On Mon, 28 Dec 2020, Alex wrote:
> How can I tell what type of cert I'm using?

openssl x509 -noout -text -in /your/cert.pem
> Based on the strongswan page, I've added the following:
>
> ike=aes256-sha384-prfsha384-modp2048
> esp=aes256gcm16-modp2048

strongSwan is not fully compatible with libreswan. The ike= and esp= lines take a different format. The above two strongSwan lines translate to libreswan as:

ike=aes256-sha2_384;modp2048
esp=aes_gcm256;modp2048
> Can I ask you to review this pastebin output from an attempt to connect?
> https://pastebin.com/D83HRJnW
>
> This is with "plutodebug = all crypt". In addition to the NO_PROPOSAL_CHOSEN
> messages, the highlights appear to include:
>
> find_host_connection local=68.195.111.42:500 remote=192.168.1.35:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports
> find_host_connection local=68.195.111.42:500 remote=192.168.1.35:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports
> find_host_connection local=68.195.111.42:500 remote=192.168.1.35:500 policy=PSK+IKEV2_ALLOW but ignoring ports

This is just our debugging the loop over the existing authentication methods and IPs. It seems you do not have a connection loaded that satisfies all of these:

- has ikev2=yes
- uses left=68.195.111.42 (or left=%defaultroute) [provided you use left as your local machine, and right for the remote machine options. If you flipped that, you don't have a right= matching these]
- uses right=192.168.1.35 or right=%any
- uses authby=ecdsa or authby=rsa or authby=secret (or a combination thereof, or it is not set, in which case the defaults would include rsa and/or rsa+ecdsa depending on the version of libreswan)
- an ike= line that matches the remote client proposal list (or the client uses something that is not a default ike parameter when no ike= line is specified)

You might want to manually add the connection to see if it loads at all:

ipsec auto --add yourconnname

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
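Two helpers that turn the reply above into something you can run, added here as an example; this is not libreswan's or strongSwan's own code. The first translates a strongSwan ike=/esp= proposal string into libreswan's syntax along the lines of the two translated lines in the reply; the algorithm name tables, the handling of strongSwan's prf token (folded into libreswan's integrity slot) and the treatment of a trailing "!" are assumptions, and any token the tables do not know raises instead of guessing. The second checks a loaded conn against the local/remote/policy triple that one find_host_connection debug line reports, mirroring the checklist in the reply; the mapping from pluto's RSASIG/ECDSA/PSK words to authby= keywords and the default for an unset authby= are likewise assumptions (the reply notes the default depends on the libreswan version). The ike= item of the checklist needs the client's proposal list and is not checked here.

```python
"""Translate strongSwan proposals to libreswan syntax and check a conn
against a find_host_connection debug line (added example)."""
import re

# strongSwan token -> libreswan token. Assumed tables built from the two
# translated lines in the thread plus common algorithm names.
ENCR = {"aes128": "aes128", "aes192": "aes192", "aes256": "aes256", "3des": "3des",
        "aes128gcm16": "aes_gcm128", "aes256gcm16": "aes_gcm256",
        "chacha20poly1305": "chacha20_poly1305"}
AEAD = {"aes_gcm128", "aes_gcm256", "chacha20_poly1305"}
HASH = {"sha1": "sha1", "sha256": "sha2_256", "sha384": "sha2_384",
        "sha512": "sha2_512", "sha2_256": "sha2_256", "sha2_384": "sha2_384",
        "sha2_512": "sha2_512"}
DH = {"modp1024": "modp1024", "modp1536": "modp1536", "modp2048": "modp2048",
      "modp3072": "modp3072", "modp4096": "modp4096", "modp8192": "modp8192",
      "ecp256": "ecp_256", "ecp384": "ecp_384", "ecp521": "ecp_521",
      "curve25519": "curve25519", "x25519": "curve25519"}


def translate_proposal(strongswan: str) -> str:
    """'aes256-sha384-prfsha384-modp2048' -> 'aes256-sha2_384;modp2048'.

    Comma-separated lists are translated entry by entry. strongSwan's
    trailing '!' (strict marker) is dropped: a libreswan proposal list is
    already strict (assumption)."""
    out = []
    for prop in strongswan.strip().rstrip("!").split(","):
        encr = integ = prf = dh = None
        for tok in prop.split("-"):
            if tok.startswith("prf"):
                prf = HASH.get(tok[3:])
                if prf is None:
                    raise ValueError(f"unknown PRF token {tok!r}")
            elif tok in ENCR:
                encr = ENCR[tok]
            elif tok in HASH:
                integ = HASH[tok]
            elif tok in DH:
                dh = DH[tok]
            else:
                raise ValueError(f"unknown strongSwan token {tok!r}")
        if encr is None:
            raise ValueError(f"no cipher in {prop!r}")
        # libreswan has no separate PRF field; the PRF follows the integrity
        # slot (assumed). For an AEAD IKE proposal strongSwan's prf token is
        # therefore what goes into that slot.
        if integ is None and prf is not None and encr in AEAD:
            integ = prf
        elif prf is not None and integ is not None and prf != integ:
            raise ValueError(f"PRF {prf} differs from integrity {integ}; "
                             "not expressible by this translator")
        out.append(encr + (f"-{integ}" if integ else "") + (f";{dh}" if dh else ""))
    return ",".join(out)


FIND_HOST_RE = re.compile(
    r"find_host_connection local=(?P<local>[\d.]+):\d+ "
    r"remote=(?P<remote>[\d.]+):\d+ policy=(?P<auth>\w+)\+IKEV2_ALLOW")
# pluto policy word -> authby= keywords that satisfy it (assumed mapping)
AUTH_KEYWORDS = {"RSASIG": {"rsasig", "rsa-sha2"}, "ECDSA": {"ecdsa"},
                 "PSK": {"secret"}}
# What an unset authby= is taken to allow (assumption; version dependent).
DEFAULT_AUTHBY = {"rsasig", "ecdsa"}


def unmet_conditions(conn: dict, debug_line: str) -> list:
    """Return the checklist items that `conn` (a dict of the conn's
    keyword=value settings) fails for one find_host_connection line."""
    m = FIND_HOST_RE.search(debug_line)
    if not m:
        raise ValueError("not a find_host_connection line")
    problems = []
    # ikev2=insist/propose are taken as IKEv2-capable as well (assumption)
    if conn.get("ikev2", "").lower() not in ("yes", "insist", "propose"):
        problems.append("ikev2=yes missing")
    if conn.get("left") not in (m["local"], "%defaultroute"):
        problems.append(f"left is not {m['local']} or %defaultroute")
    if conn.get("right") not in (m["remote"], "%any"):
        problems.append(f"right is not {m['remote']} or %any")
    allowed = set(conn["authby"].split("+")) if "authby" in conn else DEFAULT_AUTHBY
    if not allowed & AUTH_KEYWORDS[m["auth"]]:
        problems.append(f"authby does not allow {m['auth']}")
    return problems


# Debug line taken from the thread; the conn is constructed for the example.
SAMPLE_LINE = ("find_host_connection local=68.195.111.42:500 remote=192.168.1.35:500 "
               "policy=RSASIG+IKEV2_ALLOW but ignoring ports")
SAMPLE_CONN = {"ikev2": "yes", "left": "68.195.111.42", "right": "%any",
               "authby": "rsasig",
               "ike": translate_proposal("aes256-sha384-prfsha384-modp2048"),
               "esp": translate_proposal("aes256gcm16-modp2048")}

if __name__ == "__main__":
    for k, v in SAMPLE_CONN.items():
        print(f"    {k}={v}")
    print("unmet:", unmet_conditions(SAMPLE_CONN, SAMPLE_LINE))
```

Run it against each of the three policy lines in the pastebin excerpt; an empty list for at least one of them means the conn satisfies everything the reply lists except the proposal match, which leaves the ike= line as the thing to compare against the client's proposal.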
