<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000066" bgcolor="#FFFFFF">
<p>Nothing has worked. So starting over again, with another new
config, <a moz-do-not-send="true"
href="https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests">pro
forma</a>.</p>
<p>Running CentOS 7.4 with IPSec gateway as OpenStack VM, DNATted to
and SNATted from by LAN gateway. Certs only, SELinux permissive,
firewall down.</p>
The remote Android Strongswan app (initiator) is set:<br>
Server: quantum-equities.com VPN Type IKEv2
certificate<br>
User certificate: aries User Identity:
Default<br>
CA cert: Select automatically Profile name: cygnus<br>
Adv. Server ID: cygnus.darkmatter.org Send cert requests<br>
Custom subnets: 192.168.1.0/24<br>
<p><br>
</p>
<p><u>strongswan.conf:</u><br>
charon {<br>
load_modular = yes<br>
plugins {<br>
include strongswan.d/charon/*.conf<br>
}<br>
}<br>
include strongswan.d/*.conf<br>
<br>
<u>charon.conf</u></p>
<p> # Needed to avoid in journalctl "fragmented IKE message is
too large"<br>
max_packet = 30000<br>
<br>
filelog {<br>
/var/log/charon.log {<br>
time_format = %a, %Y-%m-%d %R<br>
ike_name = yes<br>
append = no<br>
default = 2<br>
flush_line = yes<br>
<br>
mgr = 0<br>
net = 1<br>
enc = 1<br>
asn = 1<br>
job = 1<br>
knl = 1<br>
}<br>
}<br>
}<br>
</p>
<p><br>
</p>
<p><u>swanctl.conf</u></p>
<p>connections {<br>
<br>
ikev2-pubkey {<br>
remote_addrs = %any<br>
local {<br>
}<br>
remote {<br>
}<br>
<br>
children {<br>
remote_ts = 192.168.1.0/24<br>
local_ts = 192.168.1.0/24<br>
local_addrs = 192.168.1.16<br>
remote_addrs = 192.168.1.5<br>
mode = transport<br>
}<br>
}<br>
}<br>
<br>
</p>
<p># swanctl -L<br>
ikev2-pubkey: IKEv1/2, no reauthentication, rekeying every 14400s<br>
local: %any<br>
remote: %any<br>
local unspecified authentication:<br>
remote unspecified authentication:<br>
# swanctl -l<br>
#</p>
<p># ip route show table all<br>
default via 192.168.1.1 dev eth0 <br>
169.254.0.0/16 dev eth0 scope link metric 1002 <br>
192.168.111.0/24 dev eth0 proto kernel scope link src 192.168.1.16
<br>
broadcast 127.0.0.0 dev lo table local proto kernel scope link src
127.0.0.1 <br>
local 127.0.0.0/8 dev lo table local proto kernel scope host src
127.0.0.1 <br>
local 127.0.0.1 dev lo table local proto kernel scope host src
127.0.0.1 <br>
broadcast 127.255.255.255 dev lo table local proto kernel scope
link src 127.0.0.1 <br>
broadcast 192.168.1.0 dev eth0 table local proto kernel scope link
src 192.168.1.16 <br>
local 192.168.1.16 dev eth0 table local proto kernel scope host
src 192.168.1.16 <br>
broadcast 192.168.1.255 dev eth0 table local proto kernel scope
link src 192.168.1.16 <br>
unreachable ::/96 dev lo metric 1024 error -113 <br>
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 <br>
unreachable 2002:a00::/24 dev lo metric 1024 error -113 <br>
unreachable 2002:7f00::/24 dev lo metric 1024 error -113 <br>
unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 <br>
unreachable 2002:ac10::/28 dev lo metric 1024 error -113 <br>
unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 <br>
unreachable 2002:e000::/19 dev lo metric 1024 error -113 <br>
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 <br>
fe80::/64 dev eth0 proto kernel metric 256 <br>
local ::1 dev lo table local proto kernel metric 0 <br>
local fe80::5054:ff:fec0:9330 dev lo table local proto kernel
metric 0 <br>
ff00::/8 dev eth0 table local metric 256<br>
</p>
<p><br>
</p>
<p># ip address<br>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state
UNKNOWN qlen 1000<br>
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br>
inet 127.0.0.1/8 scope host lo<br>
valid_lft forever preferred_lft forever<br>
inet6 ::1/128 scope host <br>
valid_lft forever preferred_lft forever<br>
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
pfifo_fast state UP qlen 1000<br>
link/ether 52:54:00:c0:93:30 brd ff:ff:ff:ff:ff:ff<br>
inet 192.168.1.16/24 brd 192.168.1.255 scope global eth0<br>
valid_lft forever preferred_lft forever<br>
inet6 fe80::5054:ff:fec0:9330/64 scope link <br>
valid_lft forever preferred_lft forever<br>
</p>
<p><br>
</p>
<p># iptables-save<br>
# Generated by iptables-save v1.4.21 on Tue Mar 27 11:19:49 2018<br>
*nat<br>
:PREROUTING ACCEPT [21:3556]<br>
:INPUT ACCEPT [21:3556]<br>
:OUTPUT ACCEPT [25:1200]<br>
:POSTROUTING ACCEPT [25:1200]<br>
COMMIT<br>
# Completed on Tue Mar 27 11:19:49 2018<br>
# Generated by iptables-save v1.4.21 on Tue Mar 27 11:19:49 2018<br>
*mangle<br>
:PREROUTING ACCEPT [195:20990]<br>
:INPUT ACCEPT [195:20990]<br>
:FORWARD ACCEPT [0:0]<br>
:OUTPUT ACCEPT [143:13859]<br>
:POSTROUTING ACCEPT [142:13775]<br>
COMMIT<br>
# Completed on Tue Mar 27 11:19:49 2018<br>
# Generated by iptables-save v1.4.21 on Tue Mar 27 11:19:49 2018<br>
*raw<br>
:PREROUTING ACCEPT [195:20990]<br>
:OUTPUT ACCEPT [142:13775]<br>
COMMIT<br>
# Completed on Tue Mar 27 11:19:49 2018<br>
# Generated by iptables-save v1.4.21 on Tue Mar 27 11:19:49 2018<br>
*filter<br>
:INPUT ACCEPT [195:20990]<br>
:FORWARD ACCEPT [0:0]<br>
:OUTPUT ACCEPT [142:13775]<br>
COMMIT<br>
# Completed on Tue Mar 27 11:19:49 2018<br>
</p>
</body>
</html>