[strongSwan] left ID, right ID and no matching peer config

2017-04-24 Thread Piyush Agarwal
? I hope I am not missing something basic/obvious. Thanks. -- Piyush Agarwal Life can only be understood backwards; but it must be lived forwards. ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] left ID, right ID and no matching peer config

2017-04-24 Thread Piyush Agarwal
o find peer config when rightid has been specified as %any? I hope I am not missing something basic/obvious. On Mon, Apr 24, 2017 at 6:19 PM, Piyush Agarwal wrote: > Hi, > I am trying to establish strongswan between two ubuntu 14.04 machines. > I can get things to work if I specify both

Re: [strongSwan] left ID, right ID and no matching peer config

2017-04-25 Thread Piyush Agarwal
't match "client". So > either set `rightid=client` or don't set `leftid` on the client so the > client's own identity defaults to the subject DN of the certificate. > > Regards, > Tobias > -- Piyush Agarwal Life

[strongSwan] Multiple charon daemons mininet namespaces

2017-04-26 Thread Piyush Agarwal
re no way to achieve this? No environment variable that can be set? Appreciate any comments/directions/pointers. Thank you. Piyush -- Piyush Agarwal Life can only be understood backwards; but it must be lived forwards.

Re: [strongSwan] Multiple charon daemons mininet namespaces

2017-04-26 Thread Piyush Agarwal
, 2017 at 11:23 AM, Noel Kuntze wrote: > You can't do that when you start charon using "ipsec" (which implicitly > calls "ipsec starter"). > You can do it with charon-systemd, though (but then you need to start it > using systemd and you get a similar pro

Re: [strongSwan] Multiple charon daemons mininet namespaces

2017-04-26 Thread Piyush Agarwal
D file is hard coded during build time. > > Take a look at the source code of starter[1] and track the > > variable assignments down. > > > > [1] https://github.com/strongswan/strongswan/tree/master/src/starter > > > > Kind regards, > > Noel >

Re: [strongSwan] Multiple charon daemons mininet namespaces

2017-04-26 Thread Piyush Agarwal
pr 26, 2017 at 5:18 PM, Noel Kuntze < noel.kuntze+strongswan-users-ml@thermi.consulting> wrote: > Hello Piyush, > > Did you try copying the files, instead of symlinking? > > On 27.04.2017 01:04, Piyush Agarwal wrote: > > Hi Noel, > > Many thanks for the pointer. Your s

Re: [strongSwan] Multiple charon daemons mininet namespaces

2017-04-27 Thread Piyush Agarwal
Would appreciate some help on this. Given the need to disable strongswan tests, I doubt there is a better place to go ask this. Thanks in advance once again. Piyush On Wed, Apr 26, 2017 at 5:27 PM, Piyush Agarwal wrote: > Yes I did. Did not help, got same issue. > > I guess I'll

[strongSwan] listen interface specification

2017-05-01 Thread Piyush Agarwal
start strongSwan -- fatal errors in config* -- Piyush Agarwal Life can only be understood backwards; but it must be lived forwards.

Re: [strongSwan] listen interface specification

2017-05-01 Thread Piyush Agarwal
want to listen on is actually on the lo interface: ip -d addr show lo | grep 104.100.x.x inet 104.100.x.x/32 scope global lo Not that it should matter, but all this is being done inside an ip/mininet network namespace. Thanks. Piyush On Mon, May 1, 2017 at 4:13 PM, Piyush Agarwal wrote: >

Re: [strongSwan] listen interface specification

2017-05-02 Thread Piyush Agarwal
for debugging would be great. Thanks. On Mon, May 1, 2017 at 8:03 PM, Piyush Agarwal wrote: > I don't see any loopback addresses listed in the "known interfaces": > > 8150 00[KNL] known interfaces and IP addresses: > 8151 00[KNL] p2p1 > 8152 00[KNL] 169.x.x.x

Re: [strongSwan] listen interface specification

2017-05-02 Thread Piyush Agarwal
didn't find ANY ip for the loopback (not even 127.0.0.1). Any help for debugging would be great. Thanks. On Tue, May 2, 2017 at 10:13 AM, Piyush Agarwal wrote: > Noel, > Thanks for pointing out my mistake -- my bad I should have read the > ipsec.conf carefully. > > Having said

Re: [strongSwan] listen interface specification

2017-05-02 Thread Piyush Agarwal
stening IP addresses:* Connections: Security Associations (0 up, 0 connecting): none On Tue, May 2, 2017 at 10:13 AM, Piyush Agarwal wrote: > Noel, > Thanks for pointing out my mistake -- my bad I should have read the > ipsec.conf carefully. > > Having said that, I have

