Re: [strongSwan] Davici parsing of terminating an IKE connection
Let me know if I am incorrect: user_data is the last parameter in davici_queue?

1) Now, is it right practice to add a few more elements to the tester structure to be passed to the callback function? These additional elements can be used to manage the response of deleting the connections.

2) If many davici requests are happening in parallel, does davici make a copy of user_data for each request, or is it overwritten with the tester structure information of the last call?

3) Is there any limit on the size of data that can be added?

Thanks,
Rajeev

On Tue, Jun 26, 2018 at 8:00 AM, Tobias Brunner wrote:
> > Question: Is there a way to know, when we parse the response from davici,
> > which connection is deleted? If yes, from what parameter of davici do we
> > get the information? I see reqcb() parses the davici response.
>
> Two things: 1. Requests queued on the same connection are processed
> sequentially. 2. You can pass user data when queuing a request that's
> later passed to the callback.
>
> Regards,
> Tobias
Re: [strongSwan] Davici parsing of terminating an IKE connection
Thanks a lot.
Rajeev

On Tue, Jun 26, 2018 at 8:00 AM, Tobias Brunner wrote:
> > Question: Is there a way to know, when we parse the response from davici,
> > which connection is deleted? If yes, from what parameter of davici do we
> > get the information? I see reqcb() parses the davici response.
>
> Two things: 1. Requests queued on the same connection are processed
> sequentially. 2. You can pass user data when queuing a request that's
> later passed to the callback.
>
> Regards,
> Tobias
[strongSwan] Davici parsing of terminating an IKE connection
Scenario: strongSwan has established multiple IKE connections with different peers. Let's say we have three different connections. Out of those we plan to delete two connections by initiating the davici terminate command.

Question: Is there a way to know, when we parse the response from davici, which connection is deleted? If yes, from what parameter of davici do we get the information? I see reqcb() parses the davici response.

Thanks,
Rajeev
Re: [strongSwan] strongSwan to ignore IKE_SA_INIT response from a bogus IPv6 address
Hi Tobias,

Which parameter configures the specific remote IP address for a connection, so that we can reject the messages from any other IP address? I am assuming we are talking about one of the parameters in swanctl.conf. If we are talking about connections.<conn>.remote_addrs: I did configure remote_addrs, and that does not help strongSwan ignore the IKE_SA_INIT response from a bogus IPv6 address. Is iptables the only way to stop it?

Thanks,
Rajeev

On Wed, May 23, 2018 at 3:42 AM, Tobias Brunner wrote:
> Hi Rajeev,
>
> > I would
> > imagine it should be rejected.
>
> Why? Unless you configure specific remote IP addresses for a connection
> there is no reason to reject messages from any IPs.
>
> Regards,
> Tobias
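The iptables approach Tobias suggests, as an added example that is not part of the thread: an ip6tables script for the initiator that accepts IKE (UDP 500 and 4500) and ESP only from the configured responder and drops the same traffic from any other source, so a response like the one from fc00:cada:c406::500 in the log quoted in this thread never reaches charon. It assumes ip6tables with the default filter table; the IKE_PEER chain name and the IP6TABLES override variable are this example's own, and the peer address is the responder from the thread. Pinning the peer this way also blocks a responder whose address legitimately changes (NAT rebinding, MOBIKE), so it only suits a responder with a fixed address.

```shell
#!/bin/sh
# Added example, not from the strongSwan thread: pin inbound IKE and ESP on an
# initiator to one known responder with ip6tables, so packets to UDP 500/4500
# or ESP from any other source are dropped before charon sees them.
# Assumes ip6tables with the default filter table. Run as root:
#   sh ike-peer-filter.sh fc00:cada:c406::200
# Set IP6TABLES=echo to print the rules instead of applying them.

# ike_peer_filter <responder-ipv6>: divert all IKE/ESP input into one chain
# (IKE_PEER, a name chosen for this example) that accepts the peer and drops
# everyone else. -I puts the jumps at the top of INPUT so a permissive
# catch-all rule further down cannot admit the bogus source first.
ike_peer_filter() {
    peer="$1"
    tool="${IP6TABLES:-ip6tables}"

    # (re)create the chain: -N fails if it already exists, then just flush it
    "$tool" -N IKE_PEER 2>/dev/null || "$tool" -F IKE_PEER
    "$tool" -A IKE_PEER -s "$peer" -j ACCEPT
    "$tool" -A IKE_PEER -j DROP

    "$tool" -I INPUT -p udp --dport 500 -j IKE_PEER    # IKE
    "$tool" -I INPUT -p udp --dport 4500 -j IKE_PEER   # IKE/ESP-in-UDP (NAT-T)
    "$tool" -I INPUT -p esp -j IKE_PEER                # ESP, IP protocol 50
}

if [ "$#" -eq 1 ]; then
    ike_peer_filter "$1"
else
    echo "usage: $0 <responder-ipv6-address>" >&2
fi
```

With IP6TABLES=echo the script prints the six rules it would apply, which is a quick way to review them before touching a remote box.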
Re: [strongSwan] strongSwan to ignore IKE_SA_INIT response from a bogus IPv6 address
For the following scenario, is it a strongSwan bug? The responder IP address is fc00:cada:c406::200. But even if the reply comes from a different IPv6 address, everything succeeds as if nothing is wrong. In the following case the IKE_SA_INIT response came from fc00:cada:c406::500. I would imagine it should be rejected.

9[KNL] creating acquire job for policy fc00:cada:c406:607::1001/128[tcp/57861] === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
07[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to fc00:cada:c406::200
07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
07[NET] sending packet: from fc00:cada:c406:607::1001[500] to fc00:cada:c406::200[500] (456 bytes)
08[NET] received packet: from fc00:cada:c406::500[500] to fc00:cada:c406:607::1001[500] (453 bytes)
08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
08[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
08[IKE] received 1 cert requests for an unknown ca
08[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
08[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
08[IKE] authentication of 'C=US, O=ARRIS Group, OU=DCA Remote Device Certificate, CN=00:01:5c:b0:04:ad' (myself) with RSA signature successful
08[IKE] sending end entity cert "C=US, O=ARRIS Group, OU=DCA Remote Device Certificate, CN=00:01:5c:b0:04:ad"
08[IKE] sending issuer cert "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
08[IKE] establishing CHILD_SA gcpfc00:cada:c406::200{2}
08[ENC] generating IKE_AUTH request 1 [ IDi CERT CERT CERTREQ AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
08[NET] sending packet: from fc00:cada:c406:607::1001[500] to fc00:cada:c406::200[500] (3200 bytes)
15[NET] received packet: from fc00:cada:c406::200[500] to fc00:cada:c406:607::1001[500] (7280 bytes)
15[ENC] parsed IKE_AUTH response 1 [ N(ESP_TFC_PAD_N) N(USE_TRANSP) IDr CERT CERT CERT CERT CERT AUTH SA TSi TSr ]
15[IKE] received end entity cert "C=US, O=CableLabs, CN=00:01:5c:96:16:00"
15[IKE] received issuer cert "C=US, O=CableLabs, OU=Device CA01, CN=CableLabs Device Certification Authority"
15[IKE] received issuer cert "C=US, O=CableLabs, OU=Device CA02, CN=CableLabs Device Certification Authority"
15[IKE] received issuer cert "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
15[IKE] received issuer cert "C=US, O=CableLabs, OU=TEST Service Provider CA01, CN=TEST CableLabs Service Provider Certification Authority"
15[CFG] using certificate "C=US, O=CableLabs, CN=00:01:5c:96:16:00"
15[CFG] using untrusted intermediate certificate "C=US, O=CableLabs, OU=TEST Service Provider CA01, CN=TEST CableLabs Service Provider Certification Authority"
15[CFG] checking certificate status of "C=US, O=CableLabs, CN=00:01:5c:96:16:00"
15[CFG] certificate status is not available
15[CFG] using trusted ca certificate "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
15[CFG] checking certificate status of "C=US, O=CableLabs, OU=TEST Service Provider CA01, CN=TEST CableLabs Service Provider Certification Authority"
15[CFG] certificate status is not available
15[CFG] reached self-signed root ca with a path length of 1
15[IKE] authentication of 'C=US, O=CableLabs, CN=00:01:5c:96:16:00' with RSA signature successful
15[IKE] IKE_SA rpdfc00:cada:c406::200[1] established between fc00:cada:c406:607::1001[C=US, O=ARRIS Group, OU=DCA Remote Device Certificate, CN=00:01:5c:b0:04:ad]...fc00:cada:c406::200[C=US, O=CableLabs, CN=00:01:5c:96:16:00]
15[IKE] scheduling rekeying in 13604s
15[IKE] maximum IKE_SA lifetime 15044s

On Tue, May 22, 2018 at 9:08 AM, Tobias Brunner wrote:
> Hi Rajeev,
>
> > Is there a way for strongSwan to ignore an IKE_SA_INIT response from a bogus
> > IPv6 address? strongSwan replies to all the IKE_SA_INIT received from all
> > IP addresses.
>
> Use iptables.
>
> Regards,
> Tobias
[strongSwan] strongSwan to ignore IKE_SA_INIT response from a bogus IPv6 address
I use the davici interface with strongSwan 5.5. Is there a way for strongSwan to ignore an IKE_SA_INIT response from a bogus IPv6 address? strongSwan replies to all the IKE_SA_INIT received from all IP addresses.

Thanks,
Rajeev
Re: [strongSwan] Cleaning up SAs
Thanks,

I initiate the "terminate" command to clear the IKE connection. This command will tear down the SAs as well. But there is a retry mechanism to tear down the SA. When "terminate" is issued, I would like to delete immediately instead of going through the retry mechanism.

Thanks,
Rajeev

On Fri, Apr 27, 2018 at 5:08 PM, Phil Frost <p...@postmates.com> wrote:
> Does dpdaction=clear do what you need?
>
> On Fri, Apr 27, 2018, 10:11 rajeev nohria <rajnoh...@gmail.com> wrote:
>> I am using strongSwan 5.5.0 and the davici interface. Is there a way (any
>> options) to delete the SA immediately if the peer goes down instead of going
>> through retries?
>>
>> Any help is appreciated. I could not find anything so far.
>>
>> Thanks,
>> Rajeev
[strongSwan] Cleaning up SAs
I am using strongSwan 5.5.0 and the davici interface. Is there a way (any options) to delete the SA immediately if the peer goes down instead of going through retries?

Any help is appreciated. I could not find anything so far.

Thanks,
Rajeev
[strongSwan] DAVICI related question
In davici, what are the events and what are they for? I see the davici_register and davici_unregister functions. I am looking for events like certificate failed, certificate revoked, or IKEv2 connection failed. I do see it in the log, but I would like to receive those events so that code can react to them. How can I do that?

Thanks,
Rajeev
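Added example, not part of the thread and not code from the davici project: one program that ties the three davici questions on this page together (per-request user data when terminating several IKE_SAs, the "Cleaning up SAs" wish to tear down without retries, and the event question in this message). Each terminate request gets its own heap-allocated context as the last argument of davici_queue; davici stores that pointer and does not copy the struct, so a single struct reused across requests would be overwritten, and since it is only a pointer there is no size limit on what it carries. The response callback uses the context to say which IKE_SA a given { success, errmsg } answer is for. davici_register subscribes to the events the vici plugin raises: ike-updown, ike-rekey, child-updown, child-rekey, log and control-log (plus the list-* events used by the list commands); there is no dedicated certificate-failed or certificate-revoked event, those failures arrive as "log" lines, and a failing initiate also reports them through its errmsg and control-log output when a loglevel is given. Whether the terminate command accepts force = yes (return without waiting for the peer's answer to the DELETE, which is the retry-free teardown asked for) depends on the strongSwan version; check the vici README of the installed release before relying on it. Assumed here: libdavici's public API as in its README (davici_connect_unix with an fd callback, davici_new_request/davici_kvf/davici_queue, davici_register, davici_parse/davici_get_name/davici_get_string, davici_read/davici_write/davici_disconnect and the DAVICI_* element and fd-op constants), charon's vici socket at /var/run/charon.vici, and a poll()-based loop written for this example. Build with cc -o terminate-many terminate-many.c -ldavici and run with access to the vici socket, e.g. ./terminate-many rpdfc00:cada:c406::200.

```c
/* Added example, not from the thread or the davici project; see the lead-in. */
#include <davici.h>
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct app {
	struct davici_conn *conn;
	int fd, ops;        /* socket and DAVICI_READ/DAVICI_WRITE ops to wait for */
	int outstanding;    /* requests queued but not yet answered */
};

/* One context per request: davici stores only this pointer and never copies the
 * struct, so reusing one struct for several queued requests would overwrite it. */
struct terminate_ctx {
	struct app *app;
	char ike[64];       /* IKE_SA name sent in the request, for correlation */
};

static int fdcb(struct davici_conn *c, int fd, int ops, void *user)
{
	struct app *app = user;   /* davici tells us which fd to wait on, and for what */
	app->fd = fd; app->ops = ops;
	return 0;
}

static void terminate_cb(struct davici_conn *c, int err, const char *name,
			 struct davici_response *res, void *user)
{
	struct terminate_ctx *ctx = user;
	char val[256];
	const char *result = err < 0 ? strerror(-err) : "failed";
	/* one call per terminate request; the answer is { success = yes|no, errmsg } */
	while (err >= 0 && davici_parse(res) == DAVICI_KEY_VALUE) {
		davici_get_string(res, val, sizeof(val));
		if (!strcmp(davici_get_name(res), "success") && !strcmp(val, "yes"))
			result = "ok";
	}
	printf("terminate %s: %s\n", ctx->ike, result);   /* ctx says which IKE_SA */
	ctx->app->outstanding--;
	free(ctx);
}

/* Prints an event's top-level key/value pairs. "ike-updown" carries up=yes|no plus
 * the IKE_SA as a section; "log" carries the daemon's log lines (cert/auth failures). */
static void event_cb(struct davici_conn *c, int err, const char *name,
		     struct davici_response *res, void *user)
{
	char val[512];
	if (err < 0 || !res)   /* transport error, or registration confirmation */
		return;
	printf("event %s:", name);
	for (int e; (e = davici_parse(res)) > 0; )   /* DAVICI_END is 0, error < 0 */
		if (e == DAVICI_KEY_VALUE)
			printf(" %s=%s", davici_get_name(res), davici_get_string(res, val, sizeof(val)));
	printf("\n");
}

static int queue_terminate(struct app *app, const char *ike)
{
	struct davici_request *req;
	struct terminate_ctx *ctx = calloc(1, sizeof(*ctx));
	int err = ctx ? davici_new_request("terminate", &req) : -ENOMEM;
	if (err >= 0) {
		ctx->app = app;
		snprintf(ctx->ike, sizeof(ctx->ike), "%s", ike);
		davici_kvf(req, "ike", "%s", ike);   /* "force" = yes here would skip DELETE retries */
		err = davici_queue(app->conn, req, terminate_cb, ctx);   /* davici owns req now */
	}
	if (err < 0)
		free(ctx);
	else
		app->outstanding++;
	return err;
}

int main(int argc, char *argv[])
{
	struct app app = { 0 };
	if (argc < 2 || davici_connect_unix("/var/run/charon.vici", fdcb, &app, &app.conn) < 0) {
		fprintf(stderr, "usage: %s <ike-name>... (needs charon's vici socket)\n", argv[0]);
		return 1;
	}
	davici_register(app.conn, "ike-updown", event_cb, &app);
	davici_register(app.conn, "log", event_cb, &app);
	for (int i = 1; i < argc; i++)
		queue_terminate(&app, argv[i]);
	while (app.outstanding > 0) {   /* answers arrive in the order queued */
		struct pollfd pfd = { .fd = app.fd, .events =
			(app.ops & DAVICI_READ ? POLLIN : 0) | (app.ops & DAVICI_WRITE ? POLLOUT : 0) };
		if (poll(&pfd, 1, 10000) <= 0)
			break;   /* timeout or error: stop waiting */
		if ((pfd.revents & POLLOUT) && davici_write(app.conn) < 0) break;
		if ((pfd.revents & POLLIN)  && davici_read(app.conn) < 0) break;
	}
	davici_disconnect(app.conn);
	return 0;
}
```

The important design point for the question above is the lifetime of the context: it is allocated before davici_queue and freed inside the callback, never on the stack of the function that queued it, because the callback runs later from davici_read.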
Re: [strongSwan] strongSwan 5.5 - no private key found
Thanks,

Based on the response I was able to resolve my issue. I was removing "/" when reading the subject.

-Rajeev

On Fri, Feb 9, 2018 at 11:02 AM, Tobias Brunner wrote:
> Hi Rajeev,
>
> > Using DAVICI, I did make sure local.id is "C=US,
> > O=ARRIS Group, Inc., OU=DCA Remote Device Certificate,
> > CN=FF:FF:05:E6:E7:80"
>
> The comma between "Group" and "Inc." in the O RDN lets the identity
> string parser fail and this string will not be treated as ASN.1 DN but
> as opaque key ID, this won't match your private key during the lookup.
> If you want to configure DNs that contain commas you can either use /
> instead of comma to separate the RDNs (the whole string has to start
> with a slash then):
>
> /C=US/O=ARRIS Group, Inc./OU=DCA Remote Device Certificate/CN=FF:FF:05:E6:E7:80
>
> Or you may configure the identity as binary ASN.1 value with the asn1dn:
> prefix (use the pki --dn utility). Also an option is to not configure
> an identity in the local auth config but instead the client certificate,
> then the identity should default to the subject DN of the certificate.
>
> Regards,
> Tobias
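Added example, not code from the thread or from strongSwan: the two unambiguous spellings Tobias describes, produced from a structured RDN list so that the comma inside "ARRIS Group, Inc." is just part of a value. slash_form() gives the /C=US/O=.../ string and asn1dn_form() gives the asn1dn:#<hex> string, the latter by DER-encoding the X.501 Name itself. Assumed: the value string types a typical CA uses (PrintableString where the character set allows, UTF8String otherwise); if the certificate's subject was encoded with other string types the bytes will differ, so for the asn1dn: form prefer pki --dn on the certificate itself, as Tobias suggests. The same comma-in-O problem is behind the "no private key found" thread further down this page, where the identical DN was given as the local id.

```python
"""Added example, not code from the thread or from strongSwan: emit the two
unambiguous spellings of a DN whose O value contains a comma, the slash form
and the asn1dn:#<hex> form, from a structured RDN list. The DER encoder
follows X.501/RFC 5280 and assumes the value types a typical CA uses
(PrintableString when the character set allows it, UTF8String otherwise)."""
import re

# attribute type OIDs for the RDNs seen in the thread's certificates (RFC 4519)
_OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3",
         "ST": "2.5.4.8", "L": "2.5.4.7", "serialNumber": "2.5.4.5"}
# the PrintableString repertoire: ',' is allowed, which is exactly why
# "ARRIS Group, Inc." is a legal value and a problem for a text parser
_PRINTABLE = re.compile(r"^[A-Za-z0-9 '()+,\-./:=?]*$")


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _oid(dotted: str) -> bytes:
    """Encode a dotted OID as an ASN.1 OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_dn(rdns) -> bytes:
    """DER-encode [('C', 'US'), ('O', 'ARRIS Group, Inc.'), ...] as an X.501
    Name: SEQUENCE OF SET OF SEQUENCE { type OID, value }."""
    sets = b""
    for typ, val in rdns:
        if _PRINTABLE.match(val):
            value = _tlv(0x13, val.encode("ascii"))     # PrintableString
        else:
            value = _tlv(0x0C, val.encode("utf-8"))     # UTF8String
        sets += _tlv(0x31, _tlv(0x30, _oid(_OIDS[typ]) + value))
    return _tlv(0x30, sets)


def slash_form(rdns) -> str:
    """strongSwan's alternative text syntax: RDNs separated by '/', so commas
    inside a value are literal. The string must start with the slash."""
    return "".join(f"/{typ}={val}" for typ, val in rdns)


def asn1dn_form(rdns) -> str:
    """The binary form strongSwan accepts with the asn1dn: prefix ('#' = hex)."""
    return "asn1dn:#" + encode_dn(rdns).hex()


if __name__ == "__main__":
    # the subject from the thread, as structured input: no parser ambiguity
    subject = [("C", "US"), ("O", "ARRIS Group, Inc."),
               ("OU", "DCA Remote Device Certificate"), ("CN", "FF:FF:05:E6:E7:80")]
    print(slash_form(subject))
    print(asn1dn_form(subject))
```

Either output can be put into the local id; the slash form is readable in swanctl.conf, the asn1dn form is what to use when the string must round-trip through code that would otherwise re-split it on commas, which is what happened in this thread.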
Re: [strongSwan] strongSwan 5.5 - no private key found
Let me know if I can send you more information.

On Thu, Feb 8, 2018 at 12:19 PM, rajeev nohria <rajnoh...@gmail.com> wrote:
> Now I am getting the following error and have not been able to resolve it for
> some time. Any inkling is helpful here.
>
> Using DAVICI, I did make sure local.id is "C=US, O=ARRIS Group, Inc.,
> OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E7:80"
>
> What else could I be missing?
>
> writing RSA key
> 11[CFG] loaded RSA private key
> 11[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority'
> 11[CFG] loaded certificate 'C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E7:80'
> 11[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority'
> Key Value success
> Davici End
> Key Value success
> Davici End
> Key Value success
> Davici End
> Key Value success
> Davici End
>
> 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
> 06[NET] sending packet: from fc00:cada:c404:607::1001[500] to fc00:cada:c404::200[500] (456 bytes)
> 13[NET] received packet: from fc00:cada:c404::200[500] to fc00:cada:c404:607::1001[500] (453 bytes)
> 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
> 13[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
> 13[IKE] received 1 cert requests for an unknown ca
> 13[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
> 13[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
> 13[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E7:80'
>
> L4-RPD1-O6k># ipsec listcerts
>
> List of X.509 End Entity Certificates
>
>   subject:  "C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E7:80"
>   issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
>   validity:  not before Sep 14 16:13:25 2017, ok
>              not after  Sep 14 16:13:25 2018, ok (expires in 218 days)
>   serial:    01:ff:ff:05:e6:e7:80
>   authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
>   subjkeyId: 39:9c:b3:7d:20:23:f5:73:46:ce:fc:1a:84:a4:c0:6f:f6:e7:4c:18
>   pubkey:    RSA 2048 bits, has private key
>   keyid:     32:28:f2:70:8b:72:f1:33:05:47:9d:26:ae:00:a2:ea:93:b4:e2:a2
>   subjkey:   39:9c:b3:7d:20:23:f5:73:46:ce:fc:1a:84:a4:c0:6f:f6:e7:4c:18
>
> L4-RPD1-O6k># pki --print --type x509 --in
>   subject:  "C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E7:80"
>   issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
>   validity:  not before Sep 14 16:13:25 2017, ok
>              not after  Sep 14 16:13:25 2018, ok (expires in 218 days)
>   serial:    01:ff:ff:05:e6:e7:80
>   authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
>   subjkeyId: 39:9c:b3:7d:20:23:f5:73:46:ce:fc:1a:84:a4:c0:6f:f6:e7:4c:18
>   pubkey:    RSA 2048 bits
>   keyid:     32:28:f2:70:8b:72:f1:33:05:47:9d:26:ae:00:a2:ea:93:b4:e2:a2
>   subjkey:   39:9c:b3:7d:20:23:f5:73:46:ce:fc:1a:84:a4:c0:6f:f6:e7:4c:18
>
> L4-RPD1-O6k># pki --print --type rsa-priv --in
>   privkey:   RSA 2048 bits
>   keyid:     32:28:f2:70:8b:72:f1:33:05:47:9d:26:ae:00:a2:ea:93:b4:e2:a2
>   subjkey:   39:9c:b3:7d:20:23:f5:73:46:ce:fc:1a:84:a4:c0:6f:f6:e7:4c:18
[strongSwan] strongSwan 5.5 - no private key found
Now I am getting the following error and have not been able to resolve it for some time. Any inkling is helpful here.

Using DAVICI, I did make sure local.id is "C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E7:80"

What else could I be missing?

writing RSA key
11[CFG] loaded RSA private key
11[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority'
11[CFG] loaded certificate 'C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E7:80'
11[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority'
Key Value success
Davici End
Key Value success
Davici End
Key Value success
Davici End
Key Value success
Davici End

06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
06[NET] sending packet: from fc00:cada:c404:607::1001[500] to fc00:cada:c404::200[500] (456 bytes)
13[NET] received packet: from fc00:cada:c404::200[500] to fc00:cada:c404:607::1001[500] (453 bytes)
13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
13[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
13[IKE] received 1 cert requests for an unknown ca
13[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
13[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
13[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E7:80'

L4-RPD1-O6k># ipsec listcerts

List of X.509 End Entity Certificates

  subject:  "C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E7:80"
  issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
  validity:  not before Sep 14 16:13:25 2017, ok
             not after  Sep 14 16:13:25 2018, ok (expires in 218 days)
  serial:    01:ff:ff:05:e6:e7:80
  authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
  subjkeyId: 39:9c:b3:7d:20:23:f5:73:46:ce:fc:1a:84:a4:c0:6f:f6:e7:4c:18
  pubkey:    RSA 2048 bits, has private key
  keyid:     32:28:f2:70:8b:72:f1:33:05:47:9d:26:ae:00:a2:ea:93:b4:e2:a2
  subjkey:   39:9c:b3:7d:20:23:f5:73:46:ce:fc:1a:84:a4:c0:6f:f6:e7:4c:18

L4-RPD1-O6k># pki --print --type x509 --in
  subject:  "C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E7:80"
  issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
  validity:  not before Sep 14 16:13:25 2017, ok
             not after  Sep 14 16:13:25 2018, ok (expires in 218 days)
  serial:    01:ff:ff:05:e6:e7:80
  authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
  subjkeyId: 39:9c:b3:7d:20:23:f5:73:46:ce:fc:1a:84:a4:c0:6f:f6:e7:4c:18
  pubkey:    RSA 2048 bits
  keyid:     32:28:f2:70:8b:72:f1:33:05:47:9d:26:ae:00:a2:ea:93:b4:e2:a2
  subjkey:   39:9c:b3:7d:20:23:f5:73:46:ce:fc:1a:84:a4:c0:6f:f6:e7:4c:18

L4-RPD1-O6k># pki --print --type rsa-priv --in
  privkey:   RSA 2048 bits
  keyid:     32:28:f2:70:8b:72:f1:33:05:47:9d:26:ae:00:a2:ea:93:b4:e2:a2
  subjkey:   39:9c:b3:7d:20:23:f5:73:46:ce:fc:1a:84:a4:c0:6f:f6:e7:4c:18
Re: [strongSwan] strongSwan 5.5
Andreas,

There was an issue with creating the private RSA key. That has been resolved now. Thanks for the direction.

Rajeev

On Wed, Feb 7, 2018 at 1:05 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
> Hi Rajeev,
>
> the private key itself does not pass the key integrity tests of
> the gmp plugin. How did you create the private RSA key?
>
> Regards
>
> Andreas
>
> On 07.02.2018 04:43, rajeev nohria wrote:
> >
> > I am getting the following error.
> >
> > writing RSA key
> > 11[LIB] key integrity tests failed
> > 11[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 8 builders
> >
> > What could be wrong? I verified the certificate and private key from the
> > following site and they matched.
> >
> > https://www.sslshopper.com/certificate-key-matcher.html
> >
> > Thanks in advance,
> >
> > Rajeev
>
> --
> ======================================================================
> Andreas Steffen                         andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Networked Solutions
> HSR University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[INS-HSR]==
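Added example, not code from the thread or from strongSwan: a small checker for the arithmetic an RSA private key must satisfy (n = p*q, e*d = 1 mod lcm(p-1, q-1), the CRT exponents and coefficient, and a sign/verify round trip). Failing these is what "key integrity tests failed" means in practice; a modulus-only comparison such as the web key matcher mentioned above cannot detect it, because it never looks at p, q, d or the CRT values. openssl rsa -check -noout -in key.pem runs the same kind of test from the command line. The PKCS#1 parser handles the unencrypted "RSA PRIVATE KEY" PEM form only; the embedded sample key uses toy primes and is constructed for this example.

```python
"""Added example, not code from the thread or from strongSwan: parse an
unencrypted PKCS#1 "RSA PRIVATE KEY" and check the arithmetic relations its
components must satisfy. A key that fails them is what strongSwan's gmp
plugin rejects as "key integrity tests failed"; a modulus-only comparison
(like the web key matcher used in the thread) cannot notice, because it never
looks at p, q, d or the CRT values. The sample key below uses toy primes and
is constructed for this example only."""
import base64
import math


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_pkcs1(der: bytes) -> dict:
    """RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv, ... }"""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("RSAPrivateKey must be a SEQUENCE")
    names = ["version", "n", "e", "d", "p", "q", "dp", "dq", "qinv"]
    key, pos = {}, 0
    for name in names:
        if pos >= len(body):
            raise ValueError("truncated RSAPrivateKey")
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError(f"{name}: expected INTEGER")
        key[name] = int.from_bytes(val, "big", signed=True)
    return key


def parse_pem(pem: str) -> dict:
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return parse_pkcs1(base64.b64decode(b64))


def check_rsa_key(k: dict) -> list:
    """Names of the relations that fail; an empty list means the key is consistent."""
    n, e, d, p, q = k["n"], k["e"], k["d"], k["p"], k["q"]
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)     # Carmichael lambda(n)
    m = 0x1234 % n                                         # any message for a round trip
    checks = {
        "n == p*q": p * q == n,
        "e*d == 1 mod lcm(p-1,q-1)": (e * d) % lam == 1,
        "dp == d mod (p-1)": k["dp"] == d % (p - 1),
        "dq == d mod (q-1)": k["dq"] == d % (q - 1),
        "qinv*q == 1 mod p": (k["qinv"] * q) % p == 1,
        "sign/verify round trip": pow(pow(m, d, n), e, n) == m,
    }
    return [name for name, ok in checks.items() if not ok]


# Constructed toy key (p=61, q=53, n=3233, e=17, d=2753); no security value.
SAMPLE_DER = bytes.fromhex(
    "301d" "020100" "02020ca1" "020111" "02020ac1"
    "02013d" "020135" "020135" "020131" "020126")
SAMPLE_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END RSA PRIVATE KEY-----\n")


if __name__ == "__main__":
    import sys
    key = parse_pem(open(sys.argv[1]).read()) if len(sys.argv) > 1 else parse_pem(SAMPLE_PEM)
    failed = check_rsa_key(key)
    print("key integrity: " + ("ok" if not failed else "FAILED: " + ", ".join(failed)))
```

Run it against the real key file to get the list of failing relations, which narrows down whether the key was mangled on conversion (wrong CRT values are typical of a hand-built or badly converted key) or is not an RSA key at all.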
[strongSwan] strongSwan 5.5
I am getting the following error.

writing RSA key
11[LIB] key integrity tests failed
11[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 8 builders

What could be wrong? I verified the certificate and private key from the following site and they matched.

https://www.sslshopper.com/certificate-key-matcher.html

Thanks in advance,

Rajeev
Re: [strongSwan] Question related to ESP_TFC_PADDING_NOT_SUPPORTED
Let me ask the question again.

On the local side I did not configure TFC, and by default it should be disabled. From the remote I am receiving the following message:

12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding

What exactly does "not using ESPv3 TFC padding" mean? Does it mean local is also not using TFC padding? Why would local send a message with TFC when TFC is disabled by default? I have tried tfc_padding = 0 in the configuration and get the same message. Just trying to understand.

On Wed, Jan 10, 2018 at 10:51 AM, rajeev nohria <rajnoh...@gmail.com> wrote:
> I am trying to understand if ESP_TFC_PADDING_NOT_SUPPORTED means local is
> using TFC.
>
> I am getting the ESP_TFC_PADDING_NOT_SUPPORTED message from the remote. Does that mean
> local is using TFC?
> On local I have to configure tfc_padding, and by default it is disabled.
> If by default it is disabled, why is the local side sending packets with TFC?
>
> 12[CFG] certificate status is not available
> 12[CFG] reached self-signed root ca with a path length of 1
> 12[IKE] authentication of 'C=US, O=CableLabs, CN=00:01:5c:96:16:00' with RSA signature successful
> 12[IKE] IKE_SA rpdfc00:cada:c406::200[1] established between fc00:cada:c406:607::1001[C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e]...fc00:cada:c406::200[C=US, O=CableLabs, CN=00:01:5c:96:16:00]
> 12[IKE] scheduling rekeying in 13218s
> 12[IKE] maximum IKE_SA lifetime 14658s
> 12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> [  274.326216] alg: No test for authenc(hmac(sha256),ecb(cipher_null)) (authenc(hmac(sha256-generic),ecb-cipher_null))
> 12[IKE] CHILD_SA gcpfc00:cada:c406::200{3} established with SPIs c2b4f3ce_i 2bcba3d9_o and TS fc00:cada:c406:607::1001/128[tcp] === fc00:cada:c406::200/128[tcp/8190]
>
> Thanks,
> Rajeev
[strongSwan] Question related to ESP_TFC_PADDING_NOT_SUPPORTED
I am trying to understand if ESP_TFC_PADDING_NOT_SUPPORTED means local is using TFC.

I am getting the ESP_TFC_PADDING_NOT_SUPPORTED message from the remote. Does that mean local is using TFC? On local I have to configure tfc_padding, and by default it is disabled. If by default it is disabled, why is the local side sending packets with TFC?

12[CFG] certificate status is not available
12[CFG] reached self-signed root ca with a path length of 1
12[IKE] authentication of 'C=US, O=CableLabs, CN=00:01:5c:96:16:00' with RSA signature successful
12[IKE] IKE_SA rpdfc00:cada:c406::200[1] established between fc00:cada:c406:607::1001[C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e]...fc00:cada:c406::200[C=US, O=CableLabs, CN=00:01:5c:96:16:00]
12[IKE] scheduling rekeying in 13218s
12[IKE] maximum IKE_SA lifetime 14658s
12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
[  274.326216] alg: No test for authenc(hmac(sha256),ecb(cipher_null)) (authenc(hmac(sha256-generic),ecb-cipher_null))
12[IKE] CHILD_SA gcpfc00:cada:c406::200{3} established with SPIs c2b4f3ce_i 2bcba3d9_o and TS fc00:cada:c406:607::1001/128[tcp] === fc00:cada:c406::200/128[tcp/8190]

Thanks,
Rajeev
Re: [strongSwan] No private key found
PEM format files.

On Tue, Dec 12, 2017 at 9:33 AM, rajeev nohria <rajnoh...@gmail.com> wrote:
> This is at the originator side where we are seeing the issue.
>
> ~# ipsec listcerts
>
> List of X.509 End Entity Certificates
>
>   subject:  "C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E6:20"
>   issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
>   validity:  not before Sep 14 16:13:24 2017, ok
>              not after  Sep 14 16:13:24 2018, ok (expires in 276 days)
>   serial:    01:ff:ff:05:e6:e6:20
>   authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
>   subjkeyId: 71:83:c0:b4:3e:40:06:f1:e5:30:d2:14:2c:82:e7:76:13:37:f4:6f
>   pubkey:    RSA 2048 bits, has private key
>   keyid:     85:d3:eb:51:9a:a8:1e:f6:ff:14:ee:cc:64:f6:2f:e0:32:99:1b:ce
>   subjkey:   71:83:c0:b4:3e:40:06:f1:e5:30:d2:14:2c:82:e7:76:13:37:f4:6f
>
> On Mon, Dec 11, 2017 at 4:11 PM, rajeev nohria <rajnoh...@gmail.com> wrote:
>> Let me know if you need more info.
>>
>> On Mon, Dec 11, 2017 at 2:45 PM, rajeev nohria <rajnoh...@gmail.com> wrote:
>>> Please find the key and config. I am using davici, so I am printing the
>>> configuration from the log as the commands are executing.
>>>
>>> Load-Connection command
>>> Section start rpdfc00:cada:c404::200
>>> Version is 2
>>> Local_addrs is fc00:cada:c404:607::1004
>>> remote_addrs is fc00:cada:c404::200
>>> local_port is 500
>>> remote_port is 500
>>> proposals is aes128-sha256-modp2048
>>> local section
>>> auth is pubkey
>>> RPD ip address is fc00:cada:c404:607::1004
>>> id is C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E6:20
>>> remote
>>> id is %any
>>> auth is pubkey
>>>
>>> On Mon, Dec 11, 2017 at 10:39 AM, Jafar Al-Gharaibeh <ja...@atcorp.com> wrote:
>>>> Can you share your config/secret files?
>>>>
>>>> --Jafar
>>>>
>>>> On 12/11/2017 9:17 AM, rajeev nohria wrote:
>>>> Can anyone help with this issue? I have set up the id with the subject id.
>>>> Still have this issue. Is there anything else I am missing?
>>>> Thanks,
>>>> Rajeev
>>>>
>>>> On Tue, Nov 14, 2017 at 12:44 PM, rajeev nohria <rajnoh...@gmail.com> wrote:
>>>>> Not sure what is wrong here. Can you let me know if I am missing
>>>>> something here?
>>>>>
>>>>> 16[KNL] creating acquire job for policy fc00:cada:c406:607::1001/128[tcp/43005] === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>>>>> 2017-11-13 15:58:56,001-HalTransport.py-94-INFO-Start a agent transport interface, path = [/tmp/Hal/agent/client/1/push]
>>>>> 15[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to fc00:cada:c406::200
>>>>> 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>>>>> 15[NET] sending packet: from fc00:cada:c406:607::1001[500] to fc00:cada:c406::200[500] (456 bytes)
>>>>> 10[NET] received packet: from fc00:cada:c406::200[500] to fc00:cada:c406:607::1001[500] (453 bytes)
>>>>> 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>>>>> 10[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
>>>>> 10[IKE] received 1 cert requests for an unknown ca
>>>>> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
>>>>> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
>>>>> 10[IKE] no private key found for 'C=US, O
Re: [strongSwan] No private key found
Let me know if you need more info.

On Mon, Dec 11, 2017 at 2:45 PM, rajeev nohria <rajnoh...@gmail.com> wrote:
> Please find the key and config. I am using davici, so I am printing the
> configuration from the log as the commands are executing.
>
> Load-Connection command
> Section start rpdfc00:cada:c404::200
> Version is 2
> Local_addrs is fc00:cada:c404:607::1004
> remote_addrs is fc00:cada:c404::200
> local_port is 500
> remote_port is 500
> proposals is aes128-sha256-modp2048
> local section
> auth is pubkey
> RPD ip address is fc00:cada:c404:607::1004
> id is C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E6:20
> remote
> id is %any
> auth is pubkey
>
> On Mon, Dec 11, 2017 at 10:39 AM, Jafar Al-Gharaibeh <ja...@atcorp.com> wrote:
>> Can you share your config/secret files?
>>
>> --Jafar
>>
>> On 12/11/2017 9:17 AM, rajeev nohria wrote:
>> Can anyone help with this issue? I have set up the id with the subject id.
>> Still have this issue. Is there anything else I am missing?
>> Thanks,
>> Rajeev
>>
>> On Tue, Nov 14, 2017 at 12:44 PM, rajeev nohria <rajnoh...@gmail.com> wrote:
>>> Not sure what is wrong here. Can you let me know if I am missing
>>> something here?
>>>
>>> 16[KNL] creating acquire job for policy fc00:cada:c406:607::1001/128[tcp/43005] === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>>> 2017-11-13 15:58:56,001-HalTransport.py-94-INFO-Start a agent transport interface, path = [/tmp/Hal/agent/client/1/push]
>>> 15[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to fc00:cada:c406::200
>>> 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>>> 15[NET] sending packet: from fc00:cada:c406:607::1001[500] to fc00:cada:c406::200[500] (456 bytes)
>>> 10[NET] received packet: from fc00:cada:c406::200[500] to fc00:cada:c406:607::1001[500] (453 bytes)
>>> 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>>> 10[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
>>> 10[IKE] received 1 cert requests for an unknown ca
>>> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
>>> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
>>> 10[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E6:20'
>>> 13[KNL] creating delete job for CHILD_SA ESP/0x/fc00:cada:c406::200
>>> 08[JOB] CHILD_SA ESP/0x/fc00:cada:c406::200 not found for delete
>>> 06[KNL] creating acquire job for policy fc00:cada:c406:607::1001/128[tcp/39047] === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>>> 16[IKE] initiating IKE_SA rpdfc00:cada:c406::200[2] to fc00:cada:c406::200
>>> 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>>> 16[NET] sending packet: from fc00:cada:c406:607::1001[500] to fc00:cada:c406::200[500] (456 bytes)
>>> 11[NET] received packet: from fc00:cada:c406::200[500] to fc00:cada:c406:607::1001[500] (453 bytes)
>>> 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>>> 11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
>>> 11[IKE] received 1 cert requests for an unknown ca
>>> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
>>> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
>>> 11[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA Remote Devi
Re: [strongSwan] No private key found
Please find the key and config. I am using davici, so I am printing the configuration from the log as the commands are executing.

Load-Connection command
Section start rpdfc00:cada:c404::200
Version is 2
Local_addrs is fc00:cada:c404:607::1004
remote_addrs is fc00:cada:c404::200
local_port is 500
remote_port is 500
proposals is aes128-sha256-modp2048
local section
auth is pubkey
RPD ip address is fc00:cada:c404:607::1004
id is C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E6:20
remote
id is %any
auth is pubkey

On Mon, Dec 11, 2017 at 10:39 AM, Jafar Al-Gharaibeh <ja...@atcorp.com> wrote:
> Can you share your config/secret files?
>
> --Jafar
>
> On 12/11/2017 9:17 AM, rajeev nohria wrote:
> Can anyone help with this issue? I have set up the id with the subject id.
> Still have this issue. Is there anything else I am missing?
> Thanks,
> Rajeev
>
> On Tue, Nov 14, 2017 at 12:44 PM, rajeev nohria <rajnoh...@gmail.com> wrote:
>> Not sure what is wrong here. Can you let me know if I am missing
>> something here?
>>
>> 16[KNL] creating acquire job for policy fc00:cada:c406:607::1001/128[tcp/43005] === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>> 2017-11-13 15:58:56,001-HalTransport.py-94-INFO-Start a agent transport interface, path = [/tmp/Hal/agent/client/1/push]
>> 15[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to fc00:cada:c406::200
>> 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>> 15[NET] sending packet: from fc00:cada:c406:607::1001[500] to fc00:cada:c406::200[500] (456 bytes)
>> 10[NET] received packet: from fc00:cada:c406::200[500] to fc00:cada:c406:607::1001[500] (453 bytes)
>> 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>> 10[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
>> 10[IKE] received 1 cert requests for an unknown ca
>> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
>> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
>> 10[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E6:20'
>> 13[KNL] creating delete job for CHILD_SA ESP/0x/fc00:cada:c406::200
>> 08[JOB] CHILD_SA ESP/0x/fc00:cada:c406::200 not found for delete
>> 06[KNL] creating acquire job for policy fc00:cada:c406:607::1001/128[tcp/39047] === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>> 16[IKE] initiating IKE_SA rpdfc00:cada:c406::200[2] to fc00:cada:c406::200
>> 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>> 16[NET] sending packet: from fc00:cada:c406:607::1001[500] to fc00:cada:c406::200[500] (456 bytes)
>> 11[NET] received packet: from fc00:cada:c406::200[500] to fc00:cada:c406:607::1001[500] (453 bytes)
>> 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>> 11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
>> 11[IKE] received 1 cert requests for an unknown ca
>> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
>> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
>> 11[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E6:20
>>
>> root@plnx_aarch64:~# ip -s xfrm state
>> src fc00:cada:c406:607::1001 dst fc00:cada:c406::200
>>     proto esp spi 0x(0) reqid 2(0x0002) mode transport
>>     replay-window 0 seq 0x0002 flag (0x)
>>     anti-replay context: seq 0x0, oseq 0x0, bitmap 0x
>>     sel src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128 proto tcp sport 39047 dport 8190 uid 0
>>     lifetime config:
>>       lim
Re: [strongSwan] No private key found
Anyone can help in this issue, I have setup the id with Subject id. Still have this issue. Is anything else I am missing?
Thanks,
Rajeev

On Tue, Nov 14, 2017 at 12:44 PM, rajeev nohria <rajnoh...@gmail.com> wrote:
> Not sure what is wrong here, Can you let me know if I am missing something here.
[strongSwan] No private key found
Not sure what is wrong here, Can you let me know if I am missing something here.

16[KNL] creating acquire job for policy fc00:cada:c406:607::1001/128[tcp/43005] === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
2017-11-13 15:58:56,001-HalTransport.py-94-INFO-Start a agent transport interface, path = [/tmp/Hal/agent/client/1/push]
15[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to fc00:cada:c406::200
15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
15[NET] sending packet: from fc00:cada:c406:607::1001[500] to fc00:cada:c406::200[500] (456 bytes)
10[NET] received packet: from fc00:cada:c406::200[500] to fc00:cada:c406:607::1001[500] (453 bytes)
10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
10[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
10[IKE] received 1 cert requests for an unknown ca
10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
10[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E6:20'
13[KNL] creating delete job for CHILD_SA ESP/0x/fc00:cada:c406::200
08[JOB] CHILD_SA ESP/0x/fc00:cada:c406::200 not found for delete
06[KNL] creating acquire job for policy fc00:cada:c406:607::1001/128[tcp/39047] === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
16[IKE] initiating IKE_SA rpdfc00:cada:c406::200[2] to fc00:cada:c406::200
16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
16[NET] sending packet: from fc00:cada:c406:607::1001[500] to fc00:cada:c406::200[500] (456 bytes)
11[NET] received packet: from fc00:cada:c406::200[500] to fc00:cada:c406:607::1001[500] (453 bytes)
11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
11[IKE] received 1 cert requests for an unknown ca
11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
11[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E6:20

root@plnx_aarch64:~# ip -s xfrm state
src fc00:cada:c406:607::1001 dst fc00:cada:c406::200
    proto esp spi 0x(0) reqid 2(0x0002) mode transport
    replay-window 0 seq 0x0002 flag (0x)
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x
    sel src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128 proto tcp sport 39047 dport 8190 uid 0
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 165(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2017-11-13 16:01:42 use -
    stats:
      replay-wind

root@plnx_aarch64:~# ip -s xfrm policy
src fc00:cada:c406::200/128 dst fc00:cada:c406:607::1001/128 proto tcp uid 0
    dir in action allow index 88 priority 234336 share any flag (0x)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2017-11-13 15:58:55 use -
    tmpl src :: dst ::
        proto esp spi 0x(0) reqid 2(0x0002) mode transport
        level required share any
        enc-mask auth-mask comp-mask
src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128 proto tcp uid 0
    dir out action allow index 81 priority 234336 share any flag (0x)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2017-11-13 15:58:55 use -
    tmpl src :: dst ::
        proto esp spi 0x(0) reqid 2(0x0002) mode transport
        level required share any
        enc-mask auth-mask comp-mask
src fc00:cada:c406::200/128 dst fc00:cada:c406:607::1001/128 proto l2tp uid 0
    dir in action allow index 72 priority 234336 share
Re: [strongSwan] no matching peer config found
I figured it out: one of the certificates was not loaded. Fixed it and it is working now.

On Mon, Oct 9, 2017 at 10:36 AM, rajeev nohria <rajnoh...@gmail.com> wrote:
> I am using swanctl, and having "no matching peer config found" issue.
>
> Please find logs and swanctl.conf in this email.
>
> Thanks,
> Rajeev
[strongSwan] no matching peer config found
I am using swanctl, and having "no matching peer config found" issue.

Please find logs and swanctl.conf in this email.

Thanks,
Rajeev

9[NET] received packet: from fc00:cada:c402:607::1001[500] to 2017::5002[500] (264 bytes)
09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
09[CFG] looking for an ike config for 2017::5002...fc00:cada:c402:607::1001
09[CFG] ike config match: 3100 (2017::5002 fc00:cada:c402:607::1001 IKEv2)
09[CFG] candidate: 2017::5002...fc00:cada:C402:607::1001, prio 3100
09[CFG] found matching ike config: 2017::5002...fc00:cada:C402:607::1001 with prio 3100
09[IKE] fc00:cada:c402:607::1001 is initiating an IKE_SA
09[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
09[CFG] selecting proposal:
09[CFG]   proposal matches
09[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
09[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
09[IKE] natd_chunk => 34 bytes @ 0x7f6d080009c0
09[IKE]   0: 4D 98 3C 1D 83 58 E9 77 00 00 00 00 00 00 00 00  M.<..X.w
09[IKE]  16: 20 17 00 00 00 00 00 00 00 00 00 00 00 00 50 02  .P.
09[IKE]  32: 01 F4  ..
09[IKE] natd_hash => 20 bytes @ 0x7f6d08005630
09[IKE]   0: F8 0F 32 75 38 53 84 20 35 D3 D5 81 06 50 5B B1  ..2u8S. 5P[.
09[IKE]  16: 90 95 12 4B  ...K
09[IKE] natd_chunk => 34 bytes @ 0x7f6d080009c0
09[IKE]   0: 4D 98 3C 1D 83 58 E9 77 00 00 00 00 00 00 00 00  M.<..X.w
09[IKE]  16: FC 00 CA DA C4 02 06 07 00 00 00 00 00 00 10 01
09[IKE]  32: 01 F4  ..
09[IKE] natd_hash => 20 bytes @ 0x7f6d080056a0
09[IKE]   0: 89 87 B4 7C 73 09 A9 F3 2A 92 E3 A9 C6 C6 64 35  ...|s...*.d5
09[IKE]  16: 95 BC 38 0F  ..8.
09[IKE] precalculated src_hash => 20 bytes @ 0x7f6d080056a0
09[IKE]   0: 89 87 B4 7C 73 09 A9 F3 2A 92 E3 A9 C6 C6 64 35  ...|s...*.d5
09[IKE]  16: 95 BC 38 0F  ..8.
09[IKE] precalculated dst_hash => 20 bytes @ 0x7f6d08005630
09[IKE]   0: F8 0F 32 75 38 53 84 20 35 D3 D5 81 06 50 5B B1  ..2u8S. 5P[.
09[IKE]  16: 90 95 12 4B  ...K
09[IKE] received src_hash => 20 bytes @ 0x7f6d08000eb0
09[IKE]   0: 89 87 B4 7C 73 09 A9 F3 2A 92 E3 A9 C6 C6 64 35  ...|s...*.d5
09[IKE]  16: 95 BC 38 0F  ..8.
09[IKE] received dst_hash => 20 bytes @ 0x7f6d08000fd0
09[IKE]   0: F8 0F 32 75 38 53 84 20 35 D3 D5 81 06 50 5B B1  ..2u8S. 5P[.
09[IKE]  16: 90 95 12 4B  ...K
09[IKE] shared Diffie Hellman secret => 32 bytes @ 0x7f6d08005600
09[IKE]   0: 07 A8 18 F1 5B 97 39 47 DB AE 62 F1 56 DA 12 56  [.9G..b.V..V
09[IKE]  16: 5F 5F F9 55 F4 68 94 50 AB 11 2D 5D E4 8C A8 9A  __.U.h.P..-]
09[IKE] SKEYSEED => 32 bytes @ 0x7f6d08003240
09[IKE]   0: C0 1A C8 49 7B ED 7C AD 07 02 B7 44 48 18 B3 B3  ...I{.|DH...
09[IKE]  16: 7D 43 E0 E7 5D 58 40 B2 5D 7B 90 D5 90 BD D3 99  }C..]X@ .]{..
09[IKE] Sk_d secret => 32 bytes @ 0x7f6d08005600
09[IKE]   0: BE 08 2D 04 64 4D BB CE FC 83 DD 05 C9 D9 F0 05  ..-.dM..
09[IKE]  16: 60 EF C4 53 88 C9 82 41 54 36 00 3A AC DD 40 A9  `..S...AT6.:..@.
09[IKE] Sk_ai secret => 32 bytes @ 0x7f6d08003240
09[IKE]   0: 03 03 2C 1E 63 60 16 08 B6 E3 3E BA 8C 80 AA 34  ..,.c`>4
09[IKE]  16: A9 FA 0C 9A FF 0B A5 3C E8 2C 66 FE C6 A3 6D 85  ...<.,f...m.
09[IKE] Sk_ar secret => 32 bytes @ 0x7f6d08003240
09[IKE]   0: 58 50 F7 80 69 2E F1 BF C6 3E 27 B2 7F 51 11 D2  XP..i>'..Q..
09[IKE]  16: 79 FE 18 9B 6E C7 71 20 2B E6 EB 7F D5 A2 E3 3D  y...n.q +..=
09[IKE] Sk_ei secret => 16 bytes @ 0x7f6d080017e0
09[IKE]   0: FC CB 72 54 A1 2B C4 31 BF 80 E6 E3 62 50 3F 34  ..rT.+.1bP?4
09[IKE] Sk_er secret => 16 bytes @ 0x7f6d080017e0
09[IKE]   0: F4 18 F2 91 64 3D 72 97 5C 71 06 7F A8 82 C6 41  d=r.\q.A
09[IKE] Sk_pi secret => 32 bytes @ 0x7f6d08003ea0
09[IKE]   0: 9A 72 FC 50 C5 8E 55 FF EC 59 F3 AB A9 1B 71 58  .r.P..U..YqX
09[IKE]  16: 27 76 46 AB EE 5B 64 36 9F 9A 09 52 81 82 D3 A9  'vF..[d6...R
09[IKE] Sk_pr secret => 32 bytes @ 0x7f6d08003f70
09[IKE]   0: 3F A5 34 D7 4A B5 2E DB D4 F3 18 57 52 97 A8 EC  ?.4.J..WR...
09[IKE]  16: 9D 87 5A 66 AE AF 18 F0 17 75 C7 67 4C 0F 39 4D  ..Zf.u.gL.9M
09[IKE] natd_chunk => 34 bytes @ 0x7f6d08005730
09[IKE]   0: 4D 98 3C 1D 83 58 E9 77 54 E5 64 60 22 20 BF A2  M.<..X.wT.d`" ..
09[IKE]  16: 20 17 00 00 00 00 00 00 00 00 00 00 00 00 50 02  .P.
09[IKE]  32: 01 F4  ..
09[IKE] natd_hash => 20 bytes @ 0x7f6d08005510
09[IKE]   0: 05 CB 8A 0D 44 85 26 3F 29 89 80 B8 35 8E ED DE  D.&?)...5...
09[IKE]  16: D4 48
Re: [strongSwan] No private key found
I resolved the issue by setting up the id properly. Thanks for the direction.

On Fri, Oct 6, 2017 at 8:37 AM, rajeev nohria <rajnoh...@gmail.com> wrote:
> Andreas,
>
> Thanks for reply. I am using davici interface instead of swanctl.conf. I do set the id as id: fc00:cada:c404:607::1001 but not the certs. Since I am using davici, it does not know the certificate file name and its path, I am reading the certificate file and passing the data. How can I resolve the problem in this situation?
>
> Thanks,
> Rajeev
Re: [strongSwan] No private key found
Andreas,

Thanks for reply. I am using davici interface instead of swanctl.conf. I do set the id as id: fc00:cada:c404:607::1001 but not the certs. Since I am using davici, it does not know the certificate file name and its path, I am reading the certificate file and passing the data. How can I resolve the problem in this situation?

Thanks,
Rajeev

On Thu, Oct 5, 2017 at 11:56 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
> Hi,
>
> you must not set the IKEv2 ID to
>
>   id: fc00:cada:c404:607::1001
>
> since this ID is not contained as a subjectAltName in the client certificate.
>
> Probably you didn't use the "certs" parameter in the local section of swanctl.conf so that the client certificate just got loaded from /etc/swanctl/x509. If you don't define the "id" parameter in the local section then the IPv6 address of the client is assumed as the "id" by default and because the IP address is not contained as a subjectAltName in the certificate then neither the certificate nor the corresponding private key is found.
>
> So the best approach is to define the following in swanctl.conf:
>
>   local {
>     auth = pubkey
>     certs = myCert.pem
>   }
>
> This first causes the private key to be found automatically based on the fingerprint of the public key contained in the certificate and the ID to be set to the subject distinguished name contained in the certificate.
>
> Best regards
>
> Andreas
>
> On 05.10.2017 17:33, rajeev nohria wrote:
>> I have seen this issue before and fixed it. But this time I am not able to figure it out. Let me know if anyone sees the issue or has any suggestion. Thanks in advance.
>>
>> Problem:
>> Getting error while initiating the connection.
>>
>> *[IKE] no private key found for 'fc00:cada:c404:607::1001'*
>>
>> *11[IKE] no private key found for 'fc00:cada:c404:607::1001'*
>>
>> We are able to load the certificate and keys. Looking at the logs, the following is proof.
>>
>> messages.0:Jan 1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded RSA private key
>> messages.0:Jan 1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority'
>> messages.0:Jan 1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded certificate 'C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e'
>> messages.0:Jan 1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority'
>>
>> But when I initiate a connection, I get the following.
>>
>> root@E6kn-2016:# swanctl --initiate --child gcpfc00:cada:c404::200
>> 07[CFG] vici initiate 'gcpfc00:cada:c404::200'
>> 09[IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002
>> [IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002
>> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>> 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>> [NET] sending packet: from fc00:cada:c404:607::1001[500] to 2017::5002[500] (264 bytes)
>> 09[NET] sending packet: from fc00:cada:c404:607::1001[500] to 2017::5002[500] (264 bytes)
>> 11[NET] received packet: from 2017::5002[500] to fc00:cada:c404:607::1001[500] (289 bytes)
>> [NET] received packet: from 2017::5002[500] to fc00:cada:c404:607::1001[500] (289 bytes)
>> 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
>> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
>> [IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
>> 11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
>> [IKE] sending cert request for "C=US, O=CableLabs, OU=TEST
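To make Andreas's point concrete, here is an added example (assembled for this page, not Andreas's or the strongSwan project's own configuration) of a swanctl.conf connection using the addresses from this thread. The connection and child names are shortened placeholders (the thread's names carry the peer address as a suffix), and myCert.pem is the file name from Andreas's reply. The commented-out `id` line is the setting that produced "no private key found"; the `certs` line is the corrected form:

```conf
connections {
    rpd {
        version = 2
        local_addrs  = fc00:cada:c404:607::1001
        remote_addrs = 2017::5002

        local {
            auth = pubkey
            # What the failing setup did: an ID that is neither the subject DN
            # nor a subjectAltName of the device certificate, so no certificate
            # (and therefore no private key) can be matched to it.
            # id = fc00:cada:c404:607::1001

            # Corrected: name the end-entity certificate. charon then matches the
            # private key by the fingerprint of the certificate's public key and
            # uses the certificate's subject DN as the local ID.
            certs = myCert.pem
        }
        remote {
            auth = pubkey
            id = %any
        }
        children {
            gcp {
                mode = transport
                local_ts  = fc00:cada:c404:607::1001/128[tcp]
                remote_ts = 2017::5002/128[tcp]
            }
        }
    }
}
```

The same matching rule applies to a davici client that passes certificate data instead of a path: the certificate must be loaded into the daemon so the private key can be matched by its public-key fingerprint, and the local `id`, if set at all, must be an identity the certificate actually carries (its subject DN or one of its subjectAltNames), which is the "setting up id properly" that resolved the thread.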
[strongSwan] No private key found
I have seen this issue before and fixed it. But this time I am not able to figure it out. Let me know if anyone sees the issue or has any suggestion. Thanks in advance.

Problem:
Getting error while initiating the connection.

*[IKE] no private key found for 'fc00:cada:c404:607::1001'*
*11[IKE] no private key found for 'fc00:cada:c404:607::1001'*

We are able to load the certificate and keys. Looking at the logs, the following is proof.

messages.0:Jan 1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded RSA private key
messages.0:Jan 1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority'
messages.0:Jan 1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded certificate 'C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e'
messages.0:Jan 1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority'

But when I initiate a connection, I get the following.

root@E6kn-2016:# swanctl --initiate --child gcpfc00:cada:c404::200
07[CFG] vici initiate 'gcpfc00:cada:c404::200'
09[IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002
[IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from fc00:cada:c404:607::1001[500] to 2017::5002[500] (264 bytes)
09[NET] sending packet: from fc00:cada:c404:607::1001[500] to 2017::5002[500] (264 bytes)
11[NET] received packet: from 2017::5002[500] to fc00:cada:c404:607::1001[500] (289 bytes)
[NET] received packet: from 2017::5002[500] to fc00:cada:c404:607::1001[500] (289 bytes)
11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
*[IKE] no private key found for 'fc00:cada:c404:607::1001'*
*11[IKE] no private key found for 'fc00:cada:c404:607::1001'*
*initiate failed: establishing CHILD_SA 'gcpfc00:cada:c404::200' failed*

root@E6kn-2016:# swanctl --list-conns
rpdfc00:cada:c404::200: IKEv2, no reauthentication, rekeying every 14400s
  local:  fc00:cada:c404:607::1001
  remote: 2017::5002
  local public key authentication:
    id: fc00:cada:c404:607::1001
  remote public key authentication:
  gcpfc00:cada:c404::200: TRANSPORT, rekeying every 3600s
    local:  fc00:cada:c404:607::1001/128[tcp]
    remote: 2017::5002/128[tcp]
  l2tpfc00:cada:c404::200: TRANSPORT, rekeying every 3600s
    local:  fc00:cada:c404:607::1001/128[l2tp]
    remote: 2017::5002/128[l2tp]

root@E6kn-2016:# swanctl --list-certs

List of X.509 End Entity Certificates

  subject:  "C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e"
  issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
  validity:  not before Sep 28 18:18:53 2017, ok
             not after  Sep 28 18:18:53 2037, ok (expires in 7300 days)
  serial:    dd:dc:09:21:36:f2:e8:71
  authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
  subjkeyId: 9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9
  pubkey:    RSA 2048 bits, has private key
  keyid:     8d:40:7d:fb:38:7b:4b:e2:fe:00:ba:72:6c:82:63:2b:6b:75:30:6e
  subjkey:   9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9

List of X.509 CA Certificates

  subject:  "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
  issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
  validity:  not before Dec 09 23:08:49 2014, ok
             not after  Dec 09 23:08:49 2049, ok (expires in 11755 days)
  serial:    a0:16:bc:73:85:0e:65:37
  altNames:  CN=SYMC-3072-5
  flags:     CA CRLSign
  pathlen:   0
  authkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
  subjkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
  pubkey:    RSA 3072 bits
  keyid:
[strongSwan] PSK-IKEv2- DAVICI
The following capture is taken on the responder side. Can you give any idea what could be wrong?

15[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
15[CFG] looking for peer configs matching 2001:2016:0:1::23e[2001:2016:0:1::23e]...2001:2016:0:1::24b[2001:2016:0:1::24b]
15[CFG]   peer config match local: 20 (ID_IPV6_ADDR -> 20:01:20:16:00:00:00:01:00:00:00:00:00:00:02:3e)
15[CFG]   peer config match remote: 20 (ID_IPV6_ADDR -> 20:01:20:16:00:00:00:01:00:00:00:00:00:00:02:4b)
15[CFG]   ike config match: 3100 (2001:2016:0:1::23e 2001:2016:0:1::24b IKEv2)
15[CFG]   candidate "rw", match: 20/20/3100 (me/other/ike)
15[CFG] selected peer config 'rw'
*15[IKE] tried 0 shared keys for '2001:2016:0:1::23e' - '2001:2016:0:1::24b', but MAC matched*
*15[IKE] no shared key found for '2001:2016:0:1::23e' - '2001:2016:0:1::24b'*
*15[IKE] peer supports MOBIKE*
*15[IKE] got additional MOBIKE peer address: 10.14.37.97*
*15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]*
15[NET] sending packet: from 2001:2016:0:1::23e[4500] to 2001:2016:0:1::24b[4500] (80 bytes)
15[IKE] IKE_SA rw[2] state change: CONNECTING => DESTROYING

*Initiator*
--
2001:2016:0:1::24b uses davici code:

    char str[] = "password";
    davici_new_cmd("load-shared", &dvReq);
    davici_kvf(dvReq, "type", "%s", "ike");
    davici_kv(dvReq, "data", str, strlen(str));
    davici_list_start(dvReq, "owners");
    davici_list_itemf(dvReq, "%s", ipAddrStr);
    davici_list_end(dvReq);
    err = davici_queue(dvConn, dvReq, reqcb, dvTester);
    err = davici_write(dvConn);

*Receptor*
2001:2016:0:1::23e uses swanctl.conf. See attached file.

I tried the secret as password as well as 0spassword.
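The davici calls above serialize a request onto the vici socket. As an added example (not Rajeev's code and not davici's own implementation), the following stand-alone Python encoder and decoder re-implements the vici wire format as described in the strongSwan vici plugin README: a 4-byte big-endian length, a packet type, a 1-byte-length-prefixed command name, and then a stream of elements (section start/end, key/value, list start/item/end) with 1-byte name lengths and 2-byte value lengths. That layout is an assumption taken from the README rather than something verified against davici here. It builds the exact load-shared message from the code above (secret and owner taken from the post) and the nested load-conn message whose printed fields appear in the davici load-connection output in the Dec 11, 2017 "No private key found" reply, and parses both back; the names of the helpers are this example's own:

```python
import struct

# vici element and packet types as listed in the strongSwan vici README
# (assumed here; this is a re-implementation, not davici's or the plugin's code).
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = 1, 2, 3, 4, 5, 6
CMD_REQUEST = 0


def _name(s: str) -> bytes:
    """Names carry a 1-byte length prefix, so they are limited to 255 bytes."""
    b = s.encode()
    if len(b) > 255:
        raise ValueError("vici name too long: %r" % s)
    return bytes([len(b)]) + b


def _value(v) -> bytes:
    """Values carry a 2-byte big-endian length prefix (max 65535 bytes) and may be
    arbitrary bytes, which is why davici_kv takes an explicit length."""
    b = v if isinstance(v, bytes) else str(v).encode()
    if len(b) > 0xFFFF:
        raise ValueError("vici value too long")
    return struct.pack(">H", len(b)) + b


def encode_message(msg: dict) -> bytes:
    """Serialize a nested dict (scalars, lists, sub-dicts) into a vici element stream,
    the equivalent of the davici_kv/davici_kvf, davici_list_* and section calls."""
    out = bytearray()
    for key, val in msg.items():
        if isinstance(val, dict):
            out += bytes([SECTION_START]) + _name(key) + encode_message(val) + bytes([SECTION_END])
        elif isinstance(val, list):
            out += bytes([LIST_START]) + _name(key)
            for item in val:
                out += bytes([LIST_ITEM]) + _value(item)
            out += bytes([LIST_END])
        else:
            out += bytes([KEY_VALUE]) + _name(key) + _value(val)
    return bytes(out)


def encode_request(command: str, msg: dict) -> bytes:
    """Frame a CMD_REQUEST packet: 4-byte length, packet type, command name, message."""
    body = bytes([CMD_REQUEST]) + _name(command) + encode_message(msg)
    return struct.pack(">I", len(body)) + body


def _take(data: bytes, pos: int, n: int) -> bytes:
    """Bounds-checked slice so a truncated packet fails loudly instead of silently."""
    if pos + n > len(data):
        raise ValueError("truncated vici message at offset %d" % pos)
    return data[pos:pos + n]


def decode_message(data: bytes, pos: int = 0):
    """Parse a vici element stream into a dict (values as bytes); returns (dict, next offset).
    Returns at a SECTION_END so nested sections can be parsed recursively."""
    result = {}
    while pos < len(data):
        t = data[pos]
        pos += 1
        if t == SECTION_END:
            return result, pos
        if t not in (SECTION_START, KEY_VALUE, LIST_START):
            raise ValueError("unexpected element type %d at offset %d" % (t, pos - 1))
        nlen = _take(data, pos, 1)[0]
        name = _take(data, pos + 1, nlen).decode()
        pos += 1 + nlen
        if t == SECTION_START:
            result[name], pos = decode_message(data, pos)
        elif t == KEY_VALUE:
            (vlen,) = struct.unpack(">H", _take(data, pos, 2))
            result[name] = _take(data, pos + 2, vlen)
            pos += 2 + vlen
        else:  # LIST_START: items until LIST_END
            items = []
            while _take(data, pos, 1)[0] == LIST_ITEM:
                (vlen,) = struct.unpack(">H", _take(data, pos + 1, 2))
                items.append(_take(data, pos + 3, vlen))
                pos += 3 + vlen
            if data[pos] != LIST_END:
                raise ValueError("list %r not terminated" % name)
            pos += 1
            result[name] = items
    return result, pos


def decode_request(packet: bytes):
    """Inverse of encode_request; checks the length prefix and rejects trailing bytes."""
    (length,) = struct.unpack(">I", _take(packet, 0, 4))
    if length != len(packet) - 4:
        raise ValueError("length prefix %d does not match packet size" % length)
    if packet[4] != CMD_REQUEST:
        raise ValueError("not a CMD_REQUEST packet")
    nlen = packet[5]
    command = _take(packet, 6, nlen).decode()
    msg, pos = decode_message(packet, 6 + nlen)
    if pos != len(packet):
        raise ValueError("trailing bytes after message")
    return command, msg


def load_shared_request(secret: bytes, owner: str) -> bytes:
    """The load-shared request built in the post: type=ike, data=<secret>, owners=[<id>]."""
    return encode_request("load-shared", {"type": "ike", "data": secret, "owners": [owner]})


def load_conn_request(name, local_addr, remote_addr, local_id, proposal="aes128-sha256-modp2048"):
    """A load-conn request with the nested sections the printed load-connection output shows."""
    return encode_request("load-conn", {name: {
        "version": "2", "local_addrs": [local_addr], "remote_addrs": [remote_addr],
        "local_port": "500", "remote_port": "500", "proposals": [proposal],
        "local": {"auth": "pubkey", "id": local_id},
        "remote": {"auth": "pubkey", "id": "%any"}}})


if __name__ == "__main__":
    pkt = load_shared_request(b"password", "2001:2016:0:1::24b")  # values from the post
    print(pkt.hex())
    print(decode_request(pkt))
```

Two things the bytes make visible: the "owners" list is the only place the shared secret is bound to an identity, and the responder log above shows charon looking the key up by exactly the pair of IDs it authenticated, so the owner string has to be one of those IDs in the same form. The decoder also refuses truncated or over-long packets and unknown element types, which is the minimum a client should do before trusting anything it reads back from the daemon socket.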
Re: [strongSwan] Error while running Charon
Ok, I will register on the issue tracker.

On Thu, Oct 27, 2016 at 2:37 PM, Noel Kuntze <n...@familie-kuntze.de> wrote:
> On 27.10.2016 20:34, rajeev nohria wrote:
>> I am getting an issue similar to the following. Not sure how it was resolved.
>> https://wiki.strongswan.org/issues/1299
> It wasn't resolved. The person didn't answer Tobias' question and then the issue was closed.
> If you care enough about your problem to want it resolved, register on the issue tracker and comment on it.
>
> --
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Error while running Charon
Problem 1:

root@Xilinx-ZCU102-2016_1:/lib# charon
00[DMN] Starting IKE charon daemon (strongSwan 5.5.0, Linux 4.4.0, aarch64)
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: NONCE_GEN
00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
00[LIB] failed to load 3 critical plugin features
00[DMN] initialization failed - aborting charon

How does charon know where to look for the plugins? I used the --enable-monolithic option, and that means all the plugins should be in libstrongswan, libcharon and libvici.

I am getting an issue similar to the following. Not sure how it was resolved.
https://wiki.strongswan.org/issues/1299

root@Xilinx-ZCU102-2016_1:~# cd /usr/lib/ipsec
root@Xilinx-ZCU102-2016_1:/usr/lib/ipsec# ls
libcharon.a  libcharon.la  libstrongswan.a  libstrongswan.la  libvici.a  libvici.la  plugins
root@Xilinx-ZCU102-2016_1:/usr/lib/ipsec# cd plugins/
root@Xilinx-ZCU102-2016_1:/usr/lib/ipsec/plugins# ls
libstrongswan-aes.a              libstrongswan-pkcs7.a
libstrongswan-aes.la             libstrongswan-pkcs7.la
libstrongswan-attr.a             libstrongswan-pkcs8.a
libstrongswan-attr.la            libstrongswan-pkcs8.la
libstrongswan-cmac.a             libstrongswan-pubkey.a
libstrongswan-cmac.la            libstrongswan-pubkey.la
libstrongswan-constraints.a      libstrongswan-random.a
libstrongswan-constraints.la     libstrongswan-random.la
libstrongswan-des.a              libstrongswan-rc2.a
libstrongswan-des.la             libstrongswan-rc2.la
libstrongswan-dnskey.a           libstrongswan-resolve.a
libstrongswan-dnskey.la          libstrongswan-resolve.la
libstrongswan-fips-prf.a         libstrongswan-revocation.a
libstrongswan-fips-prf.la        libstrongswan-revocation.la
libstrongswan-hmac.a             libstrongswan-sha1.a
libstrongswan-hmac.la            libstrongswan-sha1.la
libstrongswan-kernel-netlink.a   libstrongswan-sha2.a
libstrongswan-kernel-netlink.la  libstrongswan-sha2.la
libstrongswan-md5.a              libstrongswan-socket-default.a
libstrongswan-md5.la             libstrongswan-socket-default.la
libstrongswan-nonce.a            libstrongswan-sshkey.a
libstrongswan-nonce.la           libstrongswan-sshkey.la
libstrongswan-openssl.a          libstrongswan-stroke.a
libstrongswan-openssl.la         libstrongswan-stroke.la
libstrongswan-pem.a              libstrongswan-updown.a
libstrongswan-pem.la             libstrongswan-updown.la
libstrongswan-pgp.a              libstrongswan-vici.a
libstrongswan-pgp.la             libstrongswan-vici.la
libstrongswan-pkcs1.a            libstrongswan-x509.a
libstrongswan-pkcs1.la           libstrongswan-x509.la
libstrongswan-pkcs11.a           libstrongswan-xauth-generic.a
libstrongswan-pkcs11.la          libstrongswan-xauth-generic.la
libstrongswan-pkcs12.a           libstrongswan-xcbc.a
libstrongswan-pkcs12.la          libstrongswan-xcbc.la

Problem 2: When running swanctl, I am getting the following issue. Any pointer?

root@Xilinx-ZCU102-2016_1:/lib# swanctl
strongSwan 5.5.0 swanctl
loaded plugins:
usage:
  swanctl --initiate (-i)          initiate a connection
  swanctl --terminate (-t)         terminate a connection
  swanctl --redirect (-d)          redirect an IKE_SA
  swanctl --uninstall (-u)         uninstall a trap or shunt policy
  swanctl --install (-p)           install a trap or shunt policy
  swanctl --list-sas (-l)          list currently active IKE_SAs
  swanctl --monitor-sa (-m)        monitor for IKE_SA and CHILD_SA changes
  swanctl --list-pols (-P)         list currently installed policies
  swanctl --list-authorities (-B)  list loaded authority configurations
  swanctl --list-conns (-L)        list loaded configurations
  swanctl --list-certs (-x)        list stored certificates
  swanctl --list-pools (-A)        list loaded pool configurations
  swanctl --list-algs (-g)         show loaded algorithms
  swanctl --load-all (-q)          load credentials, authorities, pools and connections
  swanctl --load-authorities (-b)  (re-)load authority configuration
  swanctl --load-conns (-c)        (re-)load connection configuration
  swanctl --load-creds (-s)        (re-)load credentials
  swanctl --load-pools (-a)        (re-)load pool configuration
  swanctl --log (-T)               trace logging output
  swanctl --version (-v)           show version information
  swanctl --stats (-S)             show daemon stats information
  swanctl --reload-settings (-r)   reload daemon strongswan.conf
  swanctl --help (-h)              show usage information
libgcc_s.so.1 must be installed for pthread_cancel to work
Aborted

On Wed, Oct 19, 2016 at 2:43 PM, rajeev nohria <rajnoh...@gmail.com> wrote:
> Thom
Re: [strongSwan] Error while running Charon
Thomas,

I tried both ways and it did not help. Not sure what I could be missing. In the following I also tried removing the swanctl section; that also did not work.

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

swanctl {
  load = pem pkcs1 x509 revocation constraints pubkey openssl random
}

charon {
  load_modular = yes
  plugins {
    include strongswan.d/charon/*.conf
  }
}

filelog {
  /var/log/charon.log {
    # add a timestamp prefix
    time_format = %b %e %T
    # prepend connection name, simplifies grepping
    ike_name = yes
    # overwrite existing files
    append = no
    # increase default loglevel for all daemon subsystems
    default = 10
    # flush each line to disk
    flush_line = yes
  }
  stderr {
    # more detailed loglevel for a specific subsystem, overriding the
    # default loglevel.
    ike = 4
    cfg = 4
    asn = 4
    app = 4
    tls = 4
    esp = 4
    chd = 4
    knl = 0
  }
}

include strongswan.d/charon/*.conf

root@Xilinx-ZCU102-2016_1:/usr/etc/strongswan.d/charon# ls
aes.conf             pem.conf         sha1.conf
attr.conf            pgp.conf         sha2.conf
cmac.conf            pkcs1.conf       socket-default.conf
constraints.conf     pkcs11.conf      sshkey.conf
des.conf             pkcs12.conf      stroke.conf
dnskey.conf          pkcs7.conf       updown.conf
fips-prf.conf        pkcs8.conf       vici.conf
hmac.conf            pubkey.conf      x509.conf
kernel-netlink.conf  random.conf      xauth-generic.conf
md5.conf             rc2.conf         xcbc.conf
nonce.conf           resolve.conf
openssl.conf         revocation.conf
root@Xilinx-ZCU102-2016_1:/usr/etc/strongswan.d/charon# cat nonce.conf
nonce {

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

}

On Tue, Oct 18, 2016 at 3:03 PM, Thomas Egerer <hakke_...@gmx.de> wrote:
> Rajeev,
>
> I guess the config option '--enable-monolithic' builds charon with all plugins compiled into one binary blob. Try and remove this option. Then remove the load_modular option from your strongswan.conf, or place the configuration snippets in your file system as described in [1]. Then of course, you would have to remove the load keyword from your strongswan.conf.
>
> Cheers,
> Thomas
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/Strongswandirectory
Re: [strongSwan] Error while running Charon
Noel,

I am still having the issue after going through many hit-and-trial methods to fix this.

root@Xilinx-ZCU102-2016_1:~# charon
00[DMN] Starting IKE charon daemon (strongSwan 5.5.0, Linux 4.4.0, aarch64)
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: NONCE_GEN
00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
00[LIB] failed to load 3 critical plugin features
00[DMN] initialization failed - aborting charon

Makefile:

CONF_OPTS += --disable-gmp --enable-monolithic --enable-openssl --enable-pkcs11 --enable-vici --enable-x509 --enable-nonce

strongswan.conf:

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

swanctl {
  load = pem pkcs1 x509 revocation constraints pubkey openssl random
}

charon {
  load_modular = yes
  load = sha1 pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici

  plugins {
    include strongswan.d/charon/*.conf
  }
}

filelog {
  /var/log/charon.log {
    # add a timestamp prefix
    time_format = %b %e %T
    # prepend connection name, simplifies grepping
    ike_name = yes
    # overwrite existing files
    append = no
    # increase default loglevel for all daemon subsystems
    default = 10
    # flush each line to disk
    flush_line = yes
  }
  stderr {
    # more detailed loglevel for a specific subsystem, overriding the
    # default loglevel.
    ike = 4
    cfg = 4
    asn = 4
    app = 4
    tls = 4
    esp = 4
    chd = 4
    knl = 0
  }
}

On Sat, Oct 8, 2016 at 7:41 PM, Noel Kuntze wrote:
> Hello Rajeev,
>
>> 00[DMN] Starting IKE charon daemon (strongSwan 5.5.0, Linux 4.4.0, aarch64)
>> 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: NONCE_GEN
>> 00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
>> 00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
>> 00[LIB] failed to load 3 critical plugin features
>> 00[DMN] initialization failed - aborting charon
>
> You need the sha1 or the openssl plugin, as well as the nonce plugin.
> Please use google[1] next time.
>
> [1] https://encrypted.google.com/search?hl=en=site%3Awiki.strongswan.org%20%22libcharon%20in%20critical%20plugin%20%27charon%27%20has%20unmet%20dependency%3A%20NONCE_GEN%22
>
> --
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Re: [strongSwan] Strongswan 5.4 issue using certificates
I am all set after adding libatomic.so.1 to the lib directory.

On Tue, Oct 4, 2016 at 3:05 PM, rajeev nohria <rajnoh...@gmail.com> wrote:
> Andreas,
>
> Thank you for all your help. I have compiled strongSwan with petalinux. Whenever I run charon I get the following error. Is there any flag I can add in the makefile to get this fixed?
>
> #charon
> charon: error while loading shared libraries: libatomic.so.1: cannot open shared object file: No such file or directory
>
> Thanks,
> Rajeev
>
> On Fri, Sep 16, 2016 at 4:33 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
>> Hi Rajeev,
>>
>> yes, you have to load the private key file in your management tool and transfer it via the VICI interface as a binary blob.
>>
>> Regards
>>
>> Andreas
Re: [strongSwan] Strongswan 5.4 issue using certificates
Andreas,

Thank you for all your help. I have compiled strongSwan with petalinux. Whenever I run charon I get the following error. Is there any flag I can add in the makefile to get this fixed?

#charon
charon: error while loading shared libraries: libatomic.so.1: cannot open shared object file: No such file or directory

Thanks,
Rajeev

On Fri, Sep 16, 2016 at 4:33 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
> Hi Rajeev,
>
> yes, you have to load the private key file in your management tool and transfer it via the VICI interface as a binary blob.
>
> Regards
>
> Andreas
>
> On 15.09.2016 21:20, rajeev nohria wrote:
>> Andreas,
>>
>> When using davici, for the loading of private RSA keys, does that have to be loaded like the certificate?
>>
>> Thanks,
>> Rajeev
Re: [strongSwan] Strongswan 5.4 issue using certificates
Andreas,

When using davici, for the loading of private RSA keys, does that have to be loaded like the certificate?

Thanks,
Rajeev

On Thu, Sep 15, 2016 at 3:19 PM, rajeev nohria <rajnoh...@gmail.com> wrote:
> Andreas,
>
> For the loading of private RSA keys, does that have to be loaded like the certificate?
>
> Thanks,
> Rajeev
>
> On Thu, Aug 4, 2016 at 12:16 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
>> Hi Rajeev,
>>
>> different to the stroke protocol and ipsec.conf, where the filename of the certificate gets transferred via the stroke socket and the charon daemon loads the certificate, vici transfers the certificate itself, either as a binary DER or a base64-encoded PEM blob. Thus your management application has to load the certificate and transfer it over the vici socket using davici.
>>
>> Regards
>>
>> Andreas
Re: [strongSwan] Strongswan 5.4 issue using certificates
Andreas,

For the loading of private RSA keys, does that have to be loaded like the certificate?

Thanks,
Rajeev

On Thu, Aug 4, 2016 at 12:16 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
> Hi Rajeev,
>
> different to the stroke protocol and ipsec.conf, where the filename of the certificate gets transferred via the stroke socket and the charon daemon loads the certificate, vici transfers the certificate itself, either as a binary DER or a base64-encoded PEM blob. Thus your management application has to load the certificate and transfer it over the vici socket using davici.
>
> Regards
>
> Andreas
>
> On 04.08.2016 05:03, rajeev nohria wrote:
>> Thanks Andreas,
>>
>> It worked, I now started to implement it in Davici. I had PSK working in Davici. With certificates, I am having the following issue during parse_certs().
>>
>> 09[LIB] file coded in unknown format, discarded
>> 09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
>>
>> The corresponding Davici code is
>>
>>     davici_list_start(r, "certs");
>>     davici_list_itemf(r, "%s", "/usr/local/etc/swanctl/x509/hostCert.pem");
>>     davici_list_end(r);
>>
>> I have tried the file name with and without the path.
>>
>> certs = hostCert.pem worked in swanctl.conf as attached in the previous email.
>>
>> Do you know what could be the issue here? It looks like the software is not able to recognize the PEM format, but again it worked when using the swanctl.conf file.
>>
>> Thanks,
>> Rajeev
Re: [strongSwan] Strongswan 5.4 issue using certificates
Thanks Andreas,

It worked, I now started to implement it in Davici. I had PSK working in Davici. With certificates, I am having the following issue during parse_certs().

09[LIB] file coded in unknown format, discarded
09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders

The corresponding Davici code is

    davici_list_start(r, "certs");
    davici_list_itemf(r, "%s", "/usr/local/etc/swanctl/x509/hostCert.pem");
    davici_list_end(r);

I have tried the file name with and without the path.

certs = hostCert.pem worked in swanctl.conf as attached in the previous email.

Do you know what could be the issue here? It looks like the software is not able to recognize the PEM format, but again it worked when using the swanctl.conf file.

Thanks,
Rajeev

On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
> Hi,
>
> according to your log, the initiator and responder create their own Root CA certificate and store it locally in /usr/local/etc/swanctl/x509ca. Therefore it is not surprising that no trust into the received host certificate can be established, because it has been signed with the private key of a different root CA (although the Distinguished Name of the issuer is the same).
>
> Fix: Generate only one private key and matching self-signed Root CA certificate. Use the private Root CA key to sign both initiator and responder host certificates and deploy the Root CA certificate on both hosts.
>
> Best regards
>
> Andreas
>
> On 01.08.2016 21:24, rajeev nohria wrote:
>>
>> I was able to establish an IKE connection using PSK, but when using pubkey I am not able to establish the IKE connection.
>>
>> When I issue sudo swanctl --initiate --child net
>>
>> At the receptor, it returns Auth_failed. Please see the swanctl.conf, strongswan.conf and charon.log.
>>
>> Aug 1 12:09:21 12[CFG] <rw|1> no issuer certificate found for "C=US, ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
>> Aug 1 12:09:21 12[IKE] <rw|1> no trusted RSA public key found for '10.13.199.185'
>> Aug 1 12:09:21 12[IKE] <rw|1> peer supports MOBIKE
>> Aug 1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
>> Aug 1 12:09:21 12[ENC] <rw|1> order payloads in message
>> Aug 1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
>> Aug 1 12:09:21 12[ENC] <rw|1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>>
>> I used the following commands to create the certificates.
>>
>> Initiator:
>> ---
>>
>> sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/strongswanKey.pem
>>
>> sudo chmod 600 /usr/local/etc/swanctl/rsa/strongswanKey.pem
>>
>> sudo ipsec pki --self --ca --in /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US, ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>>
>> sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>>
>> sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/hostKey.pem
>>
>> sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
>>
>> sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type rsa | ipsec pki --issue --digest sha256 --cacert /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA, L=Lowell, O=Arris, CN=10.13.199.185" --san 10.13.199.185 --outform pem > /usr/local/etc/swanctl/x509/hostCert.pem
>>
>> Receptor:
>> --
>>
>> sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/strongswanKey.pem
>>
>> sudo chmod 600 /usr/local/etc/swanctl/rsa/strongswanKey.pem
>>
>> sudo ipsec pki --self --ca --in /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US, ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>>
>> sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>>
>> sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
[strongSwan] Using davici API
I have a very simple config file and am trying to implement the same with the DAVICI APIs. Please find attached the config and its implementation. Not sure what is wrong; any insight would help me. tester.c is also compiled with cmd.c.

Thanks,
Rajeev

    /*
     * Copyright (C) 2015 CloudGuard Software AG
     *
     * This library is free software; you can redistribute it and/or
     * modify it under the terms of the GNU Lesser General Public
     * License as published by the Free Software Foundation; either
     * version 2.1 of the License, or (at your option) any later version.
     *
     * This library is distributed in the hope that it will be useful,
     * but WITHOUT ANY WARRANTY; without even the implied warranty of
     * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
     * Lesser General Public License for more details.
     */

    #include "tester.h"

    #include <assert.h>
    #include <stdint.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>

    static char huge[4096];

    /* mock server side of the davici test harness: reads one load-conns
     * request from the socket and echoes its body back as the response */
    static void echocb(struct tester *t, int fd)
    {
        char buf[sizeof(huge) * 2];
        uint32_t len;

        len = tester_read_cmdreq(fd, "load-conns");
        assert(len < sizeof(buf));
        assert(read(fd, buf, len) == len);
        tester_write_cmdres(fd, buf, len);
    }

    /* response callback: err < 0 means the request failed */
    static void reqcb(struct davici_conn *c, int err, const char *name,
                      struct davici_response *res, void *user)
    {
        struct tester *t = user;

        assert(err >= 0);
        assert(davici_get_level(res) == 0);
        tester_complete(t);
    }

    int main(int argc, char *argv[])
    {
        struct tester *t;
        struct davici_conn *c;
        struct davici_request *r;
        int err = 0;

        t = tester_create(echocb);

        /* load-conns: one top-level section per connection; every section
         * opened here must be closed again before the request is queued */
        assert(davici_connect_unix(tester_getpath(t), tester_davici_iocb, t, &c) >= 0);
        assert(davici_new_cmd("load-conns", &r) >= 0);
        davici_section_start(r, "home");
        davici_kvf(r, "version", "%s", "2");
        davici_kvf(r, "local_addrs", "%s", "10.13.199.185");
        davici_kvf(r, "remote_addrs", "%s", "10.13.199.130");
        davici_kvf(r, "local_port", "%s", "500");
        davici_kvf(r, "remote_port", "%s", "500");
        davici_kvf(r, "proposals", "%s", "aes128-sha256-ecp256");
        davici_section_start(r, "local");
        /* "certs" over vici carries the certificate data itself, not a file
         * name, and a PSK peer does not need one */
        davici_kvf(r, "auth", "%s", "psk");
        davici_kvf(r, "id", "%s", "10.13.199.185");
        davici_section_end(r); /* local */
        davici_section_start(r, "remote");
        davici_kvf(r, "id", "%s", "10.13.199.130");
        davici_kvf(r, "auth", "%s", "psk");
        davici_section_end(r); /* remote */
        davici_section_start(r, "children");
        davici_section_start(r, "home");
        davici_kvf(r, "esp_proposals", "%s", "aes128-sha256-ecp256");
        davici_kvf(r, "remote_ts", "%s", "dynamic");
        davici_kvf(r, "mode", "%s", "transport");
        davici_section_end(r); /* children/home */
        davici_section_end(r); /* children */
        davici_section_end(r); /* home: this section was never closed before */
        err = davici_queue(c, r, reqcb, t);
        printf(" Err is %d \n", err);
        assert(err >= 0);
        tester_runio(t, c);
        davici_disconnect(c);

        /* the secrets section is not part of load-conns; shared secrets go in
         * a separate load-shared request. "data" is sent as raw bytes: the 0s
         * prefix is a swanctl.conf convention that charon does not decode */
        assert(davici_connect_unix(tester_getpath(t), tester_davici_iocb, t, &c) >= 0);
        assert(davici_new_cmd("load-shared", &r) >= 0);
        davici_kvf(r, "type", "%s", "ike");
        davici_kvf(r, "data", "%s", "0sFpZAZqEN6Ti9sqt4ZP5EWcqx");
        davici_list_start(r, "owners");
        davici_list_itemf(r, "%s", "10.13.199.185");
        davici_list_end(r);
        assert(davici_queue(c, r, reqcb, t) >= 0);
        tester_runio(t, c);
        davici_disconnect(c);

        assert(davici_connect_unix(tester_getpath(t), tester_davici_iocb, t, &c) >= 0);
        assert(davici_new_cmd("initiate", &r) >= 0);
        davici_kvf(r, "child", "%s", "home"); /* was "%%", which yields a literal '%' */
        assert(davici_queue(c, r, reqcb, t) >= 0);
        tester_runio(t, c);
        davici_disconnect(c);

        tester_cleanup(t);
        return 0;
    }
Re: [strongSwan] trap not found, unable to acquire reqid
Noel,

I was able to install the policy using swanctl --install, and a packet from the data plane was able to trigger the SAs. Thanks for your help.

Rajeev

On Mon, Jun 13, 2016 at 1:24 PM, rajeev nohria <rajnoh...@gmail.com> wrote:
> Noel,
> I am using Strongswan 5.4 with swanctl.conf and strongswan.conf. There is
> no option for auto=route. Is there anything equivalent?
> Thanks,
> Rajeev
>
> On Mon, Jun 6, 2016 at 10:15 AM, Noel Kuntze <n...@familie-kuntze.de> wrote:
>> On 06.06.2016 14:28, rajeev nohria wrote:
>>> IKEv2 should be able to create an SA when there are only policies
>>> installed and a packet matches the policy. That was the reason I was
>>> expecting the above ping to work. If that is not the case, what is the use
>>> of the ACQUIRE message? Let me know if I am missing something here.
>>
>> Charon can only initiate an SA to a remote host if it has a
>> configuration for that host. Because you installed the policies yourself,
>> charon does not have a configuration.
>>
>> You have to configure it correctly and use auto=route. Do not install
>> policies yourself. As you found out, it does not work if you do that.
>>
>> --
>> Mit freundlichen Grüßen/Kind Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Re: [strongSwan] trap not found, unable to acquire reqid
Noel,

I am using Strongswan 5.4 with swanctl.conf and strongswan.conf. There is no option for auto=route. Is there anything equivalent?

Thanks,
Rajeev

On Mon, Jun 6, 2016 at 10:15 AM, Noel Kuntze <n...@familie-kuntze.de> wrote:
> On 06.06.2016 14:28, rajeev nohria wrote:
>> IKEv2 should be able to create an SA when there are only policies installed
>> and a packet matches the policy. That was the reason I was expecting the
>> above ping to work. If that is not the case, what is the use of the ACQUIRE
>> message? Let me know if I am missing something here.
>
> Charon can only initiate an SA to a remote host if it has a configuration
> for that host. Because you installed the policies yourself, charon does not
> have a configuration.
>
> You have to configure it correctly and use auto=route. Do not install
> policies yourself. As you found out, it does not work if you do that.
>
> --
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Re: [strongSwan] Strongswan[5.4.0] unix:///var/run/charon.vici
Hi Andreas,

We are planning to use the davici library for the establishment of dynamic IKEv2 connections using strongSwan's IKE client. Are there any licensing implications of using the davici library? Please confirm/clarify.

Thanks,
Rajeev

On Wed, May 11, 2016 at 9:18 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
> Hi Rajeev,
>
> there seems something wrong with your user certificate.
>
> You can configure the charon daemon dynamically using the
> VICI interface. There are VICI bindings for the Perl, Ruby
> and Python script languages which can be used by your
> IPsec management application to communicate with the
> charon daemon. For details have a look at
>
> https://github.com/strongswan/strongswan/blob/master/src/libcharon/plugins/vici/README.md
>
> If you intend to write your management application in C or C++
> then consider the DAVICI library:
>
> https://github.com/strongswan/davici/blob/master/README.md
>
> Regards
>
> Andreas
>
> On 11.05.2016 13:50, rajeev nohria wrote:
>> Andreas,
>>
>> I appreciate you helping me out. Now I am making progress with Charon
>> running; not sure why it was stopping before. I am getting the following
>> error now, and I am going over my config files. Hopefully I will find the
>> issue.
>>
>> rnohria@ubuntu:~$ sudo swanctl --load-conns
>> 06[LIB] OpenSSL X.509 parsing failed
>> 06[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
>> loading connection 'rw' failed: invalid value for: certs, config discarded
>> loaded 0 of 1 connections, 1 failed to load, 0 unloaded
>>
>> Question:
>>
>> Can I use Strongswan to make connections dynamically, not via config
>> file? For a config file we need to know the information beforehand. If I
>> don't know all the information beforehand, like local and remote IP
>> address, is there any interface in Strongswan to support dynamic connections?
>>
>> Thanks,
>> Rajeev
>>
>> On Wed, May 11, 2016 at 4:41 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
>>> Hi Rajeev,
>>>
>>> try running charon in the foreground:
>>>
>>>   sudo /usr/local/libexec/ipsec/charon
>>>
>>> and check for error messages in the console window.
>>>
>>> Cheers Andreas
>>>
>>> On 11.05.2016 11:53, rajeev nohria wrote:
>>>> Andreas,
>>>>
>>>> It seems like the Charon daemon is not running. When I run the charon
>>>> command, it immediately stops. Where can I find the charon log to see
>>>> if there is any issue?
>>>>
>>>> rnohria@ubuntu:~$ sudo /usr/local/libexec/ipsec/charon&
>>>> [1] 7272
>>>> rnohria@ubuntu:~$
>>>>
>>>> [1]+  Stopped   sudo /usr/local/libexec/ipsec/charon
>>>>
>>>> Thanks,
>>>> Rajeev
>>>>
>>>> On Wed, May 11, 2016 at 2:55 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
>>>>> Hi Rajeev,
>>>>>
>>>>> can you check in the charon log if the vici plugin has been loaded?
>>>>> And do you see the charon daemon running in the process status
>>>>> (ps aux | grep charon)?
>>>>>
>>>>> Regards
>>>>>
>>>>> Andreas
>>>>>
>>>>> On 05/11/2016 04:04 AM, rajeev nohria wrote:
>>>>>> Thanks Andreas,
>>>>>>
>>>>>> I ran charon and also copied the charon script file to /etc/init.d.
>>>>>> Now when I run sudo swanctl --load-conn, I still get the same issue.
>>>>>> connecting to 'unix:///var/run/charon.vici' failed: No such file or directory
>>>>>> Error: connecting to 'default' URI failed: No such file or directory
>>>>>> strongSwan 5.4.0 swanctl
>>>>>> usage:
>>>>>>   swanctl --load-conns [--raw|--pretty]
>>>>>>     --help (-h)  show usage information
>>>>>>     --raw (-r)   du
Re: [strongSwan] trap not found, unable to acquire reqid
Noel,

IKEv2 should be able to create an SA when there are only policies installed and a packet matches the policy. That was the reason I was expecting the above ping to work. If that is not the case, what is the use of the ACQUIRE message? Let me know if I am missing something here.

Regards,
Rajeev

On Thu, Jun 2, 2016 at 1:34 PM, Noel Kuntze <n...@familie-kuntze.de> wrote:
> Keep it on the mailing lists.
> Then don't use a keying daemon. The only things a keying daemon does is
> install SAs, SPs and routes.
> If you don't want charon to do any of those things, don't use it.
>
> And there's still the VICI API to charon that you can use to dynamically
> load and unload any configuration.
>
> On 02.06.2016 19:26, rajeev nohria wrote:
>> Noel,
>>
>> We are planning to install SAs and policies dynamically. We don't want to
>> use swanctl.conf for configuration with Strongswan 5.4.
>>
>> Thanks,
>> Rajeev
>>
>> On Thu, Jun 2, 2016 at 12:12 PM, Noel Kuntze <n...@familie-kuntze.de> wrote:
>>> That's because you installed the policies by yourself. Don't do that.
>>>
>>> On 02.06.2016 17:25, rajeev nohria wrote:
>>>> I added manual entries for the policy using "ip xfrm policy" at both the
>>>> receptor and the initiator. Both are hosts, with IP addresses 10.13.199.185
>>>> and 10.13.199.130.
>>>>
>>>> Initiator:
>>>>
>>>> sudo ip xfrm policy add src 10.13.199.185 dst 10.13.199.130 dir out tmpl src 10.13.199.185 dst 10.13.199.130 proto esp reqid 16386 mode transport
>>>>
>>>> sudo ip xfrm policy add src 10.13.199.130 dst 10.13.199.185 dir in tmpl src 10.13.199.130 dst 10.13.199.185 proto esp reqid 16386 mode transport
>>>>
>>>> Receptor:
>>>>
>>>> sudo ip xfrm policy add src 10.13.199.130 dst 10.13.199.185 dir out tmpl src 10.13.199.130 dst 10.13.199.185 proto esp reqid 16386 mode transport
>>>>
>>>> sudo ip xfrm policy add src 10.13.199.185 dst 10.13.199.130 dir in tmpl src 10.13.199.185 dst 10.13.199.130 proto esp reqid 16386 mode transport
>>>>
>>>> When I try to ping, I get the following error. I expect it to create a
>>>> dynamic SA and the ping to be successful.
>>>>
>>>> Jun 2 08:03:52 05[KNL] received a XFRM_MSG_ACQUIRE
>>>> Jun 2 08:03:52 05[KNL]   XFRMA_TMPL
>>>> Jun 2 08:03:52 05[KNL] creating acquire job for policy 10.13.199.185/32[udp/48785] === 10.13.199.130/32[udp/1025] with reqid {16386}
>>>> Jun 2 08:03:52 07[CFG] trap not found, unable to acquire reqid 16386
>>>>
>>>> Thanks,
>>>> Raj
>>>
>>> --
>>> Mit freundlichen Grüßen/Kind Regards,
>>> Noel Kuntze
>>>
>>> GPG Key ID: 0x63EC6658
>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> --
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
[strongSwan] DAVICI example
Does anyone have an example of DAVICI code and would be willing to share it?

Rajeev
[strongSwan] trap not found, unable to acquire reqid
I added manual entries for the policy using "ip xfrm policy" at both the receptor and the initiator. Both are hosts, with IP addresses 10.13.199.185 and 10.13.199.130.

Initiator:

sudo ip xfrm policy add src 10.13.199.185 dst 10.13.199.130 dir out tmpl src 10.13.199.185 dst 10.13.199.130 proto esp reqid 16386 mode transport

sudo ip xfrm policy add src 10.13.199.130 dst 10.13.199.185 dir in tmpl src 10.13.199.130 dst 10.13.199.185 proto esp reqid 16386 mode transport

Receptor:

sudo ip xfrm policy add src 10.13.199.130 dst 10.13.199.185 dir out tmpl src 10.13.199.130 dst 10.13.199.185 proto esp reqid 16386 mode transport

sudo ip xfrm policy add src 10.13.199.185 dst 10.13.199.130 dir in tmpl src 10.13.199.185 dst 10.13.199.130 proto esp reqid 16386 mode transport

When I try to ping, I get the following error. I expect it to create a dynamic SA and the ping to be successful.

Jun 2 08:03:52 05[KNL] received a XFRM_MSG_ACQUIRE
Jun 2 08:03:52 05[KNL]   XFRMA_TMPL
Jun 2 08:03:52 05[KNL] creating acquire job for policy 10.13.199.185/32[udp/48785] === 10.13.199.130/32[udp/1025] with reqid {16386}
Jun 2 08:03:52 07[CFG] trap not found, unable to acquire reqid 16386

Thanks,
Raj
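The following is an added example, not code from the davici project, from strongSwan, or from any poster in these threads. It ties together two of the questions above: the load-conns request built with davici in the "Using davici API" post, and the "trap not found, unable to acquire reqid" threads. It re-implements the VICI message encoding described in the vici plugin README (element types SECTION_START..LIST_END, 1-byte length prefixes for names, 2-byte big-endian prefixes for values, a CMD_REQUEST packet framed by a 4-byte length) so that the section nesting of a load-conns request can be checked offline before it reaches charon, and it decodes the result back into nested dicts. The "home" connection uses the addresses and proposals from the davici post; addresses, proposals and traffic selectors are list-typed settings in the README, so they are sent as lists here. The child carries start_action = trap, which is the swanctl/VICI counterpart of the auto=route that Noel recommends: with it, charon installs the trap policy itself and the kernel's XFRM_MSG_ACQUIRE can be matched to a configuration, which hand-installed ip xfrm policies never are. The unbalanced-request check reproduces the kind of nesting slip that an encoder without a depth counter would happily send.

```python
"""Constructed example (not davici and not the strongSwan vici bindings): a
small encoder/decoder for the VICI message format, used to check that a
load-conns request is nested correctly before it reaches the daemon."""
import struct

# VICI element types in wire order; CMD_REQUEST is the packet type byte
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = range(6)
CMD_REQUEST = 0


def _lv(s, width):
    """Length-prefixed string: 1-byte length for names, 2-byte big-endian for values."""
    b = s.encode()
    if len(b) >= 1 << (8 * width):
        raise ValueError("string too long for a %d-byte length" % width)
    return len(b).to_bytes(width, "big") + b


def _read(data, i, width):
    """Inverse of _lv: return (string, index just after it)."""
    n = int.from_bytes(data[i:i + width], "big")
    i += width
    return data[i:i + n].decode(), i + n


class ViciMessage:
    """Builder that counts open sections, so an unbalanced message fails locally."""

    def __init__(self):
        self._buf = bytearray()
        self._depth = 0  # sections opened but not yet closed

    def section_start(self, name):
        self._buf += bytes([SECTION_START]) + _lv(name, 1)
        self._depth += 1
        return self

    def section_end(self):
        if self._depth == 0:
            raise ValueError("section_end without an open section")
        self._depth -= 1
        self._buf += bytes([SECTION_END])
        return self

    def kv(self, key, value):
        self._buf += bytes([KEY_VALUE]) + _lv(key, 1) + _lv(value, 2)
        return self

    def add_list(self, name, *items):
        # lists cannot nest, so start, items and end are emitted together
        self._buf += bytes([LIST_START]) + _lv(name, 1)
        for item in items:
            self._buf += bytes([LIST_ITEM]) + _lv(item, 2)
        self._buf += bytes([LIST_END])
        return self

    def encode(self):
        if self._depth:
            raise ValueError("%d section(s) still open" % self._depth)
        return bytes(self._buf)

    def frame_request(self, command):
        # CMD_REQUEST packet: 4-byte length, type byte, command name, message body
        payload = bytes([CMD_REQUEST]) + _lv(command, 1) + self.encode()
        return struct.pack(">I", len(payload)) + payload


def decode(data):
    """Decode a message body into nested dicts (sections) and Python lists."""
    root = {}
    stack, cur_list, i = [root], None, 0
    while i < len(data):
        t, i = data[i], i + 1
        if t in (SECTION_START, KEY_VALUE, LIST_START):
            name, i = _read(data, i, 1)
        if t == SECTION_START:
            stack[-1][name] = sec = {}
            stack.append(sec)
        elif t == SECTION_END:
            if len(stack) == 1:
                raise ValueError("SECTION_END at top level")
            stack.pop()
        elif t == KEY_VALUE:
            stack[-1][name], i = _read(data, i, 2)
        elif t == LIST_START:
            stack[-1][name] = cur_list = []
        elif t == LIST_ITEM:
            if cur_list is None:
                raise ValueError("LIST_ITEM outside a list")
            item, i = _read(data, i, 2)
            cur_list.append(item)
        elif t == LIST_END:
            cur_list = None
        else:
            raise ValueError("unknown element type %d" % t)
    if len(stack) != 1:
        raise ValueError("unterminated section")
    return root


def build_home_connection(start_action="trap"):
    """The 'home' connection from the davici post, correctly nested; start_action
    = trap is the swanctl/VICI counterpart of auto=route (charon installs the
    trap policy and serves the kernel acquire itself)."""
    m = ViciMessage().section_start("home").kv("version", "2")
    m.add_list("local_addrs", "10.13.199.185").add_list("remote_addrs", "10.13.199.130")
    m.add_list("proposals", "aes128-sha256-ecp256")
    m.section_start("local").kv("auth", "psk").kv("id", "10.13.199.185").section_end()
    m.section_start("remote").kv("auth", "psk").kv("id", "10.13.199.130").section_end()
    m.section_start("children").section_start("home")
    m.add_list("esp_proposals", "aes128-sha256-ecp256").add_list("remote_ts", "dynamic")
    m.kv("mode", "transport").kv("start_action", start_action)
    return m.section_end().section_end().section_end()  # child, children, connection


def unbalanced_is_rejected():
    """The nesting slip from the posted code: two sections opened, one closed."""
    m = ViciMessage().section_start("home").section_start("children").section_end()
    try:
        m.frame_request("load-conns")
    except ValueError:
        return True
    return False
```

Running `build_home_connection().frame_request("load-conns")` yields the exact bytes a VICI client would write to the charon.vici socket; `decode` on the body gives back the same tree swanctl would have produced from an equivalent swanctl.conf, which makes it easy to diff a hand-built davici request against a known-good configuration.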
[strongSwan] strongSwan [ no trusted RSA public key found for '10.13.199.185']
I am testing between two Ubuntus. We are using Strongswan 5.4.0, with the certificates and keys in swanctl/x509, swanctl/x509ca and swanctl/rsa. I could not figure out how to resolve this. I am creating certificates using ipsec pki as in the example on the strongSwan website. Is there anything obvious I am missing? Any help with this is appreciated.

06[CFG] no issuer certificate found for "C=US, O=ARRIS, CN=peer"
06[IKE] no trusted RSA public key found for '10.13.199.185'

Initiator receives --

11[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
11[IKE] received AUTHENTICATION_FAILED notify error

Receptor -

rnohria@ubuntu:/$ sudo /usr/local/libexec/ipsec/charon
[sudo] password for rnohria:
00[DMN] Starting IKE charon daemon (strongSwan 5.4.0, Linux 3.16.0-30-generic, x86_64)
00[LIB] loaded plugins: charon pem pkcs1 x509 revocation constraints pubkey openssl random nonce kernel-netlink socket-default updown vici
00[JOB] spawning 16 worker threads
08[CFG] added vici connection: rw
11[CFG] loaded certificate 'C=US, O=ARRIS, CN=peer'
06[CFG] loaded certificate 'C=US, O=ARRIS, CN=RPD'
15[CFG] loaded RSA private key
09[NET] received packet: from 10.13.199.185[500] to 10.13.199.130[500] (264 bytes)
09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
09[IKE] 10.13.199.185 is initiating an IKE_SA
09[IKE] sending cert request for "C=US, O=ARRIS, CN=RPD"
09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
09[NET] sending packet: from 10.13.199.130[500] to 10.13.199.185[500] (289 bytes)
06[NET] received packet: from 10.13.199.185[4500] to 10.13.199.130[4500] (1328 bytes)
06[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
06[IKE] received 1 cert requests for an unknown ca
06[IKE] received end entity cert "C=US, O=ARRIS, CN=peer"
06[CFG] looking for peer configs matching 10.13.199.130[10.13.199.130]...10.13.199.185[10.13.199.185]
06[CFG] selected peer config 'rw'
06[CFG] using certificate "C=US, O=ARRIS, CN=peer"
06[CFG] no issuer certificate found for "C=US, O=ARRIS, CN=peer"
06[IKE] no trusted RSA public key found for '10.13.199.185'
06[IKE] peer supports MOBIKE
06[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
06[NET] sending packet: from 10.13.199.130[4500] to 10.13.199.185[4500] (80 bytes)
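An added example, not part of the post above and not strongSwan code: a small triage routine for the responder log in that post. charon log lines have the shape `NN[GROUP] message` (two-digit worker thread, subsystem tag, text). The routine finds the IKE_AUTH response that carries N(AUTH_FAILED), then reads the lines of the worker thread that produced it, because one received message is processed by a single worker, and pulls out the two credential facts that explain the failure here: the end-entity certificate whose issuer could not be found (no CA certificate for it is loaded, which for swanctl means the swanctl/x509ca directory mentioned in the post), and the identity for which, as a result, no trusted public key exists. The sample log is constructed from the lines in the post; the directory reading in `explain` is the operator-facing interpretation and not a message charon itself emits.

```python
"""Constructed example: triage a charon responder log for the cause of an
AUTH_FAILED. Not strongSwan code; the sample lines are copied from the post."""
import re

# Constructed sample: the responder-side lines from the post above, one per line.
SAMPLE_LOG = """\
06[NET] received packet: from 10.13.199.185[4500] to 10.13.199.130[4500] (1328 bytes)
06[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
06[IKE] received 1 cert requests for an unknown ca
06[IKE] received end entity cert "C=US, O=ARRIS, CN=peer"
06[CFG] looking for peer configs matching 10.13.199.130[10.13.199.130]...10.13.199.185[10.13.199.185]
06[CFG] selected peer config 'rw'
06[CFG] using certificate "C=US, O=ARRIS, CN=peer"
06[CFG] no issuer certificate found for "C=US, O=ARRIS, CN=peer"
06[IKE] no trusted RSA public key found for '10.13.199.185'
06[IKE] peer supports MOBIKE
06[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
06[NET] sending packet: from 10.13.199.130[4500] to 10.13.199.185[4500] (80 bytes)
"""

# charon log line: two-digit worker thread, subsystem tag in brackets, message
LINE_RE = re.compile(r"^(?P<thread>\d{2})\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
AUTH_FAILED_RE = re.compile(r"generating IKE_AUTH response \d+ \[.*N\(AUTH_FAILED\).*\]")
PEER_CFG_RE = re.compile(r"selected peer config '([^']+)'")
ISSUER_RE = re.compile(r'no issuer certificate found for "([^"]+)"')
NO_KEY_RE = re.compile(r"no trusted RSA public key found for '([^']+)'")


def parse_line(line):
    """Split one charon log line into thread, group and message; None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Locate the IKE_AUTH response carrying AUTH_FAILED and gather, from the
    lines of the worker thread that produced it, the credential checks that
    failed on the way there."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    result = {"auth_failed": False, "thread": None, "peer_config": None,
              "issuer_missing": [], "untrusted_identities": []}
    for rec in records:
        if AUTH_FAILED_RE.search(rec["msg"]):
            result["auth_failed"], result["thread"] = True, rec["thread"]
            break
    if not result["auth_failed"]:
        return result
    # A received message is processed by one worker thread, so that thread's
    # lines tell the story of this exchange.
    for rec in records:
        if rec["thread"] != result["thread"]:
            continue
        m = PEER_CFG_RE.search(rec["msg"])
        if m:
            result["peer_config"] = m.group(1)
            continue
        m = ISSUER_RE.search(rec["msg"])
        if m:
            result["issuer_missing"].append(m.group(1))
            continue
        m = NO_KEY_RE.search(rec["msg"])
        if m:
            result["untrusted_identities"].append(m.group(1))
    return result


def explain(result):
    """Operator-facing reading of a triage result."""
    if not result["auth_failed"]:
        return ["no AUTH_FAILED response in this log"]
    items = []
    for subject in result["issuer_missing"]:
        items.append("cannot build a chain for %r: its issuer (CA) certificate is not "
                     "among the loaded CA certificates (swanctl/x509ca)" % subject)
    for ident in result["untrusted_identities"]:
        items.append("no trusted certificate or public key is available for identity %r"
                     % ident)
    if not items:
        items.append("AUTH_FAILED with no credential message; check peer config %r"
                     % result["peer_config"])
    return items


if __name__ == "__main__":
    for line in explain(triage(SAMPLE_LOG)):
        print("-", line)
```

On the sample, the two findings point at the same root: the responder holds the peer's end-entity certificate but not the CA that issued it, so the chain cannot be built and the initiator's identity has no trusted key behind it, which is exactly what the AUTH_FAILED notify reports back to the initiator.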
Re: [strongSwan] Strongswan[5.4.0] unix:///var/run/charon.vici
Andreas,

Strongswan 5.4.0, swanctl.conf: when I tried to initiate the connection (swanctl --initiate --child net), I get the following error: "no trusted RSA public key found". I did make peerKey.der based on the following link and copied it to the /etc/swanctl/rsa directory.

https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA

07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
07[IKE] 10.13.199.185 is initiating an IKE_SA
07[IKE] sending cert request for "C=US, O=ARRIS, CN=RPD"
07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
07[NET] sending packet: from 10.13.199.130[500] to 10.13.199.185[500] (289 bytes)
09[NET] received packet: from 10.13.199.185[4500] to 10.13.199.130[4500] (1312 bytes)
09[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
09[IKE] received 1 cert requests for an unknown ca
09[IKE] received end entity cert "C=US, O=ARRIS, CN=RPD"
09[CFG] looking for peer configs matching 10.13.199.130[%any]...10.13.199.185[rnoh...@arris.com]
09[CFG] selected peer config 'rw'
09[IKE] no trusted RSA public key found for 'rnoh...@arris.com'
09[IKE] peer supports MOBIKE
09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
09[NET] sending packet: from 10.13.199.130[4500] to 10.13.199.185[4500] (80 bytes)

Thanks,
Rajeev

On Wed, May 11, 2016 at 9:18 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
> Hi Rajeev,
>
> there seems something wrong with your user certificate.
>
> You can configure the charon daemon dynamically using the
> VICI interface. There are VICI bindings for the Perl, Ruby
> and Python script languages which can be used by your
> IPsec management application to communicate with the
> charon daemon. For details have a look at
>
> https://github.com/strongswan/strongswan/blob/master/src/libcharon/plugins/vici/README.md
>
> If you intend to write your management application in C or C++
> then consider the DAVICI library:
>
> https://github.com/strongswan/davici/blob/master/README.md
>
> Regards
>
> Andreas
>
> On 11.05.2016 13:50, rajeev nohria wrote:
>> Andreas,
>>
>> I appreciate you helping me out. Now I am making progress with Charon
>> running; not sure why it was stopping before. I am getting the following
>> error now, and I am going over my config files. Hopefully I will find the
>> issue.
>>
>> rnohria@ubuntu:~$ sudo swanctl --load-conns
>> 06[LIB] OpenSSL X.509 parsing failed
>> 06[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
>> loading connection 'rw' failed: invalid value for: certs, config discarded
>> loaded 0 of 1 connections, 1 failed to load, 0 unloaded
>>
>> Question:
>>
>> Can I use Strongswan to make connections dynamically, not via config
>> file? For a config file we need to know the information beforehand. If I
>> don't know all the information beforehand, like local and remote IP
>> address, is there any interface in Strongswan to support dynamic connections?
>>
>> Thanks,
>> Rajeev
>>
>> On Wed, May 11, 2016 at 4:41 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
>>> Hi Rajeev,
>>>
>>> try running charon in the foreground:
>>>
>>>   sudo /usr/local/libexec/ipsec/charon
>>>
>>> and check for error messages in the console window.
>>>
>>> Cheers Andreas
>>>
>>> On 11.05.2016 11:53, rajeev nohria wrote:
>>>> Andreas,
>>>>
>>>> It seems like the Charon daemon is not running. When I run the charon
>>>> command, it immediately stops. Where can I find the charon log to see
>>>> if there is any issue?
>>>>
>>>> rnohria@ubuntu:~$ sudo /usr/local/libexec/ipsec/charon&
>>>> [1] 7272
>>>> rnohria@ubuntu:~$
>>>>
>>>> [1]+  Stopped   sudo /usr/local/libexec/ipsec/charon
>>>>
>>>> Thanks,
>>>> Rajeev
>>>>
>>>> On Wed, May 11, 2016 at 2:55 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
>>>>> Hi Rajeev,
>>>>>
Re: [strongSwan] Strongswan[5.4.0] unix:///var/run/charon.vici
Andreas,

I can ping6 fe80::20c:29ff:fe9d:7d88, and when I tried to establish an IPsec connection using charon-cmd, I get the following error. Do I need to set up anything for the following to work?

ubuntu:/var/log$ sudo charon-cmd --host fe80::20c:29ff:fe9d:7d88 --identity fe80::20c:29ff:fe32:ba9c
00[DMN] Starting charon-cmd IKE client (strongSwan 5.4.0, Linux 3.16.0-30-generic, x86_64)
00[LIB] loaded plugins: charon-cmd pkcs11 aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 sshkey pem openssl fips-prf gmp xcbc cmac hmac kernel-netlink resolve socket-default xauth-generic
00[JOB] spawning 16 worker threads
06[IKE] unable to resolve fe80::20c:29ff:fe9d:7d88, initiate aborted
06[MGR] tried to checkin and delete nonexisting IKE_SA
ubuntu:/var/log$

Thanks,
Rajeev

On Tue, May 10, 2016 at 3:59 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
> Hi Rajeev,
>
> is the charon daemon running? If not, either start charon manually:
>
>   sudo /usr/local/libexec/ipsec/charon &
>
> or if your Linux distribution still uses upstart, copy the
> following script to /etc/init.d/
>
> https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/testing/hosts/default/etc/init.d/charon
>
> and start the charon daemon in the appropriate runlevels.
>
> If your Linux distribution uses systemd instead, compile and
> install strongSwan with
>
>   ./config --enable-systemd
>
> and enable and start the strongswan-swanctl service.
>
> BTW - in order to use the vici socket you must be root. Thus
>
>   sudo swanctl --load-conn
>
> Best regards
>
> Andreas
>
> On 09.05.2016 16:34, rajeev nohria wrote:
>> I am a new user of Strongswan, running 5.4.0. After creating
>> certificates and configuring two Ubuntu m/c with Strongswan 5.4.0, I try
>> to create a connection as follows and get an error. Please advise how to
>> resolve the following issue?
>>
>> $swanctl --load-conn
>> connecting to 'unix:///var/run/charon.vici' failed: No such file or directory
>> Error: connecting to 'default' URI failed: No such file or directory
>> strongSwan 5.4.0 swanctl
>> usage:
>>
>> Thanks,
>> Rajeev
>
> --
> ==
> Andreas Steffen                         andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[ITA-HSR]==
Re: [strongSwan] Strongswan[5.4.0] unix:///var/run/charon.vici
Andreas,

I appreciate you helping me out. Now I am making progress with Charon running; not sure why it was stopping before. I am getting the following error now, and I am going over my config files. Hopefully I will find the issue.

rnohria@ubuntu:~$ sudo swanctl --load-conns
06[LIB] OpenSSL X.509 parsing failed
06[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
loading connection 'rw' failed: invalid value for: certs, config discarded
loaded 0 of 1 connections, 1 failed to load, 0 unloaded

Question:

Can I use Strongswan to make connections dynamically, not via config file? For a config file we need to know the information beforehand. If I don't know all the information beforehand, like local and remote IP address, is there any interface in Strongswan to support dynamic connections?

Thanks,
Rajeev

On Wed, May 11, 2016 at 4:41 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
> Hi Rajeev,
>
> try running charon in the foreground:
>
>   sudo /usr/local/libexec/ipsec/charon
>
> and check for error messages in the console window.
>
> Cheers Andreas
>
> On 11.05.2016 11:53, rajeev nohria wrote:
>> Andreas,
>>
>> It seems like the Charon daemon is not running. When I run the charon
>> command, it immediately stops. Where can I find the charon log to see
>> if there is any issue?
>>
>> rnohria@ubuntu:~$ sudo /usr/local/libexec/ipsec/charon&
>> [1] 7272
>> rnohria@ubuntu:~$
>>
>> [1]+  Stopped   sudo /usr/local/libexec/ipsec/charon
>>
>> Thanks,
>> Rajeev
>>
>> On Wed, May 11, 2016 at 2:55 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
>>> Hi Rajeev,
>>>
>>> can you check in the charon log if the vici plugin has been loaded?
>>> And do you see the charon daemon running in the process status
>>> (ps aux | grep charon)?
>>>
>>> Regards
>>>
>>> Andreas
>>>
>>> On 05/11/2016 04:04 AM, rajeev nohria wrote:
>>>> Thanks Andreas,
>>>>
>>>> I ran charon and also copied the charon script file to /etc/init.d.
>>>> Now when I run sudo swanctl --load-conn, I still get the same issue.
>>>> connecting to 'unix:///var/run/charon.vici' failed: No such file or directory
>>>> Error: connecting to 'default' URI failed: No such file or directory
>>>> strongSwan 5.4.0 swanctl
>>>> usage:
>>>>   swanctl --load-conns [--raw|--pretty]
>>>>     --help (-h)     show usage information
>>>>     --raw (-r)      dump raw response message
>>>>     --pretty (-P)   dump raw response message in pretty print
>>>>     --debug (-v)    set debug level, default: 1
>>>>     --options (-+)  read command line options from file
>>>>     --uri (-u)      service URI to connect to
>>>>
>>>> Am I missing any other step?
>>>>
>>>> Thanks,
>>>> Rajeev
>>>>
>>>> On Tue, May 10, 2016 at 3:59 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
>>>>> Hi Rajeev,
>>>>>
>>>>> is the charon daemon running? If not, either start charon manually:
>>>>>
>>>>>   sudo /usr/local/libexec/ipsec/charon &
>>>>>
>>>>> or if your Linux distribution still uses upstart, copy the
>>>>> following script to /etc/init.d/
>>>>>
>>>>> https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/testing/hosts/default/etc/init.d/charon
>>>>>
>>>>> and start the charon daemon in the appropriate runlevels.
>>>>>
>>>>> If your Linux distribution uses systemd instead, compile and
>>>>> install strongSwan with
>>>>>
>>>>>   ./config --enable-systemd
>>>>>
>>>>> and enable and start the strongswan-swanctl service.
>>>>>
>>>>> BTW - in order to use the vici socket you must be root. Thus
>>>>>
>>>>>   sudo swanctl --load-conn
>>
Re: [strongSwan] Strongswan[5.4.0] unix:///var/run/charon.vici
Andreas,

It seems like the Charon daemon is not running. When I run the charon command, it immediately stops. Where can I find the charon log to see if there is any issue?

rnohria@ubuntu:~$ sudo /usr/local/libexec/ipsec/charon&
[1] 7272
rnohria@ubuntu:~$

[1]+  Stopped   sudo /usr/local/libexec/ipsec/charon

Thanks,
Rajeev

On Wed, May 11, 2016 at 2:55 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
> Hi Rajeev,
>
> can you check in the charon log if the vici plugin has been loaded?
> And do you see the charon daemon running in the process status
> (ps aux | grep charon)?
>
> Regards
>
> Andreas
>
> On 05/11/2016 04:04 AM, rajeev nohria wrote:
>> Thanks Andreas,
>>
>> I ran charon and also copied the charon script file to /etc/init.d.
>> Now when I run sudo swanctl --load-conn, I still get the same issue.
>> connecting to 'unix:///var/run/charon.vici' failed: No such file or directory
>> Error: connecting to 'default' URI failed: No such file or directory
>> strongSwan 5.4.0 swanctl
>> usage:
>>   swanctl --load-conns [--raw|--pretty]
>>     --help (-h)     show usage information
>>     --raw (-r)      dump raw response message
>>     --pretty (-P)   dump raw response message in pretty print
>>     --debug (-v)    set debug level, default: 1
>>     --options (-+)  read command line options from file
>>     --uri (-u)      service URI to connect to
>>
>> Am I missing any other step?
>>
>> Thanks,
>> Rajeev
>>
>> On Tue, May 10, 2016 at 3:59 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
>>> Hi Rajeev,
>>>
>>> is the charon daemon running? If not, either start charon manually:
>>>
>>>   sudo /usr/local/libexec/ipsec/charon &
>>>
>>> or if your Linux distribution still uses upstart, copy the
>>> following script to /etc/init.d/
>>>
>>> https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/testing/hosts/default/etc/init.d/charon
>>>
>>> and start the charon daemon in the appropriate runlevels.
>>>
>>> If your Linux distribution uses systemd instead, compile and
>>> install strongSwan with
>>>
>>>   ./config --enable-systemd
>>>
>>> and enable and start the strongswan-swanctl service.
>>>
>>> BTW - in order to use the vici socket you must be root. Thus
>>>
>>>   sudo swanctl --load-conn
>>>
>>> Best regards
>>>
>>> Andreas
>>>
>>> On 09.05.2016 16:34, rajeev nohria wrote:
>>>> I am a new user of Strongswan, running 5.4.0. After creating
>>>> certificates and configuring two Ubuntu m/c with Strongswan 5.4.0, I try
>>>> to create a connection as follows and get an error. Please advise how to
>>>> resolve the following issue?
>>>>
>>>> $swanctl --load-conn
>>>> connecting to 'unix:///var/run/charon.vici' failed: No such file or directory
>>>> Error: connecting to 'default' URI failed: No such file or directory
>>>> strongSwan 5.4.0 swanctl
>>>> usage:
>>>>
>>>> Thanks,
>>>> Rajeev
>>>
>>> --
>>> ==
>>> Andreas Steffen                         andreas.stef...@strongswan.org
>>> strongSwan - the Open Source VPN Solution!          www.strongswan.org
>>> Institute for Internet Technologies and Applications
>>> University of Applied Sciences Rapperswil
>>> CH-8640 Rapperswil (Switzerland)
>>> ===[ITA-HSR]==
>
> --
> ==
> Andreas Steffen                         andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[ITA-HSR]==
[strongSwan] Strongswan[5.4.0] unix:///var/run/charon.vici
I am a new user of Strongswan, running 5.4.0. After creating certificates and configuring two Ubuntu m/c with Strongswan 5.4.0, I try to create a connection as follows and get an error. Please advise how to resolve the following issue?

$swanctl --load-conn
connecting to 'unix:///var/run/charon.vici' failed: No such file or directory
Error: connecting to 'default' URI failed: No such file or directory
strongSwan 5.4.0 swanctl
usage:

Thanks,
Rajeev