Hi Nathan,
> In the logs I can see that the private key seems to be loaded correctly:
>
> Jul 19 19:01:53 SuperSam charon: 14[CFG] loading secrets from
> '/etc/ipsec.secrets'
> Jul 19 19:01:53 SuperSam charon: 14[CFG] found key on PKCS#11 token
> 'opensc':0
> Jul 19 19:01:53
Hi Nathan,
> The ids match! So it should be fine!
Only with strongSwan >= 5.5.1, with older releases the cert/key has to
be stored using a CKA_ID that matches the SPKI (i.e. your cert/key with
CKA_ID 3 would never be used).
> Any other help on why this does possibly not work?
Do you have
Hi Vincent,
> We are facing this issue too :
>
> https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1772705
You are not, that bug has been fixed.
> `systemd-resolve --status` show the correct DNS servers in the correct
> order (1st got from the VPN, 2nd from the local DHCP)
There you
Hi Nathan
> charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
> charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
> charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255
> dnsmasq-dhcp[27740]: DHCPDISCOVER(eth1) 7a:a7:33:54:e9:78
> dnsmasq-dhcp[27740]: DHCPOFFER(eth1)
Hi James,
> So I moved to Strongswan 5.6.2 during a distribution upgrade.
What distribution? What was the previous version? Do you still have
the same plugins installed and enabled?
> My simple
> setup no longer routes back to the client (I can see the incoming pings
> on the server, but
Hi Alexander,
> Interestingly enough, there are different error messages. When connecting
> with Linux, the key parts of the log seem to be:
>
> Jul 18 15:05:56 below charon: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V
> ]
> Jul 18 15:05:56 below charon: 07[CFG] looking for an ike config
Hi Sven,
> In your example scenario the CA has the policy set too.
> I'm a bit unsure if this is necessary, because RFC 5280 in section
> 4.2.1.4 (Certificate Policies) states:
>
> "When a CA does not wish to limit the set of policies for certification
> paths that include this certificate,
Hi Sven,
> In other words:
> I have to change the code to make it work this way.
> At least the attr-sql plugin code.
>
> Is this correct?
You can try and see what happens if you don't (i.e. just change the DB).
But I guess you have to change some code.
Regards,
Tobias
Hi Marco,
> After nearly 2 months it happened again:
>
> ts-20.96.144.0{126302}: INSTALLED, TUNNEL, reqid 244, ESP SPIs: cd63dff4_i
> 5215984b_o
> ts-20.96.144.0{126302}: AES_CBC_256/HMAC_SHA2_256_128/ECP_384, 2988620
> bytes_i (6591 pkts, 314s ago), 2048852 bytes_o, rekeying in 5 hours
>
Hi Christian,
> You say on [1] that "The native iOS and OS X clients are known to work
> fine with multiple authentication rounds.", yet I have the server
> configured with multiple rounds using xauth but OSX is only requesting EAP
XAuth is only for IKEv1
EAP is only for IKEv2 (unless the
Hi,
> Jul 9 19:24:05 powerwall-34 charon: 04[CFG] received proposals:
> ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
> Jul 9 19:24:05 powerwall-34 charon: 04[CFG] configured proposals:
> ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
> ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
>
> Tue Jul 10 08:44:05 2018 (GMT -0400): [SRX5308] [IKE] INFO: Sending
> Informational Exchange: notify
> payload[ATTRIBUTES-NOT-SUPPORTED]
> Tue Jul 10 08:44:05 2018 (GMT -0400): [SRX5308] [IKE] ERROR: mismatched ID
> was returned.
I suppose this means it doesn't like the returned subnets.
Hi Christian,
> Why would it fail after getting an approved access from RADIUS
>
> ...
> 12[IKE] EAP method EAP_MSCHAPV2 succeeded, no MSK established
If the EAP method is key-generating, which EAP-MSCHAPv2 is, the
authentication will not succeed without an MSK, which the RADIUS server
should
Hi Harald,
> Jul 13 13:35:57 16[IKE] expected a virtual IP request,
> sending FAILED_CP_REQUIRED
As you already noted, the printer doesn't request a virtual IP. Either
change that, or modify your config so the server doesn't expect the
printer to request one (i.e. remove rightsourceip and
Hi Harald,
> Which one is right? Is the '@' obsolete today? Apparently the PskSecret page
> is pretty old.
Since what you configure before the : are identities, see [1].
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing
Hi Sven,
> The name in the database matches the name the user configured in
> their settings. So this is very error-prone.
>
> Is it possible to match here case insensitive?
> Or any other ideas?
The `data` column of the `identities` table in the default schema uses a
binary type (BLOB or
Hi Mike,
> What certificate is referenced by the cacert entry, the "leftcert ca" or the
> "leftcert root ca" ?
> Have all certificates in the certificate chain to be accessible from the
> certuribase?
Similar to CRL URIs, the configured base URI is only used for
certificates that are
Hi Mike,
> Is the ca section of the ipsec.conf used only for ca-certificates or also for
> the leftcert itself?
> If so, what is the element cacert referring to?
man ipsec.conf or [1]?
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/CaSection
Hi Mike,
> I hope you mean the ipsec.conf only:
>
> Ipsec.conf:
> config setup
> charondebug="cfg 2, dmn 1, ike 1, net 1, job 0"
>
> conn %default
> keyexchange=ikev2
> ike=aes256-sha256-modp2048,aes256-sha1-modp2048!
>
Hi Mike,
> We use in the ipsec.conf the configuration:
> ike=aes256-sha256-modp2048,aes256-sha1-modp2048!
> esp=aes256-sha256-modp2048,aes256-sha1-modp2048!
>
> How big is the size of the private exponent at least, or could a size of
> 256 bits be guaranteed?
Depends on the
Hi Harald,
>>> Question is, how can I tell charon's dhcp plugin to forward either
>>> the FQDN or the CN from the DN entry in the dhcp request?
>>
>> You can't, the plugin simply uses the client's (IKE or EAP) identity, so
>> it's up to the client to use the identity you want to see on the
Hi Harald,
> Question is, how can I tell charon's dhcp plugin to forward either
> the FQDN or the CN from the DN entry in the dhcp request?
You can't, the plugin simply uses the client's (IKE or EAP) identity, so
it's up to the client to use the identity you want to see on the server.
Regards,
Hi Tony,
> Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-2-amd64,
> x86_64):
You might be hitting a kernel bug in 4.15. See [1].
Regards,
Tobias
[1] https://wiki.strongswan.org/issues/2571
Hi Micah,
> 1. Can I configure the strongSwan server to force the clients to send
> the FQDNs as identities?
No, that's a local decision.
> 2. Alternatively, can I generate certificates differently to force the
> clients to send the FQDNs as identities?
Not that I'm aware.
> 3. Am
Hi,
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr
> N(EAP_ONLY) ]
> sending packet: from 159.*.*.*[500] to 4.*.*.*[500] (220 bytes)
> received packet: from 4.*.*.*[500] to 159.*.*.*[500] (68 bytes)
> parsed IKE_AUTH response 1 [ N(INVAL_SYN) ]
> *received
> Is there any reason why UDP checksum in the packet shows as wrong in the
> wireshark?
Possibly hardware checksum offloading [1].
Regards,
Tobias
[1] https://wiki.wireshark.org/CaptureSetup/Offloading
Hi Sriram,
> What is the reason for SecGw’s charon daemon restart ?
The daemon does not automatically restart itself, so probably a crash.
Do you see any backtrace in the log? Any core dumps?
Did you modify the code in any way? Is there a reason you use different
versions on the two hosts
Hi Mike,
> When many clients at the same time want to get a tunnel the Charon crashes.
>
> Do you have seen anything like that before?
Looks like someone had the same issue last year [1] and [2].
> Could it help to use /libmysqlclient.so.20?
Don't know.
> What else can we do?
Don't know that
Hi Rich,
> Mar 27 15:47:35 stg-vault-zk04 charon: 14[NET] sending
> packet: from 172.17.128.86[500] to 13.88.23.150[500] (160 bytes)
> Mar 27 15:47:35 stg-vault-zk04 charon: 07[NET]
> received packet: from 13.88.23.150[1031] to 172.17.128.86[500]
Hi Micah,
> However, I became confused here, because the MAC address I am seeing on my
> DHCP server is 7a:a7:bc:8b:b5:ec. After the hardcoded 0x7A and 0xA7 bytes,
> there are only four bytes, but the SipHash-2-4 documentation I'm reading, as
> well as the commit message for commit
>
Hi Alex,
> I am in the need to verify that a Strongswan Responder is initiating a
> IKE SA reauthentication in case the Initiator doesn't.
The responder might not be able to initiate a reauthentication (depends
on the config, e.g. whether EAP or virtual IPs are used).
> Therefore, would you see
Hi Mike,
> But after disconnecting, waiting 15 seconds and connecting again in the
> reversed order, each roadwarrior gets the ip as it got in the first
> connection order.
Offline leases for the same identity are reused (you see "acquired
existing lease for address ... in pool '...'" in the
Hi,
>>> I also tried to set --dn "C=US, O=Quantum,
>>> CN=quantum-equities.com,cygnus.darkmatter.org" -- but strongswan pki wasn't
>>> having it so I had to settle for just quantum-equities.com.
>> That's because commas separate RDNs (and `cygnus.darkmatter.org` is no
>> proper RDN) and
Hi Andrii,
ike-scan won't help you here as it only reports on Phase 1 (IKE SA), but
your problem is during Phase 2 (Quick Mode, IPsec SA).
> Remote side is not supporting pfs.
>
> IKE Phase One Parameters:
> Encryption Algorithm: AES 256
> Hash Algorithm: SHA
> Authentication
Hi Mike,
> Did you find something that could help us?
You gave the answer basically yourself by considering the very old
strongSwan version (which you claimed to be 5.5.3 on both ends in your
original mail btw.). If you didn't stop there but e.g. checked the
changelog [1] to see since when
Hi,
> I am not able to establish a connection with the Android app yet and so
> have no proposed ciphers in my log.
Did you check the server log?
> I infer that which ciphers are supported by the app depend on the
> Android kernel, at least for encryption.
No, IPsec is handled completely in
Hi,
> I've made its cert with --san quantum-equities.com,cygnus.darkmatter.org,
> because the LAN gateway is known outside as quantum-equities.com and the
> IPSec gateway is known in the LAN as cygnus.darkmatter.org.
That syntax is not valid. Just use --san multiple times for each SAN
(as the
Hi Andrii,
> I see the problem on IKE side, but don’t know how to debug and fix it.
The log tells you _exactly_ what the problem is:
> 12[ENC] parsed INFORMATIONAL_V1 request 2090615229 [ HASH N(NO_PROP) ]
> 12[IKE] received NO_PROPOSAL_CHOSEN error notify
The peer doesn't like the crypto
Hi,
> I'm looking to VPN every machine in a LAN. I infer that this would be
> something like a host-to-host config.
Did you have a look at the trap-any scenario?
Regards,
Tobias
[1] https://www.strongswan.org/testing/testresults/ikev2/trap-any/
Hi Andrii,
> Remote side is asking to disable PFS Group 5:
>
> PFS Group 5 is not configured on our end and is not enabled by default.
> If this is currently required on the Andrii end then we will open a
> change to have this added.
>
> Can it cause this problem?
Sounds strange, as you
Hi,
> No port 4500 packet hitting its own interface. Only a keep-alive.
That's the only packet that's sent from port 4500 (as also stated in the
log, where it clearly states that keep-alive is being sent, nothing
else). Since no request to port 4500 ever makes it to the daemon (the
log tells
Hi Marco,
> I'm running strongswan 5.6.2 on Slackware linux 64 bit
Check the current master. It includes fixes for issues like these (see
[1]).
Regards,
Tobias
[1] https://wiki.strongswan.org/issues/2536
Hi Rich,
> 1. IKE and ESP SAs are established normally with NAT-T, i.e. 500:4500.
> 2. NAT remapping occurs within Azure, at which point StrongSwan sees IKE
> packets come from port 1027 instead of 500. (i.e. instead of 500:500 it’s
> 500:1027).
And what happens to port 4500? Why would there
Hi Harald,
> Even if Strongswan ignores the additional certs, is it possible that
> some crypto implementation *used* by Strongswan does not, but reads
> all certificates found in the cert files (in /etc/ipsec.d)?
Only the pem plugin reads PEM encoded files, and it only parses one
credential per
Hi,
> I am facing a problem of load-tester that "%d" of initiator_id did not
> start from 1, but from 2.
Yes, that's the case since 5.2.0 (since [1] to be exact). I pushed a
fix to the load-tester-id branch. Is that really a problem, though?
Regards,
Tobias
[1]
Hi Harald,
> I had hoped that putting the whole chain into
> /etc/ipsec.d/certs/mycert.pem
> would help, but apparently it doesn't.
strongSwan reads only the first certificate from PEM encoded files. So
put them in separate files.
>>>
>>> This is unusual, is it?
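Added example (not code from the list or from the strongSwan project) covering the point made in the two replies above about PEM files: the pem plugin parses only the first credential in a file, so a chain stored as one /etc/ipsec.d/certs/mycert.pem must be split into one file per certificate. The function below does that with POSIX sh and awk; the sample bundle it writes is constructed with placeholder bodies, not real certificates, and the output directory and file prefix are assumptions.

```shell
#!/bin/sh
# Added example, not strongSwan's own code. Split a PEM bundle into one file per
# certificate so that each can be placed where strongSwan expects it (the
# end-entity cert under ipsec.d/certs, CA certs under ipsec.d/cacerts).
#
# split_pem_bundle BUNDLE OUTDIR [PREFIX]
#   writes OUTDIR/PREFIX-01.pem, OUTDIR/PREFIX-02.pem, ... in bundle order,
#   prints the number of certificates found and fails if there were none.
split_pem_bundle() {
    bundle=$1; outdir=$2; prefix=${3:-cert}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    count=$(awk -v dir="$outdir" -v pfx="$prefix" '
        # a BEGIN line starts a new output file; text outside BEGIN/END
        # (e.g. "Bag Attributes" headers from openssl pkcs12) is dropped
        /^-----BEGIN CERTIFICATE-----/ {
            n++
            out = sprintf("%s/%s-%02d.pem", dir, pfx, n)
            inside = 1
        }
        inside { print > out }
        /^-----END CERTIFICATE-----/ { close(out); inside = 0 }
        END { print n + 0 }
    ' "$bundle")
    echo "$count"
    [ "$count" -gt 0 ]
}

# write_sample_bundle PATH: a constructed two-certificate bundle (leaf followed
# by its CA) with placeholder bodies, only to demonstrate the splitter.
write_sample_bundle() {
    printf '%s\n' \
        'Bag Attributes: constructed header line, not part of any certificate' \
        '-----BEGIN CERTIFICATE-----' \
        'MIIBplaceholderLeafCertificateBody' \
        '-----END CERTIFICATE-----' \
        '' \
        '-----BEGIN CERTIFICATE-----' \
        'MIIBplaceholderCaCertificateBody' \
        '-----END CERTIFICATE-----' > "$1"
}

# Demo: split the constructed bundle into a temporary directory.
demo_dir=$(mktemp -d)
write_sample_bundle "$demo_dir/chain.pem"
split_pem_bundle "$demo_dir/chain.pem" "$demo_dir/split" mycert
ls "$demo_dir/split"
```

After splitting, move the first file (the end-entity certificate) to /etc/ipsec.d/certs and the remaining CA certificates to /etc/ipsec.d/cacerts, then run `ipsec rereadall`; each file now holds exactly one certificate, which is all the pem plugin will read from it anyway.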
Hi Trevor,
> Is PLUTO_XAUTH_ID (as passed to a user-defined updown script) 100%
> trustworthy in an ikev2 / eap-tls / user certs connection scenario?
> What I mean by that, is can it be selected, set, or spoofed by the
> client?
Yes, it's trustworthy. While the client can send an arbitrary
Hi Mike,
> gateway ipsec.conf:
>
> ca %default
> certuribase=http://hashandurl.my-server.de/
> auto=add
If that's the only ca section in your config this won't work. The
%default section is never loaded itself; it only provides defaults for
other sections of the same type. Also, defining a
Hi,
> If the case you mentioned has been fixed in 5.2.1,
I never said that. What I said is that the behavior changed with 5.2.0.
But it has never been fixed, the fix can only be found in the
load-tester-id branch, which I pushed yesterday, so no released version
contains it.
> What I concern
Hi Trevor,
>>> So I then tried user certs to select on EAP identity in the user
>>> cert. Set that up then finally found a couple of emails/sites that
>>> said strongswan can't switch conns based on identity.
>>
>> That's not entirely true. If you delegate the authentication to a
>> RADIUS
Hi Naveen,
> 1) The second connection with the below configuration fails .
The log message tells you why. The policies of the two connections
conflict. While you don't get that error message with newer strongSwan
releases (>= 5.3.0) it would not work properly as you'd still have two
Hi Marwan,
> 3. Client1 connects multiple devices to the VPN, each device has a
> unique virtual IP address and can be accessed through Client1’s VPN
How does it do that? Do you mean it allocates addresses from
10.0.0.0/24 to those clients? (Without the server being aware of that,
which is not
Hi Marwan,
> I am wondering if it is possible for multiple connections to have
> the same pool without being shared?
Not when configuring via ipsec.conf, you can probably do this via
vici/swanctl or attr-sql.
> E.g. client1 on conn1 and client2 on
> conn2 are both assigned 10.10.0.1.
What
> only something like (I have had no debug):
> 2018-10-14T19:27:57.322435+02:00 alfa charon-systemd[6721]: sending DHCP
> DISCOVER to 192.168.200.200
> 2018-10-14T19:27:57.322643+02:00 alfa charon-systemd[6721]: received DHCP
> OFFER %any from 192.168.200.200
> 2018-10-14T19:27:57.324271+02:00
Hi Loyc,
> Here is mine. Where am I wrong please?
Well, what does the log say?
> leftsubnet=my.local.subnet
What's "my.local.subnet" exactly? Is the other end configured
appropriately?
> rightsubnet=the.remote.subnet
And that as well. Is that related to the "VPN Access
Hi Kamil,
> and received dhcp-ack.
> And ... again send dhcp-request, received dhcp-ack, and we end with
> infinite loop.
Do you have the strongSwan log that goes with this? And what strongSwan
and FreeRADIUS versions are you using?
> Now I (temporarily) configure dhcp server not to send offer
Hi Marwan,
> In my use case, client1 and client2 are specifying which virtual pool they
> want assigned to their VPN connection. I was hoping that multiple clients
> (connections) could select the same pool without any conflicts.
What do you mean with that? If they select a different pool but
Hi Peter,
> I tried using the strongswan version of openssl from strongswan.org:
>
> https://git.strongswan.org/?p=android-ndk-openssl.git;a=summary
>
> but it seems this version of openssl is old and does not have some
> functions used by strongswan 5.6.1:
Yeah, that repository is not really
Hi Marwan,
>> How does it do that? Do you mean it allocates addresses from
>> 10.0.0.0/24 to those clients? (Without the server being aware of that,
>> which is not a good idea.) Or does it NAT traffic from these devices to
>> the IP address it received from the VPN server?
>
> The idea is
Hi James,
> However when I attempt to ping, I see the ping on the ppp0 interface,
> and the source isn't 172.16.0.1:
> 2018-07-25 18:26:37.085194521 8.0.0.1 → 192.168.1.1 ICMP 100 Echo
> (ping) request id=0x0004, seq=1/256, ttl=64
That indicates you ran into a bug in the 4.15 kernel. See
Hi Yogesh,
> No it is not strongswan on peer end. I am using third party VPN.
Which probably means the peer sends an invalid TS payload.
> So is the IKE_AUTH packet size fixed to 204 bytes for PSK mode and
> anything exceeding that can be Invalid length.
There are no fixed sizes for any
Hi Fred,
> Yes, it works.
Great, thanks for testing.
> Will it be included in an upcoming Strongswan release?
Yes, will be included in the next release.
Regards,
Tobias
Hi Fred,
> When the remote peer address changes,
> strongswan correctly processes the XFRM_MSG_MAPPING message, and updates
> the xfrm SA and SP in the Linux kernel, except the traffic selector.
Yes, updating that selector was, in fact, missing in the responsible
function. I pushed a potential
Hi,
Your rightsourceip setting is incorrect:
> Virtual IP pools (size/online/offline):
> 0.0.0.0/0: 2147483646/1/0
> ...
> ikev2-vpn{4}: 0.0.0.0/0 === 0.0.0.1/32
You don't want to use 0.0.0.0/0 for that pool, but a private subnet (the
tutorial sets it to 10.10.10.0/24).
Regards,
Tobias
Hi,
> in my scenario I want all the Android clients to be able to access the
> vpn from any source IP so I set it to all (0.0.0.0/0).
> Is there any other way to make this scenario work ...
Yes, read the documentation [1] and (hopefully) come to the realization
that the rightsourceip setting
Hi Alexander,
> How do I set
>
> leftauth=eap-mschapv2
>
> via NetworkManager Strongswan plugin?
Just select "EAP" in the GUI and make sure the eap-mschapv2 plugin is
loaded by charon-nm (plus probably the eap-identity plugin). The actual
EAP method is requested by the server (the client
Hi,
> so is there a way to make both of client and server use random ports
Using random ports on the server does not really work because the client
has to know the port.
> (i
> tried to set port_nat_t = 0 but the client doesn't understand it).
What do you mean "doesn't understand it"?
See
Hi Peter,
Your description of DPDs and the role strongSwan plays in this is a bit
confusing. I assume you are referring to the Android/libipsec
implementation where strongSwan handles IKE as well as ESP (otherwise,
ESP is handled by the kernel, not strongSwan).
> Given that the normal traffic
Hi Pavel,
> I use openresolv (https://roy.marples.name/projects/openresolv) as my
> resolvconf implementation.
Does that provide /sbin/resolvconf?
> Is there any way to get more verbose output from resolve plugin?
No, but errors returned from resolvconf are logged (which doesn't seem
to be the
Hi Chris,
> Oct 30 18:06:43 pfSense_2.4.4 charon: 06[NET] received packet:
> from 198.51.100.49[500] to 203.0.113.121[500] (460 bytes)
> Oct 30 18:06:43 pfSense_2.4.4 charon: 06[ENC] parsed QUICK_MODE
> request 3072107701 [ HASH SA No KE ID ID ]
> Oct 30 18:06:43 pfSense_2.4.4 charon: 06[CFG]
Hi Peter,
> Would Google also reject app compiled with this version of boringssl
> when uploading to Play?
It hasn't so far.
> Building with the Android's build tools (Android repo, and not just
> NDK), the system's boringssl library is built and the object files for
> 'libcrypto' goes to the
Hi Peter,
> Do we have porting guidelines for integrating strongswan with boringssl for
> Android P?
Nope. You shouldn't use the system's libraries from an app anyway.
> I see there is an older version of boringssl
> https://git.strongswan.org/?p=android-ndk-boringssl.git;a=log
That's
Hi Kseniya,
> So my question is: is it a default behavior for strongswan to list all
> subnets in Traffic Selector fields even if their CHILD SAs are not
> expired yet? Is it possible to change this behavior to include only
> those subnets, which need rekeying, into proposals?
You are not
Hi Marco,
> openssl 1.1.1 added support for X448 and Ed448.
> Is there a way to configure it with strongSwan?
No, the openssl plugin currently doesn't have a wrapper for X/Ed25519 or
X/Ed448.
Regards,
Tobias
> Honestly, I thought that for IKEv2 multiple traffic selectors
> are possible anyway.
Unfortunately, there are implementations that don't support it.
> Also, I was confused about the subnets because with
> ipsec statusall it shows different rekey time values for different
> policies which
Hi Anthony,
> !!!Selected user cert is CN=TDY Test SCA 4
> 2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] certificate
> "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test
> SCA 4" key: 2048 bit RSA
That's the server's certificate, selected to verify the
Hi Alexander,
> (I follow strictly https://nordvpn.com/ru/tutorials/linux/ikev2ipsec/ but the
> only place they differ I think is "leftauth=eap-mschapv2".)
No, that's not it, the authentication works fine (albeit with EAP-MD5).
The problem is this:
> Nov 5 18:59:40 node-calculate2
Hi Lev,
> But when client connects via IPv6, StrongSwan tries to add very strange
> route (and fails):
>
> installing route failed: 192.168.27.1/32 via fe80::fc00:1ff:feb1:8578
> src %any dev vtnet0
>
> I think, it is bug :-)
That's just the log message. The daemon doesn't actually install
> Why did it log such nonsense? Did it TRY to install it or simply report
> failure without trying? :)
No, it does install a route, just without the next hop. The code that
logs the message is in a different plugin (kernel-pfkey) than the code
that actually installs the route (kernel-pfroute),
Hi Simon,
> Strongswan (well, I'm pretty sure it's Strongswan) adds a /32 IP to my
> loopback interface when bringing up the connection.
I don't think it is. strongSwan only adds virtual IPs (assigned from
the other peer, and since you don't request one with leftsourceip, there
won't be any) to
> Forgot to mention that the eap_identity issue is most likely related
> to https://wiki.strongswan.org/issues/1183
See my comment at [1].
Regards,
Tobias
[1] https://wiki.strongswan.org/issues/2719#note-1
Hi Yogesh,
> To make it work I had to configure 'E' for emailAddress in rightid field
> of ipsec.conf.
Hm, that seems strange.
> I know it is not a big issue and it is working for me with 'E', but
> ideally it should work with exact Subject of x.509 certificate which has
> 'emailAddress' as the
Hi,
> I've had my certs okay but now (I admit I've not used this tunnel in
> long time) this connection fails and it seems due to some cert issues.
Not directly, but it could be related.
> But am I right to blame some change in my strongswan package? What can
> be the problem?
Your config?
Hi Venu,
> The get_usestats function above gets called with packets, bytes as
> NULL.
There are lots of places where they are not NULL. But yes, for DPDs
that's currently the case.
> In that case is it intended that we first do update_usetime {
> which sends policy query to kernel } , if
Hi Venu,
Sorry, I don't understand what you are asking. Please try to clarify
what confuses you or doesn't meet your expectations.
Regards,
Tobias
Hi Stephan,
> we are using radius authentication with user certificates.
With EAP (EAP-TLS in your case) Windows insists on using the local IP
address as IKE identity. Unfortunately, that identity won't change when
RADIUS is used (even if the RADIUS server does an EAP-Identity
exchange). Did
Hi,
> The log lines for the match show
> candidate "site2site", match: 1/20/1048 (me/other/ike)
> candidate "rw", match: 1/1/1052 (me/other/ike)
>
> Candidate "rw" has higher ike match (1052) resulting in "rw" being chosen.
Yes, that's how it currently works. The IKE match (which also
Hi Andreas,
> ### who does this and why, or how to prevent?
>
> Jan 16 14:27:24 nx03 charon: 06[CFG] changing proposed traffic selectors
> for us:
> Jan 16 14:27:24 nx03 charon: 06[CFG] 0.0.0.0/0
Disable the unity plugin [1] completely, or just don't set
charon.cisco_unity.
Regards,
Tobias
Hi Naveen,
> I see an issue where, when I unload a connection from the vici API, and
> reload a connection, the old SAs are not getting deleted immediately,
> but I see a soft expire of 3077(sec).
Why should it? Unless you have a start_action configured (which is
reversed if a config is
Hi,
> I found this: https://wiki.strongswan.org/issues/294
>
> Both ends of my tunnel are Fedora29, so version of Strongswan should be
> that-bug-free, it's: Linux strongSwan U5.7.1/K4.19.10-300.fc29.x86_64
Why would you think that issue has anything to do with your problem?
> But still when
Hi Yogesh,
> I have two ends of site to site VPN where both are configured with
> strongswan and version IKEv1.
Please use IKEv2 if you have strongSwan on both sides, no reason to use
a deprecated protocol.
> Is it normal behavior of strongswan, that we can establish only one
> tunnel at a time
Hi Stephan,
> we’ve two windows 10 clients which got the identical IP-address from
> their dsl router at home. Now they are fighting against each other in
> catching the vpn tunnel. Is there a way to fix that beside reconfiguring
> the home router?
What type of authentication are you using? It
Hi,
This is probably the more serious issue:
> 03[KNL] setting WFP SA SPI failed: 0x80320035
> 03[IKE] unable to install IPsec policies (SPD) in kernel
See [1].
Regards,
Tobias
[1] https://wiki.strongswan.org/issues/2750
Hi Josh,
> Question: why do I need to explicitly extract letsencrypt parent
>
> Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
>
> certificate from /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
> (found after # DST Root CA X3) and load into configuration dialog?
strongSwan only
Hi,
> And all, well, two, three clients I connect (at the same time) get the
> same 10.3.1.220 IP, why?
Do they all use the same client identity? Also, check the log for details.
Regards,
Tobias
Hi Yogesh,
> so I tried configuring right id as strongswan is expecting, and tunnel was
> established.
You mean with E instead of emailAddress? No other changes?
> So why is strongswan not using complete '*emailAddress*' field of
> Subject distinguished name and only '*E*' instead ?
Hi,
> I tried forking the slow functions in my script, but it appears that
> strongswan waits for them to exit too :(
To avoid that, it's important to remember to redirect STDOUT and STDERR.
For instance, if you want to start a sub-script or program for which
you don't want to wait from your
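Added example (not strongSwan's own updown script and not from the reply above): an updown hook that hands slow work to a detached child. charon keeps the hook's stdout and stderr open until every process holding them has exited, so a forked helper that inherits them keeps charon waiting; redirecting all three standard descriptors before backgrounding is what lets the script return immediately. The helper path /usr/local/sbin/register-peer is hypothetical; PLUTO_VERB and PLUTO_PEER_CLIENT are variables charon passes to updown scripts.

```shell
#!/bin/sh
# Added example, not strongSwan's own updown script.
#
# detach_slow_task COMMAND [ARGS...]
#   Starts COMMAND in the background with stdin, stdout and stderr detached
#   from the updown script's pipes to charon, so charon does not wait for it.
#   Prints the PID of the detached child and returns immediately.
detach_slow_task() {
    # Send output to /dev/null (or a log file of your choice); without this
    # redirection the child inherits charon's pipe and the hook blocks.
    "$@" </dev/null >/dev/null 2>&1 &
    echo $!
}

# Typical hook body. The helper is a hypothetical slow program that registers
# the remote client subnet somewhere (a directory, an inventory, a firewall).
# Nothing runs here unless charon invoked us with a PLUTO_VERB.
case "${PLUTO_VERB:-}" in
    up-client)
        detach_slow_task /usr/local/sbin/register-peer add "$PLUTO_PEER_CLIENT" >/dev/null
        ;;
    down-client)
        detach_slow_task /usr/local/sbin/register-peer remove "$PLUTO_PEER_CLIENT" >/dev/null
        ;;
esac
```

If the detached helper must survive charon stopping or restarting, wrap the command in `nohup` or `setsid` as well; the redirection is what matters for the hook returning quickly, and that part is plain POSIX sh.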
Hi,
> This produce an error INTERNAL_ADDRESS_FAILURE (identities anonymized):
> ...
> Do you know what I need to correct to prevent this error?
Did you load the address pool with swanctl --load-pools? (Using
--load-all also works.) Check with --list-pools if the pool is loaded.
Regards,
Hi Florian,
> Unfortunately, after the 64 bit build two of the unit tests fail:
The failing tests require ::1 to be available. So either change the
network config on your build host, or disable the tests when building
the package (look for dh_auto_test in debian/rules).
Regards,
Tobias
Hi,
> I think the reason why it doesn't work is the following error
Correct.
> According to the
> bugtracker there is a feature missing in the linux kernel
That is a possible reason, yes. But it's not in this case. The problem
is this:
> Thu, 2018-11-22 18:04 02[IKE] <2> faking NAT