Hi,
Please consider the example given in
http://www.strongswan.org/uml/testresults/ikev2/dpd-clear/index.html.
1) Here, the config on moon has dpdaction=clear while carol does not.
Because of this, once the connection is lost, moon clears the connection
but carol does not. On carol, the command
Hi,
I am a bit confused with the parameters ikelifetime and lifetime. I
believe ikelifetime re-negotiates phase 1 according to the value we
assign it. What about lifetime? The strongSwan wiki says how long a
particular instance of a connection (a set of encryption/authentication
keys for user
Hi,
Happy New Year to all at the strongSwan team!
I have a couple of queries regarding ipsec.conf parameters:
1) How can I change the re-negotiation time of phase 1 and phase 2? Are
there any parameters I can include in ipsec.conf? Also, should these
parameters be used in the config files at
/15/2011 07:14 AM, Meera Sudhakar wrote:
Hello Andreas,
Yes, I agree with you.
I have first set the following rules in the mangle table on both
endpoints:
iptables -t mangle -A OUTPUT -j MARK --set-mark 10 -m dscp --dscp-class EF
iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -m dscp
, 2011 at 11:07 AM, Andreas Steffen
andreas.stef...@strongswan.org wrote:
Hello,
you define only mark 10 but not mark 20. No traffic will go through
the tunnel without a mark (either 10 or 20) set.
Regards
Andreas
On 11/14/2011 08:46 AM, Meera Sudhakar wrote:
Hi,
My aim is to create
Hi,
My aim is to create two IPsec tunnels using strongSwan between two
end-points, each having a different dscp marking (like say EF, BE, AF31
etc). Right now, I see that when I set the dscp marking as BE (default),
the traffic goes through the designated IPsec tunnel. When I use anything
else,
Hello,
I have established a tunnel between two end-points with ikev2, using psk. I
can see that the tunnel is established, but for some reason the traffic does
not flow through this tunnel. I do not have any blocking firewalls or
anything. I cannot use certificates as there is some bug in our
Thanks a lot Martin. It now works.
Regards,
Meera
On Fri, Oct 14, 2011 at 1:19 PM, Martin Willi mar...@strongswan.org wrote:
Hi,
left=169.254.3.75
leftsubnet=169.254.3.0/32
right=169.254.4.75
rightsubnet=169.254.4.0/32
root@localhost:/root ping 169.254.4.75
is that two IKE SAs including authentication
must be set up. Please check my example scenario
http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/
which uses two sets of identities.
Regards
Andreas
On 07.09.2011 12:37, Meera Sudhakar wrote:
Hi,
I have two end-points, between
in the PREROUTING chain as in my DiffServ
example scenario:
http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/console.log
And follow Martin's recommendation to use the same marks in the
inbound and outbound direction.
Regards
Andreas
On 13.07.2011 12:45, Meera Sudhakar wrote:
Hi
Hi Martin,
Sorry for the delay in replying. I didn't get a chance to try this out
for some time.
Thanks for confirming that. I now have two identical tunnels with markings.
I want to send icmp packets (ping) through tunnel 1 and tcp packets through
tunnel 2. Below is an excerpt of ipsec.conf
Hi Martin,
Well I'm not exactly sure how but it does not seem to have any problem in
sending the packets correctly. When there is no marking, the packets go just
fine with the values I have given for the subnets (the ones you've pasted in
your mail). So I thought this wouldn't be a problem.
Hi Martin,
Sorry for the late response. I was caught up with some other tasks and did
not get time to work on this.
As you mentioned, my IPs did not match initially. Now they do, and I see
that encrypted traffic is passing between the end points. But I see that all
the traffic uses tunnel 2 and
the IKEv2 Hash-and-URL mechanism
http://wiki.strongswan.org/projects/strongswan/wiki/HashAndUrl
to fetch the certificates from an HTTP server
or
- set leftsendcert=no and load the peer certificate locally
with rightcert=peerCert.pem
Best regards
Andreas
On 05/09/2011 12:45 PM, Meera
to have started both sides with auto=start resulting
in two concurrent IPsec SAs. Although this does not cause any
harm, if you upgrade to strongSwan 4.5.1 one of the redundant
IKE_SA/CHILD_SA pairs will be automatically deleted.
On 29.03.2011 14:02, Meera Sudhakar wrote
Hi Andreas
Hi Andreas,
Thanks a lot for your reply. Please find my replies inline.
On Thu, Mar 17, 2011 at 10:08 PM, Andreas Steffen
andreas.stef...@strongswan.org wrote:
On 17.03.2011 12:33, Meera Sudhakar wrote:
Hi Andreas,
This problem was solved by the solution provided in
http://www.mail
Hi,
I am new to strongswan, and would really appreciate some help in setting up
the SAs. For some reason, packets being sent are not being received by the
other machine. After retries, it says peer not responding, try again.
Please find below an excerpt of my log file:
Mar 9 13:25:59
:08 AM, Meera Sudhakar wrote:
Hi,
I am new to strongswan, and would really appreciate some help in setting
up the SAs. For some reason, packets being sent are not being received
by the other machine. After retries, it says peer not responding, try
again. Please find below an excerpt of my log