Re: [strongSwan] route-client error
Hi,

I still get that unknown interface version error if I'm trying to start pluto as a non-privileged user, followed by the deletion of the SA. Is there some fix to my issue or do I have to run strongSwan as root as long as I use pluto?

Thanks a lot for your help.

Kind regards,
Claude

On Wednesday 07 July 2010 10:11:50 Claude Tompers wrote:

Hi,

I had already compiled it with --with-capabilities=libcap. I've tried sudo'ing and it has changed something, but I think there are still some bits missing. Here's the new log error:

Jul 2 13:33:56 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #6: up-client output: /usr/local/libexec/ipsec/_updown: unknown interface version `'
Jul 2 13:33:56 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #6: up-client command exited with status 2
Jul 2 13:33:56 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #6: ERROR: netlink response for Del SA esp.63e0a...@192.168.1.13 included errno 3: No such process
Jul 2 13:33:57 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #5: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x919ff160) not found (maybe expired)
Jul 2 13:33:57 vpn6-test pluto[3286]: cisco-vpn[6] 192.168.3.18:58180 #5: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x63e0a322) not found (maybe expired)

Kind regards,
Claude

On Friday 02 July 2010 12:13:21 Martin Willi wrote:

Hi,

> I've compiled strongswan with user vpn and group vpn.

If you use non-root users, you'll need support for capability handling too. Add --with-capabilities=libcap to ./configure.

> route-client output: Not sufficient rights to flush

It is not possible to propagate the capabilities to the updown script. Pluto uses the updown script not only for firewalling, but also for route installation. You'll have to run the updown script with root privileges. Never tried it, but file system based capability settings might work. Another alternative is to define leftupdown="sudo ipsec _updown" and configure sudo accordingly.

Regards
Martin

--
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
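Editor's note on the thread above, with an added example that is not part of the mailing-list exchange and not strongSwan's own code. The empty value in the logged message "unknown interface version `'" is what strongSwan's _updown script prints when $PLUTO_VERSION is not set: pluto exports PLUTO_VERSION and the other PLUTO_* variables to the updown command, but sudo's default env_reset discards the caller's environment before running the script, so "leftupdown=sudo ipsec _updown" alone produces exactly the exit status 2 seen in the log. The script below reproduces that check (a constructed mirror of the real script's case statement), contrasts a stripped and a preserved environment, and prints a sudoers rule with the SETENV tag plus the matching ipsec.conf line. The script path is taken from the log; the user name "vpn" comes from the first message; both are assumptions about the reader's system.

```shell
#!/bin/sh
# Added example, not from the thread or from strongSwan. Reproduces the
# PLUTO_VERSION check at the top of _updown, shows why plain "sudo" breaks
# it, and emits the sudo/ipsec.conf settings that carry pluto's
# environment across. UPDOWN and VPN_USER are assumptions for this demo.

UPDOWN=/usr/local/libexec/ipsec/_updown   # path as it appears in the log
VPN_USER=vpn                              # user pluto was built to run as

# Constructed mirror of _updown's interface-version check. pluto exports
# PLUTO_VERSION=1.1 before calling the script; anything else falls into the
# error branch and exits 2 ("up-client command exited with status 2").
updown_version_check() {
    case "${PLUTO_VERSION:-}" in
        1.*) return 0 ;;
        *)   printf '%s: unknown interface version `%s'\''\n' \
                 "$UPDOWN" "${PLUTO_VERSION:-}" >&2
             return 2 ;;
    esac
}

# What the script sees under plain "sudo" (env_reset on): the PLUTO_*
# variables pluto exported are gone. A subshell with the variable unset
# stands in for sudo here so the demo runs without root.
run_stripped() {
    ( unset PLUTO_VERSION; updown_version_check )
}

# What it sees under "sudo -E" with a SETENV rule: pluto's environment
# survives and the version check passes.
run_preserved() {
    ( PLUTO_VERSION=1.1; export PLUTO_VERSION; updown_version_check )
}

# sudoers rule: only the pluto user, only this script, no password prompt
# (pluto cannot answer one), and SETENV so that "sudo -E" is permitted.
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD:SETENV: %s\n' "$VPN_USER" "$UPDOWN"
}

# The matching ipsec.conf setting for the conn sections pluto handles.
ipsec_conf_line() {
    printf '\tleftupdown="sudo -E %s"\n' "$UPDOWN"
}

# Stand-alone demonstration.
if run_stripped; then
    echo "unexpected: version check passed without PLUTO_VERSION"
else
    echo "env_reset: _updown exited $? (the status 2 from the log)"
fi
run_preserved && echo "env kept:  _updown exited 0"
echo "--- /etc/sudoers.d/strongswan-updown"
sudoers_rule
echo "--- ipsec.conf, inside the conn section"
ipsec_conf_line
```

Two caveats. A script running as root now trusts whatever the vpn user's process put in its environment, which is acceptable only because that process is pluto itself; keep sudo's secure_path in force (sudo also still strips its env_delete list, such as LD_PRELOAD, even with -E) and never widen the rule beyond that one script. If you prefer not to pass the whole environment, the tighter option is a per-command Defaults entry whose env_keep lists the PLUTO_* variables by name; the SETENV form above is the shorter one to verify first.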
Re: [strongSwan] Wildcard certificates
Oops, sometimes I forget the most evident things. I forgot to put the key file into ipsec.secrets. My bad, so sorry.

Kind regards,
Claude

On Wednesday 07 July 2010 13:06:11 Claude Tompers wrote:

Hello Stefan,

Ok, in that case the IKEv2 ID is not that important, but why can't it find the key for the default DN 'C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=*.restena.lu'?

Kind regards
Claude

On Wednesday 07 July 2010 12:43:03 Andreas Steffen wrote:

Hello Claude,

as far as I know strongSwan does not treat '*' in the subject Distinguished Name as a wildcard in comparisons with an IKEv2 ID. strongSwan rather treats a '*' in an IKEv2 ID as a wildcard in comparisons with IDs contained in a certificate.

Regards
Andreas

On 07.07.2010 10:39, Claude Tompers wrote:

Hello,

I'm trying to make strongSwan work with our wildcard certificate, but I'm getting a strange error. Here's my log:

Jul 7 10:34:08 vpn6-test charon: 12[CFG] id 'vpn6-pub.restena.lu' not confirmed by certificate, defaulting to 'C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=*.restena.lu'

So far I think this is not a problem, but then:

Jul 7 10:34:18 vpn6-test charon: 10[IKE] no private key found for 'C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=*.restena.lu'

The wildcard certificate works perfectly on other servers. I installed the certificate exactly the same way as my self-signed one before. That one worked perfectly. Is it possible that the / or the * characters cause some issues?

Thanks a lot in advance.

Kind regards
Claude

==
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
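Editor's note on the thread above, with an added example that is not part of the exchange and not strongSwan's own code. The "no private key found for '<DN>'" line means charon selected that certificate for the local end but found no matching private key among the entries in ipsec.secrets; the '*' and '/' characters in the DN play no part in that lookup, which is by key material, not by name. The script below does the check a practitioner wants before (or after) adding the ": RSA <file>" entry: it compares the public key inside the certificate with the public key derived from the private-key file, and prints the secrets entry only when they match. The key, the wildcard certificate with CN=*.example.test and the unrelated second key are generated inline with openssl purely as demo material; no file names from the thread are assumed.

```shell
#!/bin/sh
# Added example, not from the thread or from strongSwan: verify that a
# private-key file belongs to the (wildcard) certificate charon will use,
# then emit the ipsec.secrets entry. Requires the openssl CLI.

# Returns 0 when the SubjectPublicKeyInfo inside the certificate equals the
# public key derived from the private key, 1 otherwise (or on unreadable
# input). This is the relation charon needs; the subject DN is irrelevant.
key_matches_cert() {
    key=$1; cert=$2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# ipsec.secrets line for an RSA key with no ID selector: the key is offered
# for whichever local certificate it matches. A relative path is resolved
# under /etc/ipsec.d/private by strongSwan.
secrets_entry() {
    printf ': RSA %s\n' "$1"
}

# Constructed demo material in $1: a key, a self-signed wildcard certificate
# made from it (DN modelled on the thread's, with ST=n/a to show that the
# slash is harmless), and an unrelated key standing in for "the wrong file".
make_demo() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/wildcard.key" 2>/dev/null
    openssl req -new -x509 -key "$dir/wildcard.key" -days 1 \
        -subj '/C=LU/ST=n\/a/L=Luxembourg/O=Example/CN=*.example.test' \
        -out "$dir/wildcard.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" 2>/dev/null
}

# Stand-alone demonstration.
demo() {
    tmp=$(mktemp -d) || return 1
    make_demo "$tmp"
    openssl x509 -in "$tmp/wildcard.crt" -noout -subject
    if key_matches_cert "$tmp/wildcard.key" "$tmp/wildcard.crt"; then
        echo "wildcard.key matches the certificate; ipsec.secrets entry:"
        secrets_entry "$tmp/wildcard.key"
    fi
    if ! key_matches_cert "$tmp/other.key" "$tmp/wildcard.crt"; then
        echo "other.key does not match; with only that entry charon has no key for this certificate"
    fi
    rm -rf "$tmp"
}

command -v openssl >/dev/null 2>&1 && demo
```

After editing ipsec.secrets, `ipsec rereadsecrets` (or a restart) is needed before charon sees the new entry; the matching check above is the quick way to tell a missing entry from a wrong one when the "no private key found" line reappears.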