Good evening,

Well, I am one of those problematic users. I first encountered the problems when I installed RC1 on our production environment. My problems were posted to the forum, yes, without any helpful logfiles; I did not know which would be helpful.
Then, after core66 got officially released, I tried installing again, in the hope that there wouldn't be any failures anymore. I was sure someone else would have encountered the same problems and that our problems would block core66 from release until it was fixed properly.
Okay, it has not been that way, but who could know.

Also, I am using Linux servers (which are open source) where new releases also show up from time to time, but I never found such big problems anywhere around.
If I had a test environment for Net2Net connections with IPsec in the exact same constellation as the production environment, I would be so glad. But that thingie will cost many thousand euro. I can't make my boss friends with that; he will say "just stick with the current version".
But as I know, upgrading firewall solutions is security related, so it is essential to be up to date.

If anyone could help with IPsec Net2Net, please let me know. Would be great.

After one week of failure I downgraded the main production IPFire back to core65. There is still one IPFire in production which has one Net2Net connection but no such problems!
So I could only figure out that it really depends heavily on the peer side whether you get problems or not!
There are many different manufacturers of VPN-solution hardware AND software.
My problems have been with Microsoft and Cisco peers.
On the working IPFire it is also a Cisco peer, but a different model!

Regards
Jan


2013/3/7 Bernhard Bitsch <Bernhard.Bitsch@gmx.de>
Hi Michael,

you are right in your complaints. But on the other hand, why can't those users without problems with Strongswan 5 help those with issues?
As I see it, there are ways to do VPN wrong and ways to do it right.
And we, as a community, should provide hints for the right ways.

-Bernhard

> Sent: Thursday, 07 March 2013 at 13:21
> From: "Michael Tremer" <michael.tremer@ipfire.org>
> To: development@lists.ipfire.org
> Subject: Strongswan 5 issues in IPFire 2.13
>
> Hey,
>
> when IPFire 2.13 was released, the latest version of strongswan was
> shipped with it. Apparently, some people have problems operating their
> VPN connections with it.
>
> This is a brief summary from my point of view:
>
> The first version with these changes that might cause trouble has been
> released in August 2012 with a big headline which said: Testers needed.
>
>  * http://planet.ipfire.org/post/testers-needed-strongswan-5-0-0
>  * http://lists.ipfire.org/pipermail/development/2012-August/000039.html
>
> My mail on the mailing list states:
> > It should not require any manual interaction at all. Please install
> > and give me feedback about the connection stability and the
> > interoperability with other (proprietary) implementations.
>
> It's as if someone had known...
>
> If you think we didn't have people who actually tested this, you are
> wrong. There were a lot of people and the reports I got from them were all
> like: "Yeah, this made my VPN tunnels more stable".
> Especially when the configuration of one connection has been edited, the
> other connections remained established all the time. A big advantage
> over the implementation in IPFire 2.11!
>
> Eight days before the final version of IPFire 2.13 was released, people
> started complaining. It was not a real bug report, but just a shout out
> "something went wrong, I could not be bothered, so I downgraded!". No
> technical details, no logs, nothing whatsoever.
>
> Since the release, a bunch more people complained about similar
> problems. Again, no one provided (or was willing to provide) information
> that helps to solve the problem. Nobody was even bothered to create a
> proper bug report in bugzilla.
>
> My VPN connections run for more than six months with strongswan 5 and I
> never had any problems since then.
>
> If someone really has interest in solving this, maybe it is time that
> you start the action and help the developers. This is not a project
> where you can tell people what they should do (for you). This is an Open
> Source project - so everyone is able to read the source code, check what
> changes have been made and to provide a fix.
>
> -Michael
>
> _______________________________________________
> Development mailing list
> Development@lists.ipfire.org
> http://lists.ipfire.org/mailman/listinfo/development
>