Hi Bidhan,
> I have used Split-Tunneling with IKEv2 and in Linux, mac client it works
> like a charm but in case of windows, routes are not pushed
> automatically. So currently, I have been pushing route manually in
> windows machine through a PowerShell script which I don't want to use
> anymore.
Hi Stephen,
> I
> will send updates for push and pull separately. Sorry for all the emails...
Don't bother with `push`, it's definitely not the way to go.
The problem now is either your ESP algorithm proposals and/or the
traffic selectors (`left|rightsubnet`). Start with
`rightsubnet=0.0.
Hi Stephen,
> This looks to me like it has worked but I may be wrong. Is there a
> quick test to prove success?
>
> For example should 'ip address' offer a 'PPP' interface or something
> like that?
No, there is no separate interface. The virtual IP address is added to
a local interface (the ou
Hi Harald,
> The laptop should be able to ping 10.19.96.156 again, but
> 10.19.96.156 sends the echo reply to the "old" mac address
> known from the wired connection to the roadwarrior. The
> laptop can access other hosts in the 10.19.96.0/19 network,
> if they hadn't been accessed via the cable n
Hi Jianjun,
According to the log, the configuration is not loaded when the peer is
trying to connect:
> 00[JOB] spawning 16 worker threads
> 05[NET] received packet: from 10.162.19.54[500] to 10.162.19.55[500]
> (660 bytes)
> 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D
Hi,
> And here's the Client connection from the client's /etc/swanctl/swanctl.conf
> ...
> children {
> theclient-theserver {
> ikev2-pubkey {
You see your mistake?
Regards,
Tobias
Hi Houman,
> Is there is a way to disconnect a specific strongswan user from the
> command line?
Not directly (at least not via vici, it might be possible via RADIUS,
depending on the RADIUS server).
> I have found the Vici plugin, but there is no documentation whatsoever.
What do you mean? [1
Hi Houman,
> Do you think that is possible to do via FreeRadius?
See [1].
> Just to be
> clear there is always a 1:1 relationship between IKE_SA and a user at a
> time, correct?
Probably, that is, if you don't allow multiple IKE_SAs per user identity.
> If I end an IKE_SA, I won't be kicking s
Hi,
> I think options like local_ts, remote_ts should be fine by default.
Not if you want to tunnel all traffic to your server. Set
`local_ts=0.0.0.0/0` if that's the case. Regarding forwarding traffic
see [1].
> I grabbed it from strongswan's git
> repository because it's not with Arch's pack
Hi Anthony,
> ? does strongswan support “HTTPS DNS”
>
> Will be using it for: OCSP, CRL and “VICI struct
> s_connection_parameters:remote_address”
strongSwan doesn't resolve hostnames itself but uses getaddrinfo(3). So
it depends on how resolvers are configured on the local machine (and the
abi
Hi,
> What really confuses me is the CN in the error message: "No trusted RSA
> public key found for ‘CN=LANCOM VPN’", because no certificate uses this
> CN, nor any of the config files (see below) or the VPN server config.
> Where does this value come from?
It's the identity the peer sends (I
Hi Anthony,
> ? what are the possible fetcher plugins for CRLs and OCSP
Search for "fetcher" at [1].
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/PluginList
Hi Ben,
> How can we keep this rule from being added?
Route installation may be disabled via charon.install_routes in
strongswan.conf [1].
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf
Hi Ben,
> Please note, I am wanting the rule itself to not be added, not just no routes
> in the 220 table.
You can avoid the rule by setting charon.routing_table to 0 (but also
disable the route installation or you end up with routes in the main
table). But why is the rule a problem if the rout
Hi Ben,
> Do you know if the routing rules are required to bind the ike and related
> messages to an xfrm device?
strongSwan won't install routes for policies that reference XFRM
interfaces, see [1].
Regards,
Tobias
[1]
https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#XFRM-Int
Hi Christoph,
> Is the local RADIUS server the recommend approach or would it be
> possible to write a custom xauth-plugin?
Sure, but that's probably a lot more work than using RADIUS.
> Is there a way to load plugins dynamically at runtime?
Load them dynamically after the daemon has already s
Hi Thomas,
> Can anyone please help or give a hint where to look ?
https://wiki.strongswan.org/projects/strongswan/wiki/IntroductionTostrongSwan#Logging-and-Monitoring
Regards,
Tobias
Hi Houman,
> What attributes *should* be in the Disconnect-Request beside User-Name?
