Re: [strongSwan] Trouble configuring vpn connection to strongswan using smartcard

2018-07-19 Thread Tobias Brunner
Hi Nathan, > In the logs I can see, that the private key seems to be loaded correctly: > > Jul 19 19:01:53 SuperSam charon: 14[CFG] loading secrets from > '/etc/ipsec.secrets' > Jul 19 19:01:53 SuperSam charon: 14[CFG] found key on PKCS#11 token > 'opensc':0 > Jul 19 19:01:53

Re: [strongSwan] Trouble configuring vpn connection to strongswan using smartcard

2018-07-19 Thread Tobias Brunner
Hi Nathan, > The ids match! So it should be fine! Only with strongSwan >= 5.5.1, with older releases the cert/key has to be stored using a CKA_ID that matches the SPKI (i.e. your cert/key with CKA_ID 3 would never be used). > Any other help on why this does possibly not work? Do you have

Re: [strongSwan] Bug #1772705 : IKEv2 VPN connections fail to use DNS servers provided by the server / follow-up

2018-07-24 Thread Tobias Brunner
Hi Vincent, > We are facing this issue too : > > https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1772705 You are not, that bug has been fixed. > `systemd-resolve --status` show the correct DNS servers in the correct > order (1st got from the VPN, 2nd from the local DHCP) There you

Re: [strongSwan] Trouble with strongswan and dhcp server on same host

2018-07-24 Thread Tobias Brunner
Hi Nathan, > charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255 > charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255 > charon: 14[CFG] sending DHCP DISCOVER to 255.255.255.255 > dnsmasq-dhcp[27740]: DHCPDISCOVER(eth1) 7a:a7:33:54:e9:78 > dnsmasq-dhcp[27740]: DHCPOFFER(eth1)

Re: [strongSwan] Simple road warrior setup no longer routing after upgrade

2018-07-24 Thread Tobias Brunner
Hi James, > So I moved to Strongswan 5.6.2 during a distribution upgrade. What distribution? What was the previous version? Do you still have the same plugins installed and enabled? > My simple > setup no longer routes back to the client (I can see the incoming pings > on the server, but

Re: [strongSwan] Can't connect to Strongswan

2018-07-18 Thread Tobias Brunner
Hi Alexander, > Interestingly enough, there are different error messages. When connecting > with Linux, the key parts of the log seem to be: > > Jul 18 15:05:56 below charon: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V > ] > Jul 18 15:05:56 below charon: 07[CFG] looking for an ike config

Re: [strongSwan] Checking X509 Extended Key Usage

2018-07-05 Thread Tobias Brunner
Hi Sven, > In your example scenario the CA has the policy set too. > I'm a bit unsure if this is necessary, because a RFC 5280 in section > 4.2.1.4 (Certificate Policies) states: > > "When a CA does not wish to limit the set of policies for certification > paths that include this certificate,

Re: [strongSwan] attr-sql - case insensitive?

2018-07-05 Thread Tobias Brunner
Hi Sven, > In other words: > I have to change the code to make it work this way. > At least the attr-sql plugin code. > > Is this correct? You can try and see what happens if you don't (i.e. just change the DB). But I guess you have to change some code. Regards, Tobias

Re: [strongSwan] ipsec statusall: missing number of packets output

2018-07-10 Thread Tobias Brunner
Hi Marco, > After nearly 2 months it happened again: > > ts-20.96.144.0{126302}: INSTALLED, TUNNEL, reqid 244, ESP SPIs: cd63dff4_i > 5215984b_o > ts-20.96.144.0{126302}: AES_CBC_256/HMAC_SHA2_256_128/ECP_384, 2988620 > bytes_i (6591 pkts, 314s ago), 2048852 bytes_o, rekeying in 5 hours >

Re: [strongSwan] Multi rounds

2018-07-10 Thread Tobias Brunner
Hi Christian, > You say on [1] that "The native iOS and OS X clients are known to work > fine with multiple authentication rounds.", yet I have the server > configured with multiple rounds using xauth but OSX is only requesting EAP XAuth is only for IKEv1 EAP is only for IKEv2 (unless the

Re: [strongSwan] upgrade from 4.5.2 to 5.2.1 breaks phase 2 authentication

2018-07-10 Thread Tobias Brunner
Hi, > Jul 9 19:24:05 powerwall-34 charon: 04[CFG] received proposals: > ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ > Jul 9 19:24:05 powerwall-34 charon: 04[CFG] configured proposals: > ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, > ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, >

Re: [strongSwan] upgrade from 4.5.2 to 5.2.1 breaks phase 2 authentication

2018-07-11 Thread Tobias Brunner
> Tue Jul 10 08:44:05 2018 (GMT -0400): [SRX5308] [IKE] INFO: Sending > Informational Exchange: notify > payload[ATTRIBUTES-NOT-SUPPORTED] > Tue Jul 10 08:44:05 2018 (GMT -0400): [SRX5308] [IKE] ERROR: mismatched ID > was returned. I suppose this means it doesn't like the returned subnets.

