[strongSwan] swanctl.conf debugging-- fails to load certificates

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu May 11 19:47:08 CEST 2017


Hi Stephen,

On 11.05.2017 18:39, Stephen Ayotte wrote:
> Thanks Tobias!! That did the trick. Specifically I added this to the config flags:
>     --disable-gmp --enable-openssl
>
> In my defense regarding that load statement, I was working from this example: https://www.strongswan.org/testing/testresults/swanctl/frags-ipv4/

That's a test scenario and you're not supposed to use that anyway. Use configuration examples from here: https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples

>
> Everything's loading successfully now, and I see the beginning of an IKEv2 negotiation when I ping from one host to the other. Great progress!
>
>     > but the local_addrs/remote_addrs/local_ts/remote_ts +
>     > start_action=trap in swanctl.conf looks like it should get the job done.
>
>     You can do the same thing with ipsec.conf.
>
>
> I'm missing how... it seems like all the examples include both a "left" and a "right", the rvals for which can be IP addresses but not CIDR blocks.

Look at https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Host-To-Host-transport-mode
TL;DR: Use rightsubnet instead of right. Don't set right.

>
> Could you nudge me in the right direction with a keyword or something I can search / read on to figure out how to do that?
>
> Semi-related observation: there are more examples / richer documentation for ipsec.conf, including web search results, than for swanctl.conf. All else being equal, I'd rather be in the mainstream so I can use other people's known-good configs as a reference point. Is the intent to eventually deprecate ipsec.conf in favor of swanctl, or is swanctl just an alternative?

ipsec.conf will coexist with swanctl and it will be eventually (maybe in some years) removed. Right now, swanctl is a (more powerful and better) alternative to ipsec.conf

Kind regards,
Noel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170511/9d8a0f12/attachment.sig>


More information about the Users mailing list