The current version of strongSwan (5.1.2) does not work with newer versions of 
pfSense (strongSwan 5.3.2 based).
When using IPsec IKEv2/PSK, the identity type is now prefixed to leftid and rightid 
for better matching.
The change requires at least strongSwan 5.2.2, but the newest upstream is 5.3.2.

Source: https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

left|rightid = <id>

Since 5.2.2 it is possible to enforce a specific identity type. For this a
prefix may be used, followed by a colon (:).

If the number sign (#) follows the colon, the remaining data is interpreted as
hex encoding, otherwise the string is used as-is as the identification data.
Note that this implies that no conversion is performed for non-string
identities.

For example, ipv4:10.0.0.1 does not create a valid ID_IPV4_ADDR IKE identity,
as it does not get converted to binary 0x0a000001. Instead, one could use
ipv4:#0a000001 to get a valid identity, but just using the implicit type with
automatic conversion is usually simpler. The same applies to the ASN.1 encoded
types.

The following prefixes are known: ipv4, ipv6, rfc822, email, userfqdn, fqdn,
dns, asn1dn, asn1gn and keyid.

Custom type prefixes may be specified by surrounding the numerical type value
with curly brackets.

https://bugs.launchpad.net/bugs/1451091

Title:
  new upstream version 5.2.2
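
Added example, not part of the original bug report and not strongSwan code: a Python rendering of the prefix rules quoted above, showing why ipv4:10.0.0.1 is carried as eight ASCII bytes while ipv4:#0a000001 gives a 4-byte ID_IPV4_ADDR. The function names are hypothetical, the ID type numbers come from RFC 7296, prefix matching is assumed to be case-sensitive, and the sample identities are constructed.

```python
# Added illustration of the prefix rules quoted above. Not strongSwan code;
# function names are hypothetical and sample values are constructed.

# IKEv2 ID type numbers from RFC 7296, section 3.5.
PREFIX_TYPES = {
    "ipv4": 1, "fqdn": 2, "dns": 2, "rfc822": 3, "email": 3, "userfqdn": 3,
    "ipv6": 5, "asn1dn": 9, "asn1gn": 10, "keyid": 11,
}
ADDRESS_LENGTHS = {1: 4, 5: 16}  # ID_IPV4_ADDR and ID_IPV6_ADDR are binary


def parse_prefixed_id(value):
    """Return (id_type, data) for an explicit type prefix, else None.

    None means no known prefix was found, so the implicit type detection
    with automatic conversion would apply instead.
    """
    prefix, sep, rest = value.partition(":")
    if not sep:
        return None
    if prefix.startswith("{") and prefix.endswith("}"):
        if not prefix[1:-1].isdecimal():
            return None
        id_type = int(prefix[1:-1])  # custom numerical type, e.g. {11}
    elif prefix in PREFIX_TYPES:
        id_type = PREFIX_TYPES[prefix]
    else:
        return None  # e.g. the first group of a bare IPv6 address
    if rest.startswith("#"):
        data = bytes.fromhex(rest[1:])  # raises ValueError on bad hex
    else:
        data = rest.encode()  # used as-is, no conversion
    return id_type, data


def lint_id(value):
    """Return a warning if a prefixed address identity is not binary."""
    parsed = parse_prefixed_id(value)
    if parsed is None:
        return None
    id_type, data = parsed
    want = ADDRESS_LENGTHS.get(id_type)
    if want is not None and len(data) != want:
        return f"type {id_type} needs {want} bytes, got {len(data)}: {data!r}"
    return None
```

Running lint_id over the leftid and rightid values of a configuration flags address identities that were given an explicit prefix without the hex form.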