Re: [strongSwan] verification of AUTH payload without EAP MSK failed

2018-07-11 Thread Tobias Brunner
Hi Christian, > Why would it fail after getting an approved access from RADIUS > > ... > 12[IKE] EAP method EAP_MSCHAPV2 succeeded, no MSK established If the EAP method is key-generating, which EAP-MSCHAPv2 is, the authentication will not succeed without an MSK, which the RADIUS server should

Re: [strongSwan] problem connecting to Kyocera printer

2018-07-13 Thread Tobias Brunner
Hi Harald, > Jul 13 13:35:57 16[IKE] expected a virtual IP request, > sending FAILED_CP_REQUIRED As you already noted, the printer doesn't request a virtual IP. Either change that, or modify your config so the server doesn't expect the printer to request one (i.e. remove rightsourceip and

Re: [strongSwan] syntax question about PSKs in ipsec.secrets (and Wiki)

2018-07-12 Thread Tobias Brunner
Hi Harald, > Which one is right? Is the '@' obsolete today? Apparently the PskSecret page > is pretty old. Since what you configure before the : are identities, see [1]. Regards, Tobias [1] https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing

Re: [strongSwan] attr-sql - case insensitive?

2018-07-04 Thread Tobias Brunner
Hi Sven, > The name in the database matches the name the user configured in > their settings. So this is very error-prone. > > Is it possible to match here case insensitive? > Or any other ideas? The `data` column of the `identities` table in the default schema uses a binary type (BLOB or

Re: [strongSwan] strongswan gateway does not send hash-link of its own certificate

2018-03-01 Thread Tobias Brunner
Hi Mike, > What certificate is referenced by the cacert entry, the "leftcert ca" or the > "leftcert root ca" ? > Have all certificates in the certificate chain to be accessible from the > certuribase? Similar to CRL URIs, the configured base URI is only used for certificates that are

Re: [strongSwan] strongswan gateway does not send hash-link of its own certificate

2018-03-01 Thread Tobias Brunner
Hi Mike, > Is the ca section of the ipsec.conf used only for ca-certificates or also for > the leftcert itself? > If so, what is the element cacert referring to? man ipsec.conf or [1]? Regards, Tobias [1] https://wiki.strongswan.org/projects/strongswan/wiki/CaSection

Re: [strongSwan] RSA_EMSA_PKCS1_SHA1 not acceptable

2018-03-13 Thread Tobias Brunner
Hi Mike, > I hope you mean the ipsec.conf only: > > Ipsec.conf: > config setup > charondebug="cfg 2, dmn 1, ike 1, net 1, job 0" > > conn %default > keyexchange=ikev2 > ike=aes256-sha256-modp2048,aes256-sha1-modp2048! >

Re: [strongSwan] Diffie Hellman group 14 private exponent size

2018-03-13 Thread Tobias Brunner
Hi Mike, > We use in the ipsec.conf the configuration: >     ike=aes256-sha256-modp2048,aes256-sha1-modp2048! >     esp=aes256-sha256-modp2048,aes256-sha1-modp2048! > > How big is the size of the private exponent at least, or could a size of > 256 bit guaranteed? Depends on the

Re: [strongSwan] dhcp plugin using CN or FQDN as the client host name?

2018-03-06 Thread Tobias Brunner
Hi Harald, >>> Question is, how can I tell charon's dhcp plugin to forward either >>> the FQDN or the CN from the DN entry in the dhcp request? >> >> You can't, the plugin simply uses the client's (IKE or EAP) identity, so >> it's up to the client to use the identity you want to see on the

Re: [strongSwan] dhcp plugin using CN or FQDN as the client host name?

2018-03-06 Thread Tobias Brunner
Hi Harald, > Question is, how can I tell charon's dhcp plugin to forward either > the FQDN or the CN from the DN entry in the dhcp request? You can't, the plugin simply uses the client's (IKE or EAP) identity, so it's up to the client to use the identity you want to see on the server. Regards,

Re: [strongSwan] Unable to receive traffic over link

2018-04-05 Thread Tobias Brunner
Hi Tony, > Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-2-amd64, > x86_64): You might be hitting a kernel bug in 4.15. See [1]. Regards, Tobias [1] https://wiki.strongswan.org/issues/2571

Re: [strongSwan] Calculating the generated MAC address when identity_lease is enabled

2018-04-09 Thread Tobias Brunner
Hi Micah, > 1. Can I configure the strongSwan server to force the clients to send > the FQDNs as identities? No, that's a local decision. > 2. Alternatively, can I generate certificates differently to force the > clients to send the FQDNs as identities? Not that I'm aware. > 3. Am

Re: [strongSwan] Can't connect to peer network(showing INVALID_SYNTAX error)

