[strongSwan] host-host ikev2
Hello, please help me find the mistake. Here are the results of 'syslog', 'ipsec.conf', 'ipsec up host-host', 'ipsec statusall' and 'ipsec listall'. I can't understand "failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)" in the syslog.

Assumption: abhishek [sun], ajay [moon]

[r...@abhishek certs]# tcpdump -i eth0 not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 &
[1] 26832
[r...@abhishek certs]# /etc/init.d/iptables start 2> /dev/null
[1]+  Exit 127    tcpdump -i eth0 not port ssh and not port domain and not arp >/tmp/tcpdump.log 2>&1
[r...@abhishek certs]# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 4.2.11 IPsec [starter]...
[r...@abhishek certs]# ipsec up host-host
initiating IKE_SA host-host[4] to 192.168.3.11
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.3.4[500] to 192.168.3.11[500]
retransmit 1 of request with message ID 0
sending packet: from 192.168.3.4[500] to 192.168.3.11[500]
retransmit 2 of request with message ID 0
sending packet: from 192.168.3.4[500] to 192.168.3.11[500]
retransmit 3 of request with message ID 0
sending packet: from 192.168.3.4[500] to 192.168.3.11[500]
retransmit 4 of request with message ID 0
sending packet: from 192.168.3.4[500] to 192.168.3.11[500]
retransmit 5 of request with message ID 0
sending packet: from 192.168.3.4[500] to 192.168.3.11[500]
giving up after 5 retransmits
establishing IKE_SA failed, peer not responding
[r...@abhishek certs]# ipsec statusall
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 192.168.3.4:500
000 %myid = (none)
000 debug none
000
Performance:
  uptime: 14 minutes, since Mar 15 09:26:45 2009
  worker threads: 10 idle of 16, job queue load: 1, scheduled events: 0
  loaded plugins: aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
Listening IP addresses:
  192.168.3.4
Connections:
   host-host:  192.168.3.4[CN=IN, O=rvce, CN=abhishek]...192.168.3.11[C=IN, O=rvce, CN=ajay]
   host-host:  public key authentication
   host-host:   dynamic/32 === dynamic/32
Security Associations:
  none
[r...@abhishek certs]# ipsec listall
000
000 List of registered IKE Encryption Algorithms:
000
000 #3     OAKLEY_BLOWFISH_CBC, blocksize: 64, keylen: 128-128-448
000 #5     OAKLEY_3DES_CBC, blocksize: 64, keylen: 192-192-192
000 #7     OAKLEY_AES_CBC, blocksize: 128, keylen: 128-128-256
000 #65004 OAKLEY_SERPENT_CBC, blocksize: 128, keylen: 128-128-256
000 #65005 OAKLEY_TWOFISH_CBC, blocksize: 128, keylen: 128-128-256
000 #65289 OAKLEY_TWOFISH_CBC_SSH, blocksize: 128, keylen: 128-128-256
000
000 List of registered IKE Hash Algorithms:
000
000 #1     OAKLEY_MD5, hashsize: 128
000 #2     OAKLEY_SHA, hashsize: 160
000 #4     OAKLEY_SHA2_256, hashsize: 256
000 #5     OAKLEY_SHA2_384, hashsize: 384
000 #6     OAKLEY_SHA2_512, hashsize: 512
000
000 List of registered IKE DH Groups:
000
000 #2     OAKLEY_GROUP_MODP1024, groupsize: 1024
000 #5     OAKLEY_GROUP_MODP1536, groupsize: 1536
000 #14    OAKLEY_GROUP_MODP2048, groupsize: 2048
000 #15    OAKLEY_GROUP_MODP3072, groupsize: 3072
000 #16    OAKLEY_GROUP_MODP4096, groupsize: 4096
000 #17    OAKLEY_GROUP_MODP6144, groupsize: 6144
000 #18    OAKLEY_GROUP_MODP8192, groupsize: 8192
000
000 List of registered ESP Encryption Algorithms:
000
000 #2     ESP_DES, blocksize: 8, keylen: 64-64
000 #3     ESP_3DES, blocksize: 8, keylen: 192-192
000 #7     ESP_BLOWFISH, blocksize: 8, keylen: 40-448
000 #11    ESP_NULL, blocksize: 0, keylen: 0-0
000 #12    ESP_AES, blocksize: 8, keylen: 128-256
000 #252   ESP_SERPENT, blocksize: 8, keylen: 128-256
000 #253   ESP_TWOFISH, blocksize: 8, keylen: 128-256
000
000 List of registered ESP Authentication Algorithms:
000
000 #1     AUTH_ALGORITHM_HMAC_MD5, keylen: 128-128
000 #2     AUTH_ALGORITHM_HMAC_SHA1, keylen: 160-160
000 #5     AUTH_ALGORITHM_HMAC_SHA2_256, keylen: 256-256
000 #251   AUTH_ALGORITHM_NULL, keylen: 0-0
000
000 List of X.509 CA Certificates:
000
000 Mar 15 09:26:45 2009, count: 1
000        subject:  'C=IN, O=rvce, CN=ajay'
000        issuer:   'C=IN, O=rvce, CN=ajay'
000        serial:    00:85:02:bb:db:2a:fb:7c:d6
000        pubkey:    2048 RSA Key AwEAAfnvY
000        validity:  not before Mar 15 05:11:35 2009 ok
000                   not after  Mar 14 05:11:35 2013 ok
000        subjkey:   ee:f4:f8:2d:b7:63:f9:43:47:b0:0e:f2:c5:c1:96:45:a9:89:ff:33
000        authkey:   ee:f4:f8:2d:b7:63:f9:43:47:b0:0e:f2:c5:c1:96:45:a9:89:ff:33
000        aserial:   00:85:02:bb:db:2a:fb:7c:d6

List of X.509 CA Certificates:

  subject:  "C=IN, O=rvce, CN=ajay"
  issuer:   "C=IN, O=rvce, CN=ajay"
  serial:    00:85:02:bb:db:2a:fb:7c:d6
  validity:  not before Mar 15 05:11:35 2009, ok
             not after  Mar 14 05:11:35 2013, ok
  pubkey:    RSA 2048 bits
Re: [strongSwan] CA
Hi,

Here is a good site on how to work OpenSSL: http://www.madboa.com/geek/openssl/

- Original Message -
From: Daniel Mentz
To: abhishek kumar
Cc: users@lists.strongswan.org
Sent: Saturday, 14 March, 2009 14:10:35
Subject: Re: [strongSwan] CA

You can create all certificates, keys etc. on one machine. As soon as you're done with creating all certificates you copy the appropriate files to the corresponding machines. Search the web for a detailed tutorial on how to create a CA and issue certificates with OpenSSL. Get back to the mailing list if you have questions. Please include error messages as well.

I don't see the reason why you copy strongswanKey.pem (the key of the CA) from moon to sun. This key should be kept secret. You can create the CA infrastructure on a completely different machine. None of the IPsec peers has to (or, say, should) be involved.

abhishek kumar wrote:
> hello..
> please tell me how to create a host certificate and key.
>
> This is how I have done it in the host-host case:
>
> 1. created strongswanCert.pem, strongswanKey.pem [at moon] using the README file.
> 2. then I pasted strongswanCert.pem, strongswanKey.pem at sun.
> 3. created hostCert.pem, hostReq.pem at the respective moon and sun.
> 4. certificate request is signed by CA [in openssl.conf, it is CA=strongswanCert.pem] both at moon and sun.
> 5. then it created hostKey.pem both at moon and sun.
>
> Are the above five steps right? If not, please help me find the mistake.

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] CA
You can create all certificates, keys etc. on one machine. As soon as you're done with creating all certificates you copy the appropriate files to the corresponding machines. Search the web for a detailed tutorial on how to create a CA and issue certificates with OpenSSL. Get back to the mailing list if you have questions. Please include error messages as well.

I don't see the reason why you copy strongswanKey.pem (the key of the CA) from moon to sun. This key should be kept secret. You can create the CA infrastructure on a completely different machine. None of the IPsec peers has to (or, say, should) be involved.

abhishek kumar wrote:
> hello..
> please tell me how to create a host certificate and key.
>
> This is how I have done it in the host-host case:
>
> 1. created strongswanCert.pem, strongswanKey.pem [at moon] using the README file.
> 2. then I pasted strongswanCert.pem, strongswanKey.pem at sun.
> 3. created hostCert.pem, hostReq.pem at the respective moon and sun.
> 4. certificate request is signed by CA [in openssl.conf, it is CA=strongswanCert.pem] both at moon and sun.
> 5. then it created hostKey.pem both at moon and sun.
>
> Are the above five steps right? If not, please help me find the mistake.
Re: [strongSwan] First suc6
j.witvl...@mindef.nl wrote:
> Mar 13 12:48:35 wt8510w pluto[7844]: "client1": cannot initiate
> connection with ID wildcards

Did you solve this problem already? If not, then try to get rid of ID wildcards and specify the complete DN in leftid or rightid.
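The two replies above give the procedure in words: build the CA on one machine and never copy its key to a peer (the "CA" thread), and put the complete subject DN into leftid/rightid (the "First suc6" thread). The script below is an added example and is not code from the thread or from the strongSwan project. It creates a CA, issues one certificate per peer signed by that CA (not self-signed), stages only the CA certificate, the host certificate and the host key into the /etc/ipsec.d layout each peer needs, then verifies that each host certificate chains to the staged CA, that the CA key is absent, and prints the subject DN in the comma-separated form used for leftid/rightid. The peer names moon and sun and the "C=IN, O=rvce" naming come from the thread; the CA common name, key sizes, validity periods, the embedded openssl.cnf and the deploy-* directory names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or from strongSwan): offline CA,
# per-peer host certificates, and staging of only the files each peer needs.
# Names moon/sun and "C=IN, O=rvce" come from the thread; everything else
# (CA CN, lifetimes, directory layout, the config below) is assumed.
set -eu

# Self-contained OpenSSL config so results do not depend on the
# distribution's /etc/ssl/openssl.cnf. -subj on the command line overrides [dn].
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C = IN
O = rvce
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_host ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Create the CA and one certificate per peer under $1 (a scratch directory).
build_pki() {
    work=$1
    mkdir -p "$work/ca"
    write_config "$work/openssl.cnf"
    # CA key + self-signed CA certificate. The key stays in $work/ca, mode 0600.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$work/openssl.cnf" -extensions v3_ca \
        -subj "/C=IN/O=rvce/CN=strongSwan Root CA" \
        -keyout "$work/ca/strongswanKey.pem" -out "$work/ca/strongswanCert.pem"
    chmod 600 "$work/ca/strongswanKey.pem"
    # Per peer: key + CSR, then a certificate signed by the CA key.
    for host in moon sun; do
        mkdir -p "$work/$host"
        openssl req -new -newkey rsa:2048 -nodes -config "$work/openssl.cnf" \
            -subj "/C=IN/O=rvce/CN=$host" \
            -keyout "$work/$host/${host}Key.pem" -out "$work/$host/${host}Req.pem"
        openssl x509 -req -days 730 -in "$work/$host/${host}Req.pem" \
            -CA "$work/ca/strongswanCert.pem" -CAkey "$work/ca/strongswanKey.pem" \
            -CAcreateserial -extfile "$work/openssl.cnf" -extensions v3_host \
            -out "$work/$host/${host}Cert.pem"
        chmod 600 "$work/$host/${host}Key.pem"
    done
}

# Stage what one peer's /etc/ipsec.d needs: CA cert, own cert, own key.
# The CA key is deliberately not copied.
stage_peer() {
    work=$1; host=$2; dest=$3
    mkdir -p "$dest/cacerts" "$dest/certs" "$dest/private"
    cp "$work/ca/strongswanCert.pem" "$dest/cacerts/"
    cp "$work/$host/${host}Cert.pem" "$dest/certs/"
    cp "$work/$host/${host}Key.pem" "$dest/private/"
    chmod 700 "$dest/private"
}

# Checks to run before blaming the daemon: the host certificate chains to the
# staged CA and the CA key is absent. On success prints the subject DN as
# "subject=C=IN, O=rvce, CN=<host>", the RDN order to use in leftid/rightid.
verify_peer() {
    dest=$1; host=$2
    openssl verify -CAfile "$dest/cacerts/strongswanCert.pem" \
        "$dest/certs/${host}Cert.pem" >/dev/null || return 1
    [ ! -e "$dest/private/strongswanKey.pem" ] || return 1
    openssl x509 -noout -subject -nameopt oneline,-space_eq \
        -in "$dest/certs/${host}Cert.pem"
}

# Stand-alone run: PKI_DIR=/path sh make_pki.sh (defaults to a fresh mktemp dir).
main() {
    work=${PKI_DIR:-$(mktemp -d)}
    build_pki "$work"
    for host in moon sun; do
        stage_peer "$work" "$host" "$work/deploy-$host"
        verify_peer "$work/deploy-$host" "$host"
    done
    echo "CA key kept in $work/ca; copy deploy-moon and deploy-sun to /etc/ipsec.d on the peers"
}

main
```

After running it, only the deploy-moon and deploy-sun trees are copied to the respective peers; the ca directory (with strongswanKey.pem) stays on the machine that issued the certificates. The printed subject line is what each peer's certificate actually carries, so leftid/rightid can be copied from it rather than typed from memory.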
Re: [strongSwan] docu
j.witvl...@mindef.nl wrote:
> When trying to picture out the differences between tunnels, might this
> be a nice scheme (probably highly-simplified)

Your document looks like an interesting way to visualize the protocol stack. I've got some comments:

There's no BIND protocol. You're talking about DNS. BIND is a product name.

Not every packet that results from web browsing contains an HTTP header. Also, the HTTP header could be split up into two or more separate packets.

What's an SSL tunnel? You're depicting a TLS header inside a UDP datagram, which I've never seen before because TLS runs on top of TCP. I know DTLS (Datagram TLS), but this is rarely used.

Btw, this discussion is a bit off topic. Not sure if the strongSwan people want to see that on this list. Also, please refrain from attaching disclaimers to your e-mails, as they make little sense when sent to a public mailing list.
Re: [strongSwan] ipsec IKEv2 host-host
Dirk Hartmann wrote:
> just a guess: try switching the left and right in ipsec.conf on sun to:
> conn host-host
>     left=192.168.3.4
>     right=192.168.3.3

abhishek kumar, did that solve the problem? If not, please resend the following files, because I've got doubts that you sent the current ipsec.conf of abhishek. So please send the following pieces of data again and double check that they are all up-to-date:

logfiles
ipsec.conf
ipsec statusall
ipsec listall

Get all this data from abhishek.