configuration?  I would > prefer not to touch the linux server as it is working with windows > clients, but will do so if absolutely necessary.  Thank you for your > assistance in this matter

Re: [strongSwan] Regarding Strongswan and AD

2019-08-14 Thread Andreas Steffen
stuck somewhere or missing something. > > My setup is: > client -> Strongswan(centos 7) -> radius(free radius,centos 7) -> > AD(Microsoft) > > Can you provide some guidance regarding this? I've to complete this > project this month.  > > Thank

Re: [strongSwan] How to determine how many connections are currently active?

2019-07-31 Thread Andreas Steffen
between them in this > context? > > Many Thanks, > Houman > > On Wed, 31 Jul 2019 at 11:14, Andreas Steffen > mailto:andreas.stef...@strongswan.org>> > wrote: > > Hi Houman, > > you can get the number of active IKE SAs via > >   swanctl --l

Re: [strongSwan] How to determine how many connections are currently active?

2019-07-31 Thread Andreas Steffen
> today and have a acctstoptime that is null.  The count of these records > would be the approximate number of active connections to the server. > > > Is there a better way to achieve this or do you agree to this approach? > > > > Many Thanks, > > Houman >

Re: [strongSwan] Strongswan 5.8 broke my setup

2019-07-08 Thread Andreas Steffen
> ipsec[1592]: charon (1601) started after 20 ms > ipsec_starter[1592]: charon (1601) started after 20 ms > charon[1601]: 07[CFG] received stroke: add connection 'myvpn' > charon[1601]: 07[CFG] added configuration 'myvpn' > > > Why did you

Re: [strongSwan] Certificate-based IPsec tunnel failing to complete

2019-07-05 Thread Andreas Steffen
nprem-to-azure' inacceptable: constraint > checking failed > [CFG] no alternative config found > [ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ] > [NET] sending packet: from 172.26.0.85[4500] to $MY_ON_PREM_EXT_IP[4500] (65 > bytes) > initiate failed: establishing CH

Re: [strongSwan] Can strongswan tnc be used with TPM 2.0 ?

2019-07-01 Thread Andreas Steffen
NC/PTS feature compliant with TPM 1.2 and TPM 2.0 ? > > Thanks > > > > -- == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Soluti

Re: [strongSwan] Removing individual certs

2019-05-19 Thread Andreas Steffen
> > Thanks. ====== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions HSR University of Applied Sciences Rapperswil CH-

Re: [strongSwan] Error connecting from Fortigate VPN to Strongswan

2019-03-15 Thread Andreas Steffen
transmit 5 of request with message ID 1 Mar 15 00:37:41 klick001 charon: 14[NET] sending packet: from 10.138.0.4[4500] to 200.10.1**.***[4500] (988 bytes) Please assist as we are about to go live soon. Thanks in advan

Re: [strongSwan] How to improve connection loss when moving from 4G to Wifi?

2019-02-10 Thread Andreas Steffen
hat seamlessly? > > Many Thanks, > -- ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions HSR University of Applied Sciences R

Re: [strongSwan] length of TRAFFIC_SELECTOR_SUBSTRUCTURE substructure list invalid

2018-10-29 Thread Andreas Steffen
> And what does 'length of TRAFFIC_SELECTOR_SUBSTRUCTURE substructure > list invalid' means, I tried finding it in RFC, but could not find > the same. > > > Thanks & Regards, > > Yogesh Purohit > > > >

Re: [strongSwan] PEAP

2018-09-16 Thread Andreas Steffen
us --enable-openssl \ > --enable-eap-peap > > NPS > > > > > > Windows 10 reports: > -- == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Op

Re: [strongSwan] (no subject)

2018-09-03 Thread Andreas Steffen
tack mentioned for PSK based auth (irrespective of the PSK > chosen by the user)? > > > Thanks, > > Sandesh > > > On Fri, Aug 31, 2018 at 3:50 PM Andreas Steffen > mailto:andreas.stef...@strongswan.org>> > wrote: > > Hi Sandesh, > >