2018-04-09 Thread Tobias Brunner
Hi, > generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr > N(EAP_ONLY) ] > sending packet: from 159.*.*.*[500] to 4.*.*.*[500] (220 bytes) > received packet: from 4.*.*.*[500] to 159.*.*.*[500] (68 bytes) > parsed IKE_AUTH response 1 [ N(INVAL_SYN) ] > *received

Re: [strongSwan] IKE_SA_INIT response with notification data missing

2018-04-16 Thread Tobias Brunner
> Is there any reason why UDP checksum in the packet shows as wrong in the > wireshark? Possibly hardware checksum offloading [1]. Regards, Tobias [1] https://wiki.wireshark.org/CaptureSetup/Offloading

Re: [strongSwan] [strongswan-5.6.0] - Rekey issue

2018-04-25 Thread Tobias Brunner
Hi Sriram, > What is the reason for SecGw’s charon daemon restart ? The daemon does not automatically restart itself, so probably a crash. Do you see any backtrace in the log? Any core dumps? Did you modify the code in any way? Is there a reason you use different versions on the two hosts

Re: [strongSwan] attr_sql-plugin mysql_client crash when IP_pooling

2018-04-25 Thread Tobias Brunner
Hi Mike, > When many clients at the same time want to get a tunnel the Charon crashes. > > Have you seen anything like that before? Looks like someone had the same issue last year [1] and [2]. > Could it help to use /libmysqlclient.so.20? Don't know. > What else can we do? Don't know that

Re: [strongSwan] Clarifying behaviour around NAT-T and remapping

2018-03-29 Thread Tobias Brunner
Hi Rich, > Mar 27 15:47:35 stg-vault-zk04 charon: 14[NET] sending > packet: from 172.17.128.86[500] to 13.88.23.150[500] (160 bytes) > Mar 27 15:47:35 stg-vault-zk04 charon: 07[NET] > received packet: from 13.88.23.150[1031] to 172.17.128.86[500]

Re: [strongSwan] Calculating the generated MAC address when identity_lease is enabled

2018-04-04 Thread Tobias Brunner
Hi Micah, > However, I became confused here, because the MAC address I am seeing on my > DHCP server is 7a:a7:bc:8b:b5:ec. After the hardcoded 0x7A and 0xA7 bytes, > there are only four bytes, but the SipHash-2-4 documentation I'm reading, as > well as the commit message for commit >

Re: [strongSwan] Prevent strongswan Initiator to reauthenticate

2018-03-19 Thread Tobias Brunner
Hi Alex, > I am in the need to verify that a Strongswan Responder is initiating a > IKE SA reauthentication in case the Initiator doesn't. The responder might not be able to initiate a reauthentication (depends on the config, e.g. whether EAP or virtual IPs are used). > Therefore, would you see

Re: [strongSwan] connecting identities get always the same ip from sql-pool

2018-03-19 Thread Tobias Brunner
Hi Mike, > But after disconnecting, waiting 15 seconds and connecting again in the > reversed order, each roadwarrior get the ip as it got in the first > connection order. Offline leases for the same identity are reused (you see "acquired existing lease for address ... in pool '...'" in the

Re: [strongSwan] One to Many VPN (Host-Host)

2018-03-20 Thread Tobias Brunner
Hi, >>> I also tried to set --dn "C=US, O=Quantum, >>> CN=quantum-equities.com,cygnus.darkmatter.org" -- but strongswan pki wasn't >>> having it so I had to settle for just quantum-equities.com. >> That's because commas separate RDNs (and `cygnus.darkmatter.org` is no >> proper RDN) and

Re: [strongSwan] Strong swan IKE issue.

2018-03-20 Thread Tobias Brunner
Hi Andrii, ike-scan won't help you here as it only reports on Phase 1 (IKE SA), but your problem is during Phase 2 (Quick Mode, IPsec SA). > Remote side is not supporting pfs. > > IKE Phase One Parameters: > Encryption Algorithm: AES 256 > Hash Algorithm: SHA > Authentication

Re: [strongSwan] RSA_EMSA_PKCS1_SHA1 not acceptable

2018-03-19 Thread Tobias Brunner
Hi Mike, > Did you find something that could help us? You gave the answer basically yourself by considering the very old strongSwan version (which you claimed to be 5.5.3 on both ends in your original mail btw.). If you didn't stop there but e.g. checked the changelog [1] to see since when

Re: [strongSwan] Android Ciphers

2018-03-19 Thread Tobias Brunner
Hi, > I am not able to establish a connection with the Android app yet and so > have no proposed ciphers in my log. Did you check the server log? > I infer that which ciphers are supported by the app depend on the > Android kernel, at least for encryption. No, IPsec is handled completely in

Re: [strongSwan] One to Many VPN (Host-Host)

2018-03-19 Thread Tobias Brunner
Hi, > I've made its cert with --san quantum-equities.com,cygnus.darkmatter.org, > because the LAN gateway is known outside as quantum-equities.com and the > IPSec gateway is known in the LAN as cygnus.darkmatter.org. That syntax is not valid. Just use --san multiple times for each SAN (as the

Re: [strongSwan] Strong swan IKE issue.

