<div dir="ltr">Another small step:<div>by adding the parameter:</div><div><br></div><div>ike=3des-sha1-modp1024</div><div><br></div><div>I got past to the previous problem. Now I got these logs (only relevant part is attached):</div><div><br></div><div>===================================================<br></div><div><br></div><div><div>Mon, 2017-08-07 16:33 06[CFG] added configuration 'home'</div><div>Mon, 2017-08-07 16:33 08[CFG] received stroke: initiate 'home'</div><div>Mon, 2017-08-07 16:33 08[IKE] <home|1> queueing ISAKMP_VENDOR task</div><div>Mon, 2017-08-07 16:33 08[IKE] <home|1> queueing ISAKMP_CERT_PRE task</div><div>Mon, 2017-08-07 16:33 08[IKE] <home|1> queueing MAIN_MODE task</div><div>Mon, 2017-08-07 16:33 08[IKE] <home|1> queueing ISAKMP_CERT_POST task</div><div>Mon, 2017-08-07 16:33 08[IKE] <home|1> queueing ISAKMP_NATD task</div><div>Mon, 2017-08-07 16:33 08[IKE] <home|1> queueing QUICK_MODE task</div><div>Mon, 2017-08-07 16:33 08[IKE] <home|1> activating new tasks</div><div>Mon, 2017-08-07 16:33 08[IKE] <home|1> activating ISAKMP_VENDOR task</div><div>Mon, 2017-08-07 16:33 08[IKE] <home|1> activating ISAKMP_CERT_PRE task</div><div>Mon, 2017-08-07 16:33 08[IKE] <home|1> activating MAIN_MODE task</div><div>Mon, 2017-08-07 16:33 08[IKE] <home|1> activating ISAKMP_CERT_POST task</div><div>Mon, 2017-08-07 16:33 08[IKE] <home|1> activating ISAKMP_NATD task</div><div>Mon, 2017-08-07 16:33 08[IKE] <home|1> sending XAuth vendor ID</div><div>Mon, 2017-08-07 16:33 08[IKE] <home|1> sending DPD vendor ID</div><div>Mon, 2017-08-07 16:33 08[IKE] <home|1> sending FRAGMENTATION vendor ID</div><div>Mon, 2017-08-07 16:33 08[IKE] <home|1> sending NAT-T (RFC 3947) vendor ID</div><div>Mon, 2017-08-07 16:33 08[IKE] <home|1> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID</div><div>Mon, 2017-08-07 16:33 08[IKE] <home|1> initiating Main Mode IKE_SA home[1] to CP_FW_IP_ADDRESS</div><div>Mon, 2017-08-07 16:33 08[IKE] <home|1> IKE_SA home[1] state change: CREATED => CONNECTING</div><div>Mon, 2017-08-07 16:33 08[CFG] <home|1> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_MD5_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024</div><div>Mon, 2017-08-07 16:33 08[ENC] <home|1> generating ID_PROT request 0 [ SA V V V V V ]</div><div>Mon, 2017-08-07 16:33 08[NET] <home|1> sending packet: from 192.168.1.122[500] to CP_FW_IP_ADDRESS[500] (236 bytes)</div><div>Mon, 2017-08-07 16:33 10[NET] <home|1> received packet: from CP_FW_IP_ADDRESS[500] to 192.168.1.122[500] (80 bytes)</div><div>Mon, 2017-08-07 16:33 10[ENC] <home|1> parsed ID_PROT response 0 [ SA ]</div><div>Mon, 2017-08-07 16:33 10[CFG] <home|1> selecting proposal:</div><div>Mon, 2017-08-07 16:33 10[CFG] <home|1> proposal matches</div><div>Mon, 2017-08-07 16:33 10[CFG] <home|1> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024</div><div>Mon, 2017-08-07 16:33 10[CFG] <home|1> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_MD5_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024</div><div>Mon, 2017-08-07 16:33 10[CFG] <home|1> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024</div><div>Mon, 2017-08-07 16:33 10[IKE] <home|1> reinitiating already active tasks</div><div>Mon, 2017-08-07 16:33 10[IKE] <home|1> ISAKMP_VENDOR task</div><div>Mon, 2017-08-07 16:33 10[IKE] <home|1> ISAKMP_CERT_PRE task</div><div>Mon, 2017-08-07 16:33 10[IKE] <home|1> MAIN_MODE task</div><div>Mon, 2017-08-07 16:33 10[LIB] <home|1> size of DH secret exponent: 1023 bits</div><div>Mon, 2017-08-07 16:33 10[ENC] <home|1> generating ID_PROT request 0 [ KE No ]</div><div>Mon, 2017-08-07 16:33 10[NET] <home|1> sending packet: from 192.168.1.122[500] to CP_FW_IP_ADDRESS[500] (196 bytes)</div><div>Mon, 2017-08-07 16:33 05[NET] <home|1> received packet: from CP_FW_IP_ADDRESS[500] to 192.168.1.122[500] (305 bytes)</div><div>Mon, 2017-08-07 16:33 05[ENC] <home|1> parsed ID_PROT response 0 [ KE No CERTREQ CERTREQ CERTREQ CERTREQ ]</div><div>Mon, 2017-08-07 16:33 05[IKE] <home|1> received cert request for 'O=my_ca'</div><div>Mon, 2017-08-07 16:33 05[IKE] <home|1> received cert request for unknown ca 'O=another_ca'</div><div><b>Mon, 2017-08-07 16:33 05[IKE] <home|1> ANY CERTREQ not supported - ignored</b></div><div>Mon, 2017-08-07 16:33 05[IKE] <home|1> ignoring certificate request without data</div><div>Mon, 2017-08-07 16:33 05[IKE] <home|1> reinitiating