Re: [strongSwan] (no subject)

2018-08-31 Thread Andreas Steffen
ws.com/2018/08/20/ipsec-vpn-connections-broken-using-20-year-old-flaw/ > https://securityaffairs.co/wordpress/75352/hacking/key-reuse-ipsec-attack.html > > Thanks, > Sandesh ========== Andreas Steffen an

Re: [strongSwan] help with ext-auth plugin

2018-08-04 Thread Andreas Steffen
1 pkcs7 pkcs8 pkcs12 pgp > dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr > kernel-netlink resolve socket-default stroke vici updown xauth-generic > counters > 00[JOB] spawning 16 worker threads > > Please guide me on what did i miss? > > -- > Regards, >

Re: [strongSwan] Security Comparison

2018-07-20 Thread Andreas Steffen
v/csrc/media/publications/sp/800-131a/rev-1/final/documents/sp800-131a_r1_draft.pdf > [2] > https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt1r4.pdf > [3] > https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations > -- =

Re: [strongSwan] strongSwan plugins - openssl and x509

2018-07-11 Thread Andreas Steffen
f x509 certificates supported by both the above plugins? > So, if I am enabling openssl plugin, can x509 plugin be disabled? > My use case requires using x509 certificates, without CRL or OCSP support. > > - Divya > -- =========

Re: [strongSwan] TPM2.0 and ESAPI

2018-07-04 Thread Andreas Steffen
from it, that switching to > ESAPI is possible but not in the nearest future as ESAPI is quite new > and require some significant time to learn how to use it. Am I correct? > > Pozdrowienia/Regards, > > Piotr Parus > > > > On 26.06.2018 at 17:07, Andreas St

Re: [strongSwan] TPM2.0 and ESAPI

2018-06-26 Thread Andreas Steffen
> Best regards, > > Piotr Parus > -- ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions HSR Universi

Re: [strongSwan] Checking X509 Extended Key Usage

2018-06-22 Thread Andreas Steffen
:43, Andreas Steffen wrote: >> Hi Sven, >> >> you can use certificate policies which are based on OIDs. >> >> With swanctl.conf: >> >> remote { >> auth = pubkey >> cert_policy = >> ... >> } >> >> or w

Re: [strongSwan] Checking X509 Extended Key Usage

2018-06-20 Thread Andreas Steffen
at 18:47, Andreas Steffen wrote: >> Hi Sven, >> >> according to section 5.1.3.12. "ExtendedKeyUsage" of RFC 4945 >> "The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX" >> the IPsec User EKU is deprecated: >> >>

Re: [strongSwan] Checking X509 Extended Key Usage

2018-06-19 Thread Andreas Steffen
c, if it is set. We may use some other flags > out of our own space too. > > How can I check in StrongSwan, if a certain EKU exists? > > Regards > Sven Anders > -- == Andreas Steffen

Re: [strongSwan] Loading certificate fails

2018-06-05 Thread Andreas Steffen
509_parse_generalNames() to fail). Regards, Tobias -- ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions University of Applied

Re: [strongSwan] Loading certificate fails

2018-06-05 Thread Andreas Steffen
'my.C_NK_VPN.pem' failed Kind regards, Mike. -- ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Sol

Re: [strongSwan] VICI and PSK

2018-05-16 Thread Andreas Steffen
:58, Modster, Anthony wrote: Hello ? how to configure VICI for PSK Thanks -- == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Instit

Re: [strongSwan] starting strongswan without starter

2018-05-08 Thread Andreas Steffen
correct way to start strongswan without 'ipsec start' ? -- ====== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for

Re: [strongSwan] IKE_SA_INIT response with notification data missing

2018-04-16 Thread Andreas Steffen
6 rightauth=psk esp=3des-aes-sha1-md5-modp1024 ike=3des-sha1-md5-modp1024 auto=add type=tunnel Thanks, Balaji -- ========== Andreas Steffen andreas.stef...@strongswan.