2018-03-19 Thread Tobias Brunner
Hi Andrii, > I see the problem on IKE side, but don’t know how to debug and fix it. The log tells you _exactly_ what the problem is: > 12[ENC] parsed INFORMATIONAL_V1 request 2090615229 [ HASH N(NO_PROP) ] > 12[IKE] received NO_PROPOSAL_CHOSEN error notify The peer doesn't like the crypto

Re: [strongSwan] One to Many VPN (Host-Host)

2018-03-19 Thread Tobias Brunner
Hi, > I'm looking to VPN every machine in a LAN. I infer that this would be > something like a host-to-host config. Did you have a look at the trap-any scenario? Regards, Tobias [1] https://www.strongswan.org/testing/testresults/ikev2/trap-any/

Re: [strongSwan] Strong swan IKE issue.

2018-03-21 Thread Tobias Brunner
Hi Andrii, > Remote side is asking to disable PFS Group 5: > > PFS Group 5 is not configured on our end and is not enabled by default. > If this is currently required on the Andrii end then we will open a > change to have this added. > > Can it cause this problem? Sounds strange, as you

Re: [strongSwan] IKE2 4500 Reply Not Making it Out

2018-03-23 Thread Tobias Brunner
Hi, > No port 4500 packet hitting its own interface. Only a keep-alive. That's the only packet that's sent from port 4500 (as also stated in the log, where it clearly states that keep-alive is being sent, nothing else). Since no request to port 4500 ever makes it to the daemon (the log tells

Re: [strongSwan] infinite loop for ipsec up/down command

2018-03-23 Thread Tobias Brunner
Hi Marco, > I'm running strongswan 5.6.2 on Slackware linux 64 bit Check the current master. It includes fixes for issues like these (see [1]). Regards, Tobias [1] https://wiki.strongswan.org/issues/2536

Re: [strongSwan] Clarifying behaviour around NAT-T and remapping

2018-03-23 Thread Tobias Brunner
Hi Rich, > 1. IKE and ESP SAs are established normally with NAT-T, i.e. 500:4500. > 2. NAT remapping occurs within Azure, at which point StrongSwan sees IKE > packets come from port 1027 instead of 500. (i.e. instead of 500:500 it’s > 500:1027). And what happens to port 4500? Why would there

Re: [strongSwan] how to send/request the intermediate CAs?

2018-03-05 Thread Tobias Brunner
Hi Harald, > Even if Strongswan ignores the additional certs, is it possible that > some crypto implementation *used* by Strongswan does not, but reads > all certificates found in the cert files (in /etc/ipsec.d)? Only the pem plugin reads PEM encoded files, and it only parses one credential per

Re: [strongSwan] "%d" of initiator_id of load-tester does not start from 1 but 2.

2018-02-27 Thread Tobias Brunner
Hi, > I am facing a problem of load-tester that "%d" of initiator_id did not > start from 1, but from 2. Yes, that's the case since 5.2.0 (since [1] to be exact). I pushed a fix to the load-tester-id branch. Is that really a problem, though? Regards, Tobias [1]

Re: [strongSwan] how to send/request the intermediate CAs?

2018-02-27 Thread Tobias Brunner
Hi Harald, > I had hoped that putting the whole chain into > /etc/ipsec.d/certs/mycert.pem > would help, but apparently it doesn't. strongSwan reads only the first certificate from PEM encoded files. So put them in separate files. >>> >>> This is unusual, is it?

Re: [strongSwan] PLUTO_XAUTH_ID trustworthy (by cert)?

2018-02-27 Thread Tobias Brunner
Hi Trevor, > Is PLUTO_XAUTH_ID (as passed to a user-defined updown script) 100% > trustworthy in an ikev2 / eap-tls / user certs connection scenario? > What I mean by that, is can it be selected, set, or spoofed by the > client? Yes, it's trustworthy. While the client can send an arbitrary

Re: [strongSwan] strongswan gateway does not send hash-link of its own certificate

2018-02-28 Thread Tobias Brunner
Hi Mike, > gateway ipsec.conf: > > ca %default >   certuribase=http://hashandurl.my-server.de/ >   auto=add If that's the only ca section in your config this won't work. The %default section is never loaded itself; it only provides defaults for other sections of the same type. Also, defining a

Re: [strongSwan] Reply: "%d" of initiator_id of load-tester does not start from 1 but 2.

2018-02-28 Thread Tobias Brunner
Hi, > If the case you mentioned has been fixed in 5.2.1, I never said that. What I said is that the behavior changed with 5.2.0. But it has never been fixed, the fix can only be found in the load-tester-id branch, which I pushed yesterday, so no released version contains it. > What I concern

Re: [strongSwan] PLUTO_XAUTH_ID trustworthy (by cert)?

