[strongSwan] Table 220 route source address determination

2017-01-25 Thread Brian O'Connor
I have a Linux system running strongSwan and OpenVPN. I use the strongSwan VPN for providing inter-site connectivity and the OpenVPN VPN for road-warrior tunnelling through HTTPS from public WiFi library sites using a transparent proxy. When one of my strongSwan peers connects and the OpenVPN s

Re: [strongSwan] XFRM Policy Lookups

2016-12-24 Thread Brian O'Connor
Further to my previous message [1] and Noel's posting at [2], the only way I could make packet marking effective for traffic forwarded back through the VPN gateway to the VPN initiator was to put the iptables marking rule into the PREROUTING chain of the mangle table. Marking in the POSTROUTIN
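The placement described in the message above (mark in the mangle PREROUTING chain, i.e. before the routing decision, rather than in POSTROUTING), shown as an added example that is not code from the post or from the strongSwan project. The subnets, the inside interface, the mark value and the iptables-save fragments are constructed assumptions; the mark value has to match the mark= setting of the conn whose XFRM policies it should select.

```shell
#!/bin/sh
# Added example, not code from the list post or from the strongSwan project.
# Marks forwarded traffic bound for the VPN initiator's subnet in the mangle
# PREROUTING chain, i.e. before the routing decision, which is the placement
# the post reports as effective. Subnets, interface and mark value are
# assumptions; the mark must equal the mark= value of the matching conn.
set -eu

LAN_NET="${LAN_NET:-192.168.10.0/24}"        # assumed subnet behind this gateway
REMOTE_NET="${REMOTE_NET:-192.168.20.0/24}"  # assumed subnet behind the initiator
LAN_IF="${LAN_IF:-eth1}"                     # assumed inside interface
MARK="${MARK:-0x10}"                         # assumed mark value

# Emit the rule; it is printed, not applied, unless APPLY=1 (root required).
vpn_mark_rules() {
    printf 'iptables -t mangle -A PREROUTING -i %s -s %s -d %s -j MARK --set-xmark %s/0xffffffff\n' \
        "$LAN_IF" "$LAN_NET" "$REMOTE_NET" "$MARK"
}

# Given an iptables-save dump of the mangle table, print the chain that holds
# the MARK rule for REMOTE_NET. PREROUTING is the working placement;
# POSTROUTING is the one the post found ineffective for forwarded traffic.
mark_rule_chain() {
    printf '%s\n' "$1" | awk -v net="$REMOTE_NET" '
        $1 == "-A" && index($0, "-d " net) && $0 ~ /-j MARK/ { print $2; exit }'
}

# Constructed iptables-save fragments (not captured from any real gateway).
DUMP_BAD='*mangle
-A POSTROUTING -s 192.168.10.0/24 -d 192.168.20.0/24 -j MARK --set-xmark 0x10/0xffffffff
COMMIT'
DUMP_GOOD='*mangle
-A PREROUTING -i eth1 -s 192.168.10.0/24 -d 192.168.20.0/24 -j MARK --set-xmark 0x10/0xffffffff
COMMIT'

if [ "${APPLY:-0}" = 1 ]; then
    vpn_mark_rules | sh -e
else
    vpn_mark_rules
    echo "constructed dump: MARK rule found in $(mark_rule_chain "$DUMP_BAD") chain (ineffective)"
    echo "constructed dump: MARK rule found in $(mark_rule_chain "$DUMP_GOOD") chain (effective)"
fi
```

Run it without APPLY to see the rule it would add and the check over the two constructed dumps; run `APPLY=1 sh mark.sh` as root to install the rule. To audit a live gateway, feed `iptables-save -t mangle` output to mark_rule_chain and treat any answer other than PREROUTING as the misplacement the post describes.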

[strongSwan] XFRM Policy Lookups

2016-12-15 Thread Brian O'Connor
d the ip xfrm man page overwhelming. [1] https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg Regards, Brian O'Connor ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Diagram

2016-10-18 Thread Brian O'Connor
Noel, I note your last message clearly emphasised that packets from a local process are processed twice via the output path of the graphic. So, for forwarded traffic (as distinct from locally sourced packets), I understand the packet to flow through the mangle and nat postrouting chains twice, a

Re: [strongSwan] Diagram

2016-10-18 Thread Brian O'Connor
Thank you, Noel. I am trying to understand how the inner and outer IP headers for tunneled IPsec packets are processed by iptables, to help troubleshoot an anomalous situation I found. I think I have the decryption process clear but was not clear on the iptables processing for encrypted packets

[strongSwan] Diagram

2016-10-18 Thread Brian O'Connor
Hello, The commonly quoted packet flow diagram at [1] does not show where NAT-T is implemented for IPsec MOBIKE. Questions are: 1. Where in the diagram is NAT-T de-capsulation performed? 2. Where in the diagram is NAT-T encapsulation performed? 3. Does the NAT-T UDP header have to be

Re: [strongSwan] Abbreviations

2016-10-14 Thread Brian O'Connor
Thank you, Andreas. Is there any way I can display the presently set numerical logging levels (-1 to 4) for the 18 daemon subsystems that can originate log messages, please? Thanks, Brian

[strongSwan] Abbreviations

2016-10-13 Thread Brian O'Connor
Hi, In the logging output of IKE exchanges, the terms [ HASH CPRQ(X_USER X_PWD) ] [ HASH CPRP(X_USER X_PWD) ] are often encountered. What does CPRQ and CPRP stand for, please? Is there a dictionary of strongSwan abbreviations somewhere? TIA, Brian

[strongSwan] IKEv1 XAuth EAP Plugin

2016-09-28 Thread Brian O'Connor
I have the XAuth EAP Plugin enabled in my IPsec VPN responder, along with a number of eap plugins. I did not build this version of strongSwan (5.2.1) but downloaded it from a Raspberry Pi repository. My /etc/ipsec.secrets file contains entries similar to: Fred : EAP "1234567" fred : XAUTH

[strongSwan] kernel-libipsec charon plugin and Android VPN Client

2016-08-03 Thread Brian O'Connor
Hello, I have recently been doing some tests with an Android tablet version of strongSwan. It appears that the Android app uses the kernel-libipsec charon plugin to avoid limitations imposed by the app running in a very restricted user environment in the tablet. My tablet is not rooted. What I