already active tasks</div><div>Mon, 2017-08-07 16:33 05[IKE] <home|1> ISAKMP_VENDOR task</div><div>Mon, 2017-08-07 16:33 05[IKE] <home|1> ISAKMP_CERT_PRE task</div><div>Mon, 2017-08-07 16:33 05[IKE] <home|1> MAIN_MODE task</div><div>Mon, 2017-08-07 16:33 05[IKE] <home|1> sending cert request for "O=my_ca"</div><div>Mon, 2017-08-07 16:33 05[IKE] <home|1> authentication of 'O=my_ca, OU=users, CN=my_name' (myself) successful</div><div>Mon, 2017-08-07 16:33 05[IKE] <home|1> sending end entity cert "O=my_ca, OU=users, CN=my_name"</div><div>Mon, 2017-08-07 16:33 05[ENC] <home|1> generating ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]</div><div>Mon, 2017-08-07 16:33 05[NET] <home|1> sending packet: from 192.168.1.122[500] to CP_FW_IP_ADDRESS[500] (956 bytes)</div><div>Mon, 2017-08-07 16:33 11[NET] <home|1> received packet: from CP_FW_IP_ADDRESS[500] to 192.168.1.122[500] (1084 bytes)</div><div>Mon, 2017-08-07 16:33 11[ENC] <home|1> parsed ID_PROT response 0 [ ID CERT SIG ]</div><div>Mon, 2017-08-07 16:33 11[IKE] <home|1> received end entity cert "O=my_ca, CN=cp_fw_certificate"</div><div>Mon, 2017-08-07 16:33 11[CFG] <home|1> certificate "O=my_ca, CN=cp_fw_certificate" key: 1024 bit RSA</div><div>Mon, 2017-08-07 16:33 11[CFG] <home|1> using trusted ca certificate "O=my_ca"</div><div><b>Mon, 2017-08-07 16:33 11[CFG] <home|1> subject certificate invalid (valid from Nov 08 09:59:53 2007 to Nov 07 09:59:53 2012)</b></div><div><b>Mon, 2017-08-07 16:33 11[CFG] <home|1> using certificate "O=my_ca, CN=cp_fw_certificate"</b></div><div>Mon, 2017-08-07 16:33 11[CFG] <home|1> certificate "O=my_ca, CN=cp_fw_certificate" key: 2048 bit RSA</div><div>Mon, 2017-08-07 16:33 11[CFG] <home|1> using trusted ca certificate "O=my_ca"</div><div>Mon, 2017-08-07 16:33 11[CFG] <home|1> checking certificate status of "O=my_ca, CN=cp_fw_certificate"</div><div>Mon, 2017-08-07 16:33 11[CFG] <home|1> ocsp check skipped, no ocsp found</div><div>Mon, 2017-08-07 16:33 11[CFG] <home|1> fetching crl from 'O=my_ca, CN=ICA_CRL4' ...</div><div>Mon, 2017-08-07 16:33 11[LIB] <home|1> unable to fetch from O=my_ca, CN=ICA_CRL4, no capable fetcher found</div><div>Mon, 2017-08-07 16:33 11[CFG] <home|1> crl fetching failed</div><div>Mon, 2017-08-07 16:33 11[CFG] <home|1> fetching crl from '<a href="http://managenetwork1:18264/ICA_CRL4.crl">http://managenetwork1:18264/ICA_CRL4.crl</a>' ...</div><div>Mon, 2017-08-07 16:33 11[LIB] <home|1> sending request to '<a href="http://managenetwork1:18264/ICA_CRL4.crl'.">http://managenetwork1:18264/ICA_CRL4.crl'.</a>..</div><div>Mon, 2017-08-07 16:33 11[LIB] <home|1> libcurl request failed [6]: Could not resolve host: managenetwork1</div><div>Mon, 2017-08-07 16:33 11[CFG] <home|1> crl fetching failed</div><div>Mon, 2017-08-07 16:33 11[CFG] <home|1> certificate status is not available</div><div>Mon, 2017-08-07 16:33 11[CFG] <home|1> certificate "O=my_ca" key: 1024 bit RSA</div><div>Mon, 2017-08-07 16:33 11[CFG] <home|1> reached self-signed root ca with a path length of 0</div><div>Mon, 2017-08-07 16:33 11[IKE] <home|1> authentication of 'CP_FW_IP_ADDRESS' with RSA_EMSA_PKCS1_NULL successful</div><div><b>Mon, 2017-08-07 16:33 11[CFG] <home|1> constraint check failed: peer not authenticated with peer cert 'O=my_ca, CN=cp_fw_certificate'</b></div><div>Mon, 2017-08-07 16:33 11[IKE] <home|1> queueing ISAKMP_DELETE task</div><div>Mon, 2017-08-07 16:33 11[IKE] <home|1> activating new tasks</div><div>Mon, 2017-08-07 16:33 11[IKE] <home|1> activating ISAKMP_DELETE task</div><div>Mon, 2017-08-07 16:33 11[IKE] <home|1> deleting IKE_SA home[1] between 192.168.1.122[O=my_ca, OU=users, CN=my_name]...CP_FW_IP_ADDRESS[CP_FW_IP_ADDRESS]</div><div>Mon, 2017-08-07 16:33 11[IKE] <home|1> sending DELETE for IKE_SA home[1]</div><div>Mon, 2017-08-07 16:33 11[IKE] <home|1> IKE_SA home[1] state change: CONNECTING => DELETING</div><div>Mon, 2017-08-07 16:33 11[ENC] <home|1> generating INFORMATIONAL_V1 request 2838696763 [ HASH D ]</div><div>Mon, 2017-08-07 16:33 11[NET] <home|1> sending packet: from 192.168.1.122[500] to CP_FW_IP_ADDRESS[500] (84 bytes)</div><div>Mon, 2017-08-07 16:33 11[IKE] <home|1> IKE_SA home[1] state change: DELETING => DESTROYING</div></div><div><br></div><div>===================================================</div><div><br></div><div>So, the problem now seems that the CP Firewall certificate is expired. I checked it with openssl I can confirm that the cert is expired. Is athere any way to skip this check and go on with the VPN?