On 10.10.22 15:44, Rene Maurer wrote:
Hi
I am using strongSwan U5.4.0/K4.4.107 (embedded device).
The ipsec tunnel is established over a mobile network and it works fine.
Additionally I have an Ethernet interface eth0 with the address
10.162.110.161. eth0 is connected to 10.162.110.165.
I
led as module (m), try to load it manually, I
think the module name is "xfrm4_mode_transport".
If it is not Linux, you must check your local OS (or strongswan
module, if not using kernel-netlink) to properly support Transport mode.
Regards,
Carlos Velasco
Thanks. Will check.
Michael Schwartz
Hi,
I googled but I did not find a reasonable answer. We try to set up some
specific strongswan-strongswan connection in transport mode. The log says:
NET received packet: from x.x.x.x[4500] to y.y.y.y[4500] (240 bytes)}
ENC parsed CREATE_CHILD_SA request 7 [ N(USE_TRANSP) SA No KE TSi TSr
On 21.09.22 13:38, Harald Dunkel wrote:
Hi folks,
is there some way to express
if peercert->OU == develop
pool = pool1
else
pool = pool2
in swanctl.conf? Some conditional expressions?
Hopefully I was not too blind to find it in the Wiki.
Regards
Harri
Hi,
I
e.
>
> Kind regards
> Noel
>
> On 7 July 2022 13:15:40 UTC, Michael Schwartzkopff wrote:
>> On 07.07.22 15:07, noel.kuntze+strongswan-users-ml@thermi.consulting wrote:
>>
>>
>>
>>
Hi,
does anyone know what reasonable performance figures with recent
hardware are?
Is encryption offload to the network card an option? Anyone experience
with this?
Kind regards,
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333
Hi,
some time ago I did performance measurements for IPsec throughput and
also read some doc about the CPU limits for encrypted throughput.
But this was some time ago.
Does anyone know recent performance figures for strongswan on standard
servers?
What about a throughput that exceeds 1
Hi,
is it possible to set up a strongswan server with a FreeIPA backend as
provider for identity, authentication and authorization?
FreeIPA uses LDAP / kerberos and a quick search did not show any
reasonable results.
Or is the certmonger in FreeIPA the way to go with user-based
On 25.01.22 16:07, VTwin Farriers wrote:
Thank you all for your responses.
I have the same local_ts/remote_ts values on my East and Central swanctl.conf files. I
would think this should work but for some reason I get the TS_UNACCEPTABLE error.
Removing "10.128.0.0/24" from the swanctl.conf
On 25.01.22 03:13, VTwin Farriers wrote:
If I try to add 10.128.0.0/16 to the configuration for East <=> Central, I get:
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
when I attempt to bring up the connection.
This seems to be related to the
On 29.06.21 16:11, Mike Hill wrote:
> Hi,
>
> We use JumpCloud as our directory (as-a-service), which also gives us a
> RADIUS server to authenticate against. We have this working fine (without the
> MFA) for user authentication against JumpCloud’s RADIUS using the built-in
> macOS VPN client
On 26.02.21 19:39, Gregory Edigarov wrote:
> Good day,
>
> some clues wanted.
>
> strongswan -> freeradius -> AD
>
> conn ikev2-vpn
> auto=add
> compress=no
> type=tunnel
> keyexchange=ikev2
> fragmentation=yes
> forceencaps=yes
> dpdaction=clear
> dpddelay=300s
>
On 12.01.21 12:00, fatcha...@gmx.de wrote:
> Hi,
>
> I'm using a strongswan-5.7.2-1.el7.x86_64 on a CentOS Linux release 7.9.2009
> (Core) as a vpn-gateway with already some working connections. I got some
> problems with a connection which wants to switch over to certificate
> authentication.
>
Hi,
I have two different VPN servers behind ONE NAT address. Yes, I know it
is nonsense, but it is the situation given here.
One runs with 500/4500. Everything is fine. I configured the firewall to
forward packets on these ports to the first VPN server.
