Bug #197
strongswan doesn't do certs for some reason
| Status: | In Progress | Start date: | 06/05/2011 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | - | Spent time: | 3.50 hours |
| Target version: | Cerowrt-Next | | |
Description
I have built strongswan but thus far have been unable to get it to connect via certificates to other servers.
Strongswan has many positive attributes - notably full ipv6 support, support for a more 'mesh-like' configuration, and integration with many off-the-shelf tools.
But it needs certs to work well. Perhaps there is a flaw in the socket implementation or there is a missing component from openssl?
The symptom is that a strongswan client will issue an ike request but there is no response at all from the receiver. This is occurring on ubuntu 10.10 and the cerowrt builds. Lacking another OS or experience I'm very puzzled.
History
Updated by Dave Täht almost 2 years ago
ubuntu is putting two socket implementations in where only one is needed.
Updated by Dave Täht almost 2 years ago
- Status changed from New to In Progress
router side

config setup
    plutostart=no
    charonstart=yes
    charondebug="ike 3"
    # charondebug="ike 3,mgr 3,job 3,knl 3,net 3,enc 3,lib 3,dmn 3"

ca bismark
    cacert=bismarkCA.pem

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    leftcert=cero1.pem
    left=192.168.42.1
    leftid="cero1.taht.net"

conn vpn-test2
    left=fe02::3
    right=fe02::1
    rightid="cruithne2.taht.net"
    leftsubnet=fe03::/64
    dpdaction=hold
    type=tunnel
    auto=route
Connecting side

config setup
    strictcrlpolicy=no
    crlcheckinterval=180
    plutodebug=control
    nat_traversal=yes
    charonstart=yes
    plutostart=no
    # charondebug="ike 3,mgr 3,job 3,knl 3,net 3,enc 3,lib 3,dmn 3"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    left=192.168.42.123
    leftcert=cruithne.pem
    leftid="cruithne2.taht.net"

ca bismark
    cacert=bismarkCA.pem

conn vpn-test2
    right=fe02::3
    rightsubnet=fe03::/64
    rightid="cero1.taht.net"
    dpdaction=hold
    type=tunnel
    auto=route
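The two configs above, checked against each other with a small parser, as an added example (not code from the issue or from strongSwan): it folds `conn %default` into each conn the way ipsec.conf does and lists every place where peer A's left/leftid/leftsubnet does not equal peer B's right/rightid/rightsubnet. The embedded configs are abbreviated from the ones posted; labelling the router as peer A and the connecting side as peer B is an assumption made for the example.

```python
"""Added example (not from the issue or strongSwan): check that two peers' ipsec.conf conns mirror each other."""
import re

# Abbreviated from the router (A) and connecting-side (B) configs posted in the issue.
ROUTER_CONF = """
conn %default
    left=192.168.42.1
    leftid="cero1.taht.net"
conn vpn-test2
    left=fe02::3
    right=fe02::1
    rightid="cruithne2.taht.net"
    leftsubnet=fe03::/64
"""
CLIENT_CONF = """
conn %default
    left=192.168.42.123
    leftid="cruithne2.taht.net"
conn vpn-test2
    right=fe02::3
    rightsubnet=fe03::/64
    rightid="cero1.taht.net"
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'conn %default' is folded into every other conn."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments; blank lines are skipped below
        head = re.match(r"^(config|conn|ca)\s+(\S+)$", line)
        if head:  # a header at column 0 starts a new key/value dict
            cur = sections.setdefault(" ".join(head.groups()), {})
            continue
        key, sep, val = line.strip().partition("=")
        if cur is not None and sep:  # ignore blanks and lines before any header
            cur[key.strip()] = val.strip().strip('"')
    default = sections.pop("conn %default", {})
    for name in [n for n in sections if n.startswith("conn ")]:
        sections[name] = {**default, **sections[name]}  # conn values override defaults
    return sections

def mirror_mismatches(a_conf, b_conf, conn):
    """A.left must equal B.right (likewise for id and subnet); return the disagreements."""
    a, b = a_conf["conn " + conn], b_conf["conn " + conn]
    out = []
    for l, r in (("left", "right"), ("leftid", "rightid"), ("leftsubnet", "rightsubnet")):
        for x, y in ((l, r), (r, l)):  # check both directions of the pair
            if a.get(x) != b.get(y):
                out.append(f"{conn}: A.{x}={a.get(x)!r} but B.{y}={b.get(y)!r}")
    return out
```

On the posted configs it reports that the router's right=fe02::1 does not match the connecting side's inherited left=192.168.42.123, which is the kind of peer mismatch worth ruling out before suspecting the socket or OpenSSL layers.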
Updated by Dave Täht almost 2 years ago
- Target version set to 13
I ultimately did get this to more or less work, but I think having a better out of the box experience, where you could get a ca from various competing outsourced providers and allow for various levels of privilege into the box, is necessary.
And that that is too hard to get done fast.
Also, the charon 16 threads eats 54% of virtual memory on a 64MB box - not physical! - and there should be a gui front end to a server somewhere that doesn't exist.
That said, the universal evaluation from multiple experts is that strongswan is the way to go, over openvpn, openswan, and other lesser known alternatives.
Updated by Dave Täht over 1 year ago
I just saw a patch go by on the openwrt list doing something to enable certs differently in openssl...
Updated by Dave Täht about 1 year ago
- Target version changed from 13 to Cerowrt-Next