[strongSwan] Forecast plug-in.

CpServiceSPb . cpservicespb at gmail.com
Fri Jan 23 13:29:04 CET 2015


So, I put mark=%unique and the local broadcast 255.255.255.255 into ipsec.conf.
But in my tests, it was necessary and sufficient to put the local broadcast
255.255.255.255 into leftsubnet only.
I didn't put 255.255.255.255 into rightsubnet and I didn't put the net
broadcast 192.168.0.255 into any subnets, and everything worked.

But there are 2 questions again. :)

First:
A double password query appears. It is the right password in my Win7
connection, but after it is passed the first time, there is

parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
05[IKE] EAP-MS-CHAPv2 username: '%any'
05[IKE] no EAP key found for hosts '%any' - '%any'
05[IKE] EAP-MS-CHAPv2 verification failed, retry (1)
10[MGR] ignoring request with ID 2, already processing
05[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]

and the password query appears again, and after the password is passed a
second time the connection is established.
This did not happen before.
Quite strange: I turned forecast off but the doubled password prompt remained.
But I didn't change anything except the settings for forecast; I even
reverted leftsubnet and rightsubnet to their previous state.

Second: Initially there is no nbns in strongswan.conf, that is, the WINS
server does not appear in the Windows client connection properties.
But after the 'reinject' value is set, the WINS server appears in the
corresponding properties.
Moreover, after commenting out the value and re-establishing the connection,
the WINS server does not disappear.
And after commenting out all plug-in values, the WINS server remained in the
properties.
Is this the right behaviour? I think not.
I disabled forecast in the load line in strongswan.conf. After that, without
turning reinject on, the WINS server does not appear.
But after connecting a second time it appears again.

By the way, whether WINS is present or not in the Windows connection
properties changes NetBIOS behaviour quite strongly.
Consequently, it is very important.


2015-01-23 11:52 GMT+03:00 Martin Willi <martin at strongswan.org>:

>
> > 0.2131s / 2079 times in lock created at: dumping 7 stack frame addresses:
> >   /usr/lib/ipsec/libstrongswan.so.0 @ 0xb7708000 [0xb774aee5]
>
> This is a lock profiler backtrace. It is usually required only if you
> want to find lock bottlenecks, but for normal operation/testing you
> should build without the --enable-lock-profiler ./configure option.
>
> > leftsubnet=192.168.0.0/24
> > rightsourceip=192.168.0.201-192.168.0.215
>
> First, the forecast plugin requires that you set mark=%unique on the
> connection you want to forward broadcasts to/from. Second, your traffic
> selectors must include the broadcast/multicast addresses you want to
> forward in each direction, as IPsec policy matching is still in place.
> Refer to the configuration of moon in the forecast test case [1] for an
> example. Windows sends some broadcasts as 255.255.255.255 over the IPsec
> tunnel, so you might want to include that address as well.
>
> Regards
> Martin
>
> [1]http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=f1c218d6
>
>