On Thu, Dec 28, 2017 at 05:51:38PM -0500, Colony.three via Shorewall-users wrote:
> I am at a complete loss. I know this is not the Strongswan forum, but they are unresponsive with all methods of communication -- and now I see why. My personal opinion is that Strongswan is only rumored to work, but actually works in the sense that a puppet does.
>
> Sure Tom says he got it to work, but I followed his [exact process](https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) and it does not work for me. The Scientific Method means that a procedure must be repeatable. And, I have never heard of anyone besides Tom who says he's gotten Strongswan actually working.
>
> I banged my head on the wall for two weeks with it saying it 'can't match the incoming configuration'. Yesterday I discovered that, although the SS devs put -in- the subdirs strongswan.d and ipsec.d (where local configs are supposed to go, according to generally accepted standard)... .conf files in these are not actually picked up by SS init! Well, at least strongswan.conf and ipsec.conf are not picked up in these subdirs.
>
> So when I put my modifications in the cardinal /etc/strongswan/strongswan.conf and ipsec.conf, I started reaching my daemon from the remote phone. But now the daemon is completely unresponsive. Inconsolable. There is absolutely nothing in the log WRT the connexion, even with logging set to the max: charondebug="cfg 4, dmn 4, ike 4, net 4"
>
> I can see the attempts coming in to the ipsec gateway with tcpdump... but there is no response from the charon daemon. It's not interested, or deaf, or on vacation.
>
> I had been building keys of 4096 bits, so I made all new CA and keys with the default of 2048. Absolutely no change.
>
> Now, I've run Linux exclusively for 20 years, and I am hyper-persistent well past the point of unreasonableness. But there comes a point of 'crazy' and that is the time to give up.
>
> So I am open to suggestion on what VPN software others are -actually- able to get working, in practice, for real.
Well, you could always ask the libreswan list for help. It is supposed to do nat-t just fine, and the developers there are quite responsive and helpful.

-- 
Len Sorensen

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
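The two symptoms in the quoted post (drop-in files under strongswan.d/ and ipsec.d/ being ignored, and IKE packets visible in tcpdump with no reply from charon) can both be checked mechanically before anyone starts rewriting CA material. The script below is an added example written for this thread, not something posted by either participant or shipped by the strongSwan project. It assumes the poster's /etc/strongswan layout (strongswan.conf and ipsec.conf at the top, drop-in directories beside them), relies on the fact that strongSwan only reads a drop-in directory if the top-level file carries an `include` line naming it, and uses `ss` from iproute2 to see whether anything is bound to UDP 500 and 4500 (the NAT-T port). The file name check_swan_conf.sh is a placeholder.

```shell
#!/bin/sh
# Added diagnostic for the thread above (not from the original poster or strongSwan).
# Checks (1) whether the top-level config files include their drop-in directories,
# and (2) whether anything is listening on the IKE/NAT-T UDP ports.

# conf_includes_dir FILE PATTERN
# Exit 0 if FILE has an uncommented "include" line whose path argument contains
# PATTERN (e.g. "strongswan.d/"), 1 if not, 2 if FILE is unreadable.
conf_includes_dir() {
    file=$1
    pattern=$2
    [ -r "$file" ] || return 2
    # Drop comments first so a commented-out "#include ..." does not count.
    sed 's/#.*//' "$file" | awk -v pat="$pattern" '
        $1 == "include" && index($2, pat) > 0 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_strongswan_config [BASEDIR]
# Reports, for each top-level file, whether its drop-in directory is included.
# Exit 0 if both are, 1 if at least one directory would be silently ignored.
check_strongswan_config() {
    base=${1:-/etc/strongswan}   # assumed layout, taken from the poster's paths
    rc=0
    for pair in "strongswan.conf:strongswan.d/" "ipsec.conf:ipsec.d/"; do
        f=${pair%%:*}
        d=${pair#*:}
        if conf_includes_dir "$base/$f" "$d"; then
            echo "ok:   $base/$f includes $d"
        else
            echo "WARN: $base/$f does not include $d; drop-ins there are ignored"
            rc=1
        fi
    done
    return $rc
}

# ike_ports_listening
# Exit 0 if a UDP socket is bound on both 500 (IKE) and 4500 (NAT-T), 1 if one is
# missing, 2 if ss is unavailable. Pair this with the tcpdump view: packets arriving
# but nothing bound here means charon never started or failed to load its config.
ike_ports_listening() {
    command -v ss >/dev/null 2>&1 || { echo "ss not available"; return 2; }
    listeners=$(ss -uln 2>/dev/null)
    for p in 500 4500; do
        printf '%s\n' "$listeners" | grep -Eq "[:.]$p[[:space:]]" \
            || { echo "WARN: nothing bound to UDP $p"; return 1; }
    done
    echo "ok:   UDP 500 and 4500 have listeners"
}

# Run both checks only when invoked as: sh check_swan_conf.sh run [BASEDIR]
case "${1:-}" in
    run)
        check_strongswan_config "${2:-/etc/strongswan}"
        ike_ports_listening
        ;;
esac
```

Run it as `sh check_swan_conf.sh run` on the gateway; a WARN from the first check explains drop-ins being ignored, and a WARN from the second, combined with packets seen in tcpdump, points at the daemon rather than at the phone or the firewall.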