Hi Laurens,
> I've added 'fragmentation=yes' to the server, same issue.
Please have a look at the client log. Does it send an IKE_AUTH
message?
Is it fragmented? If so, check with Wireshark/tcpdump on the server
whether any packets arrive.
>>>
>>> I can send log
Hi Plevin,
>> conn client-1-bypass
>> left=192.168.0.1
>> right=192.168.0.2
>> rightsubnet=192.168.0.2[tcp/5001]
>> leftfirewall=yes
>> type=passthrough
>> authby=secret
>> auto=add
You configured this
Hi Christopher,
> Jul 8 11:47:06 localhost charon: 04[CFG] left=41.60.182.160
You shouldn't set `left` to the public IP address of the NAT, the host
won't be able to send messages from it:
> Jul 8 11:47:11 localhost charon: 03[NET] sending packet: from
> 41.60.182.160[500] to
Hi Tom,
> I am successfully sending UNITY_* attrs to IKEv1 clients which support
> it, but the UNITY_SAVE_PASSWD option does not seem to be accepted
> correctly, it simply doesn't allow the client to save their password.
This has been discussed previously [1]. Basically the attr plugin only
Hi Richard,
> Jul 28 03:24:58 vpn2 charon: 16[NET] received packet: from [..]
>
> Jul 28 03:24:58 vpn2 charon: 02[ENC] parsed INFORMATIONAL_V1 [..]
>
> These 16 and 02, what do they stand for?
The numeric identifier of the thread that logged the message.
Regards,
Tobias
Hi Ryan,
> When acting as a responder, I didn’t have to do this, strongSwan seems to
> choose a mark value for me.
Not unless you configured `mark=%unique`.
> Anything else I should check?
Yes, the traffic selectors. As I wrote on [1] the traffic you route
into a VTI device has to match the
Hi Ryan,
> I had to remove the "key" piece of the "ip link add" command, as the
> PLUTO_MARK_OUT and
> PLUTO_MARK_IN variables (which get set when responder) are not set.
> What am I missing?
You answered that question yourself.
Regards,
Tobias
Hi Richard,
> The {1} {2} {3} and {4} indicate the tunnels defined in ipsec.conf.
These are the unique sequential identifiers of the CHILD_SAs.
> How do I know which tunnel is logging e.g. the following line?:
>
> Jul 28 11:27:18 vpn2 charon: 13[IKE] retransmit 1 of request with
> message ID 0
Hi Sriram,
> But the concern is fragment size, though it is set as 1200,
> fragment_size of 576 is seen in the wireshark.
I'm assuming for packets sent by the gateway. The fragment size is not
negotiated, so the gateway might just default to the minimum datagram
size a host must be able to
Hi Martin,
> I am a bit lost here. Is this a routing or an iptables issue and how can
> I make sure the vpn-second connection is working if I resolve the issues
> (how do I test the tunnel from vpn-second network back to vpn-second)?
Could be any number of things. You should check the traffic
Hi Sriram,
> So I think, since the strongswan file is not proper, charon would have
> defaulted to 576. Please clarify.
Yes, if the file is invalid it gets rejected completely and no options
in it will get applied. You should have seen an error message like
"invalid config file '...'" in the
Hi,
> The serial number of the certificate and the serial number in the OCSP
> request is different. It looks like a bug to me.
Is there _any_ certificate in your PKI with the serial number that was
requested? Perhaps one that has the same identity as this one? Or is
this perhaps the
Hi Emeric,
> I guess the following configuration:
>
> ...
> rightid=%a...@any.com
> ...
>
> in ipsec.conf is parsed as an email address equal to "%a...@any.com" and not
> as "a...@any.com" + no IDr sending ?
>
>
> Am I correct?
No. The % character is parsed by the stroke plugin before the
Hi Eric,
> Sorry. Here is a the complete log. This time, I recompiled Strongswan
> with socket-dynamic plugin.
