[strongSwan] IPSec connection between Windows XP and Debian

Rafał Jeleśniański rafal.jelesnianski at wp.pl
Tue Sep 7 00:03:14 CEST 2010

I am trying to establish an IPSec connection with StrongSwan (4.4.1) between these
two machines.
Testing environment:
Virtualbox 3.2.8
1st Machine ( - Debian Testing (kernel: 2.6.32-5-686)
2nd Machine ( - Windows XP Pro SP3
Type of connection: bridged
I use this example: 
Steps that I do on Debian:
1. apt-get update
2. apt-get install build-essential
3. apt-get install libgmp3-dev
4. apt-get install libssl-dev
5. wget http://download.strongswan.org...
6. tar ... ; cd strongswan...
7. ./configure --prefix=/usr --sysconfdir=/etc --enable-openssl
8. make
9. make install
10. Making a CA with this tutorial:
11. I generate separate keys and certs for both machines
12. I convert caKey to pem format (openssl x509 -inform der -in caCert.der -out caCert.pem)
13. I convert the cert for the Windows machine:
openssl pkcs12 -export -inkey /etc/ipsec.d/winxp1pcKey.pem -in 
/etc/ipsec.d/winxp1pcCert.pem -name "winxp1pc" -certfile 
/etc/ipsec.d/cacerts/caCert.pem -caname "Rafal CA" -out winxp1pcCert.p12
14. I edit the appropriate files and make changes (I based them on the moon files -
ipsec.conf, ipsec.secrets, strongswan.conf)
15. ipsec restart
Steps that I do on Windows:
1. Import certs from the pkcs12 file. I move the RootCA cert to the appropriate folder
2. I create a new IP security policy,
almost like in this tutorial: http://www.freebsddiary.org/ipsec-wireless-xp.php
3. Source address - My IP Address; Destination address -; 
Tunnel end-point:;
4. Authentication Method: the certificate that I imported
5. Assign my new IP security policy
I try to establish the connection but it doesn't work.
When I execute ipsec up host-host on Debian I receive these messages:
002 "host-host" #2: initiating Main Mode
104 "host-host" #2 STATE_MAIN_I1: initiate
010 "host-host" #2 STATE_MAIN_I1: retransmission; will wait 20s for response
010 "host-host" #2 STATE_MAIN_I1: retransmission; will wait 40s for response
031 "host-host" #2 max number of retransmissions (2) reached 
STATE_MAIN_I1. No response (or no acceptable response) to our first IKE 

On the Windows machine, when I try to ping, I only receive the message:
negotiating IP security

I don't have experience in configuring strongSwan.
If somebody can explain how (step by step) to configure a host-to-host IPsec
connection between Linux with strongSwan and Windows XP, I would be very thankful.

If you need any extra information - just tell me ;)

P.S. Sorry for my horrible English ;)
Rafal from Poland.

