[strongSwan] BUG: DN with email
Hi,

I believe I have found a bug with the latest strongswan. I used strongswan-4.3.3 and also the latest git code (commit 333b461aa689c29197dadb2a15abc3ccade0c89a). They both exhibit the same or similar problem.

The problem appears when I add an email address to a certificate DN and then try to use DN matching in strongswan.

This type of DN works:
C=UK, CN=host1

This type of DN doesn't work:
C=UK, CN=host2, e=ho...@somewhere.com

To demonstrate the problem I created a very simple configuration with 2 self-signed certificates, one with an email in the DN and the other without. Then I try to set the leftid to be the same as the DN of the certificate and start ipsec. It only works if I don't have an email set in the DN.

The following was tested using the git commit 333b461aa689c29197dadb2a15abc3ccade0c89a.

# ipsec.conf:
config setup
    strictcrlpolicy=no
    plutostart=no

conn host1
    right=%defaultroute
    leftcert=host1.cert
    leftid=C=UK, CN=host1
    auto=add

conn host2
    right=%defaultroute
    leftcert=host2.cert
    leftid=C=UK, CN=host2, e=ho...@somewhere.com
    auto=add

# ipsec.secrets:
: RSA host1.key
: RSA host2.key

# openssl x509 -in host1.cert -text -noout:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a7:59:91:8d:a2:d8:e7:25
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=UK, CN=host1
        Validity
            Not Before: Aug 18 14:17:23 2009 GMT
            Not After : Aug 18 14:17:23 2010 GMT
        Subject: C=UK, CN=host1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                48:A6:C5:61:A7:97:56:5D:0C:D1:0C:67:EA:C0:1E:BC:51:7F:59:75
            X509v3 Authority Key Identifier:
                keyid:48:A6:C5:61:A7:97:56:5D:0C:D1:0C:67:EA:C0:1E:BC:51:7F:59:75
                DirName:/C=UK/CN=host1
                serial:A7:59:91:8D:A2:D8:E7:25
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption

# openssl x509 -in host2.cert -text -noout:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8f:00:01:8a:0d:5d:0f:42
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=UK, CN=host2/emailaddress=ho...@somewhere.com
        Validity
            Not Before: Aug 18 14:17:02 2009 GMT
            Not After : Aug 18 14:17:02 2010 GMT
        Subject: C=UK, CN=host2/emailaddress=ho...@somewhere.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                52:5E:6A:54:42:DD:90:C8:9E:51:81:99:39:54:67:4E:F5:50:C5:C8
            X509v3 Authority Key Identifier:
                keyid:52:5E:6A:54:42:DD:90:C8:9E:51:81:99:39:54:67:4E:F5:50:C5:C8
                DirName:/C=UK/CN=host2/emailaddress=ho...@somewhere.com
                serial:8F:00:01:8A:0D:5D:0F:42
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm:
[strongSwan] bashism in ipsec script
The ipsec script has the following bashism (line 324 of the ipsec script, git commit 333b461aa689c29197dadb2a15abc3ccade0c89a):

loop=$(($loop - 1))

This doesn't work on my embedded board running busybox msh. I suggest changing the line above to:

loop=`expr $loop - 1`

to make it more portable.

Regards,
Dimitris

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] BUG: DN with email
Yes, it does fix it. Thank you.

I noticed that you committed some more changes related to email OIDs. Are they important? Should I get those too? I am referring to http://wiki.strongswan.org/repositories/revision/strongswan/fc0ed07c1f44d56ac9a5353c23e4cd79ee2594dd.

Regards,
Dimitrios Siganos

Andreas Steffen wrote:

Hi Dimitrios,

yes, you are right. A recent refactoring of the RDN synthesis function introduced a wrong emailAddress OID (there are at least three of them but in most cases the PKCS#9 definition is still used). The following patch should fix your problem:

http://wiki.strongswan.org/repositories/revision/1/c8b543a6fc28bc335212ec69d39cc57f5b0e4095

Best regards
Andreas
Re: [strongSwan] BUG: DN with email
Yes, this is actually the real fix, which was a corruption of the OID tree.

Regards
Andreas

Dimitrios Siganos wrote:

Yes, it does fix it. Thank you. I noticed that you committed some more changes related to email OIDs. Are they important? Should I get those too? I am referring to http://wiki.strongswan.org/repositories/revision/strongswan/fc0ed07c1f44d56ac9a5353c23e4cd79ee2594dd.
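The mismatch Andreas describes, as an added example that is not strongSwan's code: a minimal DER encoder for an X.501 Name, applied to the leftid strings from the thread once with the PKCS#9 emailAddress OID and once with a hypothetical wrong one. The address in the thread is truncated, so host2@example.com is a constructed stand-in, and the OID in the "wrong" table is an assumption, not the one the regression actually emitted.

```python
# Added example (not strongSwan code): DER-encode an X.501 Name with two OID tables, to show
# why a leftid with E= matches the cert subject only when the RDN synthesiser uses the CA's
# emailAddress OID (PKCS#9, 1.2.840.113549.1.9.1).
OIDS_PKCS9 = {"C": "2.5.4.6", "CN": "2.5.4.3", "E": "1.2.840.113549.1.9.1"}
# Hypothetical stand-in for the regression: E mapped to another e-mail OID (RFC 1274
# rfc822Mailbox). The OID the broken code really emitted is not given in the thread.
OIDS_WRONG = dict(OIDS_PKCS9, E="0.9.2342.19200300.100.1.3")

def tlv(tag, body):
    n = len(body)
    if n >= 0x80:  # long-form DER length octets
        n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(n_bytes)]) + n_bytes + body
    return bytes([tag, n]) + body

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_dn(dn, oids):
    """'C=UK, CN=host2, e=a@b' -> DER Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    rdns = b""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        key = key.strip().upper()
        tag = {"C": 0x13, "E": 0x16}.get(key, 0x0C)  # PrintableString, IA5String, UTF8String
        atv = tlv(0x30, encode_oid(oids[key]) + tlv(tag, value.strip().encode()))
        rdns += tlv(0x31, atv)  # one RDN = SET holding a single attribute
    return tlv(0x30, rdns)

def leftid_matches(leftid, subject_der, oids):
    """An ID match boils down to: synthesised Name == certificate subject, byte for byte."""
    return encode_dn(leftid, oids) == subject_der

# Constructed inputs: the address in the thread is truncated, so a sample one is used.
LEFTID_EMAIL = "C=UK, CN=host2, e=host2@example.com"
LEFTID_PLAIN = "C=UK, CN=host1"
SUBJECT_HOST2 = encode_dn(LEFTID_EMAIL, OIDS_PKCS9)  # as the CA wrote it into host2.cert
def demo():
    return (leftid_matches(LEFTID_EMAIL, SUBJECT_HOST2, OIDS_PKCS9),
            leftid_matches(LEFTID_EMAIL, SUBJECT_HOST2, OIDS_WRONG),
            leftid_matches(LEFTID_PLAIN, encode_dn(LEFTID_PLAIN, OIDS_PKCS9), OIDS_WRONG))
```

demo() returns (True, False, True): the table with the wrong OID breaks only the DN that carries an e-mail attribute, which is exactly the symptom reported above (host1 works, host2 does not).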
[strongSwan] unable to allocate SPIs from kernel
Hi,

I am an ipsec beginner. I installed strongswan 4.3.3 on my FC10/FC11 machines and tried to set up a host-host tunnel. But I get the following error. Googling it and searching for it in the strongswan wiki didn't give any results.

[r...@localhost ~]# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 4.3.3 IPsec [starter]...
[r...@localhost ~]# ipsec up host-host
initiating IKE_SA host-host[1] to 10.40.128.14
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.47.20.20[500] to 10.40.128.14[500]
received packet: from 10.40.128.14[500] to 10.47.20.20[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
authentication of 'moon.strongswan.org' (myself) with pre-shared key
establishing CHILD_SA host-host
unable to allocate SPIs from kernel

Can someone please help me? I tried rebuilding the kernel with the ipsec options mentioned in the doc, but I still see the error.

Thanks.