[strongSwan] swanctl.conf debugging-- fails to load certificates

Stephen Ayotte stephen.ayotte at gmail.com
Thu May 11 18:39:13 CEST 2017

Thanks Tobias!! That did the trick. Specifically I added this to the config
    --disable-gmp --enable-openssl

In my defense regarding that load statement, I was working from this
example: https://www.strongswan.org/testing/testresults/swanctl/frags-ipv4/

Everything's loading successfully now, and I see the beginning of an IKEv2
negotiation when I ping from one host to the other. Great progress!

> but the local_addrs/remote_addrs/local_ts/remote_ts +
> > start_action=trap in swanctl.conf looks like it should get the job done.
> You can do the same thing with ipsec.conf.

I'm missing how... it seems like all the examples include both a "left" and
a "right", the rvals for which can be IP addresses but not CIDR blocks.

Could you nudge me in the right direction with a keyword or something I can
search / read on to figure out how to do that?

Semi-related observation: there are more examples / richer documentation
for ipsec.conf, including web search results, than for swanctl.conf. All
else being equal, I'd rather be in the mainstream so I can use other
people's known-good configs as a reference point. Is the intent to
eventually deprecate ipsec.conf in favor of swanctl, or is swanctl just an
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170511/71b78f4c/attachment-0001.html>

More information about the Users mailing list