None, that's fine. If you receive a NAK that means no IKE_SA was found
with a matching remote identity. You should see something like this in
the strongSwan log:
> received RADIUS DAE Disconnect-Request for h
Hi Julian,
> Mon, 2019-10-14 17:16 07[JOB] <1> deleting half open IKE_SA with
> 123.123.123.123 after timeout
This means the IKE_AUTH message somehow doesn't get through. Either
because required UDP ports (4500) are blocked, or the message is too
large and gets fragmented (IP fragments are ofte
Hi Houman,
> That's great news. You are right, I can see those entries in sys logs.
> But there is still a strange issue. At 12:09:27 despite the initial
> disconnect request and acknowledgement, StrongSwan doesn't disconnect
> the user.
You can't use this method for IKE_SAs that are concurrentl
Hi Michael,
> found the reason. I had rightid="muc.XXX.de" in my client config. The
> logs do not show that the gateway ID is quoted. After removing the
> quotes the connection came up.
The quotes do not matter, unless they are some kind of typographic
quotes like “ = U+201C or ” = U+201D (i.e. n
Hi Glen,
> Such inverted ts is really huge
Huge? Excluding 1.0.0.0/8 from 0.0.0.0/0 results in eight subnets:
0.0.0.0/8,2.0.0.0/7,4.0.0.0/6,8.0.0.0/5,16.0.0.0/4,32.0.0.0/3,64.0.0.0/2,128.0.0.0/1
I think that should be workable.
> I can probably manually manipulate the routing table on the cl
Hi,
> Is the problem caused by my certificates being crafted in a way which
> did not comply with what Strongswan requires?
Yep.
> Or this can be resolved with configuration?
No. Either don't add any keyUsage flags to the certificate, or include
at least one of the mentioned flags.
Regards,
T
Hi,
> but when I do:
>
> $ strongswan pki --issue --flag nonRepudiation
That's not a flag value supported by strongSwan (it will just be ignored).
> and then:
>
> $ strongswan pki --print --in ipsec.d/certs/suc...@openstack.der.new
>
> ...
>
> flags:
> ..
>
> nothing gets there?
Hi Christian,
> Is it possible to dynamically set the *local_ts* based on the group the
> user is a member of?
Sure, it's straightforward given users are already assigned the
appropriate groups (i.e. just configure a second connection, maybe using
references, with different groups and local_ts s
Hi Christian,
> How would that work? Because a user can be a member of one or more groups and
> thus how does strongswan select the connection with all the groups.
Since a single group match is currently enough to satisfy the group
constraint (there is also no "best"-match based on groups), you'
Hi Noel, Todd,
> The default proposal depends on which ciphers are available on your system,
> so they won't change.
Not the ESP proposal, which is hard-coded (no AEAD, no PFS) as there is
currently no API to query which algorithms the IPsec stack (usually the
kernel) supports.
So yeah, there i
Hi Glen,
> If I set dpd_delay to something like 20s, does that make charon.keep_alive
> unnecessary, since the client now is guaranteed to receive packets at least
> once every 20s?
DPDs are sent only if no IKE or ESP traffic has been *received from* the
peer, on the other hand, NAT keepalives
Hi Anthony,
> When using OCSP, ? is the nonce parameter always set.
Yes, the x509 plugin always adds a random nonce. It doesn't seem to be
used/checked later, though.
Regards,
Tobias
Hi Glen,
> So I guess NAT keepalives may be sent by either side as long as it's NATed?
You are right. I thought we disabled that on responders at some point
as a NAT on that end usually has to be static so keepalives are not
necessary. But it's possible that we left it as is with dynamic double
Hi Santiago,
> I'm not an expert, but according to the logs it seems it might have
> something to do with rekeying.
Yep, looks that way. First, I've never seen this message before:
> Nov 9 23:31:17 RouterA charon: 15[IKE] peer didn't accept DH group
> MODP_1024, it requested MODP_NONE
It se
Hi Bart,
> I've noticed that the order of the 'conn' statements in ipsec.conf
> determines which of the conns will work as expected (the first one) and
> which will be aliased to the previous one.