</div><div><br></div><div>Thanks.</div><div>larzeni</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 7, 2017 at 4:23 PM, Luca Arzeni <span dir="ltr"><<a href="mailto:l.arzeni@gmail.com" target="_blank">l.arzeni@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Noel,<div>thanks for your help.</div><div>I've set a Debian 9 pc, so I am now using Strongswan 5.5.1-4 as you suggested. I cannot get 5.5.3 since is not available under debian. As a bonus, now my linux kernel is 4.9.0-3.</div><div><br></div><div>This are my ipsec.conf (I followed your hints and semplified whatever I could) and charon_debug.log:</div><div><br></div><div><div class="gmail_extra">=== ipsec.conf ======================</div></div><div><br></div><div><div>config setup</div><div><span class="m_6173119039829126522gmail-Apple-tab-span" style="white-space:pre-wrap"> </span># strictcrlpolicy=yes</div><div><span class="m_6173119039829126522gmail-Apple-tab-span" style="white-space:pre-wrap"> </span># uniqueids = no</div><div><br></div><div>conn home</div><div> ikelifetime=60m</div><div> keylife=20m</div><div> rekeymargin=3m</div><div> keyingtries=1</div><div> keyexchange=ikev1</div><div><span class="m_6173119039829126522gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>#</div><div><span class="m_6173119039829126522gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>leftcert=my_crt.pem</div><div><span class="m_6173119039829126522gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>leftsourceip=192.168.145.128 # CP-known client IP</div><div><span class="m_6173119039829126522gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>leftfirewall=yes</div><div><span class="m_6173119039829126522gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>#</div><div><span class="m_6173119039829126522gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>right=CP_FW_IP</div><div><span class="m_6173119039829126522gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>rightid=CP_FW_IP</div><div><span class="m_6173119039829126522gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>rightsubnet= <a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a>, <a href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a></div><div><span class="m_6173119039829126522gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>rightcert=cp_fw_crt.pem</div><div><span class="m_6173119039829126522gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>#</div><div><span class="m_6173119039829126522gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>auto=start</div></div><div><br></div><div class="gmail_extra"><div class="gmail_extra">=== charon_debug.log =============<wbr>=========</div><div><div class="gmail_extra"><br></div><div class="gmail_extra"><div class="gmail_extra">Mon, 2017-08-07 15:57 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-3-amd64, x86_64)</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'test-vectors': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'ldap': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs11': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'aesni': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'aes': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'rc2': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'sha2': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'sha1': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'md5': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'rdrand': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] detected RDRAND support, enabled</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'random': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'nonce': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'x509': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'revocation': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'constraints': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'pubkey': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs1': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs7': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs8': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs12': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