Re: [strongSwan] mobileconfig file - do i need to install a root CA

2018-01-11 Thread Giuseppe De Marco
You can even use charon-cmd this way:

charon-cmd --host SERVER_HOSTNAME --profile ikev2-eap --identity LOGIN --cert /PATH/TO/ca.crt

Using a valid CA lets Windows 10 and MacOSX clients run without CA.crt, with GNU/Linux we have to have ca.crt instead

2018-01-11 13:17 GMT+01:00 Noel Kuntze <

[strongSwan] Fwd: Windows native VPN client routing problem

2018-01-11 Thread Giuseppe De Marco
def gw Route's metric in Windows can be changed at runtime. If you want to fix the def gw from vpn in Windows 10 just go in NIC properties of the vpn network interface, network, ipv4 -> Properties, Advanced, Use default gateway, then apply :) https://goo.gl/Zj5ktL 2018-01-11 9:35 GMT+01:00 Marian

Re: [strongSwan] Strongswan + Radius + MySQL + Hashed Passwords: Possible?

2018-01-10 Thread Giuseppe De Marco
NAS-IP-Address = x.x.x.x > NAS-Port = 10 > Message-Authenticator = 0x > rad_recv: Access-Accept packet from host x.x.x.x port 1812, id=237, > length=20 > > Do I need to make any changes on the radius or Strongswan side to make > them w

Re: [strongSwan] Strongswan + Radius + MySQL + Hashed Passwords: Possible?

2018-01-09 Thread Giuseppe De Marco
Hi RA, Yes you can, I use NT-Password instead. I get this working on LDAP and Freeradius 2018-01-09 14:07 GMT+01:00 RA : > Hi. > > I have been able to follow the guides and tutorials online and > successfully setup a Strongswan IKEv2 server which authenticates with a > Freeradius

Re: [strongSwan] roadwarrior ike/esp SA are not dropped after lifetime expiration

2018-01-08 Thread Giuseppe De Marco
Ciao Marco, Probably I'm wrong but I think that the Dead Peer Detection feature could be helpful for you

# dead-peer detection to clear any "dangling" connections in case the client unexpectedly disconnects
dpdaction=clear
# If the tunnel has no traffic for this long (default 30 secs),

Re: [strongSwan] OpenWRT. IPSec server

2018-01-04 Thread Giuseppe De Marco
ers-ml@thermi.consulting>: > Not on openwrt. But you need plaintext or AD like passwords in LDAP. > Otherwise you can't auth with mschap(v2). > > On 04.01.2018 14:38, Giuseppe De Marco wrote: > > Yes Noel and thank you, my question is: > > Is there any experiences about

Re: [strongSwan] OpenWRT. IPSec server

2018-01-04 Thread Giuseppe De Marco
mmand line tool. It's not a daemon (or generally a > service). > Are there any open questions? > > Kind regards > > Noel > > On 04.01.2018 14:14, Giuseppe De Marco wrote: > > Hi and thank you Noel, > > I meant to run ipsec and charon in the embedded openwrt router,

Re: [strongSwan] OpenWRT. IPSec server

2018-01-04 Thread Giuseppe De Marco
Hi and thank you Noel, I meant to run ipsec and charon in the embedded openwrt router, I use dpd as well

# dead-peer detection to clear any "dangling" connections in case the client unexpectedly disconnects
dpdaction=clear
# If the tunnel has no traffic for this long (default 30 secs), Charon

Re: [strongSwan] OpenWRT. IPSec server

2017-12-29 Thread Giuseppe De Marco
Hi, Do you compile the firmware yourself or install packages in a stable release using the opkg command? If you open the 4500 port, it means that you use ikev2/charon, doesn't it? I customize openwrt and lede firmwares for specific purposes, my packages are here:

Re: [strongSwan] Couldn't establish IKEv2 vpn connection using strongswan, log shows timeout

2017-11-07 Thread Giuseppe De Marco
Hi Joshua, from the client side you should also read some auth failures. Probably it means that the ca.crt is not valid or the client doesn't understand the auth-type because of missing plugin dependencies. It could depend on the client type as well, if Linux with charon-cmd you have to specify the

Re: [strongSwan] preparing MySQL statement failed: Commands out of sync; you can't run this command now

2017-11-06 Thread Giuseppe De Marco
Thank you Tobias, we really appreciate your time on it. We are actually in production with stable 5.6.0 and we would also like to know when the next stable release will have this patch deployed, to decide when to drive the migration with the patched stable release. At this moment this is not a

Re: [strongSwan] preparing MySQL statement failed: Commands out of sync; you can't run this command now

2017-11-06 Thread Giuseppe De Marco
I just had to tell you this information, I do not use mysql but mariadb as the Debian9 standard introduces. So, the development files against which the code was compiled are these: libmariadbclient-dev-compat/stable,stable,now 10.1.26-0+deb9u1 amd64 2017-11-06 10:32 GMT+01:00 Tobias Brunner

Re: [strongSwan] Windows ikev2 conn, eap_identity ignored

2017-11-03 Thread Giuseppe De Marco
charon[24548]: 14[IKE] assigning virtual IP 10.9.10.27 to peer 'giuseppe_dm' 2017-10-23 16:14 GMT+02:00 Simon Deziel <simon.dez...@gmail.com>: > Hi Giuseppe, > > On 2017-10-23 06:56 AM, Giuseppe De Marco wrote: > > I faced that there are no attr_sql support on stand

[strongSwan] preparing MySQL statement failed: Commands out of sync; you can't run this command now

2017-11-03 Thread Giuseppe De Marco
Using Linux strongSwan U5.6.0/K4.9.0-4-amd64 compiled from sources on a Debian9, using mysql as database. ipsec pool works very well, everything but --replace command that fails:

ipsec pool --replace net1_pool --addresses /etc/ipsec.pools
preparing MySQL statement failed: Commands out of sync;

Re: [strongSwan] Host-to-Host Windows to Debian (StrongSwan)

2017-10-27 Thread Giuseppe De Marco
I used Debian as Server and windows as clients in ike2 conn. working setup can be found here https://github.com/peppelinux/UniTools/blob/master/IPSec/ipsec.fw.sh I never used ike1, sorry 2017-10-27 11:13 GMT+02:00 Ben Lavender : > Anyone think they could assist

Re: [strongSwan] Windows ikev2 conn, eap_identity ignored

2017-10-23 Thread Giuseppe De Marco
strongswan with --enable-attr-sql Thank you, I'll bring more useful information after all this, such as the setup notes. A huge setup migration is going to begin! 2017-10-16 22:08 GMT+02:00 Giuseppe De Marco <giuseppe.dema...@unical.it>: > Hi all, > > I'm using Debian GNU/Lin

[strongSwan] attr_sql in Debian 9

2017-10-18 Thread Giuseppe De Marco
Hi all, Is there someone that used attr_sql in Debian 9? I cannot find this plugin in the Debian 9 official strongswan packages. If someone knows some workaround for this it would be very appreciated, otherwise I think that I have to compile strongswan from sources. Thank you

[strongSwan] Windows ikev2 conn, eap_identity ignored

2017-10-16 Thread Giuseppe De Marco
Hi all, I'm using Debian GNU/Linux 9.2 (stretch) with the standard strongswan package from the stretch apt repository (5.5.1-4+deb9u1). The tunnel is an ikev2 with eap-radius authentication. I'm facing the problem that Windows 10 clients don't send their right identity. Linux and Android clients work