Re: [strongSwan] vici initiator only or responder per connection

2020-04-07 Thread Naveen Neelakanta
Hi Tobias, thank you for taking the time to reply to my request. How can I get the same behavior per connection via vici? I believe dropping the connection when the global initiator_only is marked as yes is done in charon code and not via iptables. Please guide me on the per-connection option.

[strongSwan] vici initiator only or responder per connection

2020-04-06 Thread Naveen Neelakanta
Hi All, I am using the vici plugin to configure strongSwan and to load and initiate connections. I see that we have a global "initiator_only = yes/no" configuration in charon.conf; is it possible to configure this per connection via vici, so that the initiator is only responsible for

Re: [strongSwan] spi allocation failed

2020-01-03 Thread Naveen Neelakanta
lgs) and check how that could occur. > Maybe file a bug with the project that maintains the library or something. > It's up to you. > > Kind regards > > Noel > > Am 03.01.20 um 02:52 schrieb Naveen Neelakanta: > > Hi Noel and Tobias, > > > > I saw my s

[strongSwan] spi allocation failed

2020-01-02 Thread Naveen Neelakanta
Hi Noel and Tobias, I saw my session was down and saw the message below in the strongSwan logs saying SPI allocation had failed; after restarting charon, the session came up. I was running as root. I believe the session was flapping, if that is the reason for the message below, or are there other

[strongSwan] Frequent childsa close and open

2019-08-15 Thread Naveen Neelakanta
Hi, I am seeing this continuous close and create for the CHILD_SA. My logs are overrun; any clue on what might cause this and any way to prevent this from happening? 2019-08-11T05:43:45.275Z inf charon local1 @dGzD9B text:14[IKE] CHILD_SA sl3childsa{300113} established with SPIs

[strongSwan] ikev1 Main mode

2019-02-28 Thread Naveen Neelakanta
Hi All, I am using IKEv1 main mode; after rekey, I see the error message below and the IKE session goes to the connecting state. Any clue to resolve this issue? This happens only for IKEv1. message parsing failed", "_fac": "local1", "_level": "info" } sl2: #14, CONNECTING, IKEv1,

[strongSwan] Sa not getting deleted

2019-01-02 Thread Naveen Neelakanta
Hi All, I see an issue where, when I unload a connection via the vici API and reload a connection, the old SAs are not getting deleted immediately, but I see a soft expire of 3077 (sec). src 10.24.18.209 dst 199.168.148.132 proto esp spi 0x36e072cf(920679119) reqid 1(0x0001) mode tunnel
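The post above quotes two lines of `ip xfrm state` output for an SA that lingered after an unload/reload. The following is an added example, not code from the thread or from the strongSwan project: it parses that output shape (the `src ... dst ...` header, the `proto esp spi ... reqid ... mode tunnel` line, and the `expire add: soft N(sec), hard M(sec)` lifetime line) and reports every (src, dst, reqid) that has more than one ESP SA installed, which is exactly the "old SA still beside the new one" situation. The sample text is constructed in the shape of `ip xfrm state` output, not captured from a host; the SPIs other than the one quoted in the post are made up.

```python
"""Spot leftover IPsec SAs after a vici unload/reload from `ip xfrm state` output.

Added example, not strongSwan's own code. `ip xfrm state` prints one SA per
'src X dst Y' header followed by indented detail lines; this parser keeps only
the fields needed to group SAs by direction and reqid.
"""
import re
from collections import defaultdict

SA_HEAD = re.compile(r"^src (\S+) dst (\S+)\s*$")
SA_PROTO = re.compile(
    r"^\s*proto (\w+) spi (0x[0-9a-f]+)\(\d+\) reqid (\d+)\(0x[0-9a-f]+\) mode (\w+)")
SA_ADD = re.compile(r"^\s*expire add: soft (\d+)\(sec\), hard (\d+)\(sec\)")


def parse_xfrm_state(text):
    """Return a list of dicts, one per SA, in the order `ip xfrm state` lists them."""
    sas, cur = [], None
    for line in text.splitlines():
        m = SA_HEAD.match(line)
        if m:
            cur = {"src": m[1], "dst": m[2]}
            sas.append(cur)
            continue
        if cur is None:
            continue  # preamble before the first SA, if any
        m = SA_PROTO.match(line)
        if m:
            cur.update(proto=m[1], spi=m[2], reqid=int(m[3]), mode=m[4])
            continue
        m = SA_ADD.match(line)
        if m:
            cur.update(soft=int(m[1]), hard=int(m[2]))
    return sas


def duplicate_sas(text, proto="esp"):
    """Map (src, dst, reqid) -> list of SPIs for every direction that carries
    more than one SA of the given protocol. After a clean reload there should be
    exactly one outbound and one inbound SA per reqid."""
    groups = defaultdict(list)
    for sa in parse_xfrm_state(text):
        if sa.get("proto") == proto:
            groups[(sa["src"], sa["dst"], sa["reqid"])].append(sa["spi"])
    return {key: spis for key, spis in groups.items() if len(spis) > 1}


# Constructed sample in the shape of `ip xfrm state` output (the real tool
# indents with tabs; the regexes accept either). The first SA is the one
# quoted in the post; the other two SPIs are invented for the example.
SAMPLE = """\
src 10.24.18.209 dst 199.168.148.132
    proto esp spi 0x36e072cf(920679119) reqid 1(0x0001) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      expire add: soft 3077(sec), hard 3600(sec)
src 10.24.18.209 dst 199.168.148.132
    proto esp spi 0xc1a2b3d4(3248665556) reqid 1(0x0001) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      expire add: soft 3249(sec), hard 3600(sec)
src 199.168.148.132 dst 10.24.18.209
    proto esp spi 0x0a0b0c0d(168496141) reqid 1(0x0001) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      expire add: soft 3300(sec), hard 3600(sec)
"""

if __name__ == "__main__":
    for sa in parse_xfrm_state(SAMPLE):
        print(f"{sa['src']} -> {sa['dst']} reqid {sa['reqid']} spi {sa['spi']} "
              f"soft {sa.get('soft')}s hard {sa.get('hard')}s")
    for (src, dst, reqid), spis in duplicate_sas(SAMPLE).items():
        print(f"multiple ESP SAs for {src} -> {dst} reqid {reqid}: {', '.join(spis)}")
```

Run it against real output with `ip xfrm state | python3 this.py` after replacing `SAMPLE` with `sys.stdin.read()`. Cross-check any SPI it reports against `swanctl --list-sas` before touching it: an SA that charon still knows about is in the middle of a rekey, not a leftover, and deleting it from the kernel by hand will drop traffic.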

Re: [strongSwan] Strongswan responds to scan attack

2018-12-05 Thread Naveen Neelakanta
Thanks Tobias. The vulnerability is: ISAKMP endpoint allows short key lengths or insecure encryption algorithms to be negotiated. This could allow remote attackers to compromise the confidentiality and integrity of the data by decrypting and modifying individual ESP and AH packets. Thanks,
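The scanner finding quoted above is about which algorithms the daemon is willing to negotiate, which in strongSwan comes down to the proposal strings configured per connection (and the daemon's built-in defaults when no connection matches). The following is an added example, not code from the thread or from the strongSwan project: a small audit that parses proposal strings in the keyword syntax used by ipsec.conf `ike=`/`esp=` and swanctl.conf `proposals=`/`esp_proposals=` (algorithms joined with `-`, alternatives with `,`, optional trailing `!` for strict mode), flags alternatives carrying short keys or broken algorithms, and prints a hardened string with those alternatives removed. It also normalises the algorithm names charon prints in logs and `swanctl --list-sas` (the `ESP:AES_CBC-128/HMAC_SHA1_96` form seen elsewhere in this list) so installed SAs can be checked the same way. Which algorithms count as weak or legacy is this example's own judgement, not a list published by the project.

```python
"""Audit strongSwan IKE/ESP proposal strings for weak algorithms.

Added example, not strongSwan's own code. The WEAK/LEGACY tables below are
an assumption of this example (what a PCI scanner is likely to flag), not a
list maintained by the strongSwan project.
"""
import re

# Assumption: algorithms treated as disqualifying an alternative.
WEAK = {
    "des": "56-bit DES",
    "3des": "3DES (112-bit effective key, 64-bit block)",
    "null": "no encryption",
    "md5": "MD5 integrity",
    "modp768": "768-bit DH group",
    "modp1024": "1024-bit DH group",
    "modp1536": "1536-bit DH group",
}
# Assumption: still widely deployed, so reported but not rejected.
LEGACY = {"sha1": "SHA-1 integrity", "prfsha1": "SHA-1 PRF"}

# Log / swanctl algorithm name -> config keyword. Unknown names pass through lowercased.
_LOG_RULES = [
    (re.compile(r"^AES_CBC-(\d+)$"), lambda m: f"aes{m[1]}"),
    (re.compile(r"^AES_GCM_(\d+)-(\d+)$"), lambda m: f"aes{m[2]}gcm{m[1]}"),
    (re.compile(r"^3DES_CBC$"), lambda m: "3des"),
    (re.compile(r"^DES_CBC$"), lambda m: "des"),
    (re.compile(r"^NULL$"), lambda m: "null"),
    (re.compile(r"^HMAC_MD5_96$"), lambda m: "md5"),
    (re.compile(r"^HMAC_SHA1_96$"), lambda m: "sha1"),
    (re.compile(r"^HMAC_SHA2_(\d+)_\d+$"), lambda m: f"sha{m[1]}"),
    (re.compile(r"^PRF_HMAC_SHA1$"), lambda m: "prfsha1"),
    (re.compile(r"^PRF_HMAC_SHA2_(\d+)$"), lambda m: f"prfsha{m[1]}"),
    (re.compile(r"^MODP_(\d+)$"), lambda m: f"modp{m[1]}"),
    (re.compile(r"^ECP_(\d+)$"), lambda m: f"ecp{m[1]}"),
]


def log_alg_to_keyword(name):
    """'HMAC_SHA1_96' -> 'sha1', 'AES_CBC-128' -> 'aes128', 'MODP_1024' -> 'modp1024'."""
    for rx, fmt in _LOG_RULES:
        m = rx.match(name.upper())
        if m:
            return fmt(m)
    return name.lower()


def log_proposal_to_spec(text):
    """'AES_CBC-128/HMAC_SHA1_96/MODP_1024' -> 'aes128-sha1-modp1024'."""
    return "-".join(log_alg_to_keyword(a) for a in text.split("/") if a)


def split_proposals(spec):
    """'aes128-sha1-modp1024,3des-md5-modp768!' -> [['aes128','sha1','modp1024'], ['3des','md5','modp768']]"""
    body = spec.strip().rstrip("!")
    return [[t for t in alt.split("-") if t] for alt in body.split(",") if alt.strip()]


def audit(spec):
    """Return [(proposal, findings)], findings being a list of (token, severity, reason)."""
    report = []
    for alt in split_proposals(spec):
        findings = []
        for tok in alt:
            key = tok.lower()
            if key in WEAK:
                findings.append((tok, "weak", WEAK[key]))
            elif key in LEGACY:
                findings.append((tok, "legacy", LEGACY[key]))
        report.append(("-".join(alt), findings))
    return report


def weak_alternatives(spec):
    """Alternatives a peer (or a scanner) could select that contain a weak algorithm."""
    return [p for p, f in audit(spec) if any(sev == "weak" for _, sev, _ in f)]


def harden(spec):
    """Drop every alternative with a weak algorithm, keeping the strict '!' marker.
    Returns '' when nothing survives so the caller has to pick new proposals
    rather than silently falling back to charon's defaults."""
    strict = spec.strip().endswith("!")
    kept = [p for p, f in audit(spec) if not any(sev == "weak" for _, sev, _ in f)]
    return ",".join(kept) + ("!" if strict else "") if kept else ""


if __name__ == "__main__":
    # Constructed samples: a legacy ipsec.conf ike= value, then an installed-SA
    # proposal in the form charon prints it.
    for spec in ["aes128-sha1-modp1024,3des-md5-modp768!",
                 log_proposal_to_spec("AES_CBC-128/HMAC_SHA1_96/MODP_2048")]:
        print(spec)
        for prop, findings in audit(spec):
            for tok, sev, why in findings:
                print(f"  {prop}: {sev} {tok} ({why})")
        print("  hardened:", harden(spec) or "<nothing left, choose new proposals>")
```

Note the limit of a config audit: it only covers proposals you configured. The original question in this thread was about responses to scans when no matching connection exists, and for that case what gets offered is charon's default proposal set, so the check worth running is the scanner itself (or `swanctl --list-sas` after a test negotiation) rather than grepping config files.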

[strongSwan] Strongswan responds to scan attack

2018-12-04 Thread Naveen Neelakanta
Hi, is there a configuration to stop strongSwan from responding to unsolicited requests from scans, even when strongSwan is not configured with an endpoint configuration? This was detected with PCI auditing tools. Thanks, Naveen

[strongSwan] XfrmInStateProtoError

2018-09-20 Thread Naveen Neelakanta
Hi All, when I send a ping request with a packet size larger than 1500, I see the XfrmInStateProtoError counter increment on the receiver side; any clue on this? Thanks, Naveen

Re: [strongSwan] Multiple ChildSA

2018-05-08 Thread Naveen Neelakanta
": "local1", "_level": "info" } { "_ts": "2018-05-08T18:30:02.719Z", "_prog": "charon", "_msgid": "@sBphOC", "text": "06[CFG]hw_offload = 0", "_fac": "local1", "

[strongSwan] Multiple ChildSA

2018-05-04 Thread Naveen Neelakanta
Hi, I have an IKEv1 session up; however, I also see multiple CHILD_SAs if I leave the session for a long run. I would like to understand this scenario and whether I should take any action if it is seen. sl1childsa: #726, reqid 368, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96

Re: [strongSwan] Notification

2018-05-03 Thread Naveen Neelakanta
On Thu, May 3, 2018 at 4:02 PM, Naveen Neelakanta < naveen.b.neelaka...@gmail.com> wrote: > Thank you Tobias > > On Thu, May 3, 2018 at 2:05 AM, Tobias Brunner <tob...@strongswan.org> > wrote: > >> Hi Naveen, >> >> > I am using the vici plugin to

Re: [strongSwan] Notification

2018-05-03 Thread Naveen Neelakanta
Thank you Tobias On Thu, May 3, 2018 at 2:05 AM, Tobias Brunner wrote: > Hi Naveen, > > > I am using the vici plugin to handle the events and configure the > > tunnels, however in case of errors like the "no proposal " or auth > > failure, can this information be

[strongSwan] Notification

2018-05-02 Thread Naveen Neelakanta
Hi Noel, I am using the vici plugin to handle the events and configure the tunnels; however, in case of errors like "no proposal" or auth failure, can this information be retrieved from vici messages? That will help a lot for debugging; if this is already present, please point me to the

Re: [strongSwan] second connection from the same machine fails

2018-03-02 Thread Naveen Neelakanta
Thanks Tobias, I changed the marking for the connections to be unique and also added mark_in. Now I see that the ssh issue is also resolved, but I need to get the return traffic routed to the VTI interface based on the marking. Regards, Naveen On Fri, Mar 2, 2018 at 12:54 AM, Tobias Brunner

[strongSwan] second connection from the same machine fails

2018-03-02 Thread Naveen Neelakanta
Hi Noel, I need some guidance on the issues below using strongSwan. 1) The second connection with the configuration below fails. config setup conn %default ikelifetime=8h keylife=8h rekeymargin=3m keyingtries=2 keyexchange=ikev1

[strongSwan] routing traffic back to VTI interface

2017-12-07 Thread Naveen Neelakanta
Hi Noel, I am trying to ping the VTI interfaces. When I ping, I see the traffic coming back but I don't see it on ipsec0; however, I see the traffic on the eth3 interface after it is decrypted, and don't see the same reaching ipsec0. # tcpdump -ni eth3 icmp tcpdump: verbose output suppressed, use -v or -vv

Re: [strongSwan] Issue with VTI packet forwarding

2017-11-29 Thread Naveen Neelakanta
/wiki/RouteBasedVPN > > > On 29.11.2017 09:16, Naveen Neelakanta wrote: >> Hi All, >> >> Need some guidance and help in getting the traffic routed via VTI ( >> ipsec0 ) interface.I am using the VTI interface to just mark the >> traffic and forward. >> &

[strongSwan] Issue with VTI packet forwarding

2017-11-29 Thread Naveen Neelakanta
Hi All, I need some guidance and help in getting the traffic routed via the VTI (ipsec0) interface. I am using the VTI interface just to mark the traffic and forward it. I am not able to get the traffic forwarded via the VTI (ipsec0) interface and get the traffic marked so that it gets protected. I

[strongSwan] Issue with VTI packet forwarding.

2017-11-28 Thread Naveen Neelakanta
Hi All, I need some guidance and help in getting the traffic routed via the VTI (ipsec0) interface. I am using the VTI interface just to mark the traffic and forward it. I am not able to get the traffic forwarded via the VTI (ipsec0) interface and get the traffic marked so that it gets protected. I

[strongSwan] Get Expired Certificate

2016-03-28 Thread Naveen Neelakanta
Hello, is there a configuration to save the expired certificates received from the client? Thanks, Naveen ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Remove default policy

2016-03-23 Thread Naveen Neelakanta
On Tue, Mar 22, 2016 at 8:02 PM, Naveen Neelakanta < naveen.b.neelaka...@gmail.com> wrote: > Hello, > > Is it possible to configure strongswan not to add the below default > policy rules. > I am running strong swan in TEST namespace on linux and i don't see > the arp working

Re: [strongSwan] Remove default policy

2016-03-23 Thread Naveen Neelakanta
dev vnet1 proto kernel scope link src 10.8.13.2 Let me know for any other information required. Thanks Naveen On Wed, Mar 23, 2016 at 12:23 AM, Thomas Egerer <hakke_...@gmx.de> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On March 23, 2016 4:02:48 AM G

[strongSwan] Remove default policy

2016-03-22 Thread Naveen Neelakanta
Hello, is it possible to configure strongSwan not to add the default policy rules below? I am running strongSwan in a TEST namespace on Linux and I don't see ARP working from the root namespace to the namespace interface. I would like to know why ARP between the root namespace and the TEST namespace

[strongSwan] Routing traffic from veth pair to other veth pair in Namespace

2016-03-19 Thread Naveen Neelakanta
Hi All, I would like to run strongSwan in a Linux namespace between veth pairs and protect all the LAN-to-WAN traffic. I need some help in getting routing between veth pairs of interfaces in the Linux namespace. I am unable to route packets between two different veth pairs. I have the

[strongSwan] VPN and NAT

2013-09-19 Thread Naveen Neelakanta
Hello, can IPsec VPN and NAT be on the same device? Should NAT be bypassed if we have IPsec VPN enabled? I just wanted to know: if a router acts as a client and strongSwan is used as the server, strongSwan assigns a virtual IP. In this case all the LAN IPs behind the router need to be source NATed

Re: [strongSwan] virtual ip

2013-09-14 Thread Naveen Neelakanta
10.43.135.221 : PSK 0s123456789abcxyzABCXYZ+/ if it is to be interpreted as a Base64-encoded value. Regards Andreas On 09/14/2013 05:47 AM, Naveen Neelakanta wrote: Hi All, I have installed both strongswan server and client . I am trying the virtual ip scenario with PSK auth method

Re: [strongSwan] virtual ip

2013-09-14 Thread Naveen Neelakanta
Thanks Andreas, I got it working. Thanks Naveen On Sat, Sep 14, 2013 at 4:16 PM, Naveen Neelakanta nbnopens...@gmail.com wrote: Hi Andreas, I have changed the ipsec.secrets file and saw that the secret values were read properly by both client and server, but I still get the authentication failure

Re: [strongSwan] reduce size

2013-09-13 Thread Naveen Neelakanta
Hi Martin, I would keep IKEv1 and IKEv2, but how can I disable these: * updown: if you don't need leftfirewall/leftupdown options * attr: if you don't set IKE attributes in strongswan.conf * x509: openssl has its own (but simpler) certificate support * constraints: if you don't

[strongSwan] virtual ip

2013-09-13 Thread Naveen Neelakanta
Hi All, I have installed both the strongSwan server and client. I am trying the virtual IP scenario with the PSK auth method, but I am not able to get it working with the attached configuration files. Please find attached the server and client configuration files. I have installed the

[strongSwan] reduce size

2013-09-12 Thread Naveen Neelakanta
Hi All, I have compiled the latest strongSwan with the configuration below and installed it to a specific location. Below are the steps followed. # export DESTDIR=/local/mnt/workspace/NBN/VPN/STRONGSWAN/Latest/install/ # ./configure CPPFLAGS=-Os --prefix=/usr --disable-rc2 --disable-md5

[strongSwan] config payload support in openswan

2013-09-10 Thread Naveen Neelakanta
Hi, I was using Openswan for a VPN client on Linux. I was able to establish the tunnels with a static IP address; however, I could not find a way to get an IP address assigned from the server IP pool. I wanted to know if this is possible using Openswan. I was trying to have a pure IPsec VPN not tied with

[strongSwan] Strongswan packages selection

2013-08-30 Thread Naveen Neelakanta
Hi, I am new to strongSwan. I have been able to successfully establish a tunnel between two Linux PCs. However, I want to reduce the size of the strongSwan image and hence I have used the compilation options below. --disable-curl --disable-soup --disable-ldap \ --enable-gmp