> -------- Original Message --------
> Subject: Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)
> Local Time: December 27, 2017 3:51 PM
> UTC Time: December 27, 2017 11:51 PM
> From: teas...@shorewall.net
> To: shorewall-users@lists.sourceforge.net
>
> On 12/27/2017 03:46 PM, Colony.three via Shorewall-users wrote:
>
>>> -------- Original Message --------
>>> Subject: Re: [Shorewall-users] UDP Getting Blocked When Unblocked
>>> (StrongSwan)
>>> Local Time: December 27, 2017 3:31 PM
>>> UTC Time: December 27, 2017 11:31 PM
>>> From: teas...@shorewall.net
>>> To: shorewall-users@lists.sourceforge.net
>>> On 12/27/2017 03:27 PM, Colony.three via Shorewall-users wrote:
>>>
>>> Dec 27 15:20:49 zeta charon: 00[CFG] loading secrets from
>>> '/etc/strongswan/ipsec.secrets'
>>> Dec 27 15:20:49 zeta charon: 00[LIB]   opening
>>> '/etc/strongswan/ipsec.d/private/quantumKey.pem' failed: No such file
>>> or directory
>>> Dec 27 15:20:49 zeta charon: 00[LIB] building CRED_PRIVATE_KEY - RSA
>>> failed, tried 4 builders
>>> Dec 27 15:20:49 zeta charon: 00[CFG]   loading private key from
>>> '/etc/strongswan/ipsec.d/private/quantumKey.pem' failed
>>>
>>>
>>> The above messages certainly aren't good!
>>>
>>> -Tom
>>
>> Understand.  I was in the middle of something as noted in my prior
>> ().  Here it is again stabilized but still the same problem as all along:
>> Dec 27 15:38:59 zeta strongswan: ipsec starter stopped
>> Dec 27 15:39:02 zeta systemd: Started strongSwan IPsec IKEv1/IKEv2
>> daemon using ipsec.conf.
>> Dec 27 15:39:02 zeta systemd: Starting strongSwan IPsec IKEv1/IKEv2
>> daemon using ipsec.conf...
>> Dec 27 15:39:02 zeta strongswan: Starting strongSwan 5.5.3 IPsec
>> [starter]...
>> Dec 27 15:39:02 zeta strongswan: !! Your strongswan.conf contains
>> manual plugin load options for charon.
>> Dec 27 15:39:02 zeta strongswan: !! This is recommended for experts
>> only, see
>> Dec 27 15:39:02 zeta strongswan: !!
>> http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
>> Dec 27 15:39:02 zeta charon: 00[DMN] Starting IKE charon daemon
>> (strongSwan 5.5.3, Linux 4.13.0-1.el7.elrepo.x86_64, x86_64)
>> Dec 27 15:39:02 zeta charon: 00[CFG] loading ca certificates from
>> '/etc/strongswan/ipsec.d/cacerts'
>> Dec 27 15:39:02 zeta charon: 00[CFG]   loaded ca certificate "C=US,
>> O=QuantumEquities, CN=QuantumCA" from
>> '/etc/strongswan/ipsec.d/cacerts/cacert.pem'
>> Dec 27 15:39:02 zeta charon: 00[CFG] loading aa certificates from
>> '/etc/strongswan/ipsec.d/aacerts'
>> Dec 27 15:39:02 zeta charon: 00[CFG] loading ocsp signer certificates
>> from '/etc/strongswan/ipsec.d/ocspcerts'
>> Dec 27 15:39:02 zeta charon: 00[CFG] loading attribute certificates
>> from '/etc/strongswan/ipsec.d/acerts'
>> Dec 27 15:39:02 zeta charon: 00[CFG] loading crls from
>> '/etc/strongswan/ipsec.d/crls'
>> Dec 27 15:39:02 zeta charon: 00[CFG] loading secrets from
>> '/etc/strongswan/ipsec.secrets'
>> Dec 27 15:39:02 zeta charon: 00[CFG]   loaded RSA private key from
>> '/etc/strongswan/ipsec.d/private/carlsKey.pem'
>> Dec 27 15:39:02 zeta charon: 00[LIB] loaded plugins: charon random
>> nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke
>> kernel-netlink socket-default updown
>> Dec 27 15:39:02 zeta charon: 00[JOB] spawning 16 worker threads
>> Dec 27 15:39:02 zeta strongswan: charon (32155) started after 20 ms
>
> In my case, it goes on...
>
> loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
> pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve
> socket-default connmark stroke updown
> Dec 27 15:04:56 irssi charon: 00[LIB] dropped capabilities, running as
> uid 0, gid 0
> Dec 27 15:04:56 irssi charon: 00[JOB] spawning 16 worker threads
> Dec 27 15:04:56 irssi charon: 05[CFG] received stroke: add connection 'ipv4'
> Dec 27 15:04:56 irssi charon: 05[CFG] adding virtual IP address pool
> 172.20.3.0/24
> Dec 27 15:04:56 irssi charon: 05[CFG]   loaded certificate "C=US,
> O=Shorewall, CN=irssi" from 'irssiCert.der'
> Dec 27 15:04:56 irssi charon: 05[CFG] added configuration 'ipv4'
> Dec 27 15:04:56 irssi charon: 07[CFG] received stroke: add connection 'ipv6'
> Dec 27 15:04:56 irssi charon: 07[CFG] virtual IP pool too large,
> limiting to 2601:601:a000:16f7::/97
> Dec 27 15:04:56 irssi charon: 07[CFG] adding virtual IP address pool
> 2601:601:a000:16f7::/64
> Dec 27 15:04:56 irssi charon: 07[CFG]   loaded certificate "C=US,
> O=Shorewall, CN=irssi" from 'irssiCert.der'
> Dec 27 15:04:56 irssi charon: 07[CFG] added configuration 'ipv6'
>
> This was on my DNATed endpoint.
>
> -Tom

Hm, I am not seeing any evidence that the daemon is picking up my
/etc/strongswan/strongswan.d/bills-strongswan.conf nor
/etc/strongswan/ipdec.d/bills-ipsec.conf. But then, it's not noting yours
either, assuming you have your own ipsec.conf and strongswan.conf.

These are my main configuration files. In my case there's virtually nothing in
/etc/strongswan/strongswan.conf and /etc/strongswan/ipsec.conf.

Not picking up my config files would explain the consistent error I'm getting 
and why almost no one else seems to have this.

I also see that you're using .der certs and keys.  I don't understand this as, 
before you can pile the key and cert into a .p12 file (which is required by the 
Android app), they must be in .pem format.  And even when I copy my user's cert 
to the phone and import using the CACert interface, the cert ends up in 
Imported, and not in User.

I don't understand what's wrong.
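Added example (my own shell, not code from the thread, from strongSwan or from Shorewall): a check for the hypothesis above, namely whether the top-level ipsec.conf and strongswan.conf actually contain an uncommented "include" line for the drop-in directories the extra files live in, plus the openssl calls that turn a DER certificate into PEM and bundle certificate, key and CA into the .p12 the Android client imports (openssl pkcs12 -export reads PEM input, so DER has to be converted first). The /etc/strongswan root, the file names and the "vpn-user" friendly name are assumptions taken from the paths in this thread; the demo at the bottom runs on constructed files in a temp directory and never touches the real config.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan.
# 1) Check that the top-level config files really pull in the drop-in
#    directories (ipsec.d/, strongswan.d/) that extra files are placed in.
# 2) Convert a DER certificate to PEM and bundle cert + key + CA into a
#    PKCS#12 file for the Android client (openssl pkcs12 reads PEM input).
# Assumed layout: /etc/strongswan root, as in the CentOS logs above.

# has_include FILE PATTERN
# Succeeds if FILE contains an uncommented line "include PATTERN".
has_include() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                          # drop comments
        $1 == "include" && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1" 2>/dev/null
}

# check_strongswan_includes [ROOT]
# Reports which drop-in directories are wired in; returns 1 if any is not.
check_strongswan_includes() {
    root=${1:-/etc/strongswan}
    rc=0
    if has_include "$root/ipsec.conf" 'ipsec.d/*.conf'; then
        echo "ok:   $root/ipsec.conf includes ipsec.d/*.conf"
    else
        echo "MISS: $root/ipsec.conf has no 'include ipsec.d/*.conf' line;" \
             "conn definitions under ipsec.d/ are never read"
        rc=1
    fi
    if has_include "$root/strongswan.conf" 'strongswan.d/*.conf'; then
        echo "ok:   $root/strongswan.conf includes strongswan.d/*.conf"
    else
        echo "MISS: $root/strongswan.conf has no 'include strongswan.d/*.conf' line;" \
             "charon settings under strongswan.d/ are never read"
        rc=1
    fi
    return $rc
}

# der_to_pem CERT.der CERT.pem
der_to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# build_p12 USERCERT.pem USERKEY.pem CA.pem OUT.p12
# openssl prompts for an export password; the phone asks for it on import.
build_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -name "vpn-user" -out "$4"
}

# Constructed demo (no real files touched): a layout where ipsec.conf carries
# the include line only as a comment, which is the failure mode being hunted.
demo_includes() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/ipsec.d" "$tmp/strongswan.d"
    printf 'config setup\n\tuniqueids = no\n# include ipsec.d/*.conf\n' > "$tmp/ipsec.conf"
    printf 'charon {\n\tload_modular = yes\n}\ninclude strongswan.d/*.conf\n' > "$tmp/strongswan.conf"
    check_strongswan_includes "$tmp"
    status=$?
    rm -rf "$tmp"
    return $status
}

demo_includes
echo "demo exit status: $? (1 = at least one include line missing)"
```

On the real box, run `check_strongswan_includes` with no argument, then compare with the daemon's own view: the "received stroke: add connection '...'" lines Tom's log shows are what charon prints for every conn it actually loaded, and `strongswan statusall` lists them afterwards; a drop-in conn that never produces such a line was not read.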
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
