[strongSwan] Questions for setting up host-host configuration.

Jason Choi jason.choi9 at yahoo.com
Sat Aug 21 09:54:46 CEST 2021


I used StrongSwan-4.2.17 and tried to set up a host-host configuration following the explanation from https://www.strongswan.org/docs/readme4.htm.

My configuration is like this.
   [ 192.168.1.207 ] ===== [ 192.168.1.206 ]
       ss_client               ss_server

<< Configuration on host ss_client >>
/etc/ipsec.d/cacerts/strongswanCert.pem
/etc/ipsec.d/certs/ss_client.pem
/etc/ipsec.d/private/ss_client.key
/etc/ipsec.secrets:
 : RSA ss_client.key

/etc/ipsec.conf
conn  host-host
      left=%defaultroute
      leftcert=ss_client.pem
      right=192.168.1.206
      rightid="C=US, O=Home, CN=ss_server.research-this-that.com"
      auto=start

<< Configuration on host ss_server >>
/etc/ipsec.d/cacerts/strongswanCert.pem
/etc/ipsec.d/certs/ss_server.pem
/etc/ipsec.d/private/ss_server.key
/etc/ipsec.secrets:
 : RSA ss_server.key

/etc/ipsec.conf
conn  host-host
      left=%defaultroute
      leftcert=ss_server.pem
      right=192.168.1.207
      rightid="C=US, O=Home, CN=ss_client.research-this-that.com"
      auto=start

And this is the message I get when I run ipsec statusall on each host.
Could someone give me any idea what was wrong?
Or if you need more information from my settings and configuration, please let me know.

<< ipsec statusall from ss_client >>
# ipsec statusall
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 192.168.1.207:500
000 interface virbr0/virbr0 192.168.122.1:500
000 %myid = (none)
000 debug none
000
000 "host-host": 192.168.1.207[C=US, O=Home, CN=ss_client.research-this-that.com]---192.168.1.1...192.168.1.206[C=US, O=Home, CN=ss_server.research-this-that.com]; unrouted; eroute owner: #0
000 "host-host":   CAs: 'C=US, O=Home, CN=ss_server.research-this-that.com'...'%any'
000 "host-host":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "host-host":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 32,32; interface: eth0;
000 "host-host":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "host-host":   IKE algorithms wanted: 7_128-2-14,
000 "host-host":   IKE algorithms found:  7_128-2_160-14,
000 "host-host":   ESP algorithms wanted: 12_128-2, 3_000-1,
000 "host-host":   ESP algorithms loaded: 12_128-2_160, 3_192-1_128,
000
000 #1: "host-host" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 30s
000 #1: pending Phase 2 for "host-host" replacing #0
000

<< ipsec statusall from ss_server >>
# ipsec statusall
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 192.168.1.206:500
000 interface virbr0/virbr0 192.168.122.1:500
000 %myid = (none)
000 debug none
000
000 "host-host": 192.168.1.206[C=US, O=Home, CN=ss_server.research-this-that.com]---192.168.1.1...192.168.0.1[C=US, O=Home, CN=ss_client.research-this-that.com]; unrouted; eroute owner: #0
000 "host-host":   CAs: 'C=US, O=Home, CN=ss_server.research-this-that.com'...'%any'
000 "host-host":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "host-host":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 32,32; interface: eth0;
000 "host-host":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "host-host":   IKE algorithms wanted: 7_128-2-14,
000 "host-host":   IKE algorithms found:  7_128-2_160-14,
000 "host-host":   ESP algorithms wanted: 12_128-2, 3_000-1,
000 "host-host":   ESP algorithms loaded: 12_128-2_160, 3_192-1_128,
000
000 #1: "host-host" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 1s
000 #1: pending Phase 2 for "host-host" replacing #0
000


Sent from Mail for Windows
