Hi,

On 05.08.2017 02:27, Luca Arzeni wrote:
> [...]
> I'm on a debian jessie 8.0, openswan 2.6.37 and I need to migrate to 
> StrongSWAN 5.2.1
You'd better get 5.5.3 right away. 5.2.1 is already pretty old.

> [...]
> ==============================================================
>
> Now I'm trying to use StrongSWAN to setup a connection, but I'm not able to 
> connect.
> This is my StrongSWAN ipsec.conf:
>
> ==============================================================
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> config setup
> # strictcrlpolicy=yes
> # uniqueids = no
> charondebug =  dmn 2, mgr 2, ike 2, chd 2, job 0, cfg 2, knl 2, net 2, asn 0, 
> enc 0, lib 0, esp 2, tls 2, tnc 2, imc 2, imv 2, pts 2
Remove that. Use the logger configuration from the HelpRequests[1] page instead 
and pastebin us that, after you have made the following changes.
>
> conn home
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev1
> #
> left=%any
Remove left. It is unnecessary.
> leftcert=my_cert.pem
> leftrsasigkey=%cert
> leftid="my certificate subject"
leftrsasigkey and leftid are unnecessary, if not counterproductive.

> #leftauth=pubkey
>         leftfirewall=yes
> #
> leftsourceip=A.B.C.D # CP-known client IP (not necessarily my ip), I need to 
> set it because I'm using also a "rightsubnets" list
> leftsubnet=A.B.C.D/32 # CP-known client IP(not necessarily my ip), I need to 
> set it because I'm using also a "rightsubnets" list
Remove leftsubnet.
> #
> rightcert=fwncest_2012-11-07_cert.pem
> rightrsasigkey=%cert
Remove rightrsasigkey.
>         right=X.Y.Z.W (FW1_IP_ADDRESS)
>         rightid=X.Y.Z.W (I cannot use FW cert or other values, I MUST use the 
> firewall public IP)
>         rightsubnet= 192.168.1.0/24, 192.168.2.0/24, etc...
>         rightcert=firewall_cert.pem
>         rightrsasigkey=%cert
Duplicate settings. Pick one of the certs, remove rightrsasigkey anyway.
> #
> auto=start
Careful: Charon does not try to reestablish IKE_SAs or CHILD_SAs if the remote 
peer deletes them. This behaves differently than openswan.

>         # after establishing the vpn, run these scripts to allow routes from 
> my client to server behind the firewall
>         #
>         # /sbin/iptables -t nat -I POSTROUTING -d 192.168.1.0/24 -j SNAT --to my_ip
>         # /sbin/iptables -t nat -I POSTROUTING -d 192.168.2.0/24 -j SNAT --to my_ip
>
> include /var/lib/strongswan/ipsec.conf.inc
Remove the include.

> ===========================================================================
>
> But this setup is not working.

Provide all the information from the HelpRequests[1] page, please.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
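For readers following this thread, here is the quoted ipsec.conf with the changes from the reply applied, as an added illustration that is not from the original thread or from the strongSwan project. The strongswan.conf filelog section is my assumption standing in for the logger configuration on the HelpRequests page, and closeaction=restart is my own addition to address the auto=start caveat, not something the reply recommends.

```conf
# /etc/ipsec.conf (strongSwan 5.5.3), rewritten with the suggested changes applied
config setup
        # charondebug removed; logging is configured in strongswan.conf (below)

conn home
        keyexchange=ikev1
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        # left=%any, leftrsasigkey and leftid removed: with leftcert set, the
        # local identity defaults to the certificate subject
        leftcert=my_cert.pem
        leftfirewall=yes
        # leftsubnet removed; leftsourceip is enough with a rightsubnet list
        leftsourceip=A.B.C.D
        right=X.Y.Z.W
        rightid=X.Y.Z.W
        # a single rightcert; both rightrsasigkey lines removed
        rightcert=firewall_cert.pem
        rightsubnet=192.168.1.0/24,192.168.2.0/24
        auto=start
        # Assumption, not from the reply: charon does not re-establish SAs the
        # peer deletes, so ask it to restart them when that happens
        closeaction=restart

# /etc/strongswan.conf, assumed minimal file logger replacing charondebug
charon {
        filelog {
                /var/log/charon.log {
                        time_format = %b %e %T
                        ike_name = yes
                        append = no
                        default = 1
                        flush_line = yes
                }
        }
}
```

Placeholders such as A.B.C.D, X.Y.Z.W and the certificate file names are carried over from the quoted message and must be replaced with real values.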
