Re: [strongSwan] StrongSwan, PSK and Windows 7
Can anyone help me get strongswan going with PSK? My config is below. I see on the router logs (strongswan behind it) that I am making it to the router and the router is passing the connection to the strongswan server, but the VPN is not established. I feel like this is a strongswan config issue. Any help is appreciated.

Sent from my iPhone

On May 22, 2012, at 6:42 PM, Chris Arnold wrote:

> I have given up on ikev2 with certs and have turned my attention to psk. Here is the ipsec.conf file:
>
> config setup
>         # plutodebug=all
>         crlcheckinterval=600
>         strictcrlpolicy=no
>         # cachecrls=yes
>         nat_traversal=yes
>         # charonstart=no
>         plutostart=no
>
>         # Add connections here.
>
> conn %default
>         ikelifetime=28800s
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         authby=secret
>         keyexchange=ikev2
>         mobike=no
>
> conn rclients
>         left=%defaultroute
>         #leftcert=ChrisACert.pem
>         #leftid=
>         leftsubnet=192.168.1.0/24
>         right=%any
>         #rightsourceip=192.168.1.0/24
>         auto=add
>
> conn teknerds
>         left=%defaultroute
>         leftcert=moonCert.pem
>         leftsubnet=192.168.1.0/24
>         #leftid="dn name"
>         #leftfirewall=yes
>         right=moon public ip
>         rightsubnet=192.168.123.0/24
>         rightcert=sunCert.pem
>         rightid="un dn"
>         auto=add
>
> Is there a wiki for the strongswan config and windows 7 config? I get an error 789 on the windows side.
>
> Here is the ipsec.secrets file:
>
> #@192.168.123.1 @moon.com : PSK secret (not sure why this is here?)
> : RSA moonKey.pem
>
> 192.168.1.40 : PSK secret

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
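An added configuration example, not from the thread and not the strongSwan project's own: the posted PSK conn next to a conn the built-in Windows 7 client can actually use. The Windows 7 IKEv2 client authenticates with a machine certificate or with EAP (EAP-MSCHAPv2); it has no pre-shared-key mode for IKEv2, and error 789 is the client's L2TP/IPsec failure code (L2TP/IPsec uses IKEv1, which this setup disables with plutostart=no). The replacement below keeps the posted conn's name and subnet; the server name vpn.example.org (which must appear as a subjectAltName in moonCert.pem, because Windows checks the certificate against the host name typed into the client), the client pool 10.10.10.0/24 and the user alice are placeholders. It needs charon built with the eap-mschapv2 and eap-identity plugins.

```
# Posted conn: PSK for any peer. The Windows 7 IKEv2 client cannot use it,
# because it offers no pre-shared-key authentication.
conn rclients
        keyexchange=ikev2
        authby=secret
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        right=%any
        auto=add

# Replacement: the server proves itself with its certificate, the client
# with an EAP-MSCHAPv2 username/password. vpn.example.org, 10.10.10.0/24 and
# alice are placeholders (assumptions, not values from the thread).
conn rclients-win7
        keyexchange=ikev2
        left=%defaultroute
        leftcert=moonCert.pem
        leftid=@vpn.example.org
        leftauth=pubkey
        leftsubnet=192.168.1.0/24
        right=%any
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=%any
        rightsourceip=10.10.10.0/24
        auto=add

# ipsec.secrets for the replacement conn
: RSA moonKey.pem
alice : EAP "alice-password"
```

The pool in rightsourceip is deliberately outside leftsubnet, unlike the commented-out rightsourceip=192.168.1.0/24 in the post, so that the client addresses do not collide with the protected network. The CA that issued moonCert.pem has to be installed in the Windows machine certificate store for the client to accept the server.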
Re: [strongSwan] StrongSwan, PSK and Windows 7
Hi Chris,

On Thursday, 24. May 2012 17:05:46 Chris Arnold wrote:
> Can anyone help me get strongswan going with PSK? My config is below. I
> see on the router logs (strongswan behind it) that I am making it to the
> router and the router is passing the connection to the strongswan server
> but the VPN is not established. I feel like this is a strongswan config
> issue. Any help is appreciated.

It might help if you post the relevant strongswan log messages.

Thomas
Re: [strongSwan] StrongSwan, PSK and Windows 7
Hi Thomas,

> Hi Chris,
>
> It might help if you post the relevant strongswan log messages.

I meant to say, the charon log does not show any relevant logs. Maybe I need to set the debug level to something different? Now, debug is in the strongswan.conf file.
[strongSwan] configuration error when trying to use --enable-curl
Hi,

We are trying to have the --enable-curl plugin be a part of the image using cross-compilation for PowerPC (not the native Linux host).

We have downloaded the latest curl version from http://curl.haxx.se/download.html

We were able to compile and generate a libcurl.a in ./INSTALL_STAGE/curl-7.25.0/usr/lib/libcurl.a

We tried to compile strongswan, but in the 'configure' stage we get the following error:

configure:15423: checking for main in -lcurl
configure:15442: powerpc-wrs-linux-gnu-ppc_e500v2-glibc_cgl-gcc -o conftest -g -O2 -fomit-frame-pointer -D__USE_STRING_INLINES -pipe -DDEBUG_LEVEL=3 conftest.c -lcurl >&5
/vobs/ngp_windriver/windriver_pne2.0/gnu/4.1-wrlinux-2.0/x86-linux2/bin/../lib/gcc/powerpc-wrs-linux-gnu/4.1.2/../../../../powerpc-wrs-linux-gnu/bin/ld: cannot find -lcurl

How do we specify how to find the library for curl (libcurl.a)? I don't think it is --lib.

(I tried to build strongswan on the native Linux host machine and everything is fine.)

Thanks in advance,
-Yong Choo
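An added example, not from the thread and not strongSwan's build system: the linker line above fails because the cross toolchain searches only its own sysroot, so the staged libcurl.a has to be named through the standard configure variables (LDFLAGS for the search path, CPPFLAGS for the headers, LIBS for what a static libcurl.a itself needs). The function below assembles those arguments and refuses to proceed when the archive is not where the post says it is. The staging prefix and the powerpc-wrs-linux-gnu host triplet are assumptions taken from the post.

```shell
#!/bin/sh
# Added example (not strongSwan's code): configure arguments that point the
# "checking for main in -lcurl" link test at a cross-compiled libcurl.a that
# was installed into a staging directory.

# Print one configure argument per line for a staged curl prefix laid out as
# $1/lib/libcurl.a and $1/include/curl/curl.h.
#   $1 = staging prefix (e.g. ./INSTALL_STAGE/curl-7.25.0/usr)
#   $2 = host triplet for the cross toolchain (assumed from the post)
#   $3 = libraries the static libcurl.a was built against, e.g. "-lssl -lcrypto -lz"
# Returns 1 when the archive is missing, since -L alone cannot fix that.
curl_configure_args() {
    stage=$1
    host=${2:-powerpc-wrs-linux-gnu}
    deps=$3
    if [ ! -f "$stage/lib/libcurl.a" ]; then
        echo "no $stage/lib/libcurl.a: the -lcurl test will keep failing" >&2
        return 1
    fi
    # A static archive carries no record of the libraries it depends on, so
    # they must be passed in LIBS; otherwise the conftest link succeeds in
    # finding libcurl.a and then fails on its unresolved symbols.
    printf '%s\n' \
        "--host=$host" \
        "--enable-curl" \
        "CPPFLAGS=-I$stage/include" \
        "LDFLAGS=-L$stage/lib" \
        "LIBS=$deps"
}

# Typical invocation from the strongSwan source tree (not executed here):
#   STAGE=$PWD/INSTALL_STAGE/curl-7.25.0/usr
#   ./configure --host=powerpc-wrs-linux-gnu --enable-curl \
#       CPPFLAGS=-I$STAGE/include LDFLAGS=-L$STAGE/lib LIBS="-lssl -lcrypto -lz"
# If the check still fails, config.log holds the complete linker error.
```

Whatever libcurl was configured with (OpenSSL, zlib, and so on) has to be cross-compiled and listed in LIBS as well; config.log, not the configure summary, shows which symbol the link test tripped over.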
[strongSwan] IKE_AUTH fails with "no matching peer config found" error message in strongswan ver 4.6.3
IKE_AUTH fails when I try to bring up the net-net connection. I have attached the config files and certs for MOON and SUN below. I see that the error message is coming from the function load_cfg_candidates in src/libcharon/sa/tasks/ike_auth.c. I have used the setup and configs indicated at the following link: http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/. Please let me know why it is throwing the error message "no matching peer config found". Any help is appreciated.

Thanks,
Nagaraj

config files on MOON:

ipsec.conf =

config setup
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no

conn net-net
        left=192.167.21.1
        leftcert=moonCert.pem
        leftid=@localhost
        leftsubnet=192.167.2.0/24
        leftfirewall=no
        right=192.167.21.2
        rightid=@localhost
        rightsubnet=192.167.1.0/24
        auto=add

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA moonKey.pem "testing"

# /etc/strongswan.conf - strongSwan configuration file

charon {
        load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
        multiple_authentication = no
}

[root@moon certs]# openssl x509 -in moonCert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 44 (0x2c)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=SG, ST=CA, O=DemoCA, CN=DemoCA Certificate Master/emailAddress=certmas...@democa.dom
        Validity
            Not Before: May 24 23:37:15 2012 GMT
            Not After : May 24 23:37:15 2014 GMT
        Subject: C=SG, ST=CA, O=DemoCA, CN=localhost/emailAddress=ad...@server.example.dom
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c8:f8:21:05:4e:b6:ea:43:28:ee:aa:3f:0a:72:
                    39:39:f1:1b:f9:a2:79:50:39:5b:09:a9:c9:00:e2:
                    76:39:07:1f:8a:83:9b:74:26:74:81:ba:be:73:14:
                    01:bb:76:44:a8:9f:48:13:2b:c5:e4:9b:41:78:75:
                    5b:e5:e2:06:cf:d2:c6:49:5b:f7:1f:d1:4a:2f:d2:
                    bb:35:c8:d9:36:e3:0a:60:c5:b0:a6:58:56:3e:fc:
                    c0:da:a6:7d:09:94:9e:da:2c:e2:e3:6e:27:3a:4a:
                    43:f8:0e:f4:6f:9a:95:86:0e:f0:5d:83:ce:6f:f0:
                    6f:af:c8:55:ba:cf:8d:26:df
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                E0:C3:F6:51:C6:B2:81:B2:55:51:11:E3:24:77:CD:6D:CC:C0:DE:D3
            X509v3 Authority Key Identifier:
                keyid:A5:AF:0C:CD:05:BB:28:94:70:33:4E:14:E6:5A:74:09:20:DA:84:3F
    Signature Algorithm: sha1WithRSAEncryption
        5a:dc:47:41:9e:c9:65:d6:33:36:e8:b1:0b:72:4b:ed:b5:a5:
        3d:ea:73:1f:3c:e6:f4:93:54:33:dc:37:90:eb:b8:49:23:2e:
        79:06:30:e9:a2:4c:4f:46:8f:1f:24:14:13:c1:45:80:1a:fb:
        ea:59:68:a7:be:22:59:1d:94:9d:47:0d:d0:0e:fc:22:f2:63:
        44:db:f8:cf:a3:df:bd:36:16:dd:bb:b4:22:fa:63:ee:39:cf:
        65:5f:b0:2e:72:c7:ba:f0:6c:67:63:84:6e:96:42:36:eb:03:
        fb:63:7b:32:75:17:cd:60:5c:b5:7b:a3:29:ff:64:54:93:d5:
        68:e9:39:3a:03:3b:6d:b7:16:e2:89:a9:c9:24:60:e7:0a:bb:
        44:c1:d8:ce:50:7a:80:be:ca:6b:33:b2:c5:68:77:72:c8:28:
        0d:0f:aa:3c:7e:f7:01:7c:e2:7a:d4:83:27:8a:54:aa:22:a4:
        63:6b:37:f8:60:eb:5f:70:e4:1b:54:0f:ee:09:ff:55:cb:44:
        96:24:3e:6f:60:12:e1:31:45:c1:8e:6c:bc:f5:eb:81:f1:39:
        50:58:b6:9c:f3:1d:76:8e:c5:ae:83:a4:b3:c1:66:e2:13:e5:
        ab:64:29:08:b3:4f:5e:10:31:69:aa:ff:73:7b:a6:af:bd:da:
        a3:8d:e1:38
[root@moon certs]#

config files on SUN:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no

conn net-net
        left=192.167.21.2
        leftcert=sunCert.pem
        leftid=@localhost
        leftsubnet=192.167.1.0/24
        leftfirewall=no
        right=192.167.21.1
        rightid=@localhost
        rightsubnet=192.167.2.0/24
        auto=add

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA sunKey.pem "testing"

# /etc/strongswan.conf - strongSwan configuration file

charon {
        load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
        multiple_authentication = no
}

root@sun:/etc/ipsec.d/certs# openssl x509 -in sunCert.pem -noout -text
Ce
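An added check, not part of the thread and not strongSwan's own code, for the identity problem visible in the configuration above: both sides set leftid=@localhost and rightid=@localhost, but moonCert.pem carries neither a subjectAltName nor a subject DN of that form (its subject is the DN C=SG, ST=CA, O=DemoCA, CN=localhost, E=...). strongSwan 4.x with the stroke backend replaces a leftid the certificate does not confirm with the certificate's subject DN (charon logs "id ... not confirmed by certificate, defaulting to ..."), and that DN is what the peer receives as IDi/IDr; the peer's rightid then has to equal the DN, or IKE_AUTH stops with "no matching peer config found". The script parses `openssl x509 -noout -text` output and an ipsec.conf to predict the identity each side will really send and whether the other side's rightid matches it. The certificate texts are constructed: MOON's subject copies the thread (with an invented e-mail address), SUN's certificate is invented outright, since its dump is cut off on the page.

```shell
#!/bin/sh
# Added example, not strongSwan's code: predict which leftid/rightid values a
# pair of net-net conns can get past IKE_AUTH, from `openssl x509 -noout
# -text` output. Rule modelled (strongSwan 4.x, stroke backend): a leftid that
# is neither the certificate's subject DN nor one of its subjectAltNames is
# replaced by the subject DN, and the peer's rightid must equal whatever is
# actually sent. Inputs below are constructed (MOON's subject from the
# thread with an invented e-mail address; SUN's certificate invented).

# Every identity a certificate confirms, one per line, in ipsec.conf notation:
# the subject DN first (emailAddress shown as E=, as strongSwan prints it),
# then the subjectAltNames (DNS:x -> @x, email:x -> x, IP Address:x -> x).
cert_ids() { # $1: file holding `openssl x509 -noout -text` output
    awk '
    /^ *Subject:/ {
        sub(/^ *Subject: */, ""); sub(/\/emailAddress=/, ", E="); print
    }
    /Subject Alternative Name:/ {
        getline; n = split($0, san, /, */)
        for (i = 1; i <= n; i++) {
            sub(/^ */, "", san[i]); sub(/^DNS:/, "@", san[i])
            sub(/^email:/, "", san[i]); sub(/^IP Address:/, "", san[i])
            print san[i]
        }
    }' "$1"
}

# Value of one key in one conn of an ipsec.conf, quotes stripped (%default is
# not merged; the ids are never set there in the thread's files).
conf_get() { # $1: ipsec.conf, $2: conn name, $3: key
    awk -v conn="$2" -v key="$3" '
    /^conn / { cur = $2 }
    cur == conn {
        line = $0; sub(/^ */, "", line); p = index(line, "=")
        if (p && substr(line, 1, p - 1) == key) {
            v = substr(line, p + 1); gsub("^ *\"?|\"? *$", "", v); print v; exit
        }
    }' "$1"
}

# Identity charon will actually send for a conn: leftid when the certificate
# confirms it, otherwise the certificate's subject DN.
effective_id() { # $1: ipsec.conf, $2: conn, $3: cert text file
    id=$(conf_get "$1" "$2" leftid)
    if [ -n "$id" ] && cert_ids "$3" | grep -qxF -- "$id"; then
        printf '%s\n' "$id"
    else
        cert_ids "$3" | head -n 1
    fi
}

# 0 when this side's rightid equals what the peer will send; otherwise 1 and
# the complaint charon would log.
peer_id_matches() { # $1: my conf, $2: conn, $3: peer conf, $4: peer cert text
    want=$(conf_get "$1" "$2" rightid)
    have=$(effective_id "$3" "$2" "$4")
    [ "$want" = "$have" ] && return 0
    echo "rightid '$want' != peer id '$have': no matching peer config found" >&2
    return 1
}

# Constructed inputs mirroring the thread: leftid=rightid=@localhost on both
# sides, MOON's certificate without a subjectAltName.
WORK=$(mktemp -d)
cat > "$WORK/moon.conf" <<'EOF'
conn net-net
    left=192.167.21.1
    leftcert=moonCert.pem
    leftid=@localhost
    right=192.167.21.2
    rightid=@localhost
EOF
sed 's/^    left=.*/    left=192.167.21.2/; s/^    right=.*/    right=192.167.21.1/; s/moonCert/sunCert/' \
    "$WORK/moon.conf" > "$WORK/sun.conf"
cat > "$WORK/moon.txt" <<'EOF'
Certificate:
        Subject: C=SG, ST=CA, O=DemoCA, CN=localhost/emailAddress=admin@moon.example
EOF
cat > "$WORK/sun.txt" <<'EOF'
Certificate:
        Subject: C=SG, ST=CA, O=DemoCA, CN=sun.example
            X509v3 Subject Alternative Name:
                DNS:sun.example, email:admin@sun.example
EOF

# As posted: MOON expects @localhost, but SUN sends its subject DN.
peer_id_matches "$WORK/moon.conf" net-net "$WORK/sun.conf" "$WORK/sun.txt" || true
```

Two ways out follow from the check: drop leftid on both sides and set each rightid to the other side's subject DN as `ipsec listcerts` prints it, or issue certificates whose subjectAltName carries the FQDN you want to use as the id (then @localhost on both sides still names two different hosts identically, which is confusing but not fatal). The script compares DN strings textually; charon compares them structurally, so a rightid written with different spacing is accepted by charon even though this script flags it.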
Re: [strongSwan] IKE_AUTH fails with "no matching peer config found" error message in strongswan ver 4.6.3
I have attached gdb to the charon process and set a breakpoint at the function load_cfg_candidates() to debug this issue. However, when I execute "ipsec up net-net" on SUN, the breakpoint I set on MOON never hits. Apparently, when I ran nm on libcharon.so I do not see the symbol load_cfg_candidates(). Does anybody know what is happening here?

Regards,
Nagaraj

[root@moon ~]# ldd /usr/local/libexec/ipsec/charon
        linux-gate.so.1 =>  (0x0011)
        libstrongswan.so.0 => /usr/local/lib/ipsec/libstrongswan.so.0 (0x00111000)
        libhydra.so.0 => /usr/local/lib/ipsec/libhydra.so.0 (0x00141000)
        libcharon.so.0 => /usr/local/lib/ipsec/libcharon.so.0 (0x00146000)
        libm.so.6 => /lib/libm.so.6 (0x005a8000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x005da000)
        libdl.so.2 => /lib/libdl.so.2 (0x005d3000)
        libc.so.6 => /lib/libc.so.6 (0x0044d000)
        librt.so.1 => /lib/librt.so.1 (0x006d5000)
        /lib/ld-linux.so.2 (0x0042e000)
[root@moon ~]#

[root@moon etc]# ps aux | grep charon
root     29547  0.0  0.1 168148  1872 ?        Ssl  19:14   0:00 /usr/local/libexec/ipsec/charon --use-syslog
root     29566  0.0  0.0   4044   680 pts/2    S+   19:14   0:00 grep charon
[root@moon etc]# gdb attach 29547
GNU gdb Red Hat Linux (6.6-35.fc8rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
attach: No such file or directory.
Attaching to process 29547
Reading symbols from /usr/local/libexec/ipsec/charon...done.
Using host libthread_db library "/lib/libthread_db.so.1".
Reading symbols from /usr/local/lib/ipsec/libstrongswan.so.0...done.
Loaded symbols for /usr/local/lib/ipsec/libstrongswan.so.0
Reading symbols from /usr/local/lib/ipsec/libhydra.so.0...done.
Loaded symbols for /usr/local/lib/ipsec/libhydra.so.0
Reading symbols from /usr/local/lib/ipsec/libcharon.so.0...done.
Loaded symbols for /usr/local/lib/ipsec/libcharon.so.0
Reading symbols from /lib/libm.so.6...
warning: Missing the separate debug info file: /usr/lib/debug/.build-id/92/8ab51a53627c59877a85dd9afecc1619ca866c.debug
done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libpthread.so.0...
warning: Missing the separate debug info file: /usr/lib/debug/.build-id/6c/1cdbb38ae2a292613c8c31195417ee80ea7e1e.debug
done.
[Thread debugging using libthread_db enabled]
[New Thread -1208505760 (LWP 29547)]
[New Thread -1365857392 (LWP 29563)]
[New Thread -1355367536 (LWP 29562)]
[New Thread -1344877680 (LWP 29561)]
[New Thread -1334387824 (LWP 29560)]
[New Thread -1323897968 (LWP 29559)]
[New Thread -1313408112 (LWP 29558)]
[New Thread -1302918256 (LWP 29557)]
[New Thread -1292428400 (LWP 29556)]
[New Thread -1281938544 (LWP 29555)]
[New Thread -1271448688 (LWP 29554)]
[New Thread -1260958832 (LWP 29553)]
[New Thread -1250468976 (LWP 29552)]
[New Thread -1239979120 (LWP 29551)]
[New Thread -1229489264 (LWP 29550)]
[New Thread -1218999408 (LWP 29549)]
[New Thread -1208509552 (LWP 29548)]
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib/libdl.so.2...
warning: Missing the separate debug info file: /usr/lib/debug/.build-id/db/a292aff9720bfc3f25c53fa8e469168460a894.debug
done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libc.so.6...
warning: Missing the separate debug info file: /usr/lib/debug/.build-id/ba/4ea1118691c826426e9410cafb798f25cefad5.debug
done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/librt.so.1...
warning: Missing the separate debug info file: /usr/lib/debug/.build-id/e3/3448de964a5ca97b70edbdcea227c6ea5d3657.debug
done.
Loaded symbols for /lib/librt.so.1
Reading symbols from /lib/ld-linux.so.2...
warning: Missing the separate debug info file: /usr/lib/debug/.build-id/ac/2eeb206486bb7315d6ac4cd64de0cb50838ff6.debug
done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-aes.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-aes.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-des.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-des.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-sha1.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-sha1.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-sha2.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-sha2.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-md5.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-md5.so
Reading symbols from /usr/local/lib/ipsec/plugins/libstrongswan-pem.so...done.
Loaded symbols for /usr/local/lib/ipsec/plugins/libstrongswan-p