Re: [strongSwan] Same config for strongSwan, different outcome between Android and iOS

2016-07-12 Thread Tobias Brunner
Hi Laurens, > I've added 'fragmentation=yes' to the server, same issue. Please have a look at the client log. Does it send an IKE_AUTH message? Is it fragmented? If so, check with Wireshark/tcpdump on the server whether any packets arrive. >>> >>> I can send log

Re: [strongSwan] manual bypass policy for client-server architecture using transport mode

2016-07-12 Thread Tobias Brunner
Hi Plevin, >> conn client-1-bypass >> left=192.168.0.1 >> right=192.168.0.2 >> rightsubnet=192.168.0.2[tcp/5001] >> leftfirewall=yes >> type=passthrough >> authby=secret >> auto=add You configured this

Re: [strongSwan] Can strongswan work with ip port forwarding and not NAT

2016-07-12 Thread Tobias Brunner
Hi Christopher, > Jul 8 11:47:06 localhost charon: 04[CFG] left=41.60.182.160 You shouldn't set `left` to the public IP address of the NAT, the host won't be able to send messages from it: > Jul 8 11:47:11 localhost charon: 03[NET] sending packet: from > 41.60.182.160[500] to

Re: [strongSwan] UNITY_SAVE_PASSWD not honoured?

2016-07-14 Thread Tobias Brunner
Hi Tom, > I am successfully sending UNITY_* attrs to IKEv1 clients which support > it, but the UNITY_SAVE_PASSWD option does not seem to be accepted > correctly, it simply doesn't allow the client to save their password. This has been discussed previously [1]. Basically the attr plugin only

Re: [strongSwan] log

2016-07-28 Thread Tobias Brunner
Hi Richard, > Jul 28 03:24:58 vpn2 charon: 16[NET] received packet: from [..] > > Jul 28 03:24:58 vpn2 charon: 02[ENC] parsed INFORMATIONAL_V1 [..] > > These 16 and 02, what do they stand for? The numeric identifier of the thread that logged the message. Regards, Tobias

Re: [strongSwan] VTI's as initiator?

2016-07-28 Thread Tobias Brunner
Hi Ryan, > When acting as a responder, I didn’t have to do this, strongSwan seems to > choose a mark value for me. Not unless you configured `mark=%unique`. > Anything else I should check? Yes, the traffic selectors. As I wrote on [1] the traffic you route into a VTI device has to match the

Re: [strongSwan] VTI's as initiator?

2016-07-28 Thread Tobias Brunner
Hi Ryan, > I had to remove the "key" piece of the "ip link add" command, as the > PLUTO_MARK_OUT and > PLUTO_MARK_IN variables (which get set when responder) are not set. > What am I missing? You answered that question yourself. Regards, Tobias

Re: [strongSwan] log

2016-07-28 Thread Tobias Brunner
Hi Richard, > The {1} {2} {3} and {4} indicate the tunnels defined in ipsec.conf. These are the unique sequential identifiers of the CHILD_SAs. > How do I know which tunnel is logging e.g. the following line?: > > Jul 28 11:27:18 vpn2 charon: 13[IKE] retransmit 1 of request with > message ID 0

Re: [strongSwan] [Strongswan-5.3.0] - Ikev2 fragmentation Question

2016-07-29 Thread Tobias Brunner
Hi Sriram, > But the concern is fragment size, though it is set as 1200, > fragment_size of 576 is seen in the wireshark. I'm assuming for packets sent by the gateway. The fragment size is not negotiated, so the gateway might just default to the minimum datagram size a host must be able to

Re: [strongSwan] Setup site-to-site VPN via central server

2016-07-29 Thread Tobias Brunner
Hi Martin, > I am a bit lost here. Is this a routing or an iptables issue and how can > I make sure the vpn-second connection is working if I resolve the issues > (how do I test the tunnel from vpn-second network back to vpn-second)? Could be any number of things. You should check the traffic

Re: [strongSwan] [Strongswan-5.3.0] - Ikev2 fragmentation Question

2016-07-29 Thread Tobias Brunner
Hi Sriram, > So I think, since the strongswan file is not proper, charon would have > defaulted to 576. Please clarify. Yes, if the file is invalid it gets rejected completely and no options in it will get applied. You should have seen an error message like "invalid config file '...'" in the

Re: [strongSwan] OCSP and CRL problem

2016-07-27 Thread Tobias Brunner
Hi, > The serial number of the certificate and the serial number in the OCSP > request is different. It looks like a bug to me. Is there _any_ certificate in your PKI with the serial number that was requested? Perhaps one that has the same identity as this one? Or is this perhaps the