2018-02-28 Thread Tobias Brunner
Hi Trevor, >>> So I then tried user certs to select on EAP identity in the user >>> cert. Set that up then finally found a couple of emails/sites that >>> said strongswan can't switch conns based on identity. >> >> That's not entirely true. If you delegate the authentication to a >> RADIUS

Re: [strongSwan] second connection from the same machine fails

2018-03-02 Thread Tobias Brunner
Hi Naveen, > 1) The second connection with the below configuration fails. The log message tells you why. The policies of the two connections conflict. While you don't get that error message with newer strongSwan releases (>= 5.3.0) it would not work properly as you'd still have two

Re: [strongSwan] Multiple connections same virtual pool without sharing FIXED

2018-10-16 Thread Tobias Brunner
Hi Marwan, > 3. Client1 connects multiple devices to the VPN, each device has a > unique virtual IP address and can be accessed through Client1’s VPN How does it do that? Do you mean it allocates addresses from 10.0.0.0/24 to those clients? (Without the server being aware of that, which is not

Re: [strongSwan] Multiple connections same virtual pool without sharing FIXED

2018-10-16 Thread Tobias Brunner
Hi Marwan, > I am wondering if it is possible for multiple connections to have > the same pool without being shared? Not when configuring via ipsec.conf, you can probably do this via vici/swanctl or attr-sql. > E.g. client1 on conn1 and client2 on > conn2 are both assigned 10.10.0.1. What

Re: [strongSwan] DHCP plugin + freeradius - strange behavior when no proposals

2018-10-16 Thread Tobias Brunner
> only something like (I have had no debug): > 2018-10-14T19:27:57.322435+02:00 alfa charon-systemd[6721]: sending DHCP > DISCOVER to 192.168.200.200 > 2018-10-14T19:27:57.322643+02:00 alfa charon-systemd[6721]: received DHCP > OFFER %any from 192.168.200.200 > 2018-10-14T19:27:57.324271+02:00

Re: [strongSwan] Strongswan and Cisco ASA 5585x

2018-10-16 Thread Tobias Brunner
Hi Loyc, > Here is mine. Where am I wrong please? Well, what does the log say? >         leftsubnet=my.local.subnet What's "my.local.subnet" exactly? Is the other end configured appropriately? >         rightsubnet=the.remote.subnet And that as well. Is that related to the "VPN Access

Re: [strongSwan] DHCP plugin + freeradius - strange behavior when no proposals

2018-10-16 Thread Tobias Brunner
Hi Kamil, > and received dhcp-ack. > And ... again send dhcp-request, received dhcp-ack, and we end with > infinite loop. Do you have the strongSwan log that goes with this? And what strongSwan and FreeRADIUS versions are you using? > Now I (temporarily) configure dhcp server not to send offer

Re: [strongSwan] Multiple connections same virtual pool without sharing FIXED

2018-10-16 Thread Tobias Brunner
Hi Marwan, > In my use case, client1 and client2 are specifying which virtual pool they > want assigned to their VPN connection. I was hoping that multiple clients > (connections) could select the same pool without any conflicts. What do you mean with that? If they select a different pool but

Re: [strongSwan] Which version of openssl to use with strongswan

2018-10-23 Thread Tobias Brunner
Hi Peter, > I tried using the strongswan version of openssl from strongswan.org: > > https://git.strongswan.org/?p=android-ndk-openssl.git;a=summary > > but it seems this version of openssl is old and does not have some > functions used by strongswan 5.6.1: Yeah, that repository is not really

Re: [strongSwan] Multiple connections same virtual pool without sharing FIXED

2018-10-17 Thread Tobias Brunner
Hi Marwan, >> How does it do that? Do you mean it allocates addresses from >> 10.0.0.0/24 to those clients? (Without the server being aware of that, >> which is not a good idea.) Or does it NAT traffic from these devices to >> the IP address it received from the VPN server? > > The idea is

Re: [strongSwan] Simple road warrior setup no longer routing after upgrade

2018-10-16 Thread Tobias Brunner
Hi James, > However when I attempt to ping, I see the ping on the ppp0 interface, > and the source isn't 172.16.0.1: > 2018-07-25 18:26:37.085194521  8.0.0.1 → 192.168.1.1 ICMP 100 Echo > (ping) request  id=0x0004, seq=1/256, ttl=64 That indicates you ran into a bug in the 4.15 kernel. See

Re: [strongSwan] length of TRAFFIC_SELECTOR_SUBSTRUCTURE substructure list invalid

2018-10-29 Thread Tobias Brunner
Hi Yogesh, > No it is not strongswan on peer end. I am using third party VPN. Which probably means the peer sends an invalid TS payload. > So is the IKE_AUTH packet size is fixed to 204 bytes for PSK mode and > anything exceeding that can be Invalid length. There are no fixed sizes for any

Re: [strongSwan] IKE update does not correctly change the SA traffic selector in GRE transport mode