You don't need the socket-dynamic plugin. That's only needed if you
want to use multiple different source ports (leftikeport).
As you can see in the log the client does not send the
Hi Matthias,
> I've peers where some (all, 2 of 8, etc.) tunnels get disconnected after
> some time.
How? Is there a delete sent? If so, by whom?
> Is there a way to configure StrongSwan to keep all tunnels up all the
> time without DPD?
auto=route is definitely the best way to ensure the
Hi Christian,
> No I don't have any error on the startup
I was not referring to the console output. Did you check the log?
> !! Your strongswan.conf contains manual plugin load options for
> charon.
> !! This is recommended for experts only, see
> !!
Hi Austin,
> Have I missed anything obvious?
You might be mixing executables/libraries/plugins from different
releases. The involvement of libipsec.so.0 is also suspect.
Regards,
Tobias
___
Users mailing list
Users@lists.strongswan.org
Hi Harald,
> AFAIU defragmentation is enabled in strongswan for incoming packages,
> anyway.
That's basically for IKEv1 where the first message may already be
fragmented and for misbehaving peers that send fragmented packets even
if it wasn't enabled explicitly. It does not mean that the notify
Hi Laurens,
>> The latter is of course because it does not send any certificate
>> requests, whereas 156 of them are sent by the Android app (each a 20
>> byte SHA-1 hash). As I mentioned before, you can avoid that by
>> selecting your CA certificate in the VPN profile in the app. This
>>
Hi Ariwa,
> I see the log, but I cannot figure out the dubious point.
> Is there someone who has any hint for it?
The log is pretty clear:
> Thu Jul 14 21:51:35 2016 daemon.info syslog: 03 [CFG] looking for
> peer configs matching 192.168.1.32[openwrt5server]...192.168.1.156[C=JP,
> L=Tokyo,
Hi Christian,
> Nevertheless, by removing: `eap_identity` I got the same result.
You might need it, but that depends on the client.
> On basis, I wanted to use StrongSwan as simple as possible without
> certificates CA.
That probably won't work as authenticating clients with EAP requires
Hi Christian,
> Below the result I got by activating the loglevel "cfg 2"
You set it via stroke, which is a bit late as some of the interesting
bits would have been the messages after "received stroke: add connection
'BB10'", which list the settings of the loaded config. Either set the
log
Hi Martin,
>> I've added some documentation [1].
> I read through the hub-and-spoke setup on the internet. Is my setup
> actually a hub-and-spoke type? I connect from the gateways directly to
> the internet and only the traffic to 192.68.0.0/16 is routed through
> VPN.
What traffic you tunnel
Hi Martin,
>> The diagrams show four hosts as I thought that illustrates the
>> difference between the two approaches a bit better
>
> Maybe I am not the best reference since I started with strongSwan only 2
> weeks ago, but it is quite hard to understand why there is only A-C
> mentioned
Hi Christian,
> Configuration on my BB10.
> Profile Name : home
> Server Address : 78.229.20.105
> Gateway Type : Generic IKEv2 VPN Server
> Authentication Type : EAP-MSCHAPv2
> Authentication ID Type : email
> ID Authentication: alice
Hi Stig,
> I've recently upgraded our strongswan from 4.5.2 to 5.2.2 and one of the
> differences I noticed is with the older version I could regenerate
> /etc/ipsec.conf and then do "ipsec rereadall" followed by "ipsec update"
> and any tunnels that were affected would restart.
Really? I
Hi Christian,
> Jul 20 13:26:26 raspberrypi charon: 13[IKE] EAP-MS-CHAPv2 verification
> failed, retry (1)
You might want to double and triple check that you configured the
password exactly the same on both sides.
Regards,
Tobias
Hi Harald,
As you noticed the IKE_AUTH packet is the one that's problematic. But
since Mac OS X supports IKEv2 fragmentation
> Notify (IKEv2 Fragmentation Supported) Payload:
> No Data
there is really no reason not to enable it (unless you use an old
strongSwan version that
Hi Martin,
> Should I document this setup somewhere on the Wiki?