'pgp': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'dnskey': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'sshkey': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'pem': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'openssl': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'gcrypt': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'af-alg': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'fips-prf': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'gmp': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'agent': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'xcbc': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'cmac': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'hmac': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'ctr': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'ccm': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'gcm': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'curl': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'attr': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'kernel-netlink': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'resolve': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'socket-default': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'connmark': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'farp': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'stroke': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'updown': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-identity': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-aka': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-md5': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-gtc': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-mschapv2': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-radius': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-tls': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-ttls': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-tnc': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'xauth-generic': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'xauth-eap': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'xauth-pam': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'tnc-tnccs': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'dhcp': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'ha': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'lookip': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'error-notify': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'certexpire': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'led': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'addrblock': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] plugin 'unity': loaded successfully</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: PRIVKEY:DSA</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has unmet dependency: PRIVKEY:BLISS</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature CERT_DECODE:OCSP_REQUEST in plugin 'pem' has unmet dependency: CERT_DECODE:OCSP_REQUEST</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_<wbr>SHA3_224 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_224</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_<wbr>SHA3_256 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_256</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_<wbr>SHA3_384 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_384</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_<wbr>SHA3_512 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_512</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_<wbr>SHA3_224 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_224</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_<wbr>SHA3_256 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_256</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_<wbr>SHA3_384 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_384</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_<wbr>SHA3_512 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_512</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[CFG] loaded ca certificate "O=my_ca" from '/etc/ipsec.d/cacerts/ca_crt.