Re: [strongSwan] ID parsing

2016-08-15 Thread Tobias Brunner
Hi Emeric, > I guess the following configuration: > > ... > rightid=%a...@any.com > ... > > in ipsec.conf is parsed as an email address equal to "%a...@any.com" and not > as "a...@any.com" + no IDr sending ? > > > Am I correct? No. The % character is parsed by the stroke plugin before the

Re: [strongSwan] Changing IKE port

2016-07-14 Thread Tobias Brunner
Hi Eric, > Sorry. Here is the complete log. This time, I recompiled Strongswan > with socket-dynamic plugin. You don't need the socket-dynamic plugin. That's only needed if you want to use multiple different source ports (leftikeport). As you can see in the log the client does not send the

Re: [strongSwan] Tunnel gets disconnected

2016-07-14 Thread Tobias Brunner
Hi Matthias, > I've peers where some (all, 2 of 8, etc.) tunnels get disconnected after > some time. How? Is there a delete sent? If so, by whom? > Is there a way to configure StrongSwan to keep all tunnels up all the > time without DPD? auto=route is definitely the best way to ensure the

Re: [strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi

2016-07-14 Thread Tobias Brunner
Hi Christian, > No I don't have any error on the startup I was not referring to the console output. Did you check the log? > !! Your strongswan.conf contains manual plugin load options for > charon. > !! This is recommended for experts only, see > !!

Re: [strongSwan] Charon constantly crashing/restarting

2016-07-21 Thread Tobias Brunner
Hi Austin, > Have I missed anything obvious? You might be mixing executables/libraries/plugins from different releases. The involvement of libipsec.so.0 is also suspect. Regards, Tobias ___ Users mailing list Users@lists.strongswan.org

Re: [strongSwan] using 500/tcp

2016-07-21 Thread Tobias Brunner
Hi Harald, > AFAIU defragmentation is enabled in strongswan for incoming packages, > anyway. That's basically for IKEv1 where the first message may already be fragmented and for misbehaving peers that send fragmented packets even if it wasn't enabled explicitly. It does not mean that the notify

Re: [strongSwan] Same config for strongSwan, different outcome between Android and iOS

2016-07-15 Thread Tobias Brunner
Hi Laurens, >> The latter is of course because it does not send any certificate >> requests, whereas 156 of them are sent by the Android app (each a 20 >> byte SHA-1 hash). As I mentioned before, you can avoid that by >> selecting your CA certificate in the VPN profile in the app. This >>

Re: [strongSwan] AUTH FAIL but I cannot figure out the reason

2016-07-15 Thread Tobias Brunner
Hi Ariwa, > I see the log, but I cannot figure out the dubious point. > Does someone have any hint for it? The log is pretty clear: > Thu Jul 14 21:51:35 2016 daemon.info syslog: 03 [CFG] looking for > peer configs matching 192.168.1.32[openwrt5server]...192.168.1.156[C=JP, > L=Tokyo,

Re: [strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi

2016-07-19 Thread Tobias Brunner
Hi Christian, > Nevertheless, by removing: `eap_identity` I got the same result. You might need it, but that depends on the client. > On basis, I wanted to use StrongSwan as simple as possible without > certificates CA. That probably won't work as authenticating clients with EAP requires

Re: [strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi

2016-07-19 Thread Tobias Brunner
Hi Christian, > Below the result I got by activating the loglevel "cfg 2" You set it via stroke, which is a bit late as some of the interesting bits would have been the messages after "received stroke: add connection 'BB10'", which list the settings of the loaded config. Either set the log

Re: [strongSwan] Setup site-to-site VPN via central server

2016-07-19 Thread Tobias Brunner
Hi Martin, >> I've added some documentation [1]. > I read through the hub-and-spoke setup on the internet. Is my setup > actually a hub-and-spoke type? I connect from the gateways directly to > the internet and only the traffic to 192.68.0.0/16 is routed through > VPN. What traffic you tunnel

Re: [strongSwan] Setup site-to-site VPN via central server

2016-07-20 Thread Tobias Brunner
Hi Martin, >> The diagrams show four hosts as I thought that illustrates the >> difference between the two approaches a bit better > > Maybe I am not the best reference since I started with strongSwan only 2 > weeks ago, but it is quite hard to understand why there is only A-C > mentioned

Re: [strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi

2016-07-20 Thread Tobias Brunner
Hi Christian, > Configuration on my BB10. > Profile Name : home > Server Address : 78.229.20.105 > Gateway Type : Generic IKEv2 VPN Server > Authentication Type : EAP-MSCHAPv2 > Authentication ID Type : email > ID Authentication: alice

