> I saw something similar when I neglected to add a subjectAltName
> (gateway.shorewall.net) to the local endpoint's cert.
>
> FWIW, I've attached a log extract of a successful SA establishment.
>
> -Tom
Hm, interesting. I've consistently used scripts from SomeRandomDude on The
Internets, and indeed it does not provide for subjectAltName. Good lead,
thanks, I'll look for SS's procedure for generating certs. There is just a
quagmire haystack of disorganized info out there about this, which I'll bet
quietly defeats 90% of those who try this.
Setting rightsourceip=192.168.11.0/24 and restarting SS didn't change anything.
I've never understood the interplay of IP ranges and addresses between left and
right, as in some cases 'left' always means 'me', whether setting in local or
remote, and in other cases it means as I'd understood it, 'left' is ipsec
gateway and 'right' is remote laptop.
Also I notice that everyone always references the -server- cert and key in
ipsec.conf settings, whereas the StrongSwan Android app will only accept a .p12
file. A .p12 file is genned by the RandomDude's scripts for -user- (as well as
cert and key), and it also gens the -server- cert and key. So I can only set
the -user- cert (.p12) in the Android app.
I'll investigate further.
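As an added illustration (not Tom's or the original poster's procedure, and not a Shorewall or strongSwan project script), the shell functions below use openssl to produce a gateway certificate that carries the subjectAltName a strongSwan peer matches the IKE identity against, plus the user PKCS#12 bundle the Android app imports, and check the SAN before deployment. Assumptions: openssl 1.1.1 or newer, placeholder CA name, file names and password, the ikeIntermediate EKU as an extra the Android client accepts, and the strongSwan convention that 'left' in ipsec.conf is always the local host.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Shorewall/strongSwan projects.
# Assumes openssl 1.1.1+ (-ext support); names, paths and the password are placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"
GW_FQDN="gateway.shorewall.net"   # must equal the gateway's leftid=@gateway.shorewall.net

# Throwaway CA; on the gateway, caCert.pem would go under /etc/ipsec.d/cacerts/.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example VPN CA" \
    -keyout "$WORK/caKey.pem" -out "$WORK/caCert.pem" 2>/dev/null
}

# Gateway cert. The peer matches the IKE identity against the subjectAltName, not the
# CN, so a cert with only CN=gateway.shorewall.net reproduces the failure Tom described.
# ikeIntermediate (1.3.6.1.5.5.8.2.2) next to serverAuth is assumed to satisfy the Android app.
make_gateway_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$GW_FQDN" \
    -keyout "$WORK/gatewayKey.pem" -out "$WORK/gateway.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2\n' "$GW_FQDN" \
    > "$WORK/gw.ext"
  openssl x509 -req -days 825 -in "$WORK/gateway.csr" -CA "$WORK/caCert.pem" \
    -CAkey "$WORK/caKey.pem" -CAcreateserial -extfile "$WORK/gw.ext" \
    -out "$WORK/gatewayCert.pem" 2>/dev/null
}

# User (laptop/phone) cert. The Android app imports only PKCS#12, so key, cert and CA
# are bundled into user.p12; the gateway itself keeps its own PEM key and cert.
make_user_p12() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=laptop-user" \
    -keyout "$WORK/userKey.pem" -out "$WORK/user.csr" 2>/dev/null
  openssl x509 -req -days 825 -in "$WORK/user.csr" -CA "$WORK/caCert.pem" \
    -CAkey "$WORK/caKey.pem" -CAcreateserial -out "$WORK/userCert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/userKey.pem" -in "$WORK/userCert.pem" \
    -certfile "$WORK/caCert.pem" -name "laptop-user" -passout pass:changeit \
    -out "$WORK/user.p12"
}

# Pre-deployment check: succeeds only if the gateway cert carries the expected DNS SAN.
check_gateway_san() {
  openssl x509 -in "${1:-$WORK/gatewayCert.pem}" -noout -ext subjectAltName 2>/dev/null \
    | grep -q "DNS:$GW_FQDN"
}

# Matching conn on the gateway (ipsec.conf; left = this host, right = the roaming peer):
#   leftcert=gatewayCert.pem  leftid=@gateway.shorewall.net  leftsubnet=0.0.0.0/0
#   right=%any  rightsourceip=192.168.11.0/24  rightauth=pubkey
```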
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users