<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000066" bgcolor="#FFFFFF">
Trying again, a month and a half and counting, back to the simpler
swanctl config, <a moz-do-not-send="true"
href="https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests">pro
forma</a>:<br>
<br>
Anyone know why CentOS 7.4 with kernel 4.13.0-1.el7.elrepo.x86_64
makes an:<br>
<pre><font color="#3333ff">ipsec0: flags=4305&lt;UP,POINTOPOINT,RUNNING,NOARP,MULTICAST&gt;  mtu 1400
        inet6 fe80::8ad2:285b:b89d:44ea  prefixlen 64  scopeid 0x20&lt;link&gt;
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0</font></pre>
... interface, when ipsec tunnels were supposed to have gone out
years ago? Could some of my traffic be getting diverted here?
Should this be set up in the firewall?<br>
<br>
Anyone know why Strongswan seems to consider this the correct
location for CA certs:<br>
<font color="#3333ff">Mar 23 10:40:35 cygnus.darkmatter.org
charon-systemd[41093]: loading ca certificates from</font> '<font
color="#990000">/etc/strongswan/ipsec.d/cacerts</font>'<br>
... rather than:<br>
<font color="#3333ff">Mar 23 10:40:35 cygnus.darkmatter.org
charon-systemd[41093]: loaded certificate 'C=US, O=Quantum,
CN=quantum-equities.com CA'<br>
Mar 23 10:40:35 cygnus.darkmatter.org charon-systemd[41093]:
11[CFG] loaded certificate 'C=US, O=Quantum,
CN=quantum-equities.com CA'<br>
Mar 23 10:40:36 cygnus.darkmatter.org swanctl[41112]: loaded
certificate from '/etc/strongswan/swanctl/x509ca/aries-CAcert.pem'</font><br>
<br>
Anyone know why the phone is making four consecutive attempts, with
no response from the daemon?<br>
<br>
<br>
Attached hereto: charon.log and iptables-save. SELinux is
Permissive, and no firewall on the IPSec gateway. No change.<br>
<br>
-------------------------------------------------------------------------------------------------------<br>
<br>
<u>strongswan.conf:</u>
<pre>charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf</pre>
<br>
<u>charon.conf</u>
<pre>charon {

    # two defined file loggers
    filelog {
        /var/log/charon.log {
            time_format = %a, %Y-%m-%d %R
            ike_name = yes
            append = no
            default = 2
            flush_line = yes
        }
        stderr {
            mgr = 0
            net = 1
            enc = 1
            asn = 1
            job = 1
            knl = 1
        }
    }</pre>
<br>
<br>
<u>swanctl.conf:</u>
<pre>connections {
    ikev2-pubkey {
        version = 2
        rekey_time = 0s
        local {
            id = quantum-equities.com
            id = cygnus.darkmatter.org
        }
        remote {
            # defaults are fine.
        }
        children {
            ikev2-pubkey {
                local_ts = %any
                remote_ts = %any
                mode = transport
            }
        }
    }
}</pre>
<br>
<br>
<br>
<pre># swanctl -L
ikev2-pubkey: IKEv2, no reauthentication, no rekeying
  local:  %any
  remote: %any
  local unspecified authentication:
    id: cygnus.darkmatter.org
  remote unspecified authentication:
  ikev2-pubkey: TRANSPORT, rekeying every 3600s
    local:  0.0.0.0/32
    remote: 0.0.0.0/32
# swanctl -l
#</pre>
<br>
<br>
<pre># ip route show table all
default via 192.168.1.1 dev eth0
169.254.0.0/16 dev eth0 scope link metric 1002
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.16
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev eth0 table local proto kernel scope link src 192.168.1.16
local 192.168.1.16 dev eth0 table local proto kernel scope host src 192.168.1.16
broadcast 192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.16
unreachable ::/96 dev lo metric 1024 error -113
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113
unreachable 2002:a00::/24 dev lo metric 1024 error -113
unreachable 2002:7f00::/24 dev lo metric 1024 error -113
unreachable 2002:a9fe::/32 dev lo metric 1024 error -113
unreachable 2002:ac10::/28 dev lo metric 1024 error -113
unreachable 2002:c0a8::/32 dev lo metric 1024 error -113
unreachable 2002:e000::/19 dev lo metric 1024 error -113
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev ipsec0 proto kernel metric 256
local ::1 dev lo table local proto kernel metric 0
local fe80::5054:ff:fec0:9330 dev lo table local proto kernel metric 0
local fe80::8ad2:285b:b89d:44ea dev lo table local proto kernel metric 0
ff00::/8 dev eth0 table local metric 256
ff00::/8 dev ipsec0 table local metric 256</pre>
<br>
<br>
<pre># ip address
1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:c0:93:30 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.16/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fec0:9330/64 scope link
       valid_lft forever preferred_lft forever
58: ipsec0: &lt;POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP&gt; mtu 1400 qdisc pfifo_fast state UNKNOWN qlen 500
    link/none
    inet6 fe80::8ad2:285b:b89d:44ea/64 scope link flags 800
       valid_lft forever preferred_lft forever</pre>
<br>
<br>
<br>
<br>
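Added example, not code from the post or from strongSwan: a small Python parser for the nested <code>section { key = value }</code> syntax that swanctl.conf and strongswan.conf share, run over the swanctl.conf pasted above. It flags a key assigned twice inside one section, which is what the post's <code>local</code> block does with <code>id</code> (the <code>swanctl -L</code> output lists only the second value), and it rejects input whose braces do not balance, as the charon.conf block as pasted does (four sections opened, three closed).<br>

```python
import re
# Added example, not strongSwan code: parse swanctl.conf's nested `section { key = value }`
# syntax and flag keys set twice in one section (the later value wins, as `swanctl -L` shows).
SECTION_RE = re.compile(r"^([\w.\-/*]+)\s*\{$")
ASSIGN_RE = re.compile(r"^([\w.\-]+)\s*=\s*(.*)$")

# Constructed sample: the swanctl.conf from the post, indentation restored.
SAMPLE = """connections {
    ikev2-pubkey {
        version = 2
        rekey_time = 0s
        local {
            id = quantum-equities.com
            id = cygnus.darkmatter.org
        }
        remote {
            # defaults are fine.
        }
        children {
            ikev2-pubkey {
                local_ts = %any
                remote_ts = %any
                mode = transport
            }
        }
    }
}
"""

def parse_swanctl(text):
    """Return (tree, warnings); raise ValueError on unparsable or unbalanced input."""
    stack, warnings = [("", {})], []     # stack of (section path, dict)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("include "):  # includes are not followed
            continue
        path, cur = stack[-1]
        if line == "}" and path:                     # close the current section
            stack.pop()
        elif m := SECTION_RE.match(line):            # open a subsection
            stack.append((f"{path}/{m[1]}", cur.setdefault(m[1], {})))
        elif m := ASSIGN_RE.match(line):             # key = value
            key, value = m[1], m[2].strip()
            if key in cur:
                warnings.append(f"line {lineno}: {path}/{key} set again: "
                                f"'{cur[key]}' -> '{value}' (last one wins)")
            cur[key] = value
        else:                                        # also catches a stray '}'
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) > 1:
        raise ValueError(f"unterminated section {stack[-1][0]}")
    return stack[0][1], warnings
```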
</body>
</html>