>
> It should also be noted that the logs show the second conn being added
> as a child of an existi
Hi Valeri,
> Here is tcpdump from what I think is the ping and its response (pinging
> 10.166.47.12 which is assigned to Lancom on ethernet port 1):
> 22:03:20.304824 IP (tos 0x0, ttl 64, id 1894, offset 0, flags [DF],
> proto ESP (50), length 140)
> A.A.A.A > B.B.B.B: ESP(spi=0xbf3e0bb5,seq=0
Hi Anthony,
> Our security department is insisting that strongswan validate the nonce
> parameter when received.
>
> Is there a way strongswan can accommodate this request.
I pushed some changes to that effect to the ocsp-nonce branch [1].
> If not we need a way to disable OCSP.
You can do so
Hi Volodymyr,
> So, the question is - what I'm doing wrong and how to do in order to get
> the desired result?
You can't use the same session you are currently streaming on (i.e.
enumerating SAs) to send another request (i.e. terminating SAs).
So either store the IDs of the SAs you want to termi
Hi Volodymyr,
> thanks a lot, it works. It is worth saying that the timeout must be set to
> a reasonable value to allow Strongswan to finish the task. If set to -1 or
> a few milliseconds, it returns failure as well :)
If you are referring to the returned error "terminating SA failed",
that's because with
Hi Volodymyr,
> Processing starts only upon iterating of "t". This is every time
> reproducible behaviour.
That's because terminate() (and any other command wrapper that uses
streamed_request()) returns a Python generator, which is only evaluated
once you enumerate it. If you are not interested
Hi Anthony,
> ? can strongswan be a OCSP or CDP server
Theoretically yes, but you'd have to program a plugin that does that
yourself.
It would theoretically also be possible to transmit CRLs (RFC 7296) and
OCSP (RFC 4806) via IKEv2 certificate payloads, but strongSwan currently
doesn't support t
Hi Anthony,
> ? is there a developers guide for writing plugins
[1] has some general information and there are a lot of plugins you
could have a look at.
> ? what would the plugin do
Process OCSP requests and return responses (probably via HTTP) and/or do
the same for CRLs.
> ? does (RFC 6960)
Hi Anthony,
> ? was the nonce parameter fixed in 5.5.8
If you mean 5.8.2 [1], then yes.
Regards,
Tobias
[1] https://wiki.strongswan.org/versions/75
Hi,
> When I'm trying to connect from MacOS 10.15 I get an error:
Apparently, it's still not possible to use DNs as identities with Apple
clients, see [1].
Regards,
Tobias
[1]
https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile#Known-Issues
Hi,
> How I can change leftid for strongswan? It always CN=123.123.123.123 no
> matter what I configure in ipsec.conf, even leftid=%any doesn't work.
You need to include that IP address (or alternatively a hostname) as
subjectAltName extension in the certificate.
Regards,
Tobias
Hi Victor,
> esp=3des-sha1!
PFS is enabled if you add a DH group to the ESP proposal.
Regards,
Tobias
Hi Anthony,
> Which parameter controls the below ?
See `swanctl --terminate --help` and [1].
Regards,
Tobias
[1]
https://github.com/strongswan/strongswan/blob/master/src/libcharon/plugins/vici/README.md#terminate
Hi Anthony,
> If configuration files (like: swanctl.conf, etc…) are created before
> charon starts, ? will they be over written.
Existing config files are never overwritten by `make install`.
Regards,
Tobias
Hi Anthony,
> Can openssl 1.0.2 support ESP SHA2 ?
Since IPsec is usually processed by the kernel, OpenSSL is irrelevant
for ESP handling. But any version of OpenSSL currently in use supports
SHA-2.
Regards,
Tobias
Hi Rodrigo,
I pushed some (untested) changes to the ed448-certs branch. The first
one adds support to parse Ed448 public keys to the pkcs1 plugin (as used
by the x509 plugin, the openssl plugin is still required to parse the
actual key). The second patch adds support for Ed25519/448 keys when
ce
Hi Pankaj,
> I am facing issue with load-tester. I have taken key and certificate
> from **src/libcharon/plugins/load_tester/load_tester_creds.c** but when
> I try to print this key and certificate using **pki** command, I am
> getting error as follows
Don't forget to copy the "-BEGIN..." and
Hi Rodrigo,
> I have been running a number of tests and everything seems to work. The
> use of the "pki" tool has been minimal and only to check the certificates
> and not generate them: so there could hide a problem I have not seen.
