Dear Tobias, thank you very much. I thought that charon was signalled by the IPsec stack's SPD when a new SA was to be negotiated, not that it itself set the policy.
Your solution didn't work right away though. I found that "ipsec start" only started the starter process and nothing more. It was not until I removed the charondebug option of the config section (as seen below) that it started. It works though if you limit the debugging level and / or the number of debugging options. I've reproduced this several times just to be sure. Why is this?

The problem line was (in full):

charondebug="asn 3,knl 3,mgr 3,ike 3,chd 3,net 3,enc 3"

It works if you change it so (e.g.)

charondebug="ike 3"

My strongswan version is 4.5.2 as included in Ubuntu 11.10

Sincerely,
Vilhelm Jutvik
MS Thesis Student at SICS

2012/3/13 Tobias Brunner <tob...@strongswan.org>:
> Hi Vilhelm,
>
>> config setup
>>        crlcheckinterval=180
>>        strictcrlpolicy=no
>>        plutostart=no
>>        charondebug="asn 4, knl 4,mgr 4,ike 4,chd 4,net 4,enc 4"
>>
>> conn %default
>>        auth=esp
>>        authby=psk
>>        esp=aes128ctr-aesxcbc!
>>        ikelifetime=60m
>>        keylife=20m
>>        keyingtries=1
>>        rekeymargin=3m
>>        keyexchange=ikev2
>>        ike=aes128ctr-aesxcbc-ecp192!
>>        type=transport
>
> Your config file looks incomplete.  You have to specify at least one
> conn section (other than %default) with the auto keyword (auto can be
> specified in %default, though).  Where auto=route might be what you
> want, as charon will then install policies in the kernel's SPD and an SA
> will automatically be negotiated upon matching traffic.  You also need
> to specify right and optionally left (the endpoints of the IKE_SA) in
> that conn section.  If you only want specific traffic to be tunneled use
> the left|rightsubnet and left|rightprotoport keywords (see the example
> at [1]).
>
> Also if you want to configure the policies in the kernel yourself make
> sure you use a reqid > 0 and then specify reqid=<reqid> and
> installpolicy=no in the respective conn section.
>
> Regards,
> Tobias
>
> [1] http://www.strongswan.org/uml/testresults/ikev2/protoport-route/

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
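
The requirements listed in the quoted reply (a conn section other than %default, auto set directly or through %default, right specified, and reqid > 0 when installpolicy=no), written as a small checker. This is an added example, not part of the original messages and not strongSwan code; the parser is simplified, and the conn name host-host and the 192.0.2.x addresses are constructed placeholders.

```python
# Added example: lint an ipsec.conf for the requirements listed in the reply.
# Assumption: simplified parser (no "also=" or "include" handling).

def parse_conns(text):
    """Return {name: {key: value}} for every 'conn <name>' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section headers start in column 0
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def check(text):
    """Return a list of problems; an empty list means the checks passed."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})
    problems = []
    if not conns:
        problems.append("no conn section other than %default")
    for name, own in conns.items():
        conn = {**defaults, **own}  # %default values are inherited
        if "auto" not in conn:
            problems.append(f"{name}: auto not set")
        if "right" not in conn:
            problems.append(f"{name}: right not set")
        reqid = conn.get("reqid", "")
        if conn.get("installpolicy") == "no" and not (reqid.isdigit() and int(reqid) > 0):
            problems.append(f"{name}: installpolicy=no needs reqid > 0")
    return problems

# Shortened copy of the config from the thread: only %default is defined.
ORIGINAL = 'config setup\n\tplutostart=no\n\nconn %default\n\tkeyexchange=ikev2\n\ttype=transport\n'

# Constructed fix: the conn name and the RFC 5737 addresses are placeholders.
FIXED = ORIGINAL + 'conn host-host\n\tleft=192.0.2.1\n\tright=192.0.2.2\n\tauto=route\n'

# Constructed: self-managed policies without the reqid the reply asks for.
MANUAL = FIXED + '\tinstallpolicy=no\n'

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL), ("fixed", FIXED), ("manual", MANUAL)):
        print(label, check(conf) or "ok")
```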