Hi,

On 05.08.2017 02:27, Luca Arzeni wrote:
> [...]
> I'm on a debian jessie 8.0, openswan 2.6.37 and I need to migrate to
> StrongSWAN 5.2.1

You better get 5.5.3 right away. 5.2.1 is already pretty old.

> [...]
> ==============================================================
>
> Now I'm trying to use StrongSWAN to setup a connection, but I'm not able to
> connect.
> This is my StrongSWAN ipsec.conf:
>
> ==============================================================
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>         # strictcrlpolicy=yes
>         # uniqueids = no
>         charondebug = dmn 2, mgr 2, ike 2, chd 2, job 0, cfg 2, knl 2, net 2, asn 0,
>         enc 0, lib 0, esp 2, tls 2, tnc 2, imc 2, imv 2, pts 2

Remove that. Use the logger configuration from the HelpRequests page
instead and pastebin us that, after you made the following changes.

>
> conn home
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev1
>         #
>         left=%any

Remove left. It is unnecessary.

>         leftcert=my_cert.pem
>         leftrsasigkey=%cert
>         leftid="my certificate subject"

leftrsasigkey and leftid are unnecessary, if not counterproductive.

>         #leftauth=pubkey
>         leftfirewall=yes
>         #
>         leftsourceip=A.B.C.D # CP-known client IP (not necessarily my ip), I need to
>         set it because I'm using also a "rightsubnets" list
>         leftsubnet=A.B.C.D/32 # CP-known client IP (not necessarily my ip), I need to
>         set it because I'm using also a "rightsubnets" list

Remove leftsubnet.

>         #
>         rightcert=fwncest_2012-11-07_cert.pem
>         rightrsasigkey=%cert

Remove rightrsasigkey.

>         right=X.Y.Z.W (FW1_IP_ADDRESS)
>         rightid=X.Y.Z.W (I cannot use FW cert or other values, I MUST use the
>         firewall public IP)
>         rightsubnet= 192.168.1.0/24, 192.168.2.0/24, ecc...
>         rightcert=firewall_cert.pem
>         rightrsasigkey=%cert

Duplicate settings. Pick one of the certs, remove rightrsasigkey anyway.

>         #
>         auto=start

Careful: Charon does not try to reestablish IKE_SAs or CHILD_SAs if the
remote peer deletes them. This behaves differently than openswan.

>         # after establishing the vpn, run these scripts to allow routes from
>         my client to server behind the firewall
>         #
>         # /sbin/iptables -t nat -I POSTROUTING -d 192.168.1.0/24 -j SNAT --to my_ip
>         # /sbin/iptables -t nat -I POSTROUTING -d 192.168.2.0/24 -j SNAT --to my_ip
>
> include /var/lib/strongswan/ipsec.conf.inc

Remove the include.

> ===========================================================================
>
> But this setup is not working.

Provide all the information from the HelpRequests page, please.

Kind regards

Noel

https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
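For reference, this is how the conn reads once every removal asked for in the reply above is applied. It is an added reconstruction for illustration, not a config posted in the thread; the pick of firewall_cert.pem over the other rightcert file is arbitrary, the A.B.C.D / X.Y.Z.W placeholders are the original's, and the logger section from the HelpRequests page (which lives in strongswan.conf, not here) is not reproduced.

```ini
# ipsec.conf - reconstructed from the thread above (added example, not from
# the original post). A.B.C.D and X.Y.Z.W are the original's placeholders.

config setup
        # charondebug removed: logging is configured in strongswan.conf via
        # the logger section described on the HelpRequests page instead

conn home
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        # left, leftid and leftrsasigkey dropped as requested: the local
        # address is autodetected and the identity defaults to the subject
        # DN of the certificate named in leftcert
        leftcert=my_cert.pem
        leftfirewall=yes
        # leftsourceip is kept; the redundant leftsubnet=A.B.C.D/32 is gone
        leftsourceip=A.B.C.D
        right=X.Y.Z.W
        rightid=X.Y.Z.W
        # one rightcert only (arbitrary pick between the two files named in
        # the original); rightrsasigkey=%cert dropped as unnecessary alongside it
        rightcert=firewall_cert.pem
        rightsubnet=192.168.1.0/24,192.168.2.0/24
        # auto=start kept, with the caveat from the reply: charon does not
        # re-establish IKE_SAs/CHILD_SAs that the remote peer deletes
        auto=start

# the include of /var/lib/strongswan/ipsec.conf.inc is removed as well
```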