I've added some documentation [1]. As mentioned there, the
hub-and-spoke setup is also demonstrated in an example scenario [2].
Even though its configuration is based on swanctl.conf the concept is
the same when setting it up via
Hi Dirk,
> But in Windows, the connection status states "IP 10.1.1.21, Netmask
> 255.255.255.255, No Gateway", so that any traffic to the internet is
> sent unencrypted via the normal internet connection.
>
> What do I have to do to let windows route everything through the VPN?
You might have
Hi Martin,
> Regarding #1, on the server I have configured another IP address for the
> network device:
> ip addr add 192.168.1.0/24 dev eth0
>
> Do I need to add a route as well?
You won't need either of that to connect the two subnets.
> Central server internal IP: 192.168.1.0, external IP:
Hi Dirk,
> With active "Use default gateway on remote network" option, windows
> seems to use my default internet connection as default gateway, so that
> traffic is not encrypted.
How did you test that? What hosts did you try to access?
> I'll attach the routing table:
> The local router is
Hi Christian,
> As highlighted in the same topic: rightauth=eap-mschapv2 (See below)
Your log indicates otherwise, though. Check `ipsec statusall` for the
correct authentication method for the BB10 connection, or increase the
log level for cfg to 2 to see details when the config is loaded.
>
Hi Harald,
> Problem: The mtu of this tunnel is less than 1500. On the
> first run IKEv2 on my Mac fails with icmp6 "Packet Too Big".
> Since the protocol is udp there is no packet to fragment and
> resend, which means a 10 seconds delay until a higher network
> layer wakes up and tries to
Hi Christian,
> 16[CFG] looking for peer configs matching
> 192.168.1.29[%any]...80.12.51.163[alice]
> 16[CFG] selected peer config 'BB10'
> 16[IKE] peer requested EAP, config inacceptable
> 16[CFG] no alternative config found
Sounds like the authentication settings of your config are wrong. Do
Hi,
> is it possible to tell StrongSwan that it should act as initiator only, but
> only for certain connections
auto=add? strongSwan does not initiate such connections unless
explicitly told to do so (via `ipsec up`).
> or as responder only, but again only for certain connections?
Hi Laurens,
> I've set up a strongSwan server for IKEv2. Connections with the Android
> strongSwan app fail, while using the iOS built-in IKEv2 client works
> without issues. Any ideas on what might be going on?
Looks like it could be an IP fragmentation issue.
> Android strongSwan client
Hi Boris,
> -A POSTROUTING -o wlan_cli -j MASQUERADE
Your MASQUERADE rule probably NATs the traffic to the physical IP, so it
won't match the outbound IPsec policies (VIP -> 0.0.0.0/0) and therefore
is not tunneled. If you want to actually NAT to the virtual IP then you
have to install an SNAT
Hi Laurens,
>>> openssl:
>>> ...
>>> DH:ECP_256
>>> ...
>>
>> Ah yes. It's because the default IKE proposal in versions before 5.4.0
>> listed ECP_256 after MODP_2048 and the server always preferred its own
>> proposals (this can be changed with the upcoming 5.5.0 release). So it
>>
Hi Plevin,
> "is there any reason one should *not* implement a userspace IPsec stack
> using Netfilter and NFQUEUEs in combination
> with Strongswan"?
Portability.
Regards,
Tobias
Hi Laurens,
> openssl:
> ...
> DH:ECP_256
> ...
Ah yes. It's because the default IKE proposal in versions before 5.4.0
listed ECP_256 after MODP_2048 and the server always preferred its own
proposals (this can be changed with the upcoming 5.5.0 release). So it
insists on using MODP_2048
Hi,
> ../../src/libstrongswan/.libs/libstrongswan.so: undefined reference to
> `X509_get0_signature'
> How is to resolve this ?
