views:

8

answers:

0

Hi, I am trying to set up an IPsec tunnel between two Linux boxes (Arch Linux) with strongSwan 4.4, but I get errors on both machines that I couldn't solve.


moon:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # plutodebug=all
        crlcheckinterval=180
        strictcrlpolicy=no
        # cachecrls=yes
        # nat_traversal=yes
        # charonstart=no
        plutostart=no

# Add connections here.

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        #ike=aes128-sha256-modp2048!
        #esp=aes128-sha256-modp2048!
        left=147.87.107.20
        leftsubnet=10.1.0.0/16
        leftcert=moonCert.pem
        leftid="C=CH,O=BFH, CN=gad"
        leftfirewall=yes

conn rw
        right=%any
        rightsourceip=%dhcp
        auto=add

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA moonKey.pem "mypassword"


carol:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # plutodebug=all
        crlcheckinterval=180
        strictcrlpolicy=no
        # cachecrls=yes
        # nat_traversal=yes
        # charonstart=no
        plutostart=no

# Add connections here.

# Sample VPN connections

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        #ike=aes128-sha256-modp2048!
        #esp=aes128-sha256-modp2048!

conn home
        left=147.87.107.19
        leftsourceip=%config
        leftcert=carolCert.pem
        leftid="C=CH, O=BFH, CN=carol"
        leftfirewall=yes
        right=147.87.107.20
        rightsubnet=10.1.0.0/16
        rightid="C=CH, O=BFH, CN=gad"
        auto=add

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA carolKey.pem "mypassword"


moon error:

[root@moon ~]# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 4.4.0 IPsec [starter]...
[root@moon ~]# ipsec up rw
unable to initiate to %any

carol error:

[root@carol log]# cat /etc/ipsec.secrets

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA carolKey.pem "daniel"
[root@carol log]# ^C
[root@carol log]# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 4.4.0 IPsec [starter]...
[root@carol log]# ipsec up home
initiating IKE_SA home[1] to 147.87.107.20
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 147.87.107.19[500] to 147.87.107.20[500]
received packet: from 147.87.107.20[500] to 147.87.107.19[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "C=CH, ST=Bern, L=Biel, O=BFH, OU=SEL, CN=gad, [email protected]"
sending cert request for "C=CH, ST=Bern, L=Biel, O=BFH, OU=SEL, CN=gad, [email protected]"
no private key found for 'C=CH, ST=Bern, O=BFH, OU=SEL, CN=carol, [email protected]'
[root@carol log]#

Thank you for your help!

cheers

Daniel
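An added check, not part of Daniel's post and not strongSwan's own code: the post's ipsec.conf files carry short identities (leftid="C=CH,O=BFH, CN=gad", rightid="C=CH, O=BFH, CN=gad", leftid="C=CH, O=BFH, CN=carol") while the charon log prints much longer subject DNs for the same certificates. To my knowledge strongSwan treats an ID string containing "=" as an X.500 DN and compares identities as whole DNs (only a "*" wildcard RDN is special), so a DN that lists only some of the certificate's RDNs is a different identity from the subject DN, not a prefix match. The script below parses both strings RDN by RDN and reports exactly which RDNs are on one side only, which is the first thing worth ruling out before looking at key material. The sample DNs are copied from the post; the E= (email) attribute is left out because the post redacts it, and the function and variable names are mine.

```python
"""
DN consistency check for strongSwan identities (added example, not from
the original post or from strongSwan).

strongSwan treats an ID string containing '=' as an X.500 DN and matches
identities as whole DNs, not as a subset of RDNs, so a shortened leftid
such as "C=CH,O=BFH, CN=gad" is a different identity from the subject DN
that charon logged. This script parses both and reports which RDNs differ.
"""

# Constructed sample inputs copied from the post. The E= (email) attribute
# is omitted because the post redacts it.
MOON_LEFTID = 'C=CH,O=BFH, CN=gad'
MOON_CERT_SUBJECT = 'C=CH, ST=Bern, L=Biel, O=BFH, OU=SEL, CN=gad'
CAROL_LEFTID = 'C=CH, O=BFH, CN=carol'
CAROL_CERT_SUBJECT = 'C=CH, ST=Bern, O=BFH, OU=SEL, CN=carol'


def parse_dn(dn):
    """Split a textual DN into an ordered list of (attribute, value) tuples.

    RDNs are comma-separated; whitespace around an RDN and around '=' is
    ignored, so 'C=CH,O=BFH' and 'C=CH, O=BFH' parse identically. Attribute
    types are upper-cased ('cn' -> 'CN'); values are kept verbatim, since a
    case-folding comparison could hide a real mismatch.
    """
    rdns = []
    for part in dn.split(','):
        part = part.strip()
        if not part:
            continue
        if '=' not in part:
            raise ValueError(f"RDN without '=': {part!r}")
        attr, value = part.split('=', 1)
        rdns.append((attr.strip().upper(), value.strip()))
    if not rdns:
        raise ValueError('empty DN')
    return rdns


def is_subsequence(short, long_):
    """True if every element of `short` occurs in `long_` in the same order."""
    it = iter(long_)
    return all(any(x == y for y in it) for x in short)


def compare_ids(configured_id, cert_subject):
    """Relate the ID from ipsec.conf to the subject DN of the certificate.

    'exact' is what a whole-DN comparison yields; 'subset' tells whether the
    configured DN is merely an ordered subset of the certificate's (the
    usual shape of a hand-typed, shortened leftid); the two lists name the
    RDNs that appear on one side only.
    """
    want = parse_dn(configured_id)
    have = parse_dn(cert_subject)
    missing_from_cert = [r for r in want if r not in have]
    only_in_cert = [r for r in have if r not in want]
    return {
        'exact': want == have,
        'subset': not missing_from_cert and is_subsequence(want, have),
        'missing_from_cert': missing_from_cert,
        'only_in_cert': only_in_cert,
    }


def describe(label, configured_id, cert_subject):
    """Human-readable verdict for one peer; returned rather than printed."""
    r = compare_ids(configured_id, cert_subject)
    if r['exact']:
        return f'{label}: configured ID equals certificate subject'
    lines = [f'{label}: configured ID does NOT equal certificate subject']
    if r['missing_from_cert']:
        lines.append('  configured but absent from cert: '
                     + ', '.join(f'{a}={v}' for a, v in r['missing_from_cert']))
    if r['only_in_cert']:
        lines.append('  in cert but not configured:      '
                     + ', '.join(f'{a}={v}' for a, v in r['only_in_cert']))
    if r['subset']:
        lines.append('  (configured DN is an ordered subset of the subject DN)')
    return '\n'.join(lines)


if __name__ == '__main__':
    print(describe('moon', MOON_LEFTID, MOON_CERT_SUBJECT))
    print(describe('carol', CAROL_LEFTID, CAROL_CERT_SUBJECT))
```

Run it as-is to see the verdict for both peers from the post; to check a live box, paste the subject DN that charon logs (or `openssl x509 -noout -subject -in moonCert.pem`) and the leftid from ipsec.conf in place of the constants. The script only compares identities; it says nothing about whether the private key in ipsec.secrets belongs to the certificate, which is a separate check.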