Re: [strongSwan] Strongswan 5.4 issue using certificates

2016-08-03 Thread Andreas Steffen
Hi Rajeev,

Different from the stroke protocol and ipsec.conf, where the filename
of the certificate gets transferred via the stroke socket and the
charon daemon loads the certificate, vici transfers the certificate
itself, either as a binary DER or a base64-encoded PEM blob. Thus
your management application has to load the certificate and transfer
it over the vici socket using davici.

Regards

Andreas

On 04.08.2016 05:03, rajeev nohria wrote:
> Thanks Andreas,
> 
> It worked, I now started to implement in Davici. I had PSK working in
> Davici. With certificates, I am having the following issue during
> parse_certs().
> 
> 09[LIB]   file coded in unknown format, discarded
> 09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
> 
> 
> 
> The corresponding Davici code is
> davici_list_start(r,"certs");
>
> davici_list_itemf(r,"%s","/usr/local/etc/swanctl/x509/hostCert.pem");
> davici_list_end(r);
> 
> 
> I have tried the file name with and without the path.
> 
> certs = hostCert.pem worked in swanctl.conf as attached in previous email.  
> 
> 
> Do you know what could be the issue here? It looks like the software is not
> able to recognize the PEM format, but again it worked when using the swanctl.conf file.
> 
> Thanks,
> Rajeev
> 
> 
> On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen
> <andreas.stef...@strongswan.org> wrote:
> 
> Hi,
> 
> according to your log, the initiator and responder create their
> own Root CA certificate and store it locally in
> /usr/local/etc/swanctl/x509ca. Therefore it is not surprising
> that no trust into the received host certificate can be established
> because it has been signed with the private key of a different
> root CA (although the Distinguished Name of the issuer is the same).
> 
> Fix: Generate only one private key and matching self-signed
> Root CA certificate. Use the private Root CA key to sign both
> initiator and responder host certificates and deploy the Root CA
> certificate on both hosts.
> 
> Best regards
> 
> Andreas
> 
> On 01.08.2016 21:24, rajeev nohria wrote:
> >
> > I was able to establish an IKE connection using PSK, but when using pubkey I
> > am not able to establish the IKE connection.
> >
> > When I issue sudo swanctl --initiate --child net
> >
> >
> > At the receptor, it returns Auth_failed.  Please see the swanctl.conf,
> > strongswan.conf and charon.log.
> >
> > Aug  1 12:09:21 12[CFG]  no issuer certificate found for "C=US,
> > ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
> > Aug  1 12:09:21 12[IKE]  no trusted RSA public key found for
> > '10.13.199.185'
> > Aug  1 12:09:21 12[IKE]  peer supports MOBIKE
> > Aug  1 12:09:21 12[ENC]  added payload of type NOTIFY to message
> > Aug  1 12:09:21 12[ENC]  order payloads in message
> > Aug  1 12:09:21 12[ENC]  added payload of type NOTIFY to message
> > Aug  1 12:09:21 12[ENC]  generating IKE_AUTH response 1 [
> > N(AUTH_FAILED) ]
> >
> > I used following commands to create certificates.
> >
> > Initiator:
> > ---
> >
> > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> >
> > sudo chmod 600  /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> >
> > sudo ipsec pki --self --ca --in
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
> > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >
> >
> > sudo ipsec pki --print --in 
> /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >
> >
> > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > /usr/local/etc/swanctl/rsa/hostKey.pem
> >
> >
> > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
> >
> >
> >
> > sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type
> > rsa | ipsec pki --issue --digest sha256 --cacert
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA,
> > L=Lowell, O=Arris, CN=10.13.199.185" --san 10.13.199.185 --outform pem >
> > /usr/local/etc/swanctl/x509/hostCert.pem
> >
> >
> > Receptor:
> > --
> >
> > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> > sudo chmod 600  /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> > sudo ipsec pki --self --ca --in
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
> > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >
> > sudo ipsec pki --print --in
> > /usr/lo
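To make Andreas' point concrete: the `certs` list item must carry the certificate bytes, not its path. The following is an added example in Python, not code from the thread, from davici or from strongSwan; it checks that a blob is PEM or DER (rejecting a path, the mistake that produces "file coded in unknown format"), and encodes a `certs` list in the vici wire format (1-byte element type, 1-byte name length, 2-byte big-endian value length, with element types numbered as in the vici protocol description). The sample PEM is constructed and not a real certificate.

```python
import struct

# vici message element types, numbered as in the vici protocol description.
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = range(1, 7)

# Constructed sample standing in for hostCert.pem; the base64 body is not a real certificate.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              b"MIIBxzCCAXACAQAwDQYJKoZIhvcNAQELBQAwLjELMAkGA1UEBhMCVVM=\n"
              b"-----END CERTIFICATE-----\n")

def cert_blob(data):
    """Return bytes usable as a `certs` list item: PEM text or raw DER.
    Anything else, notably a file path, is rejected here instead of by charon."""
    if data.startswith(b"-----BEGIN"):
        return data                       # PEM: base64 body between armor lines
    if data[:1] == b"\x30":
        return data                       # DER: outer ASN.1 SEQUENCE tag
    raise ValueError("not a PEM or DER certificate: %r" % data[:40])

def _name(n):
    return bytes([len(n)]) + n            # element names: 1-byte length prefix

def _value(v):
    return struct.pack(">H", len(v)) + v  # values: 2-byte big-endian length prefix

def encode_certs_list(blobs):
    """Encode `certs = [blob, ...]` as it appears inside a load-conn auth section."""
    out = bytes([LIST_START]) + _name(b"certs")
    for blob in blobs:
        out += bytes([LIST_ITEM]) + _value(blob)
    return out + bytes([LIST_END])

def decode_elements(msg):
    """Walk an encoded vici message and return (type, name?, value?) tuples."""
    items, i = [], 0
    while i < len(msg):
        t, i, fields = msg[i], i + 1, []
        if t in (SECTION_START, KEY_VALUE, LIST_START):   # elements that carry a name
            n = msg[i]
            fields.append(msg[i + 1:i + 1 + n].decode())
            i += 1 + n
        if t in (KEY_VALUE, LIST_ITEM):                   # elements that carry a value
            (ln,) = struct.unpack(">H", msg[i:i + 2])
            fields.append(msg[i + 2:i + 2 + ln])
            i += 2 + ln
        items.append((t, *fields))
    return items
```

Running `decode_elements(encode_certs_list([cert_blob(SAMPLE_PEM)]))` shows the list item carrying the whole PEM text, which is what a davici list item built from the file contents (rather than from the filename) would transmit.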

Re: [strongSwan] Strongswan 5.4 issue using certificates

2016-08-03 Thread rajeev nohria
Thanks Andreas,

It worked, I now started to implement in Davici. I had PSK working in
Davici. With certificates, I am having the following issue during
parse_certs().

09[LIB]   file coded in unknown format, discarded
09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders



The corresponding Davici code is
davici_list_start(r,"certs");

davici_list_itemf(r,"%s","/usr/local/etc/swanctl/x509/hostCert.pem");
davici_list_end(r);


I have tried the file name with and without the path.

certs = hostCert.pem worked in swanctl.conf as attached in previous email.


Do you know what could be the issue here? It looks like the software is not
able to recognize the PEM format, but again it worked when using the swanctl.conf file.

Thanks,
Rajeev


On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:

> Hi,
>
> according to your log, the initiator and responder create their
> own Root CA certificate and store it locally in
> /usr/local/etc/swanctl/x509ca. Therefore it is not surprising
> that no trust into the received host certificate can be established
> because it has been signed with the private key of a different
> root CA (although the Distinguished Name of the issuer is the same).
>
> Fix: Generate only one private key and matching self-signed
> Root CA certificate. Use the private Root CA key to sign both
> initiator and responder host certificates and deploy the Root CA
> certificate on both hosts.
>
> Best regards
>
> Andreas
>
> On 01.08.2016 21:24, rajeev nohria wrote:
> >
> > I was able to establish an IKE connection using PSK, but when using pubkey I
> > am not able to establish the IKE connection.
> >
> > When I issue sudo swanctl --initiate --child net
> >
> >
> > At the receptor, it returns Auth_failed.  Please see the swanctl.conf,
> > strongswan.conf and charon.log.
> >
> > Aug  1 12:09:21 12[CFG]  no issuer certificate found for "C=US,
> > ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
> > Aug  1 12:09:21 12[IKE]  no trusted RSA public key found for
> > '10.13.199.185'
> > Aug  1 12:09:21 12[IKE]  peer supports MOBIKE
> > Aug  1 12:09:21 12[ENC]  added payload of type NOTIFY to message
> > Aug  1 12:09:21 12[ENC]  order payloads in message
> > Aug  1 12:09:21 12[ENC]  added payload of type NOTIFY to message
> > Aug  1 12:09:21 12[ENC]  generating IKE_AUTH response 1 [
> > N(AUTH_FAILED) ]
> >
> > I used following commands to create certificates.
> >
> > Initiator:
> > ---
> >
> > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> >
> > sudo chmod 600  /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> >
> > sudo ipsec pki --self --ca --in
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
> > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >
> >
> > sudo ipsec pki --print --in
> /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >
> >
> > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > /usr/local/etc/swanctl/rsa/hostKey.pem
> >
> >
> > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
> >
> >
> >
> > sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type
> > rsa | ipsec pki --issue --digest sha256 --cacert
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA,
> > L=Lowell, O=Arris, CN=10.13.199.185" --san 10.13.199.185 --outform pem >
> > /usr/local/etc/swanctl/x509/hostCert.pem
> >
> >
> > Receptor:
> > --
> >
> > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> > sudo chmod 600  /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> > sudo ipsec pki --self --ca --in
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
> > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >
> > sudo ipsec pki --print --in
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >
> > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > /usr/local/etc/swanctl/rsa/hostKey.pem
> >
> > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
> >
> > sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type
> > rsa | ipsec pki --issue --digest sha256 --cacert
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA,
> > L=Lowell, O=Arris, CN=10.13.199.130" --san 10.13.199.130 --outform pem >
> > /usr/local/etc/swanctl/x509/hostCert.pem
> >
> > ___
> > Users mailing list
> > Users@lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
> >
>
> --
> ==
> Andreas Ste

Re: [strongSwan] kernel-libipsec charon plugin and Android VPN Client

2016-08-03 Thread Noel Kuntze
Hello Brian,

On 03.08.2016 22:51, Brian O'Connor wrote:
> Hello,
> 
> I have recently been doing some tests with an Android tablet version of
> strongSwan.  It appears that the Android app uses the kernel-libipsec
> charon plugin to avoid limitations imposed by the app running in a very
> restricted user environment in the tablet.  My tablet is not rooted.
> 
> What I am seeing on the tablet is that it uses routing table 60, creates
> interface tun0 and some routing policy database rules.  My tablet will
> not let me access the iptables or ip xfrm commands. This is why I
> suspect the Android strongSwan app, presumably running in a very
> tightly constrained userspace environment, uses the charon
> kernel-libipsec plugin. Is there a way to access iptables and ip xfrm
> functionality on a non-rooted tablet?
No. libipsec works purely in the charon process (the app).
> 
> Given my assumption above, is it correct that the libipsec plugin
> also does SNAT on outgoing encrypted packets?  The ip rule
> command shows 100: from all fwmark 0x3c lookup 60.
No. It gets packets from the tun device and handles them according to the
policies and states, then sends them out of the socket that is also used to
send the IKE packets.

> 
> The kernel netfilter packet flow diagram at [1] documents how
> IPSec interacts with the xfrm process for IPSec encapsulation
> and decapsulation, and iptables for SNAT.  Is there a diagram
> somewhere that shows how the charon kernel-libipsec plugin
> interacts with diagram [1], please?  I sort of expect the charon
> plugin operates entirely in the application layer, forward path,
> local process, part of this diagram and that it also performs SNAT.
The app (and hence libipsec, too) is a simple application.
> 
> If not, how does a non-rooted Android tablet that cannot use
> iptables to do SNAT and the xfrm process for IPSec processing
> operate, please?
It doesn't do SNAT. The routing table chooses the correct source IP.
No SNAT needed. XFRM is also not needed, because IPsec processing is done in 
the application itself.

> 
> I am not a programmer and have not been able to find much on
> the inner workings of the charon plugin.
> 
> [1] inai.de/images/nf-packet-flow.png
> 
> 
> Regards,
> Brian
> 
> 
> 
>  
> 
> 
> 

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658





[strongSwan] kernel-libipsec charon plugin and Android VPN Client

2016-08-03 Thread Brian O'Connor
Hello,

I have recently been doing some tests with an Android tablet version of
strongSwan.  It appears that the Android app uses the kernel-libipsec
charon plugin to avoid limitations imposed by the app running in a very
restricted user environment in the tablet.  My tablet is not rooted.

What I am seeing on the tablet is that it uses routing table 60, creates
interface tun0 and some routing policy database rules.  My tablet will
not let me access the iptables or ip xfrm commands. This is why I
suspect the Android strongSwan app, presumably running in a very
tightly constrained userspace environment, uses the charon
kernel-libipsec plugin. Is there a way to access iptables and ip xfrm
functionality on a non-rooted tablet?

Given my assumption above, is it correct that the libipsec plugin
also does SNAT on outgoing encrypted packets?  The ip rule
command shows 100: from all fwmark 0x3c lookup 60.

The kernel netfilter packet flow diagram at [1] documents how
IPSec interacts with the xfrm process for IPSec encapsulation
and decapsulation, and iptables for SNAT.  Is there a diagram
somewhere that shows how the charon kernel-libipsec plugin
interacts with diagram [1], please?  I sort of expect the charon
plugin operates entirely in the application layer, forward path,
local process, part of this diagram and that it also performs SNAT.

If not, how does a non-rooted Android tablet that cannot use
iptables to do SNAT and the xfrm process for IPSec processing
operate, please?

I am not a programmer and have not been able to find much on
the inner workings of the charon plugin.

[1] inai.de/images/nf-packet-flow.png


Regards,
Brian



 