Thanks for testing. I did some tests today, too, including genera
Hi Thomas,
> root@strongswan:/home/rudt/projects/vpn-server# swanctl -i --ike conn1
With this you initiate a childless IKE_SA. Without IPsec/CHILD_SA you
obviously won't be able to tunnel any traffic. Try with `--child
child1` (or use `start_action=trap` in that child config to trigger the
crea
Hi David,
> I am populating the Action, Extra and Package in the Tasker "Send
> Intent" definition as per the wiki. When I run the task nothing happens.
Typo perhaps?
> Is the wiki out of date? Did I miss something required for this to
> work? Is anyone using this successfully?
I never tried
Hi,
> Anyone know how do I get more message about the "UNREACHABLE" error? Is
> it that because the client can't ping the server or the server is loaded?
There is really nothing more about this error. It simply means that the
server was not reachable, i.e. there was no response to several
retran
Hi David,
> Neither of the above does anything when I run them. If you see an error
> in the above please let me know.
arg0 and arg4 seem to be OK, but not sure about arg7. Maybe the package
name should actually be in arg6. But it's difficult to say because I've
not found any documentation of
Hi David,
> Target:Broadcast Receiver
That doesn't sound right. The receiver will be an activity.
Regards,
Tobias
Hi Roee,
> I notice that I always get the VICI ike-updown event before child-updown when
> a tunnel goes down.
>
> Is there a way to change that order?
Not without changing the code in bus_t::ike_updown().
Regards,
Tobias
Hi David,
> Changing the target to Activity now has the Exit_VPN task working as
> expected.
Great!
> Unfortunately the Enter_VPN task still does nothing. Is it
> possible that the Action should be something other than "START_PROFILE"
> or that I need to issue another intent to connect it?
Nop
Hi Edward,
> - Can one set up Strongswan to forward password from user?
Only via EAP-GTC [1] are cleartext passwords from the client available.
Practically no clients other than strongSwan support this.
If you find an IKEv2 client that supports EAP-TTLS/PAP (strongSwan
itself does not), it might
Hi Chris,
> "excluded-apps": "com.azure.authenticator"
This has to be an array (see [1]), i.e.
"excluded-apps": ["com.azure.authenticator"]
Regards,
Tobias
[1]
https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClientProfiles
Hi Victor,
> I'd like to understand why.
Then read the log. What's definitely missing from your config is
`keyingtries=%forever`. And there could have been a fatal error, after
which no further attempts will be made at all. Also, using `auto=route`
(with `dpdaction=clear`) would also recreate
Hi Claude,
> Is this a known issue ?
Yes, see [1].
Regards,
Tobias
[1] https://wiki.strongswan.org/issues/974
Hi Victor,
> That could be the case, thanks for the hint. Strongswan could have made 3
> attempts after detecting a dead peer and given up, is that what you
> imply?
Yes.
> What's the timeout between keyingtries?
No timeout between them, regular retransmission timeouts apply for each
attempt.
>
Hi Felipe,
> I see that the first packet in matching
> traffic is always lost: in a ping session, packet with seq=1 never makes
> it to the other side, only from seq=2 onwards.
>
> Why does this happen?
It's a known property of the Linux kernel. Packets, in particular the
triggering one, are no
Hi Oleksandr,
> May you, please, help me?
Disable the duplicheck plugin [1].
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/Duplicheck
Hi,
> Is it possible to set up a split tunnel while using Strongswan via the
> NetworkManager plug-in (charon-nm)?
See my response to a similar question at [1].
Regards,
Tobias
[1] https://superuser.com/a/1535002/98749
Hi,
> When I ping machine A from machine B, and I do 'tcpdump -i esp'
> I don't see ESP packets going bidirectional but rather only the replies
> from B to A. Is this the expected behavior of tcpdump in that case?
No. While you'll only see inbound plaintext packets (see [1]), you
should see b
Hi Marco,
> What should I do to debug it?
First, not stripping symbols/debug information from binaries probably
would help. Then you might already see what the problem is. Otherwise
try attaching a debugger or use one to analyze the core dump (if one is
created).
Regards,
Tobias
Hi Marco,
> Here is the charon.log: I hope it will be useful for you.