I want to use port 510 and 4510 for the
On 26.10.20 05:47, TomK wrote:
> Hey All,
>
> I've configured the VTI's and routing is now fully working between the
> 9 VLAN's.
>
> XFRM, as far as I can tell, isn't as well documented. I might try
> this later on to see if OpenWRT supports it.
>
> Thx,
>
> On 10/25/2020 9:48 PM, TomK wrote:
>>
On 22.10.20 16:00, Grischa Stegemann wrote:
> Hello All
>
> We are connecting hardware IP phones with their built-in IPsec client
> to our strongSwan server.
> The phones can do IKEv2 with PSK plus EAP authentication.
>
> Everything is working fine until two "road warrior phones" happen to
> have
events
> for a policy.
>
> Kind regards
>
> Noel
Thanks for the explanation.
>
> On 29.05.20 at 15:41, Michael Schwartzkopff wrote:
>> Hi,
>>
>> what would be the effect if the charon.plugins.xfrm_acq_expires does not
>> fit the charon.retransmit_
On 01.06.20 19:23, Noel Kuntze wrote:
> Hello Michael,
>
> It might be that both sides use auto=route or auto=start and initiated in
> parallel and uniqueids=no is set, so duplicate SAs are not deleted.
>
> That is pure speculation though. ;)
>
> Kind regards
>
> Noel
side A has auto=start and
Hi,
we have a central gateway and several remote gateways. The setup should
be very simple, all fixed IP Addresses, PSK authentication.
When I look to the status of the connections, I see that EVERY IKE_SA
exists duplicate. The expiry times are far from being close to the timeout.
Sample
Hi,
what would be the effect if the charon.plugins.xfrm_acq_expires does not
fit the charon.retransmit_* options?
I tried to understand what the xfrm_acq_expires exactly does, but the
docs in the internet are very limited. As far as I understood, it sets a
timer when the SPI times out. Every
On 06.03.20 15:58, Tobias Brunner wrote:
> Hi Felipe,
>
>> I see that the first packet in matching
>> traffic is always lost: in a ping session, packet with seq=1 never makes
>> it to the other side, only from seq=2 onwards.
>>
>> Why does this happen?
> It's a known property of the Linux kernel.
On 03.03.20 15:06, Stefan Hartmann wrote:
> Hello list,
>
> I'm trying to set up a VPN Remote Access aka Road Warrior with
> EAP-TLS similar to the scenario
> https://www.strongswan.org/testing/testresults/swanctl/rw-eap-tls-radius/.
>
> I want to switch from Cisco ASA to Strongswan.
>
> I use
On 26.02.20 23:50, Mark wrote:
> Hi,
>
> I have a couple of random seeming problems between Meraki MX devices and
> Strongswan via pfsense and I'm at a bit of a loss on how to gather more
> information. Hoping for some pointers here
>
> The Meraki side is their latest firmware and the pfsense is
Hi,
with the RADIUS module authentication and accounting can be achieved
easily against every backend RADIUS can talk to. Policying is possible
with RADIUS. So everything works nicely.
I want to deal with authorization in a strongswan / RADIUS setup. As far
as I understood the docu, the
On 24.01.20 15:14, korsar...@gmail.com wrote:
> Hi,
> I try to connect strongswan client on Ubuntu 18.04 to the strongswan
> server using EAP-PEAP on Windows Network Policy Server, but it doesn't
> work. Windows clients connect fine.
>
> Server logs:
> charon: 11[CFG] RADIUS Access-Request timed
On 20.12.19 17:42, Marco Berizzi wrote:
> Hello everyone,
>
> I need to setup a 0.0.0.0/0 to 0.0.0.0/0 ipsec tunnel.
> I was thinking to setup it with the new xfrm interfaces:
> I don't need to route all of 0.0.0.0/0 through this vpn.
>
> My question is how 'route based' and 'policies based'
> VPNs
On 30.10.19 14:53, Christoph Harder wrote:
> Hello everybody,
>
> is it possible to define multiple EAP identities per connection,
> without using %any ?
>
> For example in the swanctl.conf I define two connections and in the
> secrets section I define multiple EAP secrets/identities.
