[strongSwan] Questions for setting up host-host configuration.
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Sep 1 19:41:18 CEST 2021
Hello Jason,
You're entirely on your own there.
The project does not support such old versions in any capacity.
Kind regards
Noel
On 21.08.21 at 09:54, Jason Choi wrote:
> I used StrongSwan-4.2.17 and tried to set up host-host configuration following the explanation from https://www.strongswan.org/docs/readme4.htm.
>
> My configuration is like this.
>
> [ 192.168.1.207 ] ===== [192.168.1.206]
>     ss_client              ss_server
>
> << Configuration on host ss_client >>
>
> /etc/ipsec.d/cacerts/strongswanCert.pem
> /etc/ipsec.d/certs/ss_client.pem
> /etc/ipsec.d/private/ss_client.key
>
> /etc/ipsec.secrets:
>
> : RSA ss_client.key
>
> /etc/ipsec.conf
>
> conn host-host
>     left=%defaultroute
>     leftcert=ss_client.pem
>     right=192.168.1.206
>     rightid="C=US, O=Home, CN=ss_server.research-this-that.com"
>     auto=start
>
> << Configuration on host ss_server >>
>
> /etc/ipsec.d/cacerts/strongswanCert.pem
> /etc/ipsec.d/certs/ss_server.pem
> /etc/ipsec.d/private/ss_server.key
>
> /etc/ipsec.secrets:
>
> : RSA ss_server.key
>
> /etc/ipsec.conf
>
> conn host-host
>     left=%defaultroute
>     leftcert=ss_server.pem
>     right=192.168.1.207
>     rightid="C=US, O=Home, CN=ss_client.research-this-that.com"
>     auto=start
>
> And this is a message when I run ipsec statusall from each host.
>
> Could someone give me any idea what was wrong?
>
> Or if you need more information from my settings and configuration, please let me know.
>
> << ipsec statusall from ss_client >>
>
> # ipsec statusall
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth0/eth0 192.168.1.207:500
> 000 interface virbr0/virbr0 192.168.122.1:500
> 000 %myid = (none)
> 000 debug none
> 000
> 000 "host-host": 192.168.1.207[C=US, O=Home, CN=ss_client.research-this-that.com]---192.168.1.1...192.168.1.206[C=US, O=Home, CN=ss_server.research-this-that.com]; unrouted; eroute owner: #0
> 000 "host-host": CAs: 'C=US, O=Home, CN=ss_server.research-this-that.com'...'%any'
> 000 "host-host": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
> 000 "host-host": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 32,32; interface: eth0;
> 000 "host-host": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "host-host": IKE algorithms wanted: 7_128-2-14,
> 000 "host-host": IKE algorithms found: 7_128-2_160-14,
> 000 "host-host": ESP algorithms wanted: 12_128-2, 3_000-1,
> 000 "host-host": ESP algorithms loaded: 12_128-2_160, 3_192-1_128,
> 000
> 000 #1: "host-host" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 30s
> 000 #1: pending Phase 2 for "host-host" replacing #0
> 000
>
> << ipsec statusall from ss_server >>
>
> # ipsec statusall
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth0/eth0 192.168.1.206:500
> 000 interface virbr0/virbr0 192.168.122.1:500
> 000 %myid = (none)
> 000 debug none
> 000
> 000 "host-host": 192.168.1.206[C=US, O=Home, CN=ss_server.research-this-that.com]---192.168.1.1...192.168.0.1[C=US, O=Home, CN=ss_client.research-this-that.com]; unrouted; eroute owner: #0
> 000 "host-host": CAs: 'C=US, O=Home, CN=ss_server.research-this-that.com'...'%any'
> 000 "host-host": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
> 000 "host-host": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 32,32; interface: eth0;
> 000 "host-host": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "host-host": IKE algorithms wanted: 7_128-2-14,
> 000 "host-host": IKE algorithms found: 7_128-2_160-14,
> 000 "host-host": ESP algorithms wanted: 12_128-2, 3_000-1,
> 000 "host-host": ESP algorithms loaded: 12_128-2_160, 3_192-1_128,
> 000
> 000 #1: "host-host" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 1s
> 000 #1: pending Phase 2 for "host-host" replacing #0
> 000
>