Re: [strongSwan] Wildcard certificates

2010-07-09 Thread Claude Tompers
Oops, sometimes I forget the most evident things.
I forgot to put the keyfile into the ipsec.secrets.
My bad, so sorry.

kind regards,
Claude


On Wednesday 07 July 2010 13:06:11 Claude Tompers wrote:
> Hello Stefan,
> 
> Ok, in that case the IKEv2 ID is not that important, but why can't it find 
> the key for the default DN 'C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, 
> CN=*.restena.lu' ?
> 
> kind regards
> Claude
> 
> 
> On Wednesday 07 July 2010 12:43:03 Andreas Steffen wrote:
> > Hello Claude,
> > 
> > as far as I know strongSwan does not treat '*' in the subject
> > Distinguished Name as a wildcard in comparisons with an IKEv2 ID.
> > 
> > strongSwan rather treats a '*' in an IKEv2 ID as a wildcard in
> > comparisons with IDs contained in a certificate.
> > 
> > Regards
> > 
> > Andreas
> > 
> > On 07.07.2010 10:39, Claude Tompers wrote:
> > > Hello,
> > > 
> > > I'm trying to make strongswan work with our wildcard certificate, but I'm 
> > > getting a strange error.
> > > 
> > > Here's my log:
> > > 
> > > Jul  7 10:34:08 vpn6-test charon: 12[CFG]   id 'vpn6-pub.restena.lu' not 
> > > confirmed by certificate, defaulting to 'C=LU, ST=n/a, L=Luxembourg, 
> > > O=Fondation RESTENA, CN=*.restena.lu'
> > > 
> > > So far I think this is not a problem, but then:
> > > 
> > > Jul  7 10:34:18 vpn6-test charon: 10[IKE] no private key found for 'C=LU, 
> > > ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=*.restena.lu'
> > > 
> > > The wildcard certificate works perfectly on other servers.
> > > I installed the certificate exactly the same way as my self-signed 
> > > before. That one worked perfectly.
> > > 
> > > Is it possible that the "/" or the "*" characters make some issues?
> > > 
> > > thanks a lot in advance
> > > 
> > > kind regards
> > > Claude
> > 
> > ==
> > Andreas Steffen andreas.stef...@strongswan.org
> > strongSwan - the Linux VPN Solution!www.strongswan.org
> > Institute for Internet Technologies and Applications
> > University of Applied Sciences Rapperswil
> > CH-8640 Rapperswil (Switzerland)
> > ===[ITA-HSR]==
> > 
> > 
> 
> 

-- 
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473


___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
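The direction of the wildcard that Andreas describes, as an added example that is not strongSwan's own code: a '*' counts as a wildcard only on the configured (IKE) ID side, never in the identity the certificate carries. The FQDN suffix rule and the whole-RDN "*" rule below are this example's own simplified model of the matching, not strongSwan's implementation.

```shell
#!/bin/sh
# Added example, not strongSwan's own code: a simplified model of how a
# configured (IKE) identity is matched against an identity found in a
# certificate. In both helpers the first argument is the configured ID and
# the second the certificate's ID; only the first may contain a wildcard.

# fqdn_matches CONFIGURED_FQDN CERT_FQDN
# A leading "*." in CONFIGURED_FQDN matches any host in that domain. A '*'
# in CERT_FQDN is an ordinary character and only matches itself.
fqdn_matches() {
    case "$1" in
        \*.*)
            suffix="${1#\*}"                       # "*.restena.lu" -> ".restena.lu"
            case "$2" in *"$suffix") return 0 ;; esac
            return 1 ;;
    esac
    [ "$1" = "$2" ] && return 0
    return 1
}

# dn_matches CONFIGURED_DN CERT_DN
# RDNs ("C=LU", "CN=...") are compared pairwise in order; an RDN value of
# exactly "*" in CONFIGURED_DN matches any value of the same attribute,
# while a '*' anywhere in CERT_DN is compared literally.
dn_matches() {
    pat="$1,"; cert="$2,"                          # trailing comma terminates the loop
    while [ -n "$pat" ] || [ -n "$cert" ]; do
        prdn="${pat%%,*}"; pat="${pat#*,}"
        crdn="${cert%%,*}"; cert="${cert#*,}"
        prdn="${prdn# }"; crdn="${crdn# }"         # drop the space after each comma
        [ "${prdn%%=*}" = "${crdn%%=*}" ] || return 1   # attribute types must agree
        [ "${prdn#*=}" = "*" ] && continue          # wildcard RDN in the configured DN
        [ "${prdn#*=}" = "${crdn#*=}" ] || return 1
    done
    return 0
}

# The situation from the log above: IKE ID without a wildcard, certificate CN with one.
if fqdn_matches 'vpn6-pub.restena.lu' '*.restena.lu'; then
    echo "id confirmed by certificate"
else
    echo "id 'vpn6-pub.restena.lu' not confirmed by certificate"
fi
```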

Re: [strongSwan] route-client error

2010-07-09 Thread Claude Tompers
Hi,

I still get that "unknown interface version" error if I'm trying to start pluto 
as a non-privileged user, followed by the deletion of the SA.
Is there some fix to my issue or do I have to run strongswan as root as long as 
I use pluto?

thanks a lot for your help

kind regards,
Claude


On Wednesday 07 July 2010 10:11:50 Claude Tompers wrote:
> Hi,
> 
> I've had it already compiled with --with-capabilities=libcap.
> I've tried sudo'ing and it has changed something, but I think there are still 
> some bits missing.
> 
> Here's the new log error:
> 
> Jul  2 13:33:56 vpn6-test pluto[3286]: "cisco-vpn"[6] 192.168.3.18:58180 #6: 
> up-client output: /usr/local/libexec/ipsec/_updown: unknown interface version 
> `'
> Jul  2 13:33:56 vpn6-test pluto[3286]: "cisco-vpn"[6] 192.168.3.18:58180 #6: 
> up-client command exited with status 2
> Jul  2 13:33:56 vpn6-test pluto[3286]: "cisco-vpn"[6] 192.168.3.18:58180 #6: 
> ERROR: netlink response for Del SA esp.63e0a...@192.168.1.13 included errno 
> 3: No such process
> Jul  2 13:33:57 vpn6-test pluto[3286]: "cisco-vpn"[6] 192.168.3.18:58180 #5: 
> ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x919ff160) not found (maybe 
> expired)
> Jul  2 13:33:57 vpn6-test pluto[3286]: "cisco-vpn"[6] 192.168.3.18:58180 #5: 
> ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x63e0a322) not found (maybe 
> expired)
> 
> kind regards
> Claude
> 
> 
> On Friday 02 July 2010 12:13:21 Martin Willi wrote:
> > Hi,
> > 
> > > I've compiled strongswan with user vpn and group vpn.
> > 
> > If you use non-root users, you'll need support for capability handling
> > too. Add --with-capabilities=libcap to ./configure.
> > 
> > > route-client output: Not sufficient rights to flush
> > 
> > It is not possible to propagate the capabilities to the updown script.
> > Pluto uses the updown script not only for firewalling, but also for
> > route installation. 
> > You'll have to run the updown script with root privileges. Never tried
> > it, but file system based capability settings might work. Another
> > alternative is to define
> >   leftupdown="sudo ipsec _updown"
> > and configure sudo accordingly.
> > 
> > Regards
> > Martin
> > 
> > 
> 
> 

-- 
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473


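The error quoted in this thread, as an added example that is not strongSwan's own _updown script: pluto hands its parameters to the updown script as PLUTO_* environment variables, and the message "unknown interface version `'" with an empty value means the script ran without PLUTO_VERSION in its environment. That is what sudo's default env_reset policy does to variables it does not know, so a sudo-based leftupdown also needs a sudoers rule (env_keep) that passes the PLUTO_* variables through; the helper names below are this example's own.

```shell
#!/bin/sh
# Added example, not strongSwan's own _updown: a reduced model of the interface
# version check whose failure appears in the log above. The real script reads
# its parameters (verb, interface, addresses, ...) from PLUTO_* variables that
# pluto exports before running it.

# check_interface_version: 0 if PLUTO_VERSION is a version this script knows,
# otherwise prints the error seen in the log and returns 2 (the status that
# pluto reported as "up-client command exited with status 2").
check_interface_version() {
    case "$PLUTO_VERSION" in
        1.*) return 0 ;;
        *)  echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
            return 2 ;;
    esac
}

# updown_status POLICY: status of the check as seen by the updown script when
# it is started through sudo (hypothetical helper; sudo itself is not run).
#   reset  models sudo's default env_reset, which drops PLUTO_* from the
#          environment before executing "ipsec _updown"
#   keep   models a sudoers env_keep rule that preserves the PLUTO_* variables
updown_status() {
    case "$1" in
        reset) ( unset PLUTO_VERSION; check_interface_version ) ;;
        keep)  ( check_interface_version ) ;;
        *)     echo "usage: updown_status reset|keep" >&2; return 1 ;;
    esac
}

# Demonstration with a version string of the form pluto exports (constructed value).
PLUTO_VERSION=1.1
export PLUTO_VERSION
updown_status reset || echo "env_reset: updown refused to run (status $?)"
updown_status keep && echo "env_keep: updown ran normally"
```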