> Is there
On 18.10.19 10:53, Tobias Brunner wrote:
> Hi Michael,
>
>> found the reason. I had rightid="muc.XXX.de" in my client config. The
>> logs do not show that the gateway ID is quoted. After removing the
>> quotes the connection came up.
> The quotes do not matter, unless they are some kind of
On 17.10.19 19:01, Michael Schwartzkopff wrote:
> Hi,
>
> I have a problem with one specific ipsec client. It cannot connect. The
> logs on the server side say:
>
> Oct 17 18:50:15 muc charon: 11[CFG] <111> looking for peer configs
> matching 192.168.178.8[muc.XXX.de].
Hi,
I have a problem with one specific ipsec client. It cannot connect. The
logs on the server side say:
Oct 17 18:50:15 muc charon: 11[CFG] <111> looking for peer configs
matching 192.168.178.8[muc.XXX.de]...46.81.179.210[m...@xxx.de]
Oct 17 18:50:15 muc charon: 11[CFG] <111> no matching peer
at runtime.
>
> (Yeah, mixed top and bottom posting like pros)
>
> Kind regards
>
> Noel
>
> On 30.09.19 at 10:39, Michael Schwartzkopff wrote:
>> On 30.09.19 at 10:00, Christoph Harder wrote:
>>> Hello,
>>>
>>> thank you for the h
On 30.09.19 at 10:00, Christoph Harder wrote:
> Hello,
>
> thank you for the help so far.
>
> Is the local RADIUS server the recommended approach or would it be
> possible to write a custom xauth-plugin?
>
> I suspect most RADIUS servers do provide a way to do authentication by
> database (e.g. a
On 21.08.19 at 08:20, Houman wrote:
> Hello,
>
> I have multiple StrongSwan VPN servers setup and each of them has its own
> FreeRadius server. Each of the freeradius servers then points to the
> central database in a separate location. This works without any problem.
> But I wonder if this is
On 12.08.19 at 16:02, brent s. wrote:
> On 8/12/19 9:55 AM, Tobias Brunner wrote:
>> Hi Brent,
>>
>>> 1.) The named connection that listens (and serves as a tunneled gateway)
>>> on 203.0.113.1 should route through 203.0.113.1 to the RADIUS server,
>>> and 203.0.113.2 should route through
On 25.04.19 at 15:52, Marwan Khalili wrote:
> Hi,
>
> We currently have a host-to-site (roadwarrior) IKEv2 solution that we wish to
> expand further. Our clients are calling for a solution that allows multiple
> sites and hosts to connect to the same VPN.
>
> Example of a use case would be that
On 29.03.19 at 16:54, Tony Phillips wrote:
> When my tunnel comes up, locations at the destination of the VPN are
> reachable as desired.
>
> However, in my use case, I want to prevent anything talking to the client on
> its real interface (bypassing the tunnel). Right now, even with the
On 18.03.19 at 10:19, Tobias Brunner wrote:
> Hi Michael,
>
>> Any additional ideas?
> Read the log on the Sophos side.
>
> Regards,
> Tobias
Thanks. I am already in the process to get access to that device.
Kind regards,
Hi,
we see a strange problem when trying to establish a VPN to a sophos.
Initially strongswan sets up the child SAs:
charon: 10[NET] received packet: from x.x.x.x[500] to y.y.y.y[500] (1902
bytes)
charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N((16430))
answers inline.
On 19.02.19 at 00:43, MOSES KARIUKI wrote:
> Dear Team,
>
> I have been having long days trying to configure Strongswan on Ubuntu
> 18.04. I am not able to connect to the VPN from Windows 10 client, after
> following the instructions on this link :
>
Hi,
In some projects the problem of dynamic routing in combination with VPN
came up.
I went to my lab and found a solution with route based VPN and BGP. The
software I used was strongSwan and bird for BGP.
If you are interested you can find the documentation
VPN part:
On 04.12.18 at 14:09, Dmitry Soloshenko wrote:
> Hello, Tobias.
>
> Thank you for response.
