Re: [strongSwan] StrongSwan, PSK and Windows 7

2012-05-24 Thread Chris Arnold
Can anyone help me get strongswan going with PSK? My config is below. I see on 
the router logs (strongswan behind it) that I am making it to the router and 
the router is passing the connection to the strongswan server but the VPN is 
not established. I feel like this is a strongswan config issue. Any help is 
appreciated.

Sent from my iPhone

On May 22, 2012, at 6:42 PM, Chris Arnold wrote:

> I have given up on ikev2 with certs and have turned my attention to psk. Here 
> is the ipsec.conf file:
> config setup
>     # plutodebug=all
>     crlcheckinterval=600
>     strictcrlpolicy=no
>     # cachecrls=yes
>     nat_traversal=yes
>     # charonstart=no
>     plutostart=no
> 
> # Add connections here.
> 
> conn %default
>     ikelifetime=28800s
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     authby=secret
>     keyexchange=ikev2
>     mobike=no
> 
> conn rclients
>     left=%defaultroute
>     #leftcert=ChrisACert.pem
>     #leftid=
>     leftsubnet=192.168.1.0/24
>     right=%any
>     #rightsourceip=192.168.1.0/24
>     auto=add
> 
> conn teknerds
>     left=%defaultroute
>     leftcert=moonCert.pem
>     leftsubnet=192.168.1.0/24
>     #leftid="dn name"
>     #leftfirewall=yes
>     right=moon public ip
>     rightsubnet=192.168.123.0/24
>     rightcert=sunCert.pem
>     rightid="un dn"
>     auto=add
> 
> Is there a wiki for the strongswan config and windows 7 config? I get an 
> error 789 on the windows side.
> 
> Here is the ipsec.secrets file:
> #@192.168.123.1 @moon.com : PSK secret (not sure why this is here?)
> : RSA moonKey.pem
> 
> 192.168.1.40 : PSK secret
> 
> ___
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users



Re: [strongSwan] StrongSwan, PSK and Windows 7

2012-05-24 Thread Thomas Jarosch
Hi Chris,

On Thursday, 24. May 2012 17:05:46 Chris Arnold wrote:
> Can anyone help me get strongswan going with PSK? My config is below. I
> see on the router logs (strongswan behind it) that I am making it to the
> router and the router is passing the connection to the strongswan server
> but the VPN is not established. I feel like this is a strongswan config
> issue. Any help is appreciated.

It might help if you post the relevant strongswan log messages.

Thomas

Re: [strongSwan] StrongSwan, PSK and Windows 7

2012-05-24 Thread Chris Arnold
Hi Thomas,

> Hi Chris,
> 
> It might help if you post the relevant strongswan log messages.

I meant to say, the charon log does not show any relevant logs. Maybe I need to set 
the debug level to something different? Now, debug is in the strongswan.conf 
file.


[strongSwan] configuration error when trying to use --enable-curl

2012-05-24 Thread Yong Choo

Hi,
We are trying to have the --enable-curl plugin be part of the image using 
cross-compilation for PowerPC (not the native Linux host).
We have downloaded the latest curl version from 
http://curl.haxx.se/download.html

We were able to compile and generate a libcurl.a in
./INSTALL_STAGE/curl-7.25.0/usr/lib/libcurl.a

We tried to compile for strongswan but in the 'configuration' stage, we 
get the following error:

configure:15423: checking for main in -lcurl
configure:15442: powerpc-wrs-linux-gnu-ppc_e500v2-glibc_cgl-gcc -o conftest -g -O2 -fomit-frame-pointer -D__USE_STRING_INLINES -pipe -DDEBUG_LEVEL=3   conftest.c -lcurl>&5
/vobs/ngp_windriver/windriver_pne2.0/gnu/4.1-wrlinux-2.0/x86-linux2/bin/../lib/gcc/powerpc-wrs-linux-gnu/4.1.2/../../../../powerpc-wrs-linux-gnu/bin/ld: cannot find -lcurl

How do we specify how to find the library for curl (libcurl.a)? I don't 
think it is --lib.
(I tried to build the strongswan in the native linux host machine and 
everything is fine.)


Thanks in advance,
-Yong Choo



[strongSwan] IKE_AUTH fails with "no matching peer config found" error message in strongswan ver 4.6.3

2012-05-24 Thread nagaraj
IKE_AUTH fails when I try to bring up net-net connection. I have
attached config files, certs for MOON and SUN below. I see that error
message is coming from the function load_cfg_candidates in
src/libcharon/sa/tasks/ike_auth.c. I have used the setup and configs
indicated at the following link
http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/. Please
let me know why it is throwing the error message "no matching peer
config found". Any help is appreciated.

Thanks,
Nagaraj

config files on MOON:
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
    crlcheckinterval=180
    strictcrlpolicy=no
    plutostart=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=no

conn net-net
    left=192.167.21.1
    leftcert=moonCert.pem
    leftid=@localhost
    leftsubnet=192.167.2.0/24
    leftfirewall=no
    right=192.167.21.2
    rightid=@localhost
    rightsubnet=192.167.1.0/24
    auto=add

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA moonKey.pem "testing"

# /etc/strongswan.conf - strongSwan configuration file

charon {
  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
  multiple_authentication = no
}

[root@moon certs]# openssl x509 -in moonCert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 44 (0x2c)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate Master/emailAddress=certmas...@democa.dom
Validity
Not Before: May 24 23:37:15 2012 GMT
Not After : May 24 23:37:15 2014 GMT
Subject: C=SG, ST=CA, O=DemoCA, CN=localhost/emailAddress=ad...@server.example.dom
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E0:C3:F6:51:C6:B2:81:B2:55:51:11:E3:24:77:CD:6D:CC:C0:DE:D3
X509v3 Authority Key Identifier:
keyid:A5:AF:0C:CD:05:BB:28:94:70:33:4E:14:E6:5A:74:09:20:DA:84:3F
Signature Algorithm: sha1WithRSAEncryption
[root@moon certs]#

config files on SUN:
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
    crlcheckinterval=180
    strictcrlpolicy=no
    plutostart=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=no

conn net-net
    left=192.167.21.2
    leftcert=sunCert.pem
    leftid=@localhost
    leftsubnet=192.167.1.0/24
    leftfirewall=no
    right=192.167.21.1
    rightid=@localhost
    rightsubnet=192.167.2.0/24
    auto=add

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA sunKey.pem "testing"

# /etc/strongswan.conf - strongSwan configuration file

charon {
  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
  multiple_authentication = no
}

root@sun:/etc/ipsec.d/certs# openssl x509 -in sunCert.pem -noout -text
Ce
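
As an added check that is not part of the thread (the sample strings reproduce the two net-net definitions above; nothing here is the poster's code), this Python parses each peer's ipsec.conf, merges conn %default into the conn, classifies the leftid/rightid values, and reports where moon's left side and sun's right side disagree:

```python
import ipaddress
import re

# Constructed input: moon's and sun's "conn net-net" from the thread, as the two
# /etc/ipsec.conf files would hold them (added example, not the poster's files).
MOON_CONF = ("conn %default\n  keyexchange=ikev2\n"
             "conn net-net\n  left=192.167.21.1\n  leftid=@localhost\n  leftsubnet=192.167.2.0/24\n"
             "  right=192.167.21.2\n  rightid=@localhost\n  rightsubnet=192.167.1.0/24\n")
SUN_CONF = ("conn %default\n  keyexchange=ikev2\n"
            "conn net-net\n  left=192.167.21.2\n  leftid=@localhost\n  leftsubnet=192.167.1.0/24\n"
            "  right=192.167.21.1\n  rightid=@localhost\n  rightsubnet=192.167.2.0/24\n")


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}; 'conn %default' is merged into every conn."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        head = re.match(r"^(config|conn)\s+(\S+)$", line)
        if head:
            cur = sections.setdefault(head.groups(), {})
        elif cur is None or "=" not in line:
            raise ValueError("not a section header or key=value: %r" % raw)
        else:
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    default = sections.pop(("conn", "%default"), {})
    return {n: {**default, **v} for (kind, n), v in sections.items() if kind == "conn"}


def id_type(value):
    """Simplified ipsec.conf ID classification: '@name' is an FQDN, an IP literal
    is an address ID, and 'X=Y' pairs form a DN."""
    if value.startswith("@"):
        return "fqdn"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "dn" if "=" in value else "fqdn"


def mirror_problems(a, b):
    """For one conn seen from both peers, each side's left* must equal the other's right*."""
    pairs = (("left", "right"), ("leftsubnet", "rightsubnet"), ("leftid", "rightid"))
    return ["%s=%s does not match peer %s=%s" % (lk, x.get(lk), rk, y.get(rk))
            for lk, rk in pairs for x, y in ((a, b), (b, a)) if x.get(lk) != y.get(rk)]
```

For the two definitions above the mirror check returns an empty list, so the address and subnet halves of the conn agree and the lookup failure has to come from something other than a swapped left/right.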

Re: [strongSwan] IKE_AUTH fails with "no matching peer config found" error message in strongswan ver 4.6.3

2012-05-24 Thread nagaraj
I have attached gdb to charon process and set breakpoint at function
load_cfg_candidates( ) to debug this issue. However when I execute
"ipsec up net-net" on SUN, the breakpoint I set on MOON never hits.
Apparently when I ran nm on libcharon.so I do not see the symbol
load_cfg_candidates( ). Does anybody know what is happening in here ?

Regards,
Nagaraj

[root@moon ~]# ldd /usr/local/libexec/ipsec/charon
linux-gate.so.1 =>  (0x0011)
libstrongswan.so.0 => /usr/local/lib/ipsec/libstrongswan.so.0 (0x00111000)
libhydra.so.0 => /usr/local/lib/ipsec/libhydra.so.0 (0x00141000)
libcharon.so.0 => /usr/local/lib/ipsec/libcharon.so.0 (0x00146000)
libm.so.6 => /lib/libm.so.6 (0x005a8000)
libpthread.so.0 => /lib/libpthread.so.0 (0x005da000)
libdl.so.2 => /lib/libdl.so.2 (0x005d3000)
libc.so.6 => /lib/libc.so.6 (0x0044d000)
librt.so.1 => /lib/librt.so.1 (0x006d5000)
/lib/ld-linux.so.2 (0x0042e000)
[root@moon ~]#

[root@moon etc]# ps aux | grep charon
root 29547  0.0  0.1 168148  1872 ?        Ssl  19:14   0:00 /usr/local/libexec/ipsec/charon --use-syslog
root 29566  0.0  0.0   4044   680 pts/2S+   19:14   0:00 grep charon
[root@moon etc]# gdb attach 29547
GNU gdb Red Hat Linux (6.6-35.fc8rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
attach: No such file or directory.
Attaching to process 29547
Reading symbols from /usr/local/libexec/ipsec/charon...done.
Using host libthread_db library "/lib/libthread_db.so.1".
Reading symbols from /usr/local/lib/ipsec/libstrongswan.so.0...done.
Loaded symbols for /usr/local/lib/ipsec/libstrongswan.so.0
Reading symbols from /usr/local/lib/ipsec/libhydra.so.0...done.
Loaded symbols for /usr/local/lib/ipsec/libhydra.so.0
Reading symbols from /usr/local/lib/ipsec/libcharon.so.0...done.
Loaded symbols for /usr/local/lib/ipsec/libcharon.so.0
Reading symbols from /lib/libm.so.6...
warning: Missing the separate debug info file:
/usr/lib/debug/.build-id/92/8ab51a53627c59877a85dd9afecc1619ca866c.debug
done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libpthread.so.0...
warning: Missing the separate debug info file:
/usr/lib/debug/.build-id/6c/1cdbb38ae2a292613c8c31195417ee80ea7e1e.debug
done.
[Thread debugging using libthread_db enabled]
[New Thread -1208505760 (LWP 29547)]
[New Thread -1365857392 (LWP 29563)]
[New Thread -1355367536 (LWP 29562)]
[New Thread -1344877680 (LWP 29561)]
[New Thread -1334387824 (LWP 29560)]
[New Thread -1323897968 (LWP 29559)]
[New Thread -1313408112 (LWP 29558)]
[New Thread -1302918256 (LWP 29557)]
[New Thread -1292428400 (LWP 29556)]
[New Thread -1281938544 (LWP 29555)]
[New Thread -1271448688 (LWP 29554)]
[New Thread -1260958832 (LWP 29553)]
[New Thread -1250468976 (LWP 29552)]
[New Thread -1239979120 (LWP 29551)]
[New Thread -1229489264 (LWP 29550)]
[New Thread -1218999408 (LWP 29549)]
[New Thread -1208509552 (LWP 29548)]
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib/libdl.so.2...
warning: Missing the separate debug info file:
/usr/lib/debug/.build-id/db/a292aff9720bfc3f25c53fa8e469168460a894.debug
done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libc.so.6...
warning: Missing the separate debug info file:
/usr/lib/debug/.build-id/ba/4ea1118691c826426e9410cafb798f25cefad5.debug
done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/librt.so.1...
warning: Missing the separate debug info file:
/usr/lib/debug/.build-id/e3/3448de964a5ca97b70edbdcea227c6ea5d3657.debug
done.
Loaded symbols for /lib/librt.so.1
Reading symbols from /lib/ld-linux.so.2...
warning: Missing the separate debug info file:
/usr/lib/debug/.build-id/ac/2eeb206486bb7315d6ac4cd64de0cb50838ff6.debug
done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-aes.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-aes.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-des.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-des.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-sha1.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-sha1.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-sha2.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-sha2.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-md5.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-md5.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-pem.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-p