Re: [strongSwan] Strongswan caching CRL's when setting is set to "no"

2022-06-01 Thread Tobias Brunner
Hi Eric, 16[IKE] received end entity cert "CN=pfsense.semperen.net , C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations" 16[CFG]   using certificate "CN=pfsense.semperen.net , C=US, ST=OH, L=Van Wert, O=The Semperen

Re: [strongSwan] Strongswan caching CRL's when setting is set to "no"

2022-06-02 Thread Tobias Brunner
Hi Eric, Does ".reauth_time" and leaving "break_before_make" alone force a reauth and certificate validity check on IKE/ISAKMP from non-cached crl's? Could you please clarify your question (e.g. why do you mention break_before_make in this context? what do you mean with "from non-cached

Re: [strongSwan] Strongswan caching CRL's when setting is set to "no"

2022-05-30 Thread Tobias Brunner
Hi Eric,  When IKE reauthenticates the log says it is loading crl from the directory (which has nothing in it). What exactly are you referring to here? Logs?  Also forcing “rereadcrls” doesn’t cause a new fetch.  “files” and “curl” plugins are loaded. If there is a cached CRL (note that

Re: [strongSwan] Fwd: [tpm2] tpm2_import is modifying the keyid of my private key

2022-05-18 Thread Tobias Brunner
Cross-posted at [1]. Regards, Tobias [1] https://www.linuxquestions.org/questions/linux-software-2/tpm2_import-is-modifying-the-keyid-of-my-private-key-4175712044/

Re: [strongSwan] iphone-to-strongswan configuration - working example.

2022-06-23 Thread Tobias Brunner
Hi Kamil, It has to be: --8<---cut here---start->8--- openssl pkcs12 -export -legacy -inkey private/key -in cert -out cert.p12 --8<---cut here---end--->8--- and then profile was installed correctly. Note that `-legacy` is

Re: [strongSwan] MacOS Cert authentication failing

2022-07-06 Thread Tobias Brunner
Hi, Jul 05 12:09:42 pvn charon-systemd[39509]: no trusted certificate found for 'len-mac-...@mypvn.net' to verify TLS peer Looks like there is a typo in the Local Identity on the client (mypvn.net vs. myvpn.net) Regards, Tobias

Re: [strongSwan] LIST_SA child_sa bytes-in values for passive connections

2022-06-08 Thread Tobias Brunner
Hi Philip, 1. How can I detect whether a LIST_SA is reporting an active or passive IKE_SA (Child_SA) connection? The IKE_SA should have state PASSIVE set on the passive host and state ESTABLISHED on the active one. 2. Are the Child_SA byte and packet counters always set to zero for

Re: [strongSwan] Strongswan caching CRL's when setting is set to "no"

2022-06-03 Thread Tobias Brunner
Hi Eric, Does ".reauth_time" and leaving "break_before_make" alone force a reauth and certificate validity check on IKE/ISAKMP from non-cached crl's? Could you please clarify your question (e.g. why do you mention break_before_make in this context? make_before_break defaults to no. 1) no

Re: [strongSwan] TPM 2.0 - unknown hash algorithm not supported by TPM

2022-05-24 Thread Tobias Brunner
Hi, And the scheme detected is SIGN_RSA_EMSA_PKCS1_NULL 0x1 You can't use IKEv1 with TPM 2.0 because the latter doesn't support the former's legacy signature schemes. Regards, Tobias

Re: [strongSwan] how to tell charon-nm to use 500/udp and 4500/udp

2022-07-14 Thread Tobias Brunner
Hi Harald, is there some way to tell charon-nm to use 4500/udp for the outgoing connection, instead of an arbitrary port, if available? Same for 500/udp. You can explicitly configure the ports via strongswan.conf (charon-nm.port and charon-nm.port_nat_t). Just make sure you don't use charon

Re: [strongSwan] how to tell charon-nm to use 500/udp and 4500/udp

2022-07-14 Thread Tobias Brunner
Hi Harald, is there some way to tell charon-nm to use 4500/udp for the outgoing connection, instead of an arbitrary port, if available? Same for 500/udp. You can explicitly configure the ports via strongswan.conf (charon-nm.port and charon-nm.port_nat_t). Just make sure you don't use

