Hi Andraw,
I am trying to bring multiple tunnels using PSK between same peers
Is this option available in strongswan
The config files I used was as below.
Could you please let me know how can we modify the below file to setup
multiple tunnels between same peers
I search in the net adn I am un
Hi,
I have created two tunnels between the same peers, using Strongswan.
root@vc1:~# ipsec status
Security Associations:
tunnel1[1]: ESTABLISHED 52 minutes ago, 10.58.113.37[C=CH,
O=strongSwan, CN=10.58.113.37]...10.58.113.118[C=CH, O=strongSwan,
CN=10.58.113.118]
tunnel1{1}: IN
Hi Arun,
either define multiple connections:
conn %default
type=tunnel
authby=secret
left=10.1.1.2
leftid=sswan
rightid=chamundi
right=10.1.1.5
esp=3des-md5-9
keyexchange=ikev2
ike=aes128-sha1-modp1024,3des-sha1-md5-modp1024
Arun Raj wrote:
> I am trying to bring multiple tunnels using PSK between same peers
> Is this option available in strongswan
> leftsubnet=192.168.10.0/24
> rightsubnet=172.16.10.0/24
I guess you can specify multiple subnets with leftsubnet= and rightsubnet=
Here's a quote from th
@lists.strongswan.org
Subject: Re: [strongSwan] Multiple tunnels between same peer
Hi Arun,
either define multiple connections:
conn %default
type=tunnel
authby=secret
left=10.1.1.2
leftid=sswan
rightid=chamundi
right=10.1.1.5
esp=3des-md5-9
Hi Arun,
strongSwan does not support DH group 9 (EC2N group over GF[2^283]).
Using the openssl plugin the IKEv2 charon daemon supports the
following ECP groups
19 (ecp256)
20 (ecp384)
21 (ecp521)
25 (ecp192)
26 (ecp224)
Configuration is e.g.
ike=aes128-sha1-ecp256
Best regards
Andre
-
From: Arun Raj
Sent: Tuesday, May 05, 2009 8:30 PM
To: 'Andreas Steffen'
Cc: users@lists.strongswan.org
Subject: RE: [strongSwan] Multiple tunnels between same peer
Thanks a Lot Andreas,
Let me try this in my setup
esp=3des-md5-9 is not a syntax error
Here is 9 represents the
> When I try to ping one peer from the other, the packets go across
> without encryption. In other words, it does not go through either
> tunnel.
Does your ping use the correct addresses to match your tunnel
(192.168.10.0/24 === 172.16.10.0/24)?
> can I specify which tunnel should be used for wh
Hi Martin,
Sorry for the late response. I was caught up with some other tasks and did
not get time to work on this.
As you mentioned, my IPs did not match initially. Now they do, and I see
that encrypted traffic is passing between the end points. But I see that all
the traffic uses tunnel 2 and n
> But I would like to know what these values mean (10, 11, 20, 21) and
> how they help in sending traffic through a particular tunnel only. I
> need to try and set up multiple tunnels, and then send traffic through
> each one of them, and then all of them together, in order to compare
> performan
Hello Martin/All,
I had a look at the things you mentioned below, I also had a look at some of
the test cases in http://www.strongswan.org/uml/testresults/ikev2/. I see
that there are some scenarios where one node (say Sun) is the destination
for more than one tunnel (as in, both Alice and Venus e
Hi Meera,
> But is it possible to have multiple tunnels between the same endpoints
> (say between Alice and Sun)? I looked around but couldn't find any
> particular scenario in the link I've mentioned above. Also, even if it
> is possible to have more than one tunnel between the same end points,
>
Hi Martin,
Sorry for the delay in replying. I didn't get a chance to try this out
for sometime.
Thanks for confirming that. I now have two identical tunnels with markings.
I want to send icmp packets (ping) through tunnel 1 and tcp packets through
tunnel 2. Below is an excerpt of ipsec.conf files
Hi,
> leftsubnet=192.168.255.0/24
> rightsubnet=192.168.255.0/24
How should the routing work if you have the same subnet on both ends of
the tunnel? Where should a gateway send such packets to?
> mark_in=11
> mark_out=10
Using the same mark for in and out is prob
Hi Martin,
Well I'm not exactly sure how but it does not seem to have any problem in
sending the packets correctly. When there is no marking, the packets go just
fine with the values I have given for the subnets (the ones you've pasted in
your mail). So I thought this wouldn't be a problem.
Pasti
Hi Meera,
try to set the marks in the PREROUTING chain as in my DiffServ
example scenario:
http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/console.log
And follow Martin's recommendation to use the same marks in the
inbound and outbound direction.
Regards
Andreas
On 13.07.2011
Hi Andreas,
Thanks for the suggestion. I tried it out, but marking in PREROUTING does
not send the packets through the tunnel (tcpdump shows it is not encrypted).
00:24:54.806215 IP 192.168.255.75 > 192.168.255.77: ICMP echo request, id
9330, seq 40, length 64
00:24:55.814320 IP 192.168.255.75 >
Hi Meera,
Do you resolve your problem?
I meet a problem same like you. And I just setup one tunnel with mark
support.
If I mark it in the PREROUTING chain, the icmp request isn't sent in tunnel.
But if I set MARK in OUTPUT chain, the icmp request is packed in ESP but no
reply.
I think maybe
Andreas Steffen writes:
>
> Hi Arun,
>
> either define multiple connections:
>
> conn %default
> type=tunnel
> authby=secret
> left=10.1.1.2
> leftid=sswan
> rightid=chamundi
> right=10.1.1.5
> esp=3des-md5-9
> keyexchange=ikev2
>
19 matches
Mail list logo