<wbr>pem'<br></div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[CFG] loading crls from '/etc/ipsec.d/crls'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[CFG] loading secrets from '/etc/ipsec.secrets'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/my_key.<wbr>der'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[CFG] loaded 0 RADIUS server configurations</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[CFG] HA config misses local/remote address</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] feature CUSTOM:ha in plugin 'ha' failed to load</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] unloading plugin 'ha' without loaded features</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aesni aes rc2 sha2 sha1 md5 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] unable to load 13 plugin features (12 due to unmet dependencies)</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[LIB] dropped capabilities, running as uid 0, gid 0</div><div class="gmail_extra">Mon, 2017-08-07 15:57 00[JOB] spawning 16 worker threads</div><div class="gmail_extra">Mon, 2017-08-07 15:57 01[LIB] created thread 01 [2935]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 02[LIB] created thread 02 [2936]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 03[LIB] created thread 03 [2937]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 04[LIB] created thread 04 [2938]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 05[LIB] created thread 05 [2939]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 06[LIB] created thread 06 [2940]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[LIB] created thread 07 [2941]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[LIB] created thread 08 [2942]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 09[LIB] created thread 09 [2943]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 10[LIB] created thread 10 [2944]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 11[LIB] created thread 11 [2945]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 12[LIB] created thread 12 [2946]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 13[LIB] created thread 13 [2947]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 14[LIB] created thread 14 [2948]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 15[LIB] created thread 15 [2949]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 16[LIB] created thread 16 [2950]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] received stroke: add connection 'home'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] conn home</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] left=%any</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] leftsourceip=192.168.145.128</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] leftcert=my_crt.pem</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] leftupdown=ipsec _updown iptables</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] right=CP_FW_IP</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] rightsubnet=<a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a>, <a href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a></div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] rightid=CP_FW_IP</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] rightcert=cp_fw_crt.pem</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] ike=aes128-sha256-modp3072</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] esp=aes128-sha256</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] dpddelay=30</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] dpdtimeout=150</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] mediation=no</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] keyexchange=ikev1</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] loaded certificate "O=my_ca, OU=users, CN=my_name" from 'my_crt.pem'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] id '%any' not confirmed by certificate, defaulting to 'O=my_ca, OU=users, CN=my_name'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] loaded certificate "O=my_ca, OU=users, CN=cp_fw_cert" from 'cp_fw_crt.pem'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 07[CFG] added configuration 'home'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[CFG] received stroke: initiate 'home'</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing