[strongSwan] config which worked with 4.3.2 does not work with 4.4.0
Andreas Steffen
andreas.steffen at strongswan.org
Tue Jul 6 16:42:13 CEST 2010
Hi Wolfgang,

I suspect that either the socket_default (IKEv2 only running)
or socket_raw (IKEv1 & IKEv2 running) plugin is not loaded.
Could you provide a strongSwan log file?

Regards

Andreas

On 06.07.2010 13:45, Wolfgang Walter wrote:
> Hello,
>
> I have two hosts which are connected via ipsec (transport mode). The setup
> does not work any more with strongswan 4.4.0 (debian-package version 4.4.0-2
> from unstable).
>
> I see that both hosts are sending ikev2 messages to establish a connection but
> they seem to ignore any packet they receive from the other side, they do not
> even log an error.
>
> I use rsa authentication where the public-key is stored in a self-signed
> certificate.
>
> /etc/ipsec.conf is:
>
> =============================================
> config setup
>         # plutodebug=all
>         # crlcheckinterval=600
>         # strictcrlpolicy=yes
>         # cachecrls=yes
>         # nat_traversal=yes
>         charonstart=yes
>         plutostart=no
>
> conn hummel_biene
>         auto=start
>         type=transport
>         left=10.10.10.2
>         leftrsasigkey=%cert
>         leftcert=hummelCert.der
>         leftfirewall=yes
>         right=10.10.10.1
>         rightrsasigkey=%cert
>         rightcert=bieneCert.der
>         rightfirewall=yes
>         keyexchange=ikev2
>         ike=aes128-sha-modp1536!
>         esp=aes128-sha1!
> =============================================
>
> /etc/ipsec.secrets on hummel is
>
> =============================================
> : RSA /etc/ipsec.d/private/hummelKey.der
> =============================================
>
> and on biene
>
> =============================================
> : RSA /etc/ipsec.d/private/bieneKey.der
> =============================================
>
> The (selfsigned) certs are in /etc/ipsec.d/certs/hummelCert.der
> and /etc/ipsec.d/certs/bieneCert.der
>
> strongswan.conf is
>
> =============================================
> # strongswan.conf - strongSwan configuration file
>
> charon {
>
>   # number of worker threads in charon
>   threads = 16
>
>   # plugins to load in charon
>   # load = aes des sha1 md5 sha2 hmac gmp random pubkey xcbc x509 stroke
>
>   plugins {
>
>     sql {
>       # loglevel to log into sql database
>       loglevel = -1
>
>       # URI to the database
>       # database = sqlite:///path/to/file.db
>       # database = mysql://user:password@localhost/database
>     }
>   }
>
>   # ...
> }
>
> pluto {
>
>   # plugins to load in pluto
>   # load = aes des sha1 md5 sha2 hmac gmp random pubkey
>
> }
>
> libstrongswan {
>
>   # set to no, the DH exponent size is optimized
>   # dh_exponent_ansi_x9_42 = no
> }
>
> =============================================
>
>
> Regards,
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==