SimpleCA is the procedure I've been using too.

>> Dec 27 14:29:54 zeta charon: 05[NET] received packet: from 172.58.43.66[21321] to 192.168.111.16[500] (704 bytes)
>> Dec 27 14:29:54 zeta charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> Dec 27 14:29:54 zeta charon: 05[IKE] no IKE config found for 192.168.111.16...172.58.43.66, sending NO_PROPOSAL_CHOSEN
>> Dec 27 14:29:54 zeta charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
>> Dec 27 14:29:54 zeta charon: 05[NET] sending packet: from 192.168.111.16[500] to 172.58.43.66[21321] (36 bytes)
>>
>> Well, NAT-T definitely does not work.  I cannot make this work, following 
>> the SimpleCA instructions to a T.  I did import the proper .p12, and 
>> separately the caCert.pem into Imported like you did.  172.58.43.66 has 
>> nothing to do with my phone (100.196.9.93), and I think that is a clue to 
>> the problem.
>>
>> Maybe I should give up and put StrongSwan on the router and let the router 
>> have access to the rest of the LAN.  That just seems like a stupid thing to 
>> do but I simply have not been able to fix this problem after 2 weeks of 
>> trying full time.  I can't believe that this is impossible.
>
> As well, for cert generation I added --san:
> # strongswan pki --pub --in private/quantumKey.pem --type rsa | strongswan pki --issue --cacert certs/caCert.pem --cakey private/caKey.pem --san quantum-equities.com --dn "C=US, O=Quantum, CN=quantum-equities.com" --outform pem > certs/quantumCert.pem
>
> ... and in the SS Android app I put quantum-equities.com in Server Identity 
> like you did.

I've never had any cert end up in User certs by importing the .p12 using the 
connection Edit.  Maybe that's the actual problem.

It pretends like it imports the .p12 just fine.
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
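The rejected IKE_SA_INIT in the charon log quoted above is a pattern worth triaging mechanically rather than by eye, so here is an added Python example; it is not code from this thread or from strongSwan. It correlates charon's lines by worker thread, reports the local...remote address pair that no connection matched, and records whether the client offered the NAT-T detection notifies. The sample log is constructed from the quoted lines (unwrapped to one entry per line); the regular expressions, the `Finding` fields and the `describe` checklist are my assumptions about charon's message format, not a strongSwan API.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log: the charon lines quoted in this thread, unwrapped so
# that each syslog entry is a single line as charon would actually emit it.
SAMPLE_LOG = """\
Dec 27 14:29:54 zeta charon: 05[NET] received packet: from 172.58.43.66[21321] to 192.168.111.16[500] (704 bytes)
Dec 27 14:29:54 zeta charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 27 14:29:54 zeta charon: 05[IKE] no IKE config found for 192.168.111.16...172.58.43.66, sending NO_PROPOSAL_CHOSEN
Dec 27 14:29:54 zeta charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Dec 27 14:29:54 zeta charon: 05[NET] sending packet: from 192.168.111.16[500] to 172.58.43.66[21321] (36 bytes)
"""

# Assumed message shapes, derived from the lines above. charon's "NN[SUBSYS]"
# prefix carries the worker-thread id, which is what lets us tie the lines of
# one exchange together.
RE_RECV = re.compile(
    r"charon: (?P<thr>\d+)\[NET\] received packet: from (?P<peer>\S+)\[(?P<pport>\d+)\]"
    r" to (?P<local>\S+)\[(?P<lport>\d+)\]"
)
RE_INIT = re.compile(
    r"charon: (?P<thr>\d+)\[ENC\] parsed IKE_SA_INIT request \d+ \[(?P<payloads>[^\]]*)\]"
)
RE_NOCFG = re.compile(
    r"charon: (?P<thr>\d+)\[IKE\] no IKE config found for (?P<local>\S+)\.\.\.(?P<peer>\S+),"
    r" sending (?P<notify>\S+)"
)


@dataclass(frozen=True)
class Finding:
    peer: str
    peer_port: int
    local: str
    local_port: int
    nat_t_offered: bool  # client sent both NAT_DETECTION_*_IP notifies in IKE_SA_INIT
    notify: str          # error notify charon answered with


def triage_charon(log_text: str) -> List[Finding]:
    """Correlate charon lines by worker thread and emit one Finding for every
    IKE_SA_INIT request that was rejected because no connection matched."""
    pending: Dict[str, dict] = {}
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = RE_RECV.search(line)
        if m:
            pending[m["thr"]] = {
                "peer": m["peer"], "pport": int(m["pport"]),
                "local": m["local"], "lport": int(m["lport"]),
                "nat_t": False,
            }
            continue
        m = RE_INIT.search(line)
        if m and m["thr"] in pending:
            payloads = m["payloads"]
            pending[m["thr"]]["nat_t"] = (
                "N(NATD_S_IP)" in payloads and "N(NATD_D_IP)" in payloads
            )
            continue
        m = RE_NOCFG.search(line)
        if m and m["thr"] in pending:
            st = pending.pop(m["thr"])
            findings.append(Finding(st["peer"], st["pport"], st["local"],
                                    st["lport"], st["nat_t"], m["notify"]))
    return findings


def describe(f: Finding) -> str:
    """Turn a Finding into the checklist a responder should walk through."""
    nat = "offered NAT-T detection" if f.nat_t_offered else "did not offer NAT-T detection"
    return (
        f"IKE_SA_INIT from {f.peer}:{f.peer_port} to {f.local}:{f.local_port} rejected "
        f"with {f.notify}: no connection has selectors covering local={f.local} "
        f"remote={f.peer} (client {nat}). Check that the connection's local/remote "
        f"address (or %any) and IKE version cover this pair; {f.peer} is the source "
        f"address as seen on the wire, which behind a NAT is the NAT's public address."
    )


if __name__ == "__main__":
    for finding in triage_charon(SAMPLE_LOG):
        print(describe(finding))
```

The point the output makes is that `no IKE config found for L...R` is an address-selection failure: charon found no connection whose local and remote addresses cover that pair, so the NO_PROPOSAL_CHOSEN here says nothing yet about NAT-T or the certificates. The remote address it prints is whatever source address reaches the server; behind a NAT that is the NAT device's public address, so it differing from the phone's own address is expected rather than a fault in itself.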