Hi Andreas and Martin,
Currently I use strongswan 4.3.4 and found some unstable factors in the rekey
mechanism implementation of this strongswan release.
Such as:
1) If ipsec SA rekey was set too long, the IPsec tunnel will be deleted
immediately after it is established.
2) If ipsec S
Hi Jessie,
The strongswan implements the 3GPP2 EAP-AKA algorithm. And OP && OPC are used
in the 3GPP EAP-AKA algorithm.
These two algorithms are different.
About 3GPP EAP-AKA, you can refer to the standard "3GPP TR35206-600" and
3GPP2 EAP-AKA, you can refer to the standard "S.S0055".
Best Regards,
Da
Hi Martin, Hi Andreas, Hi All,
After I established an IPsec tunnel between two Linux PCs, I found the
following problem:
I initiate ping from HNB (192.168.253.88 --- virtual ip) to GW
(192.168.253.98- additional ip), but from tcpdump, I see:
Only the packages go through normal tunnel (
Hi Martin,
Thank you for your detailed information.
Best Regards,
David
-Original Message-
From: Martin Willi [mailto:mar...@strongswan.org]
Sent: October 26, 2009 18:10
To: weiping deng
Cc: 'users'
Subject: Re: Reply: How can I shutdown the NAT-T feture of IKEv2
Hi,
> If I did not select the
-Original Message-
From: weiping deng [mailto:weipi...@picochip.com]
Sent: October 26, 2009 17:33
To: 'Daniel Mentz'
Subject: Reply: [strongSwan] How can I shutdown the NAT-T feture of IKEv2
Hi,
Because if two peers were placed into a no-NAT environment, and one peer used
strongswan, another peer us
Hi Martin,
If I did not select the --enable-NAT-Transport when I compile
strongswan, can the NAT-T feature be shut down by the above method?
Best Regards,
David,
-Original Message-
From: Martin Willi [mailto:mar...@strongswan.org]
Sent: October 26, 2009 17:13
To: weiping deng
Cc: 'users
Hi Martin, Hi all,
I have one question:
How can I shut down the NAT-T feature of IKEv2?
As far as I know, this feature is opened by default in IKEv2. If I want to
shut down this feature, how can I do it? By configuring some item, or must I
modify the code?
Best Regards,
David
Hi Andreas and Martin,
I have one question about the Mutual Authentication and Unilateral
Authentication:
As I know, strongswan obeys the 3GPP 33820 and adopts the Mutual
Authentication.
One example is: client authenticates server with PUBKEY and server
authenticates client with EAP-AKA.
And
Hi Martin and Andreas, Hi all,
I found the IPsec tunnel will be "broken" unexpectedly after a long time with
no data passing through it. And I have enabled the DPD mechanism in ipsec.conf
as follows:
Keyingtries=%forever
...
dpdaction=clear
dpdtimeout=5m
dpddelay=10
I only configured DPD on
Hi Martin and Andreas, Hi all,
The test scenario is listed as follows:
Alice (IP: 172.19.2.190
Secondary IP: 192.168.253.68) <--->moon (as
gateway, IP: 172.19.2.118
Secondary IP: 192.168.253.98) <> carol (IP: 172.19.2.86
Virtual IP: 19
: Andreas Steffen
Cc: weiping deng; users@lists.strongswan.org
Subject: Re: Some Question About NAT-T and DPD
Hi,
> I'm not sure whether our MOBIKE implementation supports this
> but Martin will know.
Yes, we support the detection of changes in the NAT situation, either
using the MOBIKE enabled D
r side and peer
side?
Best Regards,
David
-Original Message-
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: September 24, 2009 15:03
To: weiping deng
Cc: 'Martin Willi'; users@lists.strongswan.org
Subject: Re: Some Question about the configuration payload
weiping deng wrote:
>
Hi Both,
Excuse me. I have the following questions about the configuration payload:
Q1:
In current version of strongswan, whether the internal DNS can be assigned
by server when peer initiates the request for it with the same configuration
payload for virtual IP request?
If internal DNS c
Hi Martin,
About the identity payload
(http://marc.info/?l=strongswan-users&m=125352578718423&w=2), I still have
the following questions:
1) Whether the latest version added "the identity payload handling code for
EAP-AKA" is released?
2) In latest version of strongswan, Identity is default-set
Hi Both,
I have the following questions that need your answer. Please help me, thanks.
Q1:
About the NAT-T, whether strongswan supports: “Detecting and Honouring the
NAT device changing its public address”?
Q2:
About the DPD, in IKEv2, the default value of DPD timeout (dpdtimeout) = ?
L
development, thank you.
Best Regards,
David
-Original Message-
From: Martin Willi [mailto:mar...@strongswan.org]
Sent: September 21, 2009 17:36
To: weiping deng
Cc: users@lists.strongswan.org
Subject: Re: question about the handling of identity payload during the
procedure of EAP-SIM and EAP-AKA
Hi,
> In
Hi Martin,
Excuse me. There are two questions about the EAP-SIM and EAP-AKA
implementation as follows, please help me, thanks.
Q1:
In the current implementation of EAP-SIM and EAP-AKA authentication, the
payload of IDENTITY REQ was not handled or handled with only attribute ID.
Is there a
Hi Martin,
Thank you for your help. I have found the root cause (which is that two
modules were forgotten to be installed).
