Hi Rajeev,

different to the stroke protocol and ipsec.conf where the filename of the certificate gets transferred via the stroke socket and the charon daemon loads the certificate, vici transfers the certificate itself either as a binary DER or a base64-encoded PEM blob. Thus your management application has to load the certificate and transfer it over the vici socket using davici.
Regards

Andreas

On 04.08.2016 05:03, rajeev nohria wrote:
> Thanks Andreas,
>
> It worked, I now started to implement in Davici. I had PSK working in
> Davici. With certificates, I am having following issue during
> parse_certs().
>
> 09[LIB] file coded in unknown format, discarded
> 09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
>
> Corresponding code for Davici is
>
> davici_list_start(r,"certs");
> davici_list_itemf(r,"%s","/usr/local/etc/swanctl/x509/hostCert.pem");
> davici_list_end(r);
>
> I have tried file name with and without path.
>
> certs = hostCert.pem worked in swanctl.conf as attached in previous email.
>
> Do you know what could be issue here? Looks like software is not able to
> recognize the pem format but again it worked when using swanctl.conf file.
>
> Thanks,
> Rajeev
>
> On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen
> <andreas.stef...@strongswan.org> wrote:
>
>> Hi,
>>
>> according to your log, the initiator and responder create their
>> own Root CA certificate and store it locally in
>> /usr/local/etc/swanctl/x509ca. Therefore it is not surprising
>> that no trust into the received host certificate can be established
>> because it has been signed with the private key of a different
>> root CA (although the Distinguished Name of the issuer is the same).
>>
>> Fix: Generate only one private key and matching self-signed
>> Root CA certificate. Use the private Root CA key to sign both
>> initiator and responder host certificates and deploy the Root CA
>> certificate on both hosts.
>>
>> Best regards
>>
>> Andreas
>>
>> On 01.08.2016 21:24, rajeev nohria wrote:
>>>
>>> I was able to establish IKE connection using PSK but when using pubkey I
>>> am not able to establish the IKE connection.
>>>
>>> When I issue sudo swanctl --initiate --child net
>>>
>>> At receptor, it returns the Auth_failed. Please see the swanctl.conf,
>>> strongswan.conf and charon.log.
>>>
>>> Aug 1 12:09:21 12[CFG] <rw|1> no issuer certificate found for "C=US, ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
>>> Aug 1 12:09:21 12[IKE] <rw|1> no trusted RSA public key found for '10.13.199.185'
>>> Aug 1 12:09:21 12[IKE] <rw|1> peer supports MOBIKE
>>> Aug 1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
>>> Aug 1 12:09:21 12[ENC] <rw|1> order payloads in message
>>> Aug 1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
>>> Aug 1 12:09:21 12[ENC] <rw|1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>>>
>>> I used following commands to create certificates.
>>>
>>> Initiator:
>>> -----------
>>>
>>> sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/strongswanKey.pem
>>>
>>> sudo chmod 600 /usr/local/etc/swanctl/rsa/strongswanKey.pem
>>>
>>> sudo ipsec pki --self --ca --in /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US, ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>>>
>>> sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>>>
>>> sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/hostKey.pem
>>>
>>> sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
>>>
>>> sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type rsa | ipsec pki --issue --digest sha256 --cacert /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA, L=Lowell, O=Arris, CN=10.13.199.185" --san 10.13.199.185 pem > /usr/local/etc/swanctl/x509/hostCert.pem
>>>
>>> Receptor:
>>> --------------
>>>
>>> sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/strongswanKey.pem
>>>
>>> sudo chmod 600 /usr/local/etc/swanctl/rsa/strongswanKey.pem
>>>
>>> sudo ipsec pki --self --ca --in /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US, ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>>>
>>> sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>>>
>>> sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/hostKey.pem
>>>
>>> sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
>>>
>>> sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type rsa | ipsec pki --issue --digest sha256 --cacert /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA, L=Lowell, O=Arris, CN=10.13.199.130" --san 10.13.199.130 --outform pem > /usr/local/etc/swanctl/x509/hostCert.pem

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
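The point Andreas makes at the top of the thread, as an added example that is not code from the thread, from davici or from the strongSwan project: the management application must read the certificate file itself and hand vici the certificate bytes, not the path. The davici_list_itemf() call quoted above formats a string, so charon received the path "/usr/local/etc/swanctl/x509/hostCert.pem" as the list item and tried to parse that string as a certificate, which is what "file coded in unknown format, discarded" reports. The example below loads the file, checks that the blob looks like PEM or DER before anything is queued, and, when compiled with -DHAVE_DAVICI and linked against davici, appends the bytes with davici_list_item(), which takes a raw buffer and length. The HAVE_DAVICI guard and the add_cert_blob() helper are mine; the davici function names are used as declared in davici.h, and the certificate path defaults to the one from the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What charon will make of a blob handed over in a vici "certs" list. */
enum blob_kind { BLOB_PEM, BLOB_DER, BLOB_NOT_A_CERT };

/* Pre-flight check before queueing the request. A PEM certificate starts
 * with an armor line, a DER one with the ASN.1 SEQUENCE tag (0x30). A path
 * string such as "/usr/local/etc/swanctl/x509/hostCert.pem" matches
 * neither; that is the input charon reports as "file coded in unknown
 * format, discarded". */
enum blob_kind classify_cert_blob(const unsigned char *buf, size_t len)
{
    static const char pem_hdr[] = "-----BEGIN ";

    if (len >= strlen(pem_hdr) && memcmp(buf, pem_hdr, strlen(pem_hdr)) == 0) {
        return BLOB_PEM;
    }
    if (len >= 2 && buf[0] == 0x30) {
        return BLOB_DER;
    }
    return BLOB_NOT_A_CERT;
}

/* Read a whole file into a malloc'd buffer (caller frees); NULL on error. */
unsigned char *load_file(const char *path, size_t *len_out)
{
    FILE *f = fopen(path, "rb");
    long sz;
    unsigned char *buf;

    if (!f) {
        return NULL;
    }
    if (fseek(f, 0, SEEK_END) != 0 || (sz = ftell(f)) < 0) {
        fclose(f);
        return NULL;
    }
    rewind(f);
    buf = malloc((size_t)sz + 1);  /* +1 so an empty file still gets a buffer */
    if (!buf || fread(buf, 1, (size_t)sz, f) != (size_t)sz) {
        free(buf);
        fclose(f);
        return NULL;
    }
    fclose(f);
    if (len_out) {
        *len_out = (size_t)sz;
    }
    return buf;
}

#ifdef HAVE_DAVICI
#include <davici.h>

/* Append the certificate *bytes* as a "certs" list item of the section the
 * request is currently in (connections.<name>.local for load-conn).
 * davici_list_item() takes a raw buffer, unlike davici_list_itemf(), which
 * only formats a string (and so sent the path in the thread above).
 * Hypothetical helper, not part of davici. */
void add_cert_blob(struct davici_request *r, const unsigned char *blob, size_t len)
{
    davici_list_start(r, "certs");
    davici_list_item(r, blob, (unsigned int)len);
    davici_list_end(r);
}
#endif

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/usr/local/etc/swanctl/x509/hostCert.pem";
    size_t len = 0;
    unsigned char *blob = load_file(path, &len);

    if (!blob) {
        perror(path);
        return 1;
    }
    switch (classify_cert_blob(blob, len)) {
    case BLOB_PEM:
        printf("%s: PEM blob, %zu bytes, suitable for a vici certs item\n", path, len);
        break;
    case BLOB_DER:
        printf("%s: DER blob, %zu bytes, suitable for a vici certs item\n", path, len);
        break;
    default:
        printf("%s: not a certificate blob, charon would discard it\n", path);
        free(blob);
        return 1;
    }
    free(blob);
    return 0;
}
```

Running the check against the path string instead of the file contents reproduces the failure mode from the thread: the bytes of "/usr/local/etc/swanctl/x509/hostCert.pem" classify as BLOB_NOT_A_CERT, while the file's contents classify as PEM. Once the blob passes, the same bytes are what add_cert_blob() hands to davici inside the connections/<name>/local section of a load-conn request.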
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users