<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000066" bgcolor="#FFFFFF">
    So using "Usable Examples", exactly as prescribed:<br>
    <br>
<pre>connections {
        # Roadwarrior Responder: <a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples">https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples</a>

        ikev2-pubkey {
                version = 2
                proposals = aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
                rekey_time = 0s
                pools = primary-pool-ipv4, primary-pool-ipv6
                fragmentation = yes
                dpd_delay = 30s
                # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used.
                local-1 {
                        certs = cygnus-Cert.pem
                        id = cygnus.darkmatter.org
                }
                remote-1 {
                        # defaults are fine.
                }
                children {
                        ikev2-pubkey {
                                local_ts = 0.0.0.0/0,::/0
                                rekey_time = 0s
                                dpd_action = clear
                                esp_proposals = aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
                        }
                }
        }
}
</pre>
<p># systemctl restart strongswan-swanctl</p>
<p>{Fail}</p>
<p># journalctl</p>
<pre>loading connection 'ikev2-pubkey' <font color="#cc0000">failed: invalid value for: proposals, config discarded</font>
</pre>
<p># cat /var/log/charon.log</p>
<pre><font color="#cc0000">Tue, 2018-03-27 15:13 15[CFG] classic and combined-mode (AEAD) encryption algorithms can't be contained in the same IKE proposal</font>
</pre>
    <p>So the docs are wrong.</p>
    <p>From
      <a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf">https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf</a><br>
    </p>
<p>connections.&lt;conn&gt;.proposals</p>
    <table>
      <tbody>
        <tr>
          <td class="wiki-class-level3"><br>
          </td>
          <td>default</td>
        </tr>
        <tr>
          <td style="padding-left:2em;" colspan="2">A proposal is a set
            of algorithms. For non-AEAD algorithms, this includes for
            IKE an encryption algorithm, an integrity algorithm, a
            pseudo random function and a Diffie-Hellman group. For AEAD
            algorithms, instead of encryption and integrity algorithms,
            a combined algorithm is used.<br>
            In IKEv2, multiple algorithms of the same kind can be
            specified in a single proposal, from which one gets
            selected. In IKEv1, only one algorithm per kind is allowed
            per proposal, more algorithms get implicitly stripped. Use
            multiple proposals to offer different algorithms
            combinations in IKEv1.<br>
            Algorithm keywords get separated using dashes. Multiple
            proposals may be separated by commas. The special value <em>default</em>
            forms a default proposal of supported algorithms considered
            safe, and is usually a good choice for interoperability.</td>
        </tr>
      </tbody>
    </table>
    <br>
    Ok I do not see what the goddamn problem is with this prescribed
    config, but let's comment out proposals.<br>
    <br>
<pre>connections {

        # Roadwarrior Responder: <a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples">https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples</a>

        ikev2-pubkey {
                version = 2
        #       proposals = aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
                rekey_time = 0s
                pools = primary-pool-ipv4, primary-pool-ipv6
                fragmentation = yes
                dpd_delay = 30s
                # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used.
                local-1 {
                        certs = zeta-Cert.pem
                        id = zeta.darkmtter.org
                }
                remote-1 {
                        # defaults are fine.
                }
                children {
                        ikev2-pubkey {
                                local_ts = 0.0.0.0/0,::/0
                                rekey_time = 0s
                                dpd_action = clear
                                esp_proposals = aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
                        }
                }
        }
}
</pre>
    <br>
<p># systemctl restart strongswan-swanctl</p>
<p>{Fail}</p>
<p># journalctl</p>
<pre>Mar 27 15:20:30 zeta.darkmtter.org swanctl[64348]: loading connection 'ikev2-pubkey' <font color="#cc0000">failed: invalid value for: esp_proposals, config discarded</font>
</pre>
<p># cat /var/log/charon.log</p>
<pre>Tue, 2018-03-27 15:20 16[CFG] <font color="#cc0000">classic and combined-mode (AEAD) encryption algorithms can't be contained in the same ESP proposal</font>
</pre>
    Well this is bad.<br>
    <p>From
      <a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf">https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf</a><br>
    </p>
<p>connections.&lt;conn&gt;.children.&lt;child&gt;.ah_proposals</p>
    <table>
      <tbody>
        <tr>
          <td class="wiki-class-level3"><br>
          </td>
          <td><br>
          </td>
        </tr>
        <tr>
          <td style="padding-left:2em;" colspan="2">AH proposals to
            offer for the CHILD_SA. A proposal is a set of algorithms.
            For AH, this includes an integrity algorithm and an optional
            Diffie-Hellman group. If a DH group is specified,
            CHILD_SA/Quick Mode rekeying and initial negotiation uses a
            separate Diffie-Hellman exchange using the specified group
            (refer to <em>esp_proposals</em> for details).<br>
            In IKEv2, multiple algorithms of the same kind can be
            specified in a single proposal, from which one gets
            selected. In IKEv1, only one algorithm per kind is allowed
            per proposal, more algorithms get implicitly stripped. Use
            multiple proposals to offer different algorithms
            combinations in IKEv1.<br>
            Algorithm keywords get separated using dashes. Multiple
            proposals may be separated by commas. The special value <em>default</em>
            forms a default proposal of supported algorithms considered
            safe, and is usually a good choice for interoperability. By
            default no AH proposals are included, instead ESP is
            proposed.</td>
        </tr>
      </tbody>
    </table>
    <br>
    Why doesn't this work either?  Whatever, comment it out.<br>
    <br>
    The daemon now starts.  But looking at the initiator recommendation
    from here: 
    <a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples">https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples</a><br>
    ... they do not have an ikev2-pubkey, which would correspond with
    the responder recommended configuration, for my remote mailserver. 
    But synthesizing from the next closest thing:<br>
    <br>
<pre>connections {
        ikev2-pubkey {
                version = 2
                remote_addrs = quantum-equities.com
                vips = 0.0.0.0, ::
                local-1 {
                        certs = hydrus-Cert.pem
                        id = mail.quantum-equities.com
                }
                remote-1 {
                        # The following settings depend on if you've got the CA that issued the
                        # responder's certificate or just the certificate.
                        # if you've got the CA certificate, put it into /etc/swanctl.d/cacerts/. Also
                        # read the notes in the beginning of the page about certificates.
                        rightca="aries.darkmatter.org"
                        # if you've only got the responder's certificate
                        #  certs = thisisthepathtothecertificate
                        # if the remote peer sends a wrong ID, set that wrong ID here or make them fix it.
                        # id = remoteIDGoesHere
                }
                children {
                        remote_ts = 0.0.0.0/0,::/0
                }
        }
}
</pre>
    <br>
    <br>
    Restarting the daemon on the initiator shows no indication in the
    responder that any attempt has been made to connect from anyone.<br>
    <br>
<pre>Tue, 2018-03-27 15:26 11[CFG] vici client 1 requests: load-key
Tue, 2018-03-27 15:26 11[CFG] loaded ANY private key
Tue, 2018-03-27 15:26 15[CFG] vici client 1 requests: get-authorities
Tue, 2018-03-27 15:26 07[CFG] vici client 1 requests: get-pools
Tue, 2018-03-27 15:26 12[CFG] vici client 1 requests: get-conns
Tue, 2018-03-27 15:26 15[CFG] vici client 1 requests: load-conn
Tue, 2018-03-27 15:26 15[CFG]  conn ikev2-pubkey:
Tue, 2018-03-27 15:26 15[CFG]   child ikev2-pubkey:
Tue, 2018-03-27 15:26 15[CFG]    rekey_time = 0
Tue, 2018-03-27 15:26 15[CFG]    life_time = 0
Tue, 2018-03-27 15:26 15[CFG]    rand_time = 0
Tue, 2018-03-27 15:26 15[CFG]    rekey_bytes = 0
Tue, 2018-03-27 15:26 15[CFG]    life_bytes = 0
Tue, 2018-03-27 15:26 15[CFG]    rand_bytes = 0
Tue, 2018-03-27 15:26 15[CFG]    rekey_packets = 0
Tue, 2018-03-27 15:26 15[CFG]    life_packets = 0
Tue, 2018-03-27 15:26 15[CFG]    rand_packets = 0
Tue, 2018-03-27 15:26 15[CFG]    updown = (null)
Tue, 2018-03-27 15:26 15[CFG]    hostaccess = 0
Tue, 2018-03-27 15:26 15[CFG]    ipcomp = 0
Tue, 2018-03-27 15:26 15[CFG]    mode = TUNNEL
Tue, 2018-03-27 15:26 15[CFG]    policies = 1
Tue, 2018-03-27 15:26 15[CFG]    policies_fwd_out = 0
Tue, 2018-03-27 15:26 15[CFG]    dpd_action = clear
Tue, 2018-03-27 15:26 15[CFG]    start_action = clear
Tue, 2018-03-27 15:26 15[CFG]    close_action = clear
Tue, 2018-03-27 15:26 15[CFG]    reqid = 0
Tue, 2018-03-27 15:26 15[CFG]    tfc = 0
Tue, 2018-03-27 15:26 15[CFG]    priority = 0
Tue, 2018-03-27 15:26 15[CFG]    interface = (null)
Tue, 2018-03-27 15:26 15[CFG]    mark_in = 0/0
Tue, 2018-03-27 15:26 15[CFG]    mark_out = 0/0
Tue, 2018-03-27 15:26 15[CFG]    inactivity = 0
Tue, 2018-03-27 15:26 15[CFG]    proposals = ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Tue, 2018-03-27 15:26 15[CFG]    local_ts = 0.0.0.0/0 ::/0
Tue, 2018-03-27 15:26 15[CFG]    remote_ts = dynamic
Tue, 2018-03-27 15:26 15[CFG]    hw_offload = 0
Tue, 2018-03-27 15:26 15[CFG]    sha256_96 = 0
Tue, 2018-03-27 15:26 15[CFG]   version = 2
Tue, 2018-03-27 15:26 15[CFG]   local_addrs = %any
Tue, 2018-03-27 15:26 15[CFG]   remote_addrs = %any
Tue, 2018-03-27 15:26 15[CFG]   local_port = 500
Tue, 2018-03-27 15:26 15[CFG]   remote_port = 500
Tue, 2018-03-27 15:26 15[CFG]   send_certreq = 1
Tue, 2018-03-27 15:26 15[CFG]   send_cert = CERT_SEND_IF_ASKED
Tue, 2018-03-27 15:26 15[CFG]   mobike = 1
Tue, 2018-03-27 15:26 15[CFG]   aggressive = 0
Tue, 2018-03-27 15:26 15[CFG]   dscp = 0x00
Tue, 2018-03-27 15:26 15[CFG]   encap = 0
Tue, 2018-03-27 15:26 15[CFG]   dpd_delay = 30
Tue, 2018-03-27 15:26 15[CFG]   dpd_timeout = 0
Tue, 2018-03-27 15:26 15[CFG]   fragmentation = 2
Tue, 2018-03-27 15:26 15[CFG]   unique = UNIQUE_NO
Tue, 2018-03-27 15:26 15[CFG]   keyingtries = 1
Tue, 2018-03-27 15:26 15[CFG]   reauth_time = 0
Tue, 2018-03-27 15:26 15[CFG]   rekey_time = 0
Tue, 2018-03-27 15:26 15[CFG]   over_time = 0
Tue, 2018-03-27 15:26 15[CFG]   rand_time = 0
Tue, 2018-03-27 15:26 15[CFG]   proposals = IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_1024
Tue, 2018-03-27 15:26 15[CFG]   local:
Tue, 2018-03-27 15:26 15[CFG]    id = cygnus.darkmatter.org
Tue, 2018-03-27 15:26 15[CFG]   remote:
Tue, 2018-03-27 15:26 15[CFG] added vici connection: ikev2-pubkey
Tue, 2018-03-27 15:26 07[CFG] vici client 1 disconnected
</pre>
    <br>
    <br>
So long story short, the reason that no one can get swanctl actually
working is that the docs are chaotic and busted.  I say again:  the
docs and examples do not work for swanctl.  Docs are supposed to
make it possible to get something to function, without the
destructive condescension of frustrated functionaries with low
self-esteem.  But apparently some like it this way.<br>
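<p>Editor's note, added to this message and not part of the original post or of strongSwan's own code: the two charon.log lines quoted above both point at the same thing, a single dash-separated proposal that names an AEAD cipher (<code>aes192gcm16</code>, <code>aes128gcm16</code>) next to a classic cipher (<code>aes192</code>). The checker below parses a <code>proposals</code> / <code>esp_proposals</code> value from swanctl.conf, reports that mixing per proposal, and shows how the same keywords split into two comma-separated proposals that keep the PRF and DH keywords. The keyword classification is my own approximation of the strongSwan keyword table (assumption, not the daemon's parser); the rule that a non-AEAD proposal needs an integrity algorithm follows the Swanctlconf text quoted above, and the rule that an AEAD IKE proposal must name its PRF explicitly is my stated assumption, since there is no integrity algorithm to derive one from.</p>

```python
"""Lint swanctl.conf proposal strings for the AEAD/classic mixing error shown in this thread.
Added example: the keyword regexes are an approximation for illustration, not strongSwan's table."""
import re

# Keyword classes for the proposal keywords used in this thread (assumed approximation).
KEYWORD_CLASSES = [
    ("aead",   re.compile(r"^(aes|camellia)\d{3}(gcm|ccm)(8|12|16)$|^chacha20poly1305$")),
    ("cipher", re.compile(r"^(aes|camellia)\d{3}(ctr)?$|^3des$|^blowfish\d{3}$|^null$")),
    ("integ",  re.compile(r"^(sha1|sha256|sha384|sha512|md5|aesxcbc|aescmac)(_\d+)?$")),
    ("prf",    re.compile(r"^prf(sha1|sha256|sha384|sha512|md5|aesxcbc|aescmac)$")),
    ("dh",     re.compile(r"^(modp\d{3,4}|ecp\d{3}(bp)?|curve25519|x25519)$")),
]

# The two values from the responder config quoted earlier in this message.
IKE_FROM_POST = "aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default"
ESP_FROM_POST = "aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default"


def classify(keyword):
    """Return the class of one dash-separated proposal keyword, or 'unknown'."""
    for name, pattern in KEYWORD_CLASSES:
        if pattern.match(keyword):
            return name
    return "unknown"


def lint_proposals(value, proto):
    """Check a comma-separated proposals value for the problems a swanctl load would reject.

    proto is "ike" or "esp". Returns a list of (proposal, problem) pairs; empty means clean.
    """
    findings = []
    for proposal in value.split(","):
        proposal = proposal.strip()
        if proposal == "default":           # special value, always a single valid proposal
            continue
        keywords = proposal.split("-")
        classes = [classify(k) for k in keywords]
        unknown = [k for k, c in zip(keywords, classes) if c == "unknown"]
        if unknown:
            findings.append((proposal, "unknown keyword(s): " + ",".join(unknown)))
            continue
        if "aead" in classes and "cipher" in classes:
            # This is the condition behind "classic and combined-mode (AEAD) encryption
            # algorithms can't be contained in the same IKE/ESP proposal" in charon.log.
            findings.append((proposal, "classic and AEAD encryption algorithms in the same proposal"))
        elif "cipher" in classes and "integ" not in classes:
            # Non-AEAD proposals consist of encryption plus integrity (Swanctlconf quote above).
            findings.append((proposal, "classic cipher without an integrity algorithm"))
        elif proto == "ike" and "aead" in classes and "prf" not in classes:
            # Assumption: without an integrity algorithm there is nothing to derive a PRF from.
            findings.append((proposal, "AEAD IKE proposal without an explicit PRF"))
    return findings


def split_mixed(value):
    """Rewrite each mixed proposal as two proposals, one AEAD and one classic.

    The AEAD half keeps the PRF and DH keywords; the classic half keeps integrity, PRF and DH.
    Proposals that are not mixed pass through unchanged, and keyword order is preserved.
    """
    out = []
    for proposal in value.split(","):
        proposal = proposal.strip()
        keywords = proposal.split("-")
        classes = [classify(k) for k in keywords]
        if "aead" in classes and "cipher" in classes:
            aead_half = [k for k, c in zip(keywords, classes) if c in ("aead", "prf", "dh")]
            classic_half = [k for k, c in zip(keywords, classes) if c in ("cipher", "integ", "prf", "dh")]
            out.append("-".join(aead_half))
            out.append("-".join(classic_half))
        else:
            out.append(proposal)
    return ",".join(out)


if __name__ == "__main__":
    for proto, value in (("ike", IKE_FROM_POST), ("esp", ESP_FROM_POST)):
        print(proto, "as posted:", lint_proposals(value, proto))
        fixed = split_mixed(value)
        print(proto, "split:    ", fixed)
        # The classic half still lacks an integrity keyword, so a second pass reports that.
        print(proto, "remaining:", lint_proposals(fixed, proto))
```

<p>Running it on the two values from the post reports the mixed first proposal in each, and after the split it reports that the classic half (<code>aes192-prfsha256-ecp256-ecp521</code> for IKE, <code>aes192-ecp256</code> for ESP) still has no integrity algorithm, which is the second thing to add before the config is worth loading again.</p>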
  </body>
</html>