Thanks for the update. This is a bug introduced with the changes that
attempt to keep the proposal selection for IKEv1 more consistent
(returning the lifetimes of the actually selected transform and the
correct proposal and tr
Hi Claude,
> Before diving deeper into logs etc. Do these connection settings look
> good to you ? Thinking of all sorts of timers.
There is lots of questionable stuff in that config.
>>> ikelifetime=60m
That's quite low, in particular since you didn't change margintime and
rekeyfuzz (s
Hi Marco,
>> I pushed a fix to master [1]. I guess we'll be releasing 5.8.4 soon.
>
> I have applied your fix and after 5 hours, everything is in good shape.
> Thanks a lot Tobias for the quick response and fix.
Thanks for testing and sorry for the inconvenience.
Regards,
Tobias
Hi Makarand,
> Is the system behaving correctly? i.e. the DH group is used only during reneg
> after expiry of lifetime?
Yes, see [1].
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#IKEv2
Hi Makarand,
> Is there a way I can force a CHILD_SA delete when the Proposal mismatch
> occurs?
No, but plugins can listen for alerts of type
ALERT_PROPOSAL_MISMATCH_CHILD, which is also possible via error-notify
plugin [1].
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/
Hi Philipp,
> Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] no acceptable
> traffic selectors found
> Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] failed to
> establish CHILD_SA, keeping IKE_SA
>
> However the "selected proposal:" line didn't change and I was unable to
>
Hi Philipp,
> thanks for the quick reply! I increased the log level for cfg to 4, but
> I still don't see a problem (aka "error") in the logs:
Looks like you forgot to check the "Request an inner IP address" box.
Regards,
Tobias
Hi Naveen,
> I see that we have a global " *initiator_only = yes/no* " configuration
> in charon.conf, is it possible to configure this for per connection via
> vici, so that the initiator is only responsible for initiating the
> connection.
That option is global because it causes any initial IKE
Hi Matt,
> I've been trying to make a connection between my home PC and the
> Watchguard XTM330 we have at the office.
It seems that box supports IKEv2 (at least the GUI has a version
dropdown field). If possible, switch to that version.
> could anyone shed some light on this one for me ? woul
Hi Chris,
> What we are seeing is
> the client sending a CREATE_CHILD request around 10 mins before disconnect:
Sounds like [1].
> Phase 1 negotiates with a lifetime of 86400 (24 hours):
Lifetimes are not negotiated with IKEv2.
> MS doesn't seem to understand what's going on, they
> are keying
Hi,
> rightid="DNS:vpn.remote.fqdn"
> rightid=%any
Obviously not the same as configuring `id="DNS:remote.fqdn"`.
Also, setting `mode="pass"` is probably not what you want.
Regards,
Tobias
Hi,
> Having only:
>
> remote {
> certs = "remote.fqdn.crt"
> auth = "pubkey"
> }
>
> does not help.
Again, not the same thing as configuring %any as remote identity (there
is a fallback to the certificate's subject identity if a certificate but
no identity is configured -
Hi,
> I can't connect from Ubuntu 20.04 using network-manager-strongswan, there
> is no more support for eap-peap (I can't see the configuration file at
> /etc/strongswan.d/charon/). I have libcharon-extra-plugins installed.
> On Ubuntu 18.04 everything works fine.
Yes, looks like the eap-peap plugi
Hi Michael,
> xfrm_acq_expires is the time the kernel holds an acquire event before it
> drops it.
The kernel currently uses the same timeout for SPIs allocated from the
kernel for inbound SAs (as done before sending IKE_AUTH/CREATE_CHILD_SA
requests), which creates a temporary state that is late
Hi Marco,
Please read [1].
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#IKEv2
Hi Marco,
> I have patched the configuration like this:
>
> from esp_proposals = aes256-sha512-ecp521
> to esp_proposals = aes256-sha512-ecp521,aes256-sha512
You don't have to change the config as long as both peers agree to use a
DH group when rekeying or creating the SA with a CREATE_CHILD_SA
Hi Marco,
> It looks like the other peer (which should be a checkpoint) when acting
> as a responder claims the dhgroup. Instead, when acting as initiator it is
> going to drop the dh group request.
You didn't clarify if that happens during a CHILD_SA initiation with
IKE_AUTH or with CREATE_CHILD_SA.
