[strongSwan] Help regarding eap-sim-pcsc plugin of Strongswan
Hi Alan,

I was trying to use the eap-sim-pcsc plugin of strongSwan and am facing some issues while testing it. I came across one of your threads on the strongSwan mailing list where you mentioned that you used this plugin. I am stuck at one of the parts and getting the following error on the client side:

<<
root@ubuntu5-desktop:/home/ubuntu5# ipsec up android
initiating IKE_SA android[2] to 192.168.1.154
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.8[500] to 192.168.1.154[500]
received packet: from 192.168.1.154[500] to 192.168.1.8[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
sending cert request for "C=UK, CN=nits"
establishing CHILD_SA android
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.8[4500] to 192.168.1.154[4500]
received packet: from 192.168.1.154[4500] to 192.168.1.8[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
received end entity cert "C=UK, CN=nits"
using certificate "C=UK, CN=nits"
using trusted ca certificate "C=UK, CN=nits"
checking certificate status of "C=UK, CN=nits"
certificate status is not available
reached self-signed root ca with a path length of 0
authentication of '192.168.1.154' with RSA signature successful
server requested EAP_IDENTITY (id 0x00), sending '9404118100734530'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 192.168.1.8[4500] to 192.168.1.154[4500]
received packet: from 192.168.1.154[4500] to 192.168.1.8[4500]
parsed IKE_AUTH response 2 [ EAP/FAIL ]
received EAP_FAILURE, EAP authentication failed

root@ubuntu5-desktop:/home/ubuntu5# ipsec up android
initiating IKE_SA android[3] to 192.168.1.154
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.8[500] to 192.168.1.154[500]
received packet: from 192.168.1.154[500] to 192.168.1.8[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
sending cert request for "C=UK, CN=nits"
establishing CHILD_SA android
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.8[4500] to 192.168.1.154[4500]
received packet: from 192.168.1.154[4500] to 192.168.1.8[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
received end entity cert "C=UK, CN=nits"
using certificate "C=UK, CN=nits"
using trusted ca certificate "C=UK, CN=nits"
checking certificate status of "C=UK, CN=nits"
certificate status is not available
reached self-signed root ca with a path length of 0
authentication of '192.168.1.154' with RSA signature successful
server requested EAP_IDENTITY (id 0x00), sending '9404118100734530'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 192.168.1.8[4500] to 192.168.1.154[4500]
received packet: from 192.168.1.154[4500] to 192.168.1.8[4500]
parsed IKE_AUTH response 2 [ EAP/REQ/SIM ]
server requested EAP_SIM authentication (id 0xCA)
generating IKE_AUTH request 3 [ EAP/RES/SIM ]
sending packet: from 192.168.1.8[4500] to 192.168.1.154[4500]
received packet: from 192.168.1.154[4500] to 192.168.1.8[4500]
parsed IKE_AUTH response 3 [ EAP/REQ/SIM ]
*EAP_SIM MAC verification failed*
sending client error 'unable to process packet'
generating IKE_AUTH request 4 [ EAP/RES/SIM ]
sending packet: from 192.168.1.8[4500] to 192.168.1.154[4500]
received packet: from 192.168.1.154[4500] to 192.168.1.8[4500]
parsed IKE_AUTH response 4 [ EAP/FAIL ]
*received EAP_FAILURE, EAP authentication failed*
root@ubuntu5-desktop:/home/ubuntu5#
>>>

I was wondering if you could suggest whether I'm missing something while testing the plugin. My main doubts are:

1) Whether the eap-sim-pcsc plugin supports SIM card based authentication. If yes, then what should be the username and key format that needs to be stored on the RADIUS server?

2) Are there any other dependencies for using this plugin?

Thanks
Deepika

--
If you think you can or if you think you can't, you are right. -Henry Ford

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] How to disable 'CRL' in strongswan.conf?
Hello Yong Choo,

you can do that with an explicit load statement in strongswan.conf. Just prepare two versions of strongswan.conf - one with the revocation plugin in the load statement and one without it. Depending on the situation you either start strongSwan with the one strongswan.conf or with the other. Is this dynamic enough?

Regards

Andreas

On 09.01.2012 20:59, Yong Choo wrote:
> Searching in the database, I came upon the following in
> http://www.mail-archive.com/users@lists.strongswan.org/msg03918.html
> So, the question is 'how not to load the revocation plugin when it is
> already enabled by default?'
>
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
> Sent: Thursday, 24 November 2011 12:51
> To: ABULIUS, MUGUR (MUGUR)
> Cc: users@lists.strongswan.org; SCARAZZINI, FABRICE (FABRICE); Pisano, Stephen G (Stephen); WASNIEWSKI, ALAIN (ALAIN)
> Subject: Re: [strongSwan] How to bypass CRL checks?
>
> Hello Mugur,
>
> with IKEv2 revocation checks can be easily disabled by not loading the
> revocation plugin. What is not possible is to disable CRL checking on a per
> connection definition basis.
>
> Regards
>
> Andreas
>
> On 1/9/2012 12:30 PM, Yong Choo wrote:
>> Hi,
>> Looking at http://wiki.strongswan.org/projects/1/wiki/441,
>> OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
>> enabled by default. Please update manual load directives in strongswan.conf.
>>
>> How can I disable this plugin dynamically? We have a need of
>> dynamically controlling the loading of plugins at run-time.
>>
>> Thanks Much,
>> -Yong Choo

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
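As an added illustration of the two-file approach Andreas describes (not part of his message), the only difference between the two strongswan.conf variants is whether the explicit load list names the revocation plugin. The plugin list itself is an assumption standing in for whatever the local build loads by default; an explicit load statement replaces that default list, so every plugin the setup still needs has to be spelled out.

```conf
# Variant A: strongswan.conf with CRL/OCSP checking active.
# The explicit load list overrides the compiled-in default, so all
# required plugins must be listed (assumed minimal list for IKEv2 with x509).
charon {
    load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
}

# Variant B: identical, except "revocation" is left out of the list.
# Without the plugin charon performs no CRL/OCSP checks for any connection;
# per-connection disabling is not possible, as the thread notes.
charon {
    load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl hmac stroke kernel-netlink socket-default updown
}
```

Keep the two variants as separate files and install the wanted one before starting strongSwan; the difference is easy to audit with a plain diff of the two load lines.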
Re: [strongSwan] Problem exporting pkcs12-File
4.4.0 certainly doesn't support PEM output yet, so please upgrade if possible to 4.6.1, although some 4.5.x versions should already come with PEM conversion. And yes, you have to add --outform pem to both certificates and keys since the default is always the binary DER format.

Regards

Andreas

On 09.01.2012 12:05, Stefan Malte Schumacher wrote:
> 2012/1/9 Andreas Steffen :
>> Hello Stefan,
>>
>> could it be that you are using an older strongSwan version where
>> the ipsec pki commands do not support PEM format output yet, even
>> though the --outform option already exists?
>>
>> Regards
>>
> Hello Andreas
>
> I am currently using strongSwan 4.4.0-4.1.1.i586, which came with my
> distribution. Should I update to a more current version? Just to be
> sure: I have to use the --outform pem option for both the keys AND the
> certificates, correct?
>
> Yours
> Stefan Malte Schumacher
Re: [strongSwan] How to disable 'CRL' in strongswan.conf?
Searching in the database, I came upon the following in
http://www.mail-archive.com/users@lists.strongswan.org/msg03918.html

So, the question is 'how not to load the revocation plugin when it is already enabled by default?'

-----Original Message-----
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: Thursday, 24 November 2011 12:51
To: ABULIUS, MUGUR (MUGUR)
Cc: users@lists.strongswan.org; SCARAZZINI, FABRICE (FABRICE); Pisano, Stephen G (Stephen); WASNIEWSKI, ALAIN (ALAIN)
Subject: Re: [strongSwan] How to bypass CRL checks?

Hello Mugur,

with IKEv2 revocation checks can be easily disabled by not loading the revocation plugin. What is not possible is to disable CRL checking on a per connection definition basis.

Regards

Andreas

On 1/9/2012 12:30 PM, Yong Choo wrote:
> Hi,
> Looking at http://wiki.strongswan.org/projects/1/wiki/441,
> OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
> enabled by default. Please update manual load directives in strongswan.conf.
>
> How can I disable this plugin dynamically? We have a need of
> dynamically controlling the loading of plugins at run-time.
>
> Thanks Much,
> -Yong Choo
[strongSwan] How to disable 'CRL' in strongswan.conf?
Hi,

Looking at http://wiki.strongswan.org/projects/1/wiki/441,

OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled by default. Please update manual load directives in strongswan.conf.

How can I disable this plugin dynamically? We have a need of dynamically controlling the loading of plugins at run-time.

Thanks Much,
-Yong Choo
Re: [strongSwan] Tunnel layer 2 with ipsec
On 02.01.2012 14:53, nima chavooshi wrote:
> Hi
> Is it possible that I forward layer 2 packets in an ipsec tunnel??

I can not comment about IPsec, but I use OpenVPN for L2 tunneling and it works very well.

Klaus
Re: [strongSwan] Problem exporting pkcs12-File
2012/1/9 Andreas Steffen :
> Hello Stefan,
>
> could it be that you are using an older strongSwan version where
> the ipsec pki commands do not support PEM format output yet, even
> though the --outform option already exists?
>
> Regards
>

Hello Andreas

I am currently using strongSwan 4.4.0-4.1.1.i586, which came with my distribution. Should I update to a more current version? Just to be sure: I have to use the --outform pem option for both the keys AND the certificates, correct?

Yours
Stefan Malte Schumacher