Hi Tobias,

On Wednesday 21 March 2012 12:44 AM, Vilhelm Jutvik wrote:
> Dear Tobias,
>
> thank you very much. I thought that charon was signalled by the IPsec
> stack's SPD when a new SA was to be negotiated, not that it itself set
> the policy.
>
> Your solution didn't work right away though. I found that "ipsec
> start" only started the starter process and nothing more. It was not
> until I removed the charondebug option of the config section (as seen
> below) that it started. It works though if you limit the debugging
> level and / or the number of debugging options. I've reproduced this
> several times just to be sure. Why is this?
>

I have observed the same problem recently and posted a patch in issue tracker. Can you please have a check.
http://wiki.strongswan.org/issues/184

Thanks,
Gowri Shankar

> The problem line was (in full):
> charondebug="asn 3,knl 3,mgr 3,ike 3,chd 3,net 3,enc 3"
> It works if you change it so (e.g.) charondebug="ike 3"
>
> My strongswan version is 4.5.2 as included in Ubuntu 11.10
>
> Sincerely,
> Vilhelm Jutvik
> MS Thesis Student at SICS
>
> 2012/3/13 Tobias Brunner <tob...@strongswan.org>:
>> Hi Vilhelm,
>>
>>> config setup
>>>     crlcheckinterval=180
>>>     strictcrlpolicy=no
>>>     plutostart=no
>>>     charondebug="asn 4, knl 4,mgr 4,ike 4,chd 4,net 4,enc 4"
>>>
>>> conn %default
>>>     auth=esp
>>>     authby=psk
>>>     esp=aes128ctr-aesxcbc!
>>>     ikelifetime=60m
>>>     keylife=20m
>>>     keyingtries=1
>>>     rekeymargin=3m
>>>     keyexchange=ikev2
>>>     ike=aes128ctr-aesxcbc-ecp192!
>>>     type=transport
>> Your config file looks incomplete. You have to specify at least one
>> conn section (other than %default) with the auto keyword (auto can be
>> specified in %default, though). Where auto=route might be what you
>> want, as charon will then install policies in the kernel's SPD and an SA
>> will automatically be negotiated upon matching traffic. You also need
>> to specify right and optionally left (the endpoints of the IKE_SA) in
>> that conn section. If you only want specific traffic to be tunneled use
>> the left|rightsubnet and left|rightprotoport keywords (see the example
>> at [1]).
>>
>> Also if you want to configure the policies in the kernel yourself make
>> sure you use a reqid > 0 and then specify reqid=<reqid> and
>> installpolicy=no in the respective conn section.
>>
>> Regards,
>> Tobias
>>
>> [1] http://www.strongswan.org/uml/testresults/ikev2/protoport-route/
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users