On Sun, 19 May 2019, Madhan Raj wrote:
Oh, you do have a conn...
> conn 772007410_x509 left=10.63.101.19
> leftcert=ipsec-db
> leftrsasigkey=%cert
> leftprotoport=tcp/0
> leftid="C=RS, O=home, OU=cup, CN=esc-imppub-12.burren.pst, ST=serbia, L=belgrade"
> right=10.63.101.18
> rightcert=esc-cucm-12.burren.pst
> rightrsasigkey=%cert
> rightprotoport=tcp/0
> rightid=""
use rightid=%fromcert
> type=transport
> auth=esp
> authby=rsasig
> keyexchange=ike
> keyingtries=%forever
> rekey=yes
> ike=3des-sha1-modp1024
Very old-fashioned, and dh1024 is too weak and not allowed anymore. At the
minimum use ike=3des-sha1-modp1536; better is ike=aes-sha2-modp2048

You can run: ipsec auto --add 772007410_x509
to see if the connection loaded fine. If it does, you can run: ipsec auto --up 772007410_x509
You did not yet show me this step?
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
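
A small lint for the two problems pointed out in this reply (the empty rightid and the modp1024 IKE proposal), as an added example that is not part of the original message or of libreswan. The function names and the embedded sample are constructed here, and the parser assumes simple, indented conn sections only.

```python
import re

# Constructed sample: a shortened copy of the conn quoted in the thread.
SAMPLE_CONF = '''\
conn 772007410_x509
    left=10.63.101.19
    leftcert=ipsec-db
    leftid="C=RS, O=home, OU=cup, CN=esc-imppub-12.burren.pst, ST=serbia, L=belgrade"
    right=10.63.101.18
    rightcert=esc-cucm-12.burren.pst
    rightid=""
    authby=rsasig
    ike=3des-sha1-modp1024
'''

def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section (hypothetical helper)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if not raw[:1].isspace():          # unindented line starts a new section
            m = re.match(r'conn\s+(\S+)$', line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and '=' in line:
            key, value = line.split('=', 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def lint_conn(opts):
    """Return (severity, message) findings for one conn, per the advice in the reply."""
    findings = []
    for proposal in filter(None, opts.get('ike', '').split(',')):
        parts = re.split(r'[-;]', proposal.strip().lower())
        if 'modp1024' in parts:
            findings.append(('error', f'ike={proposal}: modp1024 is too weak'))
        elif '3des' in parts or 'sha1' in parts:
            findings.append(('warn', f'ike={proposal}: prefer aes-sha2-modp2048'))
    for side in ('left', 'right'):         # a cert is configured but the ID is empty
        if side + 'cert' in opts and opts.get(side + 'id') == '':
            findings.append(('error', f'{side}id is empty: use {side}id=%fromcert'))
    return findings

if __name__ == '__main__':
    for name, opts in parse_conns(SAMPLE_CONF).items():
        for severity, message in lint_conn(opts):
            print(f'{name}: {severity}: {message}')
```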