According to the OpenSSL docs [1] this function was added with OpenSSL
1.0.2 (it is defined in crypto/asn1/x_x509.c). Only if the OpenSSL
headers indicate a version
Hi Yudi,
> Is there a way to fine tune this behavior, i.e., if the remote peer is
> trying to authenticate via EAP-MSCHAPV2 the server should pick the right
> method (eap-mschapv2) not the first one in the list.
You need to use the eap-dynamic plugin [1].
Regards,
Tobias
[1]
Hi Oliver,
> Any help would be appreciated.
Please don't cross-post: https://wiki.strongswan.org/issues/2244
Regards,
Tobias
Hi Alexander,
> My understanding was that the IKE_MOBIKE task was triggered by changes
> to routes/interfaces.
>
> I'm intermittently seeing the IKE_MOBIKE task be queued at 30 second
> intervals, with no interface changes. There is nothing in the syslog or
> kernel log in between most of these
Hi Aanand,
> 2. Create the configuration files offline and provide it to an end user
> so that the user can import it into the Strongswan client and start
> connecting.
If you are referring to the strongSwan Android client then, yes, this is
possible since the latest release. Refer to [1] for
Hi Piotr,
> it seems that the Android app doesn't support cipher esp=aes256gcm16-modp2048
Correct. That proposal is not supported by the app, see [1] for the
list of currently configured proposals. So you basically have to use a
stronger DH group when using aes256gcm16.
Regards,
Tobias
[1]
Hi Piotr,
> But how can I control this on Android? Is it hardcoded somewhere? If
> yes, can somebody help me and point me to the right direction?
See [1] or [2].
> I'm trying to use OTP to authenticate IKEv2. So far, so good, but the
> main issue is to maintain the tunnel as long as possible -
Hi Michael,
> I'm trying to find some documentation on what algorithms, if any,
> StrongSwan uses for pre-shared key conditioning.
Currently, none. Are there IKE implementations that do? You could
obviously pre-process the PSKs before making them available to the
daemon (they can be provided
> > But how can I control this on Android? Is it hardcoded somewhere? If
> > yes, can somebody help me and point me to the right direction?
>
> See [1] or [2].
>
> Where is [1] or [2]? :)
Odd, I distinctly remember pasting the links into an email. Anyway,
here they are:
[1]
Hi Sriram,
> "ipsec listcerts" says that the above (device)cert is not yet valid.
> Still tunnel gets established properly.
strongSwan does use seemingly invalid certificates for its own
authentication, but won't accept invalid remote certificates. So if the
server certificate was also only
Hi Varun,
> I have strongSwan 5.3.5 on Ubuntu 16.04LTS. When I connect iOS VPN
> client to it, it connects successfully and I am able to browse the
> internet. But after some time, the connection goes offline.
iOS doesn't like the NAT-D payloads added to the DPDs so it doesn't respond:
> Jan 19
Hi Tore,
> - Is the strongSwan behaving correctly when it is also deleting the ESP
> CHILD_SA when receiving the DELETE IKE_SA from the FortiGate, instead
> of "moving" it to the other active IKE_SA as it appears the FortiGate
> has done? RFC4306, section 2.4 says the following:
>
>
Hi Aanand,
> I would like to know if some or all of the plugins defined here - are
> available on the Strongswan client too.
The strongSwan IKE daemon may be used as client or server or both,
depending on the configuration. It does not enforce a clear distinction
(excluding specific client
Hi Aanand,
> In case of the Android App or the Network Manager - does all this mean
> that if I were to add additional EAP plugins they will not show up in
> the UI and hence users dialing through the UI wouldn't be able to see
> and use them?
Most EAP methods can't be selected explicitly in the
Hi Akshar,
> client receives response IDci=IP ADDRESS
> which was sent in request and IDcr=ID_IPV4_ADDR_SUBNET(0400
> 0afe ff00).