Re: [strongSwan] Not Able to Connect

2018-03-29 Thread Andreas Steffen
server has to be configured. Regards Andreas On 29.03.2018 20:12, Info wrote: > > On 03/29/2018 10:21 AM, Andreas Steffen wrote: >> Hi, >> >> yes you can fully integrate a remote host into a LAN by using the >> farp and dhcp plugins on the VPN gateway so that the gatew

Re: [strongSwan] Not Able to Connect

2018-03-29 Thread Andreas Steffen
ransitioning the LAN to > IPV6.  As my ISP will not foreseeably have IPV6 (Frontier Comm)  I'll > need to use a tunnel broker.  Will this be a problem with Strongswan, > and can the Android app do IPV6? > > > On 03/28/2018 02:35 PM, Andreas Steffen wrote: >> The co

Re: [strongSwan] Not Able to Connect

2018-03-28 Thread Andreas Steffen
it also doesn't explain > "classic and combined-mode algos" nor not to mix them.  I can't know > these things by instinct. > > Something else is wrong with the example.  I copied it -exactly- (except > I used your esp_proposals), and the error log is attached.

Re: [strongSwan] Not Able to Connect

2018-03-28 Thread Andreas Steffen
AC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024 > Tue, 2018-03-27 15:26 15[CFG]   local: > Tue, 2018-03-27 15:26 15[CFG]    id = cygnus.darkmatter.org > Tue,

Re: [strongSwan] Cipher Suite proposals changed in the course of 5.6.0 to 5.6.2

2018-03-18 Thread Andreas Steffen
nectivity. >>> >>> I know the iPhone 4 is almost 8 years old, however, mine looks like I >>> bought it yesterday, and the battery is still in a perfect shape, and I >>> don't want to buy a new one in the foreseeable future. Please may I ask to >>> pick the best cipher from

Re: [strongSwan] Strongswan IPSec VPN is up but does not pass traffic

2018-03-13 Thread Andreas Steffen
, hard 0(sec) >       expire use: soft 0(sec), hard 0(sec) >     lifetime current: >       0(bytes), 0(packets) >       add 2018-03-12 18:15:44 use - > src ::/0 dst ::/0 uid 0 >     socket out action allow index 20 priority 0 share any flag  (0x) >     lifetime c

Re: [strongSwan] problem: fetching from hash_and_url

2018-03-01 Thread Andreas Steffen
, > scheduled: 0 > >   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 > pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp > curve25519 xcbc cmac hmac attr kernel-netlink socket-default stroke vici > updown xauth-generic > >   >

Re: [strongSwan] pki --verify Command

2018-02-10 Thread Andreas Steffen
't work that way, other than nobody gotten around to doing it? > > Regards, > Jafar == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswa

Re: [strongSwan] Strongswan 5.5

2018-02-06 Thread Andreas Steffen
> > > Thanks in advance, > > Rajeev > -- ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions HSR Univer

Re: [strongSwan] Separate files for crt and key

2018-01-26 Thread Andreas Steffen
-- == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland

Re: [strongSwan] dpd not getting triggered

2018-01-12 Thread Andreas Steffen
t >     left=10.127.47.104 >     leftsubnet=10.127.47.104/32 >     leftid=10.127.47.104 >     right=10.104.108.110 >     rightsubnet=10.104.108.110/32 >     rightid=10.104.108.110 >     auto=start > > ~ > Regards, > kalyani > --

Re: [strongSwan] OSCP

2017-12-19 Thread Andreas Steffen
] On Behalf Of Andreas Steffen Sent: Saturday, December 16, 2017 2:23 AM To: Modster, Anthony ; users@lists.strongswan.org Subject: Re: [strongSwan] OSCP Hello Anthony, if the OCSP URI is not included via an authorityInfoAccess extension in the end entity certificate itself then an authority

Re: [strongSwan] Autorisation in vici?

