[strongSwan] No MD4 hasher available
Hello all,

I am attempting to use strongSwan 4.5.0 as an IKEv2 client which uses EAP-MSCHAPv2 for authentication. When building from sources I have used the following command:

    ./configure --enable-md4 --enable-eap-mschapv2

However, during the IKEv2 negotiation I get the following error:

    EAP-MS-CHAPv2 failed, no MD4 hasher available.

For testing, strongswan.conf was changed to contain the following line:

    load = aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink fips-prf eap-mschapv2 updown

Executing charon resulted in the following error:

    root@XUbuntu9:/usr/local/libexec/ipsec# ./charon
    00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
    00[LIB] plugin 'md4' failed to load: /usr/libexec/ipsec/plugins/libstrongswan-md4.so: cannot open shared object file: No such file or directory

What am I doing wrong?

Thanks & Regards,
Matt

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] No MD4 hasher available
Hello Matt,

your configuration steps are all correct, so it's difficult to say what went wrong. Could you change into the src/libstrongswan/plugins/md4 directory and execute

    make

followed by

    sudo make install

and check

1) whether any compilation errors occur
2) whether libstrongswan-md4.so gets installed in the /usr/libexec/ipsec/plugins directory.

Best regards

Andreas

On 23.08.2011 11:50, Matthew Cini Sarreo wrote:
> Hello all,
>
> I am attempting to use strongSwan 4.5.0 as an IKEv2 client which uses
> EAP-MSCHAPv2 for authentication. When building from sources I have used
> the following command:
> ./configure --enable-md4 --enable-eap-mschapv2
>
> However, during the IKEv2 negotiation I get the following error:
> EAP-MS-CHAPv2 failed, no MD4 hasher available.
>
> For testing, strongswan.conf was changed to contain the following line:
> load = aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation
> hmac xcbc stroke kernel-netlink fips-prf eap-mschapv2 updown
>
> Executing charon resulted in the following error:
> root@XUbuntu9:/usr/local/libexec/ipsec# ./charon
> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
> 00[LIB] plugin 'md4' failed to load:
> /usr/libexec/ipsec/plugins/libstrongswan-md4.so: cannot open shared
> object file: No such file or directory
>
> What am I doing wrong?
>
> Thanks & Regards,
> Matt

==
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
[strongSwan] Interoperability testing between strongswan and HPUX-IPSec.
Hi,

I'm a newbie to strongSwan. I'm trying to do interoperability testing between the strongSwan IPsec implementation and HPUX-IPSec.

I'm having some initial hiccups.

I'm getting the following error: "021 no connection named "hpux""

I have chosen Ubuntu to install strongSwan. I have installed the following version of strongSwan:

    root@:~# ipsec version
    Linux strongSwan U4.3.2/K2.6.34
    Institute for Internet Technologies and Applications
    University of Applied Sciences Rapperswil, Switzerland
    See 'ipsec --copyright' for copyright information.

I have the following ipsec.conf file.

    root@:~# cat /etc/ipsec.conf
    # ipsec.conf - strongSwan IPsec configuration file

    # basic configuration

    config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        charonstart=yes
        plutostart=yes

    # Add connections here.

    # Sample VPN connections

    #conn sample-self-signed
    #    left=%defaultroute
    #    leftsubnet=10.1.0.0/16
    #    leftcert=selfCert.der
    #    leftsendcert=never
    #    right=192.168.0.2
    #    rightsubnet=10.2.0.0/16
    #    rightcert=peerCert.der
    #    auto=start

    #conn sample-with-ca-cert
    #    left=%defaultroute
    #    leftsubnet=10.1.0.0/16
    #    leftcert=myCert.pem
    #    right=192.168.0.2
    #    rightsubnet=10.2.0.0/16
    #    rightid="C=CH, O=Linux strongSwan CN=peer name"
    #    keyexchange=ikev2
    #    auto=start

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        auth=ah
        ike=3des-sha
        esp=3des-sha1

    conn hpux
        auto=add
        type=transport
        authby=secret
        left=192.168.0.2
        leftnexthop=%defaultroute
        right=10.1.0.1
        rightnexthop=%defaultroute

    include /var/lib/strongswan/ipsec.conf.inc

/etc/ipsec.secrets

    # This file holds shared secrets or RSA private keys for inter-Pluto
    # authentication. See ipsec_pluto(8) manpage, and HTML documentation.

    # RSA private key for this host, authenticating it to any other host
    # which knows the public part. Suitable public keys, for ipsec.conf, DNS,
    # or configuration of other implementations, can be extracted conveniently
    # with "ipsec showhostkey".

    # this file is managed with debconf and will contain the automatically
    # created private key
    include /var/lib/strongswan/ipsec.secrets.inc

    %any %any: PSK "ipsec1234"

Following this I have done

    ipsec start

    Starting strongSwan 4.3.2 IPsec [starter]...
    pluto is already running (/var/run/pluto.pid exists) -- skipping pluto start
    charon is already running (/var/run/charon.pid exists) -- skipping charon start
    starter is already running (/var/run/starter.pid exists) -- no fork done

and

    ipsec up hpux

    root@:~# ipsec up hpux
    021 no connection named "hpux"

I googled a little bit and found that I need to add auto=add in the /etc/ipsec.conf. But it didn't help.

Can someone please help resolve this?

Thanks,
Murali
[strongSwan] TS Unacceptable error !!
Hello everyone,

I need some help regarding load testing against a remote host. I have my strongswan.conf file as said in the link below:

    http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests

Right now I am using EAP authentication, i.e. in the strongswan.conf file I have set initiator_auth = eap. But the tunnel is not created. When I give ipsec statusall it's telling SA NONE. On the server side it's giving an error for tunnel down as TS Unacceptable. So I tried configuring rightsubnet in the client-side ipsec.conf file at conn %default, but still it's giving the same error!!

1. Does it have anything to do with the reuse_ikesa or ike_rekey or child_rekey or nat_traversal parameters in the strongswan.conf file?
2. Do I have to do anything with the ip xfrm state and ip xfrm pol commands???
3. I also observed some variations in the SA field when I give ipsec statusall immediately, a second after starting ipsec, but after 3 or 4 seconds when I give ipsec statusall the SA field was NONE...

Here is the sample log..

    Connections:
       load-test:  0.0.0.0...192.168.17.1
       load-test:   local:  [CN=srv, OU=load-test, O=strongSwan] uses public key authentication
       load-test:   remote: [%any] uses EAP authentication
       load-test:   child:  dynamic === dynamic
    Security Associations:
       load-test[1]: CONNECTING, 172.63.102.20[fbsr-0...@eapds2460.iprc.nlt.in]...192.168.17.1[iprc.nlt.in]
       load-test[1]: IKE SPIs: 18d5752ca9dc3152_i* 5eaa017e1baa4a29_r
       load-test[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
       load-test[2]: CONNECTING, 172.63.102.20[fbsr-0...@eapds2460.iprc.nlt.in]...192.168.17.1[iprc.nlt.in]
       load-test[2]: IKE SPIs: 6d04312601f85395_i* 14e8b0cbaf5a307c_r
       load-test[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
       load-test[3]: CONNECTING, 172.63.102.20[fbsr-0...@eapds2460.iprc.nlt.in]...192.168.17.1[iprc.nlt.in]
       load-test[3]: IKE SPIs: 885ea46503d1ef5b_i* 5dccc3731da91a99_r
       load-test[3]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
       load-test[4]: CONNECTING, 172.63.102.20[fbsr-0...@eapds2460.iprc.nlt.in]...192.168.17.1[iprc.nlt.in]
       load-test[4]: IKE SPIs: 5df279ec4e45815e_i* 93012abd904120ec_r
       load-test[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
       load-test[5]: CONNECTING, 172.63.102.20[%any]...192.168.17.1[%any]
       load-test[5]: IKE SPIs: 770a8629b52f07cd_i* _r

Observe the above line. Here I am creating 10 iterations, but after the 4th iteration the IKE SPI values are zeros.

After 5 seconds..

    strongswan-4.4.0]# ipsec statusall
    Status of IKEv2 charon daemon (strongSwan 4.4.0):
      uptime: 3 seconds, since Aug 23 18:17:09 2011
      worker threads: 25 idle of 32, job queue load: 0, scheduled events: 60
      loaded plugins: aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem fips-prf xcbc hmac gmp attr load-tester kernel-netlink socket-raw stroke updown eap-identity eap-ds2460 resolve
    Listening IP addresses:
      135.254.212.216
      192.168.122.1
      172.63.102.20
    Connections:
       load-test:  0.0.0.0...192.168.17.1
       load-test:   local:  [CN=srv, OU=load-test, O=strongSwan] uses public key authentication
       load-test:   remote: [%any] uses EAP authentication
       load-test:   child:  dynamic === dynamic
    Security Associations:
      none

Please help me solve this problem.

Regards,
Naren
Re: [strongSwan] Interoperability testing between strongswan and HPUX-IPSec.
Hi,

On 23.08.2011 15:00, Chakravarthy, Chintagunta Murali Mohan (HPUX-Network Security) wrote:
> Starting strongSwan 4.3.2 IPsec [starter]...
> pluto is already running (/var/run/pluto.pid exists) -- skipping pluto start
> charon is already running (/var/run/charon.pid exists) -- skipping charon start
> starter is already running (/var/run/starter.pid exists) -- no fork done
>
> and
>
> ipsec up hpux
>
> root@:~# ipsec up hpux
> 021 no connection named "hpux"

Ubuntu uses init or upstart to start strongswan on boot, hence the message that it's already running. Try using "/etc/init.d/strongswan restart" or "service strongswan restart" (depending on your Ubuntu version) to restart and thus reload the config file.

Regards,
Julian

--
Julian Poschmann
Josefstr. 126
52080 Aachen-Eilendorf
Telephone: +49 170 3295135
E-Mail: julian.poschma...@rwth-aachen.de
PGP-ID: 0x7D51DD8B
Re: [strongSwan] Automatic Addition/Deletion of Ipsec-Policy-based Firewall Rules
Thanks Andreas.
We have made some progress by following these steps...

1] Created a static firewall policy allowing traffic for UDP port 500. PFA configuration file for strongSwan.
2] It is noticed that the tunnel was established by dynamically adding a matching policy for IPsec.
3] Now the requirement is to send only SSH/TFTP encrypted traffic over this tunnel.

Can you please let me know the steps to achieve the last requirement??
Also please note that this traffic is not to be allowed once the tunnel went down.

Looking forward to the reply!!!

-Best Regards,
VKS.

Andreas Steffen
08/23/2011 01:39 AM

To: kvunn...@rockwellcollins.com
cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Automatic Addition/Deletion of Ipsec-Policy-based Firewall Rules

IPsec policy based rules are installed with the standard _updown script which is activated with the ipsec.conf parameter

    leftfirewall=yes

Regards

Andreas

On 08/22/2011 05:05 PM, kvunn...@rockwellcollins.com wrote:
>
> Hi Guys,
> we have a requirement related to IPSEC-Policy-based Firewall Rules.
>
> Steps we followed:
> 1] Configured the ipsec.conf with the parameter "leftupdown=
Re: [strongSwan] Interoperability testing between strongswan and HPUX-IPSec.
Hello Murali,

it seems that strongSwan was already running. Did you try

    ipsec restart

If the connection is still not known, then probably a syntax error occurred in the connection definition. Execute the command

    ipsec reload

and check if any syntax errors are written to the log.

Regards

Andreas

On 23.08.2011 15:00, Chakravarthy, Chintagunta Murali Mohan (HPUX-Network Security) wrote:
> Hi,
>
> I'm a newbie to Strongswan. I'm trying to do Interoperability testing
> between Strongswan IPsec implementation and HPUX -IPSec.
>
> I'm having some initial hiccups.
>
> I'm getting following error "021 no connection named "hpux""
>
> I have choosen unbuntu to install strongswan I have installed following
> version of strongswan
>
> root@:~# ipsec version
> Linux strongSwan U4.3.2/K2.6.34
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil, Switzerland
> See 'ipsec --copyright' for copyright information.
>
> I have following ipsec.conf file.
>
> root@:~# cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>     # plutodebug=all
>     # crlcheckinterval=600
>     # strictcrlpolicy=yes
>     # cachecrls=yes
>     # nat_traversal=yes
>     charonstart=yes
>     plutostart=yes
>
> # Add connections here.
>
> # Sample VPN connections
>
> #conn sample-self-signed
> #    left=%defaultroute
> #    leftsubnet=10.1.0.0/16
> #    leftcert=selfCert.der
> #    leftsendcert=never
> #    right=192.168.0.2
> #    rightsubnet=10.2.0.0/16
> #    rightcert=peerCert.der
> #    auto=start
>
> #conn sample-with-ca-cert
> #    left=%defaultroute
> #    leftsubnet=10.1.0.0/16
> #    leftcert=myCert.pem
> #    right=192.168.0.2
> #    rightsubnet=10.2.0.0/16
> #    rightid="C=CH, O=Linux strongSwan CN=peer name"
> #    keyexchange=ikev2
> #    auto=start
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev1
>     auth=ah
>     ike=3des-sha
>     esp=3des-sha1
>
> conn hpux
>     auto=add
>     type=transport
>     authby=secret
>     left=192.168.0.2
>     leftnexthop=%defaultroute
>     right=10.1.0.1
>     rightnexthop=%defaultroute
>
> include /var/lib/strongswan/ipsec.conf.inc
>
> /etc/ipsec.secrets
>
> # This file holds shared secrets or RSA private keys for inter-Pluto
> # authentication. See ipsec_pluto(8) manpage, and HTML documentation.
>
> # RSA private key for this host, authenticating it to any other host
> # which knows the public part. Suitable public keys, for ipsec.conf, DNS,
> # or configuration of other implementations, can be extracted conveniently
> # with "ipsec showhostkey".
>
> # this file is managed with debconf and will contain the automatically
> # created private key
> include /var/lib/strongswan/ipsec.secrets.inc
>
> %any %any: PSK "ipsec1234"
>
> Following this I have done ipsec start
>
> Starting strongSwan 4.3.2 IPsec [starter]...
> pluto is already running (/var/run/pluto.pid exists) -- skipping pluto start
> charon is already running (/var/run/charon.pid exists) -- skipping charon start
> starter is already running (/var/run/starter.pid exists) -- no fork done
>
> and
>
> ipsec up hpux
>
> root@:~# ipsec up hpux
> 021 no connection named "hpux"
>
> I googled a little bit and found that I need to add auto=add in the
> /etc/ipsec.conf. But it didn't help.
>
> Can someone please help resolving this.
>
> Thanks,
> Murali
Re: [strongSwan] Automatic Addition/Deletion of Ipsec-Policy-based Firewall Rules
Hello,

define two connections, one restricting the protocol to ssh and the second one to tftp:

    conn ssh
        also=hosts
        leftprotoport=tcp
        rightprotoport=tcp/ssh
        auto=add

    conn tftp
        also=hosts
        leftprotoport=udp
        rightprotoport=udp/tftp
        auto=add

    conn hosts
        left=
        right=
        # common definitions

Regards

Andreas

On 23.08.2011 16:38, kvunn...@rockwellcollins.com wrote:
>
> Thanks Andreas.
> We have Made some progress by following these steps...
>
> 1] Created a Static Firewall Policy allowing Traffic for UDP port
> 500. PFA Configuration File for Strongswan.
> 2] It is Noticed that Tunnel was established by dynamically adding a
> Matching policy for IPSEC.
> 3] Now the Requirement is to send Only SSH/TFTP Encrypted Traffic over
> this Tunnel.
>
> Can You please let me know the Steps to achieve the Last Requirement ??
> Also Please note that this Traffic not to be allowed once the Tunnel
> went down.
>
> Looking forward for the reply!!!
>
> -Best Regards,
> VKS.
>
> Andreas Steffen
> 08/23/2011 01:39 AM
>
> To: kvunn...@rockwellcollins.com
> cc: users@lists.strongswan.org
> Subject: Re: [strongSwan] Automatic Addition/Deletion of Ipsec-Policy-based
> Firewall Rules
>
> IPsec policy based rules are installed with the standard _updown
> script which is activated with the ipsec.conf parameter
>
> leftfirewall=yes
>
> Regards
>
> Andreas
>
> On 08/22/2011 05:05 PM, kvunn...@rockwellcollins.com wrote:
>>
>> Hi Guys,
>> we have a requirement related to IPSEC-Policy-based Firewall Rules.
>>
>> Steps we followed:
>> 1] Configured the ipsec.conf with the parameter "leftupdown=
[strongSwan] restart action on redundant CHILD_SAs
Hi:

We have found a message sequencing error scenario which yields unexpected/undesirable behavior:

1. An established IKE_SA has an established CHILD_SA, with a non-strongSwan gateway.
2. During rekeying, at the point there are two established CHILD_SAs, the old and the new CHILD_SAs, a request is received from the peer to DELETE the IKE_SA.
3. Our strongSwan is configured to automatically restart.
4. It dutifully restarts the IKE_SA and CHILD_SAs that currently exist, even though the old one is an artifact of an incomplete rekey sequence.

Do you agree this is an issue?

Some thoughts on fixing it:

Inspiration comes from a fix for a similar issue:
http://wiki.strongswan.org/projects/strongswan/repository/revisions/2f57e6da0e83a3e64e36dd2559b2579b9b1e32a2

where a CHILD_SA's close action was "adjusted" so that it is not recreated upon restart. In our error scenario, could this same technique be used on the "old" SA (the one being rekeyed) to prevent a restart action on it? That is, when a new SA is created for a policy, the old SA's action (for the same policy) would be set to "NONE".

What do you think?

Thanks,
Stephen
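As an added illustration of the sequence above and of the proposed fix (this is example code written for this page, not strongSwan's own implementation and not from the post), the C model below keeps a table of CHILD_SAs with a close action each, performs a rekey that creates the replacement SA for the same policy, and then counts how many restarts a peer-initiated IKE_SA DELETE would trigger. With demotion of the old SA's action to NONE at rekey time, the delete restarts one SA per policy instead of two. The type and function names (action_t, ike_rekey_child, ike_deleted_by_peer, scenario_restart_count) are this example's own assumptions; charon's real structures differ.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Close action carried by a CHILD_SA (this example's own names). */
typedef enum { ACTION_NONE = 0, ACTION_ROUTE, ACTION_RESTART } action_t;

typedef struct {
    int      id;           /* CHILD_SA identifier, unique within the IKE_SA */
    int      policy;       /* index of the policy (traffic selectors) it implements */
    action_t close_action; /* what to do when the peer tears it down */
} child_sa_t;

#define MAX_CHILDREN 8

typedef struct {
    child_sa_t children[MAX_CHILDREN];
    size_t     count;
    int        next_id;
} ike_sa_t;

void ike_init(ike_sa_t *ike)
{
    ike->count = 0;
    ike->next_id = 1;
}

/* Install a new CHILD_SA; returns its id, or -1 when the table is full. */
int ike_add_child(ike_sa_t *ike, int policy, action_t close_action)
{
    if (ike->count >= MAX_CHILDREN)
        return -1;
    child_sa_t *c = &ike->children[ike->count++];
    c->id = ike->next_id++;
    c->policy = policy;
    c->close_action = close_action;
    return c->id;
}

static child_sa_t *ike_find_child(ike_sa_t *ike, int id)
{
    for (size_t i = 0; i < ike->count; i++)
        if (ike->children[i].id == id)
            return &ike->children[i];
    return NULL;
}

/* Rekey step 2 of the post: the replacement SA for the same policy is
 * created and, at this instant, both old and new exist. With demote_old the
 * old SA's action is set to NONE (the proposal from the post); without it the
 * old SA keeps its RESTART action. Returns the new SA's id, or -1. */
int ike_rekey_child(ike_sa_t *ike, int old_id, bool demote_old)
{
    child_sa_t *old = ike_find_child(ike, old_id);
    if (old == NULL)
        return -1;
    int new_id = ike_add_child(ike, old->policy, old->close_action);
    if (new_id < 0)
        return -1;
    if (demote_old)
        old->close_action = ACTION_NONE;   /* table is a fixed array, pointer stays valid */
    return new_id;
}

/* Steps 3-4: the peer deletes the IKE_SA; every CHILD_SA whose close action
 * is RESTART would be re-established. Returns the number of restarts. */
int ike_deleted_by_peer(const ike_sa_t *ike)
{
    int restarts = 0;
    for (size_t i = 0; i < ike->count; i++)
        if (ike->children[i].close_action == ACTION_RESTART)
            restarts++;
    return restarts;
}

/* The scenario from the post: one CHILD_SA, a rekey in progress, then DELETE. */
int scenario_restart_count(bool demote_old)
{
    ike_sa_t ike;
    ike_init(&ike);
    int first = ike_add_child(&ike, 0, ACTION_RESTART);   /* step 1 */
    ike_rekey_child(&ike, first, demote_old);             /* step 2 */
    return ike_deleted_by_peer(&ike);                     /* steps 3-4 */
}

int main(void)
{
    printf("restarts without demoting the old SA: %d\n", scenario_restart_count(false));
    printf("restarts with the old SA set to NONE:  %d\n", scenario_restart_count(true));
    return 0;
}
```

The model deliberately freezes the state at the moment both CHILD_SAs exist, which is the window the post describes; once a rekey completes normally the old SA is deleted and the question does not arise.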
[strongSwan] Changes in secrets file handling in 4.4.1
Hi,

We (Vyatta) updated strongSwan in our last release to 4.4.1; previously we were using 4.3.2. I'm observing a change in the handling of /etc/ipsec.secrets. In 4.3.2, if a FQDN (not prepended with an '@') was used in the ipsec.secrets file, it was resolved to the IP address when the file was read in. In 4.4.1, however, this resolution doesn't occur. Unless I missed something, the new code for identification processing in this version isn't written to do the name resolution. Was this behavior change intentional? If so, what was the rationale behind this?

Thanks,
John Southworth
Network Software Engineer
Vyatta Inc.
[strongSwan] R_U_THERE_ACK has invalid SPI length (16)
Hi,

I have seen this error in the pluto debug log "secure" when testing DPD against my SeGW, and I wonder what this error really means. Per RFC3706, the SPI length should be set to 16 in the R_U_THERE/R_U_THERE_ACK messages. So does this error mean something else is wrong in the R_U_THERE_ACK sent by my SeGW? strongSwan sent a MALFORMED-PAYLOAD back to my SeGW after printing out this error.

Thanks for your help

Nan
Re: [strongSwan] R_U_THERE_ACK has invalid SPI length (16)
Hello Nan,

the source code in question is

    if (n->isan_spisize != COOKIE_SIZE * 2
    ||  pbs_left(pbs) < COOKIE_SIZE * 2)
    {
        loglog(RC_LOG_SERIOUS
            , "DPD: R_U_THERE_ACK has invalid SPI length (%d)"
            , n->isan_spisize);
        return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED;
    }

COOKIE_SIZE is a constant with a value of 8 bytes and n->isan_spisize is output as 16 bytes in the error message. This means that the second half

    || pbs_left(pbs) < COOKIE_SIZE * 2)

triggers the error. This means that the received R_U_THERE_ACK message does not contain 2 COOKIES.

Regards

Andreas

On 08/24/2011 03:34 AM, Nan Luo wrote:
> Hi,
>
> I have seen this error in the pluto debug log "secure" when testing DPD
> against my SeGW, I wonder what this error really means. Per RFC3706, the
> SPI length should be set to 16 in the R_U_THERE/R_U_THERE_ACK messages.
> So does this error mean something else wrong in the R_U_THERE_ACK sent
> by my SeGW? strongSwan sent a MALFORMED-PAYLOAD back to my SeGW after
> printing out this error
>
> Thanks for your help
>
> Nan
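To make the two halves of that check concrete, the following added example (written for this page; it is not pluto's code and not from the thread) parses an ISAKMP Notification payload carrying a DPD R_U_THERE or R_U_THERE_ACK and applies the same test, but split so the caller can tell whether the SPI size field was wrong or whether the header claimed 16 bytes and fewer actually followed. The payload layout is the one from RFC 2408 (next payload, reserved, length, DOI, protocol ID, SPI size, notify type, SPI, data) and the notify type values are those from RFC 3706; the function and enum names, and the sample cookies, are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define COOKIE_SIZE     8      /* one ISAKMP cookie; an IKEv1 SPI is two of them */
#define NOTIFY_HDR_LEN  12     /* fixed part of the Notification payload (RFC 2408) */
#define R_U_THERE       36136  /* RFC 3706 notify types */
#define R_U_THERE_ACK   36137

enum dpd_result {
    DPD_OK = 0,
    DPD_ERR_HEADER,     /* payload shorter than the fixed notification header */
    DPD_ERR_LENGTH,     /* payload length field disagrees with the bytes received */
    DPD_ERR_NOT_DPD,    /* notify type is neither R_U_THERE nor R_U_THERE_ACK */
    DPD_ERR_SPI_SIZE,   /* SPI size field != 2 * COOKIE_SIZE (first half of the test) */
    DPD_ERR_SPI_SHORT,  /* fewer than 16 bytes follow the header (second half) */
    DPD_ERR_NO_SEQNO    /* no 4-byte sequence number after the SPI */
};

struct dpd_notify {
    uint16_t notify_type;
    uint8_t  spi[2 * COOKIE_SIZE];   /* initiator cookie, then responder cookie */
    uint32_t seqno;
};

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse one Notification payload (generic header included):
 *   next(1) reserved(1) length(2) DOI(4) protocol(1) spi_size(1) type(2) spi(var) data(var) */
enum dpd_result dpd_parse_notify(const uint8_t *buf, size_t len, struct dpd_notify *out)
{
    if (len < NOTIFY_HDR_LEN)
        return DPD_ERR_HEADER;
    uint16_t plen = get16(buf + 2);
    if (plen < NOTIFY_HDR_LEN || plen > len)
        return DPD_ERR_LENGTH;
    uint8_t  spi_size = buf[9];
    uint16_t type     = get16(buf + 10);
    const uint8_t *p  = buf + NOTIFY_HDR_LEN;
    size_t left       = plen - NOTIFY_HDR_LEN;   /* what pbs_left(pbs) would report */

    if (type != R_U_THERE && type != R_U_THERE_ACK)
        return DPD_ERR_NOT_DPD;
    if (spi_size != COOKIE_SIZE * 2)             /* n->isan_spisize != COOKIE_SIZE * 2 */
        return DPD_ERR_SPI_SIZE;
    if (left < COOKIE_SIZE * 2)                  /* pbs_left(pbs) < COOKIE_SIZE * 2 */
        return DPD_ERR_SPI_SHORT;
    if (left - COOKIE_SIZE * 2 < 4)
        return DPD_ERR_NO_SEQNO;

    out->notify_type = type;
    memcpy(out->spi, p, 2 * COOKIE_SIZE);
    out->seqno = get32(p + 2 * COOKIE_SIZE);
    return DPD_OK;
}

/* Build a Notification payload. spi_size_field and spi_bytes are separate on
 * purpose, so that a message whose header claims 16 SPI bytes but carries
 * fewer can be constructed. Returns the payload length written. */
size_t dpd_build_notify(uint8_t *buf, uint16_t type, uint8_t spi_size_field,
                        const uint8_t *spi, size_t spi_bytes, uint32_t seqno)
{
    size_t plen = NOTIFY_HDR_LEN + spi_bytes + 4;
    memset(buf, 0, NOTIFY_HDR_LEN);
    buf[2] = (uint8_t)(plen >> 8); buf[3] = (uint8_t)plen;
    buf[7] = 1;                                  /* DOI: IPsec */
    buf[8] = 1;                                  /* Protocol-ID: ISAKMP */
    buf[9] = spi_size_field;
    buf[10] = (uint8_t)(type >> 8); buf[11] = (uint8_t)type;
    memcpy(buf + NOTIFY_HDR_LEN, spi, spi_bytes);
    uint8_t *s = buf + NOTIFY_HDR_LEN + spi_bytes;
    s[0] = (uint8_t)(seqno >> 24); s[1] = (uint8_t)(seqno >> 16);
    s[2] = (uint8_t)(seqno >> 8);  s[3] = (uint8_t)seqno;
    return plen;
}

/* Constructed sample cookies (initiator, then responder); not from any capture. */
static const uint8_t sample_cookies[2 * COOKIE_SIZE] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8 };

/* Well-formed ACK: header says 16 and 16 bytes follow. Returns 1 on success. */
int dpd_case_wellformed(void)
{
    uint8_t buf[64]; struct dpd_notify n;
    size_t len = dpd_build_notify(buf, R_U_THERE_ACK, 16, sample_cookies, 16, 7);
    if (dpd_parse_notify(buf, len, &n) != DPD_OK)
        return 0;
    return n.seqno == 7 && memcmp(n.spi, sample_cookies, 16) == 0;
}

/* Header claims 16 SPI bytes but only one cookie (8 bytes) follows: the case
 * the thread discusses, where the second half of the test fires. */
enum dpd_result dpd_case_short_spi(void)
{
    uint8_t buf[64]; struct dpd_notify n;
    size_t len = dpd_build_notify(buf, R_U_THERE_ACK, 16, sample_cookies, 8, 7);
    return dpd_parse_notify(buf, len, &n);
}

/* SPI size field of 8: the first half of the test fires instead. */
enum dpd_result dpd_case_bad_spi_size(void)
{
    uint8_t buf[64]; struct dpd_notify n;
    size_t len = dpd_build_notify(buf, R_U_THERE_ACK, 8, sample_cookies, 8, 7);
    return dpd_parse_notify(buf, len, &n);
}
```

Splitting the condition this way is what a gateway operator would want when reading a log like the one in the thread: DPD_ERR_SPI_SIZE means the peer put the wrong number in the SPI size field, while DPD_ERR_SPI_SHORT means the field was 16 but the payload was truncated before both cookies, which is the situation Andreas describes.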