[strongSwan] Exclude protocol from IPsec
Piyush Agarwal
agarwalpiyush at gmail.com
Wed May 24 02:02:48 CEST 2017
After some googling, I tried two things:
1) changed strongswan.conf to set allow_swap = no:
charon {
install_routes = no
load_modular = yes
plugins {
stroke {
allow_swap = no
}
include strongswan.d/charon/*.conf
}
filelog {
/var/run/charon.log {
default = 2
flush_line = yes
}
}
}
2) added "allow_swap = no" in stroke.conf in /etc/strongswan.d/charon/
But they did not help and I still see this log message in server's
charon.log (and not client's):
*10[CFG] left is other host, swapping ends*
On Tue, May 23, 2017 at 4:25 PM, Piyush Agarwal <agarwalpiyush at gmail.com>
wrote:
> Exactly, but nowhere in my config file do I find a mistake. How can I
> correct the TS?
>
> Again, my config "skip" for passthrough only specifies leftsubnet and
> rightsubnet (and they are indeed correct):
>
> Client's skip conn:
> leftsubnet=1.100.0.9/32
> rightsubnet=1.100.0.5/32
>
>
> Server's skip conn:
> leftsubnet=1.100.0.5/32
> rightsubnet=1.100.0.9/32
>
> Why is the server's TS wrong then? Is this a bug? Right now I am running
> 5.1.2 (but I also tried 5.3.5).
>
> Thanks.
>
> On Tue, May 23, 2017 at 4:20 PM, Noel Kuntze <noel at familie-kuntze.de>
> wrote:
>
>> TS is oriented the wrong way.
>>
>>
>> Am 24. Mai 2017 00:12:17 MESZ schrieb Piyush Agarwal <
>> agarwalpiyush at gmail.com>:
>>>
>>> I see this in server's log, is that a red flag? The local address on
>>> server 1.100.0.5 (client is 1.100.0.9).
>>>
>>> 13[CFG] received stroke: route 'skip'
>>> 13[CFG] proposing traffic selectors for us:
>>> 13[CFG] 1.100.0.9/32[icmp] <http://1.100.0.9/32%5Bicmp%5D>
>>> 13[CFG] proposing traffic selectors for other:
>>> 13[CFG] 1.100.0.5/32[icmp] <http://1.100.0.5/32%5Bicmp%5D>
>>> 13[KNL] adding policy 1.100.0.9/32[icmp] <http://1.100.0.9/32%5Bicmp%5D>
>>> === 1.100.0.5/32[icmp] <http://1.100.0.5/32%5Bicmp%5D> out (mark
>>> 0/0x00000000)
>>> 13[KNL] adding policy 1.100.0.5/32[icmp] <http://1.100.0.5/32%5Bicmp%5D>
>>> === 1.100.0.9/32[icmp] <http://1.100.0.9/32%5Bicmp%5D> in (mark
>>> 0/0x00000000)
>>> 13[KNL] adding policy 1.100.0.5/32[icmp] <http://1.100.0.5/32%5Bicmp%5D>
>>> === 1.100.0.9/32[icmp] <http://1.100.0.9/32%5Bicmp%5D> fwd (mark
>>> 0/0x00000000)
>>> 13[KNL] getting a local address in traffic selector 1.100.0.9/32[icmp]
>>> <http://1.100.0.9/32%5Bicmp%5D>
>>> *13[KNL] no local address found in traffic selector 1.100.0.9/32[icmp]
>>> <http://1.100.0.9/32%5Bicmp%5D>*
>>>
>>>
>>> On Tue, May 23, 2017 at 2:48 PM, <agarwalpiyush at gmail.com> wrote:
>>>
>>>> Hi,
>>>> Thanks for the suggestion. With the change you recommended, I do see
>>>> some progress. But here are the issues:
>>>>
>>>> 1) client -> server ping: I do see echo request is un-encrypted as seen
>>>> by tcpdump on server's interface. But tcpdump on the server's interface
>>>> shows no reply being generated (if I remove passthrough policy, the
>>>> encrypted replies work just fine). I saw threads about strongswan using
>>>> route table 220, but I don't see any output of "ip route show table 220".
>>>> Why is "auto=route" required? How is it messing with the server side's echo
>>>> reply, assuming that is the case? I tried with auto=start but that still
>>>> had ICMP packets encrypted.
>>>>
>>>> 2) server -> client ping: I see server's ping show up encrypted on the
>>>> client's interface. Client's interface tcpdump sees un-unencrypted echo
>>>> reply. But this reply is not seen on server's interface at all!!