2017-12-18 Thread Andreas Steffen
> > > I did not find anything in the docs. > > > Kind regards, > -- ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www

Re: [strongSwan] OSCP

2017-12-16 Thread Andreas Steffen
e needed on the host > >   > > Thanks > >   > -- ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions HSR

Re: [strongSwan] Fwd: Re: Validating Local Host Own Certificate

2017-12-07 Thread Andreas Steffen
7:34 +0100 From: Andreas Steffen To: Jafar Al-Gharaibeh , users@lists.strongswan.org Hi Jafar, locally loaded certificates are always trusted. Regards Andreas On 07.12.2017 07:44, Jafar Al-Gharaibeh wrote: Hi, I have noticed that when configuring the local certificate in a connection via

Re: [strongSwan] Validating Local Host Own Certificate

2017-12-06 Thread Andreas Steffen
ugh a CA trustchain. Thanks, Jafar -- == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions Universi

Re: [strongSwan] StrongSwan Android app, NO_PROPOSAL_CHOSEN error & Digital Ocean's VPN tutorial

2017-11-20 Thread Andreas Steffen
> rightsourceip=10.10.10.0/24 > rightsendcert=never > eap_identity=%identity > > My /etc/ipsec.secrets contains: > > 128.199.36.88 : RSA "/etc/ipsec.d/private/vpn-server-key.pem" > vpnusername %any% : EAP "vpnpasswordredacted" > > What might b

Re: [strongSwan] what the use (effect) of "righthostaccess=yes"

2017-11-20 Thread Andreas Steffen
ither in GW1 or in GW2 - So my query is: whats the use of the option "righthostaccess=yes"...where and when do we use this option? thanks & regards Rajiv -- == Andreas Steffen and

Re: [strongSwan] Remote Attestation through Cisco ASA

2017-11-15 Thread Andreas Steffen
as to be decrypted once by the device. Many thanks, Mario -- ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for N

Re: [strongSwan] No private key found

2017-10-05 Thread Andreas Steffen
T Root CA01, CN=TEST CableLabs > Root Certification Authority" > >   issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs > Root Certification Authority" > >   validity:  not before Nov 11 17:19:44 2014, ok > >          

Re: [strongSwan] Permission Denied error

2017-09-18 Thread Andreas Steffen
s me the following error: > > > bash: caKey.der: Permission denied > > > I tried to run it with sudo and I get the same error.   I assume the key > would be populated in: > >   /etc/ipsec.d/private > > > Any help is appreciated! > > -- ========

Re: [strongSwan] nonce Length

2017-09-14 Thread Andreas Steffen
byte number. Thanks for confirming that. I also came across nonce plugin configuration: nonce { } Is there really any thing configurable here or is that just there for completeness? Kind Regards, Jafar On 9/14/2017 1:56 AM, Andreas Steffen wrote: Hi Jafar, section 2.10 of IKEv2 RFC

Re: [strongSwan] nonce Length

2017-09-13 Thread Andreas Steffen
Al-Gharaibeh wrote: > Hi, > >What is the default length of the nonce used to establish and rekey > IKE/Child SAs? is that based on the DH group? and is the length > configurable? > > Thanks, > Jafar ==========

Re: [strongSwan] Default value of inactivity in ipsec.conf

2017-09-12 Thread Andreas Steffen
nks, Terry -- ====== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions University of Applied Sciences Rapperswil CH-8640 Rapperswil (S

Re: [strongSwan] Strongswan and TPM

2017-08-31 Thread Andreas Steffen
y the configuration backend, whether that private key is > actually loaded into memory or it's just a reference to a key > (as is the > case here). Private keys on PKCS#11 tokens or in a TPM can't be > accessed directly, so they never end up i

Re: [strongSwan] SHA1 vs SHA256

2017-08-04 Thread Andreas Steffen
> On 2017-08-04 at 19:04, Noel Kuntze wrote: >> Hi, >> >> IIRC pfkey still uses the old truncation (It's mentioned in some >> relatively recent ticket). >> Try using kernel-netlink instead. >> >> Kind regards >> >> Noel >> >>

