[strongSwan] StrongSwan Setup Questions

Julian Poschmann julian.poschmann at rwth-aachen.de
Sat Mar 31 17:10:22 CEST 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 31.03.2012 05:17, Chris Arnold wrote:
> conn host-host left=192.168.123.3 
> leftcert=/etc/ipsec.d/cacerts/self_teknerds.pem 
> leftid=@servername.electricdomain.com leftfirewall=yes
You said the hosts themselves don't use software firewall (i.e.
iptables). Therefore "leftfirewall" is useless here. Please read about
the options you are using in the man page.

Ok, for certificates: Don't know if self-signed certificates will
work, never tried. But for left/rightcert you don't want to specify a
ca-certificate. They are used to verify the certificates used for the
connection. Normally, you will want to use three certificates, one ca
and one for each host, signed by the ca. Put the ca-certificate in
/etc/ipsec.d/cacert/ and your host certificate in /etc/ipsec.d/certs/
and you can omit the paths in ipsec.conf. You should end up with
something like on host1:

ca teknerds
	cacert=self_teknerds.pem

conn host-host
	[...]
	leftcert=host1.pem
	[...]

Also, if you override leftid, the certificate must certify the value
you set, so the cert would have to have either CN or a subjectAltName
with servername.electricdomain.com


> 
> -ipsec.secrets: : RSA /etc/ipsec.d/cacerts/self_teknerds.pem
You have to point to the private key used for the certificate, which
should be stored in /etc/ipsec.d/private/. Using the above, you should
end up with something like

: RSA host1.key

> 
> and the strongswan conf is below.
> 
> -Results of ipsec up host-host: no socket implementation
> registered, receiving failed
Have a look at this:
<https://lists.strongswan.org/pipermail/dev/2010-May/000204.html>

> Is this right for the log file? I also restarted ipsec and looked
> in /var/log to see if i see the charon file and do not.
You are defining two charon{...} sections, don't do that. Merge the
filelog{...} section into the existing one.


- -- 
Julian Poschmann
Zeppelinstr. 31
52068 Aachen

Telefon: +49 170 3295135
E-Mail: julian.poschmannn at rwth-aachen.de
PGP-ID: 0x7D51DD8B
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iEYEARECAAYFAk93Hl4ACgkQJmSm8H1R3YsJ/gCeO4Kw8NJFzKN/q/rW/a8WrvLi
VbcAn23G9j7eRwLp1FC6sGcM68wc5/iU
=ACNQ
-----END PGP SIGNATURE-----
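The three configuration mistakes discussed in this reply (a CA certificate used as leftcert, the CA certificate referenced as the RSA key in ipsec.secrets, and two charon{} sections in strongswan.conf) are easy to catch before running "ipsec up". The following script is an added example, not code from the thread or from the strongSwan project: it writes constructed "bad" and "good" sample files that mirror the original post and the corrected layout above, then runs three small lint functions over them. The file names, the load_modular setting and the filelog path are assumptions chosen for the sample.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): lint for the three
# strongSwan config mistakes discussed above. All file contents are
# constructed samples; paths like /var/log/charon.log are assumptions.

# make_samples: write sample files into a temp directory and print its path.
make_samples() {
  dir=$(mktemp -d)

  # "bad" layout as posted: CA cert used as host cert, CA cert named as the
  # RSA key, and two charon{} sections in strongswan.conf
  cat >"$dir/bad.ipsec.conf" <<'EOF'
conn host-host
	left=192.168.123.3
	leftcert=/etc/ipsec.d/cacerts/self_teknerds.pem
	leftid=@servername.electricdomain.com
	leftfirewall=yes
EOF
  cat >"$dir/bad.ipsec.secrets" <<'EOF'
: RSA /etc/ipsec.d/cacerts/self_teknerds.pem
EOF
  cat >"$dir/bad.strongswan.conf" <<'EOF'
charon {
	load_modular = yes
}
charon {
	filelog {
		/var/log/charon.log {
			time_format = %b %e %T
		}
	}
}
EOF

  # corrected layout following the reply: ca section with the CA cert,
  # host cert in certs/, private key in private/, one merged charon{} section
  cat >"$dir/good.ipsec.conf" <<'EOF'
ca teknerds
	cacert=self_teknerds.pem

conn host-host
	left=192.168.123.3
	leftcert=host1.pem
	leftid=@servername.electricdomain.com
EOF
  cat >"$dir/good.ipsec.secrets" <<'EOF'
: RSA host1.key
EOF
  cat >"$dir/good.strongswan.conf" <<'EOF'
charon {
	load_modular = yes
	filelog {
		/var/log/charon.log {
			time_format = %b %e %T
		}
	}
}
EOF
  echo "$dir"
}

# lint_ipsec_conf FILE: leftcert/rightcert must not point into cacerts/
lint_ipsec_conf() {
  grep -Eq '^[[:space:]]*(left|right)cert=.*/cacerts/' "$1" && return 1
  return 0
}

# lint_secrets FILE: the RSA entry must name a private key, not a CA cert
lint_secrets() {
  grep -Eq '^[[:space:]]*:[[:space:]]*RSA[[:space:]]+.*/cacerts/' "$1" && return 1
  return 0
}

# lint_strongswan_conf FILE: exactly one top-level charon { } section
lint_strongswan_conf() {
  n=$(grep -Ec '^charon[[:space:]]*\{' "$1" || true)
  [ "$n" -eq 1 ]
}

# lint_set DIR PREFIX: run all three checks on PREFIX.* in DIR, report each,
# and return non-zero if any check failed.
lint_set() {
  rc=0
  for f in ipsec.conf ipsec.secrets strongswan.conf; do
    case "$f" in
      ipsec.conf)      lint_ipsec_conf "$1/$2.$f" ;;
      ipsec.secrets)   lint_secrets "$1/$2.$f" ;;
      strongswan.conf) lint_strongswan_conf "$1/$2.$f" ;;
    esac && echo "$2.$f: ok" || { echo "$2.$f: PROBLEM"; rc=1; }
  done
  return $rc
}
```

Run it with `d=$(make_samples); lint_set "$d" bad; lint_set "$d" good` to see the posted layout flagged on all three files and the corrected layout pass. The checks are deliberately textual: they only spot the patterns from this thread, not every possible misconfiguration.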



