Simple CA is the procedure I've been using too.

> Dec 27 14:29:54 zeta charon: 05[NET] received packet: from 
> 172.58.43.66[21321] to 192.168.111.16[500] (704 bytes)
> Dec 27 14:29:54 zeta charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No 
> N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Dec 27 14:29:54 zeta charon: 05[IKE] no IKE config found for 
> 192.168.111.16...172.58.43.66, sending NO_PROPOSAL_CHOSEN
> Dec 27 14:29:54 zeta charon: 05[ENC] generating IKE_SA_INIT response 0 [ 
> N(NO_PROP) ]
> Dec 27 14:29:54 zeta charon: 05[NET] sending packet: from 192.168.111.16[500] 
> to 172.58.43.66[21321] (36 bytes)
>
> Well NAT-T definitely does not work.  I can not make this work, following the 
> SimpleCA instructions to a T.  I did import the proper .p12, and separately 
> the caCert.pem into Imported like you did.  172.58.43.66 has nothing to do 
> with my phone (100.196.9.93), and I think that is a clue to the problem.
>
> Maybe I should give up and put StrongSwan on the router and let the router 
> have access to the rest of the LAN.  That just seems like a stupid thing to 
> do but I simply have not been able to fix this problem after 2 weeks of 
> trying full time.  I can't believe that this is impossible.

As well, for cert generation I added --san:
# strongswan pki --pub --in private/quantumKey.pem --type rsa | strongswan pki \
    --issue --cacert certs/caCert.pem --cakey private/caKey.pem --san \
    quantum-equities.com --dn "C=US, O=Quantum, CN=quantum-equities.com" --outform \
    pem > certs/quantumCert.pem

... and in the SS Android app I put quantum-equities.com in Server Identity 
like you did.
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
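An added example, not from this thread or from strongSwan: it pairs each "no IKE config found" line in charon output like the lines quoted above with the packet that triggered it, so you can see at a glance whether the rejected initiator is actually your expected peer (the phone address the quoted poster mentions is used as the expected peer) and whether the non-500 source port points at NAT between the two ends. The log lines embedded below are constructed from the quoted ones, not a real capture.

```python
import re

# Constructed sample, modelled on the charon lines quoted in this thread (not a real capture).
SAMPLE_LOG = """\
Dec 27 14:29:54 zeta charon: 05[NET] received packet: from 172.58.43.66[21321] to 192.168.111.16[500] (704 bytes)
Dec 27 14:29:54 zeta charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 27 14:29:54 zeta charon: 05[IKE] no IKE config found for 192.168.111.16...172.58.43.66, sending NO_PROPOSAL_CHOSEN
Dec 27 14:29:54 zeta charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Dec 27 14:29:54 zeta charon: 05[NET] sending packet: from 192.168.111.16[500] to 172.58.43.66[21321] (36 bytes)
"""

RECV_RE = re.compile(
    r"\[NET\] received packet: from (?P<src>[\d.]+)\[(?P<sport>\d+)\] "
    r"to (?P<dst>[\d.]+)\[(?P<dport>\d+)\]"
)
NO_CONFIG_RE = re.compile(
    r"\[IKE\] no IKE config found for (?P<local>[\d.]+)\.\.\.(?P<remote>[\d.]+), "
    r"sending (?P<notify>\w+)"
)


def rejected_initiators(log_text, expected_peers):
    """Pair each 'no IKE config found' line with the packet that triggered it.

    Returns one dict per rejection: who initiated, which notify charon sent back,
    whether that address is one of the peers we expect, and whether a source
    port other than 500 hints at NAT between initiator and responder."""
    expected = set(expected_peers)
    events, last_recv = [], None
    for line in log_text.splitlines():
        m = RECV_RE.search(line)
        if m:
            last_recv = m.groupdict()   # remember the most recent inbound packet
            continue
        m = NO_CONFIG_RE.search(line)
        if not m:
            continue
        remote = m.group("remote")
        # Only trust the remembered packet if it really came from this initiator.
        pkt = last_recv if last_recv and last_recv["src"] == remote else None
        events.append({
            "local": m.group("local"),
            "remote": remote,
            "notify": m.group("notify"),
            "expected_peer": remote in expected,
            "nat_suspected": bool(pkt) and pkt["sport"] != "500",
        })
    return events


if __name__ == "__main__":
    # Hypothetical expected peer: the phone address mentioned in the quoted mail.
    for ev in rejected_initiators(SAMPLE_LOG, {"100.196.9.93"}):
        print(ev)
```

Run it against the real journal or syslog output to list every initiator charon turned away with NO_PROPOSAL_CHOSEN; an unexpected address in that list is unrelated traffic hitting UDP 500, not your client failing.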