Hi,
On Thursday, 15 February 2018 17:37:24 CET Thomas Jarosch wrote:
> Feb 15 17:20:11.324390: "companyserver" #1: Peer ID is ID_DER_ASN1_DN: 'CN=firewall.company.com, O=Company, OU=HQ'
> Feb 15 17:20:11.324416: | checking for CERT payloads
> Feb 15 17:20:11.
Hello together,
I'm currently trying to set up an IKEv1 connection with strongswan 5.6.0 on
Fedora 27.
It uses a local nssdb in /etc/ipsec.d to handle certificates / private keys.
The connection definition loads fine. When I tell the client
to connect, it fails to verify the certificate from the
Hi,
On Thursday, 31. May 2012 17:23:43 Martin Willi wrote:
> To exploit the vulnerability, a connection definition using RSA
> authentication is required. An attacker presenting a forged signature
> and/or certificate can authenticate as any legitimate user. strongSwan
> version back to 4.2.0 and
Hi Chris,
On Thursday, 24. May 2012 17:05:46 Chris Arnold wrote:
> Can anyone help me get strongswan going with PSK? My config is below. I
> see on the router logs (strongswan behind it) that I am making it to the
> router and the router is passing the connection to the strongswan server
> but the
On Wednesday, 16. May 2012 00:00:55 Clarence wrote:
> I've been trying to get My android tablet to connect to the StrongSwan
> Server all day today...
I don't know the brand or model of your tablet, but our HTC Sensation phone
in the lab has a software bug and only works via UMTS. IPSEC over WLA
Hi Kushagra,
there was an issue with XAUTH + Android 4,
see this discussion and patch for the solution:
https://lists.strongswan.org/pipermail/dev/2012-April/000551.html
Thomas
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan
Hi Martin,
On Friday, 24. February 2012 10:58:54 Martin Willi wrote:
> Hm, might make sense in some setups, try the attached patch.
While looking at the patch out of curiosity, I noticed two things
regarding the snprintf() usage:
- If the source string is larger than the destination buffer,
ze
On Friday, 22. July 2011 09:42:41 Andreas Steffen wrote:
> Hello Thomas,
>
> this NAT-T bug affects IKEv2 only.
Thanks for the info.
Thomas
On Thursday, 21. July 2011 15:09:27 Andreas Steffen wrote:
> Please be aware that a serious NAT-T bug was fixed in strongSwan
> 4.5.1 and later versions which in the case of a responder sitting
> behind a NAT router, caused the host to answer requests sent on
> port 4500 on port 500 instead.
Quick
de available for 4.3.x users
Whoops. Thanks for providing the patches! Testing 4.3.7 right now.
Best regards,
Thomas Jarosch
On Friday, 16. July 2010 20:43:39 Andreas Steffen wrote:
> the debugging level shouldn't have any influence at all with
> the establishment of the tunnel.
May be a timing issue? The debug stuff usually slows down things a lot.
Cheers,
Thomas
Hello,
I've upgraded from strongswan 4.2.17 to strongswan 4.3.6dr5.
From time to time I see this message in the logs:
"pluto[6277]: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY
message for policy %hold was too long: 100 > 36"
or
"pluto[6277]: netlink recvfrom() of response to our
Hello Robert,
On Tuesday, 22. December 2009 00:26:51 Robert Markula wrote:
> Good idea, I just tested it - the PSK authentication works flawlessly.
> But as soon as RSA is involved, the phone's VPN client (I use the latest
> version) is deaf.
>
> Some posts on the internet (e.g. [1]) suggest that
Hello Kalaj,
On Friday, 18. December 2009 10:43:06 Kalaj wrote:
> Running IPSEC cisco VPN, is it possible to config UNITY_BANNER string
> in config file?
The banner is a fixed define. You have to alter the source for now,
that's what we do here ;)
Cheers,
Thomas
Hello,
attached is a small patch to improve one DPD error message
which occurred when we debugged an obscure setup:
Multiple tunnels to the same fixed IP address endpoint using
a different x.509 key for phase 1, DPD went crazy sometimes.
Now all tunnels to the same fixed IP address share one x.509
Hello Daniel,
On Wednesday, 3. June 2009 11:12:48 Daniel Mentz wrote:
> The question comes down to whether strongSwan should misbehave to
> achieve interoperability out of the box with a broken peer. I think no.
> Please keep in mind that strongSwan *does* interoperate with this
> product *if* th
Hello Andreas,
On Tuesday, 2. June 2009 18:25:56 you wrote:
> Jumping from 2.8 to 4.x was a giant step, so we deliberately took the
> liberty to change the certificate send default policy from "always"
> or "yes" to "ifasked". With IKEv1 it was only Cisco which did not send
> certificates without
28 #79: we have a cert but are not sending it
without request"
The default behavior is documented as ALWAYS_SEND in the code (constants.h)
and the manual. Attached patch changes the default policy
of strongswan 4.x to actually do that ;-)
Best regards,
Thomas Jarosch
diff -u -r -p strongsw
Hello together,
attached is a patch to start charon/pluto only if they were built.
Best regards,
Thomas Jarosch
diff -u -r -p strongswan-4.2.13/src/starter/Makefile.am strongswan.starter/src/starter/Makefile.am
--- strongswan-4.2.13/src/starter/Makefile.am Tue Dec 23 07:24:01 2008
-01-01 01:00:00.0 +0100
+++ strongswan-4.2.9.memrchr/src/libstrongswan/utils/memrchr.c 2008-12-23 11:55:22.0 +0100
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2008 Thomas Jarosch
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU
On Tuesday, 2. December 2008 10:05:10 you wrote:
> Thanks, applied to [4735].
>
> I slightly modified the patch that this option affects pluto only. I
> think it might be somewhat confusing for a user if --disable-threads
> completely removes IKEv2 support.
Fine with me. I thought threads are need
Hello together,
attached is a patch to implement refcount handling
using atomic memory operations if supported by
the compiler (gcc >= 4.1) and platform.
It was really tricky to get the configure.in part right
as __sync_fetch_and_add() is defined on i386
but will result in a link error later on.
Hello together,
attached is a patch to make compilation without threads easier.
Cheers,
Thomas
diff -u -r -p strongswan-4.2.9/configure.in strongswan-4.2.9.no_threads/configure.in
--- strongswan-4.2.9/configure.in 2008-11-16 23:34:47.0 +0100
+++ strongswan-4.2.9.no_threads/configure.in 2
Hello together,
attached patch fixes a small compile error of "struct tm" not being defined.
Cheers,
Thomas
diff -u -r -p strongswan-4.2.9/src/libstrongswan/utils.c strongswan.include/src/libstrongswan/utils.c
--- strongswan-4.2.9/src/libstrongswan/utils.c 2008-09-17 23:10:35.0 +0200
+++
24 matches