Hello Martin,

as much as I can understand your anger about your broken strongswan configuration, I would like to remind you that you're using *free of charge* software maintained by a number of very, very capable people with *top of the notch* documentation and support. You should treat them with the respect they deserve and compose your mails accordingly. Considering your issue:
On 12/03/2015 04:20 PM, Martin Lund wrote:
> Hello,
>
> Today I started reconfiguring an existing StrongSwan 4.4
> vpn because the certs are about to expire soon.

Are you upgrading your strongswan or sticking to 4.4? If you're sticking to your old version, then why would you think a change of cert encoding is required?

> I was surprised that the current documentation on the strongswan site suggests
> to use some .DER (Binary) certification format:
>
> https://wiki.strongswan.org/projects/1/wiki/SimpleCA

PEM support is available in any strongswan version shipped, as long as the pem plugin is loaded. You will not have to convert to DER for that matter.

> Why is this? Why did you have to change something which was working for years?
> Where do I even see the expiration date of this .der file?
>
> With the old .PEM certificates at least it was obvious because I could set the
> number of days for expiration:
> https://www.strongswan.org/docs/readme4.htm

It seems you totally misunderstand the concept of certificate encoding. PEM and DER are certificate formats (the former is ASCII-armored, the latter binary). Refer to [1]. Otherwise it's simple to employ openssl for a format conversion from PEM to DER and vice versa:

  openssl x509 -inform (pem|der) -in cert -out converted -outform (der|pem)

Even pki itself has tons of options (including pem/der handling and validity options [2]).

> Considering that this .der is identified by unix file as "data", it is junk for
> other devices like routers. How is this any better than .pem?

That's entirely wrong. It's a fact that the 'file' binary does not recognize it as ASN.1 (the encoding of the file), but if you run dumpasn1 [3] on a DER file you will be surprised about the output. I'm not sure if routers consider the file as junk, but why would you store the certificates on a router?
> After replacing the old .pems with .ders and restarting the vpn nodes I got
> id 'blahblah.com' not confirmed by certificate, defaulting to ... message so
> I had to remove the leftid/rightid directives which were just making the config
> more secure, but it did not work even after this...

This warning is issued if the identity configured in strongswan.conf cannot be found in the certificate. If you supply more information to the list, I'm sure that someone will be able to help you.

> On Server:
>
> Dec 3 14:01:08 vpntest1 charon: 14[CFG] no matching peer config found
> Dec 3 14:01:08 vpntest1 charon: 14[IKE] peer supports MOBIKE
> Dec 3 14:01:08 vpntest1 charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>
> On Client:
> Dec 3 14:01:08 vpntest2 charon: 05[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Dec 3 14:01:08 vpntest2 charon: 05[IKE] received AUTHENTICATION_FAILED notify error

Post your configuration along with more log information and the list will be able to inspect your issue. Your log lacks information about IDs and what charon is looking for, so no one will be able to solve your problem based on these sparse infos.

> What no matching peer configuration? The server does not have to have any
> config files, just its own key+cert+cacert.
>
> Please remove this new "der tutorial" from your website asap so people don't
> even see it
> !!!!!!!!!!!!

It's ridiculous to ask for the removal. If you think an important piece of information is missing from the page, then go ahead and add it. It's a wiki after all.

Cheers,
Thomas

P.S.: Calm down!

[1] https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
[2] https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPkiSelf
[3] https://www.cs.auckland.ac.nz/~pgut001/
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
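The PEM-versus-DER point argued in the message above, as an added example that is not code from the strongswan project or from either participant: a stdlib-only Python script that walks the DER TLV structure of an X.509 certificate to read notBefore/notAfter (the "where do I see the expiration date of this .der" question), and that shows PEM is nothing more than base64 of the same DER bytes between header and footer lines. The certificate skeleton it builds is constructed for the example (the real tbsCertificate field order, but empty names and a placeholder signature) so that it runs offline; the parser itself works on any real DER certificate. In day-to-day practice the equivalent one-liner is `openssl x509 -inform der -in cert.der -noout -dates`.

```python
"""PEM <-> DER round trip and validity extraction for X.509, stdlib only.
Added example; not strongswan or openssl code. The sample certificate
below is constructed (unsigned, empty names) purely to exercise the parser."""
import base64
import re
import textwrap
from datetime import datetime, timezone

# --- DER TLV encoding (just enough to build the sample) ---
def der_len(n: int) -> bytes:
    """Short form for < 128, long form (0x8N + N big-endian bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def seq(*parts: bytes) -> bytes:          # SEQUENCE, tag 0x30
    return tlv(0x30, b"".join(parts))

def integer(n: int) -> bytes:             # INTEGER, tag 0x02, two's complement
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)
    return tlv(0x02, body)

def utctime(dt: datetime) -> bytes:       # UTCTime, tag 0x17, YYMMDDhhmmssZ
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

# --- DER TLV decoding ---
def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes):
    """Split a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def parse_time(tag: int, value: bytes) -> datetime:
    # 0x17 = UTCTime (two-digit year), 0x18 = GeneralizedTime (four-digit year)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode(), fmt).replace(tzinfo=timezone.utc)

def cert_validity(der: bytes):
    """Return (notBefore, notAfter) from a DER-encoded X.509 Certificate."""
    tag, cert_body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE; not DER")
    tbs = children(cert_body)[0][1]       # tbsCertificate is the first member
    fields = children(tbs)
    # version is [0] EXPLICIT (tag 0xA0) and optional; validity comes after
    # serialNumber, signature AlgorithmIdentifier and issuer Name.
    idx = 4 if fields[0][0] == 0xA0 else 3
    not_before, not_after = children(fields[idx][1])
    return parse_time(*not_before), parse_time(*not_after)

def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")

def pem_to_der(pem: str) -> bytes:
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))

def looks_like_der_cert(data: bytes) -> bool:
    # DER has no magic string, only the 0x30 SEQUENCE tag, which is why
    # file(1) has little to key on and may just say "data".
    return data[:1] == b"\x30"

def sample_der() -> bytes:
    """Constructed, unsigned certificate skeleton with the real field layout."""
    sha256_rsa = tlv(0x06, bytes.fromhex("2a864886f70d01010b"))   # OID 1.2.840.113549.1.1.11
    rsa_enc = tlv(0x06, bytes.fromhex("2a864886f70d010101"))      # OID 1.2.840.113549.1.1.1
    alg = seq(sha256_rsa, tlv(0x05, b""))                          # AlgorithmIdentifier + NULL
    tbs = seq(
        tlv(0xA0, integer(2)),                                     # version v3
        integer(0x1234),                                           # serialNumber
        alg,                                                       # signature
        seq(),                                                     # issuer (empty for sample)
        seq(utctime(datetime(2015, 12, 3, 14, 1, 8)),              # validity
            utctime(datetime(2016, 12, 2, 14, 1, 8))),
        seq(),                                                     # subject (empty for sample)
        seq(seq(rsa_enc, tlv(0x05, b"")), tlv(0x03, b"\x00")),     # subjectPublicKeyInfo placeholder
    )
    return seq(tbs, alg, tlv(0x03, b"\x00"))                       # signatureValue placeholder

if __name__ == "__main__":
    der = sample_der()
    print("DER starts with SEQUENCE tag:", looks_like_der_cert(der))
    print("notBefore/notAfter:", cert_validity(der))
    print(der_to_pem(der))
    print("PEM round-trips to identical DER:", pem_to_der(der_to_pem(der)) == der)
```

Feeding a real certificate file through `cert_validity(open("cert.der", "rb").read())` or `cert_validity(pem_to_der(open("cert.pem").read()))` gives the same dates either way, which is the point of the reply: the encoding changes the container, not the certificate or its validity period.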
