Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
On 19 Sep 2017, at 18:28, Turbo Fredriksson wrote: > I’ve really never been a friend of tcpdump. I could never get it to give > me what I needed. Well, running: sudo tcpdump -i eth0 port 6379 2>&1 | tee /tmp/y & and then the redis client after that: strace -s

Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
On 19 Sep 2017, at 18:08, Noel Kuntze wrote: > Likely has to do with pmtu discovery. You can use tcpdump and the like to try to > figure out what > actually happens on the network or continue wondering about what the strange > machines do. I’ve really never been a friend of tcpdump. I could neve

Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
On 19 Sep 2017, at 16:00, Noel Kuntze wrote: > Check the tcp metrics (ip tcp_metrics) and look at the MSS. There’s no metrics at all related to mss on either of the VPN instances: root@jumpbox-london:~# ip tcp_metrics | grep -i mss root@jumpbox-london:~# root@jumpbox:~# ip tcp_metrics 2>&1 |

Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
On 19 Sep 2017, at 15:57, Turbo Fredriksson wrote: > all of a sudden it worked!! Does anyone know a priest in London? It stopped working again! I hate when things like this happen!! :)

Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
This is spooky!! I ran ip link set dev eth0 mtu 1500 on all instances in the chain. Then ran iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 128 on both the VPN i

Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
On 19 Sep 2017, at 15:16, Noel Kuntze wrote: > Usage of the MSS target in iptables, usage of kernel-netlink.mtu or of MTUs > on the routes in the routing tables root@jumpbox-london:~# iptables-save | grep -i MSS root@jumpbox-london:~# ip route show default via 10.110.3.1 dev eth0 10.110.3.0/24

Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
Copying a file from ‘London VPN’ to ‘Redis client London’ via scp completes without any problem and I don’t see any “hiccups” or stop-and-start of the copy. The file downloads at 13MB/s, which isn’t fast, but good enough I’m sure.

Re: [strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
On 19 Sep 2017, at 14:57, Noel Kuntze wrote: > Did you fix the MSS? Is the MTU on the tunnel correct? Did you maybe break > PMTU discovery? Not sure, can’t remember… How do I check?

[strongSwan] High latencies

2017-09-19 Thread Turbo Fredriksson
I’m not sure if this is a Strongswan problem, but I see some indications that it might be, so I’m posting it here. If this is not the right place, let me know and I’ll take it elsewhere. I have set up a new region (London) in our AWS environment and am trying to connect one of the instances in there

Re: [strongSwan] 24/7/365 tunnel?

2017-09-14 Thread Turbo Fredriksson
On 14 Sep 2017, at 11:23, Eric Germann wrote: > I’ve found auto=route to be much more stable in AWS. Spins up when it’s down > but needed and starts passing traffic. Ok, thanx! I’ll let it run like this for a couple of days so I get a feel for how it works and then try that if I have to.. s

Re: [strongSwan] 24/7/365 tunnel?

2017-09-14 Thread Turbo Fredriksson
m 17:33, Eric Germann wrote: >>> Usually if it "takes down the tunnel" it's due to no traffic. Keep >>> interesting traffic going and it will stay up. >>> >>> If you have the ability to set "auto = route" it will reestablish the >

[strongSwan] 24/7/365 tunnel?

2017-09-13 Thread Turbo Fredriksson
I’m trying to set up a tunnel between two regions in AWS. Works fine, other than the fact that Strongswan seems to take down the tunnel automatically (?) after a few hours. How can I 1) make sure there’s no timeout (?) and 2) that IF the tunnel goes down, for whatever reason, that it will reinitia

[strongSwan] Commercial support?

2017-04-25 Thread Turbo Fredriksson
I’m having some trouble with my VPN connections, and I’d like to get some commercial support. Anyone feel up to helping me out?

Re: [strongSwan] Successfully established connection goes offline after some time

2017-01-19 Thread Turbo Fredriksson
On 19 Jan 2017, at 12:18, Varun Singh wrote: > I have strongSwan 5.3.5 on Ubuntu 16.04LTS. When I connect iOS VPN client to > it, it connects successfully and I am able to browse the internet. But after > some time, the connection goes offline. If it helps, I have the same problem. I just have

[strongSwan] strongSwan behind loadbalancers? (Was: Can strongSwan support 100k concurrent connections?)

2017-01-16 Thread Turbo Fredriksson
On 16 Jan 2017, at 12:34, Michael Schwartzkopff wrote: > I think further scaling might be possible with loadbalancers. But this is > topic of deeper investigation of the project. Actually, I’ve been thinking in those terms myself. At the moment, my VPN endpoint is a single-point-of-failure, whi

[strongSwan] MultiOS to strongSwan host to network VPN?

2016-11-22 Thread Turbo Fredriksson
I’ve been trying for a couple of days now to make my strongSwan setup connect to my LDAP/KerberosV servers. From what I can tell there are [at least] two ways to do this: 1. PAM - this works fine in the os/sshd etc so that was my first try -> My OSX/Windows7 [native] clie

Re: [strongSwan] Running on AWS behind Elastic IP

2016-11-16 Thread Turbo Fredriksson
On 16 Nov 2016, at 19:42, Mathew Marulla wrote: > Confused now... Is your VPN entirely within AWS? Yes. > If not, how are you connecting over the public internet with a private IP? I don’t. I connect to the EIP. But StrongSWAN doesn’t need to know that.