>>>>
>>>> Does the order of IP addresses in output of "Shunted policies" have any
>>>> significance? I see server side is showing shunted connected as "client/32
>>>> == server/32" which is not what I expected.
>>>>
>>>> *Client output:*
>>>> *client$:ipsec status*
>>>> Shunted Connections:
>>>> * skip: 1.100.0.9/32[icmp] <http://1.100.0.9/32%5Bicmp%5D> ===
>>>> 1.100.0.5/32[icmp] <http://1.100.0.5/32%5Bicmp%5D> PASS*
>>>> Security Associations (1 up, 0 connecting):
>>>> 1.100.0.5[1]: ESTABLISHED 8 minutes ago, 1.100.0.9[C=US, ST=CA,
>>>> L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]...1.100.0.5[C=US,
>>>> ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]
>>>> 1.100.0.5{1}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c5067855_i
>>>> cfc50c8b_o
>>>> 1.100.0.5{1}: 1.100.0.9/32 === 1.100.0.5/32
>>>>
>>>> *Server output:*
>>>> *server$:ipsec status*
>>>> Shunted Connections:
>>>> * skip: 1.100.0.9/32[icmp] <http://1.100.0.9/32%5Bicmp%5D> ===
>>>> 1.100.0.5/32[icmp] <http://1.100.0.5/32%5Bicmp%5D> PASS*
>>>> Security Associations (1 up, 0 connecting):
>>>> 1.100.0.9[1]: ESTABLISHED 9 minutes ago, 1.100.0.5[C=US, ST=CA,
>>>> L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]...1.100.0.9[C=US,
>>>> ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]
>>>> 1.100.0.9{1}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: cfc50c8b_i
>>>> c5067855_o
>>>> 1.100.0.9{1}: 1.100.0.5/32 === 1.100.0.9/32
>>>>
>>>> Much appreciate any help. Racoon/setkey was very straightforward to get
>>>> this working :( Hopefully it is a mistake I am making/misconfiguring etc.
>>>>
>>>> Reprinting the ipsec.conf (after changes were done):
>>>> *Client:*
>>>>
>>>> conn skip
>>>> type=passthrough
>>>> left=127.0.0.1
>>>> leftsubnet=1.100.0.9/32[icmp/] <http://1.100.0.9/32%5Bicmp/%5D>
>>>> leftcert=client_cert.pem
>>>> leftsendcert=always
>>>> rightcert=server_cert.pem
>>>> right=127.0.0.1
>>>> rightsubnet=1.100.0.5/32[icmp/] <http://1.100.0.5/32%5Bicmp/%5D>
>>>> auto=route
>>>>
>>>> conn 1.100.0.5
>>>> type=transport
>>>> left=1.100.0.9
>>>> leftcert=client_cert.pem
>>>> leftsendcert=always
>>>> rightcert=server_cert.pem
>>>> right=1.100.0.5
>>>> reauth=no
>>>> dpdaction=restart
>>>> auto=start
>>>>
>>>> *Server:*
>>>>
>>>> conn skip
>>>> type=passthrough
>>>> left=127.0.0.1
>>>> leftsubnet=1.100.0.5/32[icmp/] <http://1.100.0.5/32%5Bicmp/%5D>
>>>> leftcert=server_cert.pem
>>>> leftsendcert=always
>>>> rightcert=client_cert.pem
>>>> right=127.0.0.1
>>>> rightsubnet=1.100.0.9/32[icmp/] <http://1.100.0.9/32%5Bicmp/%5D>
>>>> auto=route
>>>>
>>>> conn 1.100.0.9
>>>> type=transport
>>>> left=1.100.0.5
>>>> leftcert=server_cert.pem
>>>> leftsendcert=always
>>>> rightcert=client_cert.pem
>>>> right=1.100.0.9
>>>> reauth=no
>>>> dpdaction=restart
>>>> auto=add
>>>>
>>>>
>>>> Thanks!