Re: [strongSwan] ipsec update restarting affected tunnels

2016-07-20 Thread Tobias Brunner
Hi Stig, > I've recently upgraded our strongswan from 4.5.2 to 5.2.2 and one of the > differences I noticed is with the older version I could regenerate > /etc/ipsec.conf and then do "ipsec rereadall" followed by "ipsec update" > and any tunnels that were affected would restart. Really? I

Re: [strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi

2016-07-20 Thread Tobias Brunner
Hi Christian, > Jul 20 13:26:26 raspberrypi charon: 13[IKE] EAP-MS-CHAPv2 verification > failed, retry (1) You might want to double and triple check that you configured the password exactly the same on both sides. Regards, Tobias

Re: [strongSwan] using 500/tcp

2016-07-20 Thread Tobias Brunner
Hi Harald, As you noticed the IKE_AUTH packet is the one that's problematic. But since Mac OS X supports IKEv2 fragmentation > Notify (IKEv2 Fragmentation Supported) Payload: > No Data there is really no reason not to enable it (unless you use an old strongSwan version that

Re: [strongSwan] Setup site-to-site VPN via central server

2016-07-15 Thread Tobias Brunner
Hi Martin, > Should I document this setup somewhere on the Wiki? I've added some documentation [1]. As mentioned there, the hub-and-spoke setup is also demonstrated in an example scenario [2]. Even though its configuration is based on swanctl.conf the concept is the same when setting it up via

Re: [strongSwan] Strongswan doesn't route through VPN on Windows 10, but works on android.

2016-07-12 Thread Tobias Brunner
Hi Dirk, > But in Windows, the connection status states "IP 10.1.1.21, Netmask > 255.255.255.255, No Gateway", so that any traffic to the internet is > sent unencrypted via the normal internet connection. > > What do I have to do to let windows route everything through the VPN? You might have

Re: [strongSwan] Setup site-to-site VPN via central server

2016-07-13 Thread Tobias Brunner
Hi Martin, > Regarding #1, on the server I have configured another IP address for the > network device: > ip addr add 192.168.1.0/24 dev eth0 > > Do I need to add a route as well? You won't need either of that to connect the two subnets. > Central server internal IP: 192.168.1.0, external IP:

Re: [strongSwan] Strongswan doesn't route through VPN on Windows 10, but works on android.

2016-07-13 Thread Tobias Brunner
Hi Dirk, > With active "Use default gateway on remote network" option, windows > seems to use my default internet connection as default gateway, so that > traffic is not encrypted. How did you test that? What hosts did you try to access? > I'll attach the routing table: > The local router is

Re: [strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi

2016-07-18 Thread Tobias Brunner
Hi Christian, > As highlighted in the same topic: rightauth=eap-mschapv2 (See below) Your log indicates otherwise, though. Check `ipsec statusall` for the correct authentication method for the BB10 connection, or increase the log level for cfg to 2 to see details when the config is loaded. >

Re: [strongSwan] using 500/tcp

2016-07-18 Thread Tobias Brunner
Hi Harald, > Problem: The mtu of this tunnel is less than 1500. On the > first run IKEv2 on my Mac fails with icmp6 "Packet Too Big". > Since the protocol is udp there is no packet to fragment and > resend, which means a 10 seconds delay until a higher network > layer wakes up and tries to

Re: [strongSwan] VPN with preshared Key between BB10 and Raspberry-Pi

2016-07-18 Thread Tobias Brunner
Hi Christian, > 16[CFG] looking for peer configs matching > 192.168.1.29[%any]...80.12.51.163[alice] > 16[CFG] selected peer config 'BB10' > 16[IKE] peer requested EAP, config inacceptable > 16[CFG] no alternative config found Sounds like the authentication settings of your config are wrong. Do

Re: [strongSwan] Initiator only for certain connections?

2016-07-18 Thread Tobias Brunner
Hi, > is it possible to tell StrongSwan that it should act as initiator only, but > only for certain connections auto=add? strongSwan does not initiate such connections unless explicitly told to do so (via `ipsec up`). > or as responder only, but again only for certain connections?

