Re: [strongSwan] x509 subjectAltName ipaddress not matching

2012-05-25 Thread Shukla, Sanjay
Oops, sorry about that. I will re-validate my configurations.

Thanks,
-sanjay



-Original Message-
From: users-bounces+sanjay.shukla=ipc@lists.strongswan.org 
[mailto:users-bounces+sanjay.shukla=ipc@lists.strongswan.org] On Behalf Of 
Tobias Brunner
Sent: Friday, May 25, 2012 11:15 AM
To: users@lists.strongswan.org
Subject: Re: [strongSwan] x509 subjectAltName ipaddress not matching

Hi Sanjay,

> On 10.204.74.189
> config setup
> uniqueids=replace
> plutostart=no
> charonstart=yes
> #Below Are The Configuration for CCM_CCM IPSec Tunnel conn
> LocalIP_LocalIP_10.204.74.188
> left=10.204.74.189
> leftcert=ServLcl.pem
> leftsendcert=yes
> leftupdown=/opt/ipc/security/ipsectunnel/raiseAlarm_ipsec.sh
> right=10.204.74.188
> rightid=10.204.74.189

Your typo here -^^^

> keyexchange=ikev2
> type=transport
> reauth=no
> dpddelay=5s
> dpdaction=restart
> keyingtries=%forever
> auto=route

Regards,
Tobias

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users



Re: [strongSwan] configuration error when trying to use --enable-curl

2012-05-25 Thread Yong Choo

Thank You.

When I used LDFLAGS to point to the proper directory, the following 
problem is now seen during configuration:

Perhaps there is a "bug", or some other mechanism that I'm not aware of?
(Note that 
LDFLAGS=/local/user_data/mkpne_yhc_yhc_ltefdd_la6.0_112784/eccm/build/INSTALL_STAGE/curl-7.25.0/usr/local/li) 



configure:5989: $? = 1
configure:6009: checking whether the C compiler works
configure:6031: powerpc-wrs-linux-gnu-ppc_e500v2-glibc_cgl-gcc -g -O2 
-fomit-frame-pointer -D__USE_STRING_INLINES -pipe -DDEBUG_LEVEL=3  
/local/user_data/mkpne_yhc_yhc_ltefdd_la6.0_112784/eccm/build/INSTALL_STAGE/curl-7.25.0/usr/local/lib
 conftest.c>&5
/local/user_data/mkpne_yhc_yhc_ltefdd_la6.0_112784/eccm/build/INSTALL_STAGE/curl-7.25.0/usr/local/lib:
 file not recognized: Is a directory
collect2: ld returned 1 exit status




On 5/25/2012 9:01 AM, Martin Willi wrote:
>> Do you mean that strongswan needs this libcurl.so when "curl" plugin
>> is loaded at runtime?
>
> Yes.
>
>> If so, then where should this libcurl.so be located at run time, e.g.
>> as a part of all other strongswan's .so file location?
>
> Wherever your dynamic linker looks for shared libraries,
> usually /usr/lib, maybe /usr/local/lib. man ld.so and ldconfig for
> details.
>
> Regards
> Martin


Re: [strongSwan] x509 subjectAltName ipaddress not matching

2012-05-25 Thread Tobias Brunner
Hi Sanjay,

> On 10.204.74.189
> config setup
> uniqueids=replace
> plutostart=no
> charonstart=yes
> #Below Are The Configuration for CCM_CCM IPSec Tunnel
> conn LocalIP_LocalIP_10.204.74.188
> left=10.204.74.189
> leftcert=ServLcl.pem
> leftsendcert=yes
> leftupdown=/opt/ipc/security/ipsectunnel/raiseAlarm_ipsec.sh
> right=10.204.74.188
> rightid=10.204.74.189

Your typo here -^^^

> keyexchange=ikev2
> type=transport
> reauth=no
> dpddelay=5s
> dpdaction=restart
> keyingtries=%forever
> auto=route

Regards,
Tobias



[strongSwan] x509 subjectAltName ipaddress not matching

2012-05-25 Thread Shukla, Sanjay
I have the IP address defined in the subjectAltName of the server certificates. 
However, the authentication fails; here are my configs on the peers 
(10.204.74.188 and 10.204.74.189). What is needed for validation of the IP 
address found in the subjectAltName?

On 10.204.74.188

config setup
uniqueids=replace
plutostart=no
charonstart=yes
#Below Are The Configuration for CCM_CCM IPSec Tunnel
conn LocalIP_LocalIP_10.204.74.189
left=10.204.74.188
leftcert=ServLcl.pem
leftsendcert=yes
leftupdown=/opt/ipc/security/ipsectunnel/raiseAlarm_ipsec.sh
right=10.204.74.189
rightid=10.204.74.189
keyexchange=ikev2
type=transport
reauth=no
dpddelay=5s
dpdaction=restart
keyingtries=%forever
auto=route

--
On 10.204.74.189
config setup
uniqueids=replace
plutostart=no
charonstart=yes
#Below Are The Configuration for CCM_CCM IPSec Tunnel
conn LocalIP_LocalIP_10.204.74.188
left=10.204.74.189
leftcert=ServLcl.pem
leftsendcert=yes
leftupdown=/opt/ipc/security/ipsectunnel/raiseAlarm_ipsec.sh
right=10.204.74.188
rightid=10.204.74.189
keyexchange=ikev2
type=transport
reauth=no
dpddelay=5s
dpdaction=restart
keyingtries=%forever
auto=route


logs on 189
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 
07[NET] received packet: from 10.204.74.188[500] to 10.204.74.189[500]
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 
12[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH 
N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 
12[IKE] received cert request for "C=US, ST=CT, L=Fairfield, O=IPC, 
OU=TS-1337911838, CN=http://www.ipc.com";
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 
12[IKE] received end entity cert "C=US, ST=CT, L=Fairfield, O=IPC, 
CN=10.204.74.188"
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 
12[CFG] looking for peer configs matching 
10.204.74.189[10.204.74.189]...10.204.74.188[10.204.74.188]
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 
12[CFG] no matching peer config found
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 
12[IKE] peer supports MOBIKE
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 
12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

--

Logs on 188
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 
15[NET] received packet: from 10.204.74.189[4500] to 10.204.74.188[4500]
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 
15[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH 
N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 
15[IKE] received cert request for "C=US, ST=CT, L=Fairfield, O=IPC, 
OU=TS-1337911838, CN=http://www.ipc.com";
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 
15[IKE] received end entity cert "C=US, ST=CT, L=Fairfield, O=IPC, 
CN=10.204.74.189"
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 
15[CFG] looking for peer configs matching 
10.204.74.188[10.204.74.189]...10.204.74.189[10.204.74.189]
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 
15[CFG] no matching peer config found
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 
15[IKE] peer supports MOBIKE
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 
15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]


Certificate on 189
[root@ffd-ipsec-189 ~]# openssl x509 -in 
/opt/ipc/security/keymgmt/certs/ServLcl.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1337917633 (0x4fbf00c1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CT, L=Fairfield, O=IPC, OU=TS-1337911838, 
CN=http://www.ipc.com
Validity
Not Before: May 25 03:47:13 2012 GMT
Not After : May 24 03:47:13 2019 GMT
   Subject: C=US, ST=CT, L=Fairfield, O=IPC, CN=10.204.74.189
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):

Re: [strongSwan] configuration error when trying to use --enable-curl

2012-05-25 Thread Martin Willi
> Do you mean that strongswan needs this libcurl.so when "curl" plugin
> is loaded at runtime?

Yes.

> If so, then where should this libcurl.so be located at run time, e.g.
> as a part of all other strongswan's .so file location?

Wherever your dynamic linker looks for shared libraries,
usually /usr/lib, maybe /usr/local/lib. man ld.so and ldconfig for
details.

Regards
Martin




Re: [strongSwan] configuration error when trying to use --enable-curl

2012-05-25 Thread Yong Choo

Thank you.
I don't quite understand "as by default it is linked dynamically". Do 
you mean that strongswan needs this libcurl.so when the "curl" plugin is 
loaded at runtime? If so, then where should this libcurl.so be located 
at run time, e.g. as a part of all other strongswan's .so file location?

> But you'll need a dynamic CURL library (libcurl.so), as by
> default it is linked dynamically.

We see the following.

./INSTALL_STAGE/curl-7.25.0/usr/local/lib/libcurl.so


On 5/25/2012 5:26 AM, Martin Willi wrote:
> Hi,
>
>> How do we specify how to find the library for curl (libcurl.a)? I dont
>> think it is --lib
>
> "./configure --help" says:
>
>> LDFLAGS linker flags, e.g. -L  if you have libraries in a
>>  nonstandard directory
>
> Setting LDFLAGS=-L./INSTALL_STAGE/curl-7.25.0/usr/lib during ./configure
> should work. But you'll need a dynamic CURL library (libcurl.so), as by
> default it is linked dynamically.
>
> Regards
> Martin


Re: [strongSwan] IKE_AUTH fails with "no matching peer config found" error message in strongswan ver 4.6.3

2012-05-25 Thread Martin Willi
Hi,

> leftid=@localhost
> rightid=@localhost

These identities don't make much sense. When using certificate
authentication, the peer identities must be contained in the
certificate, either as subject or as subjectAltName.

> 08[CFG]   id 'localhost' not confirmed by certificate, defaulting to
> 'C=SG, ST=CA, O=DemoCA, CN=localhost, E=adm...@server.example.dom'

If the ID is not found in the certificate, the identity gets enforced.

> 10[CFG] looking for peer configs matching
> 192.167.21.2[localhost]...192.167.21.1[C=SG, ST=CA, O=DemoCA,
> CN=localhost, E=ad...@server.example.dom]

The identities won't match to your configuration. Try to use sane peer
identities in your config, either subject DNs or subjectAltNames from
your certificates.

Regards
Martin


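The check Martin describes (a configured peer identity must be confirmed by the certificate's subject DN or a subjectAltName) and the typo Tobias spotted in Sanjay's thread (rightid=10.204.74.189 on host 189, whose peer presents a certificate for 10.204.74.188), as an added Go example that is neither part of the list posts nor strongSwan's own code: it builds a constructed self-signed certificate with the Go standard library, standing in for the ServLcl.pem of host 188, and reports whether a leftid/rightid is backed by it. The certificate contents, the helper names and the simplified DN comparison are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"sort"
	"strings"
	"time"
)

// makeCert builds a self-signed certificate carrying ip as subject CN and as an IP
// subjectAltName: a constructed stand-in for the ServLcl.pem files in the thread.
func makeCert(ip string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // throwaway key for the example
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Country: []string{"US"}, Organization: []string{"IPC"}, CommonName: ip},
		IPAddresses:  []net.IP{net.ParseIP(ip)},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail
	return cert
}

// dnKey sorts a DN's RDNs so "C=US, O=IPC, CN=x" equals Go's reversed "CN=x,O=IPC,C=US".
func dnKey(dn string) string {
	rdns := strings.Split(strings.ReplaceAll(dn, ", ", ","), ",")
	sort.Strings(rdns)
	return strings.Join(rdns, ",")
}

// idConfirmed mirrors the check behind "id ... not confirmed by certificate":
// an IP id must be an IP subjectAltName; any other id must equal the subject DN.
func idConfirmed(cert *x509.Certificate, id string) bool {
	if ip := net.ParseIP(id); ip != nil {
		for _, san := range cert.IPAddresses {
			if san.Equal(ip) {
				return true
			}
		}
		return false
	}
	return dnKey(id) == dnKey(cert.Subject.String())
}
```

With the certificate of host 188, idConfirmed rejects the mistyped id 10.204.74.189 and accepts 10.204.74.188 or the full subject DN, which is exactly the difference between the "no matching peer config found" log lines above and a successful IKE_AUTH.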


Re: [strongSwan] configuration error when trying to use --enable-curl

2012-05-25 Thread Martin Willi
Hi,

> How do we specify how to find the library for curl (libcurl.a)? I dont
> think it is --lib

"./configure --help" says:

> LDFLAGS linker flags, e.g. -L if you have libraries in a
> nonstandard directory 

Setting LDFLAGS=-L./INSTALL_STAGE/curl-7.25.0/usr/lib during ./configure
should work. But you'll need a dynamic CURL library (libcurl.so), as by
default it is linked dynamically.

Regards
Martin