>>>>
>>>> On Tuesday, May 23, 2017 at 12:30:15 PM UTC-7, Dusan Ilic wrote:
>>>>>
>>>>> Try following
>>>>>
>>>>> type=passthrough
>>>>> left=127.0.0.1
>>>>> leftsubnet=1.100.0.9/32[icmp/]
>>>>> right=127.0.0.1
>>>>> rightsubnet=1.100.0.5/32[icmp/]
>>>>> auto=route
>>>>>
>>>>>
>>>>>
>>>>> ---- agarwa... at gmail.com skrev ----
>>>>>
>>>>>
>>>>> Reading another thread, I changed "right" of "skip" connection on both
>>>>> client and server to be "127.0.0.1" and that fixed up a few things:
>>>>> 1) The IPsec installed is type transport (as desired)
>>>>> 2) I do see shunted policies list ICMP PASS
>>>>>
>>>>> *However, I still have my pings from client to server encrypted :(*
>>>>>
>>>>> *Client:*
>>>>> # ipsec statusall
>>>>> Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-75-generic,
>>>>> x86_64):
>>>>> uptime: 10 minutes, since May 23 12:02:46 2017
>>>>> malloc: sbrk 2564096, mmap 0, used 393728, free 2170368
>>>>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>>>>> scheduled: 3
>>>>> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand
>>>>> random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem
>>>>> openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve
>>>>> socket-default stroke updown eap-identity addrblock
>>>>> Listening IP addresses:
>>>>> 1.100.0.9
>>>>> Connections:
>>>>> skip: %any...127.0.0.1 IKEv2
>>>>> skip: local: [C=US, ST=CA, L=Mountain View, O=TEST,
>>>>> OU=AgentC, CN=test.com] uses public key authentication
>>>>> skip: cert: "C=US, ST=CA, L=Mountain View, O=TEST,
>>>>> OU=AgentC, CN=test.com"
>>>>> skip: remote: [C=US, ST=CA, L=Mountain View, O=TEST,
>>>>> OU=AgentC, CN=test.com] uses public key authentication
>>>>> skip: cert: "C=US, ST=CA, L=Mountain View, O=TEST,
>>>>> OU=AgentC, CN=test.com"
>>>>> skip: child: 0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS
>>>>> 1.100.0.5: 1.100.0.9...1.100.0.5 IKEv2, dpddelay=60s
>>>>> 1.100.0.5: local: [C=US, ST=CA, L=Mountain View, O=TEST,
>>>>> OU=AgentC, CN=test.com] uses public key authentication
>>>>> 1.100.0.5: cert: "C=US, ST=CA, L=Mountain View, O=TEST,
>>>>> OU=AgentC, CN=test.com"
>>>>> 1.100.0.5: remote: [C=US, ST=CA, L=Mountain View, O=TEST,
>>>>> OU=AgentC, CN=test.com] uses public key authentication
>>>>> 1.100.0.5: cert: "C=US, ST=CA, L=Mountain View, O=TEST,
>>>>> OU=AgentC, CN=test.com"
>>>>> 1.100.0.5: child: dynamic === dynamic *TRANSPORT*,
>>>>> dpdaction=restart
>>>>> *Shunted Connections:*
>>>>> * skip: 0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS*
>>>>> Security Associations (1 up, 0 connecting):
>>>>> 1.100.0.5[1]: ESTABLISHED 10 minutes ago, 1.100.0.9[C=US, ST=CA,
>>>>> L=Mountain View, O=TEST, OU=AgentC, CN=test.com]...1.100.0.5[C=US,
>>>>> ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com]
>>>>> 1.100.0.5[1]: IKEv2 SPIs: be5caa6cea2281c2_i* 79bb5ad924d8d919_r,
>>>>> rekeying in 44 minutes
>>>>> 1.100.0.5[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_H
>>>>> MAC_SHA1/MODP_2048
>>>>> 1.100.0.5{1}: INSTALLED, *TRANSPORT*, ESP SPIs: c989f733_i
>>>>> c3f6a42e_o
>>>>> 1.100.0.5{1}: AES_CBC_128/HMAC_SHA1_96, 520206 bytes_i (2551
>>>>> pkts, 1s ago), 1691623 bytes_o (2986 pkts, 10s ago), rekeying in 5
>>>>> minutes
>>>>> 1.100.0.5{1}: *1.100.0.9/32 === 1.100.0.5/32*
>>>>>
>>>>>
>>>>> *Client setkey -DP output:*
>>>>> 1.100.0.5[any] 1.100.0.9[any] 255
>>>>> in prio high + 1073740029 ipsec
>>>>> esp/transport//unique:1
>>>>> created: May 23 12:18:12 2017 lastused: May 23 12:18:52 2017
>>>>> lifetime: 0(s) validtime: 0(s)
>>>>> spid=2248 seq=1 pid=176401
>>>>> refcnt=11
>>>>> 1.100.0.9[any] 1.100.0.5[any] 255
>>>>> out prio high + 1073740029 ipsec
>>>>> esp/transport//unique:1
>>>>> created: May 23 12:18:12 2017 lastused: May 23 12:18:47 2017
>>>>> lifetime: 0(s) validtime: 0(s)
>>>>> spid=2241 seq=2 pid=176401
>>>>> refcnt=11
>>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>> fwd prio high + 1073739774 none
>>>>> created: May 23 12:02:46 2017 lastused:
>>>>> lifetime: 0(s) validtime: 0(s)
>>>>> spid=2130 seq=3 pid=176401
>>>>> refcnt=1
>>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>> in prio high + 1073739774 none
>>>>> created: May 23 12:02:46 2017 lastused: May 23 12:02:50 2017
>>>>> lifetime: 0(s) validtime: 0(s)
>>>>> spid=2120 seq=4 pid=176401
>>>>> refcnt=1
>>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>> out prio high + 1073739774 none
>>>>> created: May 23 12:02:46 2017 lastused:
>>>>> lifetime: 0(s) validtime: 0(s)
>>>>> spid=2113 seq=5 pid=176401
>>>>> refcnt=1
>>>>>
>>>>>
>>>>> On Tuesday, May 23, 2017 at 11:29:04 AM UTC-7, agarwa... at gmail.com
>>>>> wrote:
>>>>>>
>>>>>> Hi Noel,
>>>>>> Many thanks for the pointer. Looks like I am missing something more
>>>>>> or perhaps making a mistake.