2018-10-31 Thread Tobias Brunner
Hi Fred, > Yes, it works. Great, thanks for testing. > Will it be included in an upcoming Strongswan release? Yes, will be included in the next release. Regards, Tobias

Re: [strongSwan] IKE update does not correctly change the SA traffic selector in GRE transport mode

2018-10-31 Thread Tobias Brunner
Hi Fred, > When the remote peer address changes, > strongswan correctly processes the XFRM_MSG_MAPPING message, and updates > the xfrm SA and SP in the Linux kernel, except the traffic selector. Yes, updating that selector was, in fact, missing in the responsible function. I pushed a potential

Re: [strongSwan] no payload on android application

2018-10-30 Thread Tobias Brunner
Hi, Your rightsourceip setting is incorrect: > Virtual IP pools (size/online/offline): > 0.0.0.0/0: 2147483646/1/0 > ... >ikev2-vpn{4}: 0.0.0.0/0 === 0.0.0.1/32 You don't want to use 0.0.0.0/0 for that pool, but a private subnet (the tutorial sets it to 10.10.10.0/24). Regards, Tobias

Re: [strongSwan] no payload on android application

2018-10-31 Thread Tobias Brunner
Hi, > in my scenario I want all the Android clients to be able to access the > vpn from any source IP so I set it to all (0.0.0.0/0). > Is there any other way to make this scenario work ... Yes, read the documentation [1] and (hopefully) come to the realization that the rightsourceip setting

Re: [strongSwan] EAP-MSCHAPv2 via NetworkManager Strongswan plugin

2018-11-05 Thread Tobias Brunner
Hi Alexander, > How do I set > > leftauth=eap-mschapv2 > > via NetworkManager Strongswan plugin? Just select "EAP" in the GUI and make sure the eap-mschapv2 plugin is loaded by charon-nm (plus probably the eap-identity plugin). The actual EAP method is requested by the server (the client

Re: [strongSwan] Non-standard IKE ports

2018-11-05 Thread Tobias Brunner
Hi, > so is there a way to make both of client and server use random ports Using random ports on the server does not really work because the client has to know the port. > (I > tried to set port_nat_t = 0 but the client doesn't understand it). What do you mean "doesn't understand it"? See

Re: [strongSwan] Handling DPD outside of strongswan

2018-11-05 Thread Tobias Brunner
Hi Peter, Your description of DPDs and the role strongSwan plays in this is a bit confusing. I assume you are referring to the Android/libipsec implementation where strongSwan handles IKE as well as ESP (otherwise, ESP is handled by the kernel, not strongSwan). > Given that the normal traffic

Re: [strongSwan] Looking for a way to debug resolve plugin

2018-11-05 Thread Tobias Brunner
Hi Pavel, > I use openresolv (https://roy.marples.name/projects/openresolv) as my > resolvconf implementation. Does that provide /sbin/resolvconf? > I there any way to get more verbose output from resolve plugin? No, but errors returned from resolvconf are logged (which doesn't seem to be the

Re: [strongSwan] No matching CHILD_SA config found - but it's right there

2018-11-05 Thread Tobias Brunner
Hi Chris, > Oct 30 18:06:43 pfSense_2.4.4 charon: 06[NET] received packet: > from 198.51.100.49[500] to 203.0.113.121[500] (460 bytes) > Oct 30 18:06:43 pfSense_2.4.4 charon: 06[ENC] parsed QUICK_MODE > request 3072107701 [ HASH SA No KE ID ID ] > Oct 30 18:06:43 pfSense_2.4.4 charon: 06[CFG]

Re: [strongSwan] Which version of openssl to use with strongswan

2018-10-26 Thread Tobias Brunner
Hi Peter, > Would Google also reject app compiled with this version of boringssl > when uploading to Play? It hasn't so far. > Building with the Android's build tools (Android repo, and not just > NDK), the system's boringssl library is built and the object files for > 'libcrypto' goes to the

Re: [strongSwan] Which version of openssl to use with strongswan

2018-10-24 Thread Tobias Brunner
Hi Peter, > Do we have porting guidelines for integrating strongswan with boringssl for > Android P? Nope. You shouldn't use the system's libraries from an app anyway. > I see there is an older version of boringssl > https://git.strongswan.org/?p=android-ndk-boringssl.git;a=log That's

Re: [strongSwan] question on ikev2 rekey

2018-11-12 Thread Tobias Brunner
Hi Kseniya, > So my question is: is it a default behavior for strongswan to list all > subnets in Traffic Selector fields even if their CHILD SAs are not > expired yet? Is it possible to change this behavior to include only > those subnets, which need rekeying, into proposals? You are not

Re: [strongSwan] openssl 1.1.1: support for ed448

2018-11-12 Thread Tobias Brunner
Hi Marco, > openssl 1.1.1 added support for X448 and Ed448. > Is there a way to configure it with strongSwan? No, the openssl plugin currently doesn't have a wrapper for X/Ed25519 or X/Ed448. Regards, Tobias

