[strongSwan] host2host-cert using sql
Michael C. Cambria
mcc at fid4.com
Tue Jun 2 20:52:59 CEST 2015
On 05/29/2015 03:32 PM, Michael C. Cambria wrote:
>
> Hi,
>
> Is there an example of MySQL configuration for host2host?
>
> I'm migrating a working host2host setup from .conf to MySql. To keep
> things simple, only one end is moving to sql.
>
> I've been looking at [0] as a guide and have something "almost" working.
>
> For host2host, I don't know what values to put in the
> traffic_selectors table, if any. In the ipsec.conf case, I just leave
> left|rightsubnet out of the config.
>
> With no values in the traffic_selectors table, or when I use
> start_addr=<IPv4-addr> end_addr=<IPv4-addr>, or other guesses, the
> IKE_SA comes up, but I get:
>
> received TS_UNACCEPTABLE notify, no CHILD_SA built
> failed to establish CHILD_SA, keeping IKE_SA
>
Using the tunnel endpoint as both the start_addr & end_addr works. When
I first tried, I had "kind" set to 0 in both rows of
child_config_traffic_selector table. I have no idea what "kind" means
(it doesn't show up in [1]) , but the sample sql for net2net-cert had
kind=1 in the second child_config_traffic_selector.
[1] https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
> Is there an example, or a document I can look at for host2host using sql?
>
> I also had an issue where the cert sent from the non-sql side wasn't
> accepted by the sql side. I worked around it by putting the CA
> Cert/Key in ipsec.d./cacert, ipsec.d/private for now.
>
> Thanks,
> MikeC
>
>
> [0]
> https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql
>
More information about the Users
mailing list