Re: [strongSwan] Let's Encrypt CA Expiry & related StrongSWAN trouble

2021-10-06 Thread Simon Deziel
On 2021-10-06 2:27 p.m., Philip Veale wrote: On Wed, 6 Oct 2021 at 17:24, Simon Deziel wrote: On 2021-10-06 12:22 p.m., Simon Deziel wrote: On 2021-10-06 12:08 p.m., Philip Veale wrote: Oct 6 16:43:55 VPN-Server charon: 00[LIB] opening '/etc/letsencrypt/live/vpn.my-hostname/privkey.pem

Re: [strongSwan] Let's Encrypt CA Expiry & related StrongSWAN trouble

2021-10-06 Thread Simon Deziel
On 2021-10-06 12:22 p.m., Simon Deziel wrote: On 2021-10-06 12:08 p.m., Philip Veale wrote: I hadn't tried that, but tried, didn't change anything. I noticed things specifically related to StrongSWAN aren't working since the update to Bullseye and swanctl is not a recognised command. StrongSWAN

Re: [strongSwan] Let's Encrypt CA Expiry & related StrongSWAN trouble

2021-10-06 Thread Simon Deziel
and creates new ones, keeping the old, the newest versions are always symlinked. Debian Stretch didn't have AppArmor but it's been enabled by default in Debian since Buster. So yeah, the dist-upgrade kinda broke things. Thanks to Simon Deziel in this old thread from years ago; https

Re: [strongSwan] "signal of type SIGINT received. Shutting down" ?

2018-01-25 Thread Simon Deziel
On 2018-01-25 12:35 PM, Hoggins! wrote: > I'm just trying to make sure that I'm able to fine select different > types of traffic on outbound UDP 4500 (we use NAT-T), and right now it > seems that I'm still also catching "data" packets. Maybe you can configure IPtables to look for those 4 bytes of

Re: [strongSwan] Windows ikev2 conn, eap_identity ignored

2017-10-23 Thread Simon Deziel
Hi Giuseppe, On 2017-10-23 06:56 AM, Giuseppe De Marco wrote: > I faced that there are no attr_sql support on standard Debian 9 packages. Indeed, Debian doesn't provide the plugin you are looking for. In Ubuntu, it is available in the libstrongswan-extra-plugins package. There is a bug [1] about

Re: [strongSwan] Trying to work out why connection not being established from AWS

2017-09-22 Thread Simon Deziel
On 2017-09-22 02:13 PM, Whit Blauvelt wrote: >> Linux aliases are a deprecated concept. Bind the IP to any local >> interface. Preferably one that can not go down. You can just add it. >> Anyway, charon needs to listen on the IP to be able to send packets from >> it. > > I use the word "alias"

Re: [strongSwan] High latencies

2017-09-19 Thread Simon Deziel
On 2017-09-19 10:05 AM, Turbo Fredriksson wrote: > On 19 Sep 2017, at 14:57, Noel Kuntze wrote: > >> Did you fix the MSS? Is the MTU on the tunnel correct? Did you maybe break >> PMTU discovery? > > Not sure, can't remember… How do I check?

Re: [strongSwan] Can't load certificates and keys via symlink

2017-02-13 Thread Simon Deziel
On 10.02.2017 at 00:22, Jose Novacho wrote: > > if I replace the symbolic link with the actual file fullchain1.pem > everything works as expected. > > I have also replaced the link, so it points at the > /etc/letsencrypt//archive//trinity.ingames.cz/cert1.pem file. But > that didn't help

Re: [strongSwan] Avoid leakage of packets addressed to/from private IP space

2015-09-09 Thread Simon Deziel
On 09/07/2015 07:31 PM, Noel Kuntze wrote: >> The distribution which I have used did not have ebtables-save and >> ebtables-restore scripts. >> Strange enough: http://packages.ubuntu.com/precise/amd64/ebtables/filelist >> I agree with your points. I think my script can be useful to initialize the

Re: [strongSwan] strongSwan 5.1.2 on Ubuntu Trusty (14.0.4) and AppArmor

2015-03-19 Thread Simon Deziel
Hi Fabrice, On 03/19/2015 09:22 AM, Fabrice Barconnière wrote: I've configured VPN on Ubuntu Trusty with strongSwan 5.1.2 and connections are OK. But when I execute the ipsec statusall command, it replies: reading from socket failed: Permission

Re: [strongSwan] xauth-pam

2015-02-13 Thread Simon Deziel
Hi Thomas, root@quark:/etc# tail -f /var/log/syslog | egrep -C 2 "fail|erro" Feb 9 15:35:31 quark charon: 00[LIB] plugin 'xauth-generic': loaded successfully Feb 9 15:35:31 quark charon: 00[DMN] xauth-pam plugin requires CAP_AUDIT_WRITE capability Feb 9 15:35:31 quark charon: 00[LIB]

Re: [strongSwan] dns problem when using the dhcp plugin

2014-12-09 Thread Simon Deziel
On 12/09/2014 02:24 PM, Hasse Hagen Johansen wrote: So I have these rules: Chain zone_wan (1 references) target prot opt source destination ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0

Re: [strongSwan] strongswan without client certifikate

2014-12-03 Thread Simon Deziel
Hi Thomas, Have you looked at [1]? It says: EAP-MSCHAPv2 requires MD4 to generate the NT-Hashes HTH, Simon 1: https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#C-Authentication-using-EAP-MSCHAP-v2 On 12/03/2014 04:59 PM, Thomas wrote: Hi Noel, Hi Imarn thanks for your

Re: [strongSwan] proxmox with strongswan

2014-11-05 Thread Simon Deziel
Hi Karol, For a container to be able to use the host's tunnel, you need to disable the policy check in the container itself. Here is the command to run in the container to achieve this: # Allow IPsec running on the host to communicate with VZ cat << EOF > /etc/sysctl.d/60-openvz-host-ipsec.conf #

Re: [strongSwan] unable to set IPSEC_POLICY on socket: Operation not supported

2014-05-09 Thread Simon Deziel
Hi Rolf, On 14-05-09 01:31 PM, Rolf Schöpfer wrote: Hi, today I didn't succeed in configuring a site-to-site VPN with strongSwan. Details: - Server Debian 7.3 32-bit, OpenVZ VM (Host is Proxmox) I believe it's still not possible to run IPsec inside an OpenVZ container. Since you are using

Re: [strongSwan] StrongSwan(optware) on Asus RT-AC66U (merlin build)-can't access LAN IPs

2013-11-13 Thread Simon Deziel
Hello Noel and Luka, On 13-11-13 04:46 PM, Noel Kuntze wrote: I have to say that you're using the -I parameter of iptables incorrectly. It needs the position in which the rule should be put as the second parameter. Like that: iptables -I INPUT