Simple CA is the procedure I've been using too.
Dec 27 14:29:54 zeta charon: 05[NET] received packet: from 172.58.43.66[21321] to 192.168.111.16[500] (704 bytes)
Dec 27 14:29:54 zeta charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 27 14:29:54 zeta charon: 05[IKE] no IKE config found for 192.168.111.16...172.58.43.66, sending NO_PROPOSAL_CHOSEN
Dec 27 14:29:54 zeta charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Dec 27 14:29:54 zeta charon: 05[NET] sending packet: from 192.168.111.16[500] to 172.58.43.66[21321] (36 bytes)
Well, NAT-T definitely does not work. I cannot make this work, following the
SimpleCA instructions to a T. I did import the proper .p12, and separately the
caCert.pem into Imported like you did. 172.58.43.66 has nothing to do with my
phone (100.196.9.93), and I think that is a clue to the problem.
Maybe I should give up and put StrongSwan on the router and let the router have
access to the rest of the LAN. That just seems like a stupid thing to do but I
simply have not been able to fix this problem after 2 weeks of trying full
time. I can't believe that this is impossible.
> -------- Original Message --------
> Subject: Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)
> Local Time: December 24, 2017 2:20 PM
> UTC Time: December 24, 2017 10:20 PM
> From: teas...@shorewall.net
> To: shorewall-users@lists.sourceforge.net
>
> On 12/24/2017 12:59 PM, Tom Eastep wrote:
>
>> On 12/24/2017 12:45 PM, Colony.three via Shorewall-users wrote:
>>
>>>> I saw something similar when I neglected to add a subjectAltName
>>>> (gateway.shorewall.net <http://gateway.shorewall.net>) to the
>>>> local endpoint's cert.
>>>>
>>>> FWIW, I've attached a log extract of a successful SA establishment.
>>>>
>>>> -Tom
>>>
>>> Hm, interesting. I've consistently used scripts from SomeRandomDude on
>>> The Internets, and indeed it does not provide for subjectAltName. Good
>>> lead, thanks, I'll look for SS's procedure for generating certs. There
>>> is just a quagmire haystack of disorganized info out there about this,
>>> which I'll bet quietly defeats 90% of those who try this.
>>> Setting rightsourceip=192.168.11.0/24 and restarting SS didn't change
>>> anything.
>>> I've never understood the interplay of IP ranges and addresses between
>>> left and right, as in some cases 'left' always means 'me', whether
>>> setting in local or remote, and in other cases it means as I'd
>>> understood it, 'left' is ipsec gateway and 'right' is remote laptop.
>>> Also I notice that everyone always references the -server- cert and key
>>> in ipsec.conf settings, whereas the StrongSwan Android app will only
>>> accept a .p12 file. A .p12 file is genned by the RandomDude's scripts
>>> for -user- (as well as cert and key), and it also gens the -server- cert
>>> and key. So I can only set the -user- cert (.p12) in the Android app.
>>> I'll investigate further.
>>
>> I'm just installing the StrongSwan Android app and will play with it as
>> well.
>
> After a bit of a hassle with certs, I got it working.
>
> a) I used the StrongSwan Simple CA
> (https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA) to
> generate my certs, with a subjectAltName. The subjectAltName of the
> local endpoint is gateway.shorewall.net. On the Android, that must be
> placed in the Server Identity setting (Advanced Settings). I imported by
> CA cert separately (shows up under 'Imported' on the Android).
>
> b) Local Endpoint Configuration:
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=3
> keyexchange=ikev2
> authby=pubkey
>
> conn ipv4
> left=70.90.191.121
> leftid=gateway.shorewall.net
> leftsubnet=172.20.1.0/24,172.20.2.0/24,70.90.191.122/31,70.90.191.124/31
> leftcert=gatewayCert.der
> right=%any
> rightsourceip=172.20.3.0/24
> rightdns=172.20.1.253
> auto=add
>
> c) Android configuration:
>
> Server: 70.90.191.121
> VPN Type: IKEv2 Certificate
> User certificate: (CN=phone,O=Shorewall,C=US)
> Ca certificate: Imported CA cert
> Profile name: Shorewall IPv4
> Server Identity: gateway.shorewall.net
>
> -Tom
>
> Tom Eastep \ Q: What do you get when you cross a mobster with
> Shoreline, \ an international standard?
> Washington, USA \ A: Someone who makes you an offer you can't
> http://shorewall.org \ understand
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
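As an added example (not code from this thread, from strongSwan, or from Shorewall), here is a small Python script that pulls the rejected local/remote address pair out of the "no IKE config found" line in the charon log at the top of the thread and checks it against an ipsec.conf written in the style of Tom's posted conn block. The matching rule it applies is a deliberate simplification of charon's (an assumption, not the daemon's full algorithm): a conn is a candidate when its left is %any or equals the address the IKE_SA_INIT arrived on, and its right is %any or equals the peer address. The log lines and Tom's conn are embedded as constructed sample input; the NAT variant with left=%any is hypothetical, since the original poster's ipsec.conf does not appear in the thread.

```python
import re

# Constructed sample input: the charon lines quoted at the top of the thread,
# re-joined onto single lines where the mail client had wrapped them.
CHARON_LOG = """\
Dec 27 14:29:54 zeta charon: 05[NET] received packet: from 172.58.43.66[21321] to 192.168.111.16[500] (704 bytes)
Dec 27 14:29:54 zeta charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 27 14:29:54 zeta charon: 05[IKE] no IKE config found for 192.168.111.16...172.58.43.66, sending NO_PROPOSAL_CHOSEN
Dec 27 14:29:54 zeta charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Dec 27 14:29:54 zeta charon: 05[NET] sending packet: from 192.168.111.16[500] to 172.58.43.66[21321] (36 bytes)
"""

# Tom's posted local endpoint configuration, as ipsec.conf text (sample input).
TOM_CONF = """\
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=3
    keyexchange=ikev2
    authby=pubkey

conn ipv4
    left=70.90.191.121
    leftid=gateway.shorewall.net
    leftsubnet=172.20.1.0/24,172.20.2.0/24,70.90.191.122/31,70.90.191.124/31
    leftcert=gatewayCert.der
    right=%any
    rightsourceip=172.20.3.0/24
    rightdns=172.20.1.253
    auto=add
"""

# Hypothetical variant for a gateway behind a NAT router (assumed; the original
# poster's ipsec.conf is not in the thread): left=%any lets the conn match on
# whatever local address the IKE_SA_INIT actually arrives at.
NAT_CONF = TOM_CONF.replace("left=70.90.191.121", "left=%any")

# charon logs the rejected pair as "<local>...<remote>," on the NO_PROP line.
NO_CONFIG_RE = re.compile(r"no IKE config found for (\S+?)\.\.\.(\S+?),")


def find_unmatched_peers(log_text):
    """(local, remote) address pairs for which charon found no conn and
    answered the IKE_SA_INIT with NO_PROPOSAL_CHOSEN."""
    return [m.groups() for m in NO_CONFIG_RE.finditer(log_text)]


def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: {conn_name: {key: value}}, with the
    'conn %default' settings folded into every other conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}


def conns_matching(conns, local_ip, remote_ip):
    """Names of conns that could be selected for a request that arrived on
    local_ip from remote_ip. Simplified rule (assumed, not charon's full
    algorithm): left must be %any or the literal local address, right must be
    %any or the literal peer address. A public address that only exists on
    the NAT router in front of the gateway therefore never matches."""
    names = []
    for name, opts in conns.items():
        left = opts.get("left", "%any")
        right = opts.get("right", "%any")
        if left in ("%any", local_ip) and right in ("%any", remote_ip):
            names.append(name)
    return names


def diagnose(log_text, conf_text):
    """For every rejected IKE_SA_INIT in the log, report which conns (if any)
    the given ipsec.conf would have matched for that address pair."""
    conns = parse_ipsec_conf(conf_text)
    return [(local, remote, conns_matching(conns, local, remote))
            for local, remote in find_unmatched_peers(log_text)]


if __name__ == "__main__":
    for conf_name, conf in (("tom", TOM_CONF), ("nat-variant", NAT_CONF)):
        for local, remote, matched in diagnose(CHARON_LOG, conf):
            print(f"{conf_name}: {remote} -> {local}: "
                  f"matching conns = {matched or 'none'}")
```

Run against the log above, Tom's conn yields no match for a packet arriving on 192.168.111.16 (its left is the public address), while the left=%any variant matches; right=%any matches the 172.58.43.66 peer in both cases, so the peer address alone does not explain a NO_PROPOSAL_CHOSEN reply under this rule.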