Hi Tobias,
> I could nail down the tunnel traffic by adding just the 192.168.200.1/24
> as remote/right network on the Draytek config, but then I am not able to
> process the occasional traffic to the internet (if routing from a
> certain source via the tunnel is enabled on the Draytek) without a
Hi Gisbert,
> In:
>
> /usr/local/etc/strongswan.d/charon/addrblock.conf I've set
>
> load=no
>
> but when I check using
That only works if modular plugin loading is enabled and that config
snippet is included in the strongswan.conf file actually loaded by the
daemon (see e.g. [1]).
> ipsec l
Hi,
> children {
> net {
> local_ts = 172.28.10.0/24
>
> if_id_out = 42
> if_id_in = 42
> }
> }
> ...
> charon-systemd[134046]: traffic selectors 5.2.2.2.2/32 ===
> 192.168.0.2/32 unacceptable
You haven't specified a re
Hi Yogesh,
> I tried to look through the strongswan code to see what is triggering
> this alert which isn't handled. But I could not find it.
That's because that log message is not part of our code base (our log
messages don't start with upper case letters). Whatever version of
strongSwan you are
Hi Tas,
> Do you think this strange behaviour can be caused by our strongswan
> configuration?
One thing that comes to mind in regards to TCP over IPsec are MTU/MSS
issues [1]. But those would only have an effect on larger transmits,
not on the initial TCP handshake. That is, you should be able
Hi Tas,
> If I stop the nmap loop cycle after a few ldapsearch runs I got
> problems, connection to ldap stuck and nmap test returns 389 port filtered.
Are new TCP connections created or is the same connection used for
several searches? Are there constantly packets exchanged in these
tests? If
Hi Kajetan,
> So why is charon-nm choosing different source address than every other
> program? Can I somehow influence it?
Try enabling charon-nm.prefer_temporary_addrs in strongswan.conf. I
guess it could even make sense to change that default for the NM backend.
Regards,
Tobias
Hi Saloni,
In case Martin doesn't pick it up from here and for future patches,
please file a pull request at [1].
Regards,
Tobias
[1] https://github.com/strongswan/davici/pulls
Hi Wessel,
> It looks like the server doesn’t want to proceed to the EAP phase. How
> can I troubleshoot this?
Read the server log. Only the server knows why exactly it returned that
error notify. If you don't have access to the server, it's a guessing
game. One possible issue could be the rem
Hi Philippe,
> My question: what is the best/recommended way of escaping my traffic which
> needs protection from masquerading?
Use the policy module, see [1].
Regards,
Tobias
[1]
https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems
Hi Houman,
> systemctl status strongswan
> Unit strongswan.service could not be found.
>
> What am I missing please?
If you are using the legacy configuration backend via ipsec.conf and
starter daemon, then the name of the systemd unit has changed with the
5.8.0 release [1] (from strongswan to s
Hi Tom,
> ipsec0 receives the packet from the ping request but nothing comes back:
Is there any particular reason you are using the kernel-libipsec plugin
(see [1])? You might want to try just using kernel-netlink.
> Jun 19 19:57:07 10[KNL] error installing route with policy 10.3.0.0/24
> ===
Hi Matthew,
> Is there anything within the config that I need
> to set in order to enable this feature ?
No, but the IKEV2_MESSAGE_ID_SYNC_SUPPORTED notify is not sent in
IKE_SA_INIT. It's sent in the first IKE_AUTH message.
Regards,
Tobias
Hi,
> Would you know how to catch the following in updown script
> variables?
>
> remote_ts = "172.16.0.0/12, 10.5.2.10/32"
>
> With 'PLUTO_PEER_CLIENT' I get only the latter IP/net.
If you actually have a CHILD_SA negotiated with both remote subnets,
then the script will be called mult
Hi,
> Is it possible to configure
> strongswan with this configuration? If so why?
Yes, strongSwan is not directly involved in the authentication if you
use the eap-radius plugin. The EAP messages are exchanged between
client and RADIUS server, strongSwan only forwards them. So any EAP
method
Hi Tom,
> This is a DD-WRT router. Uses a pre-built kernel I might not have too
> much option in customizing it. But I tried removing it
kernel-libipsec is a userland IPsec implementation (read the wiki page),
it has nothing to do with the kernel (except that it has to be able to
create TUN dev
Hi,
> Does the standard Mac os vpn client work via mschapv2 ?
Yes.
Regards,
Tobias