Re: [strongSwan] FW: strongSwan installs SPs?
Hi,

> Is it possible for a user space program, registered with XFRM, to delete
> policies that charon adds?

Yes.

> Will that create some errors in charon in subsequent processing?

Charon expects a policy, so deleting will fail. As charon uses refcounting
to handle CHILD_SAs with identical policies, even rekeying won't reinstall
your policy.

> When does charon delete policies?

When the associated CHILD_SA gets deleted.

> What happens if charon tries to delete a policy (that it previously added)
> that is no longer there (someone else deleted it)?

The kernel returns a netlink error. Charon logs this error, but continues
as usual.

> Note that the assumption is that IPSEC is being performed by some external
> device, and not the Linux kernel, so the absence of the policy in the
> kernel's SPD is not an issue from the IPSEC perspective.

So if I understand correctly, you are using charon to negotiate tunnels, but
use a dedicated device to actually process IPsec traffic?

Instead of mangling SAs and policies installed by charon, it is probably a
better idea to delegate installation to your IPsec device in the first
place. Our kernel interface is abstracted; we have implementations for XFRM,
generic PF_KEY and KLIPS-compatible PF_KEY. Maybe it is worth considering
your own implementation of the kernel interface [1] that delegates SA/SP
installation to your external device.

Regards
Martin

[1] http://wiki.strongswan.org/repositories/entry/strongswan/src/charon/kernel/kernel_ipsec.h

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
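The sequence Martin describes (a policy deleted behind charon's back, refcounting keeping charon's view unchanged across a rekey, and a final delete that fails with a kernel error but is only logged) is easier to see as a small model. The following is an added example, not charon's code: the class and method names, the simplified selector and the simulated kernel SPD are assumptions chosen for illustration.

```python
"""Model of charon's policy refcounting in front of the kernel SPD.

Added example, not strongSwan code: class and method names are assumptions
chosen for illustration. It walks through the sequence discussed on the list:
another XFRM user deletes a policy charon installed, charon's refcount is
unaffected, a rekey of the CHILD_SA therefore does not reinstall the policy,
and charon's final delete gets a kernel error that is logged, not fatal.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    """Selector identifying an SPD entry (simplified to src/dst/direction)."""
    src: str
    dst: str
    direction: str  # "in" or "out"


class KernelError(Exception):
    """Stands in for the netlink error the kernel returns (e.g. ENOENT)."""


class KernelSPD:
    """Simulated kernel Security Policy Database, reachable by any XFRM user."""

    def __init__(self) -> None:
        self.entries: dict[Policy, int] = {}  # policy -> reqid

    def add(self, policy: Policy, reqid: int) -> None:
        self.entries[policy] = reqid

    def delete(self, policy: Policy) -> None:
        if policy not in self.entries:
            raise KernelError(f"ENOENT: no such policy {policy}")
        del self.entries[policy]


@dataclass
class CharonPolicies:
    """charon-like policy manager: identical policies share one SPD entry."""
    kernel: KernelSPD
    refcount: dict[Policy, int] = field(default_factory=dict)
    log: list[str] = field(default_factory=list)

    def add_policy(self, policy: Policy, reqid: int) -> None:
        # Only the first CHILD_SA using this policy talks to the kernel.
        if self.refcount.get(policy, 0) == 0:
            self.kernel.add(policy, reqid)
        self.refcount[policy] = self.refcount.get(policy, 0) + 1

    def del_policy(self, policy: Policy) -> None:
        self.refcount[policy] -= 1
        if self.refcount[policy] > 0:
            return  # another CHILD_SA still references the same policy
        del self.refcount[policy]
        try:
            self.kernel.delete(policy)
        except KernelError as e:
            # As described on the list: log the error, keep going.
            self.log.append(f"unable to delete policy: {e}")

    def rekey_child_sa(self, policies: list[Policy], new_reqid: int) -> None:
        # The replacement CHILD_SA adds its policies before the old ones are
        # deleted, so the refcount never drops to zero and nothing is reinstalled.
        for p in policies:
            self.add_policy(p, new_reqid)
        for p in policies:
            self.del_policy(p)


def scenario() -> dict:
    """Run the sequence from the thread and return what was observed."""
    kernel = KernelSPD()
    charon = CharonPolicies(kernel)
    pols = [Policy("10.1.0.0/16", "10.2.0.0/16", "out"),
            Policy("10.2.0.0/16", "10.1.0.0/16", "in")]
    for p in pols:
        charon.add_policy(p, reqid=1)
    installed = len(kernel.entries)

    kernel.delete(pols[0])  # some other XFRM user removes charon's policy

    charon.rekey_child_sa(pols, new_reqid=2)
    present_after_rekey = pols[0] in kernel.entries  # still gone

    for p in pols:  # CHILD_SA torn down
        charon.del_policy(p)
    return {
        "installed": installed,
        "present_after_rekey": present_after_rekey,
        "errors_logged": len(charon.log),
        "entries_left": len(kernel.entries),
    }


if __name__ == "__main__":
    print(scenario())
```

The point of the model is the gap it exposes: once an external program removes the policy, nothing short of tearing the CHILD_SA down completely (refcount back to zero) makes charon install it again, which is why Martin suggests a kernel interface implementation that hands SA/SP installation to the external device instead.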
Re: [strongSwan] no matching peer config found
Hi,

> I can not find the daemon.log on moon side.

charon by default logs to the DAEMON syslog facility. But it depends on your
syslog configuration which file the syslogger writes to.

> The moon side is Fedora Core 9 Linux.

Our (rather old) Fedora box uses /var/log/daemon.

Regards
Martin
Re: [strongSwan] no trusted RSA public key found
Andreas,

Thanks a lot for your help. I did suspect the time difference, but had not
checked the timezone. I have root permission, so I will change the system
time.

Roger

> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
> Sent: Thursday, August 27, 2009 1:37 PM
> To: Zhang, Long (Roger)
> Cc: users@lists.strongswan.org
> Subject: Re: [strongSwan] no trusted RSA public key found
>
> Hi Roger,
>
> you have a time synchronisation problem on your linux boxes.
> The certificate you generated starts to be valid (notBefore) on
>
>   Aug 27 13:45:47 UTC 2009
>
> The current time on moon is not known but on sun it is
>
>   Aug 27 10:10:11 (Shandong local time).
>
> Since in China you are ahead of UTC by a couple of hours
> it is certainly not yet 13:45:47 UTC. While writing this email
> my watch tells me (Aug 27 5:33:00 UTC 2009) that your certificate
> will not become valid for about another 8 hours from now.
> So either generate a new certificate [without an email RDN anyway]
> or just be patient ;-)
>
> Best regards
>
> Andreas
>
> Zhang, Long (Roger) wrote:
> > Hi,
> >
> > I am trying IPSec with StrongSwan on two Linux. The example is
> > http://www.strongswan.org/uml/testresults43/ikev2/host2host-cert/
> >
> > Currently I see a problem "no trusted RSA public key found". I do not
> > know why it is reported. My certificate sunCert.pem looks good. And the CA
> > is shared for sun and moon both sides. Anyone can help? Thanks!
> >
> > [r...@localhost etc]# /usr/local/sbin/ipsec up host-host
> > initiating IKE_SA host-host[1] to 135.252.130.87
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from 135.252.131.87[500] to 135.252.130.87[500]
> > received packet: from 135.252.130.87[500] to 135.252.131.87[500]
> > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> > received cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
> > sending cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
> > authentication of 'moon.strongswan.org' (myself) with RSA signature successful
> > sending end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
> > establishing CHILD_SA host-host
> > generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> > sending packet: from 135.252.131.87[4500] to 135.252.130.87[4500]
> > received packet: from 135.252.130.87[4500] to 135.252.131.87[4500]
> > parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> > received end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
> > using certificate "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
> > using trusted ca certificate "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
> > subject certificate invalid (valid from Aug 27 13:45:47 UTC 2009 to Aug 27 13:45:47 UTC 2011)
> > no trusted RSA public key found for 'sun.strongswan.org'
> >
> >
> > The daemon.log on sun side. There are some failures at the beginning, but
> > I think they do not impact the problem.
> >
> > Aug 27 10:10:11 qdpat-xp charon: 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.4)
> > Aug 27 10:10:11 qdpat-xp charon: 01[LIB] plugin 'curl': failed to load '/usr/local/libexec/ipsec/plugins/libstrongswan-curl.so' - /usr/local/libexec/ipsec/plugins/libstrongswan-curl.so: cannot open shared object file: No such file or directory
> > Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> > Aug 27 10:10:11 qdpat-xp charon: 01[LIB] missing passphrase
> > Aug 27 10:10:11 qdpat-xp charon: 01[LIB] failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)
> > Aug 27 10:10:11 qdpat-xp charon: 01[LIB] loaded certificate file '/usr/local/etc/ipsec.d/cacerts/strongswanCert.pem'
> > Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> > Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> > Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> > Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> > Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> > Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loaded private key file '/usr/local/etc/ipsec.d/reqs/hostKey.pem'
> > Aug 27 10:10:11 qdpat-xp charon: 01[KNL] listening on interfaces:
> > Aug 27 10:10:11 qdpat-xp charon: 01[KNL]   eth0
> > Aug 27 10:10:11 qdpat-xp charon: 01[KNL]     135.2
Re: [strongSwan] no trusted RSA public key found
Hi Roger,

you have a time synchronisation problem on your linux boxes.
The certificate you generated starts to be valid (notBefore) on

  Aug 27 13:45:47 UTC 2009

The current time on moon is not known but on sun it is

  Aug 27 10:10:11 (Shandong local time).

Since in China you are ahead of UTC by a couple of hours
it is certainly not yet 13:45:47 UTC. While writing this email
my watch tells me (Aug 27 5:33:00 UTC 2009) that your certificate
will not become valid for about another 8 hours from now.
So either generate a new certificate [without an email RDN anyway]
or just be patient ;-)

Best regards

Andreas

Zhang, Long (Roger) wrote:
> Hi,
>
> I am trying IPSec with StrongSwan on two Linux. The example is
> http://www.strongswan.org/uml/testresults43/ikev2/host2host-cert/
>
> Currently I see a problem "no trusted RSA public key found". I do not know
> why it is reported. My certificate sunCert.pem looks good. And the CA is
> shared for sun and moon both sides. Anyone can help? Thanks!
>
> [r...@localhost etc]# /usr/local/sbin/ipsec up host-host
> initiating IKE_SA host-host[1] to 135.252.130.87
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 135.252.131.87[500] to 135.252.130.87[500]
> received packet: from 135.252.130.87[500] to 135.252.131.87[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> received cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
> sending cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
> authentication of 'moon.strongswan.org' (myself) with RSA signature successful
> sending end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
> establishing CHILD_SA host-host
> generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> sending packet: from 135.252.131.87[4500] to 135.252.130.87[4500]
> received packet: from 135.252.130.87[4500] to 135.252.131.87[4500]
> parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> received end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
> using certificate "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
> using trusted ca certificate "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
> subject certificate invalid (valid from Aug 27 13:45:47 UTC 2009 to Aug 27 13:45:47 UTC 2011)
> no trusted RSA public key found for 'sun.strongswan.org'
>
>
> The daemon.log on sun side. There are some failures at the beginning, but I
> think they do not impact the problem.
>
> Aug 27 10:10:11 qdpat-xp charon: 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.4)
> Aug 27 10:10:11 qdpat-xp charon: 01[LIB] plugin 'curl': failed to load '/usr/local/libexec/ipsec/plugins/libstrongswan-curl.so' - /usr/local/libexec/ipsec/plugins/libstrongswan-curl.so: cannot open shared object file: No such file or directory
> Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> Aug 27 10:10:11 qdpat-xp charon: 01[LIB] missing passphrase
> Aug 27 10:10:11 qdpat-xp charon: 01[LIB] failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)
> Aug 27 10:10:11 qdpat-xp charon: 01[LIB] loaded certificate file '/usr/local/etc/ipsec.d/cacerts/strongswanCert.pem'
> Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loaded private key file '/usr/local/etc/ipsec.d/reqs/hostKey.pem'
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL] listening on interfaces:
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL]   eth0
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL]     135.252.130.87
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL]     172.16.25.2
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL]     fe80::213:72ff:fe93:850d
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL]   vmnet1
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL]     172.16.25.1
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL]     fe80::250:56ff:fec0:1
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL]   vmnet8
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL]     172.16.223.1
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL]     fe80::250:56ff:fec0:8
> Aug 27 10:10:11
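Andreas's diagnosis rests on two pieces of Roger's output: the "subject certificate invalid (valid from ... to ...)" line from `ipsec up`, and the syslog timestamp on the daemon log, which shows the host's local clock. The following is an added example, not strongSwan code, that correlates the two and reports how far the host clock sits from notBefore. The sample lines are constructed from the thread; the UTC offset (+8 for Shandong) and the year are assumptions supplied by the caller, because syslog stamps carry neither.

```python
"""Check whether a certificate's validity window explains an IKE_AUTH failure.

Added example, not strongSwan code. It parses the charon message
"subject certificate invalid (valid from ... to ...)" and the syslog
timestamp of a daemon log line, then reports how far the host clock is
from the certificate's notBefore/notAfter. The sample lines below are
constructed from the thread; the host's UTC offset is an assumption the
caller passes in (syslog lines carry neither year nor time zone).
"""
import re
from datetime import datetime, timedelta, timezone

VALIDITY_RE = re.compile(
    r"subject certificate invalid \(valid from (?P<nb>.+?) to (?P<na>.+?)\)")
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
CERT_TIME_FMT = "%b %d %H:%M:%S UTC %Y"   # as charon prints validity dates


def parse_validity(line):
    """Return (not_before, not_after) as aware UTC datetimes, or None."""
    m = VALIDITY_RE.search(line)
    if not m:
        return None
    nb = datetime.strptime(m["nb"], CERT_TIME_FMT).replace(tzinfo=timezone.utc)
    na = datetime.strptime(m["na"], CERT_TIME_FMT).replace(tzinfo=timezone.utc)
    return nb, na


def parse_syslog_time(line, year, utc_offset_hours):
    """Turn a syslog stamp into an aware UTC datetime using the supplied offset."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    local = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
    tz = timezone(timedelta(hours=utc_offset_hours))
    return local.replace(tzinfo=tz).astimezone(timezone.utc)


def check_window(now_utc, not_before, not_after):
    """Classify the clock against the window and return the offending delta."""
    if now_utc < not_before:
        return "not_yet_valid", not_before - now_utc
    if now_utc > not_after:
        return "expired", now_utc - not_after
    return "valid", timedelta(0)


def diagnose(ipsec_up_output, daemon_log, utc_offset_hours):
    """Correlate the failure message with the host clock seen in the daemon log."""
    window = next(filter(None, map(parse_validity, ipsec_up_output)), None)
    if window is None:
        return None
    not_before, not_after = window
    # The first daemon log line carries the host's wall clock at daemon start.
    now = parse_syslog_time(daemon_log[0], not_before.year, utc_offset_hours)
    status, delta = check_window(now, not_before, not_after)
    return {
        "status": status,
        "host_utc": now.isoformat(),
        "delta_seconds": int(delta.total_seconds()),
    }


# Constructed sample lines modelled on the output quoted in the thread.
IPSEC_UP_OUTPUT = [
    'received end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org"',
    "subject certificate invalid (valid from Aug 27 13:45:47 UTC 2009 to Aug 27 13:45:47 UTC 2011)",
    "no trusted RSA public key found for 'sun.strongswan.org'",
]
DAEMON_LOG = [
    "Aug 27 10:10:11 qdpat-xp charon: 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.4)",
]

if __name__ == "__main__":
    print(diagnose(IPSEC_UP_OUTPUT, DAEMON_LOG, utc_offset_hours=8))
```

With the thread's values this reports `not_yet_valid` and a delta of 11 h 35 min measured from sun's clock (10:10:11 at UTC+8 is 02:10:11 UTC), consistent with Andreas's "about another 8 hours" at 05:33 UTC. The check uses the local clock exactly as charon does, so a wrong system time or time zone produces this failure even with a correct certificate and CA; keep both peers on NTP rather than shifting the clock by hand.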
Re: [strongSwan] no matching peer config found
Andreas,

Thanks for your detailed explanation. One more question. I can not find
the daemon.log on moon side. It seems it is not generated. Then how can I
generate it? The moon side is Fedora Core 9 Linux.

Roger

> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
> Sent: Thursday, August 27, 2009 1:25 PM
> To: Zhang, Long (Roger)
> Cc: Martin Willi; users@lists.strongswan.org
> Subject: Re: [strongSwan] no matching peer config found
>
> Roger,
>
> as Martin mentioned in his previous mail, a stupid bug was introduced
> some time back in the strongSwan 4.3 branch that incorrectly encodes
> the email address in a left|rightid="" statement. There are
> the following workarounds:
>
> 1) Don't use email RDNs in DNs since they are bad practice anyway.
> 2) Use a subjectAltName in left|rightid
> 3) Apply the patch [1] to your strongSwan 4.3.x distribution. The
>    patch fixes the ASN.1 email OID encoding.
> 4) Use the latest strongSwan developer release 4.3.5dr1 [2]
>
> [1] http://wiki.strongswan.org/repositories/diff/strongswan?rev=c8b543a6
> [2] http://download.strongswan.org/strongswan-4.3.5dr1.tar.bz2
>
> Best regards
>
> Andreas
>
> Zhang, Long (Roger) wrote:
> > Martin,
> >
> > I can pass authentication now after I set subjectAltName, but I always
> > failed when I use the DN. Curious what is wrong.
> >
> > Thanks,
> > Roger
> >
> >> -----Original Message-----
> >> From: users-boun...@lists.strongswan.org [mailto:users-
> >> boun...@lists.strongswan.org] On Behalf Of Zhang, Long (Roger)
> >> Sent: Thursday, August 27, 2009 8:58 AM
> >> To: Martin Willi
> >> Cc: users@lists.strongswan.org
> >> Subject: Re: [strongSwan] no matching peer config found
> >>
> >> Martin,
> >>
> >> Thanks for your reply.
> >>
> >> I tried with the full DN, but still failed :-(
> >>
> >> I tried with DN "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
> >> e=...@alcatel-lucent.com" and "C=CN, ST=Shandong, O=ALU, OU=RD,
> >> CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com" and
> >> combinations of leftid and rightid. Still failed. I will try to add
> >> subjectAltName to the certificate.
> >>
> >> Aug 27 08:49:52 qdpat-xp charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> >> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] received cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
> >> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] received end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
> >> Aug 27 08:49:52 qdpat-xp charon: 11[CFG] looking for peer configs matching 135.252.130.87[C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, emailaddress=...@alcatel-lucent.com]...135.252.131.87[c=cn, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com]
> >> Aug 27 08:49:52 qdpat-xp charon: 11[CFG] no matching peer config found
> >> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] peer supports MOBIKE
> >> Aug 27 08:49:52 qdpat-xp charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> >> Aug 27 08:49:52 qdpat-xp charon: 11[NET] sending packet: from 135.252.130.87[4500] to 135.252.131.87[4500]
> >>
> >> Sun side ipsec.conf
> >> # /etc/ipsec.conf - strongSwan IPsec configuration file
> >>
> >> config setup
> >>         crlcheckinterval=180
> >>         strictcrlpolicy=no
> >>         plutostart=no
> >>
> >> conn %default
> >>         ikelifetime=60m
> >>         keylife=20m
> >>         rekeymargin=3m
> >>         keyingtries=1
> >>         keyexchange=ikev2
> >>
> >> conn host-host
> >>         left=135.252.130.87
> >>         leftcert=/usr/local/etc/ipsec.d/certs/sunCert.pem
> >>         #leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
> >>         leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, emailaddress=...@alcatel-lucent.com"
> >>         #left...@sun.strongswan.org
> >>         leftfirewall=no
> >>         right=135.252.131.87
> >>         rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
> >>         #rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com"
> >>         #right...@moon.strongswan.org
> >>         auto=add
> >>
> >>
> >> moon side ipsec.conf
> >> # /etc/ipsec.conf - strongSwan IPsec configuration file
> >>
> >> config setup
> >>         crlcheckinterval=180
> >>         strictcrlpolicy=no
> >>         plutostart=no
> >>
> >> conn %default
> >>         ikelifetime=60m
> >>         keylife=20m
> >>         rekeymargin=3m
> >>         keyingtries=1
> >>         keyexchange=ikev2
> >>
> >> conn host-host
> >>         left=135.252.131.87
> >>         leftcert=/etc/ipsec.d/certs/moonCert.pem
> >>         leftid="C=CN, ST=Shandong
Re: [strongSwan] no matching peer config found
Roger,

as Martin mentioned in his previous mail, a stupid bug was introduced
some time back in the strongSwan 4.3 branch that incorrectly encodes
the email address in a left|rightid="" statement. There are
the following workarounds:

1) Don't use email RDNs in DNs since they are bad practice anyway.
2) Use a subjectAltName in left|rightid
3) Apply the patch [1] to your strongSwan 4.3.x distribution. The
   patch fixes the ASN.1 email OID encoding.
4) Use the latest strongSwan developer release 4.3.5dr1 [2]

[1] http://wiki.strongswan.org/repositories/diff/strongswan?rev=c8b543a6
[2] http://download.strongswan.org/strongswan-4.3.5dr1.tar.bz2

Best regards

Andreas

Zhang, Long (Roger) wrote:
> Martin,
>
> I can pass authentication now after I set subjectAltName, but I always
> failed when I use the DN. Curious what is wrong.
>
> Thanks,
> Roger
>
>> -----Original Message-----
>> From: users-boun...@lists.strongswan.org [mailto:users-
>> boun...@lists.strongswan.org] On Behalf Of Zhang, Long (Roger)
>> Sent: Thursday, August 27, 2009 8:58 AM
>> To: Martin Willi
>> Cc: users@lists.strongswan.org
>> Subject: Re: [strongSwan] no matching peer config found
>>
>> Martin,
>>
>> Thanks for your reply.
>>
>> I tried with the full DN, but still failed :-(
>>
>> I tried with DN "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
>> e=...@alcatel-lucent.com" and "C=CN, ST=Shandong, O=ALU, OU=RD,
>> CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com" and
>> combinations of leftid and rightid. Still failed. I will try to add
>> subjectAltName to the certificate.
>>
>> Aug 27 08:49:52 qdpat-xp charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
>> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] received cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
>> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] received end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
>> Aug 27 08:49:52 qdpat-xp charon: 11[CFG] looking for peer configs matching 135.252.130.87[C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, emailaddress=...@alcatel-lucent.com]...135.252.131.87[c=cn, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com]
>> Aug 27 08:49:52 qdpat-xp charon: 11[CFG] no matching peer config found
>> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] peer supports MOBIKE
>> Aug 27 08:49:52 qdpat-xp charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> Aug 27 08:49:52 qdpat-xp charon: 11[NET] sending packet: from 135.252.130.87[4500] to 135.252.131.87[4500]
>>
>> Sun side ipsec.conf
>> # /etc/ipsec.conf - strongSwan IPsec configuration file
>>
>> config setup
>>         crlcheckinterval=180
>>         strictcrlpolicy=no
>>         plutostart=no
>>
>> conn %default
>>         ikelifetime=60m
>>         keylife=20m
>>         rekeymargin=3m
>>         keyingtries=1
>>         keyexchange=ikev2
>>
>> conn host-host
>>         left=135.252.130.87
>>         leftcert=/usr/local/etc/ipsec.d/certs/sunCert.pem
>>         #leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
>>         leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, emailaddress=...@alcatel-lucent.com"
>>         #left...@sun.strongswan.org
>>         leftfirewall=no
>>         right=135.252.131.87
>>         rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
>>         #rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com"
>>         #right...@moon.strongswan.org
>>         auto=add
>>
>>
>> moon side ipsec.conf
>> # /etc/ipsec.conf - strongSwan IPsec configuration file
>>
>> config setup
>>         crlcheckinterval=180
>>         strictcrlpolicy=no
>>         plutostart=no
>>
>> conn %default
>>         ikelifetime=60m
>>         keylife=20m
>>         rekeymargin=3m
>>         keyingtries=1
>>         keyexchange=ikev2
>>
>> conn host-host
>>         left=135.252.131.87
>>         leftcert=/etc/ipsec.d/certs/moonCert.pem
>>         leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
>>         #leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com"
>>         #left...@moon.strongswan.org
>>         leftfirewall=no
>>         right=135.252.130.87
>>         rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
>>         #rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, emailaddress=...@alcatel-lucent.com"
>>         #right...@sun.strongswan.org
>>         auto=add
>>
>> Thanks,
>> Roger
>>
>>> -----Original Message-----
>>> From: Martin Willi [mailto:mar...@strongswan.org]
>>> Sent: Wednesday, August 26, 2009 10:10 PM
>>> To
[strongSwan] no trusted RSA public key found
Hi,

I am trying IPSec with StrongSwan on two Linux. The example is
http://www.strongswan.org/uml/testresults43/ikev2/host2host-cert/

Currently I see a problem "no trusted RSA public key found". I do not know
why it is reported. My certificate sunCert.pem looks good. And the CA is
shared for sun and moon both sides. Anyone can help? Thanks!

[r...@localhost etc]# /usr/local/sbin/ipsec up host-host
initiating IKE_SA host-host[1] to 135.252.130.87
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 135.252.131.87[500] to 135.252.130.87[500]
received packet: from 135.252.130.87[500] to 135.252.131.87[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
sending cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
authentication of 'moon.strongswan.org' (myself) with RSA signature successful
sending end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
establishing CHILD_SA host-host
generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
sending packet: from 135.252.131.87[4500] to 135.252.130.87[4500]
received packet: from 135.252.130.87[4500] to 135.252.131.87[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
received end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
using certificate "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
using trusted ca certificate "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
subject certificate invalid (valid from Aug 27 13:45:47 UTC 2009 to Aug 27 13:45:47 UTC 2011)
no trusted RSA public key found for 'sun.strongswan.org'


The daemon.log on sun side. There are some failures at the beginning, but I
think they do not impact the problem.

Aug 27 10:10:11 qdpat-xp charon: 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.4)
Aug 27 10:10:11 qdpat-xp charon: 01[LIB] plugin 'curl': failed to load '/usr/local/libexec/ipsec/plugins/libstrongswan-curl.so' - /usr/local/libexec/ipsec/plugins/libstrongswan-curl.so: cannot open shared object file: No such file or directory
Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Aug 27 10:10:11 qdpat-xp charon: 01[LIB] missing passphrase
Aug 27 10:10:11 qdpat-xp charon: 01[LIB] failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)
Aug 27 10:10:11 qdpat-xp charon: 01[LIB] loaded certificate file '/usr/local/etc/ipsec.d/cacerts/strongswanCert.pem'
Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loaded private key file '/usr/local/etc/ipsec.d/reqs/hostKey.pem'
Aug 27 10:10:11 qdpat-xp charon: 01[KNL] listening on interfaces:
Aug 27 10:10:11 qdpat-xp charon: 01[KNL]   eth0
Aug 27 10:10:11 qdpat-xp charon: 01[KNL]     135.252.130.87
Aug 27 10:10:11 qdpat-xp charon: 01[KNL]     172.16.25.2
Aug 27 10:10:11 qdpat-xp charon: 01[KNL]     fe80::213:72ff:fe93:850d
Aug 27 10:10:11 qdpat-xp charon: 01[KNL]   vmnet1
Aug 27 10:10:11 qdpat-xp charon: 01[KNL]     172.16.25.1
Aug 27 10:10:11 qdpat-xp charon: 01[KNL]     fe80::250:56ff:fec0:1
Aug 27 10:10:11 qdpat-xp charon: 01[KNL]   vmnet8
Aug 27 10:10:11 qdpat-xp charon: 01[KNL]     172.16.223.1
Aug 27 10:10:11 qdpat-xp charon: 01[KNL]     fe80::250:56ff:fec0:8
Aug 27 10:10:11 qdpat-xp charon: 01[DMN] loaded plugins: aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
Aug 27 10:10:11 qdpat-xp charon: 01[JOB] spawning 16 worker threads
Aug 27 10:10:11 qdpat-xp charon: 03[CFG] received stroke: add connection 'host-host'
Aug 27 10:10:11 qdpat-xp charon: 03[LIB] loaded certificate file '/usr/local/etc/ipsec.d/certs/sunCert.pem'
Aug 27 10:10:11 qdpat-xp charon: 03[CFG] added configuration 'host-host'
Aug 27 10:10:15 qdpat-xp charon: 10[NET] received packet: from 135.252.131.87[500] to 135.252.130.87[500]
Aug 27 10:10:15 qdpat-xp charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Aug 27 10:10:15 qdpat-xp charon: 10[IKE] 135.252.131.87 is initiating an IKE_SA
Aug 27 10:10:15 qdpat-xp charon: 10[IKE] sen
Re: [strongSwan] no matching peer config found
Martin,

I can pass authentication now after I set subjectAltName, but I always
failed when I use the DN. Curious what is wrong.

Thanks,
Roger

> -----Original Message-----
> From: users-boun...@lists.strongswan.org [mailto:users-
> boun...@lists.strongswan.org] On Behalf Of Zhang, Long (Roger)
> Sent: Thursday, August 27, 2009 8:58 AM
> To: Martin Willi
> Cc: users@lists.strongswan.org
> Subject: Re: [strongSwan] no matching peer config found
>
> Martin,
>
> Thanks for your reply.
>
> I tried with the full DN, but still failed :-(
>
> I tried with DN "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
> e=...@alcatel-lucent.com" and "C=CN, ST=Shandong, O=ALU, OU=RD,
> CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com" and
> combinations of leftid and rightid. Still failed. I will try to add
> subjectAltName to the certificate.
>
> Aug 27 08:49:52 qdpat-xp charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] received cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] received end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
> Aug 27 08:49:52 qdpat-xp charon: 11[CFG] looking for peer configs matching 135.252.130.87[C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, emailaddress=...@alcatel-lucent.com]...135.252.131.87[c=cn, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com]
> Aug 27 08:49:52 qdpat-xp charon: 11[CFG] no matching peer config found
> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] peer supports MOBIKE
> Aug 27 08:49:52 qdpat-xp charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Aug 27 08:49:52 qdpat-xp charon: 11[NET] sending packet: from 135.252.130.87[4500] to 135.252.131.87[4500]
>
> Sun side ipsec.conf
> # /etc/ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>         crlcheckinterval=180
>         strictcrlpolicy=no
>         plutostart=no
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>
> conn host-host
>         left=135.252.130.87
>         leftcert=/usr/local/etc/ipsec.d/certs/sunCert.pem
>         #leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
>         leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, emailaddress=...@alcatel-lucent.com"
>         #left...@sun.strongswan.org
>         leftfirewall=no
>         right=135.252.131.87
>         rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
>         #rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com"
>         #right...@moon.strongswan.org
>         auto=add
>
>
> moon side ipsec.conf
> # /etc/ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>         crlcheckinterval=180
>         strictcrlpolicy=no
>         plutostart=no
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>
> conn host-host
>         left=135.252.131.87
>         leftcert=/etc/ipsec.d/certs/moonCert.pem
>         leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
>         #leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com"
>         #left...@moon.strongswan.org
>         leftfirewall=no
>         right=135.252.130.87
>         rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
>         #rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, emailaddress=...@alcatel-lucent.com"
>         #right...@sun.strongswan.org
>         auto=add
>
> Thanks,
> Roger
>
> > -----Original Message-----
> > From: Martin Willi [mailto:mar...@strongswan.org]
> > Sent: Wednesday, August 26, 2009 10:10 PM
> > To: Zhang, Long (Roger)
> > Cc: users@lists.strongswan.org
> > Subject: Re: [strongSwan] no matching peer config found
> >
> > Hi Roger,
> >
> > > peerid sun.strongswan.org not confirmed by certificate, defaulting to
> > > subject DN: C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
> > > e=...@alcatel-lucent.com
> >
> > strongSwan requires the peer ID to be contained in the certificate
> > (either the complete DN, or as a subjectAltName, a matching CN= is
> > insufficient).
> >
> > Either add your peer identities as subjectAltName, or use the complete
> > DN of your certificate as peer identity.
> >
> > If you have E= in your peer DN identities, make sure to apply [1], there
> > was a regression in 4.3.4 with email OID handling.
> >
> > Regards
> > Martin
> >
> > [1]http://wiki.strongswan.
Re: [strongSwan] no matching peer config found
Martin,

Thanks for your reply. I tried with the full DN, but still failed :-(

I tried with DN "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com" and "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com" and combinations of leftid and rightid. Still failed. I will try to add subjectAltName to the certificate.

Aug 27 08:49:52 qdpat-xp charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
Aug 27 08:49:52 qdpat-xp charon: 11[IKE] received cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
Aug 27 08:49:52 qdpat-xp charon: 11[IKE] received end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
Aug 27 08:49:52 qdpat-xp charon: 11[CFG] looking for peer configs matching 135.252.130.87[C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, emailaddress=...@alcatel-lucent.com]...135.252.131.87[c=cn, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com]
Aug 27 08:49:52 qdpat-xp charon: 11[CFG] no matching peer config found
Aug 27 08:49:52 qdpat-xp charon: 11[IKE] peer supports MOBIKE
Aug 27 08:49:52 qdpat-xp charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 27 08:49:52 qdpat-xp charon: 11[NET] sending packet: from 135.252.130.87[4500] to 135.252.131.87[4500]

Sun side ipsec.conf

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
    crlcheckinterval=180
    strictcrlpolicy=no
    plutostart=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn host-host
    left=135.252.130.87
    leftcert=/usr/local/etc/ipsec.d/certs/sunCert.pem
    #leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
    leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, emailaddress=...@alcatel-lucent.com"
    #left...@sun.strongswan.org
    leftfirewall=no
    right=135.252.131.87
    rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
    #rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com"
    #right...@moon.strongswan.org
    auto=add

moon side ipsec.conf

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
    crlcheckinterval=180
    strictcrlpolicy=no
    plutostart=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn host-host
    left=135.252.131.87
    leftcert=/etc/ipsec.d/certs/moonCert.pem
    leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
    #leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com"
    #left...@moon.strongswan.org
    leftfirewall=no
    right=135.252.130.87
    rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
    #rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, emailaddress=...@alcatel-lucent.com"
    #right...@sun.strongswan.org
    auto=add

Thanks,
Roger

> -----Original Message-----
> From: Martin Willi [mailto:mar...@strongswan.org]
> Sent: Wednesday, August 26, 2009 10:10 PM
> To: Zhang, Long (Roger)
> Cc: users@lists.strongswan.org
> Subject: Re: [strongSwan] no matching peer config found
>
> Hi Roger,
>
> > peerid sun.strongswan.org not confirmed by certificate, defaulting to
> > subject DN: C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
> > e=...@alcatel-lucent.com
>
> strongSwan requires the peer ID to be contained in the certificate
> (either the complete DN, or as a subjectAltName, a matching CN= is
> insufficient).
>
> Either add your peer identities as subjectAltName, or use the complete
> DN of your certificate as peer identity.
>
> If you have E= in your peer DN identities, make sure to apply [1], there
> is a regression in 4.3.4 with email OID handling.
>
> Regards
> Martin
>
> [1]http://wiki.strongswan.org/repositories/diff/strongswan?rev=c8b543a6
>
___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] FW: strongSwan installs SPs?
Hi Andreas:

Is it possible for a user space program, registered with XFRM, to delete policies that charon adds? Will that create some errors in charon in subsequent processing? When does charon delete policies? What happens if charon tries to delete a policy (that it previously added) that is no longer there (someone else deleted it)?

Note that the assumption is that IPSEC is being performed by some external device, and not the Linux kernel, so the absence of the policy in the kernel's SPD is not an issue from the IPSEC perspective.

Thanks,
Stephen

>-----Original Message-----
>From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
>Sent: Monday, July 27, 2009 1:52 PM
>To: Stephen Pisano
>Cc: users@lists.strongswan.org
>Subject: Re: [strongSwan] FW: strongSwan installs SPs?
>
>Hi Stephen,
>
>strongSwan can assign a preliminary IPsec SA and a corresponding
>reqid using auto=route without installing an SPD in the kernel
>(installpolicy=no). This is used in our Mobile IPv6 scenario:
>
>http://wiki.strongswan.org/wiki/strongswan/MobileNodeSetup
>
>The current disadvantage is that the XFRM_ACQUIRE message which
>will trigger the actual IKE negotiation must use the correct reqid.
>This is not a problem if only one tunnel is managed but might be tricky
>with multiple tunnel definitions pre-started with auto=route. As an
>alternative we could create the SA definition on demand applying a
>closest match on the traffic selectors that are received via the
>XFRM_ACQUIRE message.
>
>Best regards
>
>Andreas
>
>Stephen Pisano wrote:
>> Hi Andreas,
>>
>> That is just the kind of solution I had in mind.
>>
>> Are you aware of any other SPD dependencies?
>>
>> I think I found one, which I wanted to get your view on.
>>
>> The area of functionality is SA establishment via a kernel ACQUIRE.
>>
>> In ike_sa.c:acquire(), there is the following snippet:
>>
>> /* find CHILD_SA */
>> iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
>> while (iterator->iterate(iterator, (void**)&current))
>> {
>>     if (current->get_reqid(current) == reqid)
>>     {
>>         child_sa = current;
>>         break;
>>     }
>> }
>> iterator->destroy(iterator);
>> if (!child_sa)
>> {
>>     DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: "
>>          "CHILD_SA not found", reqid);
>>     return FAILED;
>> }
>>
>> I interpret this to mean that you can only initiate an SA establishment via
>> a kernel ACQUIRE if there is an existing SA (which was generated with a
>> policy in the SPD, having a certain reqid).
>>
>> Is this a correct interpretation?
>>
>> Thanks,
>> Stephen
>>
>>> -----Original Message-----
>>> From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
>>> Sent: Wednesday, July 22, 2009 7:20 AM
>>> To: Stephen Pisano
>>> Cc: users@lists.strongswan.org
>>> Subject: Re: [strongSwan] FW: strongSwan installs SPs?
>>>
>>> Hi Stephen,
>>>
>>> we could introduce e.g. a new charon.no_spd_available configuration
>>> option in /etc/strongswan.conf that would redefine the
>>> child_sa_t.get_usetime() method:
>>>
>>> http://wiki.strongswan.org/repositories/entry/strongswan/src/charon/sa/child_sa.c#L357
>>>
>>> Instead of using the kernel_interface->query_policy() method
>>> a new kernel_interface->query_sa() method that we wanted to
>>> implement anyway in one of the next releases, would retrieve
>>> the current number of packets/bytes and compare it with the
>>> previously retrieved value cached in the child_sa_t object.
>>> I think I even implemented such an approach in pluto's KLIPS
>>> kernel interface many years ago.
>>>
>>> Best regards
>>>
>>> Andreas
>>>
>>> Stephen Pisano wrote:
>>>> Thanks Andreas, please see my comment below.
>>>>
>>>>> -----Original Message-----
>>>>> From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
>>>>> Sent: Wednesday, July 22, 2009 2:12 AM
>>>>> To: Stephen Pisano
>>>>> Cc: users@lists.strongswan.org
>>>>> Subject: Re: [strongSwan] FW: strongSwan installs SPs?
>>>>>
>>>>> Hello Stephen,
>>>>>
>>>>> installpolicy=no just means that the IKEv2 charon daemon does not
>>>>> use the add_policy() and del_policy() methods of the kernel interface
>>>>> to actively manage the IPsec policies but delegates these tasks to
>>>>> another process on the same host. charon still uses the query_policy()
>>>>> method to get the use_time status information for liveliness checks.
>>>>
>>>> [pisano] Ah, yes, I understand what you're saying, but consider an
>>>> application where the SPD is not used and the IKE daemon is to be used
>>>> for SA management alone. With the current behavior, this places a
>>>> dependency between the IKE daemon and the presence of a policy in the SPD.
>>>>
>>>>> Concerning your question why we don't query the SA's use_time instead,
>>>>> you are not the only wond
Re: [strongSwan] charon supports ipv4 or ipv6?
ipsec statusall shows the connection definitions. Andreas Yong Choo wrote: > > Will the charon's log show the auto-detected ipv4 .vs. ipv6 per connection? > > I looked at the daemon.log & auth.log example but did not see. Perhaps I > need to enable more charon debug level? > > Yong Choo wrote: >> Auto Detect! The Best! >> Thank You! >> >> Andreas Steffen wrote: >>> Hi Yong Choo, >>> >>> we don't use the --ipv4, --ipv6, --tunnelipv4, and --tunnelipv6 >>> options at all. I think they are FreeS/WAN legacy and should be >>> removed from our man pages. >>> >>> Both strongSwan pluto and strongSwan charon detect IPv4 and IPv6 >>> addresses automatically, so you don't have to give any explicit >>> IP address family hints. >>> >>> Here are a couple of charon IPv4 and IPv6 example configurations: >>> >>> http://wiki.strongswan.org/wiki/strongswan/IKEv2Examples >>> >>> Regards >>> >>> Andreas >>> >>> Yong Choo wrote: >>> Hi all, I want to enable charon and disable pluto in order to limit to IKEv2 without 'mobike'. When I enable charon in ipsec.conf, - does charon support only ipv6? (It was not clear whether this is the default behavior for 'charon' in the description http://www.strongswan.org/index.htm) - I read pluto man page where the usage of ipv4/6 can be controlled by --ipv4 --ipv6, --tunnelipv4, --tunnelipv6 options but it was not clear on the charon. - man page on the ipsec.config did not mention about controlling ipv4 .vs. ipv6. Thanks Again, -Yong Choo == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===[ITA-HSR]== ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] charon supports ipv4 or ipv6?
Will the charon's log show the auto-detected ipv4 .vs. ipv6 per connection? I looked at the daemon.log & auth.log example but did not see. Perhaps I need to enable more charon debug level? Yong Choo wrote: > Auto Detect! The Best! > Thank You! > > Andreas Steffen wrote: >> Hi Yong Choo, >> >> we don't use the --ipv4, --ipv6, --tunnelipv4, and --tunnelipv6 >> options at all. I think they are FreeS/WAN legacy and should be >> removed from our man pages. >> >> Both strongSwan pluto and strongSwan charon detect IPv4 and IPv6 >> addresses automatically, so you don't have to give any explicit >> IP address family hints. >> >> Here are a couple of charon IPv4 and IPv6 example configurations: >> >> http://wiki.strongswan.org/wiki/strongswan/IKEv2Examples >> >> Regards >> >> Andreas >> >> Yong Choo wrote: >> >>> Hi all, >>> I want to enable charon and disable pluto in order to limit to IKEv2 >>> without 'mobike'. >>> When I enable charon in ipsec.conf, >>> - does charon support only ipv6? >>> >>> (It was not clear whether this is the default behavior for 'charon' >>> in the description http://www.strongswan.org/index.htm) >>> >>> - I read pluto man page where the usage of ipv4/6 can be controlled >>> by --ipv4 --ipv6, --tunnelipv4, --tunnelipv6 options but it was not >>> clear on the charon. >>> - man page on the ipsec.config did not mention about controlling >>> ipv4 .vs. ipv6. >>> >>> Thanks Again, >>> -Yong Choo >>> >> >> == >> Andreas Steffen andreas.stef...@strongswan.org >> strongSwan - the Linux VPN Solution!www.strongswan.org >> >> Institute for Internet Technologies and Applications >> University of Applied Sciences Rapperswil >> CH-8640 Rapperswil (Switzerland) >> ===[ITA-HSR]== >> >> > ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] charon supports ipv4 or ipv6?
Auto Detect! The Best! Thank You! Andreas Steffen wrote: > Hi Yong Choo, > > we don't use the --ipv4, --ipv6, --tunnelipv4, and --tunnelipv6 > options at all. I think they are FreeS/WAN legacy and should be > removed from our man pages. > > Both strongSwan pluto and strongSwan charon detect IPv4 and IPv6 > addresses automatically, so you don't have to give any explicit > IP address family hints. > > Here are a couple of charon IPv4 and IPv6 example configurations: > > http://wiki.strongswan.org/wiki/strongswan/IKEv2Examples > > Regards > > Andreas > > Yong Choo wrote: > >> Hi all, >> I want to enable charon and disable pluto in order to limit to IKEv2 >> without 'mobike'. >> When I enable charon in ipsec.conf, >> - does charon support only ipv6? >> >> (It was not clear whether this is the default behavior for 'charon' in >> the description http://www.strongswan.org/index.htm) >> >> - I read pluto man page where the usage of ipv4/6 can be controlled by >> --ipv4 --ipv6, --tunnelipv4, --tunnelipv6 options but it was not clear >> on the charon. >> - man page on the ipsec.config did not mention about controlling ipv4 >> .vs. ipv6. >> >> Thanks Again, >> -Yong Choo >> > > == > Andreas Steffen andreas.stef...@strongswan.org > strongSwan - the Linux VPN Solution!www.strongswan.org > > Institute for Internet Technologies and Applications > University of Applied Sciences Rapperswil > CH-8640 Rapperswil (Switzerland) > ===[ITA-HSR]== > > ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] charon supports ipv4 or ipv6?
Hi Yong Choo, we don't use the --ipv4, --ipv6, --tunnelipv4, and --tunnelipv6 options at all. I think they are FreeS/WAN legacy and should be removed from our man pages. Both strongSwan pluto and strongSwan charon detect IPv4 and IPv6 addresses automatically, so you don't have to give any explicit IP address family hints. Here are a couple of charon IPv4 and IPv6 example configurations: http://wiki.strongswan.org/wiki/strongswan/IKEv2Examples Regards Andreas Yong Choo wrote: > Hi all, > I want to enable charon and disable pluto in order to limit to IKEv2 > without 'mobike'. > When I enable charon in ipsec.conf, > - does charon support only ipv6? > > (It was not clear whether this is the default behavior for 'charon' in > the description http://www.strongswan.org/index.htm) > > - I read pluto man page where the usage of ipv4/6 can be controlled by > --ipv4 --ipv6, --tunnelipv4, --tunnelipv6 options but it was not clear > on the charon. > - man page on the ipsec.config did not mention about controlling ipv4 > .vs. ipv6. > > Thanks Again, > -Yong Choo == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===[ITA-HSR]== ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
[strongSwan] charon supports ipv4 or ipv6?
Hi all, I want to enable charon and disable pluto in order to limit to IKEv2 without 'mobike'. When I enable charon in ipsec.conf, - does charon support only ipv6? (It was not clear whether this is the default behavior for 'charon' in the description http://www.strongswan.org/index.htm) - I read pluto man page where the usage of ipv4/6 can be controlled by --ipv4 --ipv6, --tunnelipv4, --tunnelipv6 options but it was not clear on the charon. - man page on the ipsec.config did not mention about controlling ipv4 .vs. ipv6. Thanks Again, -Yong Choo ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] unroute problem
Hi,

there is no established IPsec SA between the two hosts. You must start the IKE negotiation with the command

ipsec up host-host

if the setting in ipsec.conf is auto=add or change the setting to auto=start which will start the negotiation automatically.

Regards

Andreas

Sushil Chaudhari wrote:
> Hello Everyone,
>
> I am trying to establish static SA between two hosts. But when I run the
> command ipsec status, it gives me
>
> r...@sushil:/etc# ipsec status
> 000 "host-host": 192.168.1.143[C=us, ST=ma, O=mzeal, OU=op, CN=192.168.1.143]---192.168.1.1...192.168.1.124[C=us, O=mzeal, CN=192.168.1.124]; unrouted; eroute owner: #0
> 000 "host-host": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
>
> same thing on sun host.
> can anybody tell me how to establish route between the two hosts. Sorry for
> bothering for such a basic question.
>
> Thanks.

== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===[ITA-HSR]==
___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] unroute problem
Hello Everyone,

I am trying to establish static SA between two hosts. But when I run the command ipsec status, it gives me

r...@sushil:/etc# ipsec status
000 "host-host": 192.168.1.143[C=us, ST=ma, O=mzeal, OU=op, CN=192.168.1.143]---192.168.1.1...192.168.1.124[C=us, O=mzeal, CN=192.168.1.124]; unrouted; eroute owner: #0
000 "host-host": newest ISAKMP SA: #0; newest IPsec SA: #0;
000

same thing on sun host. can anybody tell me how to establish route between the two hosts. Sorry for bothering for such a basic question.

Thanks.
___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] strongswan dropping encapsulated ESP packet...
Dear Andreas,

Thanks for the reply. There was a problem with packet encapsulation. Now, it is working fine.

Regards,
Sunilkumar

On Wed, Aug 26, 2009 at 12:20 PM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
> Hi,
>
> dropped ESP packets will not appear in the strongSwan logs because
> they are either blocked by the firewall (check the firewall logs)
> or by the IPsec stack in the kernel which can be checked with the
> command
>
> ip -s xfrm state
>
> src 192.168.0.1 dst 192.168.0.200
>     proto esp spi 0xca40e7a5(3393251237) reqid 2(0x0002) mode tunnel
>     replay-window 32 seq 0x flag 20 (0x0010)
>     auth hmac(sha1) 0xb3bb1b1a0d6bb1a79c6a009332dd8283719ae369 (160 bits)
>     enc cbc(aes) 0x91652eba63520959132f2967fd03e393 (128 bits)
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 1200(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       84(bytes), 1(packets)
>       add 2009-08-18 15:50:33 use 2009-08-18 15:50:36
>     stats:
>       replay-window 0 replay 0 failed 0
>
> If the 'failed' count is not 0 then something is wrong with your IPsec
> SA.
>
> Best regards
>
> Andreas
>
> sunil kumar wrote:
> > Hi,
> >
> > I established SA from a peer to strongswan.
> > Peer is behind NAT.
> > After SA is established, When peer sends encapsulated ESP packet, strongswan
> > is dropping it.
> > I am not getting, why the packet is dropped.
> > I checked ../log/secure and ../log/message files for any information, but i
> > am not getting any.
> >
> > Where to get error information ..
> >
> > Regards,
> > Sunilkumar
>
> == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===[ITA-HSR]==
>
___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
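Editor's note: the reply above makes the practical point that ESP packets dropped by the kernel never show up in the charon log, so the per-SA counters from ip -s xfrm state are the place to look. The following is an added example (not code from this thread or from strongSwan) that parses that output and reports the SAs worth inspecting. The SAMPLE text is constructed in the format of the output quoted above: the second SA, its SPI 0xc1d2e3f4, the key material, the espinudp encapsulation line and all counters are invented for illustration.

```python
"""Parse `ip -s xfrm state` and point at SAs whose kernel counters show drops.
Constructed sample in the output format quoted above; keys and counters invented."""
import re

SAMPLE = """\
src 192.168.0.1 dst 192.168.0.200
\tproto esp spi 0xca40e7a5(3393251237) reqid 2(0x00000002) mode tunnel
\treplay-window 32 seq 0x00000000 flag 20 (0x00000010)
\tauth hmac(sha1) 0x0102030405060708090a0b0c0d0e0f1011121314 (160 bits)
\tenc cbc(aes) 0x000102030405060708090a0b0c0d0e0f (128 bits)
\tlifetime config:
\t  limit: soft (INF)(bytes), hard (INF)(bytes)
\t  limit: soft (INF)(packets), hard (INF)(packets)
\t  expire add: soft 0(sec), hard 1200(sec)
\t  expire use: soft 0(sec), hard 0(sec)
\tlifetime current:
\t  84(bytes), 1(packets)
\t  add 2009-08-18 15:50:33 use 2009-08-18 15:50:36
\tstats:
\t  replay-window 0 replay 0 failed 0
src 192.168.0.200 dst 192.168.0.1
\tproto esp spi 0xc1d2e3f4(3251823604) reqid 2(0x00000002) mode tunnel
\treplay-window 32 seq 0x00000000 flag 20 (0x00000010)
\tauth hmac(sha1) 0x14131211100f0e0d0c0b0a090807060504030201 (160 bits)
\tenc cbc(aes) 0x0f0e0d0c0b0a09080706050403020100 (128 bits)
\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0
\tlifetime config:
\t  limit: soft (INF)(bytes), hard (INF)(bytes)
\t  limit: soft (INF)(packets), hard (INF)(packets)
\t  expire add: soft 0(sec), hard 1200(sec)
\t  expire use: soft 0(sec), hard 0(sec)
\tlifetime current:
\t  0(bytes), 0(packets)
\t  add 2009-08-18 15:50:33 use -
\tstats:
\t  replay-window 0 replay 3 failed 7
"""

SA_HEADER = re.compile(r"^src (\S+) dst (\S+)")
PROTO = re.compile(r"^proto (\w+) spi (0x[0-9a-fA-F]+)\(\d+\) reqid (\d+)\(0x[0-9a-fA-F]+\) mode (\w+)")
ENCAP = re.compile(r"^encap type (\w+) sport (\d+) dport (\d+)")
CURRENT = re.compile(r"^(\d+)\(bytes\), (\d+)\(packets\)")
# Only the line under 'stats:' carries the 'replay N failed N' tail; the
# 'replay-window 32 seq ...' line in the SA header does not match this.
STATS = re.compile(r"^replay-window (\d+) replay (\d+) failed (\d+)")


def parse_xfrm_state(text):
    """Return one dict per SA: addressing, SPI, reqid, mode, UDP encapsulation
    (None for plain ESP), current byte/packet counters and error counters."""
    sas, sa = [], None
    for raw in text.splitlines():
        m = SA_HEADER.match(raw)
        if m:
            sa = {"src": m.group(1), "dst": m.group(2), "proto": None,
                  "spi": None, "reqid": None, "mode": None, "encap": None,
                  "bytes": 0, "packets": 0, "replay": 0, "failed": 0}
            sas.append(sa)
            continue
        if sa is None:
            continue
        line = raw.strip()
        m = PROTO.match(line)
        if m:
            sa["proto"], sa["spi"] = m.group(1), int(m.group(2), 16)
            sa["reqid"], sa["mode"] = int(m.group(3)), m.group(4)
            continue
        m = ENCAP.match(line)
        if m:
            sa["encap"] = {"type": m.group(1), "sport": int(m.group(2)),
                           "dport": int(m.group(3))}
            continue
        m = CURRENT.match(line)
        if m:
            sa["bytes"], sa["packets"] = int(m.group(1)), int(m.group(2))
            continue
        m = STATS.match(line)
        if m:
            sa["replay"], sa["failed"] = int(m.group(2)), int(m.group(3))
    return sas


def suspicious(sas):
    """SAs to inspect first: any failed or replay count, or an SA whose packet
    counter is still zero (traffic the peer claims to send is not being matched
    to this SA: wrong SPI, encapsulation mismatch or a firewall in front)."""
    out = []
    for sa in sas:
        reasons = []
        if sa["failed"]:
            reasons.append("failed=%d" % sa["failed"])
        if sa["replay"]:
            reasons.append("replay=%d" % sa["replay"])
        if sa["packets"] == 0:
            reasons.append("no packets counted on this SA")
        if reasons:
            out.append((sa["spi"], reasons))
    return out
```

Run it against the real output with `parse_xfrm_state(subprocess.check_output(["ip", "-s", "xfrm", "state"], text=True))`; the `encap` field tells you whether the kernel expects UDP-encapsulated ESP on port 4500 for that SA, which is the first thing to compare with what the NAT-T peer actually sends.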
Re: [strongSwan] no matching peer config found
Hi Roger,

> peerid sun.strongswan.org not confirmed by certificate, defaulting to
> subject DN: C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
> e=...@alcatel-lucent.com

strongSwan requires the peer ID to be contained in the certificate (either the complete DN, or as a subjectAltName, a matching CN= is insufficient).

Either add your peer identities as subjectAltName, or use the complete DN of your certificate as peer identity.

If you have E= in your peer DN identities, make sure to apply [1], there is a regression in 4.3.4 with email OID handling.

Regards
Martin

[1]http://wiki.strongswan.org/repositories/diff/strongswan?rev=c8b543a6
___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
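Editor's note: the rule Martin states above (the configured identity must be the certificate's complete subject DN or one of its subjectAltNames, and a CN that merely contains the hostname does not confirm it) is easy to get wrong when two tools spell the same attribute differently, which is exactly what the e= versus emailaddress= variants tried in this thread come down to. The following is an added example, not strongSwan's identification code: it normalises attribute-type spellings, compares DNs and applies the confirmation rule to a constructed stand-in for the sun certificate. Assumptions made here and not taken from the thread: DN values are compared case-insensitively and RDN order must match, commas inside attribute values are not handled, the "certificate" is a dict holding an already-parsed subject and SAN list, and the e-mail addresses are placeholders.

```python
"""Illustrative peer-identity check for strongSwan-style leftid/rightid values.
Added example, not strongSwan code; see the note above for assumptions."""
import re

# Different tools print the same attribute type differently: OpenSSL uses
# "emailAddress", strongSwan prints "E" (lower-cased "e=" in the log above).
_TYPE_ALIASES = {
    "E": "emailAddress",
    "EMAIL": "emailAddress",
    "EMAILADDRESS": "emailAddress",
    "S": "ST",
}


def normalize_type(attr_type):
    """Map 'e', 'E', 'emailaddress', ... onto one canonical spelling."""
    t = attr_type.strip().upper()
    return _TYPE_ALIASES.get(t, t)


def parse_dn(dn):
    """Split a DN string into an ordered list of (type, value) pairs.

    Accepts the ', ' separated form used in ipsec.conf and charon logs as well
    as the '/' separated form printed by openssl (old versions mix both, e.g.
    'CN=Roger Zhang/emailAddress=...').
    """
    # Turn every '/type=' boundary into a comma boundary, then split on commas.
    flat = re.sub(r"/(?=[A-Za-z]+=)", ", ", dn.strip())
    rdns = []
    for part in re.split(r"\s*,\s*", flat):
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr_type, value = part.split("=", 1)
        rdns.append((normalize_type(attr_type), value.strip()))
    return rdns


def dn_equal(a, b):
    """Order-sensitive DN comparison with normalised types and
    case-insensitive values (an assumption of this example)."""
    ra, rb = parse_dn(a), parse_dn(b)
    if len(ra) != len(rb):
        return False
    return all(ta == tb and va.lower() == vb.lower()
               for (ta, va), (tb, vb) in zip(ra, rb))


def id_matches_cert(peer_id, cert):
    """Return True if peer_id is confirmed by cert.

    cert is {'subject': <DN string>, 'san': [<FQDN / e-mail strings>]}.
    A DN identity must equal the complete subject; any other identity
    (FQDN with or without a leading '@', an e-mail address) must appear
    verbatim in subjectAltName. A CN that happens to equal the FQDN does
    not count, which is why 'sun.strongswan.org' fails below without a SAN.
    """
    peer_id = peer_id.strip()
    if "=" in peer_id:
        return dn_equal(peer_id, cert["subject"])
    wanted = peer_id.lstrip("@").lower()
    return any(wanted == san.lower() for san in cert.get("san", []))


# Constructed stand-ins for the sun certificate before and after adding a SAN.
SUN_CERT_NO_SAN = {
    "subject": "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, "
               "emailAddress=sun@example.org",
    "san": [],
}
SUN_CERT_WITH_SAN = {
    "subject": SUN_CERT_NO_SAN["subject"],
    "san": ["sun.strongswan.org", "sun@example.org"],
}

if __name__ == "__main__":
    full_dn = ("C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, "
               "e=sun@example.org")
    for pid, cert in [("sun.strongswan.org", SUN_CERT_NO_SAN),
                      (full_dn, SUN_CERT_NO_SAN),
                      ("@sun.strongswan.org", SUN_CERT_WITH_SAN)]:
        verdict = "confirmed" if id_matches_cert(pid, cert) else "NOT confirmed"
        print("%-80s -> %s" % (pid, verdict))
```

The first case reproduces the "peerid sun.strongswan.org not confirmed by certificate" situation from the log; the second shows that the e= and emailAddress= spellings are the same identity once the attribute type is normalised; the third is what adding the FQDN as subjectAltName buys you.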
[strongSwan] no matching peer config found
Hi,

I am trying IPSec with StrongSwan on two Linux hosts. The example is http://www.strongswan.org/uml/testresults43/ikev2/host2host-cert/

Currently I see a problem "no matching peer config found" from daemon.log. I think the problem is in the ipsec.conf rightid and leftid, I tried many ways, but it always failed. Can anyone help?

[r...@localhost etc]# ipsec start
Starting strongSwan 4.3.4 IPsec [starter]...
[r...@localhost etc]# /usr/local/sbin/ipsec up host-host
initiating IKE_SA host-host[1] to 135.252.130.87
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 135.252.131.87[500] to 135.252.130.87[500]
received packet: from 135.252.130.87[500] to 135.252.131.87[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
sending cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
authentication of 'C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com' (myself) with RSA signature successful
sending end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
establishing CHILD_SA host-host
generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
sending packet: from 135.252.131.87[4500] to 135.252.130.87[4500]
received packet: from 135.252.130.87[4500] to 135.252.131.87[4500]
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error

The daemon.log on sun side, it always complains "no matching peer config found"

Aug 26 21:34:16 qdpat-xp charon: 01[DMN] loaded plugins: aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
Aug 26 21:34:16 qdpat-xp charon: 01[JOB] spawning 16 worker threads
Aug 26 21:34:16 qdpat-xp charon: 03[CFG] received stroke: add connection 'host-host'
Aug 26 21:34:16 qdpat-xp charon: 03[LIB] loaded certificate file '/usr/local/etc/ipsec.d/certs/sunCert.pem'
Aug 26 21:34:16 qdpat-xp charon: 03[CFG] peerid sun.strongswan.org not confirmed by certificate, defaulting to subject DN: C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com
Aug 26 21:34:16 qdpat-xp charon: 03[CFG] added configuration 'host-host'
Aug 26 21:34:21 qdpat-xp charon: 10[NET] received packet: from 135.252.131.87[500] to 135.252.130.87[500]
Aug 26 21:34:21 qdpat-xp charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Aug 26 21:34:21 qdpat-xp charon: 10[IKE] 135.252.131.87 is initiating an IKE_SA
Aug 26 21:34:21 qdpat-xp charon: 10[IKE] sending cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
Aug 26 21:34:21 qdpat-xp charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Aug 26 21:34:21 qdpat-xp charon: 10[NET] sending packet: from 135.252.130.87[500] to 135.252.131.87[500]
Aug 26 21:34:21 qdpat-xp charon: 11[NET] received packet: from 135.252.131.87[4500] to 135.252.130.87[4500]
Aug 26 21:34:21 qdpat-xp charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
Aug 26 21:34:21 qdpat-xp charon: 11[IKE] received cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
Aug 26 21:34:21 qdpat-xp charon: 11[IKE] received end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
Aug 26 21:34:21 qdpat-xp charon: 11[CFG] looking for peer configs matching 135.252.130.87[sun.strongswan.org]...135.252.131.87[C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com]
Aug 26 21:34:21 qdpat-xp charon: 11[CFG] no matching peer config found
Aug 26 21:34:21 qdpat-xp charon: 11[IKE] peer supports MOBIKE
Aug 26 21:34:21 qdpat-xp charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 26 21:34:21 qdpat-xp charon: 11[NET] sending packet: from 135.252.130.87[4500] to 135.252.131.87[4500]

My ipsec.conf on sun side

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
    crlcheckinterval=180
    strictcrlpolicy=no
    plutostart=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn host-host
    left=135.252.130.87
    leftcert=/usr/local/etc/ipsec.d/certs/sunCert.pem
    #leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
    #leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, emailaddress=...@alcatel-lucent.com"
    left...@sun.strongswan.org
    leftfirewall=no
    right=135.252.131.87
    #rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.str
Re: [strongSwan] can not find private key for certificate
But your private key seems to be protected by a passphrase: > [r...@localhost reqs]# openssl rsa -in hostKey.pem -noout -text > Enter pass phrase for hostKey.pem: > Private-Key: (1024 bit) You must add this passphrase to the key entry in ipsec.secrets: : RSA /etc/ipsec.d/reqs/hostKey.pem "" Regards Andreas Zhang, Long (Roger) wrote: > Andreas, > > Thanks for your reply. > > I checked the modulus of the private key and the certificate. They are > matched. Below is my execution output. > > [r...@localhost etc]# ipsec listcerts > > List of X.509 End Entity Certificates: > > subject: "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, > e=m...@alcatel-lucent.com" > issuer: "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, > e=zha...@alcatel-lucent.com" > serial:02 > validity: not before Aug 26 11:35:21 2009, ok > not after Aug 26 11:35:21 2011, ok > pubkey:RSA 1024 bits > keyid: f8:2a:8c:e8:f3:2e:2b:c4:7f:30:fd:92:8f:0d:89:23:14:a3:ee:e2 > subjkey: 00:a5:d7:c3:cf:b7:f0:c3:fa:e4:70:0f:f3:96:ce:99:cc:58:1a:be > authkey: c4:6d:f2:07:c9:c1:2d:6c:b7:5e:e9:92:bd:97:a6:61:c2:23:e6:23 > [r...@localhost etc]# cd ipsec.d > [r...@localhost ipsec.d]# ls > aacerts acerts cacerts certs crls ocspcerts private reqs > [r...@localhost ipsec.d]# cd reqs > [r...@localhost reqs]# ls > hostKey.pem hostReq.pem > [r...@localhost reqs]# openssl rsa -in hostKey.pem -noout -text > Enter pass phrase for hostKey.pem: > Private-Key: (1024 bit) > modulus: > 00:c1:21:20:a3:88:b7:bd:87:03:6e:0b:31:8a:77: > eb:93:ba:5f:75:6f:7b:83:f3:84:28:60:3b:12:e5: > 2c:f3:ce:c3:72:a9:4a:72:e7:03:86:bf:83:1f:73: > 3c:14:47:79:27:b6:1b:bf:92:5a:42:5b:8c:62:f1: > c4:23:54:98:13:53:a3:e5:a9:9e:82:69:c6:3d:8e: > 66:10:73:46:48:50:24:93:ae:98:d7:61:93:54:01: > c4:0a:19:4e:31:42:c8:68:0b:79:c4:39:00:5b:5e: > 63:5e:e6:8f:91:1b:0a:a8:07:4c:32:2d:a5:72:61: > 18:7d:94:3b:22:f1:1c:25:51 > publicExponent: 65537 (0x10001) > privateExponent: > 51:3f:91:8e:9a:ee:c9:c2:2a:14:3a:8b:4d:f8:a3: > 
57:d3:d9:62:fb:52:98:31:73:50:d5:23:25:10:da: > f7:7a:ed:c8:a8:25:d4:ef:11:11:b8:31:fe:a2:29: > 0d:53:00:4a:4f:97:9e:e1:80:2d:58:7c:58:07:e3: > ff:05:10:b0:9c:85:bd:e2:13:5a:4a:de:72:08:88: > 80:7f:85:a1:9e:3b:0c:dd:5e:06:eb:88:52:a4:fd: > 29:55:d2:16:5f:1a:4f:b8:7d:cf:ba:84:f2:04:a7: > 56:d9:cb:eb:ea:16:71:7a:a7:d3:d7:13:95:17:90: > ab:57:8e:6c:bc:e5:f1:d1 > prime1: > 00:f8:ac:54:d5:bf:2a:b0:05:1b:18:1a:a6:c7:df: > 4c:ad:79:09:31:55:9c:a8:58:30:e6:fd:a9:ac:64: > bc:e0:05:d3:39:c5:8e:96:fd:87:cc:2b:66:5e:83: > 5f:4a:4e:4f:67:50:04:a9:63:cc:17:c1:fc:71:85: > 8b:ff:13:92:75 > prime2: > 00:c6:d1:d8:87:6d:05:58:91:cc:cc:3b:90:12:93: > ca:a8:5f:cd:27:0f:82:34:59:73:8e:a7:ad:53:30: > 2f:d7:5d:94:56:91:ad:15:34:8b:13:a1:9c:ba:6b: > e8:84:c0:95:8f:f0:02:7b:22:70:d2:46:ec:c4:3e: > a5:00:07:73:ed > exponent1: > 2f:49:25:c0:97:5f:58:a5:3f:e7:af:79:b3:5c:04: > ca:9f:cf:5d:b0:37:df:d3:15:49:77:46:c2:5f:4d: > 83:13:d8:7c:8d:d2:75:67:b4:60:e0:87:d0:c5:0e: > 63:a4:cc:78:8a:c0:b8:2d:1f:ec:0c:99:22:45:10: > bf:ea:4a:d9 > exponent2: > 15:52:ea:6b:53:f9:0f:cf:cb:6c:58:33:12:9b:01: > 50:5f:be:0c:23:70:ae:96:ad:7b:2e:66:bb:96:5e: > 7b:35:d1:34:1b:b9:b9:9d:82:11:1f:f3:44:57:50: > 7f:f4:7b:d6:0d:42:e6:dc:01:c7:bb:cd:a7:1a:a4: > ed:c4:de:dd > coefficient: > 57:32:84:ba:ea:15:a7:62:08:6b:11:ce:79:fa:63: > 2b:41:34:a5:f2:9f:c5:24:31:4c:fa:36:b2:1f:17: > c6:e1:5e:53:76:6a:cc:36:48:86:1a:10:72:fd:96: > 8b:91:f2:b2:db:99:de:6d:70:3b:68:fb:b1:ca:e3: > f0:01:23:41 > [r...@localhost reqs]# ls > hostKey.pem hostReq.pem > [r...@localhost reqs]# cd ../certs > [r...@localhost certs]# ls > demoCA moonCert.pem > [r...@localhost certs]# openssl x509 -in moonCert.pem -noout -text > Certificate: > Data: > Version: 3 (0x2) > Serial Number: 2 (0x2) > Signature Algorithm: sha1WithRSAEncryption > Issuer: C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger > Zhang/emailaddress=zha...@alcatel-lucent.com > Validity > Not Before: Aug 26 03:35:21 2009 GMT > Not After : Aug 26 03:35:21 2011 GMT > Subject: C=CN, 
ST=Shandong, O=ALU, OU=RD, > CN=moon.strongswan.org/emailaddress=m...@alcatel-lucent.com > Subject Public Key Info: > Public Key Algorithm: rsaEncryption > RSA Public Key: (1024 bit) > Modulus (1024 bit): > 00:c1:21:20:a3:88:b7:bd:87:03:6e:0b:31:8a:77: > eb:93:ba:5f:75:6f:7b:83:f3:84:28:60:3b:12:e5: > 2c:f3:ce:c3:72:a9:4a:72:e7:03:86:bf:83:1f:73: > 3c:14:47:79:27:b6:1b:bf:92:5a:42:5b:8c:62:f1: > c4:23:54:98:13:53:a3:e5:a9:9e:82:69:c6:3d:8e: > 66:10:73:46:48:50:24:93:ae:98:d7:61:93:54:01: > c4:0a:19:4e:31:42:c8:68:0
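Editor's note: the fix in this thread is a configuration mismatch rather than a key/certificate mismatch: the modulus check the poster ran proves the key belongs to the certificate, but a passphrase-protected PEM key is never loaded unless the passphrase (or %prompt) follows the file name in its ipsec.secrets entry. The following is an added example, not strongSwan code, that audits the ': RSA <file> ["passphrase"]' entries of an ipsec.secrets against the key files they reference and reports the two things worth knowing: an encrypted key with no passphrase configured, and a key stored unencrypted. The secrets text and PEM contents below are constructed in-memory stand-ins; key paths are treated as given (the example does not resolve relative paths under /etc/ipsec.d/private) and only PEM-encoded keys are recognised.

```python
"""Audit ipsec.secrets RSA entries against the PEM key files they point at.
Added example, not strongSwan code; the inputs below are constructed."""
import re
import shlex

# ': RSA <file> ["passphrase"|%prompt]' with optional selector IDs before the colon.
RSA_ENTRY = re.compile(r"^[^:#]*:\s*RSA\s+(?P<rest>.+)$")
# Both PEM encryption styles OpenSSL produces.
ENCRYPTED_PKCS8 = "-----BEGIN ENCRYPTED PRIVATE KEY-----"
ENCRYPTED_LEGACY = re.compile(r"^Proc-Type:\s*4,\s*ENCRYPTED", re.MULTILINE)


def pem_is_encrypted(pem_text):
    """True if the PEM needs a passphrase to be decoded."""
    return ENCRYPTED_PKCS8 in pem_text or ENCRYPTED_LEGACY.search(pem_text) is not None


def parse_rsa_entries(secrets_text):
    """Return [(key_file, passphrase_or_None)] for every ': RSA ...' line.
    Full-line comments, blank lines and PSK/EAP/XAUTH entries are skipped."""
    entries = []
    for raw in secrets_text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        m = RSA_ENTRY.match(raw)
        if not m:
            continue
        tokens = shlex.split(m.group("rest"))  # strips the quotes around the passphrase
        if not tokens:
            continue
        entries.append((tokens[0], tokens[1] if len(tokens) > 1 else None))
    return entries


def audit_secrets(secrets_text, key_files):
    """key_files maps path -> PEM text (an in-memory stand-in for reading disk).
    Returns (path, finding) pairs; an empty list means every key is loadable
    and every key on disk is passphrase-protected."""
    findings = []
    for path, passphrase in parse_rsa_entries(secrets_text):
        pem = key_files.get(path)
        if pem is None:
            findings.append((path, "key file missing"))
        elif pem_is_encrypted(pem) and passphrase is None:
            findings.append((path, "encrypted key but no passphrase or %prompt in ipsec.secrets"))
        elif not pem_is_encrypted(pem):
            findings.append((path, "key stored unencrypted; rely on file permissions (root, 0600)"))
    return findings


# Constructed ipsec.secrets: the first entry is the situation in this thread.
SECRETS = """\
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA /etc/ipsec.d/reqs/hostKey.pem
: RSA /etc/ipsec.d/private/gwKey.pem "correct horse battery staple"
: RSA /etc/ipsec.d/private/plainKey.pem
: RSA /etc/ipsec.d/private/promptKey.pem %prompt
moon.example.org sun.example.org : PSK "shared-secret"
"""

# Constructed PEM bodies (truncated base64, enough for the header checks).
KEY_FILES = {
    "/etc/ipsec.d/reqs/hostKey.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
        "\n"
        "MIICXAIBAAKBgQDBISCjiLe9hwNuCzGKd+uTul91b3uD84QoYDsS5Szzzs...\n"
        "-----END RSA PRIVATE KEY-----\n"),
    "/etc/ipsec.d/private/gwKey.pem": (
        "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
        "MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI...\n"
        "-----END ENCRYPTED PRIVATE KEY-----\n"),
    "/etc/ipsec.d/private/plainKey.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIICXAIBAAKBgQDBISCjiLe9hwNuCzGKd+uTul91b3uD84QoYDsS5Szzzs...\n"
        "-----END RSA PRIVATE KEY-----\n"),
}

if __name__ == "__main__":
    for path, finding in audit_secrets(SECRETS, KEY_FILES):
        print("%s: %s" % (path, finding))
```

For a real system, replace KEY_FILES with a dict built from `open(path).read()` for each path returned by `parse_rsa_entries`, and run it as root, since the key files should not be readable by anyone else. strongSwan's ipsec.secrets also accepts %prompt in place of the literal passphrase, which keeps the passphrase out of the file at the cost of interactive entry on `ipsec start` and `ipsec rereadsecrets`.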
Re: [strongSwan] can not find private key for certificate
Andreas,

I added the passphrase to the private key in ipsec.secrets; it works now. Curious that it works now, I tried this way this morning.

[r...@localhost etc]# cat ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA /etc/ipsec.d/reqs/hostKey.pem "123456"

Thanks,
Roger

> -----Original Message-----
> From: users-boun...@lists.strongswan.org [mailto:users-boun...@lists.strongswan.org] On Behalf Of Zhang, Long (Roger)
> Sent: Wednesday, August 26, 2009 3:20 PM
> To: Andreas Steffen
> Cc: users@lists.strongswan.org
> Subject: Re: [strongSwan] can not find private key for certificate
>
> Andreas,
>
> Thanks for your reply.
>
> I checked the modulus of the private key and the certificate. They match. Below is my execution output.
>
> [r...@localhost etc]# ipsec listcerts
>
> List of X.509 End Entity Certificates:
>
>   subject:  "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
>   issuer:   "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
>   serial:    02
>   validity:  not before Aug 26 11:35:21 2009, ok
>              not after  Aug 26 11:35:21 2011, ok
>   pubkey:    RSA 1024 bits
>   keyid:     f8:2a:8c:e8:f3:2e:2b:c4:7f:30:fd:92:8f:0d:89:23:14:a3:ee:e2
>   subjkey:   00:a5:d7:c3:cf:b7:f0:c3:fa:e4:70:0f:f3:96:ce:99:cc:58:1a:be
>   authkey:   c4:6d:f2:07:c9:c1:2d:6c:b7:5e:e9:92:bd:97:a6:61:c2:23:e6:23
>
> [r...@localhost etc]# cd ipsec.d
> [r...@localhost ipsec.d]# ls
> aacerts  acerts  cacerts  certs  crls  ocspcerts  private  reqs
> [r...@localhost ipsec.d]# cd reqs
> [r...@localhost reqs]# ls
> hostKey.pem  hostReq.pem
> [r...@localhost reqs]# openssl rsa -in hostKey.pem -noout -text
> Enter pass phrase for hostKey.pem:
> Private-Key: (1024 bit)
> modulus:
>     00:c1:21:20:a3:88:b7:bd:87:03:6e:0b:31:8a:77:
>     eb:93:ba:5f:75:6f:7b:83:f3:84:28:60:3b:12:e5:
>     2c:f3:ce:c3:72:a9:4a:72:e7:03:86:bf:83:1f:73:
>     3c:14:47:79:27:b6:1b:bf:92:5a:42:5b:8c:62:f1:
>     c4:23:54:98:13:53:a3:e5:a9:9e:82:69:c6:3d:8e:
>     66:10:73:46:48:50:24:93:ae:98:d7:61:93:54:01:
>     c4:0a:19:4e:31:42:c8:68:0b:79:c4:39:00:5b:5e:
>     63:5e:e6:8f:91:1b:0a:a8:07:4c:32:2d:a5:72:61:
>     18:7d:94:3b:22:f1:1c:25:51
> publicExponent: 65537 (0x10001)
> privateExponent:
>     51:3f:91:8e:9a:ee:c9:c2:2a:14:3a:8b:4d:f8:a3:
>     57:d3:d9:62:fb:52:98:31:73:50:d5:23:25:10:da:
>     f7:7a:ed:c8:a8:25:d4:ef:11:11:b8:31:fe:a2:29:
>     0d:53:00:4a:4f:97:9e:e1:80:2d:58:7c:58:07:e3:
>     ff:05:10:b0:9c:85:bd:e2:13:5a:4a:de:72:08:88:
>     80:7f:85:a1:9e:3b:0c:dd:5e:06:eb:88:52:a4:fd:
>     29:55:d2:16:5f:1a:4f:b8:7d:cf:ba:84:f2:04:a7:
>     56:d9:cb:eb:ea:16:71:7a:a7:d3:d7:13:95:17:90:
>     ab:57:8e:6c:bc:e5:f1:d1
> prime1:
>     00:f8:ac:54:d5:bf:2a:b0:05:1b:18:1a:a6:c7:df:
>     4c:ad:79:09:31:55:9c:a8:58:30:e6:fd:a9:ac:64:
>     bc:e0:05:d3:39:c5:8e:96:fd:87:cc:2b:66:5e:83:
>     5f:4a:4e:4f:67:50:04:a9:63:cc:17:c1:fc:71:85:
>     8b:ff:13:92:75
> prime2:
>     00:c6:d1:d8:87:6d:05:58:91:cc:cc:3b:90:12:93:
>     ca:a8:5f:cd:27:0f:82:34:59:73:8e:a7:ad:53:30:
>     2f:d7:5d:94:56:91:ad:15:34:8b:13:a1:9c:ba:6b:
>     e8:84:c0:95:8f:f0:02:7b:22:70:d2:46:ec:c4:3e:
>     a5:00:07:73:ed
> exponent1:
>     2f:49:25:c0:97:5f:58:a5:3f:e7:af:79:b3:5c:04:
>     ca:9f:cf:5d:b0:37:df:d3:15:49:77:46:c2:5f:4d:
>     83:13:d8:7c:8d:d2:75:67:b4:60:e0:87:d0:c5:0e:
>     63:a4:cc:78:8a:c0:b8:2d:1f:ec:0c:99:22:45:10:
>     bf:ea:4a:d9
> exponent2:
>     15:52:ea:6b:53:f9:0f:cf:cb:6c:58:33:12:9b:01:
>     50:5f:be:0c:23:70:ae:96:ad:7b:2e:66:bb:96:5e:
>     7b:35:d1:34:1b:b9:b9:9d:82:11:1f:f3:44:57:50:
>     7f:f4:7b:d6:0d:42:e6:dc:01:c7:bb:cd:a7:1a:a4:
>     ed:c4:de:dd
> coefficient:
>     57:32:84:ba:ea:15:a7:62:08:6b:11:ce:79:fa:63:
>     2b:41:34:a5:f2:9f:c5:24:31:4c:fa:36:b2:1f:17:
>     c6:e1:5e:53:76:6a:cc:36:48:86:1a:10:72:fd:96:
>     8b:91:f2:b2:db:99:de:6d:70:3b:68:fb:b1:ca:e3:
>     f0:01:23:41
> [r...@localhost reqs]# ls
> hostKey.pem  hostReq.pem
> [r...@localhost reqs]# cd ../certs
> [r...@localhost certs]# ls
> demoCA  moonCert.pem
> [r...@localhost certs]# openssl x509 -in moonCert.pem -noout -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 2 (0x2)
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang/emailaddress=zha...@alcatel-lucent.com
>         Validity
>             Not Before: Aug 26 03:35:21 2009 GMT
>             Not After : Aug 26 03:35:21 2011 GMT
>         Subject: C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org/emailaddress=m...@alcatel-lucent.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Modulus (1024 bit):
>                     00:c1:21:20:a3:88:b7:bd:87:03:6e:0b:31:8a:77:
>                     eb:93:ba:5f:75:6f:7b:83:f3:84:28:60:3b:12:e5:
>                     2c:f3:ce:c3:72:a9:4a:72:e7:03:86:bf:83
Re: [strongSwan] can not find private key for certificate
Andreas,

Thanks for your reply.

I checked the modulus of the private key and the certificate. They match. Below is my execution output.

[r...@localhost etc]# ipsec listcerts

List of X.509 End Entity Certificates:

  subject:  "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
  issuer:   "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
  serial:    02
  validity:  not before Aug 26 11:35:21 2009, ok
             not after  Aug 26 11:35:21 2011, ok
  pubkey:    RSA 1024 bits
  keyid:     f8:2a:8c:e8:f3:2e:2b:c4:7f:30:fd:92:8f:0d:89:23:14:a3:ee:e2
  subjkey:   00:a5:d7:c3:cf:b7:f0:c3:fa:e4:70:0f:f3:96:ce:99:cc:58:1a:be
  authkey:   c4:6d:f2:07:c9:c1:2d:6c:b7:5e:e9:92:bd:97:a6:61:c2:23:e6:23

[r...@localhost etc]# cd ipsec.d
[r...@localhost ipsec.d]# ls
aacerts  acerts  cacerts  certs  crls  ocspcerts  private  reqs
[r...@localhost ipsec.d]# cd reqs
[r...@localhost reqs]# ls
hostKey.pem  hostReq.pem
[r...@localhost reqs]# openssl rsa -in hostKey.pem -noout -text
Enter pass phrase for hostKey.pem:
Private-Key: (1024 bit)
modulus:
    00:c1:21:20:a3:88:b7:bd:87:03:6e:0b:31:8a:77:
    eb:93:ba:5f:75:6f:7b:83:f3:84:28:60:3b:12:e5:
    2c:f3:ce:c3:72:a9:4a:72:e7:03:86:bf:83:1f:73:
    3c:14:47:79:27:b6:1b:bf:92:5a:42:5b:8c:62:f1:
    c4:23:54:98:13:53:a3:e5:a9:9e:82:69:c6:3d:8e:
    66:10:73:46:48:50:24:93:ae:98:d7:61:93:54:01:
    c4:0a:19:4e:31:42:c8:68:0b:79:c4:39:00:5b:5e:
    63:5e:e6:8f:91:1b:0a:a8:07:4c:32:2d:a5:72:61:
    18:7d:94:3b:22:f1:1c:25:51
publicExponent: 65537 (0x10001)
privateExponent:
    51:3f:91:8e:9a:ee:c9:c2:2a:14:3a:8b:4d:f8:a3:
    57:d3:d9:62:fb:52:98:31:73:50:d5:23:25:10:da:
    f7:7a:ed:c8:a8:25:d4:ef:11:11:b8:31:fe:a2:29:
    0d:53:00:4a:4f:97:9e:e1:80:2d:58:7c:58:07:e3:
    ff:05:10:b0:9c:85:bd:e2:13:5a:4a:de:72:08:88:
    80:7f:85:a1:9e:3b:0c:dd:5e:06:eb:88:52:a4:fd:
    29:55:d2:16:5f:1a:4f:b8:7d:cf:ba:84:f2:04:a7:
    56:d9:cb:eb:ea:16:71:7a:a7:d3:d7:13:95:17:90:
    ab:57:8e:6c:bc:e5:f1:d1
prime1:
    00:f8:ac:54:d5:bf:2a:b0:05:1b:18:1a:a6:c7:df:
    4c:ad:79:09:31:55:9c:a8:58:30:e6:fd:a9:ac:64:
    bc:e0:05:d3:39:c5:8e:96:fd:87:cc:2b:66:5e:83:
    5f:4a:4e:4f:67:50:04:a9:63:cc:17:c1:fc:71:85:
    8b:ff:13:92:75
prime2:
    00:c6:d1:d8:87:6d:05:58:91:cc:cc:3b:90:12:93:
    ca:a8:5f:cd:27:0f:82:34:59:73:8e:a7:ad:53:30:
    2f:d7:5d:94:56:91:ad:15:34:8b:13:a1:9c:ba:6b:
    e8:84:c0:95:8f:f0:02:7b:22:70:d2:46:ec:c4:3e:
    a5:00:07:73:ed
exponent1:
    2f:49:25:c0:97:5f:58:a5:3f:e7:af:79:b3:5c:04:
    ca:9f:cf:5d:b0:37:df:d3:15:49:77:46:c2:5f:4d:
    83:13:d8:7c:8d:d2:75:67:b4:60:e0:87:d0:c5:0e:
    63:a4:cc:78:8a:c0:b8:2d:1f:ec:0c:99:22:45:10:
    bf:ea:4a:d9
exponent2:
    15:52:ea:6b:53:f9:0f:cf:cb:6c:58:33:12:9b:01:
    50:5f:be:0c:23:70:ae:96:ad:7b:2e:66:bb:96:5e:
    7b:35:d1:34:1b:b9:b9:9d:82:11:1f:f3:44:57:50:
    7f:f4:7b:d6:0d:42:e6:dc:01:c7:bb:cd:a7:1a:a4:
    ed:c4:de:dd
coefficient:
    57:32:84:ba:ea:15:a7:62:08:6b:11:ce:79:fa:63:
    2b:41:34:a5:f2:9f:c5:24:31:4c:fa:36:b2:1f:17:
    c6:e1:5e:53:76:6a:cc:36:48:86:1a:10:72:fd:96:
    8b:91:f2:b2:db:99:de:6d:70:3b:68:fb:b1:ca:e3:
    f0:01:23:41
[r...@localhost reqs]# ls
hostKey.pem  hostReq.pem
[r...@localhost reqs]# cd ../certs
[r...@localhost certs]# ls
demoCA  moonCert.pem
[r...@localhost certs]# openssl x509 -in moonCert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang/emailaddress=zha...@alcatel-lucent.com
        Validity
            Not Before: Aug 26 03:35:21 2009 GMT
            Not After : Aug 26 03:35:21 2011 GMT
        Subject: C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org/emailaddress=m...@alcatel-lucent.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c1:21:20:a3:88:b7:bd:87:03:6e:0b:31:8a:77:
                    eb:93:ba:5f:75:6f:7b:83:f3:84:28:60:3b:12:e5:
                    2c:f3:ce:c3:72:a9:4a:72:e7:03:86:bf:83:1f:73:
                    3c:14:47:79:27:b6:1b:bf:92:5a:42:5b:8c:62:f1:
                    c4:23:54:98:13:53:a3:e5:a9:9e:82:69:c6:3d:8e:
                    66:10:73:46:48:50:24:93:ae:98:d7:61:93:54:01:
                    c4:0a:19:4e:31:42:c8:68:0b:79:c4:39:00:5b:5e:
                    63:5e:e6:8f:91:1b:0a:a8:07:4c:32:2d:a5:72:61:
                    18:7d:94:3b:22:f1:1c:25:51
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                00:A5:D7:C3:CF:B7:F0:C3:FA:E4:70:0F:F3:96:CE:99:CC:58:1A:BE
            X509v3 Authority Key Identifier:
                keyid:C4:6D:F2:07:C9:C1:2D:6C:B7:5E:E9:92
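The post above compares the two moduli by eye across two long `openssl ... -noout -text` dumps. The following is an added example (not code from the thread, from strongSwan, or from OpenSSL) that does that comparison mechanically: it reads the `modulus:` block of an `openssl rsa -text` dump and the `Modulus (N bit):` block of an `openssl x509 -text` dump, normalises both to an integer (so case and the leading `00` byte OpenSSL prints for a positive big integer do not matter) and reports whether the private key and certificate belong together. The function names `extract_modulus` and `moduli_match` and the short constructed sample dumps are assumptions of this example, not values from the list post.

```python
import re

# Label line that opens the modulus block: "modulus:" in `openssl rsa -text`,
# "Modulus (1024 bit):" in older `openssl x509 -text`, "Modulus:" in newer ones.
MODULUS_LABEL = re.compile(r"^\s*modulus(\s*\(\d+\s*bit\))?:\s*$", re.IGNORECASE)
# One continuation line of colon-separated hex bytes, e.g. "00:c1:21:20:a3:".
HEX_BYTES = re.compile(r"^\s*[0-9a-f]{2}(?::[0-9a-f]{2})*:?\s*$", re.IGNORECASE)


def extract_modulus(text: str) -> int:
    """Return the RSA modulus from `openssl ... -noout -text` output as an int.

    Only the block directly under the modulus label is read; the private
    exponent, primes and CRT values that `openssl rsa -text` also prints are
    left untouched. Raises ValueError when no modulus block is present.
    """
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        if not MODULUS_LABEL.match(line):
            continue
        chunks = []
        for cont in lines[idx + 1:]:
            if not HEX_BYTES.match(cont):
                break  # the next label ("publicExponent:", "Exponent:") ends the block
            chunks.append(cont.strip().rstrip(":"))
        if not chunks:
            raise ValueError("modulus label found but no hex bytes follow it")
        # int() absorbs case differences and the leading 00 byte, so the two
        # dumps compare equal exactly when they describe the same modulus.
        return int("".join(chunks).replace(":", ""), 16)
    raise ValueError("no modulus block found in text")


def moduli_match(key_text: str, cert_text: str) -> bool:
    """True when the private-key dump and the certificate dump carry the same modulus."""
    return extract_modulus(key_text) == extract_modulus(cert_text)


# Constructed excerpts in the shape of the two dumps compared in the thread,
# shortened to a 64-bit modulus. They are sample data for this example only,
# not the key or certificate from the list post.
KEY_TEXT = """\
Private-Key: (64 bit)
modulus:
    00:c1:21:20:a3:88:b7:bd:87
publicExponent: 65537 (0x10001)
privateExponent:
    51:3f:91:8e:9a:ee:c9:c2
prime1:
    00:e3:7b:19:4f
prime2:
    00:d9:02:6a:c5
"""

CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (64 bit)
                Modulus (64 bit):
                    00:c1:21:20:a3:88:b7:bd:87
                Exponent: 65537 (0x10001)
"""

# Same layout with one byte changed: a certificate issued for a different key.
OTHER_CERT_TEXT = CERT_TEXT.replace("bd:87", "bd:88")


if __name__ == "__main__":
    n = extract_modulus(KEY_TEXT)
    print(f"key modulus: {n:x} ({n.bit_length()} bits)")
    print("matching certificate:", moduli_match(KEY_TEXT, CERT_TEXT))
    print("unrelated certificate:", moduli_match(KEY_TEXT, OTHER_CERT_TEXT))
```

On a live system the same comparison needs no parser: `openssl rsa -noout -modulus -in hostKey.pem` and `openssl x509 -noout -modulus -in moonCert.pem` each print a single `Modulus=...` line that can be diffed or hashed. A matching modulus only shows that the key belongs to the certificate; as the follow-up in this thread shows, charon must also be able to decrypt the key, which is what the passphrase entry in ipsec.secrets resolved.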