[strongSwan] config which worked with 4.3.2 does not work with 4.4.0

Wolfgang Walter wolfgang.walter at stwm.de
Tue Jul 6 13:45:06 CEST 2010


Hello,

I have two hosts which are connected via IPsec (transport mode). The setup 
does not work anymore with strongSwan 4.4.0 (Debian package version 4.4.0-2 
from unstable).

I see that both hosts are sending IKEv2 messages to establish a connection, but 
they seem to ignore any packet they receive from the other side; they do not 
even log an error.

I use RSA authentication where the public key is stored in a self-signed 
certificate.

/etc/ipsec.conf is:

=============================================
config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        charonstart=yes
        plutostart=no



conn hummel_biene
        auto=start
        type=transport
        left=10.10.10.2
        leftrsasigkey=%cert
        leftcert=hummelCert.der
        leftfirewall=yes
        right=10.10.10.1
        rightrsasigkey=%cert
        rightcert=bieneCert.der
        rightfirewall=yes
        keyexchange=ikev2
        ike=aes128-sha-modp1536!
        esp=aes128-sha1!
=============================================

/etc/ipsec.secrets on hummel is

=============================================
: RSA /etc/ipsec.d/private/hummelKey.der
=============================================

and on biene

=============================================
: RSA /etc/ipsec.d/private/bieneKey.der
=============================================

The (self-signed) certs are in /etc/ipsec.d/certs/hummelCert.der 
and /etc/ipsec.d/certs/bieneCert.der

strongswan.conf is

=============================================
# strongswan.conf - strongSwan configuration file

charon {

        # number of worker threads in charon
        threads = 16

        # plugins to load in charon
        # load = aes des sha1 md5 sha2 hmac gmp random pubkey xcbc x509 stroke

        plugins {

                sql {
                        # loglevel to log into sql database
                        loglevel = -1

                        # URI to the database
                        # database = sqlite:///path/to/file.db
                        # database = mysql://user:password@localhost/database
                }
        }

        # ...
}

pluto {

        # plugins to load in pluto
        # load = aes des sha1 md5 sha2 hmac gmp random pubkey

}

libstrongswan {

        #  set to no, the DH exponent size is optimized
        #  dh_exponent_ansi_x9_42 = no
}

=============================================


Regards,
-- 
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts
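As an added diagnostic (not part of the original post or of strongSwan itself): with `leftrsasigkey=%cert` and a bare `: RSA key.der` line in ipsec.secrets, each peer must be able to pair the private key from ipsec.secrets with the DER certificate named by leftcert/rightcert. The script below checks that pairing by comparing RSA moduli with openssl, which is the first thing worth confirming on both hosts before digging into the daemon. The production paths (/etc/ipsec.d/certs/hummelCert.der, /etc/ipsec.d/private/hummelKey.der) are taken from the post; the throwaway key pairs the script generates are constructed test material so it runs offline.

```shell
#!/bin/sh
# Added diagnostic, not code from the original post: verify that an RSA
# private key (as named in ipsec.secrets) and a DER certificate (as named by
# leftcert/rightcert) belong together, by comparing their RSA moduli.
# The hummel/biene names mirror the post; the key material made by
# make_pair is constructed here for testing only.
set -eu

# key_matches_cert CERT.der KEY.der
# Returns 0 when the certificate's RSA modulus equals the private key's.
key_matches_cert() {
    cert_mod=$(openssl x509 -inform der -in "$1" -noout -modulus)
    key_mod=$(openssl rsa -inform der -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# make_pair DIR NAME: generate a throwaway self-signed certificate and its
# private key as DER files, in the <NAME>Cert.der / <NAME>Key.der layout
# used in the post (constructed test material, not production keys).
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2Key.pem" -out "$1/$2Cert.pem" 2>/dev/null
    openssl x509 -in "$1/$2Cert.pem" -outform der -out "$1/$2Cert.der"
    openssl rsa -in "$1/$2Key.pem" -outform der -out "$1/$2Key.der" 2>/dev/null
}

# check_host DIR NAME: the check an admin would run on one peer, e.g.
# check_host /etc/ipsec.d hummel after adjusting the paths to certs/ and
# private/. Prints a verdict and returns the result of key_matches_cert.
check_host() {
    if key_matches_cert "$1/$2Cert.der" "$1/$2Key.der"; then
        echo "$2: certificate and private key match"
    else
        echo "$2: MISMATCH between certificate and private key" >&2
        return 1
    fi
}

# Stand-alone demonstration on constructed material.
WORK=$(mktemp -d)
make_pair "$WORK" hummel
make_pair "$WORK" biene
check_host "$WORK" hummel
check_host "$WORK" biene
# Cross-check: hummel's certificate against biene's key must not match.
if key_matches_cert "$WORK/hummelCert.der" "$WORK/bieneKey.der"; then
    echo "unexpected: cross-host key matched" >&2
    exit 1
fi
echo "all checks passed"
```

If the moduli match on both hosts, the next step is to make charon say what it is doing with the inbound packets it apparently drops: add `charondebug="ike 2, cfg 2, knl 1"` under `config setup` in ipsec.conf, restart, and compare `ipsec listcerts` and `ipsec statusall` on both peers to see which certificates and connections the daemon actually loaded.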