Re: [strongSwan] listen interface specification

2017-05-03 Thread Piyush Agarwal
at 11:00 AM, Andreas Steffen < andreas.stef...@strongswan.org> wrote: > Hi Piyush, > > have you tried > > interfaces_use = lo > > without the double quotes? > > Regards > > Andreas > > On 02.05.2017 19:27, Piyush Agarwal wrote: > >> Ok, I had miss

[strongSwan] host to host auto start recommendation

2017-05-03 Thread Piyush Agarwal
ki.strongswan.org/issues/431 ? Is my understanding right? Is A->B tunnel different from B->A? Could someone please give some pointers to help me understand this. Thanks. -- Piyush Agarwal Life can only be understood backwards; but it must be lived forwards.

[strongSwan] disable generation of myKey.der

2017-05-09 Thread Piyush Agarwal
and then call "ipsec reload" to have the config loaded and tunnel established. I couldn't find any configuration option to do this. I hope I don't need a compilation change to make this happen? Thanks. -- Piyush Agarwal Life can only be understood backwards; but it mu

[strongSwan] signature validation failed error

2017-05-15 Thread Piyush Agarwal
dation failed, looking for another key* Appreciate any guidance. -- Piyush Agarwal Life can only be understood backwards; but it must be lived forwards.

Re: [strongSwan] signature validation failed error

2017-05-15 Thread Piyush Agarwal
ing on when server came up). Thanks. Piyush On Mon, May 15, 2017 at 10:40 AM, Piyush Agarwal wrote: > Hi, > I am running into a strange issue and would appreciate any help in > debugging what could be going wrong. > > I am using self-signed certs for both my client and server. Client s

Re: [strongSwan] signature validation failed error

2017-05-16 Thread Piyush Agarwal
Apologies. Turns out the issue was a messy filesystem due to using overlayfs() and yet modifying the underlying filesystem directly. Please ignore this thread. On Mon, May 15, 2017 at 4:25 PM, Piyush Agarwal wrote: > I made some progress debugging this. For a start, I changed the DN of

[strongSwan] Exclude protocol from IPsec

2017-05-22 Thread Piyush Agarwal
I was using racoon where I could use setkey to manually update the SPD to exclude icmp alone. Please advise if there is any way to achieve this with strongswan. Thanks. -- Piyush Agarwal Life can only be understood backwards; but it must be lived forwards.

Re: [strongSwan] Exclude protocol from IPsec

2017-05-23 Thread Piyush Agarwal
cmp >>> fwd prio high + 1073740030 ipsec >>> esp/tunnel/1.100.0.5-1.100.0.9/unique:1 >>> created: May 23 11:21:42 2017 lastused: >>> lifetime: 0(s) validtime: 0(s) >>> spid=1834 seq=1 pid=103981 >>>

Re: [strongSwan] Exclude protocol from IPsec

2017-05-23 Thread Piyush Agarwal
>>>>> reauth=no >>>>> auto=start >>>>> >>>>> *Server ipsec.conf:* >>>>> >>>>> config setup >>>>> charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net

Re: [strongSwan] Exclude protocol from IPsec

2017-05-23 Thread Piyush Agarwal
l see this log message in server's charon.log (and not client's): *10[CFG] left is other host, swapping ends* On Tue, May 23, 2017 at 4:25 PM, Piyush Agarwal wrote: > Exactly, but nowhere in my config file do I find a mistake. How can I > correct the TS? > > Again, my co

Re: [strongSwan] Exclude protocol from IPsec

2017-05-23 Thread Piyush Agarwal
Turns out charon.plugins.stroke.allow_swap handling is missing (or there is a bug) in 5.1.2. I moved to 5.3.5 and I have unencrypted ping now working. Thanks. On Tue, May 23, 2017 at 5:02 PM, Piyush Agarwal wrote: > After some googling, I tried two things: > 1) changed strongswan.conf

[strongSwan] "the same policy exists for reqid Y" error

2017-05-24 Thread Piyush Agarwal
ndcert=always rightcert=client1_cert.pem right=1.100.0.13 reauth=no dpdaction=restart auto=add conn 1.100.0.9 type=transport left=1.100.0.5 leftcert=server_cert.pem leftsendcert=always rightcert=client0_cert.pem right=1.100.0.9 reauth=no dpdaction=restart auto=add -- Piyush Agarwal Life can only be understood backwards; but it must be lived forwards.