Re: [strongSwan] FreeBSD 12.x .vs. 13.x - change in strongswan as well?

2022-10-18 Thread Karl Denninger
is both deliberate and rather evil since it renders IPSec tethered connections completely worthless.  This is also new; about a month ago it was working perfectly well. I may have to resort to using something TLS-based which they basically can't block since it looks like an HTTPS connection

[strongSwan] FreeBSD 12.x .vs. 13.x - change in strongswan as well?

2022-10-15 Thread Karl Denninger
ars the only "fix" is to have the user enter their email address on each connection via Windows by telling to let the user change their identity when connecting. -- Karl Denninger k...@denninger.net /The Market Ticker/ /[S/MIME encrypted email preferred]/

Re: [strongSwan] FreeBSD 13.1-STABLE / StrongSwan 5.9?

2022-10-10 Thread Karl Denninger
On 10/10/2022 13:47, Karl Denninger wrote: On 10/10/2022 13:40, Tobias Brunner wrote: Hi Karl, I am running GENERIC on the gateway as the docs say that's now ok; I used to run a custom kernel for other reasons (mostly PPS which I don't use anymore as I no longer have a local NTP clock

Re: [strongSwan] FreeBSD 13.1-STABLE / StrongSwan 5.9?

2022-10-10 Thread Karl Denninger
ve this in it, which implies that it has to be there in the config, and it's NOT in GENERIC but was in my custom kernel configuration for 12.x and before: # IPsec interface. device  enc I'm rebuilding now (it's an embedded build so it takes an hour or so on my build box) to see if putting the &

[strongSwan] FreeBSD 13.1-STABLE / StrongSwan 5.9?

2022-10-10 Thread Karl Denninger
E] received 129 cert requests for an unknown ca Oct 10 11:28:36 IpGw charon[1586]: 01[IKE] received end entity cert "C=US, ST=Tennessee, CN=Karl Denninger" Oct 10 11:28:36 IpGw charon[1586]: 01[CFG] looking for peer configs matching 97.81.26.48[%any]...172.58.146.200[C=US, ST=Tennessee

Re: [strongSwan] How many concurrent connections can charon handle reliably?

2022-08-22 Thread Karl Denninger
with two or more connections are you? -- Karl Denninger k...@denninger.net /The Market Ticker/ /[S/MIME encrypted email preferred]/

Re: [strongSwan] Windows 10 IKEv2 VPN Not Connecting

2020-11-03 Thread Karl Denninger
Floor, Vivo Building, 30 Stamford Street, London SE1 9LQ P: 020 3422  • M: *07763 230443 * • E: *mike.h...@techahoy.com* <mailto:mike.h...@techahoy.com> *www.techahoy.com* <https://www.techahoy.com/> -- Karl Denninger k...@denninger.net <mailto:k...@denninger.n

Re: [strongSwan] Couldn't establish IKEv2 vpn connection using strongswan, log shows timeout

2017-11-07 Thread Karl Denninger
ou can find a way to force Redmond to get its head out of its posterior. I wound up moving to OpenVPN for Windows clients as a result of this problem which (sadly) requires I run a second server process (and manage that) on the server end. -- Karl Denninger k...@denninger.net <mailto:k...@denn

Re: [strongSwan] client to site but as a gateway(nat)?

2017-07-20 Thread Karl Denninger
On 7/20/2017 17:30, peljasz wrote: > > > On 20/07/17 22:57, Karl Denninger wrote: >> >> On 7/20/2017 16:46, peljasz wrote: >>> >>> >>> On 20/07/17 21:57, Karl Denninger wrote: >>>> >>>> That can be made to work provid

Re: [strongSwan] client to site but as a gateway(nat)?

2017-07-20 Thread Karl Denninger
On 7/20/2017 16:46, peljasz wrote: > > > On 20/07/17 21:57, Karl Denninger wrote: >> >> That can be made to work provided you do not need inbound connections >> to things on the client side. >> >> > exactly like that. > How to even phrase a query to

Re: [strongSwan] New Android update option - how to best exploit?

2017-07-07 Thread Karl Denninger
d have to); the same key and certificate work fine with the Android client and the "Strongswan" config. -- Karl Denninger k...@denninger.net <mailto:k...@denninger.net> /The Market Ticker/ /[S/MIME encrypted email preferred]/

Re: [strongSwan] New Android update option - how to best exploit?

2017-07-05 Thread Karl Denninger
ablish CHILD_SA, keeping IKE_SA What they recommended was... (from Powershell) Set-VpnConnectionIPsecConfiguration -ConnectionName "" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA384 -DHGroup ECP256 -PfsGroup

Re: [strongSwan] New Android update option - how to best exploit?