Re: [strongSwan] Same config for strongSwan, different outcome between Android and iOS

2016-06-29 Thread Tobias Brunner
Hi Laurens, > I've set up a strongSwan server for IKEv2. Connections with the Android > strongSwan app fail, while using the iOS built-in IKEv2 client works > without issues. Any ideas on what might be going on? Looks like it could be an IP fragmentation issue. > Android strongSwan client

Re: [strongSwan] Tunnel traffic transparently through roadwarrior connection

2016-06-29 Thread Tobias Brunner
Hi Boris, > -A POSTROUTING -o wlan_cli -j MASQUERADE Your MASQUERADE rule probably NATs the traffic to the physical IP, so it won't match the outbound IPsec policies (VIP -> 0.0.0.0/0) and therefore is not tunneled. If you want to actually NAT to the virtual IP then you have to install an SNAT

Re: [strongSwan] Same config for strongSwan, different outcome between Android and iOS

2016-07-05 Thread Tobias Brunner
Hi Laurens, >>> openssl: >>> ... >>> DH:ECP_256 >>> ... >> >> Ah yes. It's because the default IKE proposal in versions before 5.4.0 >> listed ECP_256 after MODP_2048 and the server always preferred its own >> proposals (this can be changed with the upcoming 5.5.0 release). So it >>

Re: [strongSwan] libipsec design decision - using NFQUEUE vs virtual interfaces

2016-07-07 Thread Tobias Brunner
Hi Plevin, >"is there any reason one should *not* implement a userspace IPsec stack > using Netfilter and NFQUEUEs in combination > with Strongswan"? Portability. Regards, Tobias

Re: [strongSwan] Same config for strongSwan, different outcome between Android and iOS

2016-06-30 Thread Tobias Brunner
Hi Laurens, > openssl: > ... > DH:ECP_256 > ... Ah yes. It's because the default IKE proposal in versions before 5.4.0 listed ECP_256 after MODP_2048 and the server always preferred its own proposals (this can be changed with the upcoming 5.5.0 release). So it insists on using MODP_2048

Re: [strongSwan] Undefined reference to OpenSSL function during SS 5.5.0 building !

2016-08-17 Thread Tobias Brunner
Hi, > ../../src/libstrongswan/.libs/libstrongswan.so: undefined reference to > `X509_get0_signature' > How do I resolve this? According to the OpenSSL docs [1] this function was added with OpenSSL 1.0.2 (it is defined in crypto/asn1/x_x509.c). Only if the OpenSSL headers indicate a version

Re: [strongSwan] authentication with EAP

2017-02-01 Thread Tobias Brunner
Hi Yudi, > Is there a way to fine tune this behavior, i.e., if the remote peer is > trying to authenticate via EAP-MSCHAPV2 the server should pick the right > method (eap-mschapv2) not the first one in the list. You need to use the eap-dynamic plugin [1]. Regards, Tobias [1]

Re: [strongSwan] Can not create tunnel on Windows 10: no certificate with extensible authentication protocol found

2017-02-08 Thread Tobias Brunner
Hi Oliver, > Any help would be appreciated. Please don't cross-post: https://wiki.strongswan.org/issues/2244 Regards, Tobias

Re: [strongSwan] What enqueues IKE_MOBIKE tasks?

2017-02-06 Thread Tobias Brunner
Hi Alexander, > My understanding was that the IKE_MOBIKE task was triggered by changes > to routes/interfaces. > > I'm intermittently seeing the IKE_MOBIKE task be queued at 30 second > intervals, with no interface changes. There is nothing in the syslog or > kernel log in between most of these

Re: [strongSwan] VPN profiles for client

2017-01-23 Thread Tobias Brunner
Hi Aanand, > 2. Create the configuration files offline and provide it to an end user > so that the user can import it into the Strongswan client and start > connecting. If you are referring to the strongSwan Android client then, yes, this is possible since the latest release. Refer to [1] for

Re: [strongSwan] Android doesn't support ESP aes256gcm16-modp2048

2017-02-09 Thread Tobias Brunner
Hi Piotr, > it seems that Android app doesn't support cipher esp=aes256gcm16-modp2048 Correct. That proposal is not supported by the app, see [1] for the list of currently configured proposals. So you basically have to use a stronger DH group when using aes256gcm16. Regards, Tobias [1]

Re: [strongSwan] IKEv2 retransmission of Android app

2017-02-15 Thread Tobias Brunner
Hi Piotr, > But how can I control this on Android? Is it hardcoded somewhere? If > yes, can somebody help me and point me to the right direction? See [1] or [2]. > I'm trying to use OTP to authenticate IKEv2. So far, so good, but the > main issue is to maintain the tunnel as long as possible -

Re: [strongSwan] Pre-Shared Key Conditioning

2017-02-15 Thread Tobias Brunner
Hi Michael, > I'm trying to find some documentation on what algorithms, if any, > StrongSwan uses for pre-shared key conditioning. Currently, none. Are there IKE implementations that do? You could obviously pre-process the PSKs before making them available to the daemon (they can be provided

Re: [strongSwan] IKEv2 retransmission of Android app

2017-02-16 Thread Tobias Brunner
> > But how can I control this on Android? Is it hardcoded somewhere? If > > yes, can somebody help me and point me to the right direction? > > See [1] or [2]. > > Where is [1] or [2]? :) Odd, I distinctly remember pasting the links into an email. Anyway, here they are: [1]