Best Regards,
David
-Original Message-
From: Martin Willi [mailto:mar...@strongswan.org]
Sent: September 18, 2009 20:24
To: weiping deng
Cc: users@lists.strongswan.org
Subject: Re: Reply
weiping deng
Sent: September 18, 2009 20:11
To: 'Martin Willi'
Cc: users@lists.strongswan.org
Subject: [strongSwan] Reply: Reply: How to peel off strongswan code for running
in an space-stressed ARM
Hi Martin,
reduced from 131M to 67M. But the error still exists. If error code "93" is
EPROTONOSU
, Live 0xbf078000
ipcomp 3232 0 - Live 0xbf072000
xfrm_ipcomp 5384 1 ipcomp, Live 0xbf06e000
xfrm_user 20544 0 - Live 0xbf063000
esp4 6528 0 - Live 0xbf05c000
ah4 5248 0 - Live 0xbf055000
af_key 32464 0 - Live 0xbf048000
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
und :and :outbound : unable to install IPsec
SA(SAD) in kernel
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
t;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Is it the same as the old on
Hi Martin,
Excuse me. I have one question about the EAP-SIM authentication. When I read
the code of EAP-SIM authentication, I found RAND was read from triplet.dat
rather than received from Server. And I refer to some materials for EAP-SIM
authentication, and found RAND is an input parameter (recei
Hi Both,
I have one question about the SubjectID and SubjectAltName to ask
you:
Now I want to configure the SubjectID or SubjectAltName automatically
rather than configuring these items manually.
Today, I try the following method: reading the result generated by
the command
Hi Andreas and Martin,
I have one question about the rightsubnet, i.e.:
>>
left|rightsubnet =
private subnet behind the left participant, expressed as network/netmask
(actually, any form acceptable to
ttosubnet(3));
Hi Roger,
You can try the virtual machine; maybe it will resolve your problem.
Best Regards,
David
-Original Message-
From: users-boun...@lists.strongswan.org
[mailto:users-boun...@lists.strongswan.org] On Behalf Of Zhang, Long (Roger)
Sent: September 8, 2009 22:03
To: 'Martin Willi'
Cc: users@lists.strongswan.org
Subject:
Hi Martin,
If I want to add an abstraction layer between the EAP-AKA protocol and
corresponding parameter calculation, how can I do it? And what should be
noticed?
Besides, as the triplets for EAP-SIM, the following key will be read from
USIM card for EAP-AKA, is it right?
>
Hi Martin, Hi Andreas, Hi All,
When I set the "left=%defaultroute" in ipsec.conf and start the ipsec, the
following item was always indicated:
<<
Starting strongswan 4.3.3 IPsec [starter] ...
no default route - cannot co
e send"? if not supported, is there
a plan for supporting this?
Best Regards,
David
-Original Message-
From: users-boun...@lists.strongswan.org
[mailto:users-boun...@lists.strongswan.org] On Behalf Of weiping deng
Sent: August 28, 2009 10:24
To: 'Andreas Steffen'
Cc: users@lists.strongswan.org
Subject: [st
ds,
David
-Original Message-
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: August 27, 2009 18:58
To: weiping deng
Cc: 'Martin Willi'; users@lists.strongswan.org
Subject: Re: [strongSwan] unable to initiate to %any
Hi David,
with right=%any you cannot actively initiate a connection as
Hi Martin, Hi all,
When I try to find out the mechanism of virtual IP and initiate
strongswan with the following configuration, I always get the error
indication: "unable to initiate to %any".
Please give me a clue to trace down this problem, thanks.
Configuration of two peers:
o:mar...@strongswan.org]
Sent: July 8, 2009 18:39
To: weiping deng
Cc: users@lists.strongswan.org
Subject: Re: [strongswan] -- probem on EAP-AKA authentication case
Hi,
> [...] test case: ikev2/rw-eap-aka-rsa [...]
> Received MAC does not match XMAC, sending AKA_AUTHENTICATION_REJECT
> ca.
After checking all the procedures of EAP-AKA, it seems that the AK calculated
from F5(...) is not equal in two peers. So who can give me some clue for
this problem? Please help, thanks!
-Original Message-
From: users-boun...@lists.strongswan.org
[mailto:users-boun...@lists.strongswan.org] On Behalf Of weiping deng
Hi all,
When verifying the test case: ikev2/rw-eap-aka-rsa, I encountered the
following error:
~~~
Parsed IKE_AUTH response 1 [IDr CERT AUTH EAP]
…..
Server requested EAP_AKA authentication
Received M
Hi all,
When I want to run strongswan on the basis of NETKEY, I encountered the
following problem. Please help to check. Thanks!
Issue description: =>
Linux Kernel: 2.6.18
Selected module:
1) user configuration interface
2) PF_key sockets
3) Advanced router
4) Policy
, O=PICOCHIP, OU=SECURITY,
CN=STRONGSWAN, e=strongs...@picochip.com"..."C=CN, ST=BEIJING, O=PICOCHIP,
OU=SECURITY, CN=STRONGSWAN, e=strongs...@picochip.com"
host-host: public key authentication
host-host:dynamic === dynamic
Security Associations:
None
----
Hi All,
I am trying to use certificates to authenticate strongswan peers. I followed
the steps mentioned in configuration documentation of strongswan to generate
CA and end entity certificates using openssl. After all certificates have
been created, I "ipsec start" in two hosts and "ipsec up host