2017-07-05 Thread Karl Denninger
> Regards, > Tobias That works; the only (rational) thing to do there is to set the leftid on the server, which does work (and is rational since it isn't going to change anyway.) Now if I can get a Win10 config that also doesn't need frag passing to work until the authentication is complete (

Re: [strongSwan] New Android update option - how to best exploit?

2017-07-05 Thread Karl Denninger
he server with the switch turned on.) I recently regenerated the RSA one in an attempt to kill the frag issue (it was a 4k RSA cert, is now a 2k RSA cert) I'll email you privately with the two certificate files as attachments. -- Karl Denninger k...@denninger.net <mailto:k...@denninger.net> /The Market Ticker/ /[S/MIME encrypted email preferred]/

Re: [strongSwan] New Android update option - how to best exploit?

2017-07-05 Thread Karl Denninger
cts/strongswan/wiki/Windows7#AES-256-CBC-and-MODP2048 Thanks -- will look at that once I get this sorted... if I can get Windows to *also* cut back the response size through a similar trick (e.g. importing the gateway's cert into Windows' certificate store) I might be able to get it to reliably come up. -- Karl Denninger k...@denninger.net <mailto:k...@denninger.net> /The Market Ticker/ /[S/MIME encrypted email preferred]/

Re: [strongSwan] New Android update option - how to best exploit?

2017-07-03 Thread Karl Denninger
On 7/3/2017 12:00, Karl Denninger wrote: > > There is now a new "Send certificate requests" toggle available in the > Android client which defaults on and gives the old behavior. The > switch's note is that it will only work if the server always sends > whatever cer

[strongSwan] New Android update option - how to best exploit?

2017-07-03 Thread Karl Denninger
ike a very interesting path forward that might require only a modest amount of work on the StrongSwan Android client end but I'm not sure whether you can actually pull off the DNS redirection from a tethered device at that level. Thoughts? -- Karl Denninger k...@denninger.net <mailto:k...@

Re: [strongSwan] What the blankety-blank-blank is Win10 doing? (now Android and ECDSA certs)

2017-07-01 Thread Karl Denninger
On 6/30/2017 12:09, Karl Denninger wrote: > > > > On 6/26/2017 10:46, Tobias Brunner wrote: >> Hi Karl, >> >>> StrongSwan never gets this packet. I assume the problem here is the >>> length mismatch, but not certain. What is certain is that StrongSwan

Re: [strongSwan] What the blankety-blank-blank is Win10 doing? :-)

2017-06-30 Thread Karl Denninger
led to import (with no useful error message as to why on the phone end, of course.) And then on the Windows side is there another client known that properly does IkeV2 fragmentation *with* ECDSA cert support? That would give me a nice consistent option for both phones and laptops (well, at least Windows ones.) Than

[strongSwan] What the blankety-blank-blank is Win10 doing? :-)

2017-06-25 Thread Karl Denninger
f course, doesn't want you blocking ads that way and it would be trivial to do so!) If anyone has seen this one before or has an idea what's going on I'd appreciate it. Thanks. -- Karl Denninger k...@denninger.net <mailto:k...@denninger.net> /The Market Ticker/ /[S/MIME encrypted email preferred]/

Re: [strongSwan] FreeBSD 5.5.1/5.5.2 question

2017-05-06 Thread Karl Denninger
That makes sense and is easy - thanks. On 5/6/2017 13:38, Noel Kuntze wrote: > Use a separate subnet that is routed over the host strongSwan is running on > or enable proxy arp and set up proxy arp in the updown script. > > On 06.05.2017 20:33, Karl Denninger wrote: >> I've had

Re: [strongSwan] Windows 10 authenticating with certificate fails

2017-01-24 Thread Karl Denninger
On 1/24/2017 04:12, Yudi V wrote: > > > On Wed, Jan 18, 2017 at 1:12 AM, Karl Denninger <k...@denninger.net > <mailto:k...@denninger.net>> wrote: > > > On 1/17/2017 07:10, Yudi V wrote: >> Hi, >> >> Error 13806 >> Authe

Re: [strongSwan] Windows 10 authenticating with certificate fails

2017-01-17 Thread Karl Denninger
hm: sha256WithRSAEncryption 62:07:a3:25:ba:0c:58:25:d7:1c:0f:c6:e8:67:fb:bc:77:c5: Note that BOTH SAN and CN are set in the user certificate. SAN is there because I use this cert/key pair for S/MIME as well. However, if you don't set CN to the same thing (which is usually not done

Re: [strongSwan] Odd Windows 10 (w/Strongswan on the server side) problem

2016-12-17 Thread Karl Denninger
On 12/17/2016 15:08, Karl Denninger wrote: > > On 12/17/2016 14:55, Karl Denninger wrote: >> >> Setting up a connection from a DIFFERENT Win10 machine works fine, so >> it's computer-specific. It never gets to the point of checking >> certificates, so whateve