Re: [strongSwan] IKEv2 : Tunnel gets established even when local cert startDate is invalid

2017-02-16 Thread Tobias Brunner
Hi Sriram, > "ipsec listcerts" says that the above (device)cert is not yet valid. > Still tunnel gets established properly. strongSwan does use seemingly invalid certificates for its own authentication, but won't accept invalid remote certificates. So if the server certificate was also only

Re: [strongSwan] Successfully established connection goes offline after some time

2017-01-19 Thread Tobias Brunner
Hi Varun, > I have strongSwan 5.3.5 on Ubuntu 16.04LTS. When I connect iOS VPN > client to it, it connects successfully and I am able to browse the > internet. But after some time, the connection goes offline. iOS doesn't like the NAT-D payloads added to the DPDs so it doesn't respond: > Jan 19

Re: [strongSwan] Broken CHILD_SA following IKE_SA re-auth with FortiGate remote

2016-08-22 Thread Tobias Brunner
Hi Tore, > - Is the strongSwan behaving correctly when it is also deleting the ESP > CHILD_SA when receiving the DELETE IKE_SA from the FortiGate, instead > of "moving" it to the other active IKE_SA as it appears the FortiGate > has done? RFC4306, section 2.4 says the following: > >

Re: [strongSwan] Strongswan plugins

2017-03-02 Thread Tobias Brunner
Hi Aanand, > I would like to know if some or all of the plugins defined here - are > available on the Strongswan client too. The strongSwan IKE daemon may be used as client or server or both, depending on the configuration. It does not enforce a clear distinction (excluding specific client

Re: [strongSwan] Strongswan plugins

2017-03-02 Thread Tobias Brunner
Hi Aanand, > In case of the Android App or the Network Manager - does all this mean > that if I were to add additional EAP plugins they will not show up in > the UI and hence users dialing through the UI wouldn't be able to see > and use them? Most EAP methods can't be selected explicitly in the

Re: [strongSwan] Fortinet vpn client compatibility with strongswan

2017-02-27 Thread Tobias Brunner
Hi Akshar, > client receives response IDci=IP ADDRESS > which was sent in request and IDcr=ID_IPV4_ADDR_SUBNET(0400 > 0afe ff00). > Fortinet client was printing "VPNmismatched ID > was returned." Looks like you configured leftsubnet=10.254.0.0/24 on the server but the client

Re: [strongSwan] ipsec

2016-08-25 Thread Tobias Brunner
Hi John, > What am I missing? That the Red Hat/Fedora package maintainers renamed the script to `strongswan`, as mentioned on [1]. The config files are also located in a subdirectory in /etc. Regards, Tobias [1] https://wiki.strongswan.org/projects/strongswan/wiki/ipseccommand

Re: [strongSwan] StrongSwan Android and PureVPN

2016-09-05 Thread Tobias Brunner
Hi Robbie, You have to configure the identity the server is using in the profile explicitly, i.e. the subject DN of the server's certificate: > OU=Domain Control Validated, OU=PositiveSSL Multi-Domain, CN=PointtoServer.com Regards, Tobias

Re: [strongSwan] How to define multiple proposals in IKEv1

2016-08-30 Thread Tobias Brunner
Hi Steve, > About Q1, for example, remote peer only accept *3des-sha1-modp1024*, and > local Strongswan using the following "ike" config. > > a) ike=aes256-sha1-modp1024,*3des-sha1-modp1024*,aes128-sha2_256-modp1024 > b) ike=aes256-sha1-modp1024,*3des-sha1-modp1024*,aes128-sha2_256-modp1024! >

Re: [strongSwan] Broken CHILD_SA following IKE_SA re-auth with FortiGate remote

2016-08-30 Thread Tobias Brunner
Hi Tore, > I was under the impression that enabling "charon.make_before_break" > would only alter how strongSwan behaves when it is the party initiating > the re-authentication procedure. Correct. > In the initiator case, I wouldn't have > thought there was any need for such heuristics and

Re: [strongSwan] Replay window upper limit

2016-08-31 Thread Tobias Brunner
Hi Kapil, > What is the upper limit on replay window size? I didn't find any > documentation on the upper limit. Is it dependent on hardware? If so, how do I > find the limit? There is no hard limit. But since storing the window requires a certain amount of memory per SA there is definitely some upper

Re: [strongSwan] Separate devices connecting with same user-based credentials (Virtual IP)

2016-09-09 Thread Tobias Brunner
Hi Luke, > With the above setup, multiple devices are able to connect with ease, > however all devices with the same user authentication credentials > receive the same Virtual IP from strongswan. What strongSwan version do you use? Regards, Tobias

