[strongSwan] auth.log file does not exist on strongswan 4.4.0

2011-04-20 Thread Mickael SABELLE
Hello,

I installed strongSwan 4.4.0 on a Wind River Linux distribution, but the
difference from Ubuntu, for example, is that I don't find the auth.log
in /var/log/ or in any other directory.
After reading the different man pages I didn't find whether there is a
feature to set in a conf file to get the strongSwan log working.

Does somebody have an idea?

Regards,

Mickael
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] auth.log file does not exist on strongswan 4.4.0

2011-04-20 Thread Martin Willi
Hi Mickael,

> After reading the different man pages I didn't find whether there is a
> feature to set in a conf file to get the strongSwan log working.

By default, strongSwan logs debugging information to the syslog daemon
facility, and a simpler audit log to audit. Have a look at your syslog
configuration/documentation where this logging finally lands on disk.

For IKEv2, you can adjust the logging for your needs, see [1].

Regards
Martin

[1] http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration



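Martin's pointer in [1] covers charon's logger settings in strongswan.conf. The fragment below is an added example, not text from the thread or from the strongSwan documentation; the file path and the per-subsystem levels are my own choices. It keeps the syslog output and additionally writes charon's output to a dedicated file, which is useful on a trimmed-down embedded image that ships no syslog daemon, where the syslog messages otherwise land nowhere. Levels run from -1 (silent) through 0 (audit) and 1 (control, the default) up to 4; levels 3 and 4 include raw packet dumps and sensitive material such as keys, so keep them off outside a lab and keep the log file readable by root only. charon reads strongswan.conf at start, so restart it (ipsec restart) after editing. This affects charon (IKEv2) only; pluto's IKEv1 messages in 4.4.0 still go to syslog.

```conf
# strongswan.conf, charon section only; pluto (IKEv1) is not affected.
charon {
    # keep the existing syslog output at the default control level
    syslog {
        daemon {
            default = 1
        }
    }
    # additionally write a dedicated log file (path is an example)
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            default = 1      # control messages for all subsystems
            ike = 2          # more detail for IKE state machine
            cfg = 2          # more detail for config/credential loading
            append = no      # start a fresh file on each daemon start
            flush_line = yes # flush after every line, so tail -f works
        }
    }
}
```

Check with ipsec statusall after the restart that the daemon came up with the new settings, and confirm the file is created with root-only permissions before raising any subsystem to level 3 or 4.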


[strongSwan] Hub and Spoke VPN using Strongswan

2011-04-20 Thread balu deokate
Sir,
  I am an M.Tech student, and I want to create a hub-and-spoke IPsec VPN
model using strongSwan, so can you please send me detailed documentation for
that.


Regards
Balu Deokate

[strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-04-20 Thread Rajiv Kulkarni
Hi

I am facing a problem in my strongSwan deployment on a Linux Fedora 13
server. I have created a CA and some device certs on the Fedora 13 server
using OpenSSL, but I am unable to use the device certs (the private-key file)
in strongSwan. I am getting the following error (console trace). Other
details are given below:

--



[root@dvtpc2 etc]# ipsec start --nofork
Starting strongSwan 4.5.0 IPsec [starter]...
starter_start_pluto entered
Pluto initialized
Starting IKEv1 pluto daemon (strongSwan 4.5.0) THREADS VENDORID
listening on interfaces:
  eth1
172.30.1.2
fe80::218:8bff:fe04:a492
  eth0
172.18.10.100
fe80::2d0:b7ff:fe9e:ab8b
loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp
hmac xauth attr kernel-netlink resolve
  including NAT-Traversal patch (Version 0.6c)
pluto (2594) started after 20 ms
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
00[KNL] listening on interfaces:
00[KNL]   eth1
00[KNL] 172.30.1.2
00[KNL] fe80::218:8bff:fe04:a492
00[KNL]   eth0
loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
  loaded ca certificate from '/usr/local/etc/ipsec.d/cacerts/cacert.pem'
loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
loading ocsp certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Changing to directory '/usr/local/etc/ipsec.d/crls'
00[KNL] 172.18.10.100
  loaded crl from 'crl.pem'
00[KNL] fe80::2d0:b7ff:fe9e:ab8b
loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
spawning 4 worker threads
listening for IKE messages
adding interface eth0/eth0 172.18.10.100:500
adding interface eth0/eth0 172.18.10.100:4500
adding interface eth1/eth1 172.30.1.2:500
adding interface eth1/eth1 172.30.1.2:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
loading secrets from "/usr/local/etc/ipsec.secrets"
L1 - modulus: ASN1 tag 0x02 expected, but is 0x30
building CRED_PRIVATE_KEY - RSA failed, tried 5 builders
  syntax error in private key file
"/usr/local/etc/ipsec.secrets" line 3: Private key file -- could not be
loaded
00[CFG]   loaded ca certificate "C=IN, ST=AP, L=HYD, O=Internet Widgits Pty
Ltd, OU=Corp, CN=dvtpc2CA, E=ad...@dvttest.com, subjectAltName=
dvtpc2.dvttest.com" from '/usr/local/etc/ipsec.d/cacerts/cacert.pem'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from
'/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG]   loaded crl from '/usr/local/etc/ipsec.d/crls/crl.pem'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[LIB] L1 - modulus: ASN1 tag 0x02 expected, but is 0x30
00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 5 builders
00[CFG]   loading private key from
'/usr/local/etc/ipsec.d/private/dvtpc2key1024-self.pem' failed
00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey
pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw
stroke updown
00[JOB] spawning 16 worker threads
charon (2619) started after 20 ms
04[CFG] received stroke: add connection 'dvtpc2host'
04[CFG]   loaded certificate "C=IN, ST=AP, L=HYD, O=Internet Widgits Pty
Ltd, OU=Corp, CN=dvtpc2.dvttest.com, subjectAltName=dvtpc2.dvttest.com,
E=ad...@dvttest.com" from 'dvtpc2cert1024-self.pem'
04[CFG]   id '/C=IN/ST=AP/L=HYD/O=Internet Widgits Pty
Ltd/OU=Corp/CN=dvtpc2.dvttest.com/subjectAltName=dvtpc2.dvttest.com/emailAddress=ad...@dvttest.com'not
confirmed by certificate, defaulting to 'C=IN, ST=AP, L=HYD,
O=Internet
Widgits Pty Ltd, OU=Corp, CN=dvtpc2.dvttest.com, subjectAltName=
dvtpc2.dvttest.com, E=ad...@dvttest.com'
04[CFG] added configuration 'dvtpc2host'
  loaded host certificate from
'/usr/local/etc/ipsec.d/certs/dvtpc2cert1024-self.pem'
  id '/C=IN/ST=AP/L=HYD/O=Internet Widgits Pty
Ltd/OU=Corp/CN=dvtpc2.dvttest.com/subjectAltName=dvtpc2.dvttest.com/emailAddress=ad...@dvttest.com'not
confirmed by certificate, defaulting to 'C=IN, ST=AP, L=HYD,
O=Internet
Widgits Pty Ltd, OU=Corp, CN=dvtpc2.dvttest.com, subjectAltName=
dvtpc2.dvttest.com, E=ad...@dvttest.com'
added connection description "dvtpc2host"

---
[root@dvtpc2 etc]# openssl version
OpenSSL 1.0.0a-fips 1 Jun 2010
[root@dvtpc2 etc]#

---
[root@dvtpc2 etc]#
[root@dvtpc2 etc]#
[root@dvtpc2 etc]# cd ipsec.d/private/
[root@dvtpc2 private]# cat dvtpc2key1024-self.pem
-----BEGIN PRIVATE KEY-----
MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALPec1SeRutyn4Sb
yWS8RVXDiroh3XgXchjYbwm+RvoFS7k31LcpK+zgs62ZdTFxeYCv6hr/bV2BIwwf
NwMlPc5zyHnjFrMmOG2eXzzd0xleFwx12NSW0rXtpAVa9/GVmROhObAFUlrLYL4R
WuVLzpA+gv/2U9jVkVxBMr1GG5khAgMBAAECgYEAk2z88ppYXpswjCx0QZDe85C2
oCEpuUjeR+b9++ptmnfEvSc5vnaMfjcejmd9Wu07PXLyWvaI2V8DLuhW2skngj

[strongSwan] How to deal with a CARP cluster?

2011-04-20 Thread M M
Hi All,

I'm trying to let a Linux/strongSwan combo talk to a CARP cluster
of OpenBSD v4 machines. As such I'm bound to IKEv1, but I'm able to
establish a tunnel. I see ESP traffic arrive on the OpenBSD side, but
not the other way around.

The strongSwan logging shows the "cannot respond to IPsec SA request
because no connection is known for [...]" The logging also reveals
that strongSwan receives the physical IP address of one of the OpenBSD
machines in the CARP cluster instead of the virtual IP address of the
cluster. Obviously it cannot find a connection as it is configured
to use the virtual IP address (and of which it has a valid certificate).

I have tried setting rightsourceip (the OpenBSD side) to %config but
that did not help. Would using virtual_private help? Or is it not possible
at all to set up a tunnel with a CARP cluster?

Thanks,
Marty.




Re: [strongSwan] Strongswan Unable to load OpenSSL RSA Private-Key File

2011-04-20 Thread Martin Willi
Hi Rajiv,

> [root@dvtpc2 private]# cat dvtpc2key1024-self.pem
> -----BEGIN PRIVATE KEY-----
> MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALPec1SeRutyn4Sb
> yWS8RVXDiroh3XgXchjYbwm+RvoFS7k31LcpK+zgs62ZdTFxeYCv6hr/bV2BIwwf
> NwMlPc5zyHnjFrMmOG2eXzzd0xleFwx12NSW0rXtpAVa9/GVmROhObAFUlrLYL4R
> WuVLzpA+gv/2U9jVkVxBMr1GG5khAgMBAAECgYEAk2z88ppYXpswjCx0QZDe85C2
> oCEpuUjeR+b9++ptmnfEvSc5vnaMfjcejmd9Wu07PXLyWvaI2V8DLuhW2skngjLQ
> jADppVBvnYvNqqih3GwFSN3H3fieF6fDPeKqv67roqEiGXvCaOUWNFOnAsFGKLpw
> d66veG3C+8JD2MCd6JECQQDqpyHu/MQpKhsMW13htkhX1+QXjS584RClLLO3L7LL
> VdGRFjq5cZ2mQzQBNB+ccVDhE02WmfZzAXWHd+hjmzEjAkEAxDtyXkGrdOboz3Wq
> rvYTM/PCJ+K0/Mbisihoi295yGXU074kzXhdVevpN8SarVHz2ktyjea5qPwFRySF
> 089q6wJBAMf6ykuv9cmTTdv5HgiX3g2nO4fq1XyuHw52C2+KYhkyuViqFkAnGREy
> YubHsk0UsbYwSkaYTlXzH2PliBMjlvsCQBsWtcALQrb9lU/mR2ylrZrzYG8PHbrz
> XaIIb/4nomEmpY2hZwUyQ3gz+9rl+hBJCuesmKC8JA8O00+x3AOUU4cCQQCSn5WN
> Na04DmDpNODPlp2YgEVsnWZgOVkI3VrKhWzLhEVq/Sduzx9ySgea0VEegsmWAeqz
> IM+lCeaKgP4Dbjqs
> -----END PRIVATE KEY-----

This key is wrapped in PKCS#8 without encryption. We currently can't
read in any PKCS#8 keys.

Convert such keys to plain RSA using:
  openssl pkcs8 -nocrypt < dvtpc2key1024-self.pem

Regards
Martin



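Martin's diagnosis can be confirmed from the DER structure itself, and the unwrap that `openssl pkcs8 -nocrypt` performs on an unencrypted key is small enough to show in full. The following is an added example, not strongSwan or OpenSSL code: it walks the ASN.1 of a PEM private key, tells PKCS#1 `RSAPrivateKey` from PKCS#8 `PrivateKeyInfo` by the same check that makes strongSwan's pkcs1 builder log "L1 - modulus: ASN1 tag 0x02 expected, but is 0x30", and extracts the PKCS#1 body from the PKCS#8 wrapper. The key it operates on is a constructed toy with textbook-sized integers, not a usable RSA key, and all function names are its own. Two practical notes on Martin's command: it writes the converted key to stdout, so redirect it into a new file with 0600 permissions and point ipsec.secrets at that; and it expects an unencrypted PKCS#8 input (`-nocrypt`), so a file whose header reads ENCRYPTED PRIVATE KEY has to be run through `openssl pkcs8` without `-nocrypt`, which prompts for the passphrase.

```python
"""Tell PKCS#1 (RSAPrivateKey) from PKCS#8 (PrivateKeyInfo) by walking the DER,
and unwrap an unencrypted PKCS#8 key to the PKCS#1 form strongSwan 4.x loads.
Added example, not strongSwan or OpenSSL code. The key below is a constructed
toy with tiny integers, present only to exercise the parser."""
import base64
import re

TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def der_tlv(tag, content):
    """Encode one DER tag-length-value (definite length, long form if needed)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_integer(value):
    # positive INTEGER: prepend 0x00 when the top bit of the magnitude is set
    return der_tlv(TAG_INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """List the (tag, value) pairs directly inside a constructed element."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve = der_read_tlv(buf, pos)
        out.append((tag, buf[vs:ve]))
        pos = ve
    return out


def pem_to_der(pem_text):
    """Strip the PEM armour; also accepts the collapsed '-BEGIN ...-' dashes list archives produce."""
    m = re.search(r"-+BEGIN ([A-Z0-9 ]+)-+(.*?)-+END \1-+", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def der_to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def classify_private_key(der):
    """Both encodings open with SEQUENCE { INTEGER version, ... }; the second child
    tells them apart: INTEGER modulus (PKCS#1) or SEQUENCE AlgorithmIdentifier
    (PKCS#8). strongSwan's pkcs1 builder expects the modulus at nesting level 1,
    hence "L1 - modulus: ASN1 tag 0x02 expected, but is 0x30" on a PKCS#8 key."""
    tag, vs, ve = der_read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("outer element is not a SEQUENCE")
    children = der_children(der, vs, ve)
    if len(children) < 2 or children[0][0] != TAG_INTEGER:
        raise ValueError("version INTEGER missing")
    second = children[1][0]
    if second == TAG_INTEGER:
        return "pkcs1"
    if second == TAG_SEQUENCE:
        return "pkcs8"
    raise ValueError("L1 - modulus: ASN1 tag 0x02 expected, but is 0x%02x" % second)


def unwrap_pkcs8(der):
    """PrivateKeyInfo ::= SEQUENCE { version, privateKeyAlgorithm, privateKey OCTET
    STRING, ... }. For rsaEncryption the OCTET STRING holds the PKCS#1 RSAPrivateKey
    verbatim; extracting it is all `openssl pkcs8 -nocrypt` does for such input."""
    _, vs, ve = der_read_tlv(der, 0)
    children = der_children(der, vs, ve)
    alg = der_children(children[1][1], 0, len(children[1][1]))
    if not alg or alg[0] != (TAG_OID, RSA_ENCRYPTION_OID):
        raise ValueError("privateKeyAlgorithm is not rsaEncryption")
    if len(children) < 3 or children[2][0] != TAG_OCTET_STRING:
        raise ValueError("privateKey OCTET STRING missing")
    return children[2][1]


def convert_pem(pem_text):
    """Return a PEM strongSwan 4.x can load, or raise explaining why it cannot."""
    label, der = pem_to_der(pem_text)
    if label == "ENCRYPTED PRIVATE KEY":
        raise ValueError("encrypted PKCS#8: run openssl pkcs8 without -nocrypt first")
    if classify_private_key(der) == "pkcs1":
        return der_to_pem("RSA PRIVATE KEY", der)  # already plain RSA, nothing to unwrap
    return der_to_pem("RSA PRIVATE KEY", unwrap_pkcs8(der))


# Constructed toy key (textbook p=61, q=53, e=17, d=2753); not a usable RSA key.
_p, _q, _e, _d = 61, 53, 17, 2753
TOY_PKCS1_DER = der_tlv(TAG_SEQUENCE, b"".join(der_integer(v) for v in (
    0, _p * _q, _e, _d, _p, _q, _d % (_p - 1), _d % (_q - 1), 38)))  # 38 = q^-1 mod p
TOY_PKCS8_DER = der_tlv(TAG_SEQUENCE,
    der_integer(0)
    + der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, RSA_ENCRYPTION_OID) + der_tlv(TAG_NULL, b""))
    + der_tlv(TAG_OCTET_STRING, TOY_PKCS1_DER))
SAMPLE_PKCS8_PEM = der_to_pem("PRIVATE KEY", TOY_PKCS8_DER)  # header as in Rajiv's file

if __name__ == "__main__":
    print(classify_private_key(TOY_PKCS8_DER))
    print(convert_pem(SAMPLE_PKCS8_PEM))
```

Running it prints "pkcs8" and then a "-----BEGIN RSA PRIVATE KEY-----" block, the same header that strongSwan's pem plugin expects. On a real file, compare the output of `convert_pem` against `openssl pkcs8 -nocrypt < key.pem`; the two are byte-identical for unencrypted rsaEncryption keys, which is the check worth doing before trusting either.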