Re: [strongSwan] question on ikev2 rekey

2018-11-12 Thread Tobias Brunner
> Honestly, I thought that for IKEv2 multiple traffic selectors > are possible anyway. Unfortunately, there are implementations that don't support it. > Also, I was confused about the subnets because with > ipsec statusall it shows different rekey time values for different > policies which

Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

2018-11-16 Thread Tobias Brunner
Hi Anthony, > !!!Selected user cert is CN=TDY Test SCA 4 > 2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] certificate > \"C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test > SCA 4\" key: 2048 bit RSA That's the server's certificate, selected to verify the

Re: [strongSwan] EAP-MSCHAPv2 via NetworkManager Strongswan plugin

2018-11-06 Thread Tobias Brunner
Hi Alexander, > (I follow strictly https://nordvpn.com/ru/tutorials/linux/ikev2ipsec/ but the > only place they differ I think is "leftauth=eap-mschapv2".) No, that's not it, the authentication works fine (albeit with EAP-MD5). The problem is this: > Nov 5 18:59:40 node-calculate2

Re: [strongSwan] StrongSwan 5.7.0 try to add route to IPv4 via IPv6 gateway

2018-10-03 Thread Tobias Brunner
Hi Lev, > But when client connects via IPv6, StrongSwan try to add very strange > route (and fails): > > installing route failed: 192.168.27.1/32 via fe80::fc00:1ff:feb1:8578 > src %any dev vtnet0 > > I think, it is bug :-) That's just the log message. The daemon doesn't actually install

Re: [strongSwan] StrongSwan 5.7.0 try to add route to IPv4 via IPv6 gateway

2018-10-03 Thread Tobias Brunner
> Why did it log such nonsense? Did it TRY to install it or simply report > failure without trying? :) No, it does install a route, just without the next hop. The code that logs the message is in a different plugin (kernel-pfkey) than the code that actually installs the route (kernel-pfroute),

Re: [strongSwan] Avoiding adding IP to loopback interface

2018-10-03 Thread Tobias Brunner
Hi Simon, > Strongswan (well, I'm pretty sure it's Strongswan) adds a /32 IP to my > loopback interface when bringing up the connection. I don't think it is. strongSwan only adds virtual IPs (assigned from the other peer, and since you don't request one with leftsourceip, there won't be any) to

Re: [strongSwan] Help! I can't configure Windows 10 to send remote id (leftid) for IKEv2

2018-09-28 Thread Tobias Brunner
> Forgot to mention that the eap_identity issue is most likely related > to https://wiki.strongswan.org/issues/1183 See my comment at [1]. Regards, Tobias [1] https://wiki.strongswan.org/issues/2719#note-1

Re: [strongSwan] Discrepancy in distinguished name for x.509 authentication

2019-01-18 Thread Tobias Brunner
Hi Yogesh, > To make it work I had to configure 'E' for emailAddress in rightid field > of ipsec.conf. Hm, that seems strange. > I know it is not a big issue and it is working for me with 'E', but > ideally it should work with exact Subject of x.509 certificate which has > 'emailAddress' as the

Re: [strongSwan] no IDr configured, fall back on IP address

2019-01-18 Thread Tobias Brunner
Hi, > I've had my certs okey but now (I admit I've not used this tunnel in > long time) this connection fails and it seems due to some cert issues. Not directly, but it could be related. > But am I right to blame some change in my strongswan package? What can > be the problem? Your config?

Re: [strongSwan] Question of get_use_time to trigger dpd from libcharon

2019-01-18 Thread Tobias Brunner
Hi Venu, > The above get_usestats function above gets called with packets, bytes as > NULL. There are lots of places where they are not NULL. But yes, for DPDs that's currently the case. > In that case is it intended that we first do update_usetime { > which sends policy query to kernel } , if

Re: [strongSwan] Question of get_use_time to trigger dpd from libcharon

2019-01-18 Thread Tobias Brunner
Hi Venu, Sorry, I don't understand what you are asking. Please try to clarify what confuses you or doesn't meet your expectations. Regards, Tobias

Re: [strongSwan] problem with identical local peers addresses of two clients

2019-01-18 Thread Tobias Brunner
Hi Stephan, > we are using radius authentication with user certificates. With EAP (EAP-TLS in your case) Windows insists on using the local IP address as IKE identity. Unfortunately, that identity won't change when RADIUS is used (even if the RADIUS server does an EAP-Identity exchange). Did

Re: [strongSwan] peer config match

2019-01-21 Thread Tobias Brunner
Hi, > The log lines for the match show > candidate "site2site", match: 1/20/1048 (me/other/ike) > candidate "rw", match: 1/1/1052 (me/other/ike) > > Candidate "rw" has higher ike match (1052) resulting in "rw" being chosen. Yes, that's how it currently works. The IKE match (which also

Re: [strongSwan] What causes: changing proposed traffic selectors for us?