Re: [strongSwan] Separate devices connecting with same user-based credentials (Virtual IP)

2016-09-09 Thread Tobias Brunner
Hi Luke, Have you set `uniqueids=never` [1]? Otherwise, any existing SA with the same client ID is terminated and the virtual IP gets released and reassigned on the new SA. Regards, Tobias [1] https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection

Re: [strongSwan] EAP-GTC with macOS app

2016-09-26 Thread Tobias Brunner
Hi Laurens, > Is it possible to use EAP-GTC with the StrongSwan macOS app? Yes, the plugin is enabled. But it is not included in the default plugin list that's used by charon-xpc (which is hard-coded for some reason [1]). You could try setting `charon-xpc.load` in

Re: [strongSwan] Strongswan MOBIKE support

2016-09-29 Thread Tobias Brunner
Hi Amit, > Here I expect client to send UPDATE_SA_ADDRESS notification for new IP > address 85.1.96.159 before actually starting to use this new IP address. > However, client starts sending DPD messages using new IP > to which CISCO GW is not responding (As GW is not aware of new IP > address) And

Re: [strongSwan] [strongSwan-dev] need for openssl plugin use case

2016-10-05 Thread Tobias Brunner
Hi, > But in the strongswan-master code repo, i see no reference to openssl > plugin. > > e.g. openssl_crypter_create function in openssl_crypter.c That's the whole point of our plugin system. All this is hidden from the users in other components, they just create a crypter of a specific type

Re: [strongSwan] Strongswan is proposing only PFS enabled proposals as part of quick mode

2016-10-07 Thread Tobias Brunner
Hi Sridhar, > We have configured two proposals one with PFS enabled and another with > PFS disabled. With this configuration, strongswan is sharing only one > PFS enabled proposal to peer in quick mode. > ... > With the above configuration, strongswan is sending only one proposal >

Re: [strongSwan] Crash strongSwan

2016-09-21 Thread Tobias Brunner
Hi Fabrice, > Now, just one test is failed : > Running case 'include/load_files[_section]': ++- > Failure in 'test_load_files_section': > !settings->load_files_section(settings, include1".no", TRUE, "") > (suites/test_settings.c:650, i = 0) > > Have you an idea why it fails? That happens

Re: [strongSwan] Use strongswan for Ike only

2016-09-19 Thread Tobias Brunner
Hi Shreyas, > Is there a way to use strongswan for IKE only without using the linux > IPsec stacks ? I want to export the SAs that get negotiated through > IKE and use my hardware IPsec stack for IPsec implementation. Is that > possible? Also, some pointers to such would be very helpful. Yes, see

Re: [strongSwan] Issue establishing a connection with strongswan

2016-09-19 Thread Tobias Brunner
Hi Joe, > I was under the impression that strongswan was using the mysql DB to obtain > the PSK for Cisco IPsec connections but it seems that I was wrong. > Would you happen to know if that is possible ? Yes, that should be possible. You'll find several examples using PSKs at [1]. However,

Re: [strongSwan] Crash strongSwan

2016-09-20 Thread Tobias Brunner
Hi Fabrice, > When revocation plugin is disabled, it's OK. This didn't seem to be a problem previously, where you complained about CRLs not getting saved on 16.04 - which I can't reproduce, by the way - but the revocation plugin seemed to have worked fine on both 14.04 and 16.04. So what

Re: [strongSwan] Android identity

2016-09-20 Thread Tobias Brunner
Hi Mihaly, > But anyway I set up left/rightid on the server side, I always get "no > matching peer config found". > > How is Android "Server identity" matched on server side? Exactly as you'd suspect I guess, it's matched against the local identity on the server (presumably leftid). Check

Re: [strongSwan] Phase 2 ESP Failing between StrongSWAN 5.3.5 and Cisco VPN 3000

2016-09-19 Thread Tobias Brunner
Hi Mahesh, > It seems that phase 1 IKE is working but not phase 2 ESP. I've tried > different settings for ike= to no avail. Config and brief log below and > extended log attached. You should check the responder's log. It seems to immediately delete the IKE_SA after receiving the Quick Mode

Re: [strongSwan] Issue establishing a connection with strongswan

2016-09-19 Thread Tobias Brunner
Hi Joe, > Sep 16 17:42:13 vmi82861 charon: 05[ENC] invalid ID_V1 payload length, > decryption failed? > Sep 16 17:42:13 vmi82861 charon: 05[ENC] could not decrypt payloads > Sep 16 17:42:13 vmi82861 charon: 05[IKE] message parsing failed Looks like a mismatching PSK [1]. Regards, Tobias [1]

