Re: [strongSwan] [Strongswan][Error] Loaded 0 Radius server configurations

2013-10-06 Thread Ccf Cloud
Hi Martin,

Thanks for the quick guidance.

On Fri, Oct 4, 2013 at 3:51 PM, Martin Willi mar...@strongswan.org wrote:


> > For my setup all the configurations are read from /usr/local/etc/*.conf.
> >
> > ./configure [...] --with-strongswan-conf
>
> ./configure --help says:
>
>   --with-strongswan-conf=arg
>   set the strongswan.conf file location (default:
>   ${sysconfdir}/strongswan.conf).
>
> So it sets a path. Most likely omitting the argument breaks that. Just
> leave out that option.


Removing the --with-strongswan-conf option works for me. Now I am able to
start ipsec on my gateway machine (Linux box).



> Also, your log shows:
>
> > 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>
> This indicates that your installation uses the ${sysconfdir} /etc,
> not /usr/local/etc.
>
> Regards
> Martin


I've another question. Do you have any sample code for working eap-sim or
eap-aka based authentication from Android? I mean I want my Android device
to be the road-warrior (based on your examples) and my Linux box is the
gateway. My RADIUS server (hostapd based) is hosted on some other machine
which the gateway has access to.

Currently I'm trying to modify libandroidbridge code to do that but I'm
getting a NO_PROPOSAL_CHOSEN error at the IKE_SA_INIT itself. Can you please
help me with this?

Thanks.

--Regards
Sam
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

[strongSwan] [Strongswan][Error] Loaded 0 Radius server configurations

2013-10-04 Thread Ccf Cloud
Hi,

I'm trying to create a secure tunnel between my mobile device (Android) and
a gateway (Linux box). I need an EAP-SIM based authentication with the
radius server. For this I compiled the strongswan library with
--enable-eap-sim, --enable-eap-sim-file and --enable-eap-radius options on
both the Android device and the gateway machine. However when I try ipsec
start --nofork on my gateway machine, the charon daemon starts with the
following error messages:

moon@moon-gw:~/Desktop/strongswan-5.1.0$ sudo ipsec start --nofork
Starting strongSwan 5.1.0 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.1.0, Linux
3.2.0-29-generic, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate C=IN, O=someorg, CN=someorg CA from
'/etc/ipsec.d/cacerts/caCert.der'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG]   loaded crl from '/etc/ipsec.d/crls/crl_moon.der'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/moonKey.der'
00[CFG] sql plugin: database URI not set
00[CFG] read 0 triplets from /etc/ipsec.d/triplets.dat
00[CFG] eap-simaka-sql database URI missing
*00[CFG] loaded 0 RADIUS server configurations*
00[LIB] loaded plugins: charon sqlite pkcs11 aes des rc2 sha1 sha2 md5
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12
pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr
kernel-netlink resolve socket-default stroke updown eap-identity eap-sim
eap-sim-file eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-radius eap-tls
eap-ttls xauth-generic error-notify
00[LIB] unable to load 9 plugin features (7 due to unmet dependencies)
00[JOB] spawning 16 worker threads
charon (15730) started after 40 ms
05[CFG] received stroke: add connection 'rw-eap'
05[CFG]   loaded certificate C=IN, O=someorg, CN=moon from 'moonCert.der'
05[CFG] added configuration 'rw-eap'


Why am I getting this error? I referred to the mailing list archives for this
but could not get any specific help. Also when my Android device tries to
initiate IKE exchanges with the gateway, the gateway throws an error
saying: *loading EAP_RADIUS method failed.*

Can someone please help me with this?


Below is the content of my *strongswan.conf* file:
# strongswan.conf - strongSwan configuration file
charon {
    # number of worker threads in charon
    threads = 16

    # send strongswan vendor ID?
    # send_vendor_id = yes

    load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-raw fips-prf eap-radius eap-sim eap-sim-file updown

    plugins {
        sql {
            # loglevel to log into sql database
            loglevel = -1

            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:password@localhost/database
        }
        eap-radius {
            class_group = yes
            eap_start = yes
            servers {
                primary {
                    address = 10.10.10.2
                    secret = gv6URkSs
                    nas_identifier = moon-gw
                    sockets = 20
                    preference = 99
                }
            }
            #secret = gv6URkSs
            #server = 10.10.10.2
        }
    }

    # ...
}


--Regards
   Sam

Re: [strongSwan] [Strongswan][Error] Loaded 0 Radius server configurations

2013-10-04 Thread Martin Willi
Hi Sam,

> I need an EAP-SIM based authentication with the radius server. For this
> I compiled the strongswan library with --enable-eap-sim,
> --enable-eap-sim-file and --enable-eap-radius options on both the
> Android device and the gateway machine.

If you delegate EAP-SIM authentication to RADIUS, you won't need the
eap-sim plugins on the server. Further, a client never needs the
eap-radius plugin; it does not directly speak RADIUS.

> 00[CFG] loaded 0 RADIUS server configurations

Seems that the plugin can't find your RADIUS configuration in
strongswan.conf.

> load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac
> xcbc stroke kernel-netlink socket-raw fips-prf eap-radius eap-sim
> eap-sim-file updown

You should not explicitly define a load statement. ./configure your
installation with what you need, and let the daemon handle plugin order
and the plugin list.

> Below is the content of my *strongswan.conf* file:

At a first look your gateway strongswan.conf is fine. Please double
check that you are editing the same file as the daemon reads (your
--sysconfdir= matches your strongswan.conf path), and access rights are
ok. Given that your explicit load statement does not throw a warning,
I'd guess that the daemon does not read from the correct file.

Regards
Martin




Re: [strongSwan] [Strongswan][Error] Loaded 0 Radius server configurations

2013-10-04 Thread Ccf Cloud
Hi Martin,

Thanks for the reply. A few follow-up questions:


On Fri, Oct 4, 2013 at 1:20 PM, Martin Willi mar...@strongswan.org wrote:

> Hi Sam,
>
> > I need an EAP-SIM based authentication with the radius server. For this
> > I compiled the strongswan library with --enable-eap-sim,
> > --enable-eap-sim-file and --enable-eap-radius options on both the
> > Android device and the gateway machine.
>
> If you delegate EAP-SIM authentication to RADIUS, you won't need the
> eap-sim plugins on the server. Further, a client never needs the
> eap-radius plugin; it does not directly speak RADIUS.
>
> > 00[CFG] loaded 0 RADIUS server configurations
>
> Seems that the plugin can't find your RADIUS configuration in
> strongswan.conf.


What could be the reason for this?




> > load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac
> > xcbc stroke kernel-netlink socket-raw fips-prf eap-radius eap-sim
> > eap-sim-file updown
>
> You should not explicitly define a load statement. ./configure your
> installation with what you need, and let the daemon handle plugin order
> and the plugin list.


I got that. However even with that I'm getting the same error message.


> > Below is the content of my *strongswan.conf* file:
>
> At a first look your gateway strongswan.conf is fine. Please double
> check that you are editing the same file as the daemon reads (your
> --sysconfdir= matches your strongswan.conf path), and access rights are
> ok. Given that your explicit load statement does not throw a warning,
> I'd guess that the daemon does not read from the correct file.


For my setup all the configurations are read from /usr/local/etc/*.conf. If
it is not reading from here then is there a way to check which path it has
picked up?



> Regards
> Martin


I compiled strongswan with the following configuration options:

./configure --enable-sql --enable-sqlite --enable-eap-sim
--enable-eap-sim-file --enable-eap-aka --enable-eap-aka-3gpp2
--enable-eap-simaka-sql --enable-eap-radius --enable-eap-ttls
--enable-eap-tls --enable-eap-md5 --enable-eap-identity
--enable-eap-mschapv2 --enable-socket-dynamic --enable-integrity-test
--enable-gcrypt --enable-openssl --enable-pkcs11 --enable-libipsec
--with-strongswan-conf

Is there something I'm missing here?



Regards
Sam

Re: [strongSwan] [Strongswan][Error] Loaded 0 Radius server configurations

2013-10-04 Thread Martin Willi

> For my setup all the configurations are read from /usr/local/etc/*.conf.
>
> ./configure [...] --with-strongswan-conf

./configure --help says:

   --with-strongswan-conf=arg
   set the strongswan.conf file location (default:
   ${sysconfdir}/strongswan.conf).

So it sets a path. Most likely omitting the argument breaks that. Just
leave out that option.

Also, your log shows:

> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'

This indicates that your installation uses the ${sysconfdir} /etc,
not /usr/local/etc.

Regards
Martin
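
Added example, not part of the thread and not strongSwan code: the check Martin does by eye above, as a script that derives the effective ${sysconfdir} from the charon startup log and compares it with the strongswan.conf being edited. It assumes the default ${sysconfdir}/strongswan.conf location; the function names and the optional root-prefix argument are hypothetical helpers.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes strongswan.conf sits at the
# default ${sysconfdir}/strongswan.conf (no --with-strongswan-conf override).

# Log lines taken from the startup output posted in the thread.
sample_log() {
    cat <<'EOF'
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loaded 0 RADIUS server configurations
EOF
}

# Print the ${sysconfdir} implied by the "loading ca certificates" line.
sysconfdir_from_log() {
    sed -n "s|.*loading ca certificates from '\(.*\)/ipsec\.d/cacerts'.*|\1|p" "$1" | head -n 1
}

# Print the RADIUS server count charon reported (empty if plugin not loaded).
radius_servers_loaded() {
    sed -n 's/.*loaded \([0-9][0-9]*\) RADIUS server configurations.*/\1/p' "$1" | head -n 1
}

# $1 = charon log, $2 = strongswan.conf being edited,
# $3 = optional filesystem root prefix (hypothetical argument, for testing).
check_conf() {
    dir=$(sysconfdir_from_log "$1")
    [ -n "$dir" ] || { echo "no sysconfdir found in log"; return 2; }
    effective="$dir/strongswan.conf"
    if [ "$effective" != "$2" ]; then
        echo "mismatch: daemon=$effective edited=$2"; return 1
    fi
    [ -r "${3:-}$effective" ] || { echo "unreadable: $effective"; return 1; }
    # Simple presence check only; it does not parse the section.
    grep -q 'eap-radius' "${3:-}$effective" || { echo "no eap-radius section: $effective"; return 1; }
    echo "ok: $effective"
}

# Demo: the poster edited /usr/local/etc/strongswan.conf.
tmp=$(mktemp); sample_log > "$tmp"
echo "servers loaded: $(radius_servers_loaded "$tmp")"
check_conf "$tmp" /usr/local/etc/strongswan.conf || true
rm -f "$tmp"
```
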

