Marcin Cieślak is a user on mastodon.social.

Is it just me or is strongswan & ipsec quite difficult to configure?

Also, maybe trying to link my home computer into a 6to4 subnet hosted elsewhere via an IPv4 IPsec tunnel to get around the crummy AT&T internet gateway filtering isn't the easiest place to start.

@alienghic ISAKMP is the worst protocol ever. I usually had to run racoon with a debug level three and there was an online decoder of ISAKMP packet dumps somewhere. Once you get Phase 1 working, Phase 2 won't...

@saper After a long struggle I eventually figured out how to generate certificates correctly and I can get IPv4 host-to-host to work, but I'm still at a loss on how to any version using virtual IPs.

Marcin Cieślak @saper

@alienghic how is "subject" encoded in your certificates? There are at least three ways to encode the identity there.

And if your IPs are static you can always ditch ISAKMP altogether and just hardwire the keys using setkey (define static ESP tunnels).
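The static-ESP alternative mentioned above, written out as an added example that is not from the thread: a setkey(8) configuration for a manually keyed IPv4 tunnel between two gateways. The addresses are constructed documentation ranges and the keys are placeholders to be replaced with freshly generated random values.

```conf
# Load with: setkey -f /etc/ipsec-manual.conf   (constructed example)
# Gateway A: 192.0.2.1     protects 10.1.0.0/24
# Gateway B: 198.51.100.1  protects 10.2.0.0/24   (RFC 5737 documentation addresses)
flush;
spdflush;

# One SA per direction. SPIs and keys must match on both gateways.
# Generate keys with:  openssl rand -hex 16  (AES-128-CBC)
#                      openssl rand -hex 32  (HMAC-SHA256)
add 192.0.2.1 198.51.100.1 esp 0x1001 -m tunnel
    -E aes-cbc 0x<16-byte-hex-key-A-to-B>
    -A hmac-sha256 0x<32-byte-hex-key-A-to-B>;
add 198.51.100.1 192.0.2.1 esp 0x1002 -m tunnel
    -E aes-cbc 0x<16-byte-hex-key-B-to-A>
    -A hmac-sha256 0x<32-byte-hex-key-B-to-A>;

# Policies as seen from gateway A: traffic between the two subnets must
# go through the ESP tunnel; unprotected packets for these flows are dropped.
spdadd 10.1.0.0/24 10.2.0.0/24 any -P out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.2.0.0/24 10.1.0.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/require;
```

On gateway B the same SAs are loaded but the `-P out` and `-P in` policies are swapped. Manual keying has no rekeying at all, so the keys stay in use until you reload new ones; that is the trade-off for skipping ISAKMP.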

@saper Auth wouldn't work until I encoded the host name in the subject alternative name. strongSwan seemed to ignore the CN field.