Re: [strongSwan] Crash strongSwan

2016-09-20 Thread Tobias Brunner
Hi Fabrice, > Yes, revocation plugin works fine on 14.04, but crashes are sometimes > once a day and other times several times a minute. > It seems to be at strongswan start (not each time) and at IKE_SA > reauthentication (not each time). Considering that, the version you are using (5.1.2) and

Re: [strongSwan] Android identity

2016-09-20 Thread Tobias Brunner
Hi Mihaly, > Is it assigned and missing from the log, or is this not implemented yet? If valid DNS servers are received (check for corresponding configuration attributes in the IKE_AUTH message) they are added to the VpnService.Builder instance used to create the TUN device. There is just no

Re: [strongSwan] Android identity

2016-09-20 Thread Tobias Brunner
Hi Mihaly, > So I guess I need to put altName in the cert if I want to use same cert > for multiple peers configs. You'd have to do that anyway as the client wouldn't accept the certificate otherwise. Regards, Tobias

Re: [strongSwan] Ikev2 rekeying failure on EC2 site2site tunnel

2016-09-07 Thread Tobias Brunner
Hi Isaac, > Sep 6 17:12:17 ec2vsswp01 charon: 09[IKE] unable to reauthenticate > IKE_SA, no CHILD_SA to recreate Check the log for information why there is no CHILD_SA. Maybe it was deleted by the other peer (e.g. due to inactivity). You might want to consider using `auto=route` and reading

Re: [strongSwan] unable to install policy ... the same policy for reqid XXX exists

2016-08-18 Thread Tobias Brunner
Hi Andreas, Thanks for the detailed report. I was able to reproduce the issue. The problem is caused by the FWD policies in the outbound direction that are installed since 5.5.0. Or rather an incomplete update of the cached data when adding/removing policies to/from the kernel and a

Re: [strongSwan] Broken CHILD_SA following IKE_SA re-auth with FortiGate remote

2016-08-29 Thread Tobias Brunner
Hi Tore, > That said, it seems to me that even if we're talking specifically about > reauthentications, strongSwan's default "break before make" > behaviour still violates the standard: > >Reauthentication is done by creating a new IKE SA from scratch (using >IKE_SA_INIT/IKE_AUTH

Re: [strongSwan] How to define multiple proposals in IKEv1

2016-08-29 Thread Tobias Brunner
Hi Steve, > Question 1) Can I define multiple proposals for 'ike' and adding '!' to > restrict Strongswan to accept the defined proposals only? Since the > initiator is not fixed, local Strongswan can be the responder or > initiator depends on different scenario. Yes, adding ! in ipsec.conf will

Re: [strongSwan] 02[KNL] error installing route with policy after upgrading strongswan 5.1.3->5.3.5

2016-08-23 Thread Tobias Brunner
Hi Marc, > after upgrading from Ubuntu 14.04 to 16.04 I ran into the problem that seems > to be related to bug 824 (https://wiki.strongswan.org/issues/824). Doesn't look like it's related as you only have one interface and the route installation fails. Since you are using the kernel-libipsec

Re: [strongSwan] %any picks IPv6 link-local address

2016-08-23 Thread Tobias Brunner
Hi David, > Then strongSwan will try to initiate a connection using the link-local > address of the pppoe-wan interface (which fails), presumably because it > is the device used for outgoing IPv6 traffic. But pppoe-wan doesn't have > a global IPv6 address assigned. Yes, the found route gives us

Re: [strongSwan] Broken CHILD_SA following IKE_SA re-auth with FortiGate remote

2016-08-29 Thread Tobias Brunner
Hi Tore, > There was one thing you mentioned above that gave me some pause though: > > «some heuristics might have to be used to avoid destroying the old SAs > as duplicates» > > Could you elaborate on how this might be a problem? > > If I understand correctly: if make-before-break reauth is

Re: [strongSwan] IKEv1 XAuth EAP Plugin

2016-09-28 Thread Tobias Brunner
Hi Brian, > Fred : EAP "1234567" > > fred : XAUTH "deadbeef1234567" > > Please note the different capitalisation of the letter f for the two > different > usernames. Matching these identities is not case sensitive (simple names are parsed as FQDN). So both secrets can be used by both

Re: [strongSwan] Question about charon.interfaces_ignore/charon.interfaces_use

2016-09-28 Thread Tobias Brunner
Hi Michael, > I'm trying to configure StrongSwan on a Linux platform that has three > interfaces (for simplicity, I'll call them a, b, and c). I only want to > do IPsec on interface a and I want interfaces b and c to be unaffected. > In the strongswan.conf file I added the line interfaces_ignore