Re: [strongSwan] Connect to one site through another

2022-07-14 Thread Tobias Brunner
Hi, unless I'm missing something else I need to add in my configuration. You seem to be using kernel-libipsec [1], don't! Just use kernel-netlink instead. Regards, Tobias [1] https://docs.strongswan.org/docs/5.9/plugins/kernel-libipsec.html

Re: [strongSwan] Strongswan network manager plugin 1.5.2 on linux doesn't clear resolv.conf on disconnection

2022-05-02 Thread Tobias Brunner
Hi Ettore, Everything works great but on disconnect the resolv.conf file remains populated with dns addresses obtained from server on connection. What can I do? The NetworkManager backend (charon-nm), which is independent of the GUI plugin whose version you reference, does not load the

Re: [strongSwan] FreeBSD 12.x .vs. 13.x - change in strongswan as well?

2022-10-18 Thread Tobias Brunner
Hi Karl, And, it appears, Windows is insisting on using the CN when presenting the identity (instead of the field(s) in the SAN) unless you set the option on the VPN profile to allow an override -- and then you have to hand-key it on each connection.  I don't believe there is any way to tell

Re: [strongSwan] FreeBSD 12.x .vs. 13.x - change in strongswan as well?

2022-10-17 Thread Tobias Brunner
Hi Karl, Using the "stroke" interface does not impact this; it appears to be something changed between 5.9.5 and 5.9.6 and the release notes imply this is likely the cause: * The client identity (e.g. the IKE or EAP identity for EAP-TLS) is again enforced by libtls. Yes, this was a

Re: [strongSwan] conditional expressions in swanctl.conf?

2022-09-21 Thread Tobias Brunner
Hi Harri, is there some way to express if peercert->OU == develop pool = pool1 else pool = pool2 You can match identities with wildcards, see [1]. Regards, Tobias [1] https://www.strongswan.org/testing/testresults/ikev2/wildcards/

Re: [strongSwan] charon-systemd: 11[KNL] received netlink error: No such file or directory (2)

2022-09-15 Thread Tobias Brunner
Hi Michael, fips_mode is default, i.e. disabled. At least according to charon/openssl.conf. I was not referring to the openssl plugin, but clearly to the kernel. Check e.g. via `cat /proc/sys/crypto/fips_enabled` if it runs in FIPS mode. Note that this can only be changed via `fips` kernel

Re: [strongSwan] FreeBSD 13.1-STABLE / StrongSwan 5.9?

2022-10-10 Thread Tobias Brunner
Update: The kldload is not automatically initiated by the strongswan rc file; this is an obvious omission since GENERIC now includes only a stub and the actual ipsec driver must be dynamically loaded. > I'll put a note in "bugzilla" on it since the kernel config now requires you kldload the module

Re: [strongSwan] FreeBSD 13.1-STABLE / StrongSwan 5.9?

2022-10-10 Thread Tobias Brunner
Hi Karl, I am running GENERIC on the gateway as the docs say that's now ok; I used to run a custom kernel for other reasons (mostly PPS which I don't use anymore as I no longer have a local NTP clock) and the only material difference I can see is that the 12.2-STABLE custom kernel has the

[strongSwan] Server Migration and Changes to the Services at strongswan.org

2022-10-11 Thread Tobias Brunner
Dear strongSwan Community, We are currently in the process of migrating the server hosting strongswan.org. However, not all services it currently provides will be migrated. First and foremost, we are discontinuing our mailing lists (users, dev and the long unused announce). For community

Re: [strongSwan] Error Message: "unsupported mode"?

2022-10-03 Thread Tobias Brunner
Hi Michael, What exactly does "IPsec SA: unsupported mode" mean? unsupported mode "transport"? You are using the kernel-libipsec plugin, which implements IPsec in userland and requires tunnel mode. You probably don't want to use that, see [1] for details. Regards, Tobias [1]

Re: [strongSwan] transform policy without SPI?

2022-08-16 Thread Tobias Brunner
Hi Michael, In the transform policy we see the connection but without SPIs in "in" and "fwd" direction. An SPI does only exist for the "out" direction. How is that possible? That's normal and always the case. Regards, Tobias

Re: [strongSwan] transform policy without SPI?

2022-08-16 Thread Tobias Brunner
Hi Michael, In the transform policy we see the connection but without SPIs in "in" and "fwd" direction. An SPI does only exist for the "out" direction. How is that possible? That's normal and always the case. Under what circumstance is that normal? After the termination of the child