>>>>>>
>>>>>> Client [1.100.0.9] -- Server [1.100.0.5]
>>>>>>
>>>>>> Goal: All non-ICMP traffic to be over IPsec tunnel between these two
>>>>>> machines.
>>>>>>
>>>>>> Strongswan 5.1.2
>>>>>>
>>>>>> The client and server are using self-signed certificates and have
>>>>>> each other's certs in /etc/ipsec.d/certs/
>>>>>>
>>>>>> *Client ipsec.conf <http://ipsec.conf>:*
>>>>>>
>>>>>> config setup
>>>>>> charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1,
>>>>>> tls 1, lib 0, enc 0, tnc 0"
>>>>>> uniqueids=no
>>>>>>
>>>>>> conn %default
>>>>>> ikelifetime=60m
>>>>>> keylife=20m
>>>>>> rekeymargin=3m
>>>>>> keyingtries=1
>>>>>> keyexchange=ikev2
>>>>>> authby=rsasig
>>>>>>
>>>>>> conn skip
>>>>>> type=*passthrough*
>>>>>> left=1.100.0.9
>>>>>> leftsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>>>>> leftcert=client_cert.pem
>>>>>> leftsendcert=always
>>>>>> rightcert=server_cert.pem
>>>>>> right=1.100.0.5
>>>>>> rightsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>>>>> auto=route
>>>>>>
>>>>>> conn 1.100.0.5
>>>>>> type=*transport*
>>>>>> left=1.100.0.9
>>>>>> leftcert=client_cert.pem
>>>>>> leftsendcert=always
>>>>>> rightcert=server_cert.pem
>>>>>> right=1.100.0.5
>>>>>> reauth=no
>>>>>> auto=start
>>>>>>
>>>>>> *Server ipsec.conf <http://ipsec.conf>:*
>>>>>>
>>>>>> config setup
>>>>>> charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1,
>>>>>> tls 1, lib 0, enc 0, tnc 0"
>>>>>> uniqueids=no
>>>>>>
>>>>>> conn %default
>>>>>> ikelifetime=60m
>>>>>> keylife=20m
>>>>>> rekeymargin=3m
>>>>>> keyingtries=1
>>>>>> keyexchange=ikev2
>>>>>> authby=rsasig
>>>>>>
>>>>>> conn skip
>>>>>> type=*passthrough*
>>>>>> left=1.100.0.5
>>>>>> leftsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>>>>> leftcert=server_cert.pem
>>>>>> leftsendcert=always
>>>>>> rightcert=client_cert.pem
>>>>>> right=1.100.0.9
>>>>>> rightsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>>>>> auto=route
>>>>>>
>>>>>> conn 1.100.0.9
>>>>>> type=*transport*
>>>>>> left=1.100.0.5
>>>>>> leftcert=server_cert.pem
>>>>>> leftsendcert=always
>>>>>> rightcert=client_cert.pem
>>>>>> right=1.100.0.9
>>>>>> reauth=no
>>>>>> auto=add
>>>>>>
>>>>>> =============
>>>>>> Output of setkey -DP on client:
>>>>>> root at agarwalpiyush0:/usr/local/google/home/agarwalpiyush/work/agent-v#
>>>>>> ./sbin/nfv_cli dm_carl0 setkey -DP
>>>>>> 1.100.0.5 1.100.0.9 icmp
>>>>>> fwd prio high + 1073740030 ipsec
>>>>>> esp/tunnel/1.100.0.5-1.100.0.9/unique:1
>>>>>> created: May 23 11:21:42 2017 lastused:
>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>> spid=1834 seq=1 pid=103981
>>>>>> refcnt=1
>>>>>> 1.100.0.5 1.100.0.9 icmp
>>>>>> in prio high + 1073740030 ipsec
>>>>>> esp/tunnel/1.100.0.5-1.100.0.9/unique:1
>>>>>> created: May 23 11:21:42 2017 lastused:
>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>> spid=1824 seq=2 pid=103981
>>>>>> refcnt=1
>>>>>> 1.100.0.9 1.100.0.5 icmp
>>>>>> out prio high + 1073740030 ipsec
>>>>>> esp/tunnel/1.100.0.9-1.100.0.5/unique:1
>>>>>> created: May 23 11:21:42 2017 lastused:
>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>> spid=1817 seq=3 pid=103981
>>>>>> refcnt=1
>>>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>>> fwd prio high + 1073739774 none
>>>>>> created: May 23 11:21:31 2017 lastused:
>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>> spid=1698 seq=4 pid=103981
>>>>>> refcnt=1
>>>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>>> in prio high + 1073739774 none
