[strongSwan] Help with StrongSwan 4.3.4 and NAT-T
Hello,

First, I'm no expert at StrongSwan and IPsec, so this is probably a
configuration error on my part, so on that understanding I would
appreciate any help or advice you can offer on this problem...

Two OpenSUSE (11.2 x86_64) servers forming tunnel, one behind nat.
Tunnel established ok, but if one of the servers is restarted or
reloaded then tunnel goes down. Tunnel won't come back up until the
other server is restarted or reloaded. It looks to me like both
endpoints elevate the status to NAT-T and thereafter expect all
communication to come over port 4500. If one is restarted, only one
knows to use 4500, and thereafter both refuse to take each other's
messages.

Overview: (All subnets are /24, and the 192.168.88.0/24 is my
imaginary public internet.)

    eth1 - 192.168.21.1
    ---
    | VPN1 |
    ---
    eth0 - 192.168.88.221
    |
    |
    eth0 - 192.168.88.222
    ---
    | NAT|(Port forwarding UDP500 and UDP4500 to 192.168.20.2)
    ---
    eth1 - 192.168.20.1
    |
    |
    eth0 - 192.168.20.2
    ---
    | VPN2 |
    ---
    eth1 - 192.168.22.1

Configuration:

ipsec.secrets (same on both machines):
192.168.88.221 192.168.88.222: PSK "test"

ipsec.conf (VPN1):
config setup
    nat_traversal=yes
    charonstart=yes
    plutostart=yes
    interfaces="ipsec0=eth0"

conn %default
    left=192.168.88.221
    leftsourceip=192.168.21.1
    leftsubnet=192.168.21.0/24
    leftnexthop=192.168.88.222

conn vpn2
    type=tunnel
    authby=psk
    right=192.168.88.222
    rightsubnet=192.168.22.0/24
    keyexchange=ikev1
    auto=start

ipsec.conf (VPN2):
config setup
    nat_traversal=yes
    charonstart=yes
    plutostart=yes
    interfaces="ipsec0=eth0"

conn %default
    left=192.168.20.2
    leftid=192.168.88.222
    leftsourceip=192.168.22.1
    leftsubnet=192.168.22.0/24
    leftnexthop=192.168.20.1

conn vpn1
    type=tunnel
    authby=psk
    right=192.168.88.221
    rightsubnet=192.168.21.0/24
    keyexchange=ikev1
    auto=start

Symptoms:
When the tunnel comes up, ipsec status looks like this:

VPN1:~ # ipsec status
000 "vpn2": 192.168.21.0/24===192.168.88.221:4500...192.168.88.222:4500===192.168.22.0/24; erouted; eroute owner: #40
000 "vpn2": newest ISAKMP SA: #37; newest IPsec SA: #40;
000
000 #39: "vpn2" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3315s
000 #39: "vpn2" esp.70cc0...@192.168.88.222 (84 bytes) esp.c065c...@192.168.88.221 (84 bytes); tunnel
000 #38: "vpn2" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 10515s
000 #40: "vpn2" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2953s; newest IPSEC; eroute owner
000 #40: "vpn2" esp.86f90...@192.168.88.222 (0 bytes) esp.ec6af...@192.168.88.221 (0 bytes); tunnel
000 #37: "vpn2" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 9766s; newest ISAKMP
000
Security Associations:
  None

VPN2:~ # ipsec status
000 "vpn1": 192.168.22.0/24===192.168.20.2:4500[192.168.88.222]---192.168.88.20.1...192.168.88.221:4500===192.168.21.0/24; erouted; eroute owner: #40
000 "vpn1": newest ISAKMP SA: #39; newest IPsec SA: #40;
000
000 #40: "vpn1" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2725s; newest IPSEC; eroute owner
000 #40: "vpn1" esp.c065c...@192.168.88.221 (84 bytes) esp.70cc0...@192.168.88.222 (84 bytes); tunnel
000 #39: "vpn1" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 9802s; newest ISAKMP
000
Security Associations:
  None

After ipsec reload on VPN1:

VPN1:~ # ipsec status
000 "vpn2": 192.168.21.0/24===192.168.88.221...192.168.88.222===192.168.22.0/24; unrouted; eroute owner: #0
000 "vpn2": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #41: "vpn2" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 9s
000 #41: pending Phase 2 for "vpn2" replacing #0
000
Security Associations:
  None

VPN2:~ # ipsec status
000 "vpn1": 192.168.22.0/24===192.168.20.2:4500[192.168.88.222]---192.168.20.1...192.168.88.221:4500===192.168.21.0/24; prospective erouted; erouted owner: #0
000 "vpn1": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #43: "vpn1" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 16s
000 #43: pending Phase 2 for "vpn1" replacing #0
000
Security Associations:
  None

Can anyone suggest anything or spot any mistakes in my configuration?
This is set up as a test environment so I can change anything that is
suggested without hesitation.

Regards,
Bob McChesney

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Help with StrongSwan 4.3.4 and NAT-T
Hello Bob,

why don't you just switch to IKEv2 (keyexchange=ikev2) which is a
much more stable and robust protocol? You won't need the directives

    nat_traversal=yes
    leftsourceip=192.168.21.1
    leftnexthop=192.168.88.222

since the IKEv2 charon daemon does all this automatically.
Don't use the deprecated directive

    interfaces="ipsec0=eth0"

and disable pluto

    plutostart = no

Regards

Andreas

On 24.03.2010 11:47, Bob McChesney wrote:
> Hello,
>
> First, I'm no expert at StrongSwan and IPsec, so this is probably a
> configuration error on my part, so on that understanding I would
> appreciate any help or advice you can offer on this problem...
>
> Two OpenSUSE (11.2 x86_64) servers forming tunnel, one behind nat.
> Tunnel established ok, but if one of the servers is restarted or
> reloaded then tunnel goes down. Tunnel won't come back up until the
> other server is restarted or reloaded. It looks to me like both
> endpoints elevate the status to NAT-T and thereafter expect all
> communication to come over port 4500. If one is restarted, only one
> knows to use 4500, and thereafter both refuse to take each other's
> messages.
>
> Overview: (All subnets are /24, and the 192.168.88.0/24 is my
> imaginary public internet.)
>
>     eth1 - 192.168.21.1
>     ---
>     | VPN1 |
>     ---
>     eth0 - 192.168.88.221
>     |
>     |
>     eth0 - 192.168.88.222
>     ---
>     | NAT|(Port forwarding UDP500 and UDP4500 to 192.168.20.2)
>     ---
>     eth1 - 192.168.20.1
>     |
>     |
>     eth0 - 192.168.20.2
>     ---
>     | VPN2 |
>     ---
>     eth1 - 192.168.22.1
>
> Configuration:
>
> ipsec.secrets (same on both machines):
> 192.168.88.221 192.168.88.222: PSK "test"
>
> ipsec.conf (VPN1):
> config setup
>     nat_traversal=yes
>     charonstart=yes
>     plutostart=yes
>     interfaces="ipsec0=eth0"
>
> conn %default
>     left=192.168.88.221
>     leftsourceip=192.168.21.1
>     leftsubnet=192.168.21.0/24
>     leftnexthop=192.168.88.222
>
> conn vpn2
>     type=tunnel
>     authby=psk
>     right=192.168.88.222
>     rightsubnet=192.168.22.0/24
>     keyexchange=ikev1
>     auto=start
>
> ipsec.conf (VPN2):
> config setup
>     nat_traversal=yes
>     charonstart=yes
>     plutostart=yes
>     interfaces="ipsec0=eth0"
>
> conn %default
>     left=192.168.20.2
>     leftid=192.168.88.222
>     leftsourceip=192.168.22.1
>     leftsubnet=192.168.22.0/24
>     leftnexthop=192.168.20.1
>
> conn vpn1
>     type=tunnel
>     authby=psk
>     right=192.168.88.221
>     rightsubnet=192.168.21.0/24
>     keyexchange=ikev1
>     auto=start
>
> Symptoms:
> When the tunnel comes up, ipsec status looks like this:
> VPN1:~ # ipsec status
> 000 "vpn2":
> 192.168.21.0/24===192.168.88.221:4500...192.168.88.222:4500===192.168.22.0/24;
> erouted; eroute owner: #40
> 000 "vpn2": newest ISAKMP SA: #37; newest IPsec SA: #40;
> 000
> 000 #39: "vpn2" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in
> 3315s
> 000 #39: "vpn2" esp.70cc0...@192.168.88.222 (84 bytes)
> esp.c065c...@192.168.88.221 (84 bytes); tunnel
> 000 #38: "vpn2" STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
> EVENT_SA_REPLACE in 10515s
> 000 #40: "vpn2" STATE_QUICK_I2 (sent QI2, IPsec SA established);
> EVENT_SA_REPLACE in 2953s; newest IPSEC; eroute owner
> 000 #40: "vpn2" esp.86f90...@192.168.88.222 (0 bytes)
> esp.ec6af...@192.168.88.221 (0 bytes); tunnel
> 000 #37: "vpn2" STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_REPLACE in 9766s; newest ISAKMP
> 000
> Security Associations:
>   None
> VPN2:~ # ipsec status
> 000 "vpn1":
> 192.168.22.0/24===192.168.20.2:4500[192.168.88.222]---192.168.88.20.1...192.168.88.221:4500===192.168.21.0/24;
> erouted; eroute owner: #40
> 000 "vpn1": newest ISAKMP SA: #39; newest IPsec SA: #40;
> 000
> 000 #40: "vpn1" STATE_QUICK_I2 (sent QI2, IPsec SA established);
> EVENT_SA_REPLACE in 2725s; newest IPSEC; eroute owner
> 000 #40: "vpn1" esp.c065c...@192.168.88.221 (84 bytes)
> esp.70cc0...@192.168.88.222 (84 bytes); tunnel
> 000 #39: "vpn1" STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_REPLACE in 9802s; newest ISAKMP
> 000
> Security Associations:
>   None
>
> After ipsec reload on VPN1:
> VPN1:~ # ipsec status
> 000 "vpn2":
> 192.168.21.0/24===192.168.88.221...192.168.88.222===192.168.22.0/24;
> unrouted; eroute owner: #0
> 000 "vpn2": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
> 000 #41: "vpn2" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in
> 9s
> 000 #41: pending Phase 2 for "vpn2" replacing #0
> 000
> Security Associations:
>   None
> VPN2:~ # ipsec status
> 000 "vpn1":
> 192.168.22.0/24===192.168.20.2:4500[192.168.88.222]---192.168.20.1...192.168.88.221:4500===192.168.21.0/24;
> prospective erouted; erouted owner: #0
> 000 "vpn1": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
> 000 #43: "vpn1" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in
> 16s
> 000 #43: pending Phase 2 for
Re: [strongSwan] strongswan with EAP-OTP support
Hello Sunil,

strongSwan currently does not support EAP-OTP but you could model
an eap_otp charon plugin after the existing eap_gtc plugin which handles
plain-text passwords.

http://wiki.strongswan.org/projects/strongswan/repository/revisions/master/show/src/libcharon/plugins/eap_gtc

Best regards

Andreas

On 22.03.2010 13:42, Sunil Kumar wrote:
> Hi All
> I want to understand whether strongswan supports EAP-OTP as secure IKEv2
> EAP user authentication or not...if yes please help me to provide the
> details of client and gateway configurations...
>
> --
> Thanks n Regards,
> Sunil Kumar

==
Andreas Steffen   andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!   www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
[strongSwan] need help for host2host-cert setup
Hello All,

I'm trying to set up host2host-cert example but very basic steps are
not going through.

plm56:~/abhishek # ipsec up host-host
initiating IKE_SA host-host[1] to 9.182.176.61
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) (NATD_D_IP) ]
sending packet: from 9.182.176.56[500] to 9.182.176.61[500]
received packet: from 9.182.176.61[500] to 9.182.176.56[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) (NATD_D_IP) N(MULT_AUTH) ]
no private key found for 'plm56.in.ibm.com'
plm56:~/abhishek #

I have used all conf files as mentioned in the example.

ipsec listcerts is not showing my certificates that I generated using
this doc http://www.ipsec-howto.org/x595.html

This is how my secrets file looks:

plm56:~/abhishek # cat /etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA newkey.pem "abhishek"

Following is my dir listing: http://pastebin.com/PZUgn6zQ

This is my /etc/ssl/openssl.cnf: http://pastebin.com/w3v2zymm

I have gone through
https://lists.strongswan.org/pipermail/users/2009-August/003771.html
and verified modulus for newcert.pem and newkey.pem

Please take a look at these and let me know what more should I do to
get through.

regards
Abhishek Misra
[strongSwan] need help for host2host-cert setup
Hello All,

Sorry for a messed up mail earlier.

I'm trying to set up host2host-cert example but very basic steps are
not going through.

plm56:~/abhishek # ipsec up host-host
initiating IKE_SA host-host[1] to 9.182.176.61
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 9.182.176.56[500] to 9.182.176.61[500]
received packet: from 9.182.176.61[500] to 9.182.176.56[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
no private key found for 'plm56.in.ibm.com'
plm56:~/abhishek #

I have used all conf files as mentioned in the example.

ipsec listcerts is not showing my certificates that I generated using
this doc http://www.ipsec-howto.org/x595.html

This is how my secrets file looks:

plm56:~/abhishek # cat /etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA newkey.pem "abhishek"

Following is my dir listing: http://pastebin.com/PZUgn6zQ

This is my /etc/ssl/openssl.cnf: http://pastebin.com/w3v2zymm

I have gone through
https://lists.strongswan.org/pipermail/users/2009-August/003771.html
and verified modulus for newcert.pem and newkey.pem

Please take a look at these and let me know what more should I do to
get through.

regards
Abhishek Misra
Re: [strongSwan] need help for host2host-cert setup
plm56:~/abhishek # rpm -qf /usr/sbin/ipsec
strongswan-4.3.4-9
plm56:~/abhishek #
Re: [strongSwan] need help for host2host-cert setup
Execute

    ipsec rereadsecrets

and look for error messages in the log. It might be that your passphrase
is not correct.

    ipsec listcerts

should show your certificate with the comment

    .., has private key

Best regards

Andreas

On 24.03.2010 14:01, Abbhishek Misra wrote:
> Hello All,
>
> I'm trying to setup host2host-cert example but very basic steps are
> not going through.
>
>
> plm56:~/abhishek # ipsec up host-host
> initiating IKE_SA host-host[1] to 9.182.176.61
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) (NATD_D_IP) ]
> sending packet: from 9.182.176.56[500] to 9.182.176.61[500]
> received packet: from 9.182.176.61[500] to 9.182.176.56[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) (NATD_D_IP)
> N(MULT_AUTH) ]
> no private key found for 'plm56.in.ibm.com'
> plm56:~/abhishek #
>
>
> I have used all conf files as mentioned in the example
>
> ipsec listcerts is not showing my certificates that i generated using
> this doc http://www.ipsec-howto.org/x595.html
>
> This is how my secrets file looks
>
> plm56:~/abhishek # cat /etc/ipsec.secrets
> # /etc/ipsec.secrets - strongSwan IPsec secrets file
> : RSA newkey.pem "abhishek"
>
>
> following is my dir listing http://pastebin.com/PZUgn6zQ
>
> this is my /etc/ssl/openssl.cnf http://pastebin.com/w3v2zymm
>
> i have gone through
> https://lists.strongswan.org/pipermail/users/2009-August/003771.html
> and verified modulus for newcert.pem and newkey.pem
>
> Please take a look at these and let me know what more should I do to
> get through.
>
>
> regards
> Abhishek Misra
[strongSwan] IPV6 'connection' bug? (in 4.3.3 with linux 2.6.21)
Hi,

I'm getting the following errors on my linux 2.6.21 based using
strongswan 4.3.3 version:
Any Help would be appreciated!
(The host that I'm communicating with has 2.6.27 and it has no problem)
I configured/checked all required IPV6 kernel protocols in linux 2.6.21
as defined in the installation document url also.

eCCM-root-/etc> ipsec up enb12v6
initiating IKE_SA enb12v6[1] to fd00::410:172:21:10:181
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from fd00::410:172:21:10:12[500] to fd00::410:172:21:10:181[500]
received packet: from fd00::410:172:21:10:181[500] to fd00::410:172:21:10:12[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
authentication of 'fd00::410:172:21:10:12' (myself) with pre-shared key
establishing CHILD_SA enb12v6
generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) ]
sending packet: from fd00::410:172:21:10:12[500] to fd00::410:172:21:10:181[500]
received packet: from fd00::410:172:21:10:181[500] to fd00::410:172:21:10:12[500]
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
authentication of 'fd00::410:172:21:10:181' with pre-shared key successful
scheduling rekeying in 50s
maximum IKE_SA lifetime 370s
IKE_SA enb12v6[1] established between fd00::410:172:21:10:12[fd00::410:172:21:10:12]...fd00::410:172:21:10:181[fd00::410:172:21:10:181]
received netlink error: Protocol not supported (93)
unable to add SAD entry with SPI c05a60aa
received netlink error: Protocol not supported (93)
unable to add SAD entry with SPI c48cd085
unable to install inbound and outbound IPsec SA (SAD) in kernel

The ipsec.conf has the following entries:

config setup
    plutostart=no

conn %default
    auth=esp
    dpdaction=restart
    dpddelay=50s
    esp=aes128-sha1-modp1024,3des-sha1-modp1024
    forceencaps=no
    ike=aes128-sha-modp1024,3des-sha-modp1024
    ikelifetime=500s
    installpolicy=yes
    keyexchange=ikev2
    keyingtries=%forever
    keylife=400s
    mobike=no
    pfs=yes
    reauth=no
    rekey=yes
    rekeymargin=320s
    type=tunnel
    leftauth=psk
    rightauth=psk

conn enb12v4
    left=135.112.41.22
    right=135.112.40.181
    auto=add

conn enb12v6
    left=fd00:::410:172:21:10:12
    #leftsourceip=fd00:::410:172:21:10:12
    leftsubnet=fd00::12/64
    right=fd00:::410:172:21:10:181
    rightsubnet=fd00::181/64
    auto=add
Re: [strongSwan] IPV6 'connection' bug? (in 4.3.3 with linux 2.6.21)
Hello,

I'm not the very specialist on 2.6.21, but when I see the following, it
makes me some trouble:

On Wednesday 24 March 2010 16:35:40 Yong Choo wrote:
> conn enb12v6
>     left=fd00:::410:172:21:10:12
>     leftsubnet=fd00::12/64
>     right=fd00:::410:172:21:10:181
>     rightsubnet=fd00::181/64
>     auto=add

Please f.e, if you use expanded IPv6 addresses, then you can see
immediately: You have the same /64 on both ends. Hmm. You probably will
have other trouble after the kernel accepts the IKE SAs. From my
experience using IPv4, leftsubnet and rightsubnet better are disjunct.

Did you mean /128 ? (for left- and rightsubnet)

Greetings,
Johannes
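Added example (not part of the original thread, and not strongSwan code): the check Johannes describes, expanding leftsubnet and rightsubnet and comparing them, applied to every conn in an ipsec.conf. The sample config is constructed from subnets quoted on this page; the conn name enb12v6-host and the function names are hypothetical, and only conns with one explicit subnet per side are checked.

```python
import ipaddress

def parse_conns(text):
    """Parse ipsec.conf text into {conn: {key: value}}, merging conn %default."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():                   # section header in column 0
            parts = line.split(None, 1)
            name = parts[1].strip() if len(parts) > 1 else ""
            current = sections.setdefault((parts[0], name), {})
        elif current is not None and "=" in line:   # indented key=value
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    defaults = sections.get(("conn", "%default"), {})
    return {name: {**defaults, **opts}
            for (kind, name), opts in sections.items()
            if kind == "conn" and name != "%default"}

def overlapping_selectors(text):
    """Return (conn, left, right) for conns whose two subnets overlap."""
    findings = []
    for name, conn in parse_conns(text).items():
        if "leftsubnet" not in conn or "rightsubnet" not in conn:
            continue    # simplification: only explicitly configured subnets
        # strict=False masks host bits, so fd00::12/64 becomes fd00::/64
        left = ipaddress.ip_network(conn["leftsubnet"], strict=False)
        right = ipaddress.ip_network(conn["rightsubnet"], strict=False)
        if left.version == right.version and left.overlaps(right):
            findings.append((name, left.exploded, right.exploded))
    return findings

# Constructed sample: subnets taken from the threads on this page;
# enb12v6-host is a hypothetical conn using the /128 variant.
SAMPLE = """\
conn %default
    leftsubnet=192.168.21.0/24

conn vpn2
    rightsubnet=192.168.22.0/24

conn enb12v6
    leftsubnet=fd00::12/64
    #leftsourceip is commented out, as in the posted config
    rightsubnet=fd00::181/64

conn enb12v6-host
    leftsubnet=fd00::12/128
    rightsubnet=fd00::181/128
"""

if __name__ == "__main__":
    for name, left, right in overlapping_selectors(SAMPLE):
        print(f"{name}: leftsubnet {left} overlaps rightsubnet {right}")
```

Only enb12v6 is reported: both of its /64 selectors expand to the same network, while the /128 variant and the IPv4 conn are disjoint.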
Re: [strongSwan] need help for host2host-cert setup
Thanks for a quick reply Andreas.

It is able to read the secret as shown below but does not list it. There is
nothing in /var/log/messages related to listing secrets.

plm56:~/abhishek # ipsec rereadsecrets
plm56:~/abhishek #
plm56:~/abhishek # tail /var/log/messages
Mar 25 05:00:03 plm56 su: (to nobody) root on none
Mar 25 05:00:03 plm56 su: pam_unix_session(su:session): session opened for user nobody by (uid=0)
Mar 25 05:00:03 plm56 su: pam_unix_session(su:session): session closed for user nobody
Mar 25 05:00:03 plm56 su: (to nobody) root on none
Mar 25 05:00:03 plm56 su: pam_unix_session(su:session): session opened for user nobody by (uid=0)
Mar 25 05:00:17 plm56 su: pam_unix_session(su:session): session closed for user nobody
Mar 25 05:00:18 plm56 /usr/sbin/cron[4251]: pam_unix_session(crond:session): session closed for user root
Mar 25 05:11:37 plm56 charon: 16[CFG] rereading secrets
Mar 25 05:11:37 plm56 charon: 16[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 25 05:11:37 plm56 charon: 16[CFG] loaded private key file '/etc/ipsec.d/private/newkey.pem'
plm56:~/abhishek #

On Wed, Mar 24, 2010 at 7:07 PM, Andreas Steffen wrote:
> Execute
>
> ipsec rereadsecrets
>
> and look for error messages in the log. It might be that your passphrase
> is not correct.
>
> ipsec listcerts
>
> should show your certificate with the comment
>
> .., has private key
>
> Best regards
>
> Andreas
>
> On 24.03.2010 14:01, Abbhishek Misra wrote:
>> Hello All,
>>
>> I'm trying to setup host2host-cert example but very basic steps are
>> not going through.
>>
>>
>> plm56:~/abhishek # ipsec up host-host
>> initiating IKE_SA host-host[1] to 9.182.176.61
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) (NATD_D_IP) ]
>> sending packet: from 9.182.176.56[500] to 9.182.176.61[500]
>> received packet: from 9.182.176.61[500] to 9.182.176.56[500]
>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) (NATD_D_IP)
>> N(MULT_AUTH) ]
>> no private key found for 'plm56.in.ibm.com'
>> plm56:~/abhishek #
>>
>>
>> I have used all conf files as mentioned in the example
>>
>> ipsec listcerts is not showing my certificates that i generated using
>> this doc http://www.ipsec-howto.org/x595.html
>>
>> This is how my secrets file looks
>>
>> plm56:~/abhishek # cat /etc/ipsec.secrets
>> # /etc/ipsec.secrets - strongSwan IPsec secrets file
>> : RSA newkey.pem "abhishek"
>>
>>
>> following is my dir listing http://pastebin.com/PZUgn6zQ
>>
>> this is my /etc/ssl/openssl.cnf http://pastebin.com/w3v2zymm
>>
>> i have gone through
>> https://lists.strongswan.org/pipermail/users/2009-August/003771.html
>> and verified modulus for newcert.pem and newkey.pem
>>
>> Please take a look at these and let me know what more should I do to
>> get through.
>>
>>
>> regards
>> Abhishek Misra