Re: [strongSwan] FW: strongSwan installs SPs?

2009-08-26 Thread Martin Willi
Hi,

> Is it possible for a user space program, registered with XFRM, to delete
> policies that charon adds?

Yes.

> Will that create some errors in charon in subsequent processing?

Charon expects a policy, so deleting will fail. As charon uses
refcounting to handle CHILD_SAs with identical policies, even rekeying
won't reinstall your policy.

> When does charon delete policies? 

When the associated CHILD_SA gets deleted.

> What happens if charon tries to delete a policy (that it previously added)
> that is no longer there (someone else deleted it)?

The kernel returns a netlink error. Charon logs this error, but
continues as usual.

> Note that the assumption is that IPSEC is being performed by some external
> device, and not the Linux kernel, so the absence of the policy in the
> kernel's SPD is not an issue from the IPSEC perspective.

So if I understand correctly, you are using charon to negotiate tunnels,
but use a dedicated device to actually process IPsec traffic?

Instead of mangling SAs and policies installed by charon, it is probably
a better idea to delegate installation to your IPsec device in the first
place.
Our kernel interface is abstracted; we have implementations for XFRM and a
generic and KLIPS-compatible PF_KEY. Maybe it is worth considering your
own implementation of the kernel interface [1] that delegates SA/SP
installation to your external device.

Regards
Martin

[1]http://wiki.strongswan.org/repositories/entry/strongswan/src/charon/kernel/kernel_ipsec.h


___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
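A practitioner-side check for the situation Martin describes, added here as an example and not strongSwan's own code: charon installs out/in/fwd policies for each CHILD_SA and assumes they stay in the SPD until it removes them, so when another XFRM user deletes one, the mismatch only surfaces as a netlink error at charon's next delete. The script parses constructed `ip xfrm policy` output and reports which expected policies are absent, which is the condition worth monitoring. The traffic selectors, addresses and reqid are made up, and the policy layout is the one iproute2 prints, assumed here rather than taken from the thread.

```python
"""Reconcile the policies charon expects with what the kernel SPD holds.

Added example, not strongSwan code. Sample output and addresses are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src: str        # selector source, e.g. "10.1.0.0/16"
    dst: str        # selector destination
    direction: str  # "out", "in" or "fwd"


# Constructed `ip xfrm policy` output in iproute2's layout (assumption): one
# CHILD_SA whose 'fwd' policy has been removed by someone other than charon,
# plus a kernel socket policy that carries no 'dir' keyword.
SAMPLE_XFRM_POLICY = """\
src 10.1.0.0/16 dst 10.2.0.0/16 
    dir out priority 2816 ptype main 
    tmpl src 192.0.2.1 dst 192.0.2.2
        proto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16 
    dir in priority 2816 ptype main 
    tmpl src 192.0.2.2 dst 192.0.2.1
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket in priority 0 ptype main 
"""


def _policy_from_block(block: list):
    """Turn the lines of one policy entry into a Policy, or None for socket policies."""
    toks = " ".join(block).split()
    if "dir" not in toks:
        return None
    # The selector line comes first, so the first 'src'/'dst' tokens are the
    # selector; the template's own src/dst appear later in the block.
    return Policy(src=toks[toks.index("src") + 1],
                  dst=toks[toks.index("dst") + 1],
                  direction=toks[toks.index("dir") + 1])


def parse_xfrm_policies(text: str) -> set:
    """Parse `ip xfrm policy` output into a set of Policy objects."""
    policies = set()
    block = []
    for line in text.splitlines():
        if line.startswith("src "):          # a new entry starts at column 0
            if block and (p := _policy_from_block(block)):
                policies.add(p)
            block = [line]
        elif block:
            block.append(line)
    if block and (p := _policy_from_block(block)):
        policies.add(p)
    return policies


def expected_policies(local_ts: str, remote_ts: str) -> set:
    """The three policies charon installs for one tunnel-mode CHILD_SA."""
    return {
        Policy(local_ts, remote_ts, "out"),
        Policy(remote_ts, local_ts, "in"),
        Policy(remote_ts, local_ts, "fwd"),
    }


def missing_policies(expected: set, kernel: set) -> list:
    """Expected policies that are no longer present in the SPD, in stable order."""
    return sorted(expected - kernel, key=lambda p: (p.direction, p.src, p.dst))


if __name__ == "__main__":
    spd = parse_xfrm_policies(SAMPLE_XFRM_POLICY)
    for gone in missing_policies(expected_policies("10.1.0.0/16", "10.2.0.0/16"), spd):
        print(f"policy missing from SPD: {gone.src} -> {gone.dst} dir {gone.direction}")
```

On a live host feed it the real output of `ip xfrm policy` instead of the sample. In the external-device setup from the question, charon's view and the kernel SPD differ by design, so the comparison would be made against the device's policy table rather than against XFRM.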


Re: [strongSwan] no matching peer config found

2009-08-26 Thread Martin Willi
Hi,

> I can not find the daemon.log on moon side. 

charon by default logs to the DAEMON syslog facility, but which file that
ends up in depends on your syslog daemon's configuration.

> The moon side is Fedora Core 9 Linux.

Our (rather old) Fedora box uses /var/log/daemon.

Regards
Martin



Re: [strongSwan] no trusted RSA public key found

2009-08-26 Thread Zhang, Long (Roger)
Andreas,

Thanks a lot for your help. I had doubts about the time difference, but had not checked
the timezone. I have root permission; I will change the system time.

Roger

> -Original Message-
> From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
> Sent: Thursday, August 27, 2009 1:37 PM
> To: Zhang, Long (Roger)
> Cc: users@lists.strongswan.org
> Subject: Re: [strongSwan] no trusted RSA public key found
>
> Hi Roger,
>
> you have a time synchronisation problem on your Linux boxes.
> The certificate you generated starts to be valid (notBefore) on
>
> Aug 27 13:45:47 UTC 2009
>
> The current time on moon is not known but on sun it is
>
> Aug 27 10:10:11 (Shandong local time).
>
> Since in China you are ahead of UTC by a couple of hours
> it is certainly not yet 13:45:47 UTC. While writing this email
> my watch tells me (Aug 27 5:33:00 UTC 2009) that your certificate
> will not become valid for about another 8 hours from now.
> So either generate a new certificate [without an email RDN anyway]
> or just be patient ;-)
>
> Best regards
>
> Andreas
>
> Zhang, Long (Roger) wrote:
> > Hi,
> >
> > I am trying IPsec with strongSwan on two Linux hosts. The example is
> > http://www.strongswan.org/uml/testresults43/ikev2/host2host-cert/
> >
> > Currently I see a problem "no trusted RSA public key found". I do not
> > know why it is reported. My certificate sunCert.pem looks good. And the CA
> > is shared by both sides, sun and moon. Anyone can help? Thanks!
> >
> > [r...@localhost etc]# /usr/local/sbin/ipsec up host-host
> > initiating IKE_SA host-host[1] to 135.252.130.87
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from 135.252.131.87[500] to 135.252.130.87[500]
> > received packet: from 135.252.130.87[500] to 135.252.131.87[500]
> > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> CERTREQ N(MULT_AUTH) ]
> > received cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD,
> CN=Roger Zhang, e=zha...@alcatel-lucent.com"
> > sending cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD,
> CN=Roger Zhang, e=zha...@alcatel-lucent.com"
> > authentication of 'moon.strongswan.org' (myself) with RSA signature
> successful
> > sending end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD,
> CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
> > establishing CHILD_SA host-host
> > generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr
> N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> > sending packet: from 135.252.131.87[4500] to 135.252.130.87[4500]
> > received packet: from 135.252.130.87[4500] to 135.252.131.87[4500]
> > parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT)
> N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> > received end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD,
> CN=sun.strongswan.org, e=...@alcatel-lucent.com"
> >   using certificate "C=CN, ST=Shandong, O=ALU, OU=RD,
> CN=sun.strongswan.org, e=...@alcatel-lucent.com"
> >   using trusted ca certificate "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD,
> CN=Roger Zhang, e=zha...@alcatel-lucent.com"
> > subject certificate invalid (valid from Aug 27 13:45:47 UTC 2009 to Aug
> 27 13:45:47 UTC 2011)
> > no trusted RSA public key found for 'sun.strongswan.org'
> >
> >
> > The daemon.log on the sun side. There are some failures at the beginning, but
> > I think they do not affect the problem.
> >
> > Aug 27 10:10:11 qdpat-xp charon: 01[DMN] Starting IKEv2 charon daemon
> (strongSwan 4.3.4)
> > Aug 27 10:10:11 qdpat-xp charon: 01[LIB] plugin 'curl': failed to load
> '/usr/local/libexec/ipsec/plugins/libstrongswan-curl.so' -
> /usr/local/libexec/ipsec/plugins/libstrongswan-curl.so: cannot open shared
> object file: No such file or directory
> > Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading ca certificates from
> '/usr/local/etc/ipsec.d/cacerts'
> > Aug 27 10:10:11 qdpat-xp charon: 01[LIB]   missing passphrase
> > Aug 27 10:10:11 qdpat-xp charon: 01[LIB] failed to create a builder for
> credential type CRED_CERTIFICATE, subtype (1)
> > Aug 27 10:10:11 qdpat-xp charon: 01[LIB]   loaded certificate file
> '/usr/local/etc/ipsec.d/cacerts/strongswanCert.pem'
> > Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading aa certificates from
> '/usr/local/etc/ipsec.d/aacerts'
> > Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading ocsp signer
> certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> > Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading attribute certificates
> from '/usr/local/etc/ipsec.d/acerts'
> > Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading crls from
> '/usr/local/etc/ipsec.d/crls'
> > Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading secrets from
> '/usr/local/etc/ipsec.secrets'
> > Aug 27 10:10:11 qdpat-xp charon: 01[CFG]   loaded private key file
> '/usr/local/etc/ipsec.d/reqs/hostKey.pem'
> > Aug 27 10:10:11 qdpat-xp charon: 01[KNL] listening on interfaces:
> > Aug 27 10:10:11 qdpat-xp charon: 01[KNL]   eth0
> > Aug 27 10:10:11 qdpat-xp charon: 01[KNL] 135.2

Re: [strongSwan] no trusted RSA public key found

2009-08-26 Thread Andreas Steffen
Hi Roger,

you have a time synchronisation problem on your Linux boxes.
The certificate you generated starts to be valid (notBefore) on

Aug 27 13:45:47 UTC 2009

The current time on moon is not known but on sun it is

Aug 27 10:10:11 (Shandong local time).

Since in China you are ahead of UTC by a couple of hours
it is certainly not yet 13:45:47 UTC. While writing this email
my watch tells me (Aug 27 5:33:00 UTC 2009) that your certificate
will not become valid for about another 8 hours from now.
So either generate a new certificate [without an email RDN anyway]
or just be patient ;-)

Best regards

Andreas

Zhang, Long (Roger) wrote:
> Hi,
> 
> I am trying IPsec with strongSwan on two Linux hosts. The example is
> http://www.strongswan.org/uml/testresults43/ikev2/host2host-cert/
> 
> Currently I see a problem "no trusted RSA public key found". I do not know
> why it is reported. My certificate sunCert.pem looks good. And the CA is
> shared by both sides, sun and moon. Anyone can help? Thanks!
> 
> [r...@localhost etc]# /usr/local/sbin/ipsec up host-host
> initiating IKE_SA host-host[1] to 135.252.130.87
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 135.252.131.87[500] to 135.252.130.87[500]
> received packet: from 135.252.130.87[500] to 135.252.131.87[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ 
> N(MULT_AUTH) ]
> received cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger 
> Zhang, e=zha...@alcatel-lucent.com"
> sending cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger 
> Zhang, e=zha...@alcatel-lucent.com"
> authentication of 'moon.strongswan.org' (myself) with RSA signature successful
> sending end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, 
> CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
> establishing CHILD_SA host-host
> generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr 
> N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> sending packet: from 135.252.131.87[4500] to 135.252.130.87[4500]
> received packet: from 135.252.130.87[4500] to 135.252.131.87[4500]
> parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) 
> N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> received end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, 
> CN=sun.strongswan.org, e=...@alcatel-lucent.com"
>   using certificate "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, 
> e=...@alcatel-lucent.com"
>   using trusted ca certificate "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, 
> CN=Roger Zhang, e=zha...@alcatel-lucent.com"
> subject certificate invalid (valid from Aug 27 13:45:47 UTC 2009 to Aug 27 
> 13:45:47 UTC 2011)
> no trusted RSA public key found for 'sun.strongswan.org'
> 
> 
> The daemon.log on the sun side. There are some failures at the beginning, but I
> think they do not affect the problem.
> 
> Aug 27 10:10:11 qdpat-xp charon: 01[DMN] Starting IKEv2 charon daemon 
> (strongSwan 4.3.4)
> Aug 27 10:10:11 qdpat-xp charon: 01[LIB] plugin 'curl': failed to load 
> '/usr/local/libexec/ipsec/plugins/libstrongswan-curl.so' - 
> /usr/local/libexec/ipsec/plugins/libstrongswan-curl.so: cannot open shared 
> object file: No such file or directory
> Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading ca certificates from 
> '/usr/local/etc/ipsec.d/cacerts'
> Aug 27 10:10:11 qdpat-xp charon: 01[LIB]   missing passphrase
> Aug 27 10:10:11 qdpat-xp charon: 01[LIB] failed to create a builder for 
> credential type CRED_CERTIFICATE, subtype (1)
> Aug 27 10:10:11 qdpat-xp charon: 01[LIB]   loaded certificate file 
> '/usr/local/etc/ipsec.d/cacerts/strongswanCert.pem'
> Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading aa certificates from 
> '/usr/local/etc/ipsec.d/aacerts'
> Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading ocsp signer certificates 
> from '/usr/local/etc/ipsec.d/ocspcerts'
> Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading attribute certificates from 
> '/usr/local/etc/ipsec.d/acerts'
> Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading crls from 
> '/usr/local/etc/ipsec.d/crls'
> Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading secrets from 
> '/usr/local/etc/ipsec.secrets'
> Aug 27 10:10:11 qdpat-xp charon: 01[CFG]   loaded private key file 
> '/usr/local/etc/ipsec.d/reqs/hostKey.pem'
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL] listening on interfaces:
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL]   eth0
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL] 135.252.130.87
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL] 172.16.25.2
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL] fe80::213:72ff:fe93:850d
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL]   vmnet1
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL] 172.16.25.1
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL] fe80::250:56ff:fec0:1
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL]   vmnet8
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL] 172.16.223.1
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL] fe80::250:56ff:fec0:8
> Aug 27 10:10:11
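The time-skew diagnosis Andreas does by hand, as an added example that is not part of the thread or of strongSwan: parse the validity window charon prints in its "subject certificate invalid" line, convert the peer's local syslog timestamp to UTC with a known offset, and report how far the clock is from notBefore. The log line and timestamps are the ones from the thread; the UTC+8 offset for Shandong and the year 2009 for the syslog stamp (syslog timestamps carry no year) are assumptions made here.

```python
"""Explain a strongSwan 'subject certificate invalid' failure by clock skew.

Added example, not strongSwan code. Timestamps are taken from the thread.
"""
import re
from datetime import datetime, timedelta, timezone

# charon prints certificate validity as e.g. "Aug 27 13:45:47 UTC 2009"
_CHARON_TIME = "%b %d %H:%M:%S UTC %Y"
_INVALID_RE = re.compile(
    r"subject certificate invalid \(valid from (?P<nb>.+?) to (?P<na>.+?)\)"
)

# The line from Roger's 'ipsec up' output above.
CHARON_LINE = ("subject certificate invalid (valid from Aug 27 13:45:47 UTC 2009 "
               "to Aug 27 13:45:47 UTC 2011)")


def parse_charon_time(text: str) -> datetime:
    """Parse charon's UTC timestamp into a timezone-aware datetime."""
    return datetime.strptime(text.strip(), _CHARON_TIME).replace(tzinfo=timezone.utc)


def syslog_time_to_utc(stamp: str, year: int, utc_offset_hours: float) -> datetime:
    """Convert a syslog 'Aug 27 10:10:11' stamp (local time, no year) to UTC.

    Both the year and the offset are assumptions the caller must supply.
    """
    local = datetime.strptime(stamp.strip(), "%b %d %H:%M:%S").replace(year=year)
    return (local - timedelta(hours=utc_offset_hours)).replace(tzinfo=timezone.utc)


def parse_validity(line: str):
    """Return (notBefore, notAfter) from the log line, or None if it is not one."""
    m = _INVALID_RE.search(line)
    if not m:
        return None
    return parse_charon_time(m.group("nb")), parse_charon_time(m.group("na"))


def diagnose(line: str, now: datetime) -> dict:
    """Classify the failure relative to the verifier's clock 'now' (UTC, aware)."""
    window = parse_validity(line)
    if window is None:
        return {"status": "not-a-validity-error"}
    not_before, not_after = window
    if now < not_before:
        return {"status": "not-yet-valid",
                "seconds_until_valid": int((not_before - now).total_seconds())}
    if now > not_after:
        return {"status": "expired",
                "seconds_since_expiry": int((now - not_after).total_seconds())}
    return {"status": "within-validity"}


if __name__ == "__main__":
    # Andreas's watch: Aug 27 05:33:00 UTC 2009 -> about 8 hours to go.
    print(diagnose(CHARON_LINE, parse_charon_time("Aug 27 05:33:00 UTC 2009")))
    # sun's daemon.log stamp, read as Shandong local time (UTC+8, assumed).
    print(diagnose(CHARON_LINE, syslog_time_to_utc("Aug 27 10:10:11", 2009, 8)))
```

The second call shows why the failure is reproducible on sun itself: its log stamp corresponds to 02:10:11 UTC, more than eleven hours before the certificate's notBefore, so fixing the system clock (or issuing a certificate whose notBefore is in the past) is the remedy rather than anything in the trust chain.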

Re: [strongSwan] no matching peer config found

2009-08-26 Thread Zhang, Long (Roger)
Andreas,

Thanks for your detailed explanation.

One more question. I cannot find the daemon.log on the moon side. It seems it is
not generated. Then how can I generate it? The moon side is Fedora Core 9 Linux.

Roger

> -Original Message-
> From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
> Sent: Thursday, August 27, 2009 1:25 PM
> To: Zhang, Long (Roger)
> Cc: Martin Willi; users@lists.strongswan.org
> Subject: Re: [strongSwan] no matching peer config found
> 
> Roger,
> 
> as Martin mentioned in his previous mail, a stupid bug was introduced
> some time back in the strongSwan 4.3 branch that incorrectly encodes
> the email address in a left|rightid="" statement. There are
> the following workarounds:
> 
> 1) Don't use email RDNs in DNs since they are bad practice anyway.
> 2) Use a subjectAltName in left|rightid
> 3) Apply the patch [1] to your strongSwan 4.3.x distribution. The
>patch fixes the ASN.1 email OID encoding.
> 4) Use the latest strongSwan developer release 4.3.5dr1 [2]
> 
> [1] http://wiki.strongswan.org/repositories/diff/strongswan?rev=c8b543a6
> [2] http://download.strongswan.org/strongswan-4.3.5dr1.tar.bz2
> 
> Best regards
> 
> Andreas
> 
> Zhang, Long (Roger) wrote:
> > Martin,
> >
> > I can pass authentication now after I set subjectAltName, but I always
> failed when I use the DN. Curious what is wrong.
> >
> > Thanks,
> > Roger
> >
> >> -Original Message-
> >> From: users-boun...@lists.strongswan.org [mailto:users-
> >> boun...@lists.strongswan.org] On Behalf Of Zhang, Long (Roger)
> >> Sent: Thursday, August 27, 2009 8:58 AM
> >> To: Martin Willi
> >> Cc: users@lists.strongswan.org
> >> Subject: Re: [strongSwan] no matching peer config found
> >>
> >> Martin,
> >>
> >> Thanks for your reply.
> >>
> >> I tried with the full DN, but still failed :-(
> >>
> >> I tried with DN "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
> >> e=...@alcatel-lucent.com" and "C=CN, ST=Shandong, O=ALU, OU=RD,
> >> CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com" and
> >> combinations of leftid and rightid. Still failed. I will try to add
> >> subjectAltName to the certificate.
> >>
> >> Aug 27 08:49:52 qdpat-xp charon: 11[ENC] parsed IKE_AUTH request 1
> [ IDi
> >> CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR)
> >> N(MULT_AUTH) ]
> >> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] received cert request for
> "C=CN,
> >> ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-
> >> lucent.com"
> >> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] received end entity cert "C=CN,
> >> ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-
> >> lucent.com"
> >> Aug 27 08:49:52 qdpat-xp charon: 11[CFG] looking for peer configs
> matching
> >> 135.252.130.87[C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
> >> emailaddress=...@alcatel-lucent.com]...135.252.131.87[c=cn, ST=Shandong,
> >> O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com]
> >> Aug 27 08:49:52 qdpat-xp charon: 11[CFG] no matching peer config found
> >> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] peer supports MOBIKE
> >> Aug 27 08:49:52 qdpat-xp charon: 11[ENC] generating IKE_AUTH response 1
> >> [ N(AUTH_FAILED) ]
> >> Aug 27 08:49:52 qdpat-xp charon: 11[NET] sending packet: from
> >> 135.252.130.87[4500] to 135.252.131.87[4500]
> >>
> >> Sun side ipsec.conf
> >> # /etc/ipsec.conf - strongSwan IPsec configuration file
> >>
> >> config setup
> >> crlcheckinterval=180
> >> strictcrlpolicy=no
> >> plutostart=no
> >>
> >> conn %default
> >> ikelifetime=60m
> >> keylife=20m
> >> rekeymargin=3m
> >> keyingtries=1
> >> keyexchange=ikev2
> >>
> >> conn host-host
> >> left=135.252.130.87
> >> leftcert=/usr/local/etc/ipsec.d/certs/sunCert.pem
> >> #leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
> >> e=...@alcatel-lucent.com"
> >> leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
> >> emailaddress=...@alcatel-lucent.com"
> >> #left...@sun.strongswan.org
> >> leftfirewall=no
> >> right=135.252.131.87
> >> rightid="C=CN, ST=Shandong, O=ALU, OU=RD,
> CN=moon.strongswan.org,
> >> e=m...@alcatel-lucent.com"
> >> #rightid="C=CN, ST=Shandong, O=ALU, OU=RD,
> CN=moon.strongswan.org,
> >> emailaddress=m...@alcatel-lucent.com"
> >> #right...@moon.strongswan.org
> >> auto=add
> >>
> >>
> >> moon side ipsec.conf
> >> # /etc/ipsec.conf - strongSwan IPsec configuration file
> >>
> >> config setup
> >> crlcheckinterval=180
> >> strictcrlpolicy=no
> >> plutostart=no
> >>
> >> conn %default
> >> ikelifetime=60m
> >> keylife=20m
> >> rekeymargin=3m
> >> keyingtries=1
> >> keyexchange=ikev2
> >>
> >> conn host-host
> >> left=135.252.131.87
> >> leftcert=/etc/ipsec.d/certs/moonCert.pem
> >> leftid="C=CN, ST=Shandong

Re: [strongSwan] no matching peer config found

2009-08-26 Thread Andreas Steffen
Roger,

as Martin mentioned in his previous mail, a stupid bug was introduced
some time back in the strongSwan 4.3 branch that incorrectly encodes
the email address in a left|rightid="" statement. There are
the following workarounds:

1) Don't use email RDNs in DNs since they are bad practice anyway.
2) Use a subjectAltName in left|rightid
3) Apply the patch [1] to your strongSwan 4.3.x distribution. The
   patch fixes the ASN.1 email OID encoding.
4) Use the latest strongSwan developer release 4.3.5dr1 [2]

[1] http://wiki.strongswan.org/repositories/diff/strongswan?rev=c8b543a6
[2] http://download.strongswan.org/strongswan-4.3.5dr1.tar.bz2

Best regards

Andreas

Zhang, Long (Roger) wrote:
> Martin,
> 
> I can pass authentication now after I set subjectAltName, but I always failed 
> when I use the DN. Curious what is wrong.
> 
> Thanks,
> Roger
> 
>> -Original Message-
>> From: users-boun...@lists.strongswan.org [mailto:users-
>> boun...@lists.strongswan.org] On Behalf Of Zhang, Long (Roger)
>> Sent: Thursday, August 27, 2009 8:58 AM
>> To: Martin Willi
>> Cc: users@lists.strongswan.org
>> Subject: Re: [strongSwan] no matching peer config found
>>
>> Martin,
>>
>> Thanks for your reply.
>>
>> I tried with the full DN, but still failed :-(
>>
>> I tried with DN "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
>> e=...@alcatel-lucent.com" and "C=CN, ST=Shandong, O=ALU, OU=RD,
>> CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com" and
>> combinations of leftid and rightid. Still failed. I will try to add
>> subjectAltName to the certificate.
>>
>> Aug 27 08:49:52 qdpat-xp charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi
>> CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR)
>> N(MULT_AUTH) ]
>> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] received cert request for "C=CN,
>> ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-
>> lucent.com"
>> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] received end entity cert "C=CN,
>> ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-
>> lucent.com"
>> Aug 27 08:49:52 qdpat-xp charon: 11[CFG] looking for peer configs matching
>> 135.252.130.87[C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
>> emailaddress=...@alcatel-lucent.com]...135.252.131.87[c=cn, ST=Shandong,
>> O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com]
>> Aug 27 08:49:52 qdpat-xp charon: 11[CFG] no matching peer config found
>> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] peer supports MOBIKE
>> Aug 27 08:49:52 qdpat-xp charon: 11[ENC] generating IKE_AUTH response 1
>> [ N(AUTH_FAILED) ]
>> Aug 27 08:49:52 qdpat-xp charon: 11[NET] sending packet: from
>> 135.252.130.87[4500] to 135.252.131.87[4500]
>>
>> Sun side ipsec.conf
>> # /etc/ipsec.conf - strongSwan IPsec configuration file
>>
>> config setup
>> crlcheckinterval=180
>> strictcrlpolicy=no
>> plutostart=no
>>
>> conn %default
>> ikelifetime=60m
>> keylife=20m
>> rekeymargin=3m
>> keyingtries=1
>> keyexchange=ikev2
>>
>> conn host-host
>> left=135.252.130.87
>> leftcert=/usr/local/etc/ipsec.d/certs/sunCert.pem
>> #leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
>> e=...@alcatel-lucent.com"
>> leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
>> emailaddress=...@alcatel-lucent.com"
>> #left...@sun.strongswan.org
>> leftfirewall=no
>> right=135.252.131.87
>> rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org,
>> e=m...@alcatel-lucent.com"
>> #rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org,
>> emailaddress=m...@alcatel-lucent.com"
>> #right...@moon.strongswan.org
>> auto=add
>>
>>
>> moon side ipsec.conf
>> # /etc/ipsec.conf - strongSwan IPsec configuration file
>>
>> config setup
>> crlcheckinterval=180
>> strictcrlpolicy=no
>> plutostart=no
>>
>> conn %default
>> ikelifetime=60m
>> keylife=20m
>> rekeymargin=3m
>> keyingtries=1
>> keyexchange=ikev2
>>
>> conn host-host
>> left=135.252.131.87
>> leftcert=/etc/ipsec.d/certs/moonCert.pem
>> leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org,
>> e=m...@alcatel-lucent.com"
>> #leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org,
>> emailaddress=m...@alcatel-lucent.com"
>> #left...@moon.strongswan.org
>> leftfirewall=no
>> right=135.252.130.87
>> rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
>> e=...@alcatel-lucent.com"
>> #rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
>> emailaddress=...@alcatel-lucent.com"
>> #right...@sun.strongswan.org
>> auto=add
>>
>> Thanks,
>> Roger
>>
>>> -Original Message-
>>> From: Martin Willi [mailto:mar...@strongswan.org]
>>> Sent: Wednesday, August 26, 2009 10:10 PM
>>> To

[strongSwan] no trusted RSA public key found

2009-08-26 Thread Zhang, Long (Roger)
Hi,

I am trying IPsec with strongSwan on two Linux hosts. The example is 
http://www.strongswan.org/uml/testresults43/ikev2/host2host-cert/

Currently I see a problem "no trusted RSA public key found". I do not know 
why it is reported. My certificate sunCert.pem looks good. And the CA is shared 
by both sides, sun and moon. Anyone can help? Thanks!

[r...@localhost etc]# /usr/local/sbin/ipsec up host-host
initiating IKE_SA host-host[1] to 135.252.130.87
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 135.252.131.87[500] to 135.252.130.87[500]
received packet: from 135.252.130.87[500] to 135.252.131.87[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ 
N(MULT_AUTH) ]
received cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger 
Zhang, e=zha...@alcatel-lucent.com"
sending cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger 
Zhang, e=zha...@alcatel-lucent.com"
authentication of 'moon.strongswan.org' (myself) with RSA signature successful
sending end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, 
CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
establishing CHILD_SA host-host
generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr 
N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
sending packet: from 135.252.131.87[4500] to 135.252.130.87[4500]
received packet: from 135.252.130.87[4500] to 135.252.131.87[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) 
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
received end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, 
CN=sun.strongswan.org, e=...@alcatel-lucent.com"
  using certificate "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, 
e=...@alcatel-lucent.com"
  using trusted ca certificate "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger 
Zhang, e=zha...@alcatel-lucent.com"
subject certificate invalid (valid from Aug 27 13:45:47 UTC 2009 to Aug 27 
13:45:47 UTC 2011)
no trusted RSA public key found for 'sun.strongswan.org'


The daemon.log on the sun side. There are some failures at the beginning, but I 
think they do not affect the problem.

Aug 27 10:10:11 qdpat-xp charon: 01[DMN] Starting IKEv2 charon daemon 
(strongSwan 4.3.4)
Aug 27 10:10:11 qdpat-xp charon: 01[LIB] plugin 'curl': failed to load 
'/usr/local/libexec/ipsec/plugins/libstrongswan-curl.so' - 
/usr/local/libexec/ipsec/plugins/libstrongswan-curl.so: cannot open shared 
object file: No such file or directory
Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading ca certificates from 
'/usr/local/etc/ipsec.d/cacerts'
Aug 27 10:10:11 qdpat-xp charon: 01[LIB]   missing passphrase
Aug 27 10:10:11 qdpat-xp charon: 01[LIB] failed to create a builder for 
credential type CRED_CERTIFICATE, subtype (1)
Aug 27 10:10:11 qdpat-xp charon: 01[LIB]   loaded certificate file 
'/usr/local/etc/ipsec.d/cacerts/strongswanCert.pem'
Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading aa certificates from 
'/usr/local/etc/ipsec.d/aacerts'
Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading ocsp signer certificates from 
'/usr/local/etc/ipsec.d/ocspcerts'
Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading attribute certificates from 
'/usr/local/etc/ipsec.d/acerts'
Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading crls from 
'/usr/local/etc/ipsec.d/crls'
Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading secrets from 
'/usr/local/etc/ipsec.secrets'
Aug 27 10:10:11 qdpat-xp charon: 01[CFG]   loaded private key file 
'/usr/local/etc/ipsec.d/reqs/hostKey.pem'
Aug 27 10:10:11 qdpat-xp charon: 01[KNL] listening on interfaces:
Aug 27 10:10:11 qdpat-xp charon: 01[KNL]   eth0
Aug 27 10:10:11 qdpat-xp charon: 01[KNL] 135.252.130.87
Aug 27 10:10:11 qdpat-xp charon: 01[KNL] 172.16.25.2
Aug 27 10:10:11 qdpat-xp charon: 01[KNL] fe80::213:72ff:fe93:850d
Aug 27 10:10:11 qdpat-xp charon: 01[KNL]   vmnet1
Aug 27 10:10:11 qdpat-xp charon: 01[KNL] 172.16.25.1
Aug 27 10:10:11 qdpat-xp charon: 01[KNL] fe80::250:56ff:fec0:1
Aug 27 10:10:11 qdpat-xp charon: 01[KNL]   vmnet8
Aug 27 10:10:11 qdpat-xp charon: 01[KNL] 172.16.223.1
Aug 27 10:10:11 qdpat-xp charon: 01[KNL] fe80::250:56ff:fec0:8
Aug 27 10:10:11 qdpat-xp charon: 01[DMN] loaded plugins: aes des sha1 sha2 md5 
gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
Aug 27 10:10:11 qdpat-xp charon: 01[JOB] spawning 16 worker threads
Aug 27 10:10:11 qdpat-xp charon: 03[CFG] received stroke: add connection 
'host-host'
Aug 27 10:10:11 qdpat-xp charon: 03[LIB]   loaded certificate file 
'/usr/local/etc/ipsec.d/certs/sunCert.pem'
Aug 27 10:10:11 qdpat-xp charon: 03[CFG] added configuration 'host-host'
Aug 27 10:10:15 qdpat-xp charon: 10[NET] received packet: from 
135.252.131.87[500] to 135.252.130.87[500]
Aug 27 10:10:15 qdpat-xp charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE 
No N(NATD_S_IP) N(NATD_D_IP) ]
Aug 27 10:10:15 qdpat-xp charon: 10[IKE] 135.252.131.87 is initiating an IKE_SA
Aug 27 10:10:15 qdpat-xp charon: 10[IKE] sen

Re: [strongSwan] no matching peer config found

2009-08-26 Thread Zhang, Long (Roger)
Martin,

I can pass authentication now after I set subjectAltName, but I always failed 
when I use the DN. Curious what is wrong.

Thanks,
Roger

> -Original Message-
> From: users-boun...@lists.strongswan.org [mailto:users-
> boun...@lists.strongswan.org] On Behalf Of Zhang, Long (Roger)
> Sent: Thursday, August 27, 2009 8:58 AM
> To: Martin Willi
> Cc: users@lists.strongswan.org
> Subject: Re: [strongSwan] no matching peer config found
> 
> Martin,
> 
> Thanks for your reply.
> 
> I tried with the full DN, but still failed :-(
> 
> I tried with DN "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
> e=...@alcatel-lucent.com" and "C=CN, ST=Shandong, O=ALU, OU=RD,
> CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com" and
> combinations of leftid and rightid. Still failed. I will try to add
> subjectAltName to the certificate.
> 
> Aug 27 08:49:52 qdpat-xp charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi
> CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR)
> N(MULT_AUTH) ]
> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] received cert request for "C=CN,
> ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-
> lucent.com"
> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] received end entity cert "C=CN,
> ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-
> lucent.com"
> Aug 27 08:49:52 qdpat-xp charon: 11[CFG] looking for peer configs matching
> 135.252.130.87[C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
> emailaddress=...@alcatel-lucent.com]...135.252.131.87[c=cn, ST=Shandong,
> O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com]
> Aug 27 08:49:52 qdpat-xp charon: 11[CFG] no matching peer config found
> Aug 27 08:49:52 qdpat-xp charon: 11[IKE] peer supports MOBIKE
> Aug 27 08:49:52 qdpat-xp charon: 11[ENC] generating IKE_AUTH response 1
> [ N(AUTH_FAILED) ]
> Aug 27 08:49:52 qdpat-xp charon: 11[NET] sending packet: from
> 135.252.130.87[4500] to 135.252.131.87[4500]
> 
> Sun side ipsec.conf
> # /etc/ipsec.conf - strongSwan IPsec configuration file
> 
> config setup
> crlcheckinterval=180
> strictcrlpolicy=no
> plutostart=no
> 
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev2
> 
> conn host-host
> left=135.252.130.87
> leftcert=/usr/local/etc/ipsec.d/certs/sunCert.pem
> #leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
> e=...@alcatel-lucent.com"
> leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
> emailaddress=...@alcatel-lucent.com"
> #left...@sun.strongswan.org
> leftfirewall=no
> right=135.252.131.87
> rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org,
> e=m...@alcatel-lucent.com"
> #rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org,
> emailaddress=m...@alcatel-lucent.com"
> #right...@moon.strongswan.org
> auto=add
> 
> 
> moon side ipsec.conf
> # /etc/ipsec.conf - strongSwan IPsec configuration file
> 
> config setup
> crlcheckinterval=180
> strictcrlpolicy=no
> plutostart=no
> 
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev2
> 
> conn host-host
> left=135.252.131.87
> leftcert=/etc/ipsec.d/certs/moonCert.pem
> leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org,
> e=m...@alcatel-lucent.com"
> #leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org,
> emailaddress=m...@alcatel-lucent.com"
> #left...@moon.strongswan.org
> leftfirewall=no
> right=135.252.130.87
> rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
> e=...@alcatel-lucent.com"
> #rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
> emailaddress=...@alcatel-lucent.com"
> #right...@sun.strongswan.org
> auto=add
> 
> Thanks,
> Roger
> 
> > -Original Message-
> > From: Martin Willi [mailto:mar...@strongswan.org]
> > Sent: Wednesday, August 26, 2009 10:10 PM
> > To: Zhang, Long (Roger)
> > Cc: users@lists.strongswan.org
> > Subject: Re: [strongSwan] no matching peer config found
> >
> > Hi Roger,
> >
> > > peerid sun.strongswan.org not confirmed by certificate, defaulting to
> > >  subject DN: C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
> > >  e=...@alcatel-lucent.com
> >
> > strongSwan requires the peer ID to be contained in the certificate
> > (either the complete DN, or as a subjectAltName, a matching CN= is
> > insufficient).
> >
> > Either add your peer identities as subjectAltName, or use the complete
> > DN of your certificate as peer identity.
> >
> > If you have E= in your peer DN identities, make sure to apply [1], there
> > was a regression in 4.3.4 with email OID handling.
> >
> > Regards
> > Martin
> >
> > [1]http://wiki.strongswan.
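A model of the identity rule Martin states in the quoted reply, added here as an example and not strongSwan's own matching code: a configured left|rightid is confirmed only if it equals the certificate's complete subject DN or one of its subjectAltNames, and a matching CN= alone is not enough, in which case charon falls back to the subject DN as the peer's log line shows. DN parsing is simplified (no escaped commas), attribute types and values compare case-insensitively, and the "e"/"emailaddress" spellings seen in the thread's logs are folded to one name; those are assumptions made here, and the subject DN's e-mail value is a constructed placeholder.

```python
"""Check whether a configured peer identity is confirmed by the peer's certificate.

Added example, not strongSwan code. Certificate contents below are constructed.
"""
from dataclasses import dataclass, field

# Attribute-type spellings seen in charon's output, folded to one canonical name
# (assumption: the matching layer treats E and emailAddress as the same type).
_ALIASES = {"e": "emailaddress", "email": "emailaddress"}


def parse_dn(text: str) -> tuple:
    """'C=CN, ST=Shandong, CN=x, e=a@b' -> (('c','cn'), ('st','shandong'), ...).

    Simplification: no escaped commas; types and values are lower-cased.
    """
    rdns = []
    for part in text.split(","):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        typ, val = part.split("=", 1)
        typ = typ.strip().lower()
        rdns.append((_ALIASES.get(typ, typ), val.strip().lower()))
    return tuple(rdns)


@dataclass
class PeerCert:
    """Subject DN plus subjectAltName entries (DNS names or e-mail addresses)."""
    subject: str
    sans: list = field(default_factory=list)


def identity_confirmed(peer_id: str, cert: PeerCert) -> tuple:
    """Return (confirmed, reason) for a configured leftid/rightid value."""
    if "=" not in peer_id:                       # FQDN or e-mail style identity
        if peer_id.lower() in (s.lower() for s in cert.sans):
            return True, "identity matches a subjectAltName"
        return False, f"peerid {peer_id} not confirmed by certificate"
    wanted, subject = parse_dn(peer_id), parse_dn(cert.subject)
    if wanted == subject:
        return True, "identity matches the complete subject DN"
    if set(wanted) <= set(subject):
        return False, "partial DN (e.g. CN= only) is insufficient; use the complete DN"
    return False, "DN does not match the certificate subject"


def choose_peer_id(configured: str, cert: PeerCert) -> str:
    """The identity charon ends up using: the configured one if confirmed,
    otherwise it defaults to the certificate's subject DN."""
    ok, _ = identity_confirmed(configured, cert)
    return configured if ok else cert.subject


# Constructed stand-in for sunCert.pem's subject (e-mail value is a placeholder).
SUN_SUBJECT = "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, E=sun@example.invalid"

if __name__ == "__main__":
    cert = PeerCert(SUN_SUBJECT)
    for pid in ("sun.strongswan.org", "CN=sun.strongswan.org", SUN_SUBJECT):
        print(pid, "->", identity_confirmed(pid, cert))
    print("with SAN:", identity_confirmed("sun.strongswan.org",
                                          PeerCert(SUN_SUBJECT, ["sun.strongswan.org"])))
```

The first case reproduces the "peerid sun.strongswan.org not confirmed by certificate, defaulting to subject DN" situation; adding the hostname as a subjectAltName, as Roger eventually did, or configuring the complete DN, are the two ways to satisfy the rule. The 4.3.4 regression Martin mentions sits below this layer, in how the E= RDN is ASN.1-encoded, which is why a complete DN containing an e-mail RDN still failed for him until patched.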

Re: [strongSwan] no matching peer config found

2009-08-26 Thread Zhang, Long (Roger)
Martin,

Thanks for your reply.

I tried with the full DN, but still failed :-( 

I tried with DN "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
and "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com"
and combinations of leftid and rightid. Still failed. I will try to add a subjectAltName to the
certificate.

Aug 27 08:49:52 qdpat-xp charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
Aug 27 08:49:52 qdpat-xp charon: 11[IKE] received cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
Aug 27 08:49:52 qdpat-xp charon: 11[IKE] received end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
Aug 27 08:49:52 qdpat-xp charon: 11[CFG] looking for peer configs matching 135.252.130.87[C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, emailaddress=...@alcatel-lucent.com]...135.252.131.87[c=cn, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com]
Aug 27 08:49:52 qdpat-xp charon: 11[CFG] no matching peer config found
Aug 27 08:49:52 qdpat-xp charon: 11[IKE] peer supports MOBIKE
Aug 27 08:49:52 qdpat-xp charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 27 08:49:52 qdpat-xp charon: 11[NET] sending packet: from 135.252.130.87[4500] to 135.252.131.87[4500]

Sun side ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn host-host
        left=135.252.130.87
        leftcert=/usr/local/etc/ipsec.d/certs/sunCert.pem
        #leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
        leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, emailaddress=...@alcatel-lucent.com"
        #leftid=@sun.strongswan.org
        leftfirewall=no
        right=135.252.131.87
        rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
        #rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com"
        #rightid=@moon.strongswan.org
        auto=add


moon side ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn host-host
        left=135.252.131.87
        leftcert=/etc/ipsec.d/certs/moonCert.pem
        leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
        #leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, emailaddress=m...@alcatel-lucent.com"
        #leftid=@moon.strongswan.org
        leftfirewall=no
        right=135.252.130.87
        rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
        #rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, emailaddress=...@alcatel-lucent.com"
        #rightid=@sun.strongswan.org
        auto=add

Thanks,
Roger

> -Original Message-
> From: Martin Willi [mailto:mar...@strongswan.org]
> Sent: Wednesday, August 26, 2009 10:10 PM
> To: Zhang, Long (Roger)
> Cc: users@lists.strongswan.org
> Subject: Re: [strongSwan] no matching peer config found
> 
> Hi Roger,
> 
> > peerid sun.strongswan.org not confirmed by certificate, defaulting to
> >  subject DN: C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
> >  e=...@alcatel-lucent.com
> 
> strongSwan requires the peer ID to be contained in the certificate
> (either the complete DN, or as a subjectAltName, a matching CN= is
> insufficient).
> 
> Either add your peer identities as subjectAltName, or use the complete
> DN of your certificate as peer identity.
> 
> If you have E= in your peer DN identities, make sure to apply [1], there
> was is regression in 4.3.4 with email OID handling.
> 
> Regards
> Martin
> 
> [1]http://wiki.strongswan.org/repositories/diff/strongswan?rev=c8b543a6
> 

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] FW: strongSwan installs SPs?

2009-08-26 Thread Stephen Pisano
Hi Andreas:

Is it possible for a user space program, registered with XFRM, to delete
policies that charon adds?  

Will that create some errors in charon in subsequent processing?

When does charon delete policies? 

What happens if charon tries to delete a policy (that it previously added)
that is no longer there (someone else deleted it)?

Note that the assumption is that IPSEC is being performed by some external
device, and not the Linux kernel, so the absence of the policy in the
kernel's SPD is not an issue from the IPSEC perspective.

Thanks,
Stephen




>-Original Message-
>From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
>Sent: Monday, July 27, 2009 1:52 PM
>To: Stephen Pisano
>Cc: users@lists.strongswan.org
>Subject: Re: [strongSwan] FW: strongSwan installs SPs?
>
>Hi Stephen,
>
>strongSwan can assign a preliminary IPsec SA and a corresponding
>reqid using auto=route without installing an SPD in the kernel
>(installpolicy=no). This is used in our Mobile IPv6 scenario:
>
>http://wiki.strongswan.org/wiki/strongswan/MobileNodeSetup
>
>The current disadvantage is that the XFRM_ACQUIRE message which
>will trigger the actual IKE negotiation must use the correct reqid.
>This is not a problem if only one tunnel is managed but might be tricky
>with multiple tunnel definitions pre-started with auto=route. As an
>alternative we could create the SA definition on demand applying a
>closest match on the traffic selectors that are received via the
>XFRM_ACQUIRE message.
>
>Best regards
>
>Andreas
>
>Stephen Pisano wrote:
>> Hi Andreas,
>>
>> That is just the kind of solution I had in mind.
>>
>> Are you aware of any other SPD dependencies?
>>
>> I think I found one, which I wanted to get your view on.
>>
>> The area of functionality is SA establishment via a kernel ACQUIRE.
>>
>> In ike_sa.c:acquire(), there is the following snippet:
>>
>>     /* find CHILD_SA */
>>     iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
>>     while (iterator->iterate(iterator, (void**)&current))
>>     {
>>         if (current->get_reqid(current) == reqid)
>>         {
>>             child_sa = current;
>>             break;
>>         }
>>     }
>>     iterator->destroy(iterator);
>>     if (!child_sa)
>>     {
>>         DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: "
>>              "CHILD_SA not found", reqid);
>>         return FAILED;
>>     }
>>
>> I interpret this to mean that you can only initiate an SA establishment
>> via a kernel ACQUIRE if there is an existing SA (which was generated with a
>> policy in the SPD, having a certain reqid).
>>
>> Is this a correct interpretation?
>>
>> Thanks,
>> Stephen
>>
>>
>>
>>> -Original Message-
>>> From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
>>> Sent: Wednesday, July 22, 2009 7:20 AM
>>> To: Stephen Pisano
>>> Cc: users@lists.strongswan.org
>>> Subject: Re: [strongSwan] FW: strongSwan installs SPs?
>>>
>>> Hi Stephen,
>>>
>>> we could introduce e.g. a new charon.no_spd_available configuration
>>> option in /etc/strongswan.conf that would redefine the
>>> child_sa_t.get_usetime() method:
>>>
>>> http://wiki.strongswan.org/repositories/entry/strongswan/src/charon/sa/child_sa.c#L357
>>>
>>> Instead of using the kernel_interface->query_policy() method
>>> a new kernel_interface->query_sa() method that we wanted to
>>> implement anyway in one of the next releases, would retrieve
>>> the current number of packets/bytes and compare it with the
>>> previously retrieved value cached in the child_sa_t object.
>>> I think I even implemented such an approach in pluto's KLIPS
>>> kernel interface many years ago.
>>>
>>> Best regards
>>>
>>> Andreas
>>>
>>> Stephen Pisano wrote:
>>>> Thanks Andreas, please see my comment below.
>>>>
>>>>
>>>>> -Original Message-
>>>>> From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
>>>>> Sent: Wednesday, July 22, 2009 2:12 AM
>>>>> To: Stephen Pisano
>>>>> Cc: users@lists.strongswan.org
>>>>> Subject: Re: [strongSwan] FW: strongSwan installs SPs?
>>>>>
>>>>> Hello Stephen,
>>>>>
>>>>> installpolicy=no just means that the IKEv2 charon daemon does not
>>>>> use the add_policy() and del_policy() methods of the kernel interface
>>>>> to actively manage the IPsec policies but delegates these tasks to
>>>>> another process on the same host. charon still uses the query_policy()
>>>>> method to get the use_time status information for liveliness checks.
>>>> [pisano] Ah, yes, I understand what you're saying, but consider an
>>>> application where the SPD is not used and the IKE daemon is to be used
>>>> for SA management alone.  With the current behavior, this places a
>>>> dependency between the IKE daemon and the presence of a policy in the SPD.
>>>>
>>>>> Concerning your question why we don't query the SA's use_time instead,
>>>>> you are not the only wond
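The reqid dependency Stephen and Andreas discuss above, as an added illustration that is not strongSwan code: a strict lookup by reqid, which is what the quoted ike_sa.c:acquire() snippet does, beside the closest match on the traffic selectors of the XFRM_ACQUIRE that Andreas proposes as the alternative. The data classes, the sample definitions and the ACQUIRE messages are constructed for this example.

```python
"""Two ways of mapping a kernel XFRM_ACQUIRE to a routed CHILD_SA definition:
strict lookup by reqid versus closest match on traffic selectors.
Added illustration, not strongSwan code; all data below is constructed."""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RoutedChild:
    """A CHILD_SA definition pre-installed with auto=route: it has a reqid and
    a pair of traffic selectors, but no negotiated SA yet."""
    name: str
    reqid: int
    local_ts: ipaddress.IPv4Network
    remote_ts: ipaddress.IPv4Network


@dataclass(frozen=True)
class Acquire:
    """The fields of an XFRM_ACQUIRE that matter here: the reqid of the policy
    template that triggered it and the addresses of the packet that hit it."""
    reqid: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def by_reqid(children, acq):
    """Strict lookup: the ACQUIRE's reqid must name an existing CHILD_SA,
    otherwise the acquire fails (the 'CHILD_SA not found' branch above)."""
    for child in children:
        if child.reqid == acq.reqid:
            return child
    return None


def by_selectors(children, acq):
    """Closest match: among definitions whose selectors cover the packet, take
    the most specific one (largest combined prefix length). A policy that some
    other process installed with an unrelated reqid can still be served."""
    best, best_score = None, -1
    for child in children:
        if acq.src in child.local_ts and acq.dst in child.remote_ts:
            score = child.local_ts.prefixlen + child.remote_ts.prefixlen
            if score > best_score:
                best, best_score = child, score
    return best


# Constructed sample: two routed definitions, the second nested in the first.
ROUTED = [
    RoutedChild("site", 1, ipaddress.ip_network("10.1.0.0/16"),
                ipaddress.ip_network("10.2.0.0/16")),
    RoutedChild("dmz", 2, ipaddress.ip_network("10.1.5.0/24"),
                ipaddress.ip_network("10.2.7.0/24")),
]


def resolve(acq, children=ROUTED):
    """Return (name found by reqid, name found by selectors) side by side."""
    strict = by_reqid(children, acq)
    closest = by_selectors(children, acq)
    return (strict.name if strict else None, closest.name if closest else None)


if __name__ == "__main__":
    ip = ipaddress.ip_address
    # matching reqid: both strategies agree
    print(resolve(Acquire(2, ip("10.1.5.9"), ip("10.2.7.3"))))
    # foreign reqid: the strict lookup fails, the selector match still works
    print(resolve(Acquire(7, ip("10.1.5.9"), ip("10.2.7.3"))))
```

The second case is the one the thread is about: a policy installed outside charon carries a reqid charon never handed out, so the strict lookup returns nothing while the selector match still finds the definition that covers the packet.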

Re: [strongSwan] charon supports ipv4 or ipv6?

2009-08-26 Thread Andreas Steffen
ipsec statusall

shows the connection definitions.

Andreas

Yong Choo wrote:
> 
> Will the charon's log show the auto-detected ipv4 .vs. ipv6 per connection?
> 
> I looked at the daemon.log & auth.log example but did not see. Perhaps I
> need to enable more charon debug level?
> 
> Yong Choo wrote:
>> Auto Detect! The Best!
>> Thank You!
>>
>> Andreas Steffen wrote:
>>> Hi Yong Choo,
>>>
>>> we don't use the --ipv4, --ipv6, --tunnelipv4, and --tunnelipv6
>>> options at all. I think they are FreeS/WAN legacy and should be
>>> removed from our man pages.
>>>
>>> Both strongSwan pluto and strongSwan charon detect IPv4 and IPv6
>>> addresses automatically, so you don't have to give any explicit
>>> IP address family hints.
>>>
>>> Here are a couple of charon IPv4 and IPv6 example configurations:
>>>
>>> http://wiki.strongswan.org/wiki/strongswan/IKEv2Examples
>>>
>>> Regards
>>>
>>> Andreas
>>>
>>> Yong Choo wrote:
>>>> Hi all,
>>>> I want to enable charon and disable pluto in order to limit to IKEv2
>>>> without 'mobike'.
>>>> When I enable charon in ipsec.conf,
>>>> - does charon support only ipv6?
>>>>
>>>> (It was not clear whether this is the default behavior for 'charon'
>>>> in the description http://www.strongswan.org/index.htm)
>>>>
>>>> - I read pluto man page where the usage of ipv4/6 can be controlled
>>>> by --ipv4 --ipv6, --tunnelipv4, --tunnelipv6 options but it was not
>>>> clear on the charon.
>>>> - man page on the ipsec.config did not mention about controlling
>>>> ipv4 vs. ipv6.
>>>>
>>>> Thanks Again,
>>>> -Yong Choo
>>>
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!www.strongswan.org

Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==



Re: [strongSwan] charon supports ipv4 or ipv6?

2009-08-26 Thread Yong Choo

Will the charon's log show the auto-detected ipv4 vs. ipv6 per connection?

I looked at the daemon.log & auth.log example but did not see. Perhaps I 
need to enable more charon debug level?

Yong Choo wrote:
> Auto Detect! The Best!
> Thank You!
>
> Andreas Steffen wrote:
>> Hi Yong Choo,
>>
>> we don't use the --ipv4, --ipv6, --tunnelipv4, and --tunnelipv6
>> options at all. I think they are FreeS/WAN legacy and should be
>> removed from our man pages.
>>
>> Both strongSwan pluto and strongSwan charon detect IPv4 and IPv6
>> addresses automatically, so you don't have to give any explicit
>> IP address family hints.
>>
>> Here are a couple of charon IPv4 and IPv6 example configurations:
>>
>> http://wiki.strongswan.org/wiki/strongswan/IKEv2Examples
>>
>> Regards
>>
>> Andreas
>>
>> Yong Choo wrote:
>>  
>>> Hi all,
>>> I want to enable charon and disable pluto in order to limit to IKEv2 
>>> without 'mobike'.
>>> When I enable charon in ipsec.conf,
>>> - does charon support only ipv6?
>>>
>>> (It was not clear whether this is the default behavior for 'charon' 
>>> in the description http://www.strongswan.org/index.htm)
>>>
>>> - I read pluto man page where the usage of ipv4/6 can be controlled 
>>> by --ipv4 --ipv6, --tunnelipv4, --tunnelipv6 options but it was not 
>>> clear on the charon.
>>> - man page on the ipsec.config did not mention about controlling 
>>> ipv4 .vs. ipv6.
>>>
>>> Thanks Again,
>>> -Yong Choo
>>> 
>>
>> ==
>> Andreas Steffen andreas.stef...@strongswan.org
>> strongSwan - the Linux VPN Solution!www.strongswan.org
>>
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===[ITA-HSR]==
>>
>>   
>


Re: [strongSwan] charon supports ipv4 or ipv6?

2009-08-26 Thread Yong Choo
Auto Detect! The Best!
Thank You!

Andreas Steffen wrote:
> Hi Yong Choo,
>
> we don't use the --ipv4, --ipv6, --tunnelipv4, and --tunnelipv6
> options at all. I think they are FreeS/WAN legacy and should be
> removed from our man pages.
>
> Both strongSwan pluto and strongSwan charon detect IPv4 and IPv6
> addresses automatically, so you don't have to give any explicit
> IP address family hints.
>
> Here are a couple of charon IPv4 and IPv6 example configurations:
>
> http://wiki.strongswan.org/wiki/strongswan/IKEv2Examples
>
> Regards
>
> Andreas
>
> Yong Choo wrote:
>   
>> Hi all,
>> I want to enable charon and disable pluto in order to limit to IKEv2 
>> without 'mobike'.
>> When I enable charon in ipsec.conf,
>> - does charon support only ipv6?
>>
>> (It was not clear whether this is the default behavior for 'charon' in 
>> the description http://www.strongswan.org/index.htm)
>>
>> - I read pluto man page where the usage of ipv4/6 can be controlled by 
>> --ipv4 --ipv6, --tunnelipv4, --tunnelipv6 options but it was not clear 
>> on the charon.
>> - man page on the ipsec.config did not mention about controlling ipv4 
>> .vs. ipv6.
>>
>> Thanks Again,
>> -Yong Choo
>> 
>
> ==
> Andreas Steffen andreas.stef...@strongswan.org
> strongSwan - the Linux VPN Solution!www.strongswan.org
>
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[ITA-HSR]==
>
>   


Re: [strongSwan] charon supports ipv4 or ipv6?

2009-08-26 Thread Andreas Steffen
Hi Yong Choo,

we don't use the --ipv4, --ipv6, --tunnelipv4, and --tunnelipv6
options at all. I think they are FreeS/WAN legacy and should be
removed from our man pages.

Both strongSwan pluto and strongSwan charon detect IPv4 and IPv6
addresses automatically, so you don't have to give any explicit
IP address family hints.

Here are a couple of charon IPv4 and IPv6 example configurations:

http://wiki.strongswan.org/wiki/strongswan/IKEv2Examples

Regards

Andreas

Yong Choo wrote:
> Hi all,
> I want to enable charon and disable pluto in order to limit to IKEv2 
> without 'mobike'.
> When I enable charon in ipsec.conf,
> - does charon support only ipv6?
> 
> (It was not clear whether this is the default behavior for 'charon' in 
> the description http://www.strongswan.org/index.htm)
> 
> - I read pluto man page where the usage of ipv4/6 can be controlled by 
> --ipv4 --ipv6, --tunnelipv4, --tunnelipv6 options but it was not clear 
> on the charon.
> - man page on the ipsec.config did not mention about controlling ipv4 
> .vs. ipv6.
> 
> Thanks Again,
> -Yong Choo

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!www.strongswan.org

Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==





[strongSwan] charon supports ipv4 or ipv6?

2009-08-26 Thread Yong Choo
Hi all,
I want to enable charon and disable pluto in order to limit to IKEv2 
without 'mobike'.
When I enable charon in ipsec.conf,
- does charon support only ipv6?

(It was not clear whether this is the default behavior for 'charon' in 
the description http://www.strongswan.org/index.htm)

- I read pluto man page where the usage of ipv4/6 can be controlled by 
--ipv4 --ipv6, --tunnelipv4, --tunnelipv6 options but it was not clear 
on the charon.
- man page on the ipsec.config did not mention about controlling ipv4 
vs. ipv6.

Thanks Again,
-Yong Choo


Re: [strongSwan] unroute problem

2009-08-26 Thread Andreas Steffen
Hi,

there is no established IPsec SA between the two hosts. You must
start the IKE negotiation with the command

ipsec up host-host

if the setting in ipsec.conf is auto=add or change the setting
to auto=start which will start the negotiation automatically.

Regards

Andreas

Sushil Chaudhari wrote:
> Hello Everyone,
> 
> I am trying to establish static SA between two hosts. But when I run the 
> command ipsec status, it gives me 
> 
> root@sushil:/etc# ipsec status
> 000 "host-host": 192.168.1.143[C=us, ST=ma, O=mzeal, OU=op, CN=192.168.1.143]---192.168.1.1...192.168.1.124[C=us, O=mzeal, CN=192.168.1.124]; unrouted; eroute owner: #0
> 000 "host-host":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
> 000 
> 
> same thing on sun host.
> can anybody tell me how to establish route between the two hosts. Sorry for 
> bothering for such a basic question.
> 
> Thanks.

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!www.strongswan.org

Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==



Re: [strongSwan] unroute problem

2009-08-26 Thread Sushil Chaudhari
Hello Everyone,

I am trying to establish static SA between two hosts. But when I run the 
command ipsec status, it gives me 

root@sushil:/etc# ipsec status
000 "host-host": 192.168.1.143[C=us, ST=ma, O=mzeal, OU=op, CN=192.168.1.143]---192.168.1.1...192.168.1.124[C=us, O=mzeal, CN=192.168.1.124]; unrouted; eroute owner: #0
000 "host-host":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000 

same thing on sun host.
can anybody tell me how to establish route between the two hosts. Sorry for 
bothering for such a basic question.

Thanks.


Re: [strongSwan] strongswan dropping encapsulated ESP packet...

2009-08-26 Thread sunil kumar
Dear Andreas,

Thanks for reply.
There was problem with packet encapsulation.
Now, it is working fine.

Regards,
Sunilkumar

On Wed, Aug 26, 2009 at 12:20 PM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:

> Hi,
>
> dropped ESP packets will not appear in the strongSwan logs because
> they are either blocked by the firewall (check the firewall logs)
> or by the IPsec stack in the kernel which can be checked with the
> command
>
> ip -s xfrm state
>
> src 192.168.0.1 dst 192.168.0.200
>     proto esp spi 0xca40e7a5(3393251237) reqid 2(0x0002) mode tunnel
>     replay-window 32 seq 0x flag 20 (0x0010)
>     auth hmac(sha1) 0xb3bb1b1a0d6bb1a79c6a009332dd8283719ae369 (160 bits)
>     enc cbc(aes) 0x91652eba63520959132f2967fd03e393 (128 bits)
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 1200(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       84(bytes), 1(packets)
>       add 2009-08-18 15:50:33 use 2009-08-18 15:50:36
>     stats:
>       replay-window 0 replay 0 failed 0
>
> If the 'failed' count is not 0 then something is wrong with your IPsec
> SA.
>
> Best regards
>
> Andreas
>
> sunil kumar wrote:
> > Hi,
> >
> > I established SA from a peer to strongswan.
> > Peer is behind NAT.
> > After SA is established, when peer sends encapsulated ESP packet,
> > strongswan is dropping it.
> > I am not getting why the packet is dropped.
> > I checked ../log/secure and ../log/message files for any information, but
> > I am not getting any.
> >
> > Where to get error information ..
> >
> > Regards,
> > Sunilkumar
>
> ==
> Andreas Steffen andreas.stef...@strongswan.org
> strongSwan - the Linux VPN Solution!www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[ITA-HSR]==
>
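A check for the 'failed' counter Andreas points to, as an added example rather than strongSwan tooling: it parses the output of `ip -s xfrm state`, lists the SAs whose kernel statistics show rejected packets, and redacts the key material the command prints in clear, which is worth doing before such a dump is pasted into a ticket or onto a mailing list. The sample output below is constructed after the format quoted above; its keys and its second SA are invented.

```python
"""Parse 'ip -s xfrm state' and flag SAs whose kernel counters show rejected
packets. Added example, not strongSwan tooling; SAMPLE is constructed."""

import re

SA_HEAD = re.compile(r"^src (\S+) dst (\S+)")
SA_ID = re.compile(r"proto (\w+) spi (0x[0-9a-f]+)\(\d+\) reqid (\d+)\(0x[0-9a-f]+\) mode (\w+)")
CURRENT = re.compile(r"^\s*(\d+)\(bytes\), (\d+)\(packets\)")
STATS = re.compile(r"^\s*replay-window (\d+) replay (\d+) failed (\d+)")
KEY = re.compile(r"0x[0-9a-f]{32,}")  # SPIs are 8 hex digits; keys are longer


def parse_xfrm_state(text):
    """One dict per SA: endpoints, SPI, reqid, mode, lifetime counters and the
    replay/failed counts from the 'stats:' section (0 if absent)."""
    sas, cur, in_stats = [], None, False
    for line in text.splitlines():
        head = SA_HEAD.match(line)
        if head:
            cur = {"src": head.group(1), "dst": head.group(2), "replay": 0, "failed": 0}
            sas.append(cur)
            in_stats = False
            continue
        if cur is None:
            continue
        ident = SA_ID.search(line)
        if ident:
            cur["proto"], cur["spi"] = ident.group(1), ident.group(2)
            cur["reqid"], cur["mode"] = int(ident.group(3)), ident.group(4)
            continue
        current = CURRENT.match(line)
        if current:
            cur["bytes"], cur["packets"] = int(current.group(1)), int(current.group(2))
            continue
        if line.strip() == "stats:":
            in_stats = True
            continue
        stats = STATS.match(line)
        if in_stats and stats:
            cur["replay"], cur["failed"] = int(stats.group(2)), int(stats.group(3))
            in_stats = False
    return sas


def failing_sas(text):
    """SAs the kernel rejected packets for: a non-zero 'failed' count means the
    SA itself is wrong (e.g. authentication failures), a non-zero 'replay'
    count means packets fell outside the replay window."""
    return [sa for sa in parse_xfrm_state(text) if sa["failed"] or sa["replay"]]


def redact_keys(text):
    """'ip xfrm state' prints the auth and enc keys in clear; a pasted dump
    hands the SA over. Blank them before the output leaves the host."""
    return KEY.sub("0x<redacted>", text)


# Constructed sample in the format quoted in the thread: one healthy SA and
# one whose inbound packets are being dropped.
SAMPLE = """\
src 192.168.0.1 dst 192.168.0.200
\tproto esp spi 0xca40e7a5(3393251237) reqid 2(0x0002) mode tunnel
\treplay-window 32 seq 0x00000000 flag 20 (0x0010)
\tauth hmac(sha1) 0x00112233445566778899aabbccddeeff00112233 (160 bits)
\tenc cbc(aes) 0xffeeddccbbaa99887766554433221100 (128 bits)
\tlifetime config:
\t  limit: soft (INF)(bytes), hard (INF)(bytes)
\t  limit: soft (INF)(packets), hard (INF)(packets)
\t  expire add: soft 0(sec), hard 1200(sec)
\t  expire use: soft 0(sec), hard 0(sec)
\tlifetime current:
\t  84(bytes), 1(packets)
\t  add 2009-08-18 15:50:33 use 2009-08-18 15:50:36
\tstats:
\t  replay-window 0 replay 0 failed 0
src 192.168.0.200 dst 192.168.0.1
\tproto esp spi 0xc1d2e3f4(3251823604) reqid 2(0x0002) mode tunnel
\treplay-window 32 seq 0x00000011 flag 20 (0x0010)
\tauth hmac(sha1) 0x33221100ffeeddccbbaa99887766554433221100 (160 bits)
\tenc cbc(aes) 0x00112233445566778899aabbccddeeff (128 bits)
\tlifetime current:
\t  1428(bytes), 17(packets)
\tstats:
\t  replay-window 0 replay 0 failed 17
"""

if __name__ == "__main__":
    for sa in failing_sas(SAMPLE):
        print(f"spi {sa['spi']} reqid {sa['reqid']} {sa['src']}->{sa['dst']}: "
              f"failed={sa['failed']} replay={sa['replay']}")
```

On a live host replace SAMPLE with the output of `ip -s xfrm state`; a non-zero 'failed' count on the inbound SA of a NAT-traversal peer is the first thing to look at when the ESP packets never reach the strongSwan log.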


Re: [strongSwan] no matching peer config found

2009-08-26 Thread Martin Willi
Hi Roger,

> peerid sun.strongswan.org not confirmed by certificate, defaulting to
>  subject DN: C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
>  e=...@alcatel-lucent.com

strongSwan requires the peer ID to be contained in the certificate
(either the complete DN, or as a subjectAltName, a matching CN= is
insufficient).

Either add your peer identities as subjectAltName, or use the complete
DN of your certificate as peer identity.

If you have E= in your peer DN identities, make sure to apply [1], there
was is regression in 4.3.4 with email OID handling.

Regards
Martin

[1]http://wiki.strongswan.org/repositories/diff/strongswan?rev=c8b543a6


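The rule Martin states, together with the log lines in Roger's follow-up above where the sun host's DN was written with emailaddress= on one side and e= on the other, as an added example that is not strongSwan code: a small model of identity confirmation in which an FQDN or e-mail identity must appear as a subjectAltName, a DN identity must equal the whole subject DN, and E= and emailAddress= are treated as the single attribute they are. The certificate data is constructed (addresses invented), and the case-folding of DN values is an assumption of this model.

```python
"""Identity confirmation as described in the thread: the IKE peer identity must
be contained in the certificate, either as the full subject DN or as a
subjectAltName; a CN that merely equals the identity confirms nothing.
Added example, not strongSwan code; certificate data is constructed."""

import ipaddress

# Attribute types that name the same X.500 attribute. The thread's failure is
# this case: "E=" and "emailAddress=" are both OID 1.2.840.113549.1.9.1, so a
# comparison that treats them as different attributes rejects an otherwise
# identical DN.
ATTR_ALIASES = {
    "E": "EMAILADDRESS", "EMAIL": "EMAILADDRESS", "EMAILADDRESS": "EMAILADDRESS",
    "1.2.840.113549.1.9.1": "EMAILADDRESS",
    "S": "ST", "2.5.4.8": "ST", "2.5.4.3": "CN", "2.5.4.6": "C",
    "2.5.4.7": "L", "2.5.4.10": "O", "2.5.4.11": "OU",
}


def canonical_dn(dn):
    """Turn 'C=CN, ST=Shandong, CN=host' (or OpenSSL's '/C=CN/ST=...') into an
    ordered tuple of (attribute, value) with aliases resolved and values
    case-folded (assumption: caseIgnoreMatch for these string attributes).
    Order is kept: a DN is a sequence of RDNs, so the same attributes in a
    different order are a different DN."""
    text = dn.strip()
    parts = text[1:].split("/") if text.startswith("/") else text.split(",")
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        attr = attr.strip().upper()
        rdns.append((ATTR_ALIASES.get(attr, attr), value.strip().lower()))
    return tuple(rdns)


def identity_type(peer_id):
    """Classify an identity the way leftid/rightid is read: anything with '='
    is a DN, a leading '@' or a bare hostname is an FQDN, user@host is an
    e-mail address, an IP literal is an address."""
    if "=" in peer_id:
        return "dn"
    if peer_id.startswith("@"):
        return "fqdn"
    try:
        ipaddress.ip_address(peer_id)
        return "ip"
    except ValueError:
        return "email" if "@" in peer_id else "fqdn"


def id_confirmed_by_cert(peer_id, cert):
    """Return (confirmed, reason). `cert` carries 'subject' (a DN string) and
    'san' (dict with dns/email/ip lists); nothing else is consulted."""
    kind = identity_type(peer_id)
    san = cert.get("san", {})
    if kind == "dn":
        if canonical_dn(peer_id) == canonical_dn(cert["subject"]):
            return True, "identity equals the certificate subject DN"
        return False, "DN identity differs from the subject DN"
    if kind == "fqdn":
        name = peer_id.lstrip("@").lower()
        if name in (d.lower() for d in san.get("dns", [])):
            return True, "identity is a subjectAltName dNSName"
        return False, "FQDN not in subjectAltName (a matching CN= does not count)"
    if kind == "email":
        if peer_id.lower() in (e.lower() for e in san.get("email", [])):
            return True, "identity is a subjectAltName rfc822Name"
        return False, "e-mail address not in subjectAltName"
    addr = ipaddress.ip_address(peer_id)
    if any(addr == ipaddress.ip_address(i) for i in san.get("ip", [])):
        return True, "identity is a subjectAltName iPAddress"
    return False, "IP address not in subjectAltName"


# Constructed certificates modelled on the sun host in the thread.
SUN_SUBJECT = "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, E=sun@example.org"
SUN_CERT_NO_SAN = {"subject": SUN_SUBJECT, "san": {}}  # as issued in the thread
SUN_CERT_WITH_SAN = {"subject": SUN_SUBJECT,
                     "san": {"dns": ["sun.strongswan.org"], "email": ["sun@example.org"]}}

if __name__ == "__main__":
    full_dn = "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, emailAddress=sun@example.org"
    for peer_id, cert in [("@sun.strongswan.org", SUN_CERT_NO_SAN),   # the failing case
                          ("@sun.strongswan.org", SUN_CERT_WITH_SAN), # fixed by a SAN
                          (full_dn, SUN_CERT_NO_SAN)]:                # fixed by the full DN
        print(peer_id, "->", id_confirmed_by_cert(peer_id, cert))
```

The two fixes Martin offers correspond to the last two cases: either the certificate gains a subjectAltName carrying the short identity, or the configured identity becomes the whole subject DN, in which case the attribute aliasing is what makes emailAddress= and E= compare equal.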


[strongSwan] no matching peer config found

2009-08-26 Thread Zhang, Long (Roger)
Hi,

I am trying IPsec with strongSwan on two Linux hosts. The example is 
http://www.strongswan.org/uml/testresults43/ikev2/host2host-cert/

Currently I see a problem "no matching peer config found" in daemon.log. I 
think the problem is in the ipsec.conf rightid and leftid; I tried many ways, 
but it always failed. Can anyone help?


[root@localhost etc]# ipsec start
Starting strongSwan 4.3.4 IPsec [starter]...
[root@localhost etc]# /usr/local/sbin/ipsec up host-host
initiating IKE_SA host-host[1] to 135.252.130.87
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 135.252.131.87[500] to 135.252.130.87[500]
received packet: from 135.252.130.87[500] to 135.252.131.87[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
sending cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
authentication of 'C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com' (myself) with RSA signature successful
sending end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
establishing CHILD_SA host-host
generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
sending packet: from 135.252.131.87[4500] to 135.252.130.87[4500]
received packet: from 135.252.130.87[4500] to 135.252.131.87[4500]
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error


The daemon.log on sun side, it always complains "no matching peer config found"

Aug 26 21:34:16 qdpat-xp charon: 01[DMN] loaded plugins: aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
Aug 26 21:34:16 qdpat-xp charon: 01[JOB] spawning 16 worker threads
Aug 26 21:34:16 qdpat-xp charon: 03[CFG] received stroke: add connection 'host-host'
Aug 26 21:34:16 qdpat-xp charon: 03[LIB]   loaded certificate file '/usr/local/etc/ipsec.d/certs/sunCert.pem'
Aug 26 21:34:16 qdpat-xp charon: 03[CFG]   peerid sun.strongswan.org not confirmed by certificate, defaulting to subject DN: C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com
Aug 26 21:34:16 qdpat-xp charon: 03[CFG] added configuration 'host-host'
Aug 26 21:34:21 qdpat-xp charon: 10[NET] received packet: from 135.252.131.87[500] to 135.252.130.87[500]
Aug 26 21:34:21 qdpat-xp charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Aug 26 21:34:21 qdpat-xp charon: 10[IKE] 135.252.131.87 is initiating an IKE_SA
Aug 26 21:34:21 qdpat-xp charon: 10[IKE] sending cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
Aug 26 21:34:21 qdpat-xp charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Aug 26 21:34:21 qdpat-xp charon: 10[NET] sending packet: from 135.252.130.87[500] to 135.252.131.87[500]
Aug 26 21:34:21 qdpat-xp charon: 11[NET] received packet: from 135.252.131.87[4500] to 135.252.130.87[4500]
Aug 26 21:34:21 qdpat-xp charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
Aug 26 21:34:21 qdpat-xp charon: 11[IKE] received cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
Aug 26 21:34:21 qdpat-xp charon: 11[IKE] received end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
Aug 26 21:34:21 qdpat-xp charon: 11[CFG] looking for peer configs matching 135.252.130.87[sun.strongswan.org]...135.252.131.87[C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com]
Aug 26 21:34:21 qdpat-xp charon: 11[CFG] no matching peer config found
Aug 26 21:34:21 qdpat-xp charon: 11[IKE] peer supports MOBIKE
Aug 26 21:34:21 qdpat-xp charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 26 21:34:21 qdpat-xp charon: 11[NET] sending packet: from 135.252.130.87[4500] to 135.252.131.87[4500]

My ipsec.conf on sun side

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn host-host
        left=135.252.130.87
        leftcert=/usr/local/etc/ipsec.d/certs/sunCert.pem
        #leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
        #leftid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, emailaddress=...@alcatel-lucent.com"
        leftid=@sun.strongswan.org
        leftfirewall=no
        right=135.252.131.87
        #rightid="C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.str

Re: [strongSwan] can not find private key for certificate

2009-08-26 Thread Andreas Steffen
But your private key seems to be protected by a passphrase:

> [root@localhost reqs]#  openssl rsa -in hostKey.pem -noout -text
> Enter pass phrase for hostKey.pem:
> Private-Key: (1024 bit)

You must add this passphrase to the key entry in ipsec.secrets:

: RSA /etc/ipsec.d/reqs/hostKey.pem ""

Regards

Andreas

Zhang, Long (Roger) wrote:
> Andreas,
> 
> Thanks for your reply.
> 
> I checked the modulus of the private key and the certificate. They are 
> matched. Below is my execution output.
> 
> [root@localhost etc]# ipsec listcerts
> 
> List of X.509 End Entity Certificates:
> 
>   subject:  "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, 
> e=m...@alcatel-lucent.com"
>   issuer:   "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, 
> e=zha...@alcatel-lucent.com"
>   serial:02
>   validity:  not before Aug 26 11:35:21 2009, ok
>  not after  Aug 26 11:35:21 2011, ok
>   pubkey:RSA 1024 bits
>   keyid: f8:2a:8c:e8:f3:2e:2b:c4:7f:30:fd:92:8f:0d:89:23:14:a3:ee:e2
>   subjkey:   00:a5:d7:c3:cf:b7:f0:c3:fa:e4:70:0f:f3:96:ce:99:cc:58:1a:be
>   authkey:   c4:6d:f2:07:c9:c1:2d:6c:b7:5e:e9:92:bd:97:a6:61:c2:23:e6:23
> [root@localhost etc]# cd ipsec.d
> [root@localhost ipsec.d]# ls
> aacerts  acerts  cacerts  certs  crls  ocspcerts  private  reqs
> [root@localhost ipsec.d]# cd reqs
> [root@localhost reqs]# ls
> hostKey.pem  hostReq.pem
> [root@localhost reqs]#  openssl rsa -in hostKey.pem -noout -text
> Enter pass phrase for hostKey.pem:
> Private-Key: (1024 bit)
> modulus:
> 00:c1:21:20:a3:88:b7:bd:87:03:6e:0b:31:8a:77:
> eb:93:ba:5f:75:6f:7b:83:f3:84:28:60:3b:12:e5:
> 2c:f3:ce:c3:72:a9:4a:72:e7:03:86:bf:83:1f:73:
> 3c:14:47:79:27:b6:1b:bf:92:5a:42:5b:8c:62:f1:
> c4:23:54:98:13:53:a3:e5:a9:9e:82:69:c6:3d:8e:
> 66:10:73:46:48:50:24:93:ae:98:d7:61:93:54:01:
> c4:0a:19:4e:31:42:c8:68:0b:79:c4:39:00:5b:5e:
> 63:5e:e6:8f:91:1b:0a:a8:07:4c:32:2d:a5:72:61:
> 18:7d:94:3b:22:f1:1c:25:51
> publicExponent: 65537 (0x10001)
> privateExponent:
> 51:3f:91:8e:9a:ee:c9:c2:2a:14:3a:8b:4d:f8:a3:
> 57:d3:d9:62:fb:52:98:31:73:50:d5:23:25:10:da:
> f7:7a:ed:c8:a8:25:d4:ef:11:11:b8:31:fe:a2:29:
> 0d:53:00:4a:4f:97:9e:e1:80:2d:58:7c:58:07:e3:
> ff:05:10:b0:9c:85:bd:e2:13:5a:4a:de:72:08:88:
> 80:7f:85:a1:9e:3b:0c:dd:5e:06:eb:88:52:a4:fd:
> 29:55:d2:16:5f:1a:4f:b8:7d:cf:ba:84:f2:04:a7:
> 56:d9:cb:eb:ea:16:71:7a:a7:d3:d7:13:95:17:90:
> ab:57:8e:6c:bc:e5:f1:d1
> prime1:
> 00:f8:ac:54:d5:bf:2a:b0:05:1b:18:1a:a6:c7:df:
> 4c:ad:79:09:31:55:9c:a8:58:30:e6:fd:a9:ac:64:
> bc:e0:05:d3:39:c5:8e:96:fd:87:cc:2b:66:5e:83:
> 5f:4a:4e:4f:67:50:04:a9:63:cc:17:c1:fc:71:85:
> 8b:ff:13:92:75
> prime2:
> 00:c6:d1:d8:87:6d:05:58:91:cc:cc:3b:90:12:93:
> ca:a8:5f:cd:27:0f:82:34:59:73:8e:a7:ad:53:30:
> 2f:d7:5d:94:56:91:ad:15:34:8b:13:a1:9c:ba:6b:
> e8:84:c0:95:8f:f0:02:7b:22:70:d2:46:ec:c4:3e:
> a5:00:07:73:ed
> exponent1:
> 2f:49:25:c0:97:5f:58:a5:3f:e7:af:79:b3:5c:04:
> ca:9f:cf:5d:b0:37:df:d3:15:49:77:46:c2:5f:4d:
> 83:13:d8:7c:8d:d2:75:67:b4:60:e0:87:d0:c5:0e:
> 63:a4:cc:78:8a:c0:b8:2d:1f:ec:0c:99:22:45:10:
> bf:ea:4a:d9
> exponent2:
> 15:52:ea:6b:53:f9:0f:cf:cb:6c:58:33:12:9b:01:
> 50:5f:be:0c:23:70:ae:96:ad:7b:2e:66:bb:96:5e:
> 7b:35:d1:34:1b:b9:b9:9d:82:11:1f:f3:44:57:50:
> 7f:f4:7b:d6:0d:42:e6:dc:01:c7:bb:cd:a7:1a:a4:
> ed:c4:de:dd
> coefficient:
> 57:32:84:ba:ea:15:a7:62:08:6b:11:ce:79:fa:63:
> 2b:41:34:a5:f2:9f:c5:24:31:4c:fa:36:b2:1f:17:
> c6:e1:5e:53:76:6a:cc:36:48:86:1a:10:72:fd:96:
> 8b:91:f2:b2:db:99:de:6d:70:3b:68:fb:b1:ca:e3:
> f0:01:23:41
> [root@localhost reqs]# ls
> hostKey.pem  hostReq.pem
> [root@localhost reqs]# cd ../certs
> [root@localhost certs]# ls
> demoCA  moonCert.pem
> [root@localhost certs]# openssl x509 -in moonCert.pem  -noout -text
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 2 (0x2)
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger 
> Zhang/emailaddress=zha...@alcatel-lucent.com
> Validity
> Not Before: Aug 26 03:35:21 2009 GMT
> Not After : Aug 26 03:35:21 2011 GMT
> Subject: C=CN, ST=Shandong, O=ALU, OU=RD, 
> CN=moon.strongswan.org/emailaddress=m...@alcatel-lucent.com
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (1024 bit)
> Modulus (1024 bit):
> 00:c1:21:20:a3:88:b7:bd:87:03:6e:0b:31:8a:77:
> eb:93:ba:5f:75:6f:7b:83:f3:84:28:60:3b:12:e5:
> 2c:f3:ce:c3:72:a9:4a:72:e7:03:86:bf:83:1f:73:
> 3c:14:47:79:27:b6:1b:bf:92:5a:42:5b:8c:62:f1:
> c4:23:54:98:13:53:a3:e5:a9:9e:82:69:c6:3d:8e:
> 66:10:73:46:48:50:24:93:ae:98:d7:61:93:54:01:
> c4:0a:19:4e:31:42:c8:68:0
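The private-key check behind this thread, as an added example that is not strongSwan's own tooling: compare the moduli of key and certificate through the openssl CLI (assumed to be installed, and driven through subprocess so the passphrase goes over stdin rather than the command line), and check the permissions of the secrets file that now holds the passphrase in clear. It asks openssl for the modulus only; the `-text` dump quoted above prints the private exponent and both primes, so it is not something to post. Paths, the passphrase and make_test_pair() are placeholders that only build throwaway fixtures.

```python
"""Does this RSA key belong to this certificate, and is the secrets file that
holds its passphrase private? Added example, not strongSwan tooling; it shells
out to the openssl CLI, which is assumed to be installed."""

import os
import stat
import subprocess
import tempfile


def _openssl(args, stdin_data=None):
    """Run an openssl subcommand; return its stdout, or None if it failed
    (e.g. wrong passphrase). Nothing is echoed, so no key material leaks."""
    proc = subprocess.run(["openssl", *args], input=stdin_data,
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def key_modulus(key_path, passphrase):
    """Modulus of a passphrase-protected RSA key. Only '-modulus' is used;
    '-text' would print the private exponent and the primes."""
    return _openssl(["rsa", "-in", key_path, "-passin", "stdin", "-noout", "-modulus"],
                    stdin_data=passphrase + "\n")


def cert_modulus(cert_path):
    return _openssl(["x509", "-in", cert_path, "-noout", "-modulus"])


def key_matches_cert(key_path, cert_path, passphrase):
    """'match' if the moduli are equal, 'mismatch' if not, 'unreadable' if
    either file cannot be read (for the key: wrong or missing passphrase)."""
    km, cm = key_modulus(key_path, passphrase), cert_modulus(cert_path)
    if km is None or cm is None:
        return "unreadable"
    return "match" if km == cm else "mismatch"


def secrets_file_is_private(path):
    """ipsec.secrets carries the passphrase in clear, so it must not be
    readable by group or others (0600 or stricter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def make_test_pair(directory, name, passphrase, cn):
    """Constructed fixture: a self-signed certificate plus an encrypted key,
    like the moon/sun pair in the thread. Returns (key_path, cert_path)."""
    key = os.path.join(directory, f"{name}Key.pem")
    cert = os.path.join(directory, f"{name}Cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-days", "1",
                    "-subj", f"/C=CN/ST=Shandong/O=ALU/OU=RD/CN={cn}",
                    "-passout", "stdin", "-keyout", key, "-out", cert],
                   input=passphrase + "\n", check=True, capture_output=True, text=True)
    return key, cert


def self_check(directory=None):
    """Build two throwaway pairs and run the checks; returns the verdicts."""
    directory = directory or tempfile.mkdtemp(prefix="ipsec-check-")
    moon_key, moon_cert = make_test_pair(directory, "moon", "123456", "moon.strongswan.org")
    _, sun_cert = make_test_pair(directory, "sun", "123456", "sun.strongswan.org")
    secrets = os.path.join(directory, "ipsec.secrets")
    with open(secrets, "w") as f:
        # the entry from the thread, with the placeholder passphrase
        f.write(f': RSA {moon_key} "123456"\n')
    os.chmod(secrets, 0o644)
    loose = secrets_file_is_private(secrets)
    os.chmod(secrets, 0o600)
    tight = secrets_file_is_private(secrets)
    return {
        "own_cert": key_matches_cert(moon_key, moon_cert, "123456"),
        "other_cert": key_matches_cert(moon_key, sun_cert, "123456"),
        "wrong_pass": key_matches_cert(moon_key, moon_cert, "wrong"),
        "secrets_0644_private": loose,
        "secrets_0600_private": tight,
    }


if __name__ == "__main__":
    for check, verdict in self_check().items():
        print(f"{check}: {verdict}")
```

Run against the real files as key_matches_cert("/etc/ipsec.d/reqs/hostKey.pem", "/etc/ipsec.d/certs/moonCert.pem", passphrase): "unreadable" is the wrong-passphrase case that charon reports as a missing private key, "mismatch" means the key was never the one the CSR was made from.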

Re: [strongSwan] can not find private key for certificate

2009-08-26 Thread Zhang, Long (Roger)
Andreas,

I added the passphrase of the private key to ipsec.secrets and it works now. Curiously, 
I had tried this way this morning.

[root@localhost etc]# cat ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA /etc/ipsec.d/reqs/hostKey.pem "123456"


Thanks,
Roger

> -Original Message-
> From: users-boun...@lists.strongswan.org [mailto:users-
> boun...@lists.strongswan.org] On Behalf Of Zhang, Long (Roger)
> Sent: Wednesday, August 26, 2009 3:20 PM
> To: Andreas Steffen
> Cc: users@lists.strongswan.org
> Subject: Re: [strongSwan] can not find private key for certificate
>
> Andreas,
>
> Thanks for your reply.
>
> I checked the modulus of the private key and the certificate. They are
> matched. Below is my execution output.
>
> [root@localhost etc]# ipsec listcerts
>
> List of X.509 End Entity Certificates:
>
>   subject:  "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
>   issuer:   "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
>   serial:    02
>   validity:  not before Aug 26 11:35:21 2009, ok
>              not after  Aug 26 11:35:21 2011, ok
>   pubkey:    RSA 1024 bits
>   keyid:     f8:2a:8c:e8:f3:2e:2b:c4:7f:30:fd:92:8f:0d:89:23:14:a3:ee:e2
>   subjkey:   00:a5:d7:c3:cf:b7:f0:c3:fa:e4:70:0f:f3:96:ce:99:cc:58:1a:be
>   authkey:   c4:6d:f2:07:c9:c1:2d:6c:b7:5e:e9:92:bd:97:a6:61:c2:23:e6:23
> [r...@localhost etc]# cd ipsec.d
> [r...@localhost ipsec.d]# ls
> aacerts  acerts  cacerts  certs  crls  ocspcerts  private  reqs
> [r...@localhost ipsec.d]# cd reqs
> [r...@localhost reqs]# ls
> hostKey.pem  hostReq.pem
> [r...@localhost reqs]#  openssl rsa -in hostKey.pem -noout -text
> Enter pass phrase for hostKey.pem:
> Private-Key: (1024 bit)
> modulus:
> 00:c1:21:20:a3:88:b7:bd:87:03:6e:0b:31:8a:77:
> eb:93:ba:5f:75:6f:7b:83:f3:84:28:60:3b:12:e5:
> 2c:f3:ce:c3:72:a9:4a:72:e7:03:86:bf:83:1f:73:
> 3c:14:47:79:27:b6:1b:bf:92:5a:42:5b:8c:62:f1:
> c4:23:54:98:13:53:a3:e5:a9:9e:82:69:c6:3d:8e:
> 66:10:73:46:48:50:24:93:ae:98:d7:61:93:54:01:
> c4:0a:19:4e:31:42:c8:68:0b:79:c4:39:00:5b:5e:
> 63:5e:e6:8f:91:1b:0a:a8:07:4c:32:2d:a5:72:61:
> 18:7d:94:3b:22:f1:1c:25:51
> publicExponent: 65537 (0x10001)
> privateExponent:
> 51:3f:91:8e:9a:ee:c9:c2:2a:14:3a:8b:4d:f8:a3:
> 57:d3:d9:62:fb:52:98:31:73:50:d5:23:25:10:da:
> f7:7a:ed:c8:a8:25:d4:ef:11:11:b8:31:fe:a2:29:
> 0d:53:00:4a:4f:97:9e:e1:80:2d:58:7c:58:07:e3:
> ff:05:10:b0:9c:85:bd:e2:13:5a:4a:de:72:08:88:
> 80:7f:85:a1:9e:3b:0c:dd:5e:06:eb:88:52:a4:fd:
> 29:55:d2:16:5f:1a:4f:b8:7d:cf:ba:84:f2:04:a7:
> 56:d9:cb:eb:ea:16:71:7a:a7:d3:d7:13:95:17:90:
> ab:57:8e:6c:bc:e5:f1:d1
> prime1:
> 00:f8:ac:54:d5:bf:2a:b0:05:1b:18:1a:a6:c7:df:
> 4c:ad:79:09:31:55:9c:a8:58:30:e6:fd:a9:ac:64:
> bc:e0:05:d3:39:c5:8e:96:fd:87:cc:2b:66:5e:83:
> 5f:4a:4e:4f:67:50:04:a9:63:cc:17:c1:fc:71:85:
> 8b:ff:13:92:75
> prime2:
> 00:c6:d1:d8:87:6d:05:58:91:cc:cc:3b:90:12:93:
> ca:a8:5f:cd:27:0f:82:34:59:73:8e:a7:ad:53:30:
> 2f:d7:5d:94:56:91:ad:15:34:8b:13:a1:9c:ba:6b:
> e8:84:c0:95:8f:f0:02:7b:22:70:d2:46:ec:c4:3e:
> a5:00:07:73:ed
> exponent1:
> 2f:49:25:c0:97:5f:58:a5:3f:e7:af:79:b3:5c:04:
> ca:9f:cf:5d:b0:37:df:d3:15:49:77:46:c2:5f:4d:
> 83:13:d8:7c:8d:d2:75:67:b4:60:e0:87:d0:c5:0e:
> 63:a4:cc:78:8a:c0:b8:2d:1f:ec:0c:99:22:45:10:
> bf:ea:4a:d9
> exponent2:
> 15:52:ea:6b:53:f9:0f:cf:cb:6c:58:33:12:9b:01:
> 50:5f:be:0c:23:70:ae:96:ad:7b:2e:66:bb:96:5e:
> 7b:35:d1:34:1b:b9:b9:9d:82:11:1f:f3:44:57:50:
> 7f:f4:7b:d6:0d:42:e6:dc:01:c7:bb:cd:a7:1a:a4:
> ed:c4:de:dd
> coefficient:
> 57:32:84:ba:ea:15:a7:62:08:6b:11:ce:79:fa:63:
> 2b:41:34:a5:f2:9f:c5:24:31:4c:fa:36:b2:1f:17:
> c6:e1:5e:53:76:6a:cc:36:48:86:1a:10:72:fd:96:
> 8b:91:f2:b2:db:99:de:6d:70:3b:68:fb:b1:ca:e3:
> f0:01:23:41
> [r...@localhost reqs]# ls
> hostKey.pem  hostReq.pem
> [r...@localhost reqs]# cd ../certs
> [r...@localhost certs]# ls
> demoCA  moonCert.pem
> [r...@localhost certs]# openssl x509 -in moonCert.pem  -noout -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 2 (0x2)
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang/emailaddress=zha...@alcatel-lucent.com
>         Validity
>             Not Before: Aug 26 03:35:21 2009 GMT
>             Not After : Aug 26 03:35:21 2011 GMT
>         Subject: C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org/emailaddress=m...@alcatel-lucent.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Modulus (1024 bit):
>                     00:c1:21:20:a3:88:b7:bd:87:03:6e:0b:31:8a:77:
>                     eb:93:ba:5f:75:6f:7b:83:f3:84:28:60:3b:12:e5:
>                     2c:f3:ce:c3:72:a9:4a:72:e7:03:86:bf:83

Re: [strongSwan] can not find private key for certificate

2009-08-26 Thread Zhang, Long (Roger)
Andreas,

Thanks for your reply.

I checked the modulus of the private key and the certificate. They match.
Below is my execution output.

[r...@localhost etc]# ipsec listcerts

List of X.509 End Entity Certificates:

  subject:  "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
  issuer:   "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
  serial:    02
  validity:  not before Aug 26 11:35:21 2009, ok
             not after  Aug 26 11:35:21 2011, ok
  pubkey:    RSA 1024 bits
  keyid:     f8:2a:8c:e8:f3:2e:2b:c4:7f:30:fd:92:8f:0d:89:23:14:a3:ee:e2
  subjkey:   00:a5:d7:c3:cf:b7:f0:c3:fa:e4:70:0f:f3:96:ce:99:cc:58:1a:be
  authkey:   c4:6d:f2:07:c9:c1:2d:6c:b7:5e:e9:92:bd:97:a6:61:c2:23:e6:23
[r...@localhost etc]# cd ipsec.d
[r...@localhost ipsec.d]# ls
aacerts  acerts  cacerts  certs  crls  ocspcerts  private  reqs
[r...@localhost ipsec.d]# cd reqs
[r...@localhost reqs]# ls
hostKey.pem  hostReq.pem
[r...@localhost reqs]#  openssl rsa -in hostKey.pem -noout -text
Enter pass phrase for hostKey.pem:
Private-Key: (1024 bit)
modulus:
00:c1:21:20:a3:88:b7:bd:87:03:6e:0b:31:8a:77:
eb:93:ba:5f:75:6f:7b:83:f3:84:28:60:3b:12:e5:
2c:f3:ce:c3:72:a9:4a:72:e7:03:86:bf:83:1f:73:
3c:14:47:79:27:b6:1b:bf:92:5a:42:5b:8c:62:f1:
c4:23:54:98:13:53:a3:e5:a9:9e:82:69:c6:3d:8e:
66:10:73:46:48:50:24:93:ae:98:d7:61:93:54:01:
c4:0a:19:4e:31:42:c8:68:0b:79:c4:39:00:5b:5e:
63:5e:e6:8f:91:1b:0a:a8:07:4c:32:2d:a5:72:61:
18:7d:94:3b:22:f1:1c:25:51
publicExponent: 65537 (0x10001)
privateExponent:
51:3f:91:8e:9a:ee:c9:c2:2a:14:3a:8b:4d:f8:a3:
57:d3:d9:62:fb:52:98:31:73:50:d5:23:25:10:da:
f7:7a:ed:c8:a8:25:d4:ef:11:11:b8:31:fe:a2:29:
0d:53:00:4a:4f:97:9e:e1:80:2d:58:7c:58:07:e3:
ff:05:10:b0:9c:85:bd:e2:13:5a:4a:de:72:08:88:
80:7f:85:a1:9e:3b:0c:dd:5e:06:eb:88:52:a4:fd:
29:55:d2:16:5f:1a:4f:b8:7d:cf:ba:84:f2:04:a7:
56:d9:cb:eb:ea:16:71:7a:a7:d3:d7:13:95:17:90:
ab:57:8e:6c:bc:e5:f1:d1
prime1:
00:f8:ac:54:d5:bf:2a:b0:05:1b:18:1a:a6:c7:df:
4c:ad:79:09:31:55:9c:a8:58:30:e6:fd:a9:ac:64:
bc:e0:05:d3:39:c5:8e:96:fd:87:cc:2b:66:5e:83:
5f:4a:4e:4f:67:50:04:a9:63:cc:17:c1:fc:71:85:
8b:ff:13:92:75
prime2:
00:c6:d1:d8:87:6d:05:58:91:cc:cc:3b:90:12:93:
ca:a8:5f:cd:27:0f:82:34:59:73:8e:a7:ad:53:30:
2f:d7:5d:94:56:91:ad:15:34:8b:13:a1:9c:ba:6b:
e8:84:c0:95:8f:f0:02:7b:22:70:d2:46:ec:c4:3e:
a5:00:07:73:ed
exponent1:
2f:49:25:c0:97:5f:58:a5:3f:e7:af:79:b3:5c:04:
ca:9f:cf:5d:b0:37:df:d3:15:49:77:46:c2:5f:4d:
83:13:d8:7c:8d:d2:75:67:b4:60:e0:87:d0:c5:0e:
63:a4:cc:78:8a:c0:b8:2d:1f:ec:0c:99:22:45:10:
bf:ea:4a:d9
exponent2:
15:52:ea:6b:53:f9:0f:cf:cb:6c:58:33:12:9b:01:
50:5f:be:0c:23:70:ae:96:ad:7b:2e:66:bb:96:5e:
7b:35:d1:34:1b:b9:b9:9d:82:11:1f:f3:44:57:50:
7f:f4:7b:d6:0d:42:e6:dc:01:c7:bb:cd:a7:1a:a4:
ed:c4:de:dd
coefficient:
57:32:84:ba:ea:15:a7:62:08:6b:11:ce:79:fa:63:
2b:41:34:a5:f2:9f:c5:24:31:4c:fa:36:b2:1f:17:
c6:e1:5e:53:76:6a:cc:36:48:86:1a:10:72:fd:96:
8b:91:f2:b2:db:99:de:6d:70:3b:68:fb:b1:ca:e3:
f0:01:23:41
[r...@localhost reqs]# ls
hostKey.pem  hostReq.pem
[r...@localhost reqs]# cd ../certs
[r...@localhost certs]# ls
demoCA  moonCert.pem
[r...@localhost certs]# openssl x509 -in moonCert.pem  -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang/emailaddress=zha...@alcatel-lucent.com
        Validity
            Not Before: Aug 26 03:35:21 2009 GMT
            Not After : Aug 26 03:35:21 2011 GMT
        Subject: C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org/emailaddress=m...@alcatel-lucent.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c1:21:20:a3:88:b7:bd:87:03:6e:0b:31:8a:77:
                    eb:93:ba:5f:75:6f:7b:83:f3:84:28:60:3b:12:e5:
                    2c:f3:ce:c3:72:a9:4a:72:e7:03:86:bf:83:1f:73:
                    3c:14:47:79:27:b6:1b:bf:92:5a:42:5b:8c:62:f1:
                    c4:23:54:98:13:53:a3:e5:a9:9e:82:69:c6:3d:8e:
                    66:10:73:46:48:50:24:93:ae:98:d7:61:93:54:01:
                    c4:0a:19:4e:31:42:c8:68:0b:79:c4:39:00:5b:5e:
                    63:5e:e6:8f:91:1b:0a:a8:07:4c:32:2d:a5:72:61:
                    18:7d:94:3b:22:f1:1c:25:51
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                00:A5:D7:C3:CF:B7:F0:C3:FA:E4:70:0F:F3:96:CE:99:CC:58:1A:BE
            X509v3 Authority Key Identifier:

                keyid:C4:6D:F2:07:C9:C1:2D:6C:B7:5E:E9:92
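The comparison the poster does by eye above (does the modulus in the key dump equal the modulus in the certificate dump?), as an added example that is not part of this thread and not strongSwan's own code. The script parses the textual `openssl rsa -text` and `openssl x509 -text` dumps, compares modulus and public exponent, and also derives two SHA-1 key identifiers from the public key. The sample dumps are constructed from the modulus hex shown in the thread, with the private components cut short. One assumption is labelled in the code: that strongSwan's `keyid:` line is the SHA-1 over the DER SubjectPublicKeyInfo and its `subjkey:` line the SHA-1 over the DER RSAPublicKey (the RFC 5280 method-1 identifier that OpenSSL's `subjectKeyIdentifier=hash` produces); the script prints its values so they can be set beside the `ipsec listcerts` lines above, which is the check for that assumption.

```python
"""Does this private key belong to this certificate?

Added example, not from the thread or from strongSwan: parse the dumps
printed by `openssl rsa -text` / `openssl x509 -text`, compare the public
key parts, and derive SHA-1 key identifiers from them.
"""
import hashlib
import re

# Constructed sample input: the modulus hex as shown in the thread (both
# dumps there carry the same bytes); private components are cut short.
MODULUS_LINES = """\
00:c1:21:20:a3:88:b7:bd:87:03:6e:0b:31:8a:77:
eb:93:ba:5f:75:6f:7b:83:f3:84:28:60:3b:12:e5:
2c:f3:ce:c3:72:a9:4a:72:e7:03:86:bf:83:1f:73:
3c:14:47:79:27:b6:1b:bf:92:5a:42:5b:8c:62:f1:
c4:23:54:98:13:53:a3:e5:a9:9e:82:69:c6:3d:8e:
66:10:73:46:48:50:24:93:ae:98:d7:61:93:54:01:
c4:0a:19:4e:31:42:c8:68:0b:79:c4:39:00:5b:5e:
63:5e:e6:8f:91:1b:0a:a8:07:4c:32:2d:a5:72:61:
18:7d:94:3b:22:f1:1c:25:51"""

KEY_DUMP = f"""Private-Key: (1024 bit)
modulus:
{MODULUS_LINES}
publicExponent: 65537 (0x10001)
privateExponent:
    51:3f:91:8e:9a:ee:c9:c2:2a:14:3a:8b:4d:f8:a3:
"""

CERT_DUMP = f"""Certificate:
    Data:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
{MODULUS_LINES}
                Exponent: 65537 (0x10001)
"""

HEADER = re.compile(r"^(modulus|Modulus(?: \(\d+ bit\))?):$")
EXPONENT = re.compile(r"^(?:publicExponent|Exponent): (\d+)")
HEX_LINE = re.compile(r"^((?:[0-9a-fA-F]{2}:)*[0-9a-fA-F]{2}):?$")


def parse_dump(text):
    """Return (modulus, exponent) as ints from an `openssl ... -text` dump."""
    lines = [ln.strip() for ln in text.splitlines()]
    modulus = exponent = None
    i = 0
    while i < len(lines):
        if HEADER.match(lines[i]):
            digits = []
            i += 1
            # Hex runs until the first line that is not colon-separated bytes.
            while i < len(lines) and HEX_LINE.match(lines[i]):
                digits.append(lines[i].rstrip(":").replace(":", ""))
                i += 1
            modulus = int("".join(digits), 16) if digits else None
        else:
            m = EXPONENT.match(lines[i])
            exponent = int(m.group(1)) if m else exponent
            i += 1
    if modulus is None or exponent is None:
        raise ValueError("dump has no modulus/exponent")
    return modulus, exponent


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_int(value):
    """DER INTEGER; a leading 0x00 keeps a high-bit value positive."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return der(0x02, b"\x00" + body if body[0] & 0x80 else body)


RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def key_identifiers(n, e):
    """(sha1 of SubjectPublicKeyInfo, sha1 of RSAPublicKey) as hex strings.
    Assumption: strongSwan prints these as keyid: and subjkey: respectively."""
    rsa_pub = der(0x30, der_int(n) + der_int(e))            # RSAPublicKey
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))    # AlgorithmIdentifier
    spki = der(0x30, alg + der(0x03, b"\x00" + rsa_pub))    # SubjectPublicKeyInfo
    return hashlib.sha1(spki).hexdigest(), hashlib.sha1(rsa_pub).hexdigest()


def key_matches_cert(key_dump, cert_dump):
    """True when key and certificate carry the same RSA public key."""
    return parse_dump(key_dump) == parse_dump(cert_dump)


if __name__ == "__main__":
    n, e = parse_dump(CERT_DUMP)
    keyid, subjkey = key_identifiers(n, e)
    print("key matches cert:", key_matches_cert(KEY_DUMP, CERT_DUMP))
    print("computed keyid:  ", bytes.fromhex(keyid).hex(":"))
    print("computed subjkey:", bytes.fromhex(subjkey).hex(":"))
    # Compare by eye with the keyid:/subjkey: lines of `ipsec listcerts`.
```

For the same comparison on real files, `openssl rsa -noout -modulus -in hostKey.pem` and `openssl x509 -noout -modulus -in moonCert.pem` print only the modulus, which is all the check needs; the full `-text` dump of the key is not required for it.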