[strongSwan] xAuth request for VICI

Sam Johnson sam at 80pct.com
Wed Feb 25 18:07:51 CET 2015


I have not tested the configuration in swanctl.conf yet, but my goal is to
move away from configuration files so I can dynamically add/remove
connections remotely. I will add it in to see if perhaps my dictionary has
a syntax issue.

The output of `ipsec statusall`:

test:  %any...%any  IKEv1/2
test:   local:  [xxxxx.amazonaws.com] uses public key authentication
test:    cert:  "C=US, O=xxxxx, CN=xxxxxx.amazonaws.com"
test:   remote: uses XAuth authentication: any
test:   remote: [C=US, O=xxxxxx, CN=test] uses public key authentication
test:   child:  31.13.69.80/32 === dynamic TUNNEL

I have loaded in the serverCert/key and caCert/key using the vici commands
as well. All returned a successful completion message and are listed in
`ipsec listcerts`.
Additionally I loaded in a value for the xAuth connection.

Best,

Sam

On Wed, Feb 25, 2015 at 11:49 AM, Martin Willi <martin at strongswan.org>
wrote:

> Hi,
>
> > I have attempted to create the same configuration using a call to the VICI
> > with this dictionary:
>
> Have you tried to configure that in swanctl.conf to avoid any problems
> with your "dictionary"? Here such an XAuth configuration works fine when
> defined in swanctl.conf.
>
> > This keeps returning this error: `1 config found, none that allow
> > xAuthInitRSA using MainMode`
>
> Not sure what exactly goes on. Can you confirm the connection has
> been successfully loaded? What's the output of "ipsec statusall" (or
> "swanctl --list-conns")?
>
> >                 'vips' : ['10.0.0.5'],
>
> This is probably not what you want, "vips" requests a virtual IP. Use
> the "pools" keyword and the appropriate "pools" section to define
> virtual IP pools, refer to swanctl.conf(5) for details. This is probably
> not the root cause of your issue, though.
>
> Regards
> Martin
>
>
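
Added example, not part of the original thread and not the poster's configuration: a swanctl.conf fragment for the responder setup discussed above (IKEv1, public key plus XAuth for the remote side), with virtual IPs handed out from a `pools` section instead of `vips`. The pool name, address range, certificate file name, XAuth user name and secret are constructed placeholders.

```conf
connections {
    test {
        version = 1                   # IKEv1, needed for XAuth

        # On a responder, hand out virtual IPs from a named pool.
        pools = test_pool             # constructed pool name
        # vips = 10.0.0.5             # would instead request a virtual IP from the peer

        local {
            auth = pubkey
            certs = serverCert.pem    # placeholder file name
        }
        # Two authentication rounds for the remote side:
        # public key first, then XAuth.
        remote {
            auth = pubkey
        }
        remote-xauth {
            auth = xauth
        }

        children {
            test {
                local_ts = 31.13.69.80/32
            }
        }
    }
}

pools {
    test_pool {
        addrs = 10.0.0.0/24           # constructed range
    }
}

secrets {
    xauth-user1 {
        id = user1                    # placeholder XAuth user name
        secret = "REPLACE_ME"         # placeholder, not a real credential
    }
}
```

The same keys apply to a dictionary passed over VICI; `swanctl --list-conns` and `swanctl --list-pools` show what the daemon actually loaded.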