[Swan] updown script not called with mast
Paul Wouters
paul at nohats.ca
Fri Dec 12 17:44:51 EET 2014
On Fri, 12 Dec 2014, Michael Schwartzkopff wrote:
>> seems to work for me. The logs show:
>> | executing spdadd-client: 2>&1 PLUTO_MY_REF=3 PLUTO_PEER_REF=1
> It seems to work for klips. See the logs:
The logs I provided were with protostack=mast on both ends....
> But it does not work for mast protostack. The log here:
It did for me, so something else must be going on?
Possibly for transport mode, not all "verb" commands are executed?
> See the relevant parts of both logs (klips / mast) above.
>
>> Can I ask why you want to use the mast stack? It was mostly to support
>> multiple L2TP/Transport connections with NAT, and those deployments are
>> best upgraded to IPsec/XAUTH ("Cisco IPsec mode"). The only known client
>> not to support IPsec/XAUTH is Windows, for which free clients such as
>> the Shrew software client are available that support it.
>
> Yes. You hit exactly the one use case.
I guess we should really look into the current XFRM capabilities and fix
this for NETKEY. It seems those old Windows machines aren't going away
soon :(
> We have Windows OS where we cannot interfere too deeply with the client's
> computer. Especially we have to use what Windows provides and are not
> allowed to install additional software. Thanks for your help.
If these are Windows 6 (?) or higher, they could possibly use the native
IKEv2 instead?
Paul