>
>>> As an example, on Cisco router I would create 2 access groups and
>>> have 2
>>> profiles on Cisco VPN client: one for local auth, one for RADIUS.
>> And how/when does it switch between the two?
> In
Hi,
what does the ipsec client exactly do when the dpd action "restart" is
configured? Ok, it tries to reestablish the VPN connection. But does the
client do a new DNS resolution if a FQDN is configured as the "right"
parameter?
Is there any hook to force the client to do a new DNS lookup?
wrappers for load
> distribution and failover, but I'd rather get rid of as much individual code
> as I can.
>
> Best Regards
>
> Markus
>
>
>
> Am 16.09.18, 10:42 sch
On 16.09.2018 at 09:34, Markus P. Beckhaus wrote:
> Dear all,
>
> we are thinking about using a DNS Load-Balancer to distribute a huge count of
> strongswan clients to multiple VPN gateways. Also, the DNS Load-Balancer
> should detect the failure of VPN gateways and remove them from the DNS
>
On 14.01.2018 at 15:34, Noel Kuntze wrote:
> Hi,
>
> A wrapper script or some patches to strongSwan and add a feature to VICI to
> specify a different destination IP for the CHILD_SA you want to initiate.
>
> Kind regards
>
> Noel
>
> On 12.01.2018 20:56, Mich
Hi,
is it possible to configure several / multiple VPN servers as entry
points to a data center?
My idea is to have several VPN servers with different IP addresses. The
client checks which one is available and connects to it to get a
connection to the data center.
Is this scenario possible
On 10.01.2018 at 04:39, RA wrote:
> Hi.
>
> Thanks for your reply. 'NT-Password' isn't working with Strongswan
> though radtest is checking it just fine:
>
> # smbencrypt mypass
> LM Hash NT Hash
>
>
Hi,
is there any kind of authentication / authorization in the vici
interface? Or does everybody that has access to the socket (or tcp
socket) full control over charon?
I did not find anything in the docs.
Kind regards,
t; Michael
Sounds good. I will give it a try. Thanks
>
>> On 14. Dec 2017, at 11:43, Michael Schwartzkopff <m...@sys4.de> wrote:
>>
>> On 14.12.2017 at 11:40, Michael Stiller wrote:
>>> Hi.
>>>
>>> What i do is, that i have another strongs
Hi,
What is the best way to do a fault monitoring of a strongswan server? In
the first place, my monitoring service should check if the server is
able to offer the VPN service, which means i.e. that UDP/500 will send a
correct answer if checked from the outside.
Any ideas?
lude strongswan.d/*.conf
> }
>
>
>
> *vim /etc/freeradius/clients.conf*
>
> client 0.0.0.0 {
> secret = 123456
> nas_type= other
> shortname = 0.0.0.0
> require_message_authenticator = no
> }
>
>
>
> On Wed, Nov 15, 201
On 15.11.2017 at 08:24, Houman wrote:
> Hi,
>
> I'm new to the concept of EAP and might be misunderstanding something.
> Apologies up front.
>
> I have finally been able to install FreeRadius and enable the SQL module.
> I have created a user in the database and was hoping to establish a VPN
>
fact that Strongswan seems to take
>> down the tunnel automatically (?) after a few hours.
>>
>> How can I 1) make sure there’s no timeout (?) and 2) that IF
>> the tunnel goes down, for whatever reason, that it will reinitiate
>> the connection automaticall
the site C.
Is such a scenario possible? How? Any hints?
Kind regards,
Michael Schwartzkopff
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: Munich, Munich District Court: HRB 199263
Board: Patrick Ben Koetter
Hi,
are there any reliable performance figures for IPsec throughput on x86_64 Linux
machines?
Is 10 GBit/s feasible? If yes, how?
Kind regards,
Michael Schwartzkopff
opic was discussed
here on the list.
Kind regards,
Michael Schwartzkopff
stood what the expert was saying. If not, I
> > should discuss this with him.
>
> Neither strongSwan, nor openvpn do that. I have never seen something like
> that.
Old versions of openswan / freeswan did create interfaces.
