Hi

On 28.12.2017 at 22:51, Colony.three via Shorewall-users wrote:
> I am at a complete loss. I know this is not the Strongswan forum,

Yes it is not and Tom in his incredible helpfulness tried to get you through the shallows of networking. Now it appears that you had problems understanding the build process of certificates and the basic set up of IPSEC. Indeed this is not a trivial task but needs to be addressed in the strongswan list/forum.

> but they are unresponsive with all methods of communication -- and now I see
> why. My personal opinion is that Strongswan is only /rumored/ to work,
> but actually works in the sense that a puppet does.

I doubt they do see it your way. There is a user list for strongswan and there are actually people using it.

> Sure Tom says he got it to work, but I followed his exact process
> <https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA> and it
> does not work for me.

If Tom got it working then you better believe it does.

> The Scientific Method means that a procedure must
> be repeatable. And, I have never heard of anyone besides Tom who says
> he's gotten Strongswan actually working.

Go to the Strongswan list.

> I banged my head on the wall for two weeks with it saying it 'can't match
> the incoming configuration'.

It can't obviously.

> Yesterday I discovered that, although the
> SS devs put -in- the subdirs strongswan.d and ipsec.d (where local
> configs are supposed to go, according to generally accepted
> standard)... .conf files in these are not actually picked up by SS
> init! Well, at least strongswan.conf and ipsec.conf are not picked up
> in these subdirs.

Maybe it is time to read the fine manual?

> So when I put my modifications in the cardinal
> /etc/strongswan/strongswan.conf and ipsec.conf, I started reaching my
> daemon from the remote phone. But now the daemon is completely
> unresponsive. Inconsolable. There is absolutely nothing in the log WRT
> the connexion, even with logging set to the max: charondebug="cfg 4, dmn
> 4, ike 4, net 4"

Are you sure your phone's IPSEC stack is compatible?

> I can see the attempts coming in to the ipsec gateway with tcpdump...
> but there is no response from the charon daemon. It's not interested,
> or deaf, or on vacation.
>
> I had been building keys of 4096 bits, so I made all new CA and keys
> with the default of 2048. Absolutely no change.
>
> Now; I've run Linux exclusively for 20 years, and I am hyper-persistent
> well past the point of unreasonableness. But there comes a point of
> 'crazy' and that is time to give up. So I am open to suggestion on what
> VPN software others are -actually- able to get working, in practice, for
> real.

I used to use FreeSwan, then OpenSwan for quite some time between Linux nodes. None on Android as the client would not match for a long time. For our embedded systems I suggested StrongSwan as Tobias Brunner is one of the original authors of the X.508 interface.

There are other implementations for VPNs like OpenVPN but this is strictly off topic in this list. You need to search a little on the net.

My 0.02

over and out

ET