Hi,
Please consider the example given in
http://www.strongswan.org/uml/testresults/ikev2/dpd-clear/index.html.
1) Here, the config on moon has "dpdaction=clear" while carol does not.
Because of this, once the connection is lost, moon clears the connection
but carol does not. On carol, the command
Hi,
I am a bit confused with the parameters "ikelifetime" and "lifetime". I
believe "ikelifetime" re-negotiates phase 1 according to the value we
assign it. What about "lifetime"? The strongSwan wiki says "how long a
particular instance of a connection (a set of encryption/authentication
keys for
Hi,
Happy New Year to all at the strongSwan team!
I have a couple of queries regarding ipsec.conf parameters:
1) How can I change the re-negotiation time of phase 1 and phase 2? Are
there any parameters I can include in ipsec.conf? Also, should these
parameters be used in the config files at bot
j MARK --set-mark 10
>
> sun# iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK
> --set-mark 10
>
> Regards
>
> Andreas
>
>
> On 11/15/2011 07:14 AM, Meera Sudhakar wrote:
>
>> Hello Andreas,
>> Yes, I agree with you.
>> I have first se
, 2011 at 11:07 AM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:
> Hello,
>
> you define only mark 10 but not mark 20. No traffic will go through
> the tunnel without a mark (either 10 or 20) set.
>
> Regards
>
> Andreas
>
> On 11/14/2011 08:46 AM, Meer
Hi,
My aim is to create two IPsec tunnels using strongSwan between two
end-points, each having a different dscp marking (like say EF, BE, AF31
etc). Right now, I see that when I set the dscp marking as BE (default),
the traffic goes through the designated IPsec tunnel. When I use anything
else, th
Thanks a lot Martin. It now works.
Regards,
Meera
On Fri, Oct 14, 2011 at 1:19 PM, Martin Willi wrote:
> Hi,
>
> > left=169.254.3.75
> > leftsubnet=169.254.3.0/32
> > right=169.254.4.75
> > rightsubnet=169.254.4.0/32
>
> > root@localhost:/root> ping 169.254.4.75
>
> Your
Hello,
I have established a tunnel between two end-points with ikev2, using psk. I
can see that the tunnel is established, but for some reason the traffic does
not flow through this tunnel. I do not have any blocking firewalls or
anything. I cannot use certificates as there is some bug in our IP-s
l need two different certificates, unless
> you add two subjectAltNames to a common certificate.
> With preshared-keys you could use the same key for both IDs.
>
> Regards
>
> Andreas
>
>
> On 09/08/2011 09:09 AM, Meera Sudhakar wrote:
>
>> Hi Andreas,
>>
e
> to set up the correct SA according to the ID. The
> drawback is that two IKE SAs including authentication
> must be set up. Please check my example scenario
>
> http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/
>
> which uses two sets of identities.
>
Hi,
I have two end-points, between which I have created two identical tunnels.
However, the command "ipsec status" does not show the two tunnels in the way
I expect. Please find the required info below:
*/etc/ipsec.conf on end-point 1:*
root@vc1_TPC2:~# cat /etc/ipsec.conf
# ipsec.conf - strongSw
Hi strongSwan team,
I am trying to establish a tunnel between two end-points. They do not
support pki, so I had to create the certificates using openssl. When I did
this, gave "ipsec start" and then checked "ipsec listcacerts", it shows
nothing. The following lines are also present in the logs:
Ja
to set the marks in the PREROUTING chain as in my DiffServ
> example scenario:
>
>
> http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/console.log
>
> And follow Martin's recommendation to use the same marks in the
> inbound and outbound direction.
>
Hi Martin,
Well I'm not exactly sure how but it does not seem to have any problem in
sending the packets correctly. When there is no marking, the packets go just
fine with the values I have given for the subnets (the ones you've pasted in
your mail). So I thought this wouldn't be a problem.
Pasti
Hi Martin,
Sorry for the delay in replying. I didn't get a chance to try this out
for some time.
Thanks for confirming that. I now have two identical tunnels with markings.
I want to send icmp packets (ping) through tunnel 1 and tcp packets through
tunnel 2. Below is an excerpt of ipsec.conf files
Hello Martin/All,
I had a look at the things you mentioned below, I also had a look at some of
the test cases in http://www.strongswan.org/uml/testresults/ikev2/. I see
that there are some scenarios where one node (say Sun) is the destination
for more than one tunnel (as in, both Alice and Venus e
Hi Martin,
Sorry for the late response. I was caught up with some other tasks and did
not get time to work on this.
As you mentioned, my IPs did not match initially. Now they do, and I see
that encrypted traffic is passing between the end points. But I see that all
the traffic uses tunnel 2 and n
certificate locally
>with rightcert=peerCert.pem
>
> Best regards
>
> Andreas
>
>
>
> On 05/09/2011 12:45 PM, Meera Sudhakar wrote:
>
>> Hi,
>> I have a very peculiar problem. My endpoints can ping each other, but
>> for some reason, the tunnel i
Hi,
I have a very peculiar problem. My endpoints can ping each other, but for
some reason, the tunnel is not getting established. There are no error
messages in the log file. Please find the relevant details below. Can
someone please help me solve this problem? My strongswan version is 4.4.0.
PS:
Hi,
I have created two tunnels between the same peers, using Strongswan.
root@vc1:~# ipsec status
Security Associations:
tunnel1[1]: ESTABLISHED 52 minutes ago, 10.58.113.37[C=CH,
O=strongSwan, CN=10.58.113.37]...10.58.113.118[C=CH, O=strongSwan,
CN=10.58.113.118]
tunnel1{1}: IN
f the redundant
> IKE_SA/CHILD_SA pairs will be automatically deleted.
>
> On 29.03.2011 14:02, Meera Sudhakar wrote
> > Hi Andreas
> >
> > I was able to setup an IKE_SA and its CHILD_SA between my initiator and
> > responder. Just pasting the result of 'i
Hi Andreas,
I was able to setup an IKE_SA and its CHILD_SA between my initiator and
responder. Just pasting the result of 'ipsec statusall' here:
*root@cip-Latitude-D520* *:~# ipsec statusall
*Status of IKEv2 charon daemon (strongSwan 4.4.0):
uptime: 3 minutes, since Mar 28 18:54:41 2011
work
Hi Andreas,
Thanks a lot for your reply. Please find my replies inline.
On Thu, Mar 17, 2011 at 10:08 PM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:
> On 17.03.2011 12:33, Meera Sudhakar wrote:
> > Hi Andreas,
> >
> > This problem was solved by the so
KE_SA_INIT
> request or that the IKE_SA_INIT reply gets lost on the way back.
> You should check the log on the peer side.
>
> Regards
>
> Andreas
>
>
> On 03/09/2011 08:08 AM, Meera Sudhakar wrote:
>
>> Hi,
>> I am new to strongswan, and would really apprec
the peer side.
>
> Regards
>
> Andreas
>
>
> On 03/09/2011 08:08 AM, Meera Sudhakar wrote:
>
>> Hi,
>> I am new to strongswan, and would really appreciate some help in setting
>> up the SAs. For some reason, packets being sent are not being received
>> b
Hi,
I am new to strongswan, and would really appreciate some help in setting up
the SAs. For some reason, packets being sent are not being received by the
other machine. After retries, it says "peer not responding, try again".
Please find below an excerpt of my log file:
Mar 9 13:25:59 cip-Latit