On 12/27/2017 03:02 PM, Colony.three via Shorewall-users wrote:
> Simple CA is the procedure I've been using too.
>>>
>>> Dec 27 14:29:54 zeta charon: 05[NET] received packet: from
>>> 172.58.43.66[21321] to 192.168.111.16[500] (704 bytes)
>>> Dec 27 14:29:54 zeta charon: 05[ENC] parsed IKE_SA_INIT request 0 [
>>> SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>>> Dec 27 14:29:54 zeta charon: 05[IKE] no IKE config found for
>>> 192.168.111.16...172.58.43.66, sending NO_PROPOSAL_CHOSEN
>>> Dec 27 14:29:54 zeta charon: 05[ENC] generating IKE_SA_INIT response
>>> 0 [ N(NO_PROP) ]
>>> Dec 27 14:29:54 zeta charon: 05[NET] sending packet: from
>>> 192.168.111.16[500] to 172.58.43.66[21321] (36 bytes)
>>>
>>> Well NAT-T definitely does not work. I can not make this work,
>>> following the SimpleCA instructions to a T. I did import the proper
>>> .p12, and separately the caCert.pem into Imported like you did.
>>> 172.58.43.66 has nothing to do with my phone (100.196.9.93), and I
>>> think that is a clue to the problem.
>>>
>>> Maybe I should give up and put StrongSwan on the router and let the
>>> router have access to the rest of the LAN. That just seems like a
>>> stupid thing to do but I simply have not been able to fix this
>>> problem after 2 weeks of trying full time. I can't believe that this
>>> is impossible.
>>
>> As well, for cert generation I added --san:
>> # strongswan pki --pub --in private/quantumKey.pem --type rsa |
>> strongswan pki --issue --cacert certs/caCert.pem --cakey
>> private/caKey.pem --san quantum-equities.com --dn "C=US, O=Quantum,
>> CN=quantum-equities.com" --outform pem > certs/quantumCert.pem
>>
>> ... and in the SS Android app I put quantum-equities.com in Server
>> Identity like you did.
>
> I've never had any cert end up in User certs, by importing the .p12
> using the connexion Edit. Maybe that's the actual problem.
>
> It pretends like it imports the .p12 just fine.
The Cert isn't involved in the IKE_SA_INIT request. Verification of the
cert occurs in the IKE_AUTH request.

What are the messages generated when you start your local StrongSwan
config?

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
 \_______________________________________________
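Added example, not part of the thread and not strongSwan's own code: a small Python triage script that reads charon log lines like the ones quoted above and reports whether a handshake attempt died in IKE_SA_INIT (before any certificate is looked at, as Tom says) or in IKE_AUTH (where identity and certificate checks happen). The first sample is the quoted log re-joined where the mail client wrapped it; the second is a constructed IKE_AUTH failure for contrast, using strongSwan's usual message wording but not captured from any real host. The distinction matters when debugging: a "no IKE config found for A...B" line means no conn's left/right addresses matched the packet's addresses, so the .p12, the CA cert and --san are not yet in play, and the address charon reports for the peer is what has to match right= (or be covered by %any).

```python
"""Triage charon (strongSwan) log lines: did the IKE handshake fail before
or after certificates came into play?"""
import re
from typing import Dict, List

# Constructed sample input: the charon lines quoted in the thread,
# re-joined where the mail client wrapped them.
IKE_SA_INIT_FAILURE = """\
Dec 27 14:29:54 zeta charon: 05[NET] received packet: from 172.58.43.66[21321] to 192.168.111.16[500] (704 bytes)
Dec 27 14:29:54 zeta charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 27 14:29:54 zeta charon: 05[IKE] no IKE config found for 192.168.111.16...172.58.43.66, sending NO_PROPOSAL_CHOSEN
Dec 27 14:29:54 zeta charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Dec 27 14:29:54 zeta charon: 05[NET] sending packet: from 192.168.111.16[500] to 172.58.43.66[21321] (36 bytes)
"""

# Constructed contrast case (hypothetical, not from the thread): the peer gets
# past IKE_SA_INIT and fails only when the responder checks its credentials.
IKE_AUTH_FAILURE = """\
Dec 27 14:40:01 zeta charon: 07[NET] received packet: from 172.58.43.66[21321] to 192.168.111.16[500] (704 bytes)
Dec 27 14:40:01 zeta charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 27 14:40:01 zeta charon: 07[IKE] 172.58.43.66 is initiating an IKE_SA
Dec 27 14:40:01 zeta charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Dec 27 14:40:02 zeta charon: 08[NET] received packet: from 172.58.43.66[21322] to 192.168.111.16[4500] (1200 bytes)
Dec 27 14:40:02 zeta charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(EAP_ONLY) ]
Dec 27 14:40:02 zeta charon: 08[CFG] no issuer certificate found for "C=US, O=Quantum, CN=quantum-ca"
Dec 27 14:40:02 zeta charon: 08[IKE] no trusted RSA public key found for 'C=US, O=Quantum, CN=phone'
Dec 27 14:40:02 zeta charon: 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon: '
    r'(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] (?P<msg>.*)$')
RECV_RE = re.compile(
    r'received packet: from (?P<src>[\d.:a-fA-F]+)\[(?P<sport>\d+)\] '
    r'to (?P<dst>[\d.:a-fA-F]+)\[(?P<dport>\d+)\]')
PARSED_RE = re.compile(
    r'parsed (?P<exch>IKE_SA_INIT|IKE_AUTH|CREATE_CHILD_SA|INFORMATIONAL) '
    r'request (?P<mid>\d+) \[ (?P<payloads>[^\]]*)\]')
NO_CONFIG_RE = re.compile(
    r'no IKE config found for (?P<local>[\d.:a-fA-F]+)\.\.\.(?P<remote>[\d.:a-fA-F]+)')

# Messages that only appear while a peer's credentials are being checked,
# i.e. during IKE_AUTH. Any of them means certificate/CA material is involved.
AUTH_STAGE_ERRORS = (
    'no trusted RSA public key found',
    'no trusted ECDSA public key found',
    'no issuer certificate found',
    'constraint check failed',
)


def diagnose(log: str) -> Dict[str, object]:
    """Walk the lines of one handshake attempt and record where it failed."""
    reasons: List[str] = []
    d: Dict[str, object] = {
        'peer': None, 'peer_port': None, 'local': None, 'exchange': None,
        'failed_in': None, 'cert_involved': False,
        'nat_detection_offered': False, 'reasons': reasons,
    }
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not a charon line, skip it
        msg = m.group('msg')
        r = RECV_RE.search(msg)
        if r:                             # remember the addresses charon actually saw
            d['peer'], d['peer_port'] = r.group('src'), int(r.group('sport'))
            d['local'] = r.group('dst')
            continue
        p = PARSED_RE.search(msg)
        if p:                             # which exchange we are in now
            d['exchange'] = p.group('exch')
            if 'N(NATD_S_IP)' in p.group('payloads'):
                d['nat_detection_offered'] = True
            continue
        n = NO_CONFIG_RE.search(msg)
        if n:                             # conn selection failed: no cert consulted
            d['failed_in'] = d['exchange']
            reasons.append("no conn matched local %s and peer %s"
                           % (n.group('local'), n.group('remote')))
            continue
        if any(tag in msg for tag in AUTH_STAGE_ERRORS) or \
           (msg.startswith('authentication of') and 'failed' in msg):
            d['failed_in'] = d['exchange']
            d['cert_involved'] = True
            reasons.append(msg)
    return d


def verdict(d: Dict[str, object]) -> str:
    """One-line reading of a diagnose() result."""
    if d['failed_in'] == 'IKE_SA_INIT':
        return ('handshake rejected in IKE_SA_INIT: no conn matched the addresses, '
                'so no certificate was consulted; compare the peer address charon '
                'saw (%s) with right= in the conn' % d['peer'])
    if d['cert_involved']:
        return ('handshake reached IKE_AUTH: address selection is fine, the '
                'failure is in identity/certificate verification')
    if d['failed_in'] is None:
        return 'no failure recognised in these lines'
    return 'failed in %s for a reason this triage does not classify' % d['failed_in']


if __name__ == '__main__':
    for sample in (IKE_SA_INIT_FAILURE, IKE_AUTH_FAILURE):
        print(verdict(diagnose(sample)))
```

Run it on a saved charon log to get the verdict; `diagnose()` also returns the peer address and source port charon observed, which is the value to compare against the phone's expected address (the thread's 172.58.43.66 versus 100.196.9.93 mismatch) and against right= in ipsec.conf.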
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users