Re: [strongSwan] Running on AWS behind Elastic IP

2016-11-16 Thread Turbo Fredriksson
On 16 Nov 2016, at 17:56, Mathew Marulla wrote: > If I am reading your reply correctly, it seems you are getting this to work > by not using an elastic IP, but just the public IP of your instance. Then > using a script to update it as needed. Maybe that’s the only way… > > I will try removin

Re: [strongSwan] Running on AWS behind Elastic IP

2016-11-16 Thread Turbo Fredriksson
On 16 Nov 2016, at 05:27, Mathew Marulla wrote: > Although I have read just about every tutorial and similar posting I can find > about running StrongSwan on an EC2 instance, I still can not seem to get it > to work. I’m doing the same thing, but I started “from scratch” (didn’t have any exist

[strongSwan] Design comments - site to site connection

2016-11-05 Thread Turbo Fredriksson
I want/need to create a site to site connection between my own VPN server and the work server I’ve set up. The work server runs StrongSWAN v5.3.5 and my own runs v5.2.1 and we both have our own, individual private CAs. So I have full control of both sides’ certificate generation. Should I use a P

Re: [strongSwan] No VPN connection

2016-11-04 Thread Turbo Fredriksson
> On 4 Nov 2016, at 20:03, Turbo Fredriksson wrote: > Nov 4 20:50:38 ip-10-203-0-15 charon: 05[MGR] checkin IKE_SA client[1] > Nov 4 20:50:38 ip-10-203-0-15 charon: 05[MGR] check-in of IKE_SA successful. > Nov 4 20:50:38 ip-10-203-0-15 charon: 03[NET] sending packet: from >

Re: [strongSwan] No VPN connection

2016-11-04 Thread Turbo Fredriksson
On 4 Nov 2016, at 20:03, Turbo Fredriksson wrote: > Nov 4 19:46:51 ip-10-203-0-15 charon: 06[NET] sending packet: from > [4500] to [4500] (372 bytes) Enabling some debugging, the next lines after this are: Nov 4 20:50:38 ip-10-203-0-15 charon: 05[MGR] checkin IKE_SA client[1] Nov 4 20

[strongSwan] No VPN connection

2016-11-04 Thread Turbo Fredriksson
I’m trying to set up a new StrongSWAN server for work, so I’m using my own, private setup as the base for this. This server is located on an Ubuntu 16.04/LTS server in AWS. Eventually I got as far as it (my client) actually trying to do the connection. But the client ‘just stops’. It never finishes t

Re: [strongSwan] Apple IOS 10 VPN

2016-10-30 Thread Turbo Fredriksson
On 30 Oct 2016, at 16:59, Turbo Fredriksson wrote: > I’ve been following this myself and it works on my Android phone, but not on > my > new OSX 10.12.1. Oops, sorry for wasting space and oxygen.. The keyword here is “new OSX”. I forgot to add my CA to the list of accepted CAs. Did

Re: [strongSwan] Apple IOS 10 VPN

2016-10-30 Thread Turbo Fredriksson
On 30 Oct 2016, at 01:09, Derek Cameron wrote: > Here is a configuration that works for iOS 10: > http://xpu.ca/strongswan-ubuntu/ I’ve been following this myself and it works on my Android phone, but not on my new OSX 10.12.1. I get looking for peer

[strongSwan] Promote routes to the VPN client?

2016-10-27 Thread Turbo Fredriksson
I installed my NAT/IPSEC/GW many, many years ago with OpenSWAN and "a while" (also probably "many, many years ago" :) ago, I upgraded that to StrongSWAN. My config is almost entirely still OpenSWAN, but that seems to be ok.. However, my use-case has slightly changed since that time in the far aw

Re: [strongSwan] expected record boundary in key

2012-02-07 Thread Turbo Fredriksson
On Tue, 07 Feb 2012 16:44:41 +0200, Turbo Fredriksson wrote: >conn %default > ... > leftcert=host_domain_tld.pem > > [...] > >"C=SE, O=Bayour.COM, OU=System, CN=host.domain.tld, > E=tu...@bayour.com" %any : PSK "aNothEERseCreT" An

[strongSwan] expected record boundary in key

2012-02-07 Thread Turbo Fredriksson
I'm trying to set up the usage of certificates etc with strongSWAN, but there might be something I've missed. I have had my own CA for many years, generating working certificates for a bunch of services (ldaps, https, etc). When I try to add 'leftcert', I can no longer use PSK. conn %

[strongSwan] Net2Net w/ StrongSWAN/OpenBSD

2012-02-06 Thread Turbo Fredriksson
I'm trying to connect to a friend's OpenBSD firewall using OpenSWAN on my Linux, kernel 2.6.32 but it keeps failing. After 8h, we got this far (on the OpenBSD side): 160024.269867 Default attribute_unacceptable: life attribute received, none in policy 160024.269873 Negt 20 ike_phase_1_valid