[strongSwan] Where to specify -no-undefined?
I am building strongSwan natively on Windows with MSYS2 and MinGW-w64 following the instructions at https://wiki.strongswan.org/projects/strongswan/wiki/Windows. The make terminates with messages:

libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../../../.. -I../../../../src/libstrongswan -I../../../../src/libstrongswan/plugins/pubkey -I../../../../src/libcharon -I../../../../src/libcharon/plugins/counters -DSWANCTLDIR=\"swanctl\" -DIPSEC_PIDDIR=\"/var/run\" -I/mingw64/include -g -O2 -Wall -Wno-pointer-sign -Wno-format-security -Wno-format -mno-ms-bitfields -D_WIN32 -D_WIN64 -DOPENSSL_SYS_WIN32 -DOPENSSL_SYS_WIN64 -I/C:/OpenSSL-Win64/include/openssl -include /home/IEUser/strongswan-5.8.4/config.h -MT libvici.lo -MD -MP -MF .deps/libvici.Tpo -c libvici.c -DDLL_EXPORT -DPIC -o .libs/libvici.o
/bin/sh ../../../../libtool --tag=CC --mode=link gcc -g -O2 -Wall -Wno-pointer-sign -Wno-format-security -Wno-format -mno-ms-bitfields -D_WIN32 -D_WIN64 -DOPENSSL_SYS_WIN32 -DOPENSSL_SYS_WIN64 -I/C:/OpenSSL-Win64/include/openssl -include /home/IEUser/strongswan-5.8.4/config.h -L/C:/OpenSSL-Win64/lib -L/mingw64/lib -o libvici.la -rpath /mingw64/lib/ipsec vici_message.lo vici_builder.lo vici_cert_info.lo libvici.lo ../../../../src/libstrongswan/libstrongswan.la
libtool: error: can't build x86_64-pc-mingw64 shared library unless -no-undefined is specified
make[6]: *** [Makefile:737: libvici.la] Error 1
make[6]: Leaving directory '/home/IEUser/strongswan-5.8.4/src/libcharon/plugins/vici'
make[5]: *** [Makefile:975: all-recursive] Error 1
make[5]: Leaving directory '/home/IEUser/strongswan-5.8.4/src/libcharon/plugins/vici'
make[4]: *** [Makefile:1983: all-recursive] Error 1
make[4]: Leaving directory '/home/IEUser/strongswan-5.8.4/src/libcharon'
make[3]: *** [Makefile:1279: all] Error 2
make[3]: Leaving directory '/home/IEUser/strongswan-5.8.4/src/libcharon'
make[2]: *** [Makefile:537: all-recursive] Error 1
make[2]: Leaving directory '/home/IEUser/strongswan-5.8.4/src'
make[1]: *** [Makefile:598: all-recursive] Error 1
make[1]: Leaving directory '/home/IEUser/strongswan-5.8.4'
make: *** [Makefile:509: all] Error 2

Where and how do I specify -no-undefined?

Sent with ProtonMail Secure Email.
Re: [strongSwan] How to use letsencrypt certificate in swanctl?
I got StrongSwan working with Let’s Encrypt. It’s a good idea, since it makes the client work with no extra software or certificates to install. Here’s my documentation of the method I used:

https://dc77312.wordpress.com/2019/02/01/strongswan-with-lets-encrypt-ssl-certificate-for-server/

Derek.

On Fri, Feb 1, 2019 at 5:40 AM, Glen Huang wrote:
> I’m trying to use the certificate generated by letsencrypt for my ikev2
> vpn, and I use swanctl.conf
>
> I copied either cert.pem or fullchain.pem to swanctl/x509 as cert.pem, and
> specify certs.pem to local.certs. When starting charon, it fails with
>
> loading ‘/path/to/cert.pem’ failed: parsing X509 certificate failed
>
> It seems swanctl doesn’t directly support the certificate generated
> by letsencrypt? Is it possible to convert manually?
>
> Another quick question, if I name the pem file as mydomain.com.pem, charon
> fails with invalid syntax for certs, and it also fails with the same reason
> if I put it in a subfolder in x509 and specify mydomain.com/cert.pem to
> certs. Does that mean the cert file shouldn’t contain more than two dots in the
> file name? And subfolder isn’t supported?
>
> Thanks a lot.
Re: [strongSwan] A couple of offerings for the community
On Mon, Jan 28, 2019 at 2:29 AM Tobias Brunner wrote:
> Does Windows require the complete chain for the client
> certificate?

If you deliberately delete the CA certificate of the client certificate on Windows, then when you try to connect, you will get an error message in red, "Invalid certificate type." This is an "all-purpose" error message Windows gives when it does not like something about your certificates.

If you look in Windows Event Viewer, you will see an error from source RasClient saying, "The error code returned on failure is 13819." Again, this is an "all-purpose" error code for certificates.

Derek.
[strongSwan] A couple of offerings for the community
Good afternoon,

A couple of offerings that might interest you:

(1) An IKEv2 profile importer for Windows 10, modeled on the strongSwan profile importer for Android: https://github.com/dcamero2016/vpn-importer

(2) Step-by-step, end-to-end tutorial for installing strongSwan 5.7.2 on Debian 10 Buster server and Android client: https://dc77312.wordpress.com

Kind regards,
Derek Cameron.
Re: [strongSwan] ikev2 server without cert
Yes, you can use username and password. In this tutorial, the strongSwan server authenticates with a certificate, and the various clients authenticate with a user name and password:

http://xpu.ca/strongswan-ubuntu/

This procedure was tested on an Amazon EC2 t2.micro instance running Ubuntu 16.04. The version of the strongSwan package installed was 5.3.5-1ubuntu3.

On Sun, Nov 6, 2016 at 3:11 PM, robert k Wild wrote:
> hi all,
>
> im trying to create an ikev2 server but this how-to guide says i need to
> create certs for the server and client, can i just not use normal username
> and password for authentication?
>
> https://raymii.org/s/tutorials/IPSEC_vpn_with_CentOS_7.html
>
> many thanks,
>
> rob
>
> --
> Regards,
>
> Robert K Wild.
>
> ___
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
[strongSwan] Apple IOS 10 VPN
Jim,

Here is a configuration that works for iOS 10:

http://xpu.ca/strongswan-ubuntu/

Derek.

> Can anyone share a working configuration between Strongswan and
> Apple IOS 10?
>
> ___
>
> Jim Buttafuoco
> jim at contacttelecom.com
> 603-647-7170
> 603-490-3409 - Cell
> jimbuttafuoco - Skype
Re: [strongSwan] using eap-tls and eap-mschapv2 simultaneously
Hi, Josh,

Thank you. You can probably just have two "conn" sections where they differ, with a shared "%default" conn where they are the same, but I have not tried this myself.

The certificates issued by "Let's Encrypt" work fine as server certificates if you are going to use user/password authentication (eap-mschapv2) on the iOS client side.

sudo openssl x509 -in /etc/letsencrypt/live/vpn.example.com/fullchain.pem -text

Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1
. . .
Subject: CN=vpn.example.com
. . .
X509v3 Subject Alternative Name:
DNS:vpn.example.com

The special rules for iOS and OS X are, of course, imposed by Apple rather than by Strongswan. They are described in the Strongswan wiki on the page

https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)

especially in the sections "Certificate requirements for iOS interoperability" and "Certificate examples using strongSwan PKI tool"

Derek.
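Added example, not part of the message above or of the strongSwan wiki: a shell check that a server certificate lists the name the client connects to as a DNS entry in subjectAltName (the field shown in the openssl output above) and is not about to expire. It assumes an exact-name match is what matters; the function names and the self-signed sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example. The certificate is a constructed, self-signed sample.

# Print each DNS entry of the subjectAltName extension, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n 1 | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed if HOST ($2) is listed as a DNS SAN of CERT ($1).
# Exact, case-insensitive match only; wildcard entries are not expanded.
cert_matches_host() {
    san_dns_names "$1" | grep -qixF "$2"
}

# Succeed if CERT ($1) is still valid SECONDS ($2) from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Build a 30-day self-signed certificate for vpn.example.com (sample input).
make_sample_cert() {
    dir=$(mktemp -d)
    cat >"$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = vpn.example.com
[ext]
subjectAltName = DNS:vpn.example.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$dir/req.cnf" -keyout "$dir/key.pem" \
        -out "$dir/cert.pem" 2>/dev/null
    echo "$dir/cert.pem"
}

cert=$(make_sample_cert)
for host in vpn.example.com other.example.com; do
    if cert_matches_host "$cert" "$host"; then
        echo "$host: listed in subjectAltName"
    else
        echo "$host: NOT listed in subjectAltName"
    fi
done
cert_valid_for "$cert" 604800 && echo "valid for at least 7 more days"
```

On a real server, pass the path of fullchain.pem instead of the sample; openssl x509 reads the first certificate in the file, which is the server certificate.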
[strongSwan] Using StrongSwan for IPSec VPN on CentOS 7 - no matching peer config found.
Hi, Josh,

I am using Debian 8 rather than CentOS 7, but it works fine for iOS 9 clients. Here is what I did:

https://dcamero.github.io

Regards,
Derek.