> Fortinet client was printing "VPNmismatched ID
> was returned."
Looks like you configured leftsubnet=10.254.0.0/24 on the server but the
client
Hi John,
> What am I missing?
That the Red Hat/Fedora package maintainers renamed the script to
`strongswan`, as mentioned on [1]. The config files are also located in
a subdirectory in /etc.
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/ipseccommand
Hi Robbie,
You have to configure the identity the server is using in the profile
explicitly, i.e. the subject DN of the server's certificate:
> OU=Domain Control Validated, OU=PositiveSSL Multi-Domain, CN=PointtoServer.com
Regards,
Tobias
Hi Steve,
> About Q1, for example, remote peer only accepts *3des-sha1-modp1024*, and
> local Strongswan using the following "ike" config.
>
> a) ike=aes256-sha1-modp1024,*3des-sha1-modp1024*,aes128-sha2_256-modp1024
> b) ike=aes256-sha1-modp1024,*3des-sha1-modp1024*,aes128-sha2_256-modp1024!
>
Hi Tore,
> I was under the impression that enabling "charon.make_before_break"
> would only alter how strongSwan behaves when it is the party initiating
> the re-authentication procedure.
Correct.
> In the initiator case, I wouldn't have
> thought there was any need for such heuristics and
Hi Kapil,
> What is the upper limit on replay window size ? i didn't find any
> documentation on upper limit. is it dependent on Hardware, if so how to
> find the limit
There is no hard limit. But since storing the window requires a certain
amount of memory per SA there is definitely some upper
Hi Luke,
> With the above setup, multiple devices are able to connect with ease,
> however all devices with the same user authentication credentials
> receive the same Virtual IP from strongswan.
What strongSwan version do you use?
Regards,
Tobias
Hi Luke,
Have you set `uniqueids=never` [1]? Otherwise, any existing SA with the
same client ID is terminated and the virtual IP gets released and
reassigned on the new SA.
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection
Hi Laurens,
> Is it possible to use EAP-GTC with the StrongSwan macOS app?
Yes, the plugin is enabled. But it is not included in the default
plugin list that's used by charon-xpc (which is hard-coded for some
reason [1]). You could try setting `charon-xpc.load` in
Hi Amit,
> Here I expect the client to send an UPDATE_SA_ADDRESS notification for the new IP
> address 85.1.96.159 before actually starting to use this new IP address.
> However, the client starts sending DPD messages using the new IP
> to which the CISCO GW is not responding (as the GW is not aware of the new IP
> address)
And
Hi,
> But in the strongswan-master code repo, I see no reference to the openssl
> plugin.
>
> eg. openssl_crypter_create function in openssl_crypter.c
That's the whole point of our plugin system. All this is hidden from
the users in other components, they just create a crypter of a specific
type
Hi Sridhar,
> We have configured two proposals one with PFS enabled and another with
> PFS disabled. With this configuration, strongswan is sharing only one
> PFS enabled proposal to peer in quick mode.
> ...
> With the above configuration, strongswan is sending only one proposal
>
Hi Fabrice,
> Now, just one test fails:
> Running case 'include/load_files[_section]': ++-
> Failure in 'test_load_files_section':
> !settings->load_files_section(settings, include1".no", TRUE, "")
> (suites/test_settings.c:650, i = 0)
>
> Do you have an idea why it fails?
That happens
Hi Shreyas,
> Is there a way to use strongswan for IKE only without using the linux
> IPsec stacks ? I want to export the SAs that get negotiated through
> IKE and use my hardware IPsec stack for IPsec implementation. Is that
> possible? Also, some pointers to such would be very helpful.
Yes, see
Hi Joe,
> I was under the impression that strongswan was using the mysql DB to obtain
> the PSK for Cisco IPsec connections but it seems that I was wrong.
> Would you happen to know if that is possible ?
Yes, that should be possible. You'll find several examples using PSKs
at [1]. However,
Hi Fabrice,
> When the revocation plugin is disabled, it's OK.