2019-01-17 Thread Tobias Brunner
Hi Andreas, > ### who does this and why, or how to prevent? > > Jan 16 14:27:24 nx03 charon: 06[CFG] changing proposed traffic selectors > for us: > Jan 16 14:27:24 nx03 charon: 06[CFG]  0.0.0.0/0 Disable the unity plugin [1] completely, or just don't set charon.cisco_unity. Regards, Tobias

Re: [strongSwan] Sa not getting deleted

2019-01-17 Thread Tobias Brunner
Hi Naveen, > I see an issue where, when I unload a connection from the vici API, and > reload a connection, the old Sa's are not getting deleted immediately, > but I see a soft expire or 3077(sec). Why should it? Unless you have a start_action configured (which is reversed if a config is

Re: [strongSwan] Interface can't be the loopback interface (lo). Sorry. - problem

2019-01-17 Thread Tobias Brunner
Hi, > I found this: https://wiki.strongswan.org/issues/294 > > Both ends of my tunnel are Fedora29, so version of Strongswan should be > that-bug-free, it's: Linux strongSwan U5.7.1/K4.19.10-300.fc29.x86_64 Why would you think that issue has anything to do with your problem? > But still when

Re: [strongSwan] having issue while establishing tunnel with public key authentication mode

2019-01-17 Thread Tobias Brunner
Hi Yogesh, > I have two ends of site to site VPN where both are configured with > strongswan and version IKEv1. Please use IKEv2 if you have strongSwan on both sides, no reason to use a deprecated protocol. > Is it normal behavior of strongswan, that we can establish only one > tunnel at a time

Re: [strongSwan] problem with identical local peers addresses of two clients

2019-01-17 Thread Tobias Brunner
Hi Stephan, > we’ve two windows 10 clients which got the identical IP-address from > their dsl router at home. Now they are fighting against each other in > catching the vpn tunnel. Is there a way to fix that beside reconfiguring > the home router? What type of authentication are you using? It

Re: [strongSwan] INTERNAL_ADDRESS_FAILURE on StrongSwan Windows Server

2019-01-17 Thread Tobias Brunner
Hi, This is probably the more serious issue: > 03[KNL] setting WFP SA SPI failed: 0x80320035 > 03[IKE] unable to install IPsec policies (SPD) in kernel See [1]. Regards, Tobias [1] https://wiki.strongswan.org/issues/2750

Re: [strongSwan] NetworkManager-strongswan-gnome IKEv2 configuration question.

2019-01-17 Thread Tobias Brunner
Hi Josh, > Question: why do I need to explicitly extract letsencrypt parent > > Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3 > > certificate from /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem > (found after # DST Root CA X3) and load into configuration dialog? strongSwan only

Re: [strongSwan] Virtual IPs range - but clients get the same one - problem

2019-01-17 Thread Tobias Brunner
Hi, > And all, well, two, three clients I connect (at the same time) get the > same 10.3.1.220 IP, why? Do they all use the same client identity? Also, check the log for details. Regards, Tobias

Re: [strongSwan] Discrepancy in distinguished name for x.509 authentication

2019-01-17 Thread Tobias Brunner
Hi Yogesh, > so I tried configuring right id as strongswan is expecting, and tunnel was > established. You mean with E instead of emailAddress? No other changes? > So why is strongswan not using complete '*emailAddress*' field of > Subject distinguished name and only '*E*' instead ?

Re: [strongSwan] Slow script called by leftupdown causes clients to fail connection

2018-12-18 Thread Tobias Brunner
Hi, > I tried forking the slow functions in my script, but it appears that > strongswan waits for them to exit too :( To avoid that, it's important to remember to redirect STDOUT and STDERR. For instance, if you want to start a sub-script or program for which you don't want to wait from your

Re: [strongSwan] INTERNAL_ADDRESS_FAILURE on StrongSwan Windows Server

2018-12-21 Thread Tobias Brunner
Hi, > This produces an error INTERNAL_ADDRESS_FAILURE (identities anonymized): > ... > Do you know what I need to correct to prevent this error? Did you load the address pool with swanctl --load-pools? (Using --load-all also works.) Check with --list-pools if the pool is loaded. Regards,

Re: [strongSwan] Unit test failure on Ubuntu package build

2018-12-14 Thread Tobias Brunner
Hi Florian, > Unfortunately, after the 64 bit build two of the unit tests fail: The failing tests require ::1 to be available. So either change the network config on your build host, or disable the tests when building the package (look for dh_auto_test in debian/rules). Regards, Tobias

Re: [strongSwan] connecting with IPv6

2018-11-28 Thread Tobias Brunner
Hi, > I think the reason why it doesn't work is the following error Correct. > According to the > bugtracker there is a feature missing in the linux kernel That is a possible reason, yes. But it's not in this case. The problem is this: > Thu, 2018-11-22 18:04 02[IKE] <2> faking NAT
