Apologies, forgot to cc the list...

----- Forwarded message -----
> If you added it verbatim, it will have failed to load on a missing
> certificate.
>
> You have never indicated how your nodes are going to identify themselves
> to each other. So I assumed you used a private CA and generate
> certificates for all nodes using some certificate issuing system that
> can create PKCS#12 files. Those files when created ask for a "friendly
> name" to use to identify the certificate. That is the name you need
> to put in the leftcert= option.

Your assumptions are right. I am sorry for the unnecessary hassle. The point is that I simply overlooked pluto complaining about the missing certificate (it was one line without a 'WARNING' or 'ERROR' and I did not read carefully enough). Yes, I've got certificates and I assume they are properly stored in the NSS.

So, after getting the cert name right and switching from %opportunisticgroup to %group (otherwise pluto complained about not having ikev2=insist), I get

pluto[20148]: added connection description "private"
pluto[20148]: added connection description "clear"
pluto[20148]: listening for IKE messages
pluto[20148]: adding interface enp2s3/enp2s3 10.0.10.3:500
pluto[20148]: adding interface enp2s3/enp2s3 10.0.10.3:4500
pluto[20148]: adding interface lo/lo 127.0.0.1:500
pluto[20148]: adding interface lo/lo 127.0.0.1:4500
pluto[20148]: | setup callback for interface lo:4500 fd 18
pluto[20148]: | setup callback for interface lo:500 fd 17
pluto[20148]: | setup callback for interface enp2s3:4500 fd 16
pluto[20148]: | setup callback for interface enp2s3:500 fd 15
pluto[20148]: forgetting secrets
pluto[20148]: loading secrets from "/etc/ipsec.secrets"
pluto[20148]: no secrets filename matched "/etc/ipsec.d/*.secrets"
pluto[20148]: loading group "/etc/ipsec.d/policies/clear"
pluto[20148]: loading group "/etc/ipsec.d/policies/private"
pluto[20148]: "private#10.0.10.254/32": cannot route template policy of RSASIG+ENCRYPT+TUNNEL+PFS+GROUPINSTANCE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN

Everything is fine up to the last line. I searched the web a little, but found nothing useful (in most cases, the message was a follow-up to different primary problems rather than a root cause). Other than that, everything stays the same: packets going out in the clear, no xfrm policies installed (apart from those for SSH and the default 'zeros').

Best regards,
Phil

----- End forwarded message -----

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
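The overlooked failure in the thread is a leftcert= value that does not match any certificate nickname ("friendly name") in pluto's NSS database. As an added example that is not part of Phil's message or of libreswan's own tooling, the POSIX shell snippet below cross-references the leftcert=/rightcert= nicknames in an ipsec.conf with the nicknames listed by `certutil -L`, so a mismatch surfaces before pluto is started rather than as an easily missed log line. The config excerpt, the nicknames, the certutil output and the NSS directory in the usage comment are constructed for the example, not taken from the thread; the column layout it parses is that of NSS's certutil.

```shell
#!/bin/sh
# Added example (not from the thread or from libreswan): check that every
# leftcert=/rightcert= nickname in an ipsec.conf exists in pluto's NSS
# database.  Assumptions: libreswan-style ipsec.conf syntax and certutil(1)
# from the NSS tools; the NSS directory (e.g. /etc/ipsec.d) is site-specific.

# Print the certificate nicknames referenced by leftcert=/rightcert= lines.
# Handles both bare values and double-quoted values containing spaces.
conf_cert_nicknames() {
    sed -nE 's/^[[:space:]]*(left|right)cert[[:space:]]*=[[:space:]]*("([^"]*)"|([^[:space:]#]+)).*$/\3\4/p' "$1" | sort -u
}

# Print the nicknames from a saved `certutil -L` listing: skip the two header
# lines and blank lines, then drop the trailing trust-attribute column
# (e.g. "u,u,u" or "CT,,") so nicknames with spaces survive intact.
nss_cert_nicknames() {
    awk 'NF >= 2 && !/Trust Attributes/ && !/SSL,S\/MIME,JAR\/XPI/ &&
         $NF ~ /^[CTcPpuwg]*,[CTcPpuwg]*,[CTcPpuwg]*$/ {
             sub(/[[:space:]]+[^[:space:]]+$/, ""); print }' "$1" | sort -u
}

# Print every nickname the config references that the NSS listing lacks.
# Arguments: <ipsec.conf path> <saved certutil -L output path>
missing_cert_nicknames() {
    conf_cert_nicknames "$1" | while IFS= read -r nick; do
        nss_cert_nicknames "$2" | grep -qxF -- "$nick" || printf '%s\n' "$nick"
    done
}

# Constructed sample input (not real data): the cert was imported under the
# nickname "node3", but the config refers to it as "node3 cert".
TMP=$(mktemp -d)
cat > "$TMP/ipsec.conf" <<'EOF'
conn private
	left=%defaultroute
	leftid=%fromcert
	leftcert="node3 cert"
	leftrsasigkey=%cert
	right=%group
	rightid=%fromcert
	rightrsasigkey=%cert
	authby=rsasig
	ikev2=insist
	type=tunnel
	auto=ondemand

conn clear
	left=%defaultroute
	right=%group
	type=passthrough
	authby=never
	auto=ondemand
EOF
cat > "$TMP/certutil.out" <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

node3                                                        u,u,u
Example Private CA                                           CT,,
EOF

# On a real host (NSS directory assumed):
#   certutil -L -d sql:/etc/ipsec.d > /tmp/certutil.out
#   missing_cert_nicknames /etc/ipsec.conf /tmp/certutil.out
# For the constructed sample this prints the one mismatched nickname.
missing_cert_nicknames "$TMP/ipsec.conf" "$TMP/certutil.out"
```

An empty result means every referenced nickname is present; anything printed is a leftcert=/rightcert= value pluto will not be able to resolve, which is the situation the thread describes. The check deliberately reads a saved listing rather than calling certutil itself, so it can be run against a copy of the database listing from a host you cannot log in to.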