Re: [strongSwan] SHA1 vs SHA256

2017-08-04 Thread Andreas Steffen
) Regards Andreas On 04.08.2017 16:41, Dusan Ilic wrote: > Hi Andreas > > One side is 2.6.36 and the other 3.10.20 > > > On 2017-08-04 at 12:48, Andreas Steffen wrote: >> Hi Dusan, >> >> this is a Linux kernel issue. Which kernel versions are you running >

Re: [strongSwan] SHA1 vs SHA256

2017-08-04 Thread Andreas Steffen
aes256-sha256-modp2048! >>> esp=aes256-sha256-modp2048! >>> >>> Below combo doesn't work either: >>> >>> ike=aes256-sha256-modp2048! >>> esp=aes128-sha256-modp2048! >>> >>> >>> Also, are above settings good?

Re: [strongSwan] Question on

2017-08-02 Thread Andreas Steffen
s not insert the Authentication > payload in its IKE_AUTH response and this seems to make the initiator to > send Authentication Failed." > > So, my question - What is EAP_ONLY sent? Is this configurable not to > send it? > > - Shreyas ==

Re: [strongSwan] charon unmet dependency on native android build

2017-05-25 Thread Andreas Steffen
ritical plugin features > 00[DMN] initialization failed - aborting charon root@kltetmo:/ # pki --help strongSwan 5.5.2 PKI tool loaded plugins: aes des rc2 sha2 sha1 md5 random x509 revocation pkcs1 pkcs7 pkcs8 pkcs12 dnskey sshkey pem gmp hmac ========

Re: [strongSwan] listen interface specification

2017-05-02 Thread Andreas Steffen
forwards. -- Piyush Agarwal Life can only be understood backwards; but it must be lived forwards. ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users -- ==

Re: [strongSwan] remote_addrs with more than one IP address

2017-04-27 Thread Andreas Steffen
ou pls clarify this. > > cheers, > vijaya ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions HSR University of Applied

Re: [strongSwan] Security Associations

2017-04-06 Thread Andreas Steffen
Security Associations (0 up, 0 connecting): > none > > Problem is I have no SA Associations. > > > I attach conf file from both sites. I have strongswan 5.2.1 on Debian 8 x64 > > Thank you for any help. > > -- ===

Re: [strongSwan] Config/Install compiled strongswan

2017-03-07 Thread Andreas Steffen
it's still not binding to port 500. Is > there any other place I should look at? > > Thanks, > Di > > > 2017-03-07 14:36 GMT-08:00 Andreas Steffen > mailto:andreas.stef...@strongswan.org>>: > > Hi, > > selecting the --enable-all option is no

Re: [strongSwan] Config/Install compiled strongswan

2017-03-07 Thread Andreas Steffen
ome help on this, anything l missed or I should configure? > > Thanks, > Di == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked So

Re: [strongSwan] Android TNC server basic setup

2017-01-16 Thread Andreas Steffen
(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ] 08[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.11[33660] (272 bytes) 11[NET] received packet: from 192.168.1.11[33660] to 192.168.1.5[4500] (80 bytes) 11[ENC] parsed INFORMATIONAL request 12 [ N(AUTH_FAILED) ]

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-16 Thread Andreas Steffen
On 16.01.2017 20:39, Varun Singh wrote: On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff wrote: On Monday, 16 January 2017, 20:06:45, Andreas Steffen wrote: Hi Varun, we have customers who have successfully been running up to 60k concurrent tunnels. In order to maximize performance

Re: [strongSwan] Can strongSwan support 100k concurrent connections?

2017-01-16 Thread Andreas Steffen
ation. -- == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switze

Re: [strongSwan] Android TNC server basic setup

2017-01-14 Thread Andreas Steffen
, Mark On Thursday, January 12, 2017 6:09 AM, Andreas Steffen wrote: Hi Mark, you can find a [little-outdated] TNC server configuration HOWTO under the following link: https://wiki.strongswan.org/projects/strongswan/wiki/TNCS In the meantime the TNC measurement policies are not hard-coded any

Re: [strongSwan] strongTNCpolicy manager page not rendering properly

2017-01-14 Thread Andreas Steffen
@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users -- == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Internet

