On 12/24/2017 12:59 PM, Tom Eastep wrote: > On 12/24/2017 12:45 PM, Colony.three via Shorewall-users wrote: >> >>> I saw something similar when I neglected to add a subjectAltName >>> (gateway.shorewall.net <http://gateway.shorewall.net>) to the >>> local endpoint's cert. >>> >>> FWIW, I've attached a log extract of a successful SA establishment. >>> >>> -Tom >>> >> >> Hm, interesting. I've consistently used scripts from SomeRandomDude on >> The Internets, and indeed it does not provide for subjectAltName. Good >> lead, thanks, I'll look for SS's procedure for generating certs. There >> is just a quagmire haystack of disorganized info out there about this, >> which I'll bet quietly defeats 90% of those who try this. >> >> Setting rightsourceip=192.168.11.0/24and restarting SS didn't change >> anything. >> >> I've never understood the interplay of IP ranges and addresses between >> left and right, as in some cases 'left' always means 'me', whether >> setting in local or remote, and in other cases it means as I'd >> understood it, 'left' is ipsec gateway and 'right' is remote laptop. >> >> Also I notice that everyone always references the -server- cert and key >> in ipsec.conf settings, whereas the StrongSwan Android app will only >> accept a .p12 file. A .p12 file is genned by the RandomDude's scripts >> for -user- (as well as cert and key), and it also gens the -server- cert >> and key. So I can only set the -user- cert (.p12) in the Android app. >> >> I'll investigate further. >> > > I'm just installing the StrongSwan Android app and will play with it as > well. >
After a bit of a hassle with certs, I got it working. a) I used the StrongSwan Simple CA (https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) to generate my certs, with a subjectAltName. The subjectAltName of the local endpoint is gateway.shorewall.net. On the Android, that must be placed in the Server Identity setting (Advanced Settings). I imported by CA cert separately (shows up under 'Imported' on the Android). b) Local Endpoint Configuration: conn %default ikelifetime=60m keylife=20m rekeymargin=3m keyingtries=3 keyexchange=ikev2 authby=pubkey conn ipv4 left=70.90.191.121 leftid=gateway.shorewall.net leftsubnet=172.20.1.0/24,172.20.2.0/24,70.90.191.122/31,70.90.191.124/31 leftcert=gatewayCert.der right=%any rightsourceip=172.20.3.0/24 rightdns=172.20.1.253 auto=add c) Android configuration: Server: 70.90.191.121 VPN Type: IKEv2 Certificate User certificate: (CN=phone,O=Shorewall,C=US) Ca certificate: Imported CA cert Profile name: Shorewall IPv4 Server Identity: gateway.shorewall.net -Tom -- Tom Eastep \ Q: What do you get when you cross a mobster with Shoreline, \ an international standard? Washington, USA \ A: Someone who makes you an offer you can't http://shorewall.org \ understand \_______________________________________________
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
