Is it just me, or are strongSwan & IPsec quite difficult to configure?
Also, maybe trying to link my home computer into a 6to4 subnet hosted elsewhere via an IPv4 IPsec tunnel to get around the crummy AT&T internet gateway filtering isn't the easiest place to start.
@alienghic but why 6to4 ...?!
@saper Because the university I work at doesn't have any better IPv6 offerings. 6to4 was easy to set up, and worked really well for making it easier to connect VMs on different hosts in the same corporate network.
@saper After a long struggle I eventually figured out how to generate certificates correctly, and I can get IPv4 host-to-host to work, but I'm still at a loss on how to get any version using virtual IPs to work.
@alienghic how is "subject" encoded in your certificates? There are at least three ways to encode the identity there.
And if your IPs are static you can always ditch ISAKMP altogether and just hardwire the keys using setkey (define static ESP tunnels).
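The "hardwire the keys using setkey" route mentioned above, as an added example (not code from anyone in this thread): a small POSIX sh script that generates per-direction random keys and emits the setkey(8) script for a manually keyed ESP tunnel between two gateways. All addresses, subnets and SPIs are constructed documentation values; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): emit a setkey(8) script for a manually keyed
# ESP tunnel between two gateways. Addresses, subnets and SPIs are constructed values.
GW_A=203.0.113.10        # gateway A's public address
GW_B=198.51.100.20       # gateway B's public address
NET_A=192.168.10.0/24    # subnet behind A
NET_B=192.168.20.0/24    # subnet behind B
SPI_AB=0x1001            # SA carrying A -> B traffic
SPI_BA=0x1002            # SA carrying B -> A traffic

# Print a fresh random key as 0x-prefixed hex; $1 is the key length in bytes.
gen_key() {
    printf '0x%s' "$(head -c "$1" /dev/urandom | od -An -v -tx1 | tr -d ' \n')"
}

# Key length in bits of a 0x-prefixed hex key (sanity check before loading it).
key_bits() {
    _hex=${1#0x}
    echo $(( ${#_hex} * 4 ))
}

# Each direction is its own SA, so each needs its own encryption and integrity key.
ENC_AB=$(gen_key 32); AUTH_AB=$(gen_key 32)   # AES-256-CBC + HMAC-SHA-256, A -> B
ENC_BA=$(gen_key 32); AUTH_BA=$(gen_key 32)   # AES-256-CBC + HMAC-SHA-256, B -> A

# Emit the setkey script for one side; $1 is "a" or "b". The 'add' lines are identical
# on both gateways (same SPIs, same keys); only the SPD policy direction flips.
make_setkey_conf() {
    if [ "$1" = a ]; then
        local_gw=$GW_A; remote_gw=$GW_B; local_net=$NET_A; remote_net=$NET_B
    else
        local_gw=$GW_B; remote_gw=$GW_A; local_net=$NET_B; remote_net=$NET_A
    fi
    cat <<EOF
flush;
spdflush;
# security associations, one per direction
add $GW_A $GW_B esp $SPI_AB -m tunnel -E aes-cbc $ENC_AB -A hmac-sha256 $AUTH_AB;
add $GW_B $GW_A esp $SPI_BA -m tunnel -E aes-cbc $ENC_BA -A hmac-sha256 $AUTH_BA;
# security policies: which traffic must use which tunnel
spdadd $local_net $remote_net any -P out ipsec esp/tunnel/$local_gw-$remote_gw/require;
spdadd $remote_net $local_net any -P in ipsec esp/tunnel/$remote_gw-$local_gw/require;
EOF
}

# Stand-alone run: print gateway A's script. Save each side's output to a file and load
# it with 'setkey -f <file>' on that gateway; the same keys must reach B over a
# separate trusted channel.
make_setkey_conf a
```

Because there is no IKE, nothing ever rekeys these SAs or resets their replay state, so rotate the keys on a schedule and keep the SPD `require` policies so plaintext never falls through when an SA is missing. Also check that both ends agree on the HMAC-SHA-256 ICV truncation length (some older setkey and kernel combinations used 96 bits rather than the 128 bits of RFC 4868), since a mismatch shows up as silently dropped packets rather than an error.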
@saper Auth wouldn't work until I encoded the host name in the subject alternative name. strongSwan seemed to ignore the CN field.
@alienghic ISAKMP is the worst protocol ever. I usually had to run racoon with a debug level three and there was an online decoder of ISAKMP packet dumps somewhere. Once you get Phase 1 working, Phase 2 won't...