Re: [strongSwan] Davici library configure shell?

2019-02-13 Thread Martin Willi
> Where is configure shell in the git?

As with most autotools based packages, ./configure is generated and therefore not part of git. When building from git sources, you'll have to generate it using autoreconf. Alternatively, use the distribution tarballs from [1], which include the generated f

Re: [strongSwan] Error : remote host is behind NAT - received proposals inacceptable - generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

2019-02-13 Thread IL Ka
Try "cfg 9" for charondebug, and check your logs

Re: [strongSwan] Error : remote host is behind NAT - received proposals inacceptable - generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

2019-02-13 Thread IL Ka
Please also check Tobias's advice: you may increase charon log level and check why proposal is not accepted or check his link about Windows client settings and DH group.

Re: [strongSwan] Error : remote host is behind NAT - received proposals inacceptable - generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

2019-02-13 Thread Kostya Vasilyev
Based on this in an earlier message: "you disabled log message for cfg, so you didn't see the details of the proposal negotiation" ... you may want to enable "cfg" logging under "charondebug" https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection And then you should be able to se

[strongSwan] Davici library configure shell?

2019-02-13 Thread Jaehong Park
I am trying to build davici lib, but it seems like there are some missing files according to the INSTALL. Where is configure shell in the git?

Re: [strongSwan] Error : remote host is behind NAT - received proposals inacceptable - generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

2019-02-13 Thread MOSES KARIUKI
Thanks Tobias for the quick response. I set this up, the Registry value and below configuration, but still the same error.

    config setup
        charondebug="ike 1, knl 1, cfg 0"
        uniqueids=no

    conn ikev2-vpn
        auto=add
        compress=no
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes

Re: [strongSwan] Error : remote host is behind NAT - received proposals inacceptable - generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

2019-02-13 Thread MOSES KARIUKI
Let me try this and get back to you.

On Wed, Feb 13, 2019 at 5:33 PM IL Ka wrote:
> Try setting
> rightfirewall = yes
> leftfirewall = yes
> fragmentation=yes
>

Re: [strongSwan] Host to host with certs - where to put own private key?

2019-02-13 Thread Kostya Vasilyev
Tobias,

On Wed, Feb 13, 2019, at 4:31 PM, Tobias Brunner wrote:
> > Removing "strongswan" package seems like a bad idea.
>
> Nah, that's fine. It's just a meta package that pulls in those other
> two legacy packages and installs some files in /usr/share/doc (README,
> NEWS, etc.) that you don't

Re: [strongSwan] Error : remote host is behind NAT - received proposals inacceptable - generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

2019-02-13 Thread Tobias Brunner
Hi Moses, Configure an IKE proposal that's accepted by your peer (you disabled log message for cfg, so you didn't see the details of the proposal negotiation). Most likely the problem is that modp1024 is proposed, a DH group strongSwan doesn't include in its default IKE proposal anymore. So to u

Re: [strongSwan] Error : remote host is behind NAT - received proposals inacceptable - generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

2019-02-13 Thread IL Ka
Try setting
rightfirewall = yes
leftfirewall = yes
fragmentation=yes

[strongSwan] Error : remote host is behind NAT - received proposals inacceptable - generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

2019-02-13 Thread MOSES KARIUKI
Dear Users, https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2 I am trying to set up a VPN server on an Ubuntu 18.04 Cloud VPS. Above is the tutorial I was following. All goes well and I can see the VPN server up and running. The p

Re: [strongSwan] Host to host with certs - where to put own private key?

2019-02-13 Thread Tobias Brunner
Hi Kostya,

> Now I'm wondering if it's possible to uninstall this legacy service (which
> supports ipsec.conf format configuration files).
>
> apt-get remove strongswan-starter

Sure, go ahead.

> The following packages will be REMOVED:
> strongswan strongswan-charon strongswan-starter
>
> Re

Re: [strongSwan] Host to host with certs - where to put own private key?

2019-02-13 Thread Kostya Vasilyev
Tobias,

On Wed, Feb 13, 2019, at 3:24 PM, Kostya Vasilyev wrote:
> Tobias,
>
> On Wed, Feb 13, 2019, at 3:11 PM, Tobias Brunner wrote:
> > Hi Kostya,
> >
> > > Hmm, there is no strongswan-swanctl service on Debian (buster /
> > > testing)...
> >
> > There is if you install it [1].

Thank you f

Re: [strongSwan] Host to host with certs - where to put own private key?

2019-02-13 Thread Kostya Vasilyev
Tobias,

On Wed, Feb 13, 2019, at 3:11 PM, Tobias Brunner wrote:
> Hi Kostya,
>
> > Hmm, there is no strongswan-swanctl service on Debian (buster / testing)...
>
> There is if you install it [1].
>
> > systemctl start strongswan
>
> That's the legacy service provided by strongswan-starter (i.e.

Re: [strongSwan] Host to host with certs - where to put own private key?

2019-02-13 Thread Tobias Brunner
Hi Kostya,

> Hmm, there is no strongswan-swanctl service on Debian (buster / testing)...

There is if you install it [1].

> systemctl start strongswan

That's the legacy service provided by strongswan-starter (i.e. it starts starter, which parses ipsec.conf etc.).

> Does this look like a Debian

Re: [strongSwan] Host to host with certs - where to put own private key?

2019-02-13 Thread Kostya Vasilyev
On Wed, Feb 13, 2019, at 2:25 PM, Kostya Vasilyev wrote:
> Tobias
>
> On Wed, Feb 13, 2019, at 11:39 AM, Tobias Brunner wrote:
> > Hi Kostya,
> >
> > > It was the conf syntax I was after :)
> > >
> > > I now see it in the docs for swanctl.conf under "secrets.private
> > > section".
> >
> > You

Re: [strongSwan] Host to host with certs - where to put own private key?

2019-02-13 Thread Kostya Vasilyev
Tobias

On Wed, Feb 13, 2019, at 11:39 AM, Tobias Brunner wrote:
> Hi Kostya,
>
> > It was the conf syntax I was after :)
> >
> > I now see it in the docs for swanctl.conf under "secrets.private
> > section".
>
> You only have to configure private keys in such sections if they are
> password pr

Re: [strongSwan] does Chinese ascii characters accepted in 'Subject' of certificates by strongswan

2019-02-13 Thread Tobias Brunner
Hi Yogesh,

> Is Chinese Ascii characters allowed in subject of certificates used in
> authentication while negotiating the ipsec tunnel in ikev2?

I'd disagree that these are ASCII characters, but sure you can use UTF8String as type for the RDNs in the subject DN.

> So can I configure this certi

Re: [strongSwan] Host to host with certs - where to put own private key?

2019-02-13 Thread Tobias Brunner
Hi Kostya,

> It was the conf syntax I was after :)
>
> I now see it in the docs for swanctl.conf under "secrets.private
> section".

You only have to configure private keys in such sections if they are password protected (and you can't or don't want to provide the password interactively) or if t