Re: [strongSwan] [Strongswan][Error] Loaded 0 Radius server configurations
Hi Martin,

Thanks for the quick guidance.

On Fri, Oct 4, 2013 at 3:51 PM, Martin Willi mar...@strongswan.org wrote:

> > For my setup all the configurations are read from /usr/local/etc/*.conf.
> > ./configure [...] --with-strongswan-conf
>
> ./configure --help says:
>
>   --with-strongswan-conf=arg
>       set the strongswan.conf file location (default: ${sysconfdir}/strongswan.conf).
>
> So it sets a path. Most likely omitting the argument breaks that. Just leave out that option.

Removing the --with-strongswan-conf option works for me. Now I am able to start ipsec on my gateway machine (Linux box).

> Also, your log shows:
>
> > 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>
> This indicates that your installation uses the ${sysconfdir} /etc, not /usr/local/etc.
>
> Regards
> Martin

I've another question. Do you have any sample code for working eap-sim or eap-aka based authentication from Android? I mean I want my Android device to be the road-warrior (based on your examples) and my Linux box is the gateway. My RADIUS server (hostapd based) is hosted on some other machine which the gateway has access to. Currently I'm trying to modify the libandroidbridge code to do that but I'm getting a NO_PROPOSAL_CHOOSEN error at the IKE_SA_INIT itself. Can you please help me with this?

Thanks.

--
Regards
Sam

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
[strongSwan] [Strongswan][Error] Loaded 0 Radius server configurations
Hi,

I'm trying to create a secure tunnel between my mobile device (Android) and a gateway (Linux box). I need an EAP-SIM based authentication with the RADIUS server. For this I compiled the strongswan library with --enable-eap-sim, --enable-eap-sim-file and --enable-eap-radius options on both the Android device and the gateway machine.

However, when I try ipsec start --nofork on my gateway machine, the charon daemon starts with the following error messages:

moon@moon-gw:~/Desktop/strongswan-5.1.0$ sudo ipsec start --nofork
Starting strongSwan 5.1.0 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.1.0, Linux 3.2.0-29-generic, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate C=IN, O=someorg, CN=someorg CA from '/etc/ipsec.d/cacerts/caCert.der'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG]   loaded crl from '/etc/ipsec.d/crls/crl_moon.der'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/moonKey.der'
00[CFG] sql plugin: database URI not set
00[CFG] read 0 triplets from /etc/ipsec.d/triplets.dat
00[CFG] eap-simaka-sql database URI missing
*00[CFG] loaded 0 RADIUS server configurations*
00[LIB] loaded plugins: charon sqlite pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-sim eap-sim-file eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls xauth-generic error-notify
00[LIB] unable to load 9 plugin features (7 due to unmet dependencies)
00[JOB] spawning 16 worker threads
charon (15730) started after 40 ms
05[CFG] received stroke: add connection 'rw-eap'
05[CFG]   loaded certificate C=IN, O=someorg, CN=moon from 'moonCert.der'
05[CFG] added configuration 'rw-eap'

Why am I getting this error? I referred to the mailing list archives for this but could not get any specific help.

Also, when my Android device tries to initiate IKE exchanges with the gateway, the gateway throws an error saying: *loading EAP_RADIUS method failed.*

Can someone please help me with this?

Below is the content of my *strongswan.conf* file:

# strongswan.conf - strongSwan configuration file

charon {

    # number of worker threads in charon
    threads = 16

    # send strongswan vendor ID?
    # send_vendor_id = yes

    load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-raw fips-prf eap-radius eap-sim eap-sim-file updown

    plugins {

        sql {
            # loglevel to log into sql database
            loglevel = -1

            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:password@localhost/database
        }
        eap-radius {
            class_group = yes
            eap_start = yes
            servers {
                primary {
                    address = 10.10.10.2
                    secret = gv6URkSs
                    nas_identifier = moon-gw
                    sockets = 20
                    preference = 99
                }
            }
            #secret = gv6URkSs
            #server = 10.10.10.2
        }
    }

    # ...
}

--
Regards
Sam
Re: [strongSwan] [Strongswan][Error] Loaded 0 Radius server configurations
Hi Sam,

> I need an EAP-SIM based authentication with the radius server. For this I compiled the strongswan library with --enable-eap-sim, --enable-eap-sim-file and --enable-eap-radius options on both the Android device and the gateway machine.

If you delegate EAP-SIM authentication to RADIUS, you won't need the eap-sim plugins on the server. Further, a client never needs the eap-radius plugin; it does not directly speak RADIUS.

> 00[CFG] loaded 0 RADIUS server configurations

Seems that the plugin can't find your RADIUS configuration in strongswan.conf.

> load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-raw fips-prf eap-radius eap-sim eap-sim-file updown

You should not explicitly define a load statement. ./configure your installation with what you need, and let the daemon handle plugin order and the plugin list.

> Below is the content of my *strongswan.conf* file:

At a first look your gateway strongswan.conf is fine. Please double check that you are editing the same file as the daemon reads (your --sysconfdir= matches your strongswan.conf path), and access rights are ok. Given that your explicit load statement does not throw a warning, I'd guess that the daemon does not read from the correct file.

Regards
Martin
Re: [strongSwan] [Strongswan][Error] Loaded 0 Radius server configurations
Hi Martin,

Thanks for the reply. A few follow-up questions:

On Fri, Oct 4, 2013 at 1:20 PM, Martin Willi mar...@strongswan.org wrote:

> Hi Sam,
>
> > I need an EAP-SIM based authentication with the radius server. For this I compiled the strongswan library with --enable-eap-sim, --enable-eap-sim-file and --enable-eap-radius options on both the Android device and the gateway machine.
>
> If you delegate EAP-SIM authentication to RADIUS, you won't need the eap-sim plugins on the server. Further, a client never needs the eap-radius plugin; it does not directly speak RADIUS.
>
> > 00[CFG] loaded 0 RADIUS server configurations
>
> Seems that the plugin can't find your RADIUS configuration in strongswan.conf.

What could be the reason for this?

> > load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-raw fips-prf eap-radius eap-sim eap-sim-file updown
>
> You should not explicitly define a load statement. ./configure your installation with what you need, and let the daemon handle plugin order and the plugin list.

I got that. However, even with that I'm getting the same error message.

> > Below is the content of my *strongswan.conf* file:
>
> At a first look your gateway strongswan.conf is fine. Please double check that you are editing the same file as the daemon reads (your --sysconfdir= matches your strongswan.conf path), and access rights are ok. Given that your explicit load statement does not throw a warning, I'd guess that the daemon does not read from the correct file.

For my setup all the configurations are read from /usr/local/etc/*.conf. If it is not reading from here then is there a way to check which path it has picked up?

> Regards
> Martin

I compiled strongswan with the following configuration options:

./configure --enable-sql --enable-sqlite --enable-eap-sim --enable-eap-sim-file \
    --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-simaka-sql \
    --enable-eap-radius --enable-eap-ttls --enable-eap-tls --enable-eap-md5 \
    --enable-eap-identity --enable-eap-mschapv2 --enable-socket-dynamic \
    --enable-integrity-test --enable-gcrypt --enable-openssl --enable-pkcs11 \
    --enable-libipsec --with-strongswan-conf

Is there something I'm missing here?

Regards
Sam
Re: [strongSwan] [Strongswan][Error] Loaded 0 Radius server configurations
> For my setup all the configurations are read from /usr/local/etc/*.conf.
> ./configure [...] --with-strongswan-conf

./configure --help says:

  --with-strongswan-conf=arg
      set the strongswan.conf file location (default: ${sysconfdir}/strongswan.conf).

So it sets a path. Most likely omitting the argument breaks that. Just leave out that option.

Also, your log shows:

> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'

This indicates that your installation uses the ${sysconfdir} /etc, not /usr/local/etc.

Regards
Martin
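
The check used in the reply above (reading the daemon's ${sysconfdir} off its own log paths and comparing it with the file being edited), as an added shell example that is not part of the thread or of strongSwan. The function names are hypothetical, and it assumes strongswan.conf sits at its default location, ${sysconfdir}/strongswan.conf.

```shell
#!/bin/sh
# Added example, not strongSwan code. Function names are hypothetical.
# Assumes strongswan.conf sits at its default, ${sysconfdir}/strongswan.conf.

# Sample input: three lines from the charon startup log quoted in the thread.
SAMPLE_LOG="00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded 0 RADIUS server configurations"

# Infer the sysconfdir the running daemon uses from its path log lines (stdin).
sysconfdir_from_log() {
    sed -n -e "s|.*\[CFG\] loading .* from '\(/[^']*\)/ipsec\.d/[^']*'.*|\1|p" \
           -e "s|.*\[CFG\] loading secrets from '\(/[^']*\)/ipsec\.secrets'.*|\1|p" |
        head -n 1
}

# Extract N from "loaded N RADIUS server configurations" (stdin).
radius_servers_loaded() {
    sed -n 's/.*\[CFG\] loaded \([0-9][0-9]*\) RADIUS server configurations.*/\1/p' |
        head -n 1
}

# diagnose <strongswan.conf being edited>, startup log on stdin.
# Prints one verdict line; returns 0 only if the paths agree and N > 0.
diagnose() {
    edited=$1
    log=$(cat)
    dir=$(printf '%s\n' "$log" | sysconfdir_from_log)
    n=$(printf '%s\n' "$log" | radius_servers_loaded)
    if [ -z "$dir" ]; then
        echo "UNKNOWN: no configuration paths found in log"
        return 2
    fi
    if [ "$(dirname "$edited")" != "$dir" ]; then
        echo "MISMATCH: daemon sysconfdir is $dir, edited file is $edited"
        return 1
    fi
    if [ "${n:-0}" -eq 0 ]; then
        echo "EMPTY: $edited is read but 0 RADIUS servers were loaded"
        return 1
    fi
    echo "OK: $n RADIUS server(s) loaded, sysconfdir $dir"
}

# Demo on the thread's log: the file edited under /usr/local/etc is never read.
printf '%s\n' "$SAMPLE_LOG" | diagnose /usr/local/etc/strongswan.conf || true
```

On a live gateway, pipe the output of the daemon start (or the relevant syslog lines) into `diagnose` with the path of the file you are editing.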