[strongSwan] Where to specify -no-undefined?

2020-05-10 Thread Derek Cameron
I am building strongSwan natively on Windows with MSYS2 and MinGW-w64 following 
the instructions at 
https://wiki.strongswan.org/projects/strongswan/wiki/Windows.

The make terminates with messages:


libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I../../../.. 
-I../../../../src/libstrongswan -I../../../../src/libstrongswan/plugins/pubkey 
-I../../../../src/libcharon -I../../../../src/libcharon/plugins/counters 
-DSWANCTLDIR=\"swanctl\" -DIPSEC_PIDDIR=\"/var/run\" -I/mingw64/include -g -O2 
-Wall -Wno-pointer-sign -Wno-format-security -Wno-format -mno-ms-bitfields 
-D_WIN32 -D_WIN64 -DOPENSSL_SYS_WIN32 -DOPENSSL_SYS_WIN64 
-I/C:/OpenSSL-Win64/include/openssl -include 
/home/IEUser/strongswan-5.8.4/config.h -MT libvici.lo -MD -MP -MF 
.deps/libvici.Tpo -c libvici.c  -DDLL_EXPORT -DPIC -o .libs/libvici.o

/bin/sh ../../../../libtool  --tag=CC   --mode=link gcc  -g -O2 -Wall 
-Wno-pointer-sign -Wno-format-security -Wno-format -mno-ms-bitfields -D_WIN32 
-D_WIN64 -DOPENSSL_SYS_WIN32 -DOPENSSL_SYS_WIN64 
-I/C:/OpenSSL-Win64/include/openssl -include 
/home/IEUser/strongswan-5.8.4/config.h  -L/C:/OpenSSL-Win64/lib -L/mingw64/lib 
-o libvici.la -rpath /mingw64/lib/ipsec vici_message.lo vici_builder.lo 
vici_cert_info.lo libvici.lo ../../../../src/libstrongswan/libstrongswan.la

libtool:   error: can't build x86_64-pc-mingw64 shared library unless -no-undefined is specified
make[6]: *** [Makefile:737: libvici.la] Error 1
make[6]: Leaving directory '/home/IEUser/strongswan-5.8.4/src/libcharon/plugins/vici'
make[5]: *** [Makefile:975: all-recursive] Error 1
make[5]: Leaving directory '/home/IEUser/strongswan-5.8.4/src/libcharon/plugins/vici'
make[4]: *** [Makefile:1983: all-recursive] Error 1
make[4]: Leaving directory '/home/IEUser/strongswan-5.8.4/src/libcharon'
make[3]: *** [Makefile:1279: all] Error 2
make[3]: Leaving directory '/home/IEUser/strongswan-5.8.4/src/libcharon'
make[2]: *** [Makefile:537: all-recursive] Error 1
make[2]: Leaving directory '/home/IEUser/strongswan-5.8.4/src'
make[1]: *** [Makefile:598: all-recursive] Error 1
make[1]: Leaving directory '/home/IEUser/strongswan-5.8.4'
make: *** [Makefile:509: all] Error 2


Where and how do I specify -no-undefined?





Re: [strongSwan] How to use letsencrypt certificate in swanctl?

2019-02-01 Thread Derek Cameron
I got StrongSwan working with Let’s Encrypt. It’s a good idea, since it
makes the client work with no extra software or certificates to install.
Here’s my documentation of the method I used:
https://dc77312.wordpress.com/2019/02/01/strongswan-with-lets-encrypt-ssl-certificate-for-server/

Derek.

On Fri, Feb 1, 2019 at 5:40 AM, Glen Huang wrote:

> I’m trying to use the certificate generated by letsencrypt for my ikev2
> vpn, and I use swanctl.conf
>
> I copied either cert.pem or fullchain.pem to swanctl/x509 as cert.pem, and
> specify certs.pem to local.certs. When starting charon, it fails with
>
> loading ‘/path/to/cert.pem’ failed: parsing X509 certificate failed
>
> It seems swanctl doesn’t directly support the certificate generated
> by letsencrypt? Is it possible to convert manually?
>
> Another quick question, if I name the pem file as mydomain.com.pem, charon
> fails with invalid syntax for certs, and it also fails with the same reason
> if I put it in a subfolder in x509 and specify mydomain.com/cert.pem to
> certs. Does that mean the cert file shouldn’t contain more than two dots in the
> file name? And subfolder isn’t supported?
>
> Thanks a lot.
>


Re: [strongSwan] A couple of offerings for the community

2019-01-29 Thread Derek Cameron
On Mon, Jan 28, 2019 at 2:29 AM Tobias Brunner wrote:
> Does Windows require the complete chain for the client
> certificate?

If you deliberately delete the CA certificate of the client
certificate on Windows, then when you try to connect, you will get an
error message in red, "Invalid certificate type." This is an
"all-purpose" error message Windows gives when it does not like
something about your certificates. If you look in Windows Event
Viewer, you will see an error from source RasClient saying, "The error
code returned on failure is 13819." Again, this is an "all-purpose"
error code for certificates.

Derek.


[strongSwan] A couple of offerings for the community

2019-01-26 Thread Derek Cameron
Good afternoon,

A couple of offerings that might interest you:

(1) An IKEv2 profile importer for Windows 10, modeled on the
strongSwan profile importer for Android:
https://github.com/dcamero2016/vpn-importer

(2) Step-by-step, end-to-end tutorial for installing strongSwan 5.7.2
on Debian 10 Buster server and Android client:
https://dc77312.wordpress.com

Kind regards,

Derek Cameron.


Re: [strongSwan] ikev2 server without cert

2016-11-06 Thread Derek Cameron
Yes, you can use username and password. In this tutorial, the
strongSwan server authenticates with a certificate, and the various
clients authenticate with a user name and password:

http://xpu.ca/strongswan-ubuntu/

This procedure was tested on an Amazon EC2 t2.micro instance running
Ubuntu 16.04. The version of the strongSwan package installed was
5.3.5-1ubuntu3.

On Sun, Nov 6, 2016 at 3:11 PM, robert k Wild wrote:
> hi all,
>
> im trying to create an ikev2 server but this how-to guide says i need to
> create certs for the server and client, can i just not use normal username
> and password for authentication?
>
> https://raymii.org/s/tutorials/IPSEC_vpn_with_CentOS_7.html
>
> many thanks,
>
> rob
>
> --
> Regards,
>
> Robert K Wild.
>
> ___
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

[strongSwan] Apple IOS 10 VPN

2016-10-29 Thread Derek Cameron
Jim,

Here is a configuration that works for iOS 10: http://xpu.ca/strongswan-ubuntu/

Derek.

> Can anyone share a working configuration between Strongswan and
> Apple IOS 10?
>
> ___
>
>
> Jim Buttafuoco
> jim at contacttelecom.com
> 603-647-7170
> 603-490-3409 - Cell
> jimbuttafuoco - Skype

Re: [strongSwan] using eap-tls and eap-mschapv2 simultaneously

2016-01-04 Thread Derek Cameron
Hi, Josh,

Thank you.

You can probably just have two "conn" sections where they differ, with a shared 
"%default" conn where they are the same, but I have not tried this myself.

The certificates issued by "Let's Encrypt" work fine as server certificates if 
you are going to use user/password authentication (eap-mschapv2) on the iOS 
client side.

sudo openssl x509 -in /etc/letsencrypt/live/vpn.example.com/fullchain.pem -text

Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1
. . .
Subject: CN=vpn.example.com
. . .
X509v3 Subject Alternative Name:
DNS:vpn.example.com

The special rules for iOS and OS X are, of course, imposed by Apple rather than 
by Strongswan. They are described in the Strongswan wiki on the page 
https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple) especially in 
the sections "Certificate requirements for iOS interoperability" and 
"Certificate examples using strongSwan PKI tool"

Derek.
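
An added example, not part of the original post or of strongSwan: a shell pre-flight check for the two Let's Encrypt points raised on this page, namely how many certificates a PEM file holds (cert.pem versus fullchain.pem) and whether the Subject Alternative Name lists the VPN hostname, as in the openssl output above. The function names and the self-signed stand-in certificate are constructed for illustration; the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example: pre-flight checks on a server certificate file.

# pem_cert_count FILE: number of certificates in a PEM file. A Let's Encrypt
# fullchain.pem holds the leaf plus intermediate(s); cert.pem holds one.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# san_has_dns FILE HOST: succeed only if the first certificate in FILE lists
# exactly DNS:HOST in subjectAltName (openssl x509 reads only the first block).
san_has_dns() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -qxF "DNS:$2"
}

# make_constructed_cert DIR HOST: self-signed stand-in for a real certificate,
# constructed here so the example runs offline. Writes DIR/cert.pem.
make_constructed_cert() {
    cat > "$1/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $2
[ext]
subjectAltName = DNS:$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Demo on constructed input: a single certificate and a two-certificate bundle.
demo() {
    d=$(mktemp -d) || return 1
    make_constructed_cert "$d" vpn.example.com || return 1
    cat "$d/cert.pem" "$d/cert.pem" > "$d/bundle.pem"  # stands in for fullchain.pem
    echo "cert.pem certificates:   $(pem_cert_count "$d/cert.pem")"
    echo "bundle.pem certificates: $(pem_cert_count "$d/bundle.pem")"
    san_has_dns "$d/cert.pem" vpn.example.com && echo "SAN lists vpn.example.com"
    san_has_dns "$d/cert.pem" other.example.com || echo "SAN lacks other.example.com"
    rm -rf "$d"
}
demo
```

The SAN check is an exact string match, so a wildcard entry such as DNS:*.example.com does not satisfy a lookup for a specific host.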


[strongSwan] Using StrongSwan for IPSec VPN on CentOS 7 - no matching peer config found.

2016-01-04 Thread Derek Cameron
Hi, Josh,

I am using Debian 8 rather than CentOS 7, but it works fine for iOS 9 clients.

Here is what I did:

https://dcamero.github.io

Regards,
Derek.