Re: [strongSwan] config which worked with 4.3.2 does not work with 4.4.0

2010-08-16 Thread Wolfgang Walter
Hi Martin,

On Wednesday, 7 July 2010, Martin Willi wrote:
> Hi Wolfgang,
>
> > loaded plugins: [...] socket-default socket-raw socket-dynamic [...]
>
> Loading all the different socket implementations does not make a lot of
> sense, but it shouldn't harm. Only the first loaded is used. You may try
> to remove the others by specifying
>
>   load = curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp
>   dnskey pem openssl fips-prf xcbc hmac agent gmp attr
>   kernel-netlink socket-default farp stroke updown eap-identity
>   eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp resolve
>   (all on a single line)

I now found time to check that: it works partially:

I found that socket-default or socket-raw works, socket-dynamic does not work.

But socket-default seems to have some problems, though:

* The ipsec-connection breaks after some time.

* If you don't start both sides almost simultaneously, no connection is 
established.

With socket-raw a connection is established and I may restart each side at 
will.

> Do the packets show up in a packet sniffer on biene?

Yes, they did.


Regards,
-- 
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts


___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
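Martin's point above, that charon uses only the first socket plugin it loads, is easy to check mechanically against either the "loaded plugins:" line in the charon log or the `load =` directive in strongswan.conf. The following is an added example written for this thread, not code from the thread or from the strongSwan project. The sample log line and configuration fragment are constructed from the text quoted in this thread (the syslog line is re-joined, since the mail client wrapped it), and the rule "first socket plugin wins" is taken from Martin's reply rather than from the strongSwan source.

```python
import re

# Constructed sample: the "loaded plugins:" line from hummel's charon log in this
# thread, re-joined onto one line as syslog writes it.
SAMPLE_LOG = (
    "Jun 29 23:58:54 hummel charon: 00[DMN] loaded plugins: curl ldap aes des sha1 "
    "sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl fips-prf xcbc hmac "
    "agent gmp attr kernel-netlink socket-default socket-raw socket-dynamic farp "
    "stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp resolve"
)

# Constructed sample: a charon section carrying the load directive Martin suggested.
SAMPLE_CONF = """\
charon {
    threads = 16
    # only one socket implementation listed
    load = curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl fips-prf xcbc hmac agent gmp attr kernel-netlink socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp resolve
}
"""

# The three socket implementations named in this thread.
SOCKET_PLUGINS = ("socket-default", "socket-raw", "socket-dynamic")


def plugins_from_log(text):
    """Return the plugin names from the first 'loaded plugins:' line of a charon log."""
    for line in text.splitlines():
        m = re.search(r"loaded plugins:\s*(.*)$", line)
        if m:
            return m.group(1).split()
    return []


def load_directive_from_conf(text):
    """Return the plugins named by 'load =' directly inside the charon { } section.

    strongswan.conf uses '#' comments and 'name { ... }' sections; nested sections
    such as plugins { sql { ... } } are skipped by tracking the brace depth.
    """
    section = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            if depth == 0:
                section = line[:-1].strip()
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth == 0:
                section = None
            continue
        if section == "charon" and depth == 1:
            key, _, value = line.partition("=")
            if key.strip() == "load":
                return value.split()
    return []


def check_socket_plugins(plugins):
    """Report the socket plugins present and which one charon would actually use.

    Assumption taken from Martin Willi's reply in this thread: when several socket
    plugins are loaded, only the first one in the list is used.
    """
    present = [p for p in plugins if p in SOCKET_PLUGINS]
    effective = present[0] if present else None
    notes = []
    if not present:
        notes.append("no socket plugin loaded: charon cannot send or receive IKE packets")
    if len(present) > 1:
        notes.append("several socket plugins loaded; only %r is used, drop the others"
                     % effective)
    return {"present": present, "effective": effective, "notes": notes}


if __name__ == "__main__":
    print("from log:  ", check_socket_plugins(plugins_from_log(SAMPLE_LOG)))
    print("from conf: ", check_socket_plugins(load_directive_from_conf(SAMPLE_CONF)))
```

Run against a real system by reading `/var/log/syslog` (or `journalctl -u strongswan`) into `plugins_from_log` and `/etc/strongswan.conf` into `load_directive_from_conf`; a non-empty `notes` list is what to look at first when both peers send IKE_SA_INIT but neither processes the other's packets.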

Re: [strongSwan] config which worked with 4.3.2 does not work with 4.4.0

2010-07-07 Thread Wolfgang Walter
Hi Martin,

On Wednesday, 7 July 2010, Martin Willi wrote:
> Hi Wolfgang,
>
> > loaded plugins: [...] socket-default socket-raw socket-dynamic [...]
>
> Loading all the different socket implementations does not make a lot of
> sense, but it shouldn't harm. Only the first loaded is used. You may try
> to remove the others by specifying
>
>   load = curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp
>   dnskey pem openssl fips-prf xcbc hmac agent gmp attr
>   kernel-netlink socket-default farp stroke updown eap-identity
>   eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp resolve
>   (all on a single line)
>
> in the charon section of strongswan.conf. We usually do not recommend to
> set the load directive manually, but maybe it is necessary for this
> distribution package.

I'll try that.


> Do the packets show up in a packet sniffer on biene?


Yes.

Regards,
-- 
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts



[strongSwan] config which worked with 4.3.2 does not work with 4.4.0

2010-07-06 Thread Wolfgang Walter
Hello,

I have two hosts which are connected via ipsec (transport mode). The setup 
does not work any more with strongswan 4.4.0 (debian-package version 4.4.0-2 
from unstable).

I see that both hosts are sending ikev2 messages to establish a connection but 
they seem to ignore any packet they receive from the other side, they do not 
even log an error.

I use rsa authentication where the public-key is stored in a self-signed 
certificate.

/etc/ipsec.conf is:

=
config setup
    # plutodebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    # nat_traversal=yes
    charonstart=yes
    plutostart=no

conn hummel_biene
    auto=start
    type=transport
    left=10.10.10.2
    leftrsasigkey=%cert
    leftcert=hummelCert.der
    leftfirewall=yes
    right=10.10.10.1
    rightrsasigkey=%cert
    rightcert=bieneCert.der
    rightfirewall=yes
    keyexchange=ikev2
    ike=aes128-sha-modp1536!
    esp=aes128-sha1!
=

/etc/ipsec.secrets on hummel is

=
: RSA /etc/ipsec.d/private/hummelKey.der
=

and on biene

=
: RSA /etc/ipsec.d/private/bieneKey.der
=

The (selfsigned) certs are in /etc/ipsec.d/certs/hummelCert.der 
and /etc/ipsec.d/certs/bieneCert.der

strongswan.conf is

=
# strongswan.conf - strongSwan configuration file

charon {

    # number of worker threads in charon
    threads = 16

    # plugins to load in charon
    # load = aes des sha1 md5 sha2 hmac gmp random pubkey xcbc x509 stroke

    plugins {

        sql {
            # loglevel to log into sql database
            loglevel = -1

            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:passw...@localhost/database
        }
    }

    # ...
}

pluto {

    # plugins to load in pluto
    # load = aes des sha1 md5 sha2 hmac gmp random pubkey

}

libstrongswan {

    #  set to no, the DH exponent size is optimized
    #  dh_exponent_ansi_x9_42 = no
}

=


Regards,
-- 
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts



Re: [strongSwan] config which worked with 4.3.2 does not work with 4.4.0

2010-07-06 Thread Wolfgang Walter
On Tuesday, 6 July 2010, Andreas Steffen wrote:
> Hi Wolfgang,
>
> I suspect that either the socket_default (IKEv2 only running)
> or socket_raw (IKEv1 and IKEv2 running) plugin is not loaded.
> Could you provide a strongSwan log file?


This is the log from hummel (I made some things anonymous).

The log from biene is analogous.

I checked with tcpdump that both packets were sent and arrived.

===

Jun 29 23:58:54 hummel charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 
4.4.0)
Jun 29 23:58:54 hummel charon: 00[CFG] attr-sql plugin: database URI not set
Jun 29 23:58:54 hummel charon: 00[LIB] plugin 'attr-sql': failed to load - 
attr_sql_plugin_create returned NULL
Jun 29 23:58:54 hummel charon: 00[KNL] listening on interfaces:
Jun 29 23:58:54 hummel charon: 00[KNL]   eth0
Jun 29 23:58:54 hummel charon: 00[KNL] 10.10.10.2
Jun 29 23:58:54 hummel charon: 00[KNL] fe80:::::
Jun 29 23:58:54 hummel charon: 00[KNL]   is0
Jun 29 23:58:54 hummel charon: 00[KNL] ::::::a0a:a02
Jun 29 23:58:54 hummel charon: 00[KNL] fe80::5efe:a0a:a02
Jun 29 23:58:54 hummel charon: 00[CFG] loading ca certificates from 
'/etc/ipsec.d/cacerts'
Jun 29 23:58:54 hummel charon: 00[CFG] loading aa certificates from 
'/etc/ipsec.d/aacerts'
Jun 29 23:58:54 hummel charon: 00[CFG] loading ocsp signer certificates from 
'/etc/ipsec.d/ocspcerts'
Jun 29 23:58:54 hummel charon: 00[CFG] loading attribute certificates from 
'/etc/ipsec.d/acerts'
Jun 29 23:58:54 hummel charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jun 29 23:58:54 hummel charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jun 29 23:58:54 hummel charon: 00[CFG]   loaded RSA private key from 
'/etc/ipsec.d/private/hummelKey.pem'
Jun 29 23:58:54 hummel charon: 00[CFG] sql plugin: database URI not set
Jun 29 23:58:54 hummel charon: 00[LIB] plugin 'sql': failed to load - 
sql_plugin_create returned NULL
Jun 29 23:58:54 hummel charon: 00[CFG] no RADUIS secret defined
Jun 29 23:58:54 hummel charon: 00[CFG] RADIUS plugin initialization failed
Jun 29 23:58:54 hummel charon: 00[LIB] plugin 'eap-radius': failed to load - 
eap_radius_plugin_create returned NULL
Jun 29 23:58:54 hummel charon: 00[CFG] mediation database URI not defined, 
skipped
Jun 29 23:58:54 hummel charon: 00[LIB] plugin 'medsrv': failed to load - 
medsrv_plugin_create returned NULL
Jun 29 23:58:54 hummel charon: 00[CFG] mediation client database URI not 
defined, skipped
Jun 29 23:58:54 hummel charon: 00[LIB] plugin 'medcli': failed to load - 
medcli_plugin_create returned NULL
Jun 29 23:58:54 hummel charon: 00[LIB] plugin 'nm': failed to 
load '/usr/lib/ipsec/plugins/libstrongswan-nm.so' - 
/usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object file: No 
such 
file or directory
Jun 29 23:58:54 hummel charon: 00[CFG] HA config misses local/remote address
Jun 29 23:58:54 hummel charon: 00[LIB] plugin 'ha': failed to load - 
ha_plugin_create returned NULL
Jun 29 23:58:54 hummel charon: 00[DMN] loaded plugins: curl ldap aes des sha1 
sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem openssl 
fips-prf xcbc hmac agent gmp attr kernel-netlink socket-default socket-raw 
socket-dynamic farp stroke updown eap-identity eap-aka eap-md5 
eap-gtc eap-mschapv2 dhcp resolve 
Jun 29 23:58:54 hummel charon: 00[JOB] spawning 16 worker threads
Jun 29 23:58:54 hummel charon: 04[CFG] received stroke: add connection 
'hummel_biene'
Jun 29 23:58:54 hummel charon: 04[CFG]   loaded certificate C=DE, CN=hummel 
from 'hummelCert.pem'
Jun 29 23:58:54 hummel charon: 04[CFG]   id '10.10.10.2' not confirmed by 
certificate, defaulting to 'C=DE, CN=hummel'
Jun 29 23:58:54 hummel charon: 04[CFG]   loaded certificate C=DE, CN=biene 
from 'bieneCert.pem'
Jun 29 23:58:54 hummel charon: 04[CFG]   id '10.10.10.1' not confirmed by 
certificate, defaulting to 'C=DE, CN=biene'
Jun 29 23:58:54 hummel charon: 04[CFG] added configuration 'hummel_biene'
Jun 29 23:58:54 hummel charon: 09[CFG] received stroke: initiate 'hummel_biene'
Jun 29 23:58:54 hummel charon: 09[IKE] initiating IKE_SA hummel_biene[1] to 
10.10.10.1
Jun 29 23:58:54 hummel charon: 09[ENC] generating IKE_SA_INIT request 0 [ SA KE 
No N(NATD_S_IP) N(NATD_D_IP) ]
Jun 29 23:58:54 hummel charon: 09[NET] sending packet: from 10.10.10.2[500] to 
10.10.10.1[500]
Jun 29 23:58:54 hummel charon: 13[CFG] received stroke: add connection 
'hummel_wespe'
Jun 29 23:58:54 hummel charon: 13[CFG]   loaded certificate C=DE, ST=X, 
L=X, O=X, CN=hummel, E=X from 'hummelCert.der'
Jun 29 23:58:54 hummel charon: 13[CFG]   id '10.10.10.2' not confirmed by 
certificate, defaulting to 'C=DE, ST=X, L=X, O=X, 
CN=hummel, E=X'
Jun 29 23:58:54 hummel charon: 13[CFG]   loaded certificate C=DE, ST=X, 
L=X, O=X, CN=wespe, E=X from 'wespeCert.der'
Jun 29 23:58:54 hummel charon: 13[CFG]   id '10.10.10.3' not confirmed by 
certificate,