Re: [strongSwan] Odd Windows 10 (w/Strongswan on the server side) problem

2016-12-17 Thread Karl Denninger
On 12/17/2016 14:55, Karl Denninger wrote: > > Setting up a connection from a DIFFERENT Win10 machine works fine, so > it's computer-specific. It never gets to the point of checking > certificates, so whatever it is that's making it angry is happening on > the client side

[strongSwan] Odd Windows 10 (w/Strongswan on the server side) problem

2016-12-17 Thread Karl Denninger
logs that generates, and I can't find an exception in the system event log either. My other clients are working fine; Android and Windows -- Karl Denninger k...@denninger.net <mailto:k...@denninger.net> /The Market Ticker/ /[S/MIME encrypted email preferred]/

Re: [strongSwan] Implications of Weak DH / Logjam on IPSec

2015-05-21 Thread Karl Denninger
know offhand about other common mobile clients? Does the current iOS 8 IKEv1 client support MODP2048? How about the stock Android client? Kind regards, Gerd BlackBerry's BB10 also only proposes MODP1024 :( -- Karl Denninger k...@denninger.net mailto:k...@denninger.net /The Market Ticker

Re: [strongSwan] Machine certificates from BB10 devices fail to connect (PSK works); ideas?

2015-03-25 Thread Karl Denninger
matching to the CN= or E= fields of the certificate's subjectDistinguishedName. Best regards Andreas On 03/25/2015 05:36 AM, Karl Denninger wrote: I'm having a problem getting PKI-authenticated connections from BB10 smartphones to work. PSK-authentication works; I have the following stanza

[strongSwan] Machine certificates from BB10 devices fail to connect (PSK works); ideas?

2015-03-24 Thread Karl Denninger
DNS DNS NBNS NBNS VER) N(INIT_CONTACT) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ] Mar 24 23:30:19 NewFS charon: 16[IKE] received end entity cert C=US, ST=Florida, O=Cuda Systems LLC, CN=Karl Denninger, E=k...@denninger.net Mar 24 23:30:19 NewFS charon: 16[CFG] looking for peer configs matching

Re: [strongSwan] Strongswan Android client could not log in (VPN otherwise working for Win7)

2013-09-21 Thread Karl Denninger
-- Karl Denninger k...@denninger.net /Cuda Systems LLC/ ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org

Re: [strongSwan] Strongswan Android client could not log in (VPN otherwise working for Win7)

2013-09-21 Thread Karl Denninger
authenticator or tell the Android client to use EAP instead of PKI to authenticate itself. Sep 21 18:27:17 barney charon: 04[CFG] constraint requires EAP authentication, but public key was used -- Karl Denninger k...@denninger.net /Cuda Systems LLC/

[strongSwan] PSK IKEv2 Client - BlackBerry Z-10 [Gateway certificate w/PSK for client auth] fails

2013-04-27 Thread Karl Denninger
: from 70.169.168.7[4500] to 208.54.70.231[47985] (284 bytes) Ideas? -- -- Karl Denninger /The Market Ticker ®/ http://market-ticker.org Cuda Systems LLC

[strongSwan] IkeV2 + Nat = Huh?

2013-04-20 Thread Karl Denninger
? (PS: The non-IPSEC/IKEv2 way to do this for Win7 which uses PPTP is also configured on this host and works as expected, so I may be a bit polluted in my thinking in this regard. Please be a bit gentle if you can for that reason :-)) -- -- Karl Denninger /The Market Ticker ®/ http://market

[strongSwan] Attempted PSK IKEv2 VPN w/BB10 - fails negotiation

2013-04-19 Thread Karl Denninger
on where to start trying to get this thing operational? Once I have this working I'll worry about multi-client (e.g. PAM-based) authentication -- right now I'm just trying to get ANY connection operational. Thanks in advance. -- -- Karl Denninger /The Market Ticker ®/ http://market-ticker.org Cuda

Re: [strongSwan] Attempted PSK IKEv2 VPN w/BB10 - fails negotiation

2013-04-19 Thread Karl Denninger
. To test with Windows 7 against IKEv2 (to eliminate server problems) do I need to generate certs and such along with a means to handle MSCHAP? It appears so from the docs; is there a cookbook for setting that up? -- -- Karl Denninger /The Market Ticker ®/ http://market-ticker.org Cuda Systems LLC

Re: [strongSwan] Attempted PSK IKEv2 VPN w/BB10 - negotiation works, now routing problems

2013-04-19 Thread Karl Denninger
On 4/19/2013 10:24 AM, Karl Denninger wrote: On 4/19/2013 9:31 AM, Martin Willi wrote: Hi Karl, 11[IKE] ignoring IKE_AUTH in established IKE_SA state That message is triggered by a bug, see [1]. It prevents charon as a responder to retransmit the last IKE_AUTH message. Applying the patch