Re: [strongSwan] Android TNC server basic setup

2017-01-12 Thread Andreas Steffen
== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil

Re: [strongSwan] Resubmission as plaintext - Strongswan with ESP-NULL and ESP-NONE , NULL encryption and NONE integrity

2017-01-09 Thread Andreas Steffen
P traffic so it was working. Regards, SSAdmin Sent: Saturday, January 07, 2017 at 1:19 AM From: "Andreas Steffen" To: "ss admin" , users@lists.strongswan.org Subject: Re: [strongSwan] Resubmission as plaintext - Strongswan with ESP-NULL and ESP-NONE , NULL encryption and

Re: [strongSwan] Resubmission as plaintext - Strongswan with ESP-NULL and ESP-NONE , NULL encryption and NONE integrity

2017-01-06 Thread Andreas Steffen
roup = 10.1.9.119, IP = 10.1.9.119, Generating secret keys: unknown encryption algorithm! Jan 06 16:19:44 [IKEv1]Group = 10.1.9.119, IP = 10.1.9.119, Security negotiation complete for LAN-to-LAN Group (10.1.9.119) Initiator, Inbound SPI = 0xae679c9a, Outbound SPI = 0xcef968c7 Jan 06 16:19:4

Re: [strongSwan] IKEv2 Extensions to Support RoHC (RFC 5857)

2017-01-05 Thread Andreas Steffen
appear to currently implement support RoHC over IKEv2 (RFC 5857). I need to support this mode/extension and am trying to understand the best approach. Any suggestions? Thanks Jordan ====== Andreas Steffen an

Re: [strongSwan] No proposal chosen / No IKE config found

2016-12-30 Thread Andreas Steffen
esp-sha-hmac > > crypto ipsec security-association lifetime seconds 3600 > > > > crypto map revengemap 1 match address interestingtraffic > > crypto map revengemap 1 set peer 104.x.x.x > > crypto map revengemap 1 set ikev1 transform-set myVPN > > crypto map

Re: [strongSwan] AH Transport AES CMAC PSK

2016-11-27 Thread Andreas Steffen
omes this limitation? > Does it come from StrongSwan implementation or from Linux kernel (as > suggested by the error message)? > Does anybody have ideas? > > Best regards, > Gyula Kovacs ========== Andreas Steffen

Re: [strongSwan] how to use 'rightca' connection option?

2016-11-23 Thread Andreas Steffen
ssing something obvious, or does not understand this feature, but I have no idea, what this can be. Does anybody know? Best regards, John, ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan

Re: [strongSwan] triggering MOBIKE in strongswan

2016-11-16 Thread Andreas Steffen
vvnrk.vanapa...@gmail.com <mailto:vvnrk.vanapa...@gmail.com> > > > ___ > Users mailing list > Users@lists.strongswan.org > https://lists.strongswan.org/mailman/listinfo/users > -- ==

Re: [strongSwan] libhydra

2016-11-15 Thread Andreas Steffen
king >>> to the kernel would require a kernel_ipsec_t as well. Is this correct? >> >> Yes. >> >> Regards, >> Tobias >> > ___ > Users mailing list > Users@lists.strongswan.org > https://lis

Re: [strongSwan] Why doesn't table 220 change forwarded packets source IP address?

2016-11-06 Thread Andreas Steffen
ble 220 is working!) - FORWARD chain sees the source IP address as 192.168.2.X (host cannot be reached until these packets are SNAT'ed to 10.2.0.3) Richard Chan ========== Andreas Steffen andreas.stef...@

[strongSwan] Testing

2016-10-28 Thread Andreas Steffen
Testing the availability of the strongSwan mailing list server. Please disregard Andreas == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution

Re: [strongSwan] Abbreviations

2016-10-13 Thread Andreas Steffen
Brian ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users -- == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open S

Re: [strongSwan] Duplicate log entries using default configuration

2016-10-12 Thread Andreas Steffen
strongswan.org https://lists.strongswan.org/mailman/listinfo/users -- ========== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Int
