Re: [strongSwan] Ubuntu CLI client works Network Manager fails

2017-12-01 Thread Tobias Brunner
Hi Alex, > # Where is this coming from ? The cert on vpn.york.ac.uk > lives on a host called vpn10.york.ac.uk > and has multiple SubjAlt Name entries for all > the real vpn servers we might want to use the cert on. > # Think this is "wrong " message,  > Dec  1 10:40:13 deadpool charon-nm: 06[TLS]

Re: [strongSwan] Ubuntu CLI client works Network Manager fails

2017-12-01 Thread Tobias Brunner
Hi Alex, > so you're saying that my radius server also needs to have vpn.york.ac.uk > as a SubjAltName in it as well ? Yes, that's one option. Not using the NM plugin is another. With the config files you can set the AAA identity to vpn.york.ac.uk so it matches the certificate (or %any so any i

Re: [strongSwan] Ubuntu CLI client works Network Manager fails

2017-12-04 Thread Tobias Brunner
Hi Alex, > So if my client is connecting to vpn.york.ac.uk, > the cert that needs installing is vpn.york.ac.uk > . So where, /etc/ipsec.d/aacerts /etc/ipsec.d/certs ? This refers to configuring the certificate in the GUI (in which case only that certificate is loaded, the certificates in the CA di

Re: [strongSwan] Lots of reconnections for a rekey/reauth, and packet drops

2017-12-05 Thread Tobias Brunner
Using auto=start on both ends in combination with uniqueids=yes and closeaction=restart is a bad idea. If a duplicate SA is created and that's detected and the duplicate is then closed this deletion will again trigger another SA, causing another duplicate and so on. Regards, Tobias

Re: [strongSwan] StrongSwan/Racoon interop issue: IDcr mismatch

2018-01-30 Thread Tobias Brunner
Hi Rich, > The problem: > > When Racoon is the initiator and the connections go through NAT, phase 2 > negotiation fails with the following error on the Racoon side: > >ERROR: mismatched IDcr was returned. With Transport Mode in NAT situations strongSwan will replace the received traf

Re: [strongSwan] StrongSwan/Racoon interop issue: IDcr mismatch

2018-01-30 Thread Tobias Brunner
Hi Rich, > I’m not clear on next steps, though — are you saying that this is expected > behaviour that can’t be worked around, or that the fix needs to be on the > racoon side? I think this is actually due to a bug in your strongSwan release. Back then we sent back the wrong IP address in one

Re: [strongSwan] Strongswan 5.5 - no private key found-

2018-02-09 Thread Tobias Brunner
Hi Rajeev, > Using DAVICI, I did make sure local.id is  "C=US, > O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E7:80" The comma between "Group" and "Inc." in the O RDN lets the identity string parser fail and this string will not be treated as ASN.1 DN but as opaque key ID

Re: [strongSwan] pki --verify Command

2018-02-12 Thread Tobias Brunner
Hi Jafar, > 2- "pki --verify --in certfile "  change it to use the "default" trust > store if no additional arguments  are supplied There is no "default" trust store. It very much depends on the configuration backend used by the daemon from where certificates are loaded automatically (if at all

Re: [strongSwan] pki --verify Command

2018-02-12 Thread Tobias Brunner
Hi Jafar, > I did write a script that does that but I thought it is very inefficient > since you have to sweep through CAs/CRLs with pki --print to figure out > the correct chain in order to use them with pki --verify. You can just pass it all the CA certs/CRLs you (or rather the daemon) trust.

Re: [strongSwan] pki --verify Command

2018-02-12 Thread Tobias Brunner
Hi Jafar, > If I omit the crl option completely no crl check takes place as expected: Yes, that would require adding the --online option. The --crl option automatically does that. > The crl command line options forces a crl check but the locally provided > crl is completely ignored even though

Re: [strongSwan] Accessing VPN client from private network

2018-02-13 Thread Tobias Brunner
Hi Marco, > VPN Client -> Gateway -> internal network with some servers > The VPN gets an IP from DHCP Server (i.e 192.168.1.100) > Gateway has IP 192.168.1.10, can ping the VPN client 192.168.1.100 > Pinging the VPN client from a server in the network (e.g. 192.168.1.20) does > not work. > > Wh

Re: [strongSwan] Using ipsec.conf with sql-pools

2018-02-15 Thread Tobias Brunner
Hi Mike, > Is it possible to use a sql ip pool from the ipsec.conf? Sure, just configure %nameofthepool in rightsourceip (see [1]). > If yes, are there examples or HowTo’s to set up a SQL-IP-Pool other than > the test scenarios? What are you missing in those examples? Regards, Tobias [1] http

Re: [strongSwan] osx Sierra ikev2 connection successful but no traffic

2018-02-15 Thread Tobias Brunner
Hi Karthik, > CHILD_SA vpn{2} established with SPIs c13091e4_i c869298c_o and TS > 10.244.15.1/32 === 0.0.0.0/32 This remote traffic selector (0.0.0.0/32) doesn't look right. This should probably be 0.0.0.0/0. Since your client config looks OK, check how the server is configured. Regards, Tob

Re: [strongSwan] Can strongSwan support "multiple IPv6 nodes behind NAT"?

2018-02-15 Thread Tobias Brunner
Hi, > 1). public node can create IPsec connection with 2 or more private nodes > behind NAT?  Sure. > 2). IPv6 behind NAT?  >       https://lists.libreswan.org/pipermail/swan/2018/002489.html shows > that libreswan does NOT support it because "Linux does not yet have > support for IPv6-ESP-in-UD

Re: [strongSwan] Accessing VPN client from private network

2018-02-15 Thread Tobias Brunner
Hi Marco, > FARP is configured on both client and gateway, and I can reach > all the internal network from the vpn client (ubuntu linux). > ... > Still pinging the vpn client from the internal network does not work. You mean you are able to e.g. ping hosts in the remote network from the client (i

Re: [strongSwan] PfsGroup

2018-02-20 Thread Tobias Brunner
Hi Chris, > Is that option maybe obsolete with IKEv2? After all, pfsgroup is listed under > "Removed parameters (since 5.0.0)": DH groups for IPsec SAs are configured differently for IKEv2 and since 5.0.0 also for IKEv1. They are added to ESP/AH proposals (esp/ah setting in ipsec.conf). If you

Re: [strongSwan] Migrating to a new ca

2018-02-22 Thread Tobias Brunner
Hi Dirk, > Is it possible to add a second connection definition that is identical > but has > conn win2018eapmschap > leftcert=serverCert2018.pem > leftid="C=DE, O=OUR COMPANY, CN=STRONGSWANSERVER2018" > > so that eap clients can connect to the server when they are equipped > with ei

Re: [strongSwan] Migrating to a new ca

2018-02-22 Thread Tobias Brunner
Hi Dirk, > left= in ipsec.conf only accepts one argument (ip,fqdn) while > connections..local_addrs in swanctl.conf allows multiple that is > a good reason to start with VICI :) This is the same for left and right. But migrating to swanctl.conf is still a good idea. Regards, Tobias

Re: [strongSwan] how to send/request the intermediate CAs?

2018-02-23 Thread Tobias Brunner
Hi Harri, > I had hoped that putting the whole chain into /etc/ipsec.d/certs/mycert.pem > would help, but apparently it doesn't. strongSwan reads only the first certificate from PEM encoded files. So put them in separate files. Regards, Tobias

Re: [strongSwan] how to send/request the intermediate CAs?

2018-02-26 Thread Tobias Brunner
Hi Harri, >>> I had hoped that putting the whole chain into /etc/ipsec.d/certs/mycert.pem >>> would help, but apparently it doesn't. >> >> strongSwan reads only the first certificate from PEM encoded files. So >> put them in separate files. >> > > This is unusual, is it? What is? > If I do, wi

Re: [strongSwan] "%d" of initiator_id of load-tester does not start from 1 but 2.

2018-02-27 Thread Tobias Brunner
Hi, > I am facing a problem of load-tester that "%d" of initiator_id did not > start from 1, but from 2. Yes, that's the case since 5.2.0 (since [1] to be exact). I pushed a fix to the load-tester-id branch. Is that really a problem, though? Regards, Tobias [1] https://git.strongswan.org/?p=st

Re: [strongSwan] PLUTO_XAUTH_ID trustworthy (by cert)?

2018-02-27 Thread Tobias Brunner
Hi Trevor, > Is PLUTO_XAUTH_ID (as passed to a user-defined updown script) 100% > trustworthy in an ikev2 / eap-tls / user certs connection scenario? > What I mean by that, is can it be selected, set, or spoofed by the > client? Yes, it's trustworthy. While the client can send an arbitrary value

Re: [strongSwan] how to send/request the intermediate CAs?

2018-02-27 Thread Tobias Brunner
Hi Harald, > I had hoped that putting the whole chain into > /etc/ipsec.d/certs/mycert.pem > would help, but apparently it doesn't. strongSwan reads only the first certificate from PEM encoded files. So put them in separate files. >>> >>> This is unusual, is it? >

Re: [strongSwan] Reply: "%d" of initiator_id of load-tester does not start from 1 but 2.

2018-02-28 Thread Tobias Brunner
Hi, > If the case you mentioned has been fixed in 5.2.1, I never said that. What I said is that the behavior changed with 5.2.0. But it has never been fixed, the fix can only be found in the load-tester-id branch, which I pushed yesterday, so no released version contains it. > What I concern a

Re: [strongSwan] PLUTO_XAUTH_ID trustworthy (by cert)?

2018-02-28 Thread Tobias Brunner
Hi Trevor, >>> So I then tried user certs to select on EAP identity in the user >>> cert. Set that up then finally found a couple of emails/sites that >>> said strongswan can't switch conns based on identity. >> >> That's not entirely true. If you delegate the authentication to a >> RADIUS ser

Re: [strongSwan] strongswan gateway does not send hash-link of its own certificate

2018-02-28 Thread Tobias Brunner
Hi Mike, > gateway ipsec.conf: > > ca %default >   certuribase=http://hashandurl.my-server.de/ >   auto=add If that's the only ca section in your config this won't work. The %default section is never loaded itself it only provides defaults for other sections of the same type. Also, defining a

Re: [strongSwan] strongswan gateway does not send hash-link of its own certificate

2018-03-01 Thread Tobias Brunner
Hi Mike, > What certificate is referenced by the cacert entry, the "leftcert ca" or the > "leftcert root ca" ? > Have all certificates in the certificate chain to be accessible from the > certuribase? Similar to CRL URIs, the configured base URI is only used for certificates that are immediate

Re: [strongSwan] strongswan gateway does not send hash-link of its own certificate

2018-03-01 Thread Tobias Brunner
Hi Mike, > Is the ca section of the ipsec.conf used only for ca-certificates or also for > the leftcert itself? > If so, what is the element cacert referring to? man ipsec.conf or [1]? Regards, Tobias [1] https://wiki.strongswan.org/projects/strongswan/wiki/CaSection

Re: [strongSwan] second connection from the same machine fails

2018-03-02 Thread Tobias Brunner
Hi Naveen, > 1) The second connection with the below configuration fails. The log message tells you why. The policies of the two connections conflict. While you don't get that error message with newer strongSwan releases (>= 5.3.0) it would not work properly as you'd still have two connections

Re: [strongSwan] how to send/request the intermediate CAs?

2018-03-05 Thread Tobias Brunner
Hi Harald, > Even if Strongswan ignores the additional certs, is it possible that > some crypto implementation *used* by Strongswan does not, but reads > all certificates found in the cert files (in /etc/ipsec.d)? Only the pem plugin reads PEM encoded files, and it only parses one credential per

Re: [strongSwan] dhcp plugin using CN or FQDN as the client host name?

2018-03-06 Thread Tobias Brunner
Hi Harald, > Question is, how can I tell charon's dhcp plugin to forward either > the FQDN or the CN from the DN entry in the dhcp request? You can't, the plugin simply uses the client's (IKE or EAP) identity, so it's up to the client to use the identity you want to see on the server. Regards, T

Re: [strongSwan] dhcp plugin using CN or FQDN as the client host name?

2018-03-06 Thread Tobias Brunner
Hi Harald, >>> Question is, how can I tell charon's dhcp plugin to forward either >>> the FQDN or the CN from the DN entry in the dhcp request? >> >> You can't, the plugin simply uses the client's (IKE or EAP) identity, so >> it's up to the client to use the identity you want to see on the server.

Re: [strongSwan] RSA_EMSA_PKCS1_SHA1 not acceptable

2018-03-13 Thread Tobias Brunner
Hi Mike, > If you need more installation or configuration details please let me know. The (complete) server config might help. Regards, Tobias

Re: [strongSwan] RSA_EMSA_PKCS1_SHA1 not acceptable

2018-03-13 Thread Tobias Brunner
Hi Mike, > I hope you mean the ipsec.conf only: > > Ipsec.conf: > config setup > charondebug="cfg 2, dmn 1, ike 1, net 1, job 0" > > conn %default > keyexchange=ikev2 > ike=aes256-sha256-modp2048,aes256-sha1-modp2048! > esp=aes256-sha256-modp2048,aes256-sha1-modp2

Re: [strongSwan] Diffie Hellman group 14 private exponent size

2018-03-13 Thread Tobias Brunner
Hi Mike, > We use in the ipsec.conf the configuration: >     ike=aes256-sha256-modp2048,aes256-sha1-modp2048! >     esp=aes256-sha256-modp2048,aes256-sha1-modp2048! > > How big is the size of the private exponent at least, or could a size of > 256 bits be guaranteed? Depends on the dh_expone

Re: [strongSwan] RSA_EMSA_PKCS1_SHA1 not acceptable

2018-03-19 Thread Tobias Brunner
Hi Mike, > Did you find something that could help us? You gave the answer basically yourself by considering the very old strongSwan version (which you claimed to be 5.5.3 on both ends in your original mail btw.). If you didn't stop there but e.g. checked the changelog [1] to see since when IKEv2

Re: [strongSwan] Prevent strongswan Initiator to reauthenticate

2018-03-19 Thread Tobias Brunner
Hi Alex, > I need to verify that a strongSwan Responder is initiating an > IKE SA reauthentication in case the Initiator doesn't. The responder might not be able to initiate a reauthentication (depends on the config, e.g. whether EAP or virtual IPs are used). > Therefore, would you see

Re: [strongSwan] connecting identities get always the same ip from sql-pool

2018-03-19 Thread Tobias Brunner
Hi Mike, > But after disconnecting, waiting 15 seconds and connecting again in the > reversed order, each roadwarrior gets the IP as it got in the first > connection order. Offline leases for the same identity are reused (you see "acquired existing lease for address ... in pool '...'" in the log).

Re: [strongSwan] Android Ciphers

2018-03-19 Thread Tobias Brunner
Hi, > I am not able to establish a connection with the Android app yet and so > have no proposed ciphers in my log. Did you check the server log? > I infer that which ciphers are supported by the app depends on the > Android kernel, at least for encryption. No, IPsec is handled completely in use

Re: [strongSwan] One to Many VPN (Host-Host)

2018-03-19 Thread Tobias Brunner
Hi, > I've made its cert with --san quantum-equities.com,cygnus.darkmatter.org, > because the LAN gateway is known outside as quantum-equities.com and the > IPSec gateway is known in the LAN as cygnus.darkmatter.org. That syntax is not valid. Just use --san multiple times for each SAN (as the

Re: [strongSwan] One to Many VPN (Host-Host)

2018-03-19 Thread Tobias Brunner
Hi, > I'm looking to VPN every machine in a LAN.  I infer that this would be > something like a host-to-host config. Did you have a look at the trap-any scenario? Regards, Tobias [1] https://www.strongswan.org/testing/testresults/ikev2/trap-any/

Re: [strongSwan] Strong swan IKE issue.

2018-03-19 Thread Tobias Brunner
Hi Andrii, > I see the problem on IKE side, but don’t know how to debug and fix it. The log tells you _exactly_ what the problem is: > 12[ENC] parsed INFORMATIONAL_V1 request 2090615229 [ HASH N(NO_PROP) ] > 12[IKE] received NO_PROPOSAL_CHOSEN error notify The peer doesn't like the crypto propo

Re: [strongSwan] One to Many VPN (Host-Host)

2018-03-20 Thread Tobias Brunner
Hi, >>> I also tried to set --dn "C=US, O=Quantum, >>> CN=quantum-equities.com,cygnus.darkmatter.org" -- but strongswan pki wasn't >>> having it so I had to settle for just quantum-equities.com. >> That's because commas separate RDNs (and `cygnus.darkmatter.org` is no >> proper RDN) and strongSw

Re: [strongSwan] Strong swan IKE issue.

2018-03-20 Thread Tobias Brunner
Hi Andrii, ike-scan won't help you here as it only reports on Phase 1 (IKE SA), but your problem is during Phase 2 (Quick Mode, IPsec SA). > Remote side is not supporting pfs. > > IKE Phase One Parameters: > Encryption Algorithm: AES 256 > Hash Algorithm: SHA > Authentication

Re: [strongSwan] Strong swan IKE issue.

2018-03-21 Thread Tobias Brunner
Hi Andrii, > Remote side is asking  disable PFS Group 5: > > PFS Group 5 is not configured on our end and is not enabled by default. > If this is currently required on the Andrii end then we will open a > change to have this added. >   > Can it cause this problem? Sounds strange, as you

Re: [strongSwan] IKE2 4500 Reply Not Making it Out

2018-03-23 Thread Tobias Brunner
Hi, > No port 4500 packet hitting its own interface.  Only a keep-alive. That's the only packet that's sent from port 4500 (as also stated in the log, where it clearly states that a keep-alive is being sent, nothing else). Since no request to port 4500 ever makes it to the daemon (the log tells yo

Re: [strongSwan] infinite loop for ipsec up/down command

2018-03-23 Thread Tobias Brunner
Hi Marco, > I'm running strongswan 5.6.2 on Slackware linux 64 bit Check the current master. It includes fixes for issues like these (see [1]). Regards, Tobias [1] https://wiki.strongswan.org/issues/2536

Re: [strongSwan] Clarifying behaviour around NAT-T and remapping

2018-03-23 Thread Tobias Brunner
Hi Rich, > 1. IKE and ESP SAs are established normally with NAT-T, i.e. 500:4500. > 2. NAT remapping occurs within Azure, at which point StrongSwan sees IKE > packets come from port 1027 instead of 500. (i.e. instead of 500:500 it’s > 500:1027). And what happens to port 4500? Why would there e

Re: [strongSwan] Seemingly bogus scope id for FreeBSD strongswan 5.0.4

2013-07-30 Thread Tobias Brunner
ngswan.git;a=commitdiff;h=f5fe52bf >From 9577915278ccc7f78ddf6690698392951c515e3f Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Tue, 30 Jul 2013 18:44:50 +0200 Subject: [PATCH] host: Properly initialize struct sockaddr_in[6] when parsing strings --- src/libstrongswan/networking/host.c |

Re: [strongSwan] NAT mappings of ESP CHILD_SA changed !!!

2013-08-20 Thread Tobias Brunner
Hi, > Looks like the Second Solution is Not working. Even though I configured > /etc/strongswan.conf with charon.keep_alive = 0 on both initiator and > responder, it looks like this configuration is Not reflecting at all. > Still I see Keep-alive Packets are going over Standard NAT-T Ports every >

Re: [strongSwan] about strongSwan VPN Client for Android 4.x

2013-08-21 Thread Tobias Brunner
> Now I am learning IPsec. So I built a strongSwan server and use > the VPN Client for Android 4.x for testing. Otherwise I want to learn > the process of VPN Client for Android. But I don't find a link to load > the code. > Thus, I wonder if you can send me a set of code about VPN Client f

Re: [strongSwan] Question about source route

2013-08-21 Thread Tobias Brunner
Hi, > On debugging, I noticed that strongSwan on the gateway detects that there > is a NAT and tries to detect NAT mapping changes via DPD. The pkt that > it sends out however > has a source address of 192.168.1.1, which cannot reach the 10.8.14.111 > address. It should have used the 192.168.10.8 a

Re: [strongSwan] Strongswan receive signal 11 on PPC even with mlongcall

2013-08-30 Thread Tobias Brunner
Hi Barry, The following is the instruction that causes the segmentation fault: > 0x1fc7a174 <+84>:lwz r25,0(r5) Register r5 stores the third argument to the function (p), which is not defined if group is not MODP_CUSTOM (neither is the second argument, g, but apparently it doesn't point

Re: [strongSwan] StrongSwan looses connection when reauthenticating

2013-08-30 Thread Tobias Brunner
Hi Uwe, > All my initiators are behind NAT without a Port forwarding, so this > would make sense. No port forwarding is required if the client originally initiated the connection. The NAT mapping should still be alive during the short time the client will not send NAT keep-alives during a reauth

Re: [strongSwan] Strongswan as a VPN Hub with a single network adapter

2013-08-30 Thread Tobias Brunner
Hi Kevin, > The routing on the 10.4.0.0 spoke is configured that any communication > to the following subnets > 10.30.0.0/16,10.7.0.0/16,10.6.0.0/16,10.3.0.0/16,172.16.0.0/16 > will be routed to the Strongswan VPN gateway public IP (I've yet to > setup the tunnels for 10.30.0.0, 10.7.0.0 and 10.3.

Re: [strongSwan] ikev2 vpn using PKI auth with a Blackberry Z10

2013-09-03 Thread Tobias Brunner
Hi, You didn't write what strongSwan version you are using. But I suspect it's something like 4.5.2, certainly before 4.6.3 because this problem here > Sep 3 21:39:19 firebrand charon: 12[ENC] invalid X509 hash length (0) > in certreq > Sep 3 21:39:19 firebrand charon: 12[ENC] CERTIFICATE_REQU

Re: [strongSwan] ikev2 vpn using PKI auth with a Blackberry Z10

2013-09-05 Thread Tobias Brunner
Hi, > It looks like I can't communicate with the server at all from the z10, > and vice versa. I will try and work this out on my own when I have more > time. Let me know if you have any suggestions to improve my current config. leftsourceip has no effect on the server. Due to your leftsubnet

Re: [strongSwan] Android Client - issue on long running connection

2013-09-20 Thread Tobias Brunner
Hi André, > 09-19 09:11:30.800 I/charon (12923): 16[NET] received packet: from > X.Y.Z.65[4500] to 10.27.3.195[49398] (1836 bytes) > 09-19 09:11:30.800 I/charon (12923): 16[ENC] parsed IKE_AUTH response 1 [ > IDr CERT AUTH CP(ADDR ADDR6 DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ] > 09-19 09:

Re: [strongSwan] Strongswan Android client could not log in (VPN otherwise working for Win7)

2013-09-23 Thread Tobias Brunner
Hi Lawrence, > barney etc # grep eap /etc/ipsec.conf > rightauth=eap-mschapv2 > eap_identity=%any When you select "IKEv2 Certificate + EAP" on the client what you actually want on the server is: leftauth=pubkey rightauth=pubkey rightauth2=eap-mschapv2 ea

Re: [strongSwan] Extra EAP options for Strongswan android app

2013-09-25 Thread Tobias Brunner
Hi Lance, > It is said that the strongswan android app only supports EAP-MSCHAPv2, > EAP-MD5 and EAP-GTC. > > If I build the code myself, can I add extra EAP types to the configure > script ? -- say EAP-TLS Theoretically yes, but the EAP-TLS method in particular is not an EAP method in the app'

Re: [strongSwan] Problem with android app when using keys for either end

2013-10-02 Thread Tobias Brunner
Hi Robert, Please don't cross-post issues. I responded at [1]. Regards, Tobias [1] http://wiki.strongswan.org/issues/425 ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Mac OS X Application Configuration Help

2013-10-15 Thread Tobias Brunner
Hi Dan, > parsed IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ] > no trusted RSA public key found for 'vpn.enrfin.com' It looks like you configured leftsendcert=never, that is, the gateway does not send its certificate. Either remove that option or try installing the gateway certificate as trusted

Re: [strongSwan] ipsec policy priority

2013-10-15 Thread Tobias Brunner
Hi Max, > As result have policy: > >src 192.168.3.0/24 dst 192.168.5.0/24 > >dir out priority 1859 > >tmpl src 77.72.134.75 dst 195.96.165.70 > >proto esp reqid 16412 mode tunnel > >src 192.168.3.0/24 dst 192.168.0.0/18 > >dir out priority 1859 > >

Re: [strongSwan] How to access server side's private subnet via remote access

2013-10-15 Thread Tobias Brunner
Hi Kris, > The server has public IP on eth0, private subnet 10.11.1.0/24 on eth1, > how can I configure strongSwan to let my remote VPN client access > 10.11.1.0/24, or does it require some other iptables firewall tweaks? Please have a look at [1]. Regards, Tobias [1] http://wiki.strongswan.org

Re: [strongSwan] Mac OS X Application Configuration Help

2013-10-15 Thread Tobias Brunner
Hi Dan, > The server side is configured with leftsendcert=never (took some time to > confirm that). I think that the server presents the cert, but my Mac > doesn't trust it, despite having the CA cert in the keychain (and set to > be universally trusted). No, with leftsendcert=never the server d

Re: [strongSwan] Mac OS X Application Configuration Help

2013-10-16 Thread Tobias Brunner
Hi Dan, > What I meant to write was "The server side is *not* configured with > leftsendcert=never" I see :) > I'm considering this resolved, even with the slight mystery > around it not working with the lack of config. No mystery at all, actually. I now had a look at the code of charon-xpc an

Re: [strongSwan] Reply-Message as banner?

2013-10-28 Thread Tobias Brunner
Hi Kris, > Is it possible to use received Reply-Message from RADIUS backend as > UNITY banner? No, currently not. Please have a look at [1] for a list of forwarded attributes. Regards, Tobias [1] http://wiki.strongswan.org/projects/strongswan/wiki/EapRadius#RADIUS-attribute-forwarding

Re: [strongSwan] ipsec doesn't honor environment variables

2013-10-30 Thread Tobias Brunner
Hi Igor, > So from reading the man page I would expect that I can set IPSEC_CONFDIR > and when I invoke ipsec, that it would use my defined IPSEC_CONFDIR > variable. None of the programs called by the ipsec script (starter, stroke, etc.) currently use any of these environment variables, instead t

Re: [strongSwan] Allowing Certain Ranges to use certain PSK in ipsec.secrets

2013-11-05 Thread Tobias Brunner
Hi Adrian, > Is it possible to setup ipsec.secrets to allow only certain subnets to > use certain PSKs > > 24.177.*.* : PSK “tempskforme” > > Is this at all possible? How can I control which subnets are allowed to > access my GW? With the just released strongSwan 5.1.1 this should be possible.

Re: [strongSwan] VPN works with only 1 remote client. second client logs in and disconnects the first.

2013-11-06 Thread Tobias Brunner
Hi Lawrence, It's not the XAuth users but the certificate's DN that is equal and causes the deletion of the previous SA: > Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[3] 166.147.65.85:28107 > #3: Peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=win7.mycompany.local' > Nov 5 12:16:19 vmwar

Re: [strongSwan] Deadlocked strongswan.

2013-11-07 Thread Tobias Brunner
Hi Guru, Thanks for the detailed report. It is in fact a deadlock caused by thread 3 holding the lock in bus.c and trying to acquire the lock in trap_manager.c that is currently being held by thread 14, which in turn wants to acquire the lock in bus.c held by thread 3. This situation may occur i

Re: [strongSwan] Centos6.5, building SS 5.1.1 or 5.1.2dr2 fails

2013-12-19 Thread Tobias Brunner
Hi Kimmo, > Did not help, are there any other patches for this issue? I successfully built strongSwan 5.1.1 (without the patch) on a freshly installed and fully updated CentOS 6.5 (2.6.32-431.1.2.0.1.el6.x86_64). Regards, Tobias

Re: [strongSwan] Centos6.5, building SS 5.1.1 or 5.1.2dr2 fails

2013-12-20 Thread Tobias Brunner
Hi Kimmo, > update 2: fixed the issue, capabilities.h is the one that needs fixing. Interesting. Here is a quote from the sys/capability.h header on CentOS 6.5 that is included by utils/capabilities.h: > #include > #include > > /* > * Make sure we can be included from userland by preventing

Re: [strongSwan] Tunnel setup rate is very slow with ECDH (openssl) than MODP (gmp)

2014-01-30 Thread Tobias Brunner
Hi Chinmaya, > Program terminated with signal 6, Aborted. > #0 0x00555abfbda0 in raise () from /lib64/libc.so.6 > (gdb) bt > #0 0x00555abfbda0 in raise () from /lib64/libc.so.6 > #1 0x00555ac0069c in abort () from /lib64/libc.so.6 > #2 0x00555abf3388 in __assert_fail () from /l

Re: [strongSwan] strongswan check integrity failed with aes128-sha384-modp2048 or aes128-sha512-modp2048

2014-02-24 Thread Tobias Brunner
Hi, > but if they choose the proposals aes128-sha384-modp2048 or > aes128-sha512-modp2048, Wireshark's check of the ike messages (captured from > the two strongswan servers) integrity checksum data fails; This is due to a bug in Wireshark. They use SHA-256 to compute the SHA-384 and SHA-512 ICVs for IKE

Re: [strongSwan] Unable to parse certs on smart card

2014-03-06 Thread Tobias Brunner
Hi Stephen, > loaded plugins: charon *pkcs11* aes des rc2 sha1 sha2 md5 random nonce > *x509* revocation constraints pubkey *pkcs1* pkcs7 pkcs8 pkcs12 pgp > dnskey sshkey *pem* fips-prf gmp xcbc cmac hmac attr kernel-netlink > resolve socket-default stroke updown xauth-generic In general, the o

Re: [strongSwan] Support of PFS for IKE SA

2014-03-11 Thread Tobias Brunner
Hi Arun, The pfs option has no effect on IKEv2 connections. It's an option used by the legacy IKEv1 daemon pluto, where it only affected Quick Mode SAs because ISAKMP SAs are always reestablished from scratch, so there always is a DH exchange. IKEv2 does support inline rekeying of IKE_SAs (reaut

Re: [strongSwan] Strongswan to Sonicwall 5500, INVALID_SYNTAX error establishing CHILD_SA

2014-04-14 Thread Tobias Brunner
Hi Harvinder, > leftsourceip=10.0.33.17 This is probably not what you want (or what the Sonicwall expects). If you configure an IP like that charon will send it in a configuration payload to the gateway to request it as virtual IP [1]. If you simply want to use that IP inside the tunnel

Re: [strongSwan] Is there any way to avoid read lock in high load?

2014-05-02 Thread Tobias Brunner
Hi Chinmaya, > Even if nobody is listening for these logs, vlog acquires the log > lock. Fixed two weeks ago [1]. Details can be found in this [2] thread on the dev mailing list. Regards Tobias [1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=73c33ff42 [2] https://lists.strongswa

Re: [strongSwan] ipsec.conf:: rightca= ?

2014-05-05 Thread Tobias Brunner
Hi Mark, > 17:03:45 06[CFG] CA certificate *"C=US, O=Entrust, Inc., > OU=www.entrust.net/rpa is incorporated by > reference, OU=(c) 2009 Entrust, Inc., CN=Entrust Certification Authority > - L1C" not found, discarding CA constraint* That's due to a limitation of the DN string parser: It can't ha

Re: [strongSwan] ipsec.conf strongswan.conf on Android

2014-05-28 Thread Tobias Brunner
Hi Peter, > I have compiled the strongswan source using the Android (ARM) make > system (using Android.mk instead of the Linux autoconf Makefiles) with > the intent of running it on Android the same way like it does on an > Ubuntu PC. Unless you run strongSwan on a rooted device (possibly with a

Re: [strongSwan] ipsec.conf strongswan.conf on Android

2014-05-29 Thread Tobias Brunner
Hi Peter, > I used the strongswan-1.5.2 source. Then copied over the missing > file src/libimcv/Android.mk from git checkout of 5.1.2RC1 code base. Do you mean strongswan-5.1.2? And the fix from 5.2.0dr2? Why didn't you use 5.1.3 (the latest stable release)? > Place the strongswan-1.5.2 direc

Re: [strongSwan] ipsec.conf strongswan.conf on Android

2014-05-29 Thread Tobias Brunner
Hi Peter, > This call is invoked from strongswan/src/pki/pki.c. I see in other > places of the source, this call can be replaced by adding > #ifdef HAVE_GEPTASS to replace 'secret = getpass(buf);' > with 'secret = "";' Is this the right thing to do? Unfortunately, until we have a portable replace

Re: [strongSwan] rightsubnet with "::/1, 8000::/1" causes updown script failure

2014-06-25 Thread Tobias Brunner
Hi Matthias, > The problem here is not the updown script itself but higher up in the > chain already. The caller should not pass %any6 as a parameter. That is > unsupported by the script and clearly a bug in the calling code. That's > all that needs fixing. ;) Should be fixed by [1]. Regards, To

Re: [strongSwan] xauth-pam fails with android client

2014-06-30 Thread Tobias Brunner
Hi Carl, > Have xauth-pam working great with an OS X Mavericks client, but when > connecting from Android 4.4.2 with the same shared key and credentials > it fails. If I configure strongswan to use xauth-generic and the same > password but as a secret in ipsec.secret then it works, it's only > xauth

Re: [strongSwan] "no peer config found" but it's all there. What's wrong here?

2014-07-11 Thread Tobias Brunner
Hi Jakob, > charon: 06[CFG] peer config match remote: 0 (ID_KEY_ID -> 6b:72:30:35) The peer identity types don't match, the client uses ID_KEY_ID whereas you use FQDN with your rightid setting of > rightid=kr05 Try the following to force the identity type to ID_KEY_ID: rightid=@#6
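
The point of the reply is that an identity comparison fails on the identity *type* before any bytes are compared: the client sends ID_KEY_ID while a bare rightid=kr05 is parsed as an FQDN. Note that 6b:72:30:35 is the ASCII encoding of "kr05", so the same four bytes are on both sides and only the type differs. The following is an added example, not strongSwan code: a simplified model of how leftid/rightid strings are typed and matched. The "@#6b723035" value is an assumed completion of the truncated rightid in the reply; the wildcard and DN-subset matching strongSwan also supports are not modelled.

```python
"""Identity typing and matching for ipsec.conf leftid/rightid (added example)."""
import ipaddress
import re

ID_ANY = 'ID_ANY'
ID_FQDN = 'ID_FQDN'
ID_RFC822_ADDR = 'ID_RFC822_ADDR'
ID_IPV4_ADDR = 'ID_IPV4_ADDR'
ID_IPV6_ADDR = 'ID_IPV6_ADDR'
ID_DER_ASN1_DN = 'ID_DER_ASN1_DN'
ID_KEY_ID = 'ID_KEY_ID'

# Constructed from the log line quoted in the reply.
LOG_LINE = 'charon: 06[CFG] peer config match remote: 0 (ID_KEY_ID -> 6b:72:30:35)'


def parse_identity(s):
    """Type a leftid/rightid string the way the reply describes.

    "%any"        -> ID_ANY          "@#<hex>"  -> ID_KEY_ID (raw bytes)
    "@name"       -> ID_FQDN         "C=CH, ..." -> ID_DER_ASN1_DN (kept as text here)
    "192.0.2.1"   -> ID_IPV4_ADDR    "user@host" -> ID_RFC822_ADDR
    anything else -> ID_FQDN (a bare name such as "kr05"; no DNS lookup)
    """
    s = s.strip()
    if s in ('', '%any'):
        return (ID_ANY, b'')
    if s.startswith('@#'):
        return (ID_KEY_ID, bytes.fromhex(s[2:]))
    if s.startswith('@'):
        return (ID_FQDN, s[1:].encode())
    if '=' in s:
        return (ID_DER_ASN1_DN, s.encode())
    try:
        ip = ipaddress.ip_address(s)
        return (ID_IPV4_ADDR if ip.version == 4 else ID_IPV6_ADDR, ip.packed)
    except ValueError:
        pass
    if '@' in s:
        return (ID_RFC822_ADDR, s.encode())
    return (ID_FQDN, s.encode())


def parse_logged_id(log_line):
    """Extract (type, bytes) from a 'peer config match' log line."""
    m = re.search(r'\((ID_[A-Z0-9_]+) -> ([0-9a-f:]+)\)', log_line)
    if not m:
        raise ValueError('no identity in log line')
    return (m.group(1), bytes.fromhex(m.group(2).replace(':', '')))


def identity_matches(configured, received):
    """Simplified peer-config match: %any matches all, else type, then bytes."""
    ctype, cval = configured
    rtype, rval = received
    if ctype == ID_ANY:
        return True
    if ctype != rtype:               # FQDN "kr05" vs KEY_ID b"kr05": mismatch here
        return False
    if ctype in (ID_FQDN, ID_RFC822_ADDR):
        return cval.lower() == rval.lower()   # names compare case-insensitively
    return cval == rval


if __name__ == '__main__':
    received = parse_logged_id(LOG_LINE)
    for rightid in ('kr05', '@kr05', '@#6b723035', '%any'):
        print('%-12s %-16s match=%s' % (rightid, parse_identity(rightid)[0],
                                        identity_matches(parse_identity(rightid), received)))
```

Running it shows rightid=kr05 and rightid=@kr05 both typed as ID_FQDN and failing against the received ID_KEY_ID, while the "@#" form (or %any) matches. The hex in the log is the quickest way to see what type and bytes the peer actually sent.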

Re: [strongSwan] Small Problems with 5.2

2014-07-11 Thread Tobias Brunner
Hi Martin, > @Tobias: What do you think about reverting [1]? Could we use a less > aggressive mechanism to close these FDs for Android? I guess we could. I don't remember what the problem was exactly, probably that charon was still attached to the shell somehow. Looking at the time stamp, this

Re: [strongSwan] Small Problems with 5.2

2014-07-16 Thread Tobias Brunner
Hi Dirk, >> Not sure why the behavior changed between 5.1.3 and 5.2.0 in this >> regard; likely that it is related to the replaced ipsec.conf parser. > > It's probably the new parser. > Checking the logs on the gateway running 5.1.3 I discovered that the > rightsendcert = never wasn't honoured f

Re: [strongSwan] Small Problems with 5.2

2014-07-16 Thread Tobias Brunner
Hi Dirk, Not sure why the behavior changed between 5.1.3 and 5.2.0 in this regard; likely that it is related to the replaced ipsec.conf parser. >>> >>> It's probably the new parser. >>> Checking the logs on the gateway running 5.1.3 I discovered that the >>> rightsendcert = never wasn't h

Re: [strongSwan] Android Compilation issues with 5.2.0-rc1

2014-07-24 Thread Tobias Brunner
Hi Andre, > diff --git a/src/include/linux/types.h b/src/include/linux/types.h > index 22cfdc0..02e5719 100644 > --- a/src/include/linux/types.h > +++ b/src/include/linux/types.h > @@ -9,22 +9,22 @@ > > typedef __u32 __kernel_dev_t; > > -typedef __kernel_fd_setfd_set; > +//type

Re: [strongSwan] StrongSwan Android App

2014-08-11 Thread Tobias Brunner
Hi Noel, > I just noticed, that the strongSwan app still displays the tunnel as > active, although a CHILD rekey event failed, because of a DH > group/algorithm mismatch. As long as the original CHILD_SA is still established the connection is not broken, so displaying the connection as active is

Re: [strongSwan] Fwd: strongSwan 1.4.0 Log File

2014-08-12 Thread Tobias Brunner
Hi Claude, > The phone is a Sony Xperia Z1C with Android 4.4.2. The app won't work properly on 4.4 before 4.4.3, see [1] and related issues. > Aug 12 13:38:37 00[JOB] spawning 16 worker threads Hm, never seen it stop so early. Does that happen every time? What about after a reboot of the phon

Re: [strongSwan] Fwd: strongSwan 1.4.0 Log File

2014-08-13 Thread Tobias Brunner
Hi Claude, > Yes, I still get the exact same error after reboot. Hm, strange. Not sure what changes could have caused that. And it actually runs fine in the 4.4.2 emulator image, at least until [1] is hit (I have no real device that still runs on 4.4.2 to test it). > So I have to downgrade str

Re: [strongSwan] Fwd: strongSwan 1.4.0 Log File

2014-08-13 Thread Tobias Brunner
Hi David, > We also can't create a tunnel again after > disconnecting without rebooting the device. As mentioned, that's a known issue on Android 4.4 before 4.4.3 [1]. Regards, Tobias [1] https://wiki.strongswan.org/issues/462 ___ Users mailing list U

Re: [strongSwan] Bypass policies have too low priority

2014-08-21 Thread Tobias Brunner
Hi Noel, > I use bypass policies and just found out that strongSwan installs those with > a lower priority than the tunnel policies. > So bypass policies don't actually work sometimes. The Linux kernel actually prefers policies with lower priorities (by their numeric value). > In this particul
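
To make the priority rule concrete: among all XFRM policies whose selector matches a packet, the kernel applies the one with the numerically lowest priority value, so a bypass policy only wins if its number is smaller than that of every tunnel policy that also matches. The following is an added example, not kernel or strongSwan code. The policies, addresses and priority numbers are constructed for illustration and are not the values strongSwan assigns; equal-priority ties are not modelled.

```python
"""XFRM-style policy lookup: lowest numeric priority wins (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src: str        # selector source, CIDR
    dst: str        # selector destination, CIDR
    proto: int      # IP protocol, 0 = any
    direction: str  # 'in', 'out' or 'fwd'
    action: str     # 'tunnel' (protect) or 'bypass' (passthrough)
    priority: int   # kernel prefers the smaller number

    def matches(self, src_ip, dst_ip, proto, direction):
        return (direction == self.direction
                and (self.proto == 0 or self.proto == proto)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


def lookup(spd, src_ip, dst_ip, proto, direction):
    """Return the policy the kernel would apply, or None if nothing matches."""
    candidates = [p for p in spd if p.matches(src_ip, dst_ip, proto, direction)]
    if not candidates:
        return None
    return min(candidates, key=lambda p: p.priority)


def chosen_action(spd, src_ip, dst_ip, proto, direction='out'):
    """'tunnel', 'bypass' or 'none' for the given packet."""
    p = lookup(spd, src_ip, dst_ip, proto, direction)
    return p.action if p else 'none'


# Constructed SPD: a /24-to-/24 tunnel and a more specific TCP bypass to one host.
TUNNEL = Policy('10.1.0.0/24', '10.2.0.0/24', 0, 'out', 'tunnel', 2000)
BYPASS_WEAK = Policy('10.1.0.0/24', '10.2.0.10/32', 6, 'out', 'bypass', 3000)   # larger number: loses
BYPASS_FIXED = Policy('10.1.0.0/24', '10.2.0.10/32', 6, 'out', 'bypass', 1000)  # smaller number: wins

if __name__ == '__main__':
    pkt = ('10.1.0.5', '10.2.0.10', 6)
    print('bypass at 3000 ->', chosen_action([TUNNEL, BYPASS_WEAK], *pkt))
    print('bypass at 1000 ->', chosen_action([TUNNEL, BYPASS_FIXED], *pkt))
```

The more specific selector of the bypass policy does not help by itself; only its priority number decides. On a real host the installed values can be read with `ip xfrm policy` (each entry prints its priority), which is the check to run when a passthrough connection appears to be ignored.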

Re: [strongSwan] [IKEv2 Mobike] error uninstalling route installed with policy

2014-08-21 Thread Tobias Brunner
Hi Amy, > Does this error cause ping to fail? > error uninstalling route installed with policy > 192.168.168.0/24 === 172.16.1.20/32 fwd That's normal. Because the interface that was referenced in this route (eth1) disappeared, the route was already removed by the kernel when charon eventually tries

Re: [strongSwan] [IKEv2 Mobike] error uninstalling route installed with policy

2014-08-22 Thread Tobias Brunner
Hi Amy, > I don't know how to add DBG statements to get_replay_state() for I don't > quite know the C language, could you give me some DBG statements? You can try the attached patch. You'll have to compile strongSwan from sources [1] and apply the patch after extracting the tarball with: patc

Re: [strongSwan] Limit path MTU of IPsec between hosts

2014-08-22 Thread Tobias Brunner
Hi Noel, > Is there a way to limit the mss that is encapsulated into the ESP packets > and/or cause fragmentation on either of the endpoints? You can do so via iptables [1] or the patches at [2]. Regards, Tobias [1] http://lartc.org/howto/lartc.cookbook.mtu-mss.html [2] https://wiki.strongswan.

Re: [strongSwan] Need help in compilation at kernel 2.4

2014-08-22 Thread Tobias Brunner
Hi Vivek, > I have a server with kernel 2.4.21-47.EL. and I > need to install strongswan on that… As far as I can tell that kernel includes a backported version of the NETKEY stack from the 2.6+ kernel. So you should be able to use a current strongSwan release. Regards, Tobias

Re: [strongSwan] user certificate could not be found via windows 7 vpn connect

2014-08-26 Thread Tobias Brunner
Hi Johannes, > # create pubkey for win7 "klapperkasten" > ipsec pki --pub --in /etc/ipsec.d/private/klapperkastenKey.pem | ipsec > pki --issue --cacert /etc/ipsec.d/cacerts/caCert.der --cakey > /etc/ipsec.d/private/caKey.der --dn "C=DE, O=Heim, CN=klapperkasten" > --san klapperkasten --san "192.16
