Migrating from ipsec.conf to swanctl.conf

Member


Hi,
I'm trying to get my config working in swanctl.conf instead of ipsec.conf, but I can't get it to work. Can anyone point me in the right direction?

ipsec.conf (works)

    conn pelle
        left=%defaultroute
        leftsourceip=%config
        leftauth=eap-mschapv2
        eap_identity=min user
        right=vpn.kallstrom.me
        rightsubnet=0.0.0.0/0
        rightauth=pubkey
        rightid=%vpn.mindomän
        rightca=/etc/ipsec.d/cacerts/pelle.cer
        keyexchange=ikev2
        type=tunnel
        mobike=yes
        dpdaction=hold
        closeaction=hold
        dpdtimeout=300s
        dpddelay=120s
        keylife=20m
        rekeymargin=3m
        reauth=no
        ikelifetime=60m
        lifetime=1h
        keyingtries=1
        auto=start
        keyexchange=ikev2
        esp=aes128-sha2_256-modp2048!
        ike=aes128-sha2_256-modp2048!

swanctl.conf (does not work)

    connections {
        vpn {
            version = 2
            proposals = aes128-sha256-modp2048!
            rekey_time = 0s
            fragmentation = allow
            dpd_delay = 300s
            local_addrs = %defaultroute
            remote_addrs = vpn.mindomän
            vips = 0.0.0.0,::
            local {
                auth = eap-mschapv2
                eap_id = min user
            }
            remote {
                auth = pubkey
                rightca = /etc/ipsec.d/cacerts/pelle.cer
                id = %any
            }
            children {
                vpn {
                    mode = tunnel
                    remote_ts = 0.0.0.0/0,::/0
                    rekey_time = 0s
                    dpd_action = clear
                    esp_proposals = aes128-sha256-modp2048!
                }
            }
        }
    }
    secrets {
        eap-vpn {
            id = minuser
            secret = mittlösen
        }
    }

Edit: The error seems to be in my proposals.. don't know how to get it right, though.

Daemon.log

    Jul 9 10:52:19 pelle-manjaro systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
    Jul 9 10:52:19 pelle-manjaro swanctl[7737]: no files found matching '/etc/swanctl/conf.d/*.conf'
    Jul 9 10:52:19 pelle-manjaro swanctl[7737]: no authorities found, 0 unloaded
    Jul 9 10:52:19 pelle-manjaro swanctl[7737]: no pools found, 0 unloaded
    Jul 9 10:52:19 pelle-manjaro swanctl[7737]: loading connection 'vpn' failed: invalid value for: proposals, config discarded
    Jul 9 10:52:19 pelle-manjaro swanctl[7737]: loaded 0 of 1 connections, 1 failed to load, 0 unloaded
    Jul 9 10:52:19 pelle-manjaro swanctl[7737]: loaded eap secret 'eap-vpn'
    Jul 9 10:52:19 pelle-manjaro systemd[1]: strongswan.service: Control process exited, code=exited, status=22/n/a
    Jul 9 10:52:19 pelle-manjaro systemd[1]: strongswan.service: Failed with result 'exit-code'.
    Jul 9 10:52:19 pelle-manjaro systemd[1]: Failed to start strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.


Quote me if you want a reply :)

Member

It's been a long time since I poked at the config files by hand, so I have a poor grasp of what they should look like, but I can't find anything saying swanctl.conf accepts the trailing exclamation mark in proposals. Try removing it?

Member
Written by thu:

It's been a long time since I poked at the config files by hand, so I have a poor grasp of what they should look like, but I can't find anything saying swanctl.conf accepts the trailing exclamation mark in proposals. Try removing it?

Yes, I've got that part sorted; now I'm stuck on:

    swanctl --initiate --child vpn
    [IKE] initiating IKE_SA vpn[2] to xx.xxx.xx.xxx
    [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    [NET] sending packet: from 0.0.0.0[500] to xx.xxx.xx.xxx[500] (464 bytes)
    [NET] received packet: from xx.xxx.xx.xxx[500] to xxx.xxx.x.x[500] (492 bytes)
    [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V ]
    [IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
    [IKE] received MS-Negotiation Discovery Capable vendor ID
    [CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    [IKE] remote host is behind NAT
    [IKE] sending cert request for "C=xx, ST=XXX, L=XXXX, O=XXXXX, CN=XXXXX Root CA"
    [IKE] sending cert request for "C=xx, ST=XXX, L=XXXX, O=XXXXX, CN=XXXXX Root CA"
    [CFG] no IDi configured, fall back on IP address
    [IKE] establishing CHILD_SA vpn{2}
    [ENC] generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    [NET] sending packet: from xxx.xxx.x.x[4500] to xx.xxx.xx.xxx[4500] (352 bytes)
    [NET] received packet: from xx.xxx.xx.xxx[4500] to xxx.xxx.x.x[4500] (1504 bytes)
    [ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
    [IKE] received end entity cert "C=XX, ST=XXX, L=XXXX, OU=XXX, O=XXXXX, CN=vpn.mydomain.com"
    [CFG] using certificate "C=XX, ST=XXX, L=XXX, OU=XXX, O=XXXXX, CN=vpn.mydomain.com"
    [CFG] using trusted ca certificate "C=XX, ST=XXXX, L=XXX, O=XXXX, CN=XXXXX Root CA"
    [CFG] checking certificate status of "C=XX, ST=XXXX, L=XXX, OU=XXX, O=XXXX, CN=vpn.mydomain.com"
    [CFG] certificate status is not available
    [CFG] reached self-signed root ca with a path length of 0
    [IKE] authentication of 'C=XX, ST=XXXX, L=XXX, OU=XXX, O=XXXXX, CN=vpn.mydomain.com' with RSA signature successful
    [CFG] constraint check failed: peer not authenticated with peer cert 'C=XX, ST=XXXX, L=XXXX, O=XXXXX, CN=XXXXX Root CA'
    [CFG] selected peer config 'vpn' unacceptable: constraint checking failed
    [CFG] no alternative config found
    [ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
    [NET] sending packet: from xxx.xxx.x.x[4500] to xx.xxx.xx.xxx[4500] (80 bytes)
    initiate failed: establishing CHILD_SA 'vpn' failed

swanctl.conf as it currently stands:

    connections {
        vpn {
            version = 2
            proposals = aes128-sha256-modp2048
            rekey_time = 0s
            dpd_delay = 300s
            local_addrs = %defaultroute
            remote_addrs = vpn.mydomain.com
            vips = 0.0.0.0,::
            local {
                auth = eap-mschapv2
                eap_id = myuser
            }
            remote {
                auth = pubkey
                certs = /etc/ipsec.d/cacerts/pelle.cer
                id = %any
            }
            children {
                vpn {
                    mode = tunnel
                    remote_ts = 0.0.0.0/0,::/0
                    rekey_time = 0s
                    dpd_action = clear
                    start_action = start
                    esp_proposals = aes128-sha256-modp2048
                }
            }
        }
    }
    secrets {
        eap-vpn {
            id = myuser
            secret = mypass
        }
    }


Member

certs= should have been cacerts= ... it's always something simple you miss.

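The thread hits two separate migration traps: the trailing `!` from ipsec.conf's strict-proposal syntax, which swanctl rejects at load time ("invalid value for: proposals"), and `remote.certs` versus `remote.cacerts`, which fails later at IKE_AUTH because `certs` names the end-entity certificate the peer itself must present, while `cacerts` names the CA that must sign it (hence "peer not authenticated with peer cert '... Root CA'"). The script below is an added example, not strongSwan's own code nor anything the posters wrote: a small linter that parses swanctl.conf's section syntax and flags both mistakes, plus leftover `left*`/`right*` keys from ipsec.conf. The host `vpn.example.com` and user `myuser` are constructed placeholders; the CA path is the one from the thread. The "path contains cacerts" check is a heuristic, not a rule strongSwan itself applies.

```python
"""Added example (not strongSwan's code): a linter for the ipsec.conf -> swanctl.conf
mistakes in this thread. It parses swanctl.conf's section syntax (nested
`name { key = value }` blocks) just far enough to flag:
  * a trailing '!' on proposals (ipsec.conf's strict-proposal marker; swanctl
    rejects the value with "invalid value for: proposals"),
  * left*/right* keys that only exist in ipsec.conf (rightca, leftauth, ...),
  * remote.certs pointing at a CA certificate, which belongs in remote.cacerts.
"""

IPSEC_CONF_ONLY_KEYS = {
    "leftauth", "rightauth", "leftid", "rightid", "leftca", "rightca",
    "leftsourceip", "rightsubnet", "keyexchange", "dpdaction", "closeaction",
}


def parse_swanctl(text):
    """Parse swanctl.conf section syntax into nested dicts.

    Handles `section {`, `}`, `key = value` and `#` comments. Enough for the
    files in this thread; it is not a replacement for strongSwan's parser.
    """
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed section at end of file")
    return root


def lint(config):
    """Return [(dotted.path, problem), ...] for the migration mistakes above."""
    problems = []

    def walk(section, path):
        for key, value in section.items():
            here = path + [key]
            if isinstance(value, dict):
                walk(value, here)
                continue
            dotted = ".".join(here)
            if key in ("proposals", "esp_proposals", "ah_proposals") and value.endswith("!"):
                problems.append((dotted, "trailing '!' is ipsec.conf syntax; drop it"))
            if key in IPSEC_CONF_ONLY_KEYS:
                problems.append((dotted, f"'{key}' is an ipsec.conf key; swanctl.conf uses sections instead"))
            # remote.certs names the end-entity cert the peer must present; a CA
            # cert belongs in remote.cacerts. Matching "cacerts" in the path is a heuristic.
            if key == "certs" and len(here) >= 2 and here[-2] == "remote" and "cacerts" in value:
                problems.append((dotted, "points at a CA certificate; use 'cacerts' so it constrains the chain"))

    walk(config, [])
    return problems


# Constructed sample mirroring the thread's first attempt (placeholder host and user).
FIRST_ATTEMPT = """\
connections {
    vpn {
        version = 2
        proposals = aes128-sha256-modp2048!
        remote_addrs = vpn.example.com
        vips = 0.0.0.0,::
        local {
            auth = eap-mschapv2
            eap_id = myuser
        }
        remote {
            auth = pubkey
            rightca = /etc/ipsec.d/cacerts/pelle.cer
            id = %any
        }
        children {
            vpn {
                remote_ts = 0.0.0.0/0,::/0
                esp_proposals = aes128-sha256-modp2048!
            }
        }
    }
}
"""
# The thread's second attempt dropped the '!' and switched to certs=; the fix is cacerts=.
SECOND_ATTEMPT = FIRST_ATTEMPT.replace("!", "").replace("rightca =", "certs =")
FIXED = SECOND_ATTEMPT.replace("certs =", "cacerts =")

if __name__ == "__main__":
    for name, text in (("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT), ("fixed", FIXED)):
        print(name, lint(parse_swanctl(text)) or "OK")
```

Running it reports the `proposals`, `rightca` and `esp_proposals` findings for the first attempt, only `remote.certs` for the second, and nothing for the fixed version; the real check remains `swanctl --load-all` followed by `swanctl --initiate --child vpn` against the peer.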