>>>>>> created: May 23 11:21:31 2017 lastused: May 23 11:21:35 2017
>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>> spid=1688 seq=5 pid=103981
>>>>>> refcnt=2
>>>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>>> out prio high + 1073739774 none
>>>>>> created: May 23 11:21:31 2017 lastused:
>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>> spid=1681 seq=6 pid=103981
>>>>>> refcnt=1
>>>>>>
>>>>>>
>>>>>> Questions:
>>>>>> 1) I'd like a transport type IPsec session for all non-ICMP traffic
>>>>>> between client and server. As soon as I specify "passthrough" policy, my
>>>>>> IPsec session changes to type "tunnel" from output of ipsec status. Clearly
>>>>>> I am not specifying passthrough policy correctly.
>>>>>>
>>>>>> 1) Do I need to specify left/right for my "skip" passthrough conn? If
>>>>>> I do NOT specify left and right for skip connection, I see the IPsec type
>>>>>> remains transport (which is good and what I want), I do see shunted
>>>>>> policies in "ipsec status" but I still see ping packets are encrypted.
>>>>>>
>>>>>> Thank you for any help!
>>>>>> Piyush
>>>>>>
>>>>>> On Monday, May 22, 2017 at 12:19:17 PM UTC-7, Noel Kuntze wrote:
>>>>>>>
>>>>>>> Add a passthrough policy for the protocol.
>>>>>>>
>>>>>>> Am 22. Mai 2017 19:09:03 MESZ schrieb Piyush Agarwal <
>>>>>>> agarwa... at gmail.com>:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>> Reading through the left|rightsubnet, it seems like there is no way
>>>>>>>> to *exclude* a protocol from getting encrypted?
>>>>>>>>
>>>>>>>> I have a host to host tunnel and I want to encrypt everything
>>>>>>>> between these except ICMP since I'd like to do out-of-tunnel
>>>>>>>> ping/traceroute.
>>>>>>>>
>>>>>>>> Prior to using strongswan, I was using racoon where I could use
>>>>>>>> setkey to manually update the SPD to exclude icmp alone.
>>>>>>>>
>>>>>>>> Please advise if there is any way to achieve this with strongswan.
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Piyush Agarwal
>>>>>>>> Life can only be understood backwards; but it must be lived
>>>>>>>> forwards.
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Sent from mobile
>>>>>>>
>>>>>>
>>>
>>>
>>> --
>>> Piyush Agarwal
>>> Life can only be understood backwards; but it must be lived forwards.
>>>
>>
>> --
>> Sent from mobile
>>
>> --
>> You received this message because you are subscribed to a topic in the
>> Google Groups "strongswan-users" group.
>> To unsubscribe from this topic, visit https://groups.google.com/d/to
>> pic/strongswan-users/xLYdnbbn71U/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to
>> strongswan-users+unsubscribe at googlegroups.com.
>> To post to this group, send email to strongswan-users at googlegroups.com.
>> To view this discussion on the web visit https://groups.google.com/d/ms
>> gid/strongswan-users/02D99C08-5DEC-463B-AC3B-C58B570D9F5E%
>> 40familie-kuntze.de
>> <https://groups.google.com/d/msgid/strongswan-users/02D99C08-5DEC-463B-AC3B-C58B570D9F5E%40familie-kuntze.de?utm_medium=email&utm_source=footer>
>> .
>>
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
>
> --
> Piyush Agarwal
> Life can only be understood backwards; but it must be lived forwards.
>
--
Piyush Agarwal
Life can only be understood backwards; but it must be lived forwards.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170523/053eb7a5/attachment-0001.html>
More information about the Users
mailing list