ISAKMP_VENDOR task</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing ISAKMP_CERT_PRE task</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing MAIN_MODE task</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing ISAKMP_CERT_POST task</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing ISAKMP_NATD task</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing QUICK_MODE task</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> activating new tasks</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> activating ISAKMP_VENDOR task</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> activating ISAKMP_CERT_PRE task</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> activating MAIN_MODE task</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> activating ISAKMP_CERT_POST task</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> activating ISAKMP_NATD task</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> sending XAuth vendor ID</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> sending DPD vendor ID</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> sending FRAGMENTATION vendor ID</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> sending NAT-T (RFC 3947) vendor ID</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> sending draft-ietf-ipsec-nat-t-ike-02\<wbr>n vendor ID</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> initiating Main Mode IKE_SA home[1] to CP_FW_IP</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[IKE] <home|1> IKE_SA home[1] state change: CREATED => CONNECTING</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[CFG] <home|1> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_<wbr>128/PRF_HMAC_SHA2_256/MODP_<wbr>3072, IKE:AES_CBC_128/AES_CBC_192/<wbr>AES_CBC_256/AES_CTR_128/AES_<wbr>CTR_192/AES_CTR_256/CAMELLIA_<wbr>CBC_128/CAMELLIA_CBC_192/<wbr>CAMELLIA_CBC_256/CAMELLIA_CTR_<wbr>128/CAMELLIA_CTR_192/CAMELLIA_<wbr>CTR_256/3DES_CBC/HMAC_SHA2_<wbr>256_128/HMAC_SHA2_384_192/<wbr>HMAC_SHA2_512_256/AES_XCBC_96/<wbr>AES_CMAC_96/HMAC_MD5_96/HMAC_<wbr>SHA1_96/PRF_AES128_XCBC/PRF_<wbr>AES128_CMAC/PRF_HMAC_SHA2_256/<wbr>PRF_HMAC_SHA2_384/PRF_HMAC_<wbr>SHA2_512/PRF_HMAC_MD5/PRF_<wbr>HMAC_SHA1/ECP_256/ECP_384/ECP_<wbr>521/ECP_256_BP/ECP_384_BP/ECP_<wbr>512_BP/MODP_3072/MODP_4096/<wbr>MODP_8192/MODP_2048/MODP_2048_<wbr>256/MODP_1024, IKE:AES_CCM_16_128/AES_CCM_16_<wbr>192/AES_CCM_16_256/AES_GCM_16_<wbr>128/AES_GCM_16_192/AES_GCM_16_<wbr>256/CAMELLIA_CCM_16_128/<wbr>CAMELLIA_CCM_16_192/CAMELLIA_<wbr>CCM_16_256/AES_CCM_8_128/AES_<wbr>CCM_8_192/AES_CCM_8_256/AES_<wbr>CCM_12_128/AES_CCM_12_192/AES_<wbr>CCM_12_256/AES_GCM_8_128/AES_<wbr>GCM_8_192/AES_GCM_8_256/AES_<wbr>GCM_12_128/AES_GCM_12_192/AES_<wbr>GCM_12_256/CAMELLIA_CCM_8_128/<wbr>CAMELLIA_CCM_8_192/CAMELLIA_<wbr>CCM_8_256/CAMELLIA_CCM_12_128/<wbr>CAMELLIA_CCM_12_192/CAMELLIA_<wbr>CCM_12_256/PRF_AES128_XCBC/<wbr>PRF_AES128_CMAC/PRF_HMAC_SHA2_<wbr>256/PRF_HMAC_SHA2_384/PRF_<wbr>HMAC_SHA2_512/PRF_HMAC_MD5/<wbr>PRF_HMAC_SHA1/ECP_256/ECP_384/<wbr>ECP_521/ECP_256_BP/ECP_384_BP/<wbr>ECP_512_BP/MODP_3072/MODP_<wbr>4096/MODP_8192/MODP_2048/MODP_<wbr>2048_256/MODP_1024</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[ENC] <home|1> generating ID_PROT request 0 [ SA V V V V V ]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 08[NET] <home|1> sending packet: from 192.168.1.122[500] to CP_FW_IP[500] (240 bytes)</div><div class="gmail_extra">Mon, 2017-08-07 15:57 10[NET] <home|1> received packet: from CP_FW_IP[500] to 192.168.1.122[500] (40 bytes)</div><div class="gmail_extra">Mon, 2017-08-07 15:57 10[ENC] <home|1> parsed INFORMATIONAL_V1 request 111406742 [ N(NO_PROP) ]</div><div class="gmail_extra">Mon, 2017-08-07 15:57 10[IKE] <home|1> received NO_PROPOSAL_CHOSEN error notify</div><div class="gmail_extra">Mon, 2017-08-07 15:57 10[IKE] <home|1> IKE_SA home[1] state change: CONNECTING => DESTROYING</div><div><br></div></div><div class="gmail_extra">==============================<wbr>=========</div></div><div><br></div></div><div class="gmail_extra">So now the problems seems to be that no proposal is choosen... any hint?</div><div class="gmail_extra"><br></div><div class="gmail_extra">Thanks,</div><div class="gmail_extra">larzeni</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Aug 5, 2017 at 11:20 AM, Noel Kuntze <span dir="ltr"><<a href="mailto:noel.kuntze+strongswan-users-ml@thermi.consulting" target="_blank">noel.kuntze+strongswan-users-<wbr>ml@thermi.consulting</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
