Hi, conn %default is not a real conn. You need to define at least one. Just move all that stuff into some conn with an arbitrary name. E.g. "conn foo". All other things: Check the UsableExamples[1] article on the wiki.
Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples

On 25.01.2018 01:26, Newton, Benjamin David wrote:
>
> I am trying to set up a site-to-site VPN using StrongSwan. The requirements
> for the VPN are:
>
> − Encapsulation Security Payload (ESP)
> − Encryption: AES-256
> − Authentication: SHA-1
> − IPSec / IKE Authentication: Pre-shared secret and digital certificate
> − IKE: Version 1
> − IKE phase 1: Diffie-Hellman group 5
> − Perfect Forward Secrecy (PFS): Diffie-Hellman group 1
> − Pre-shared secret key
>
> I have the following as a start in my ipsec.conf file
>
>     conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev1
>         ike=aes256-sha1-modp1536
>         esp=aes256-sha1-modp1536
>         authby=secret
>
> However, I don't know how to specify the Perfect Forward Secrecy (PFS) as DH
> group 1.
>
> I'm also uncertain if the other entries are correct for the requirements
> above. (Do I need to specify the digital certificate?) (Do I need both an
> ike and esp line?)
>
> Any suggestions, or help would be greatly appreciated.
>
> Thanks,
>
> Ben Newton
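As an added example (not part of Noel's reply or of the strongSwan wiki page he links), here is the posted %default block moved into a named conn, with the one change the original question asks about. In strongSwan's proposal syntax the DH group appended to the esp= line is what selects the PFS group for the CHILD SA, so DH group 1 (the 768-bit MODP group from RFC 2409) is written modp768 there, while group 5 stays as modp1536 on the ike= line. The trailing "!" makes each proposal strict so the peer cannot negotiate something else. The pre-shared secret itself lives in ipsec.secrets, not ipsec.conf; authby=secret selects PSK authentication, and certificate authentication would instead use authby=pubkey together with leftcert=. Hostnames, addresses and subnets below are placeholders.

```ini
# /etc/ipsec.conf  (added example; gw-a.example.com, gw-b.example.com,
# 203.0.113.1, 198.51.100.1 and the 10.x subnets are placeholder values)
config setup

conn site-to-site
    keyexchange=ikev1
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    # Phase 1 (IKE SA): AES-256, SHA-1, DH group 5 = modp1536
    ike=aes256-sha1-modp1536!
    # Phase 2 (CHILD SA): the DH group here is the PFS group; group 1 = modp768
    esp=aes256-sha1-modp768!
    authby=secret
    left=203.0.113.1
    leftsubnet=10.1.0.0/16
    leftid=@gw-a.example.com
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    rightid=@gw-b.example.com
    auto=start

# /etc/ipsec.secrets (placeholder secret; keep this file mode 0600)
# @gw-a.example.com @gw-b.example.com : PSK "replace-with-a-long-random-secret"
```

Two caveats worth stating: modp768 is a 768-bit group, far below what is considered safe today, so use it only because the requirement mandates it, and it is not in strongSwan's default proposals, so it must be named explicitly as above. Both sides must agree on the PFS group in esp=, otherwise the phase 2 negotiation fails with a NO_PROPOSAL_CHOSEN even though phase 1 succeeds.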