Kind regards,
Michael Schwartzkopff
On Monday, 16 January 2017, 18:55:35, you wrote:
> On Mon, Jan 16, 2017 at 6:32 PM, Michael Schwartzkopff <m...@sys4.de> wrote:
> > On Monday, 16 January 2017, 18:30:15, Varun Singh wrote:
> >> On Mon, Jan 16, 2017 at 6:18 PM, Michael Schwartzkopff <m...@sys4.de>
On Monday, 16 January 2017, 18:30:15, Varun Singh wrote:
> On Mon, Jan 16, 2017 at 6:18 PM, Michael Schwartzkopff <m...@sys4.de> wrote:
> > On Monday, 16 January 2017, 18:09:00, Varun Singh wrote:
> >> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff <m...@sys4
alell?
What bandwidth (aggregated)?
How many re-authentications per second (or minute)?
Any recent CPU should be able to handle "normal" internet connection speeds up
to 100 MBit/s and user figures as given above.
Kind regards,
Michael Schwartzkopff
d trust the hardware
vendors.
Also have an eye on the VPN setup rate. Establishing a VPN link needs
performance, so you would like to have as few renegotiations per second as
possible.
If you have 10k clients and a tunnel lifetime of 3600 sec, you would have
about 3 IPsec SA negotiations per sec. Th
le to hand out its own IP
addresses.
See:
https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp
https://wiki.strongswan.org/projects/strongswan/wiki/Dhcpplugin
Is this an option in your setup? Or do the IP addresses really have to be
passed on to the central DHCP server?
Kind regards,
local
gateway?
Any ideas? Thanks.
Kind regards,
Michael Schwartzkopff
) and N(NATD_D_IP) in the first packet I do not see
anything about NAT.
So it seems the other VPN endpoint does not support NATed connections?
Kind regards,
Michael Schwartzkopff
in clear text.
Any ideas what might be wrong?
Kind regards,
Michael Schwartzkopff
Hi,
I tried to find a documentation of the entries in the strongswan log file.
Especially I am looking for the documentation of the IKE attributes like
NATD_S_IP, NATD_D_IP, INVAL_KE, IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr
N(EAP_ONLY).
Any good hints?
Kind regards,
Michael
show in GUI and make
custom reports. But, unfortunately, this was taking too much time.
So, this development was stopped.
I'd be glad if you were able to revive that project and I could contribute.
Kind regards,
Michael Schwartzkopff
to contact me for further questions or for the integration into OpenNMS.
Kind regards,
Michael Schwartzkopff
. But I used to write in perl. net-snmp has a nice API.
MIBs: you can get inspired by other VPN vendors: Check Point, Cisco, Juniper.
I will send you some slides on how I created a subagent for the Linux Cluster
Manager. I gave that talk at a Linux conference.
Kind regards,
Michael
-Agent is quite a task. But I could help you a
little bit. But beware, I do not have too much time.
Kind regards,
Michael Schwartzkopff
Kind regards,
Michael Schwartzkopff
to set up such a config, you have to configure the correct MAC
address in the switches in the ports. Otherwise you could have loops and you
will see much traffic.
(...)
Kind regards,
Michael Schwartzkopff
of the authentication protocol and password storage
compatibility matrix?
http://deployingradius.com/documents/protocols/compatibility.html
Do you do an ldapbind or ldapsearch?
Kind regards,
Michael Schwartzkopff
=never
rightsubnet=192.168.56.0/24
#
auto = add
Anybody here who could help me why this authentication is failing?
Kind regards,
Michael Schwartzkopff
On Wednesday, 14 January 2015, 10:24:06, Michael Schwartzkopff wrote:
Hi,
I have an IPv4 transport network, so moon (responder) and carol machines have
IPv4 addresses. The IPv4 IPsec tunnel works.
Can I assign IPv6 addresses to my carol host? Something like
rightsourceip = 192.168.100.0
?
Kind regards,
Michael Schwartzkopff
/WAN distinguish between both boxes? If yes, how?
Thanks for any hints.
Kind regards,
Michael Schwartzkopff