This didn't seem to be a problem previously, where you complained about
CRLs not getting saved on 16.04 - which I can't reproduce, by the way -
but the revocation plugin seemed to have worked fine on both 14.04 and
16.04. So what
Hi Mihaly,
> But anyway I set up left/rightid on the server side, I always get "no
> matching peer config found".
>
> How is Android "Server identity" matched on server side?
Exactly as you'd suspect I guess, it's matched against the local
identity on the server (presumably leftid). Check
Hi Mahesh,
> It seems that phase 1 IKE is working but not phase 2 ESP. I've tried
> different settings for ike= to no avail. Config and brief log below and
> extended log attached.
You should check the responder's log. It seems to immediately delete
the IKE_SA after receiving the Quick Mode
Hi Joe,
> Sep 16 17:42:13 vmi82861 charon: 05[ENC] invalid ID_V1 payload length,
> decryption failed?
> Sep 16 17:42:13 vmi82861 charon: 05[ENC] could not decrypt payloads
> Sep 16 17:42:13 vmi82861 charon: 05[IKE] message parsing failed
Looks like a mismatching PSK [1].
Regards,
Tobias
[1]
Hi Fabrice,
> Yes, revocation plugin works fine on 14.04, but crashes are sometimes
> once a day and other times several times a minute.
> It seems to be at strongswan start (not each time) and at IKE_SA
> reauthentication (not each time).
Considering that, the version you are using (5.1.2) and
Hi Mihaly,
> Is it assigned and missing from the log, or is this not implemented yet?
If valid DNS servers are received (check for corresponding configuration
attributes in the IKE_AUTH message) they are added to the
VpnService.Builder instance used to create the TUN device. There is
just no
Hi Mihaly,
> So I guess I need to put an altName in the cert if I want to use the same cert
> for multiple peers configs.
You'd have to do that anyway as the client wouldn't accept the
certificate otherwise.
Regards,
Tobias
Hi Isaac,
> Sep 6 17:12:17 ec2vsswp01 charon: 09[IKE] unable to reauthenticate
> IKE_SA, no CHILD_SA to recreate
Check the log for information why there is no CHILD_SA. Maybe it was
deleted by the other peer (e.g. due to inactivity). You might want to
consider using `auto=route` and reading
Hi Andreas,
Thanks for the detailed report. I was able to reproduce the issue. The
problem is caused by the FWD policies in the outbound direction that are
installed since 5.5.0. Or rather an incomplete update of the cached
data when adding/removing policies to/from the kernel and a
Hi Tore,
> That said, it seems to me that even if we're talking specifically about
> reauthentications, strongSwan's default "break before make"
> behaviour still violates the standard:
>
> Reauthentication is done by creating a new IKE SA from scratch (using
> IKE_SA_INIT/IKE_AUTH
Hi Steve,
> Question 1) Can I define multiple proposals for 'ike' and adding '!' to
> restrict Strongswan to accept the defined proposals only? Since the
> initiator is not fixed, local Strongswan can be the responder or
> initiator depends on different scenario.
Yes, adding ! in ipsec.conf will
Hi Marc,
> after upgrading from Ubuntu 14.04 to 16.04 I ran into a problem that seems
> to be related to bug 824 (https://wiki.strongswan.org/issues/824).
Doesn't look like it's related as you only have one interface and the
route installation fails. Since you are using the kernel-libipsec
Hi David,
> Then strongSwan will try to initiate a connection using the link-local
> address of the pppoe-wan interface (which fails), presumably because it
> is the device used for outgoing IPv6 traffic. But pppoe-wan doesn't have
> a global IPv6 address assigned.
Yes, the found route gives us
Hi Tore,
> There was one thing you mentioned above that gave me some pause though:
>
> «some heuristics might have to be used to avoid destroying the old SAs
> as duplicates»
>
> Could you elaborate on how this might be a problem?
