Re: [strongSwan] strongswan with ocf or hardware accelator
Jayasri Sangu wrote:
> Hi All,
>
> We are trying to implement the strongswan on our embedded product with freescale processor. Because of limitations of our processor we can't use the software encryption. Is there any way the strongswan supports hardware acceleration?
>
> Thanks for your help
> Jayasri Sangu
> ___
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

Assumptions:
1) linux platform
2) ESP
3) you want to accelerate the crypto+hash for each packet at the ESP level, not RSA crypto operations of IKE

Strongswan uses the linux kernel to do ESP packet processing, therefore the question to ask is: does the linux ESP implementation support hardware acceleration?

Yes, linux ESP uses the linux kernel crypto api, which can support hardware acceleration. Look at the talitos driver in the linux kernel for an example. Beware that the linux crypto api is actively developed as we speak and is constantly changing.

Dimitrios Siganos
Re: [strongSwan] encryption of packets failing
NAGARAJAN, ANIL (ANIL) wrote:
> Hi All,
>
> I am trying to establish SA for site-to-site with ikev2. I am using strongswan4.3.5. I have added connection and brought up the connection using stroke message framework. SA gets established. However when I try to send packets from subnet, the packet is not getting encoded. Is this a known issue? Has anyone else faced this? Is there any work-around for the issue?
>
> Regds
> Anil N

You are not giving any details. It is impossible to help you. What do the following commands output?
1) ip xfrm state
2) ip xfrm policy
3) ipsec statusall
Re: [strongSwan] Need help reviewing a tutorial on smartcards
François Pérou wrote:
> On Fri, 2010-04-09 at 07:58 +0200, François Pérou wrote:
> Dear Dimitrios,
>
> I modified to have pluto running in debug mode on Carol:
> http://www.gooze.eu/howto/using-strongswan-with-smart-cards/configuring-road-warrior-carol
>
> This seems to work fine on Carol side with pluto. PIN and credentials are cached. I can run ipsec listcards. Many thanks.
>
> Now I have some problem on the most simple part: Moon.
>
> 1) Should I also run pluto on Moon? I guess no, charon should work also?

Yes, pluto must be running on both sides. I would also disable charon on both sides to simplify the setup.

> 2) Should I use keyexchange=ikev2 or keyexchange=ikev1?

keyexchange=ikev1 on both sides

> 3) I installed carol PEM cert in /etc/ipsec.d/certs/carolCert.pem. Is this the right location?

It sounds right. But obviously that depends on default directory settings and ipsec.conf configuration. You can also use absolute pathnames. I do that sometimes to simplify things when I get confused.

Without some debug logs I can't help anymore. Also, upgrade to the latest strongswan. If you are using emails in the DN (it is very common), it won't work unless you upgrade to 4.3.5 at least.

Thank you for your reply to my question and I would be interested in buying a usb dongle. But it would be better to reply separately to my question (for future reference), because our questions, although related, are not on the same topic.

Regards,
Dimitrios Siganos
[strongSwan] charon IKEv2 usb smartcard dongle integration
Hi,

I have been asked by a client to investigate what it would take to create a linux strongswan deployment that integrates strongswan IKEv2 with a USB security smartcard. We already have some Aladdin Token JavaCard (USB ID 0529:0620) dongles but I imagine that any well known dongle will do. We want to deploy a PKI based system where the RSA private key is stored in the smartcard.

Just to make sure I don't get the wrong replies, I would like to reiterate that this email refers to charon (IKEv2) smartcard integration. The smartcard related pages in the strongswan wiki don't apply in this case, because they refer to pluto IKEv1 smartcard integration.

My understanding from reading various sources is that to get charon to work with a smartcard, I need to do the following:
1) setup charon to use openssl instead of its default plugins for RSA
2) use engine_pkcs11 to provide PKCS openssl engine (and somehow get charon to use it)
3) use openct to provide driver access to the dongle
4) I think I also need opensc because engine_pkcs11 expects it but I am not sure.

Does anyone have any experience with this sort of integration? I believe the client is willing to pay for this. Obviously a ready made solution would be ideal but if we will have to develop it ourselves.

Regards,
Dimitrios Siganos
Re: [strongSwan] bare minimum required kernel modules/version
No, the IPv6 related modules are not necessary but you have to have linux-2.6.29 or above. Look at this thread for more details and workaround for earlier kernels:
http://www.mail-archive.com/users@lists.strongswan.org/msg00920.html

I am using 2.6.28 and I worked around the problem by applying the disable-iaf-tunnels patch to strongswan.

Dimitris Siganos

Matthias Dahl wrote:
> Hi.
>
> I took over the maintainership of the strongswan ebuild on Gentoo and I am currently in the process of polishing it as time permits.
>
> I'd like to add kernel config sanity checks to the ebuild, so a potential user won't shoot his own feet. Looking around the wiki I found this:
>
> http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
>
> Is this list the real bare minimum even if one only wants to use IPv4? I recall there was some bug that prevented one from configuring w/o IPv6 on some 2.6.28 kernel? I for one don't have IP: policy routing enabled (didn't know it was required) and strongswan still works just fine.
>
> That brings me to my next question: What is the suggested kernel version for the 4.3.6 release? Currently we allow any 2.6 kernel but I guess that's just a bad idea.
>
> Thanks for taking the time... and if you have any suggestions or critique for the Gentoo ebuild, please let me know, so I can improve things.
>
> So long,
> matthias
Re: [strongSwan] Ikev2 on initiator side and ikev1 on responder side
ashish mahalka wrote:
> In the ipsec.conf file for Initiator, keyexchange is specified as ikev2 whereas for the Responder it is specified as ikev1. But still I am able to establish an ikev2 association between the two peers.

The keyexchange setting has no effect on the responder.

keyexchange = ike | ikev1 | ikev2
    method of key exchange; which protocol should be used to initialize the connection. Connections marked with ikev1 are initiated with Pluto, those marked with ikev2 with Charon. An incoming request from the remote peer is handled by the correct daemon, unaffected from the keyexchange setting. The default value ike currently is a synonym for ikev1.

Dimitris Siganos
Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
Sucha Singh wrote:
> Hi Andreas,
>
> Reviewing the above settings I added the following line to the ipsec.conf:
>
> ike=3des-sha1-md5-modp1024
>
> I then get the following errors:
>
> 002 test #1: initiating Main Mode
> 003 test #1: no IKE algorithms for this connection (check ike algorithm string)
> 003 test #1: empty ISAKMP SA proposal to send (no algorithms for ike selection?)
>
> Was I right to add the above setting

That setting looks wrong to me. You probably want:

ike=3des-sha1-modp1024

or

ike=3des-md5-modp1024

or both

ike=3des-sha1-modp1024,3des-md5-modp1024

Dimitris Siganos
[strongSwan] installing DNS server %any to /etc/resolv.conf
Hi,

I am getting this strange log when I setup a strongswan tunnel

installing DNS server %any to /etc/resolv.conf

And it adds this line to /etc/resolv.conf:

nameserver %any # by strongSwan, from C=UK, ST= ...

Does anyone know what is causing this? I am assuming it is a mis-configuration or bug.

The IPsec gateway is a: Linux strongSwan U4.2.11/K2.6.28-11-generic
The IPsec client is a: Linux strongSwan U4.3.3/K2.6.28

Regards,
Dimitrios Siganos
Re: [strongSwan] installing DNS server %any to /etc/resolv.conf
I should add that we are not trying to use DNS. As far as we can see, we are not setting any DNS settings, in ipsec.conf or strongswan.conf, in neither the gateway nor the client.

Dimitrios Siganos wrote:
> Hi,
>
> I am getting this strange log when I setup a strongswan tunnel
>
> installing DNS server %any to /etc/resolv.conf
>
> And it adds this line to /etc/resolv.conf:
>
> nameserver %any # by strongSwan, from C=UK, ST= ...
>
> Does anyone know what is causing this? I am assuming it is a mis-configuration or bug.
>
> The IPsec gateway is a: Linux strongSwan U4.2.11/K2.6.28-11-generic
> The IPsec client is a: Linux strongSwan U4.3.3/K2.6.28
>
> Regards,
> Dimitrios Siganos
Re: [strongSwan] installing DNS server %any to /etc/resolv.conf
Hi Martin,

It is a bug in strongswan. The bug exists in the latest git code as well.

In the function:

static bool handle(private_resolve_handler_t *this, identification_t *server, configuration_attribute_type_t type, chunk_t data)

located inside the file:
http://wiki.strongswan.org/repositories/entry/strongswan/src/charon/plugins/resolve/resolve_handler.c

The DNS IP address provided by the IPsec gateway is printed out (using the %H mechanism) without any checking. But it looks like (I haven't checked) %H prints %any when it is given an IP address of 0.0.0.0 or similar. I can confirm that my IPsec gateway returns 0.0.0.0 as the DNS.

It should either print out 0.0.0.0 or nothing at all. I am not sure which is more appropriate.

Also looking at the source I can see a possible leak. If 'in' is opened successfully but 'out' cannot be opened then 'in' is leaked.

Regards,
Dimitrios Siganos

Martin Willi wrote:
> Hi,
>
> > I am assuming it is a mis-configuration or bug.
>
> Maybe both. It seems that your client requests a DNS server, but your server returns an empty or a 0.0.0.0 address.
>
> > The IPsec gateway is a: Linux strongSwan U4.2.11/K2.6.28-11-generic
>
> Some time passed since 4.2.11, probably we handle it better now. If you want to push DNS information to your client, you'll need a more recent version on the gateway.
>
> > The IPsec client is a: Linux strongSwan U4.3.3/K2.6.28
>
> 4.3.3 always includes a DNS request if you request a virtual IP. But you can skip the installation by disabling the resolve plugin during ./configure.
>
> Regards
> Martin
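The two defects this message describes (a DNS address written to /etc/resolv.conf without any checking, and 'in' left open when 'out' cannot be opened), handled in a stand-alone C example. It is added here and is not strongSwan's resolve_handler.c: install_nameserver, is_usable_dns, the write-to-temp-file-then-rename approach, the line-break check on the identity text, the file names and the addresses are all assumptions of the example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not a strongSwan function: accept only a well-formed
 * IPv4 address that is not the unspecified address 0.0.0.0, which is what
 * the gateway in this thread returned as its DNS server. */
static int is_usable_dns(const char *text, struct in_addr *addr)
{
    if (inet_pton(AF_INET, text, addr) != 1)
        return 0;                       /* "%any", empty string, garbage */
    return addr->s_addr != htonl(INADDR_ANY);
}

/* Prepend "nameserver <addr> # by strongSwan, from <owner>" to the file.
 * Returns 0 on success, -1 if the input is rejected, -2 on an I/O error.
 * Assumption of this example: the new content goes to "<path>.tmp" and is
 * renamed into place, so a failure never leaves a half-written file. */
int install_nameserver(const char *path, const char *addr_text,
                       const char *owner)
{
    struct in_addr addr;
    char printable[INET_ADDRSTRLEN], tmp_path[1024], line[1024];
    FILE *in, *out;
    int n, rc = 0;

    if (!is_usable_dns(addr_text, &addr))
        return -1;
    /* The owner text ends up in the file: refuse embedded line breaks. */
    if (strpbrk(owner, "\r\n") != NULL)
        return -1;
    if (inet_ntop(AF_INET, &addr, printable, sizeof(printable)) == NULL)
        return -1;
    n = snprintf(tmp_path, sizeof(tmp_path), "%s.tmp", path);
    if (n < 0 || (size_t)n >= sizeof(tmp_path))
        return -2;

    in = fopen(path, "r");              /* NULL is fine: no file yet */
    out = fopen(tmp_path, "w");
    if (out == NULL) {
        if (in != NULL)
            fclose(in);                 /* the leak noted in the message */
        return -2;
    }
    if (fprintf(out, "nameserver %s # by strongSwan, from %s\n",
                printable, owner) < 0)
        rc = -2;
    while (rc == 0 && in != NULL && fgets(line, sizeof(line), in) != NULL) {
        if (fputs(line, out) == EOF)
            rc = -2;
    }
    if (in != NULL)
        fclose(in);
    if (fclose(out) != 0)
        rc = -2;
    if (rc == 0 && rename(tmp_path, path) != 0)
        rc = -2;
    if (rc != 0)
        remove(tmp_path);               /* do not leave the temp file behind */
    return rc;
}

/* Write a constructed two-line resolv.conf to work on. */
int write_sample(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs("search example.test\nnameserver 192.0.2.1\n", f);
    return fclose(f) == 0 ? 0 : -1;
}

/* Return 1 if the first line of the file equals expected, else 0. */
int first_line_is(const char *path, const char *expected)
{
    char line[1024] = "";
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return 0;
    if (fgets(line, sizeof(line), f) == NULL)
        line[0] = '\0';
    fclose(f);
    return strcmp(line, expected) == 0;
}

int main(void)
{
    const char *path = "resolv.conf.sample";   /* constructed file name */
    const char *gw = "C=UK, CN=gateway";       /* constructed identity */
    write_sample(path);
    printf("0.0.0.0    -> %d\n", install_nameserver(path, "0.0.0.0", gw));
    printf("%%any       -> %d\n", install_nameserver(path, "%any", gw));
    printf("192.0.2.53 -> %d\n", install_nameserver(path, "192.0.2.53", gw));
    remove(path);
    return 0;
}
```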
[strongSwan] charon: how to determine minimum number of threads
Hi,

Scanning through the mailing list I can see that the recommended minimum number of threads is 8-10 depending on the plugins used.

Is there a way to determine the absolute minimum number of threads for a given plugin configuration? For example, are the threads allocated statically at start-up or are there cases when they are spawned on demand after start-up?

My system seems to work fine with 8 threads. Can I assume that, if I don't change the plugin configuration, 8 threads will always be enough?

Are there any plans to introduce a single threaded mode, for embedded devices? Is a single threaded mode possible, realistically, or would it require complete re-engineering of charon?

Regards,
Dimitrios Siganos
Re: [strongSwan] ip xfrm state / ip xfrm policy
Busybox doesn't have iproute2. They have a simple utility that looks and feels like iproute2 and it doesn't have support for xfrm and many other features of iproute2.

You'll need to download the proper iproute2 package.

Dimitrios Siganos

Jessie Liu wrote:
> Hi Andreas,
>
> ip route list works fine on my target board, but ip xfrm state did not work. When I type ip xfrm state, it shows the following messages:
>
> BusyBox v1.10.1 (2009-09-28 15:09:16 CST) multi-call binary
> Usage ip [OPTIONS] {address | route | link | tunnel | rule} {COMMAND}
>
> --- On Wed, 09/9/30, Andreas Steffen andreas.stef...@strongswan.org wrote:
>
> From: Andreas Steffen andreas.stef...@strongswan.org
> Subject: Re: [strongSwan] ip xfrm state / ip xfrm policy
> To: Jessie Liu iamnotjes...@yahoo.com.tw
> Cc: users@lists.strongswan.org
> Date: Wednesday, September 30, 2009, 12:32 PM
>
> > Hi Jessie,
> >
> > in the past there are some embedded platform which did not implement the ip xfrm command. Does e.g. ip route list work? If not then the whole iproute2 package is missing and you must install it first.
> >
> > Regards
> > Andreas
> >
> > Jessie Liu wrote:
> > > Hi all,
> > >
> > > I'm trying to use ip xfrm state and ip xfrm policy command. But I couldn't use that command to show information. There is no such command! What else should I add in kernel config? I already have xfrm4_tunnel.ko and xfrm_user.ko, but still cannot use that command.
> > >
> > > Thanks a lot. ^___^
> >
> > ==
> > Andreas Steffen andreas.stef...@strongswan.org
> > strongSwan - the Linux VPN Solution! www.strongswan.org
> > Institute for Internet Technologies and Applications
> > University of Applied Sciences Rapperswil
> > CH-8640 Rapperswil (Switzerland)
> > ===[ITA-HSR]==
[strongSwan] esp=null-sha1-modp1024,null-null
Hi,

Is the following esp line valid configuration?

conn west-east
    esp=null-sha1-modp1024,null-null

Does it mean: add null-sha1-modp1024 and null-null to the default list of proposals to be negotiated? How do I know what the default list proposal list is?

Regards,
Dimitrios Siganos
Re: [strongSwan] ARM and I386 ?
I also have a problem on the arm platform. I am cross compiling from Linux/Intel to arm platform. The latest release that works for me is 4.3.3. I don't know if have the same problem. I am investigating right now.

Dimitrios Siganos

Nguyễn Hoàng Anh wrote:
> Hi Andreas and all members!
>
> Today, after finished make and make install strongswan 4.3.4 on an ARM architecture, I try setup it with a tunnel host-to-host to an I386, but I get this error in log file of pluto in I386:
>
> ..
> client2 #2: we have a cert and are sending it upon request
> server #3: NAT-Traversal: Result using RFC 3947: no NAT detected
> server #3: we have a cert and are sending it upon request
> client1 #1: next payload type of ISAKMP Hash Payload has an unknown value: 55
> client1 #1: malformed payload in packet
> client2 #2: next payload type of ISAKMP Hash Payload has an unknown value: 181
> client2 #2: malformed payload in packet
> server #3: next payload type of ISAKMP Hash Payload has an unknown value: 164
> server #3: malformed payload in packet
> ..
>
> What is this error and how can I solve it?
>
> Many thanks!
Re: [strongSwan] ARM and I386 ?
Version 4.3.4 does not work on my arm board, whereas v4.3.3 and the latest git development code, does. Hence, I am not chasing this problem any more. I will stick to 4.3.3 or git code, until the new release comes out.

For the record, this is what I get with 4.3.4:

Sep 14 17:05:13 ds-board authpriv.warn ipsec_starter[351]: Starting strongSwan 4.3.4 IPsec [starter]...
Sep 14 17:05:13 ds-board authpriv.debug ipsec_starter[351]: | Default route found: iface=eth0, addr=10.224.2.101, nex0
Sep 14 17:05:13 ds-board authpriv.debug ipsec_starter[351]: | Loading config setup
Sep 14 17:05:13 ds-board authpriv.debug ipsec_starter[351]: | Loading conn %default
Sep 14 17:05:13 ds-board authpriv.debug ipsec_starter[351]: | Loading conn 'test'
Sep 14 17:05:13 ds-board authpriv.debug ipsec_starter[351]: | Found netkey IPsec stack
Sep 14 17:05:13 ds-board authpriv.debug ipsec_starter[365]: | Attempting to start charon...
Sep 14 17:05:13 ds-board daemon.info charon: 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.4)
Sep 14 17:05:13 ds-board daemon.info charon: 01[DMN] thread 1073862784 received 4
Sep 14 17:05:13 ds-board daemon.info charon: 01[DMN] killing ourself, received critical signal

Regards,
Dimitris

Dimitrios Siganos wrote:
> I also have a problem on the arm platform. I am cross compiling from Linux/Intel to arm platform. The latest release that works for me is 4.3.3. I don't know if have the same problem. I am investigating right now.
>
> Dimitrios Siganos
>
> Nguyễn Hoàng Anh wrote:
> > Hi Andreas and all members!
> >
> > Today, after finished make and make install strongswan 4.3.4 on an ARM architecture, I try setup it with a tunnel host-to-host to an I386, but I get this error in log file of pluto in I386:
> >
> > ..
> > client2 #2: we have a cert and are sending it upon request
> > server #3: NAT-Traversal: Result using RFC 3947: no NAT detected
> > server #3: we have a cert and are sending it upon request
> > client1 #1: next payload type of ISAKMP Hash Payload has an unknown value: 55
> > client1 #1: malformed payload in packet
> > client2 #2: next payload type of ISAKMP Hash Payload has an unknown value: 181
> > client2 #2: malformed payload in packet
> > server #3: next payload type of ISAKMP Hash Payload has an unknown value: 164
> > server #3: malformed payload in packet
> > ..
> >
> > What is this error and how can I solve it?
> >
> > Many thanks!
Re: [strongSwan] esalg: No test for authenc(hmac(sha1), cbc(aes)) (authenc(hmac(sha1-generic), cbc(aes-generic)))
I have found out that the message is coming from the linux kernel and not from charon as I thought.

It comes from the function:

int alg_test(const char *driver, const char *alg, u32 type, u32 mask)

I still don't know if it is something to worry about though.

Regards,
Dimitrios Siganos

Dimitrios Siganos wrote:
> Hi,
>
> I am getting the message:
>
> esalg: No test for authenc(hmac(sha1),cbc(aes)) (authenc(hmac(sha1-generic),cbc(aes-generic)))
>
> when I bring up a tunnel. The tunnel is established. I am using strongswan with openssl instead of libgmp. I believe (but I am not sure, I can check if you like) that I wasn't getting this message when I was using libgmp.
>
> I would like to know what this message means. And if it is something I should worry about.
>
> Later on, after a period of inactivity, of 30 min to 1 hour, the tunnel fails, one direction first and then eventually both directions. I will provide more details on that problem separately. I just wanted to know if this message is an early hint of a problem.
>
> The complete output from charon follows:
>
> # ipsec up test
> initiating IKE_SA test[1] to 10.224.2.100
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 10.224.2.101[500] to 10.224.2.100[500]
> received packet: from 10.224.2.100[500] to 10.224.2.101[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> received cert request for C=AU, ST=Some-State, L=London, O=Internet Widgits Pty Ltd, CN=west
> received cert request for C=AU, ST=Some-State, L=London, O=Internet Widgits Pty Ltd, CN=east
> sending cert request for C=UK, ST=Cambridgeshire, L=Cambridge, O=Airvana INC, OU=TR069, CN=Airvana CA, e=airvana...@airvana.com
> sending cert request for C=AU, ST=Some-State, L=London, O=Internet Widgits Pty Ltd, CN=east
> sending cert request for C=AU, ST=Some-State, L=London, O=Internet Widgits Pty Ltd, CN=west
> authentication of 'C=AU, ST=Some-State, L=London, O=Internet Widgits Pty Ltd, CN=east' (myself) with RSA signature successful
> sending end entity cert C=AU, ST=Some-State, L=London, O=Internet Widgits Pty Ltd, CN=east
> esalg: No test for authenc(hmac(sha1),cbc(aes)) (authenc(hmac(sha1-generic),cbc(aes-generic)))
> tablishing CHILD_SA test
> generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> sending packet: from 10.224.2.101[4500] to 10.224.2.100[4500]
> received packet: from 10.224.2.100[4500] to 10.224.2.101[4500]
> parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
> received end entity cert C=AU, ST=Some-State, L=London, O=Internet Widgits Pty Ltd, CN=west
> using trusted certificate C=AU, ST=Some-State, L=London, O=Internet Widgits Pty Ltd, CN=west
> authentication of 'C=AU, ST=Some-State, L=London, O=Internet Widgits Pty Ltd, CN=west' with RSA signature successful
> scheduling reauthentication in 3351s
> maximum IKE_SA lifetime 3531s
> IKE_SA test[1] established between 10.224.2.101[C=AU, ST=Some-State, L=London, O=Internet Widgits Pty Ltd, CN=east]...10.224.2.100[C=AU, ST=Some-State, L=London, O=Internet Widgits Pty Ltd, CN=west]
>
> Regards,
> Dimitrios Siganos
Re: [strongSwan] IPSEC_CONFDIR does not work?
If you look at the first few lines of the ipsec script, you will see that it assigns IPSEC_CONFDIR to /etc. That's why your approach doesn't work.

You could edit the script and see what happens. But I don't really know if that is the correct way to do what you want. That would depend on the behaviour of all the other scripts/binaries, which I don't know.

Dimitrios Siganos

Zhang, Long (Roger) wrote:
> Hi,
>
> I want to put all configuration files under my directory. Then I exported IPSEC_CONFDIR, but it seems IPSEC_CONFDIR does not work. Not sure why. My shell is bash. Tried two ways. And could not start my connection. If I started my connection under /etc, it could succeed. Curious, IPSEC_CONFDIR should be set.
>
> [r...@localhost config]# export IPSEC_CONFDIR=/home/zhangl/ipsec/config
> [r...@localhost config]# echo $IPSEC_CONFDIR
> /home/zhangl/ipsec/config
> [r...@localhost config]# ipsec --confdir
> /etc
>
> [r...@localhost config]# IPSEC_CONFDIR=/home/zhangl/ipsec/config
> [r...@localhost config]# export IPSEC_CONFDIR
> [r...@localhost config]# echo $IPSEC_CONFDIR
> /home/zhangl/ipsec/config
> [r...@localhost config]# ipsec --confdir
> /etc
>
> Thanks,
> Roger
Re: [strongSwan] a particular ``no trusted third party'' setup with X.509
Ivan Shmakov wrote:
> Consider, e. g., two sites which are going to establish secure communication. Each of the sites is comprised of a set of IKEv2-enabled hosts.
>
> Do I understand it correctly that with strongSwan:
>
> * it's not necessary to use X.509, though it may make maintenance easier;

You are right. It is not necessary to use x509. For example you can also use: a) shared password, b) rsa keys.

> * when there're no trusted third party to serve as the CA to sign the certificates for the hosts belonging to the sites, each of the sites should sign the certificates used by the hosts of the other site to connect to the hosts of this site (i. e., each of the sites effectively becomes a CA)?

Yes, you could do that, but you don't have to go to that length and probably shouldn't. Certificates without a trusted third party don't give you anything more (from a security point of view) than straight rsa keys. You don't need CAs. You can just use rsa keys or self signed certificates or even unique shared secrets for each link.

> With each of the sites being its own CA, tasks such as removing an other site's host from the set of the ``trusted ones'' (for whatever reason) could be accomplished by just revoking the respective certificate.

If you use self-signed certificates or rsa keys, revoking is the act of deleting the key/cert from trusted store.

> IIUC, this scheme is applicable to the other protocols that allow mutual authentication based on X.509 certificates (say, SMTP.) Or are there any known deficiencies?

Self-signed certificates would apply to other protocols that use certificate based authentication. Straight rsa keys and shared passwords, wouldn't.

Regards,
Dimitrios Siganos
Re: [strongSwan] a particular ``no trusted third party'' setup with X.509
Oops. I fell into the trap of thinking small scale. If you are talking about large scale installations then your way is probably recommended.

Dimitrios Siganos

Dimitrios Siganos wrote:
> Ivan Shmakov wrote:
> > Consider, e. g., two sites which are going to establish secure communication. Each of the sites is comprised of a set of IKEv2-enabled hosts.
> >
> > Do I understand it correctly that with strongSwan:
> >
> > * it's not necessary to use X.509, though it may make maintenance easier;
>
> You are right. It is not necessary to use x509. For example you can also use: a) shared password, b) rsa keys.
>
> > * when there're no trusted third party to serve as the CA to sign the certificates for the hosts belonging to the sites, each of the sites should sign the certificates used by the hosts of the other site to connect to the hosts of this site (i. e., each of the sites effectively becomes a CA)?
>
> Yes, you could do that, but you don't have to go to that length and probably shouldn't. Certificates without a trusted third party don't give you anything more (from a security point of view) than straight rsa keys. You don't need CAs. You can just use rsa keys or self signed certificates or even unique shared secrets for each link.
>
> > With each of the sites being its own CA, tasks such as removing an other site's host from the set of the ``trusted ones'' (for whatever reason) could be accomplished by just revoking the respective certificate.
>
> If you use self-signed certificates or rsa keys, revoking is the act of deleting the key/cert from trusted store.
>
> > IIUC, this scheme is applicable to the other protocols that allow mutual authentication based on X.509 certificates (say, SMTP.) Or are there any known deficiencies?
>
> Self-signed certificates would apply to other protocols that use certificate based authentication. Straight rsa keys and shared passwords, wouldn't.
>
> Regards,
> Dimitrios Siganos
Re: [strongSwan] IPv4 only and minimal kernel modules
Martin Willi wrote:
> > It seems that if I remove all of the Ipv6 modules the IPsec doesn't work
>
> Make sure to have at least a 2.6.29 kernel, apply the kernel patch [1] or use the workaround patch for strongSwan (attached, breaks mixed v4/v6 tunnels).
>
> Regards
> Martin
>
> [1] http://kerneltrap.org/mailarchive/linux-netdev/2008/11/25/4231304

I am using kernel 2.6.28. If I understand well, my options are:
1) upgrade to kernel 2.6.29 and apply patch [1] from above, to the linux kernel.
2) stick with kernel 2.6.28 and apply the disable-iaf-tunnels patch to charon (this patch will break v6/v4 mixed operation)

Can you confirm that this is correct and complete?

I plan to stick with 2.6.28 because changing kernel would require a lot of discussions and testing.

Regards,
Dimitrios Siganos
[strongSwan] IPv4 only and minimal kernel modules
Hi,

The webpage http://wiki.strongswan.org/wiki/1/KernelModules states that the following kernel modules are required for strongswan operation:

Networking --- Networking options ---
  Transformation user configuration interface
  PF_KEY sockets
  TCP/IP networking
  IP: advanced router
  IP: policy routing
  IP: AH transformation
  IP: ESP transformation
  IP: IPComp transformation
  IP: IPsec transport mode
  IP: IPsec tunnel mode
  IP: IPsec BEET mode (experimental)
  The IPv6 protocol
  IPv6: AH transformation
  IPv6: ESP transformation
  IPv6: IPComp transformation
  IPv6: IPsec transport mode
  IPv6: IPsec tunnel mode
  IPv6: IPsec BEET mode
  IPv6: Multiple Routing Tables
  Network packet filtering framework (Netfilter) --- Core Netfilter Configuration
  IPsec policy match support
Cryptographic API
  Select algorithms you want to use...

If we only want Ipv4 support, can this required kernel modules list be shortened?

It seems that if I remove all of the Ipv6 modules the IPsec doesn't work so there is some dependency. Can you tell what it is?

Regards,
Dimitrios Siganos
Re: [strongSwan] Problem signing the certificate by CA
From the logs I see, I can deduce that openssl expects to find the key file at:

./etc/ssl/private/strongswanKey.pem

which according to the bash prompt, is:

/etc/ipsec.d/cacerts/etc/ssl/private/strongswanKey.pem

That doesn't look like the normal way of doing things, so I am assuming it is wrong. I am guessing that you need to set dir like this (absolute path):

dir = /etc/ssl

You had it set as: ./etc/dir, which is relative to the current working directory (probably not what you intended).

Regards,
Dimitrios Siganos

Sushil Chaudhari wrote:

Hi Everyone,

I am trying to sign the user certificate from the certification authority but getting the following error:

r...@sushil:/etc/ipsec.d/cacerts# openssl ca -in moonReq.pem -days 730 -out moonCert.pem -notext
Using configuration from /usr/lib/ssl/openssl.cnf
Error opening CA private key ./etc/ssl/private/strongswanKey.pem
17427:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('./etc/ssl/private/strongswanKey.pem','r')
17427:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load CA private key

My openssl.cnf is as follows:

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the -extfile option of the
# openssl x509 utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

[ ca ]
default_ca = CA_default # The default ca section

[ CA_default ]

#dir = ./demoCA # Where everything is kept
dir = ./etc/ssl
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
                     # several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.

#certificate = $dir/cacert.pem # The CA certificate
certificate = $dir/strongswanCert.pem
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
                           # must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
#private_key = $dir/private/cakey.pem # The private key
private_key = $dir/private/strongswanKey.pem
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extentions to add to the cert

# Comment out the following two lines for the traditional
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName
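The relative `dir` discussed in the reply above can be caught before `openssl ca` is run. The following is an added example, not part of the original thread or of OpenSSL: a simplified reader for the CA section that expands `$dir` and reports which file would actually be opened from a given working directory. The sample config is a constructed excerpt, the function names are hypothetical, and the parser is an assumption that covers only plain `key = value` lines with `#` comments.

```python
import posixpath
import re

# Constructed excerpt modelled on the [ CA_default ] section quoted above.
SAMPLE_CNF = """\
[ ca ]
default_ca = CA_default        # The default ca section

[ CA_default ]
#dir = ./demoCA                # Where everything is kept
dir = ./etc/ssl
certificate = $dir/strongswanCert.pem
private_key = $dir/private/strongswanKey.pem
"""

def parse_sections(text):
    """Return {section: {key: value}}; '#' starts a comment."""
    sections, name = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            name = header.group(1)
            sections.setdefault(name, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[name][key] = value
    return sections

def expand(value, section):
    """Expand $name and ${name} references to keys of the same section."""
    def lookup(match):
        name = match.group(1)
        return expand(section[name], section) if name in section else match.group(0)
    return re.sub(r"\$\{?(\w+)\}?", lookup, value)

def ca_paths(text, cwd, keys=("certificate", "private_key")):
    """Map each key to (expanded value, path opened from cwd, is_absolute)."""
    sections = parse_sections(text)
    ca = sections[sections["ca"]["default_ca"]]
    report = {}
    for key in keys:
        value = expand(ca[key], ca)
        opened = posixpath.normpath(posixpath.join(cwd, value))
        report[key] = (value, opened, posixpath.isabs(value))
    return report

if __name__ == "__main__":
    for key, row in ca_paths(SAMPLE_CNF, "/etc/ipsec.d/cacerts").items():
        print(key, *row)
```

Any entry whose last field is `False` depends on the directory the command is started from, which is the situation shown by the `fopen('./etc/ssl/private/strongswanKey.pem','r')` error.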
[strongSwan] BUG: DN with email
# syslog:

Aug 18 15:44:59 ds-ubuntu-disk charon: 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.4)
Aug 18 15:44:59 ds-ubuntu-disk charon: 01[KNL] listening on interfaces:
Aug 18 15:44:59 ds-ubuntu-disk charon: 01[KNL] eth5
Aug 18 15:44:59 ds-ubuntu-disk charon: 01[KNL] 172.18.16.188
Aug 18 15:44:59 ds-ubuntu-disk charon: 01[KNL] fe80::222:19ff:fe10:e949
Aug 18 15:44:59 ds-ubuntu-disk charon: 01[KNL] eth6
Aug 18 15:44:59 ds-ubuntu-disk charon: 01[KNL] 10.224.2.100
Aug 18 15:44:59 ds-ubuntu-disk charon: 01[KNL] fe80::21b:21ff:fe33:dfb1
Aug 18 15:44:59 ds-ubuntu-disk charon: 01[CFG] loading ca certificates from '/opt/strongswan/etc/ipsec.d/cacerts'
Aug 18 15:44:59 ds-ubuntu-disk charon: 01[CFG] loading aa certificates from '/opt/strongswan/etc/ipsec.d/aacerts'
Aug 18 15:44:59 ds-ubuntu-disk charon: 01[CFG] loading ocsp signer certificates from '/opt/strongswan/etc/ipsec.d/ocspcerts'
Aug 18 15:44:59 ds-ubuntu-disk charon: 01[CFG] loading attribute certificates from '/opt/strongswan/etc/ipsec.d/acerts'
Aug 18 15:44:59 ds-ubuntu-disk charon: 01[CFG] loading crls from '/opt/strongswan/etc/ipsec.d/crls'
Aug 18 15:44:59 ds-ubuntu-disk charon: 01[CFG] loading secrets from '/opt/strongswan/etc/ipsec.secrets'
Aug 18 15:44:59 ds-ubuntu-disk charon: 01[CFG] loaded private key file '/opt/strongswan/etc/ipsec.d/private/host1.key'
Aug 18 15:44:59 ds-ubuntu-disk charon: 01[CFG] loaded private key file '/opt/strongswan/etc/ipsec.d/private/host2.key'
Aug 18 15:44:59 ds-ubuntu-disk charon: 01[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp kernel-netlink stroke updown attr resolv-conf
Aug 18 15:44:59 ds-ubuntu-disk charon: 01[JOB] spawning 16 worker threads
Aug 18 15:44:59 ds-ubuntu-disk charon: 04[CFG] received stroke: add connection 'host1'
Aug 18 15:44:59 ds-ubuntu-disk charon: 04[LIB] loaded certificate file '/opt/strongswan/etc/ipsec.d/certs/host1.cert'
Aug 18 15:44:59 ds-ubuntu-disk charon: 04[CFG] added configuration 'host1'
Aug 18 15:44:59 ds-ubuntu-disk charon: 04[CFG] received stroke: add connection 'host2'
Aug 18 15:44:59 ds-ubuntu-disk charon: 04[LIB] loaded certificate file '/opt/strongswan/etc/ipsec.d/certs/host2.cert'
Aug 18 15:44:59 ds-ubuntu-disk charon: 04[CFG] peerid C=UK, CN=host2, emailaddress=ho...@somewhere.com not confirmed by certificate, defaulting to subject DN: C=UK, CN=host2, e=ho...@somewhere.com
Aug 18 15:44:59 ds-ubuntu-disk charon: 04[CFG] added configuration 'host2'

# Note the line:

Aug 18 15:44:59 ds-ubuntu-disk charon: 04[CFG] peerid C=UK, CN=host2, emailaddress=ho...@somewhere.com not confirmed by certificate, defaulting to subject DN: C=UK, CN=host2, e=ho...@somewhere.com

That looks wrong, doesn't it?

Regards,
Dimitrios Siganos
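The "not confirmed by certificate" line above is what an OID mismatch in a synthesised DN looks like from the outside; the reply in this thread attributes the bug to a wrong emailAddress OID. The following is an added example, not strongSwan code: it DER-encodes a textual DN and compares it with a certificate subject. Assumptions: the byte-for-byte comparison is a simplification, the second OID (rfc822Mailbox) is chosen only for illustration because the page does not say which wrong OID was used, and the address is constructed.

```python
PKCS9_EMAIL = "1.2.840.113549.1.9.1"        # PKCS#9 emailAddress
RFC1274_MAIL = "0.9.2342.19200300.100.1.3"  # rfc822Mailbox (illustrative alternative)
OIDS = {"C": "2.5.4.6", "CN": "2.5.4.3"}

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    """Encode a dotted OID; arcs after the first two use base-128 digits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def parse_dn(text):
    """Split 'C=UK, CN=host' into [(key, value), ...] (no escaping handled)."""
    return [tuple(p.strip() for p in part.split("=", 1)) for part in text.split(",")]

def der_name(rdns, email_oid):
    """Build a Name: SEQUENCE of SET of SEQUENCE { OID, string }."""
    body = b""
    for key, value in rdns:
        if key.lower() in ("e", "emailaddress"):
            oid, tag = email_oid, 0x16            # IA5String
        else:
            oid, tag = OIDS[key.upper()], 0x13    # PrintableString
        body += tlv(0x31, tlv(0x30, der_oid(oid) + tlv(tag, value.encode("ascii"))))
    return tlv(0x30, body)

def id_matches_subject(identity, subject_der, email_oid):
    """True when the identity string, encoded with email_oid, equals the subject."""
    return der_name(parse_dn(identity), email_oid) == subject_der

if __name__ == "__main__":
    # Constructed subject, as a certificate would carry it (PKCS#9 OID).
    subject = der_name(parse_dn("C=UK, CN=host2, E=host2@example.invalid"), PKCS9_EMAIL)
    for oid in (PKCS9_EMAIL, RFC1274_MAIL):
        print(oid, id_matches_subject("C=UK, CN=host2, E=host2@example.invalid", subject, oid))
```

A DN without an e-mail RDN encodes identically under either choice, which is consistent with host1 working and host2 failing in the report.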
[strongSwan] bashism in ipsec script
The ipsec script has the following bashism (line 324 of ipsec script, git commit 333b461aa689c29197dadb2a15abc3ccade0c89a):

loop=$(($loop - 1))

This doesn't work on my embedded board running busybox msh. I suggest changing the line above to:

loop=`expr $loop - 1`

to make it more portable.

Regards,
Dimitris
Re: [strongSwan] BUG: DN with email
Yes, it does fix it. Thank you.

I noticed that you committed some more changes related to email OIDs. Are they important? Should I get those too? I am referring to http://wiki.strongswan.org/repositories/revision/strongswan/fc0ed07c1f44d56ac9a5353c23e4cd79ee2594dd.

Regards,
Dimitrios Siganos

Andreas Steffen wrote:

Hi Dimitrios,

yes, you are right. A recent refactoring of the RDN synthesis function introduced a wrong emailAddress OID (there are at least three of them but in most cases the PKCS#9 definition is still used). The following patch should fix your problem:

http://wiki.strongswan.org/repositories/revision/1/c8b543a6fc28bc335212ec69d39cc57f5b0e4095

Best regards

Andreas

Dimitrios Siganos wrote:

Hi,

I believe I have found a bug with the latest strongswan. I used strongswan-4.3.3 and also the latest git code (commit 333b461aa689c29197dadb2a15abc3ccade0c89a). They both exhibit the same or similar problem.

The problem appears when I add an email address to a certificate DN and then try to use DN matching in strongswan.

This type of DN works:

C=UK, CN=host1

This type of DN doesn't work:

C=UK, CN=host2, e=ho...@somewhere.com

To demonstrate the problem I created a very simple configuration with 2 self-signed certificates. One with an email in the DN and the other without. Then I try to set the leftid to be same as the DN of the certificate and start the ipsec. It only works if I don't have an email set in the DN.

The following was tested using the git commit 333b461aa689c29197dadb2a15abc3ccade0c89a.
ipsec.conf:

config setup
    strictcrlpolicy=no
    plutostart=no

conn host1
    right=%defaultroute
    leftcert=host1.cert
    leftid=C=UK, CN=host1
    auto=add

conn host2
    right=%defaultroute
    leftcert=host2.cert
    leftid=C=UK, CN=host2, e=ho...@somewhere.com
    auto=add

# ipsec.secrets:

: RSA host1.key
: RSA host2.key

# openssl x509 -in host1.cert -text -noout:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: a7:59:91:8d:a2:d8:e7:25
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=UK, CN=host1
        Validity
            Not Before: Aug 18 14:17:23 2009 GMT
            Not After : Aug 18 14:17:23 2010 GMT
        Subject: C=UK, CN=host1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                48:A6:C5:61:A7:97:56:5D:0C:D1:0C:67:EA:C0:1E:BC:51:7F:59:75
            X509v3 Authority Key Identifier:
                keyid:48:A6:C5:61:A7:97:56:5D:0C:D1:0C:67:EA:C0:1E:BC:51:7F:59:75
                DirName:/C=UK/CN=host1
                serial:A7:59:91:8D:A2:D8:E7:25
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption

# openssl x509 -in host2.cert -text -noout:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8f:00:01:8a:0d:5d:0f:42
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=UK, CN=host2/emailaddress=ho...@somewhere.com
        Validity
            Not Before: Aug 18 14:17:02 2009 GMT
            Not After : Aug 18 14:17:02 2010 GMT
        Subject: C=UK, CN=host2/emailaddress=ho...@somewhere.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c9:dd:90:db:c3:25:61:e6:f2:06:be:7c:9c:ba:
                    94:87:ec:c8:98:17:c8:bf:18:07:96:a4:32:00:4d:
                    a2:33:36:f4:3b:11:eb:12:7c:96:dd:31:07:16:2c:
                    28:3d:c9:ff:c1:88:0c:86:31:e7:15:ef:a3:63:e3