On 12/28/2017 11:51 PM, Colony.three via Shorewall-users wrote:
> I am at a complete loss. I know this is not the Strongswan forum, but
> they are unresponsive with all methods of communication -- and now I see
> why. My personal opinion is that Strongswan is only /rumored/ to work,
> but actually works in the sense that a puppet does.
>
> Sure Tom says he got it to work, but I followed his exact process
> <https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA> and it
> does not work for me. The Scientific Method means that a procedure must
> be repeatable. And, I have never heard of anyone besides Tom who says
> he's gotten Strongswan actually working.
>
> I banged my head on the wall for two weeks with it saying it 'can't match
> the incoming configuration'. Yesterday I discovered that, although the
> SS devs put -in- the subdirs strongswan.d and ipsec.d (where local
> configs are supposed to go, according to generally accepted
> standard)... .conf files in these are not actually picked up by SS
> init! Well, at least strongswan.conf and ipsec.conf are not picked up
> in these subdirs.
>
> So when I put my modifications in the cardinal
> /etc/strongswan/strongswan.conf and ipsec.conf, I started reaching my
> daemon from the remote phone. But now the daemon is completely
> unresponsive. Inconsolable. There is absolutely nothing in the log WRT
> the connexion, even with logging set to the max: charondebug="cfg 4, dmn
> 4, ike 4, net 4"
>
> I can see the attempts coming in to the ipsec gateway with tcpdump...
> but there is no response from the charon daemon. It's not interested,
> or deaf, or on vacation.
>
> I had been building keys of 4096 bits, so I made all new CA and keys
> with the default of 2048. Absolutely no change.
>
> Now; I've run Linux exclusively for 20 years, and I am hyper-persistent
> well past the point of unreasonableness. But there comes a point of
> 'crazy' and that is time to give up.
> So I am open to suggestion on what
> VPN software others are -actually- able to get working, in practice, for
> real.
>

As Tom said, OpenVPN is his choice and mine too!: http://shorewall.org/OPENVPN.html

I use OpenVPN with dual layer authentication: http://www.uno-code.com/?q=node/120

I use my own pam configuration file though.

-Matt

--
Matt Darfeuille