Re: [strongSwan] $PLUTO_HOST_ACCESS variable

2016-10-03 Thread Tobias Brunner
Hi Mihály, > Where is it getting its value from? lefthostaccess=yes Regards, Tobias ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] EAP-GTC with macOS app

2016-09-27 Thread Tobias Brunner
> I do not seem to have a /usr/local/etc/strongswan.conf file. Can I just > create it? Yes. Regards, Tobias

Re: [strongSwan] eap-gtc

2016-09-27 Thread Tobias Brunner
Hi Slava, > I am trying to configure IKEv2 for iOS devices with eap-gtc. iOS does not support EAP-GTC: > Sep 26 14:33:19 11[IKE] initiating EAP_GTC method (id 0x7D) > ... > Sep 26 14:33:19 16[IKE] received EAP_NAK, sending EAP_FAILURE Regards, Tobias

Re: [strongSwan] AH Transport AES-128 GMAC

2016-11-07 Thread Tobias Brunner
Hi Gyula, > Anybody have an idea what could be wrong? That's due to a recently fixed bug that mapped the aes*gmac keywords incorrectly for AH proposals. You may either update to 5.5.1, which includes the fix, or try to apply the patch at [1] (won't apply cleanly to any older version as it is

Re: [strongSwan] AH Transport AES-128 GMAC

2016-11-10 Thread Tobias Brunner
Hi Gyula, > I'm running the test between two identical Debian 8.6 VMs. > Both have the same version of strongSwan (v5.5.1), compiled with the > same switches. I was able to reproduce this in our testing environment. On the responder you should have seen the following messages: > [CHD] no

Re: [strongSwan] AH Transport AES-128 GMAC

2016-11-07 Thread Tobias Brunner
Hi Gyula, > Thank you for the idea, but I'm using version 5.5.1 (see below). I see. The other end might not, though. Regards, Tobias

Re: [strongSwan] Sending INIT_CONTACT during "ipsec up .... "

2016-11-14 Thread Tobias Brunner
Hi Marko, > Shouldn't the same apply when you use wildcards then? Because in this > case also it is not determined what the exact peer identity is, but > still the INIT_CONTACT is being sent...? The code currently just checks if there is an IDr before checking for existing connections. With

Re: [strongSwan] Sending INIT_CONTACT during "ipsec up .... "

2016-11-14 Thread Tobias Brunner
Hi Marko, > What is the reason for this? Is it the expected behaviour? Yes, how could the client know that this is the first IKE_SA with the peer if it doesn't know the peer's identity (rightid=%any)? Regards, Tobias

Re: [strongSwan] libhydra

2016-11-14 Thread Tobias Brunner
Hi Joy, > Any new plugin for talking > to the kernel would require a kernel_ipsec_t as well. Is this correct? Yes. Regards, Tobias

Re: [strongSwan] strongswan on android phone does nothing (select profile, does nothing)

2016-11-16 Thread Tobias Brunner
Hi Don, > I'm not sure what else to try, can anyone suggest? If you are using Google's Project Fi, please have a look at [1]. Regards, Tobias [1] https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClient#Known-LimitationsIssues

Re: [strongSwan] leftsubnet and loopback problem

2016-11-21 Thread Tobias Brunner
Hi John, > ip address add dev lo 10.2.3.4/32 > ... > Nov 17 10:56:43 127 daemon.info charon: 16[KNL] no local address found in > traffic selector 10.2.3.4/32 > ... > I'm using: Linux strongSwan U4.5.2/K3.4.113 That's really old. Back then loopback interfaces were not considered. You need at

Re: [strongSwan] StrongSwan not responding to DPD messages when modeconfig=push.

2016-10-31 Thread Tobias Brunner
Hi, > 1. Why does strongswan wait for the response in spite of assigning > the IP requested by the client? You configured `modeconfig=push`, so strongSwan pushed config attributes to the client and waits for a response. If that's not what the client expects, change the config to

Re: [strongSwan] ipsec routes removed when interface down and not reinstated

2016-10-31 Thread Tobias Brunner
Hi Alex, > But when there's no immediate path, e.g. if the only network adapter has > a cable unplugged or if switching WiFi networks takes too long, the > route is deleted and when an interface comes back up, it isn't re-added. The latter should be the case if an interface that was down is

Re: [strongSwan] ipsec routes removed when interface down and not reinstated

2016-10-31 Thread Tobias Brunner
Hi Alex, > All is working. I then unplug my network cable, wait a few seconds, and > plug it back in. Now table 220 is empty. The tunnel still says it's > connected, and I suppose it is - but because the route isn't there any > more, I get no traffic over the VPN. You should check the log with
