[strongSwan] one question about the Subjectid and SubjectAltName of two peers

2009-09-10 Thread weiping deng
Hi Both, 

I have one question about the SubjectID and SubjectAltName to ask
you:

 

Now I want to configure the SubjectID or SubjectAltName automatically
rather than configuring these items manually.

Today I tried the following method: reading the result generated by
the command ipsec listcerts after the certificates have been loaded by
strongSwan.

But I found that sometimes certificates cannot be loaded in some
scenarios, such as EAP-SIM or EAP-AKA related cases.

 ..

Can I automatically obtain the SubjectID and SubjectAltName from the two
peers' certificates in my own application by using other existing mechanisms
provided by strongSwan, such as the certificate loading and parsing mechanism?

If so, how can I do that and what should I pay attention to? Thanks.

 

Best Regards,

David

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


[strongSwan] IPSEC_CONFDIR does not work?

2009-09-10 Thread Zhang, Long (Roger)
Hi,

I want to put all configuration files under my directory. Then I exported
IPSEC_CONFDIR, but it seems the IPSEC_CONFDIR does not work. Not sure why.

My shell is bash. Tried two ways. And could not start my connection. If I
started my connection under /etc, it could succeed. Curious, IPSEC_CONFDIR
should be set.

[r...@localhost config]# export IPSEC_CONFDIR=/home/zhangl/ipsec/config
[r...@localhost config]# echo $IPSEC_CONFDIR
/home/zhangl/ipsec/config
[r...@localhost config]# ipsec --confdir
/etc



[r...@localhost config]# IPSEC_CONFDIR=/home/zhangl/ipsec/config
[r...@localhost config]# export IPSEC_CONFDIR
[r...@localhost config]# echo $IPSEC_CONFDIR
/home/zhangl/ipsec/config
[r...@localhost config]# ipsec --confdir
/etc

Thanks,
Roger


Re: [strongSwan] IPSEC_CONFDIR does not work?

2009-09-10 Thread Dimitrios Siganos
If you look at the first few lines of the ipsec script, you will see 
that it assigns IPSEC_CONFDIR to /etc. That's why your approach doesn't 
work.

You could edit the script and see what happens.

But I don't really know if that is the correct way to do what you want. 
That would depend on the behaviour of all the other scripts/binaries, 
which I don't know.

Dimitrios Siganos

Zhang, Long (Roger) wrote:
> Hi,
>
> I want to put all configuration files under my directory. Then I exported
> IPSEC_CONFDIR, but it seems the IPSEC_CONFDIR does not work. Not sure why.
>
> My shell is bash. Tried two ways. And could not start my connection. If I
> started my connection under /etc, it could succeed. Curious, IPSEC_CONFDIR
> should be set.
>
> [r...@localhost config]# export IPSEC_CONFDIR=/home/zhangl/ipsec/config
> [r...@localhost config]# echo $IPSEC_CONFDIR
> /home/zhangl/ipsec/config
> [r...@localhost config]# ipsec --confdir
> /etc
>
> [r...@localhost config]# IPSEC_CONFDIR=/home/zhangl/ipsec/config
> [r...@localhost config]# export IPSEC_CONFDIR
> [r...@localhost config]# echo $IPSEC_CONFDIR
> /home/zhangl/ipsec/config
> [r...@localhost config]# ipsec --confdir
> /etc
>
> Thanks,
> Roger


Re: [strongSwan] IPSEC_CONFDIR does not work?

2009-09-10 Thread Zhang, Long (Roger)
From the ipsec man page, it seems these variables are configurable?

   The following environment variables control where strongSwan finds its
   components.  The ipsec command sets them if they are not already set.

   IPSEC_DIR           directory containing ipsec programs and utilities
   IPSEC_SBINDIR       directory containing ipsec command
   IPSEC_CONFDIR       directory containing configuration files
   IPSEC_PIDDIR        directory containing PID files
   IPSEC_NAME          name of ipsec distribution
   IPSEC_VERSION       version numer of ipsec userland and kernel
   IPSEC_STARTER_PID   PID file for ipsec starter
   IPSEC_PLUTO_PID     PID file for IKEv1 keying daemon
   IPSEC_CHARON_PID    PID file for IKEv2 keying daemon

Thanks,
Roger
-Original Message-
From: users-boun...@lists.strongswan.org 
[mailto:users-boun...@lists.strongswan.org] On Behalf Of Dimitrios Siganos
Sent: September 10, 2009 22:06
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] IPSEC_CONFDIR does not work?

If you look at the first few lines of the ipsec script, you will see 
that it assigns IPSEC_CONFDIR to /etc. That's why your approach doesn't 
work.

You could edit the script and see what happens.

But I don't really know if that is the correct way to do what you want. 
That would depend on the behaviour of all the other scripts/binaries, 
which I don't know.

Dimitrios Siganos

Zhang, Long (Roger) wrote:
> Hi,
>
> I want to put all configuration files under my directory. Then I exported
> IPSEC_CONFDIR, but it seems the IPSEC_CONFDIR does not work. Not sure why.
>
> My shell is bash. Tried two ways. And could not start my connection. If I
> started my connection under /etc, it could succeed. Curious, IPSEC_CONFDIR
> should be set.
>
> [r...@localhost config]# export IPSEC_CONFDIR=/home/zhangl/ipsec/config
> [r...@localhost config]# echo $IPSEC_CONFDIR
> /home/zhangl/ipsec/config
> [r...@localhost config]# ipsec --confdir
> /etc
>
> [r...@localhost config]# IPSEC_CONFDIR=/home/zhangl/ipsec/config
> [r...@localhost config]# export IPSEC_CONFDIR
> [r...@localhost config]# echo $IPSEC_CONFDIR
> /home/zhangl/ipsec/config
> [r...@localhost config]# ipsec --confdir
> /etc
>
> Thanks,
> Roger
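
The two messages above disagree on whether an exported IPSEC_CONFDIR is honoured: the reply says the ipsec script assigns /etc outright, while the man page excerpt says variables are set only if not already set. The sketch below is an added example, not the ipsec script or code from the thread; it shows both shell idioms side by side plus a heuristic check (the function names are hypothetical) for telling which one a given script uses.

```shell
#!/bin/sh
# Added illustration: constructed wrapper prologues, NOT the real ipsec script.
# All function names here are hypothetical.

# Unconditional assignment: whatever the caller exported is overwritten.
confdir_hardcoded() {
    IPSEC_CONFDIR=/etc
    echo "$IPSEC_CONFDIR"
}

# Default-if-unset: the caller's exported value wins, /etc is the fallback.
confdir_overridable() {
    IPSEC_CONFDIR="${IPSEC_CONFDIR:-/etc}"
    echo "$IPSEC_CONFDIR"
}

# Heuristic: how does script FILE ($1) set variable VAR ($2)?
# Prints "overridable" (default expansion or -z guard), "hardcoded" or "unset".
classify_assignment() {
    file=$1
    var=$2
    guard='\$\{'"$var"':?[-=]|-z[[:space:]]+"?\$\{?'"$var"
    if grep -Eq -e "$guard" "$file"; then
        echo overridable
    elif grep -Eq -e "(^|[[:space:];])$var=" "$file"; then
        echo hardcoded
    else
        echo unset
    fi
}

# Demo with the path from the thread; $(...) runs each function in a
# subshell, so the exported value is intact for the second call.
export IPSEC_CONFDIR=/home/zhangl/ipsec/config
echo "hardcoded:   $(confdir_hardcoded)"
echo "overridable: $(confdir_overridable)"
```

Pointing `classify_assignment` at the installed ipsec script with `IPSEC_CONFDIR` as the variable name shows which of the two behaviours that particular build has.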


Re: [strongSwan] MODP_2048?

2009-09-10 Thread Yong Choo
FYI: The Linux version for the board is 2.6.21.7.

And the snip of the ipsec.conf for this is (very simple):

conn net-enb40
    left=135.39.111.226
    right=135.185.91.86
    auto=add

and I'm using Predefined Key for these two.






Yong Choo wrote:
> Hi all,
>
> I'm trying to 'execute' the following (on a cross-compiled PowerPC
> Linux  for a telecommunication board):
> ipsec up net-enb40 (where I have the connectivity setup in the
> ipsec.config)
>
> I'm getting the following error:
> *configured DH group MODP_2048 not supported*
>
> I think I'm missing a kernel option?. We are using Wind River Linux
> PNE2.0 version.
> Does anyone know how to turn this 'MODP_2048' on?
>
> Thanks Much!



Re: [strongSwan] MODP_2048?

2009-09-10 Thread Andreas Steffen
Hi,
the error message:

 *configured DH group MODP_2048 not supported*

means that neither the gmp nor the openssl plugin could be
loaded successfully which implement the big number arithmetic
required for the Diffie-Hellman groups.

The command ipsec statusall should list either gmp and|or openssl in
the line

  loaded plugins: 

and the command ipsec listalgs should list all Diffie Hellman groups:

  dh-group:   MODP_2048 MODP_1536 MODP_3072 MODP_4096 MODP_6144
  MODP_8192 MODP_1024 MODP_768

with the gmp plugin plus

 ECP_192 ECP_224 ECP_256 ECP_384 ECP_521

with the openssl plugin.

By default strongSwan compiles and loads the gmp plugin which in turn
requires the GNU Multiprecision library (libgmp3) including the header
file /usr/include/gmp.h.

Alternatively you can activate the openssl plugin (./configure
--enable-openssl) which requires the libcrypto-0.9.8 library plus the
/usr/include/openssl/ header files.

Best regards

Andreas

Yong Choo wrote:
> Hi all,
>
> I'm trying to 'execute' the following (on a cross-compiled PowerPC
> Linux  for a telecommunication board):
> ipsec up net-enb40 (where I have the connectivity setup in the ipsec.config)
>
> I'm getting the following error:
> *configured DH group MODP_2048 not supported*
>
> I think I'm missing a kernel option?. We are using Wind River Linux
> PNE2.0 version.
> Does anyone know how to turn this 'MODP_2048' on?
>
> Thanks Much!

==
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
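
The two checks described in the reply above (a gmp or openssl entry in the `loaded plugins:` line of `ipsec statusall`, and the wanted group in the `dh-group:` list of `ipsec listalgs`) can be scripted. This is an added example, not code from the thread or from strongSwan; the function names are hypothetical, the sample text is constructed from the lines quoted in the reply, and it assumes plugin names are separated by spaces.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical. The sample text is
# constructed from the lines quoted in the reply, real output has more lines.
SAMPLE_STATUSALL_OK='  loaded plugins: aes des sha1 gmp random'
SAMPLE_STATUSALL_BAD='  loaded plugins: aes des sha1 random'
SAMPLE_LISTALGS='  dh-group:   MODP_2048 MODP_1536 MODP_3072 MODP_4096 MODP_6144
              MODP_8192 MODP_1024 MODP_768
  other-kind: PLACEHOLDER'

# stdin: `ipsec statusall` text. Succeeds if gmp or openssl is loaded.
has_dh_provider() {
    for p in $(sed -n 's/^[[:space:]]*loaded plugins:[[:space:]]*//p'); do
        case "$p" in gmp|openssl) return 0 ;; esac
    done
    return 1
}

# stdin: `ipsec listalgs` text. Prints the DH groups one per line, following
# the indented continuation lines until the next "name:" heading.
dh_groups() {
    awk '
        /^[ \t]*dh-group:/ { in_dh = 1; sub(/^[ \t]*dh-group:/, "") }
        in_dh && /^[ \t]*[a-z-]+:/ { in_dh = 0 }
        in_dh { for (i = 1; i <= NF; i++) print $i }
    '
}

# $1 = statusall text, $2 = listalgs text, $3 = DH group to look for.
diagnose_dh() {
    if ! printf '%s\n' "$1" | has_dh_provider; then
        echo "no gmp or openssl plugin loaded"
    elif printf '%s\n' "$2" | dh_groups | grep -x -e "$3" >/dev/null; then
        echo "$3 available"
    else
        echo "$3 not listed"
    fi
}

diagnose_dh "$SAMPLE_STATUSALL_OK" "$SAMPLE_LISTALGS" MODP_2048
diagnose_dh "$SAMPLE_STATUSALL_BAD" "" MODP_2048
# On a live system: diagnose_dh "$(ipsec statusall)" "$(ipsec listalgs)" MODP_2048
```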