On 05.08.2017 02:27, Luca Arzeni wrote:<br>
> [...]<br>
> I'm on a debian jessie 8.0, openswan 2.6.37 and I need to migrate to StrongSWAN 5.2.1<br>
You better get 5.5.3 right away. 5.2.1 is already pretty old.<br>
<br>
> [...]<br>
> ==============================<wbr>==============================<wbr>==<br>
><br>
> Now I'm trying to use StrongSWAN to setup a connection, but I'm not able to connect.<br>
> This is my StrongSWAN ipsec.conf:<br>
><br>
> ==============================<wbr>==============================<wbr>==<br>
><br>
> # ipsec.conf - strongSwan IPsec configuration file<br>
><br>
> config setup<br>
> # strictcrlpolicy=yes<br>
> # uniqueids = no<br>
> charondebug = dmn 2, mgr 2, ike 2, chd 2, job 0, cfg 2, knl 2, net 2, asn 0, enc 0, lib 0, esp 2, tls 2, tnc 2, imc 2, imv 2, pts 2<br>
Remove that. Use the logger configuration from the HelpRequests[1] page instead and pastebin us that, after you made the following changes.<br>
><br>
> conn home<br>
> ikelifetime=60m<br>
> keylife=20m<br>
> rekeymargin=3m<br>
> keyingtries=1<br>
> keyexchange=ikev1<br>
> #<br>
> left=%any<br>
Remove left. It is unnecessary.<br>
> leftcert=my_cert.pem<br>
> leftrsasigkey=%cert<br>
> leftid="my certificate subject"<br>
leftrsasigkey and leftid are unnecessary, if not counterproductive.<br>
<br>
> #leftauth=pubkey<br>
> leftfirewall=yes<br>
> #<br>
> leftsourceip=A.B.C.D # CP-known client IP (not necessarily my ip), I need to set it because I'm using also a "rightsubnets" list<br>
> leftsubnet=A.B.C.D/32 # CP-known client IP(not necessarily my ip), I need to set it because I'm using also a "rightsubnets" list<br>
Remove leftsubnet.<br>
> #<br>
> rightcert=fwncest_2012-11-07_c<wbr>ert.pem<br>
> rightrsasigkey=%cert<br>
Remove rightrsasigkey.<br>
> right=X.Y.Z.W (FW1_IP_ADDESS)<br>
> rightid=X.Y.Z.W (I cannot use FW cert or other values, I MUST use the firewall public IP)<br>
> rightsubnet= <a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">192.168.1.0/24</a> <<a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">http://192.168.1.0/24</a>>, <a href="http://192.168.2.0/24" rel="noreferrer" target="_blank">192.168.2.0/24</a> <<a href="http://192.168.2.0/24" rel="noreferrer" target="_blank">http://192.168.2.0/24</a>>, ecc...<br>
> rightcert=firewall_cert.pem<br>
> rightrsasigkey=%cert<br>
Duplicate settings. Pick one of the certs, remove rightrsasigkey anyway.<br>
> #<br>
> auto=start<br>
Careful: Charon does not try to reestablish IKE_SAs or CHILD_SAs if the remote peer deletes them. This behaves differently than openswan.<br>
<br>
> # after establishing the vpn, run these script to allow routes from my client to server behind the firevall<br>
> #<br>
> # /sbin/iptables -t nat -I POSTROUTING -d <a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">192.168.1.0/24</a> <<a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">http://192.168.1.0/24</a>> -j SNAT --to my_ip<br>
> # /sbin/iptables -t nat -I POSTROUTING -d <a href="http://192.168.2.0/24" rel="noreferrer" target="_blank">192.168.2.0/24</a> <<a href="http://192.168.2.0/24" rel="noreferrer" target="_blank">http://192.168.2.0/24</a>> -j SNAT --to my_ip<br>
><br>
> include /var/lib/strongswan/ipsec.conf<wbr>.inc<br>
Remove the include.<br>
<br>
> ==============================<wbr>==============================<wbr>===============<br>
><br>
> But this setup is not working.<br>
<br>
Provide all the information from the HelpRequests[1] page, please.<br>
<br>
Kind regards<br>
<br>
Noel<br>
<br>
[1] <a href="https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests" rel="noreferrer" target="_blank">https://wiki.strongswan.org/pr<wbr>ojects/strongswan/wiki/HelpReq<wbr>uests</a><br>
<br><span class="HOEnZb"><font color="#888888">
</font></span></blockquote></div><span class="HOEnZb"><font color="#888888"><br><br clear="all"><div><br></div>-- <br><div class="m_6173119039829126522gmail_signature"><div dir="ltr"><div><div dir="ltr"><span style="font-size:12.8px">Luca Arzeni</span></div></div></div></div>
</font></span></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><span style="font-size:12.8px">Luca Arzeni</span></div></div></div></div>
</div>