>
> If I understand correctly: if make-before-break reauth is
Hi Brian,
> Fred : EAP "1234567"
>
> fred : XAUTH "deadbeef1234567"
>
> Please note the different capitalisation of the letter f for the two
> different
> usernames.
Matching these identities is not case sensitive (simple names are parsed
as FQDN). So both secrets can be used by both
Hi Michael,
> I'm trying to configure StrongSwan on a Linux platform that has three
> interfaces (for simplicity, I'll call them a, b, and c). I only want to
> do IPsec on interface a and I want interfaces b and c to be unaffected.
> In the strongswan.conf file I added the line interfaces_ignore
Hi Mihály,
> Where is it getting its value from?
lefthostaccess=yes
Regards,
Tobias
> I do not seem to have a /usr/local/etc/strongswan.conf file. Can I just
> create it?
Yes.
Regards,
Tobias
Hi Slava,
> I am trying to configure IKEv2 for iOS devices with eap-gtc.
iOS does not support EAP-GTC:
> Sep 26 14:33:19 11[IKE] initiating EAP_GTC method (id 0x7D)
> ...
> Sep 26 14:33:19 16[IKE] received EAP_NAK, sending EAP_FAILURE
Regards,
Tobias
Hi Gyula,
> Anybody have an idea what could be wrong?
That's due to a recently fixed bug that mapped the aes*gmac keywords
incorrectly for AH proposals. You may either update to 5.5.1, which
includes the fix, or try to apply the patch at [1] (won't apply cleanly
to any older version as it is
Hi Gyula,
> I'm running the test between two identical Debian 8.6 VMs.
> Both have the same version of strongSwan (v5.5.1), compiled with the
> same switches.
I was able to reproduce this in our testing environment. On the
responder you should have seen the following messages:
> [CHD] no
Hi Gyula,
> Thank you for the idea, but I'm using version 5.5.1 (see below).
I see. The other end might not, though.
Regards,
Tobias
Hi Marko,
> Shouldn't the same apply when you use wildcards then? Because in this
> case it is also not determined what the exact peer identity is, but
> still the INIT_CONTACT is being sent...?
The code currently just checks if there is an IDr before checking for
existing connections. With
Hi Marko,
> What is the reason for this ? Is it the expected behaviour ?
Yes, how could the client know that this is the first IKE_SA with the
peer if it doesn't know the peer's identity (rightid=%any)?
Regards,
Tobias
Hi Joy,
> Any new plugin for talking
> to the kernel would require a kernel_ipsec_t as well. Is this correct?
Yes.
Regards,
Tobias
Hi Don,
> I'm not sure what else to try, can anyone suggest?
If you are using Google's Project Fi, please have a look at [1].
Regards,
Tobias
[1]
https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClient#Known-LimitationsIssues
Hi John,
> ip address add dev lo 10.2.3.4/32
> ...
> Nov 17 10:56:43 127 daemon.info charon: 16[KNL] no local address found in
> traffic selector 10.2.3.4/32
> ...
> I'm using: Linux strongSwan U4.5.2/K3.4.113
That's really old. Back then loopback interfaces were not considered.
You need at
Hi,
> 1. Why does strongswan wait for the response in spite of assigning
> the IP requested by the client?
You configured `modeconfig=push`, so strongSwan pushed config attributes
to the client and waits for a response. If that's not what the client
expects change the config to
Hi Alex,
> But when there's no immediate path, e.g. if the only network adapter has
> a cable unplugged or if switching WiFi networks takes too long, the
> route is deleted and when an interface comes back up, it isn't re-added.
The latter should be the case if an interface that was down is
Hi Alex,
> All is working. I then unplug my network cable, wait a few seconds, and
> plug it back in. Now table 220 is empty. The tunnel still says it's
> connected, and I suppose it is - but because the route isn't there any
> more, I get no traffic over the VPN.
You should check the log with