> Hm, I am not seeing any evidence that the daemon is picking up my
> /etc/strongswan/strongswan.d/bills-strongswan.conf  nor
> /etc/strongswan/ipsec.d/bills-ipsec.conf .  But then, it's not noting yours 
> either, assuming you have your own ipsec.conf and strongswan.conf .
>
> These are my main configuration files.  In my case there's virtually nothing 
> in /etc/strongswan/strongswan.conf and /etc/strongswan/ipsec.conf .
>
> Not picking up my config files would explain the consistent error I'm getting 
> and why almost no one else seems to have this.
>
> I also see that you're using .der certs and keys.  I don't understand this 
> as, before you can pile the key and cert into a .p12 file (which is required 
> by the Android app), they must be in .pem format.  And even when I copy my 
> user's cert to the phone and import using the CACert interface, the cert ends 
> up in Imported, and not in User.
>
> I don't understand what's wrong.

Ok, now I am starting to get errors that make sense.

I have moved my strongswan.d/*.conf and ipsec.d/*.conf files (where they are 
SUPPOSED to be) to /etc/strongswan/strongswan.conf and ipsec.conf respectively. 
 Looks like the devs have not implemented these PROPER .d subdirs like they 
should have. (GDammit) That's a loss of confidence in them...

Now startup looks like this:

Dec 27 16:17:37 zeta strongswan: charon stopped after 200 ms
Dec 27 16:17:37 zeta strongswan: ipsec starter stopped
Dec 27 16:17:37 zeta systemd: Started strongSwan IPsec IKEv1/IKEv2 daemon using 
ipsec.conf.
Dec 27 16:17:37 zeta systemd: Starting strongSwan IPsec IKEv1/IKEv2 daemon 
using ipsec.conf...
Dec 27 16:17:37 zeta strongswan: Starting strongSwan 5.5.3 IPsec [starter]...
Dec 27 16:17:37 zeta charon: 00[DMN] Starting IKE charon daemon (strongSwan 
5.5.3, Linux 4.13.0-1.el7.elrepo.x86_64, x86_64)
Dec 27 16:17:37 zeta charon: 00[LIB] openssl FIPS mode(2) - enabled
Dec 27 16:17:38 zeta charon: 00[CFG] loading ca certificates from 
'/etc/strongswan/ipsec.d/cacerts'
Dec 27 16:17:38 zeta charon: 00[CFG]   loaded ca certificate "C=US, 
O=QuantumEquities, CN=QuantumCA" from 
'/etc/strongswan/ipsec.d/cacerts/cacert.pem'
Dec 27 16:17:38 zeta charon: 00[CFG] loading aa certificates from 
'/etc/strongswan/ipsec.d/aacerts'
Dec 27 16:17:38 zeta charon: 00[CFG] loading ocsp signer certificates from 
'/etc/strongswan/ipsec.d/ocspcerts'
Dec 27 16:17:38 zeta charon: 00[CFG] loading attribute certificates from 
'/etc/strongswan/ipsec.d/acerts'
Dec 27 16:17:38 zeta charon: 00[CFG] loading crls from 
'/etc/strongswan/ipsec.d/crls'
Dec 27 16:17:38 zeta charon: 00[CFG] loading secrets from 
'/etc/strongswan/ipsec.secrets'
Dec 27 16:17:38 zeta charon: 00[CFG]   loaded RSA private key from 
'/etc/strongswan/ipsec.d/private/billsKey.pem'
Dec 27 16:17:38 zeta charon: 00[LIB] loaded plugins: charon aes des rc2 sha2 
sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 
pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac 
hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke 
vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap 
xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity
Dec 27 16:17:38 zeta charon: 00[JOB] spawning 16 worker threads
Dec 27 16:17:38 zeta strongswan: charon (32350) started after 40 ms
Dec 27 16:17:38 zeta charon: 05[CFG] received stroke: add connection 'ipv4'
Dec 27 16:17:38 zeta charon: 05[CFG] left nor right host is our side, assuming 
left=local
Dec 27 16:17:38 zeta charon: 05[CFG] adding virtual IP address pool 
192.168.11.0/24
Dec 27 16:17:38 zeta charon: 05[CFG]   loaded certificate "C=US, O=Quantum, 
CN=cac...@quantum-equities.com" from 'billsCert.pem'
Dec 27 16:17:38 zeta charon: 05[CFG] added configuration 'ipv4'

NOW I can make some frickin' gol' damned SENSE out of this.  I'll resume 
tomorrow, when I am less drunk.
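An added check for the problem described in this message, not part of the original post: strongSwan only reads fragment files through an `include` line in the main file (the stock strongswan.conf ships with `include strongswan.d/*.conf`), so a main file that is "virtually empty" silently ignores everything in the .d directory. The script below lists the fragments that no `include` line would pull in; the directory layout and file names are constructed for the demo, and applying the same rule to ipsec.conf/ipsec.d is an assumption.

```shell
#!/bin/sh
# list_unincluded_fragments CONFDIR MAINFILE DDIR
# Prints every CONFDIR/DDIR/*.conf that no "include" line in
# CONFDIR/MAINFILE references, either by glob (DDIR/*.conf) or by name.
# Returns 1 if at least one fragment is orphaned, 0 otherwise.
list_unincluded_fragments() {
  confdir=$1; main=$2; ddir=$3
  rc=0
  [ -r "$confdir/$main" ] || { echo "missing $confdir/$main" >&2; return 2; }
  for f in "$confdir/$ddir"/*.conf; do
    [ -e "$f" ] || continue          # glob matched nothing
    base=${f##*/}
    # Accept "include strongswan.d/*.conf", an absolute prefix, or an
    # explicit "include strongswan.d/<name>.conf"; comments are ignored.
    if ! grep -Eq "^[[:space:]]*include[[:space:]]+(.*/)?$ddir/(\*\.conf|$base)" \
         "$confdir/$main"; then
      echo "$ddir/$base"
      rc=1
    fi
  done
  return $rc
}

# Demo on a constructed tree (assumed layout, mirrors /etc/strongswan).
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/strongswan.d"
  printf 'charon {\n}\n' > "$tmp/strongswan.conf"   # no include line
  printf 'charon {\n  load = openssl\n}\n' > "$tmp/strongswan.d/bills.conf"
  if list_unincluded_fragments "$tmp" strongswan.conf strongswan.d; then
    echo "all fragments are included"
  else
    echo "the fragments above are never read; add 'include strongswan.d/*.conf'"
  fi
  rm -rf "$tmp"
}
demo
```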
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users