Re: [strongSwan] Remote site dies for no reason?

2022-10-20 Thread Rene Maurer
that the remote station is no longer responding or am I wrong? Kind regards René On 21.10.2022 Rene Maurer wrote: Hi Noel Thank you very much. With IKEv2 the global ikev2 timeouts are used. See https://docs.strongswan.org/docs/6.0/config/retransmission.htm Ok. Does this mean that dpddelay

Re: [strongSwan] Remote site dies for no reason?

2022-10-20 Thread Rene Maurer
/docs/6.0/config/retransmission.html for details Kind regards Noel Kuntze On 20.10.22 10:45, Rene Maurer wrote: Hello We are using strongSwan U5.4.0/K4.4.107 (embedded device) and making an ipsec connection to a remote CISCO system. From time to time we see the following behavior (tunnel seems

[strongSwan] Remote site dies for no reason?

2022-10-20 Thread Rene Maurer
Hello We are using strongSwan U5.4.0/K4.4.107 (embedded device) and making an ipsec connection to a remote CISCO system. From time to time we see the following behavior (tunnel seems to stop working): Oct 20 09:32:33 EGV

Re: [strongSwan] Local network (routing)

2022-10-10 Thread Rene Maurer
On 10.10.2022 Noel Kuntze wrote: Please provide the output of `ipsec statusall` as well as `ip x p`.  Also, what are your firewall rules (iptables-save, nft list ruleset). On 10.10.22 15:44, Rene Maurer wrote: I am looking for a way to access the devices connected to eth0 also locally

Re: [strongSwan] Local network (routing)

2022-10-10 Thread Rene Maurer
On 10.10.2022 Michael Schwartzkopff wrote: On 10.10.22 15:44, Rene Maurer wrote: Hi I am using strongSwan U5.4.0/K4.4.107 (embedded device). The ipsec tunnel is established over a mobile network and it works fine. Additionally I have an Ethernet interface eth0 with the address 10.162.110.161

[strongSwan] Local network (routing)

2022-10-10 Thread Rene Maurer
Hi I am using strongSwan U5.4.0/K4.4.107 (embedded device). The ipsec tunnel is established over a mobile network and it works fine. Additionally I have an Ethernet interface eth0 with the address 10.162.110.161. eth0 is connected to 10.162.110.165. I am looking for a way to access the

Re: [strongSwan] Connect to a Cisco VPN Terminator

2022-01-28 Thread Rene Maurer
Done, so I answer to myself. rm...@mailc.net wrote: But I get an AUTHENTICATION_FAILED notify error. Changing left id from leftid="C=**, ST=**, L=***, O=***, OU=***, CN=***, E=***" to a very simple level leftid=CN-part (e.g. leftid=abc.xxx.ch) solved the problem (it was additionally

[strongSwan] Connect to a Cisco VPN Terminator

2022-01-28 Thread Rene Maurer
Hello I am trying to connect to a Cisco VPN Terminator. Unfortunately I do not have access to this point. I have obtained certificate and key and entered them in /etc/ipsec.d/certs, /etc/ipsec.d/cacerts and /etc/ipsec.d/private. But I get an AUTHENTICATION_FAILED notify error. I don't know

Re: [strongSwan] Tunnel over [slow] GPRS link

2017-05-01 Thread Rene Maurer
Hello Noel > set net.ipv4.ip_no_pmtu_disc=1 Doesn't help. > Try to enable IKE fragmentation, if you can, by setting "fragmentation=yes". > That will enable fragmentation if the remote peer supports it. Fragmentation isn't supported by the peer AFAIK. > The problem is that the message gets

[strongSwan] Tunnel over [slow] GPRS link

2017-04-28 Thread Rene Maurer
Hello I have strongSwan 5.3.0 installed on an embedded Linux system with Kernel 3.14.43. The embedded system has three network interfaces: 1. eth0 => connected to my local network (10.4.48.0/20). 2. eth1 => connected to the Ethernet (DHCP) if cable plugged in. 3. ppp0 => connected to the Ethernet

Re: [strongSwan] Don't know where to start

2017-04-27 Thread Rene Maurer
Hello Noel On 27.04.2017 15:12, Noel Kuntze wrote: > On 27.04.2017 14:12, Rene Maurer wrote: >> Unfortunately the problem is still pending. > Obviously the remote peer does not respond to the request. Finally I have the tunnel up. ipsec status Routed Connections: home

Re: [strongSwan] Don't know where to start

2017-04-27 Thread Rene Maurer
Hello Noel Noel Kuntze wrote: >> But when I look at the log on my site together with >> "tcpdump -i ppp0", I have the impression that ikev2_auth >> is sent (once). > > This looks good. Check if that packet makes it there. Some IKE implementations > just drop all

Re: [strongSwan] Don't know where to start

2017-04-27 Thread Rene Maurer
(Sorry email again with fixed from-address) Hello Noel Noel Kuntze wrote: >> But when I look at the log on my site together with >> "tcpdump -i ppp0", I have the impression that ikev2_auth >> is sent (once). > > This looks good. Check if that packet makes it there.

Re: [strongSwan] Don't know where to start

2017-04-25 Thread Rene Maurer
Hello Noel Noel Kuntze wrote : > (I'm answering this from my original email account now.) And I see your email now in my email account. >> But when I look at the log on my site together with >> "tcpdump -i ppp0", I have the impression that ikev2_auth >> is sent (once).

[strongSwan] Don't know where to start

2017-04-25 Thread Rene Maurer
Hello I am new to strongSwan and I try to establish a connection between an embedded Linux box (using Linux strongSwan U5.3.0/K3.14.43) and a MOXA switch located on a remote site. On the embedded Linux box I have two interfaces: ppp0 connects to the internet (using GPRS). eth0 (10.4.48.1) connects