Re: [strongSwan] Davici parsing of terminating an IKE connection

2018-08-07 Thread rajeev nohria
Let me know if I am incorrect: is user_data the last parameter of
davici_queue?


1) Now, is it the right practice to add a few more elements to the tester
structure that is passed to the callback function? These additional elements
can be used to manage the response of deleting the connections.

2) If many davici requests are happening in parallel, does davici make a copy
of user_data for each request, or is it overwritten with the tester structure
information from the last call?

3) Is there any limit on the size of data that can be added?

Thanks,
Rajeev


On Tue, Jun 26, 2018 at 8:00 AM, Tobias Brunner wrote:

> > Question: Is there a way to know, when we parse the response from Davici,
> > which connection is deleted? If yes, from what parameter of davici do we get
> > the information? I see reqcb() parses the davici response.
>
> Two things:  1. Requests queued on the same connection are processed
> sequentially.  2. You can pass user data when queuing a request that's
> later passed to the callback.
>
> Regards,
> Tobias
>
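Tobias's two points (requests on one connection are processed in order, and the user pointer given when queuing comes back to the callback) suggest the pattern below. This is an added C example, not davici's own code or anything from the thread: a tiny FIFO stands in for a davici connection so the block runs stand-alone, and `stand_in_queue`, `stand_in_dispatch`, `queue_terminate` and the peer names are invented here. What it shows is that the `user` argument is carried as a pointer (on the assumption, usual for C callback APIs, that davici stores the pointer rather than copying what it points to), so each terminate request should own its own heap context instead of sharing one tester structure that later calls would overwrite, and that context must stay alive until the callback has run. With real davici the `stand_in_queue` call becomes `davici_queue(conn, req, terminate_cb, ctx)`; the `user` argument of `davici_register` can be handled the same way.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_QUEUED 8

/* Context owned by exactly one request. Each queued "terminate" gets its
 * own heap allocation, so a later request cannot overwrite it. */
struct terminate_ctx {
    char ike_name[64];   /* IKE_SA name passed to "terminate" (constructed) */
    int  err;            /* error code the callback received */
    int  completed;      /* set once the callback has run */
};

/* Callback shape modelled on davici_cb, reduced to the two arguments that
 * matter here (davici also passes the connection, message name, response). */
typedef void (*queue_cb)(int err, void *user);

struct queued { queue_cb cb; void *user; };

/* Stand-in for one davici connection: a FIFO of pending requests. */
struct stand_in_conn {
    struct queued items[MAX_QUEUED];
    int count;
};

/* Stand-in for davici_queue(): stores the user pointer as-is, copies nothing. */
static int stand_in_queue(struct stand_in_conn *c, queue_cb cb, void *user)
{
    if (c->count >= MAX_QUEUED)
        return -1;
    c->items[c->count].cb = cb;
    c->items[c->count].user = user;
    c->count++;
    return 0;
}

/* Runs the callbacks strictly in queue order, as requests on one davici
 * connection are processed. errs[i] is the (constructed) result of request i. */
static void stand_in_dispatch(struct stand_in_conn *c, const int *errs)
{
    for (int i = 0; i < c->count; i++)
        c->items[i].cb(errs[i], c->items[i].user);
    c->count = 0;
}

/* The callback gets back the very pointer handed to the queue call, so it
 * can tell which connection this response belongs to without shared state. */
static void terminate_cb(int err, void *user)
{
    struct terminate_ctx *ctx = user;
    ctx->err = err;
    ctx->completed = 1;
}

/* Queue one terminate request with a freshly allocated context. The caller
 * owns the context and frees it only after the callback has run. */
struct terminate_ctx *queue_terminate(struct stand_in_conn *c, const char *ike_name)
{
    struct terminate_ctx *ctx = calloc(1, sizeof(*ctx));
    if (ctx == NULL)
        return NULL;
    snprintf(ctx->ike_name, sizeof(ctx->ike_name), "%s", ike_name);
    if (stand_in_queue(c, terminate_cb, ctx) != 0) {
        free(ctx);
        return NULL;
    }
    return ctx;
}

/* Worked run: two terminates queued back to back, the second one failing.
 * Returns 1 when each callback saw only its own context, in order. */
int run_two_terminates(void)
{
    struct stand_in_conn conn = { .count = 0 };
    const int errs[2] = { 0, -1 };   /* constructed results */
    struct terminate_ctx *a = queue_terminate(&conn, "rpd-peer-a");
    struct terminate_ctx *b = queue_terminate(&conn, "rpd-peer-b");
    int ok = 0;

    if (a != NULL && b != NULL) {
        stand_in_dispatch(&conn, errs);
        ok = a->completed && b->completed
          && a->err == 0 && b->err == -1
          && strcmp(a->ike_name, "rpd-peer-a") == 0
          && strcmp(b->ike_name, "rpd-peer-b") == 0;
    }
    free(a);
    free(b);
    return ok;
}

int main(void)
{
    printf("per-request contexts %s\n", run_two_terminates() ? "ok" : "FAILED");
    return 0;
}
```

Because the pointer is stored rather than copied, the size of the context is the caller's business, and freeing it before the callback fires would leave the callback writing to freed memory; the example keeps ownership with the caller and frees after dispatch.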


Re: [strongSwan] Davici parsing of terminating an IKE connection

2018-06-26 Thread rajeev nohria
Thanks a lot..
Rajeev

On Tue, Jun 26, 2018 at 8:00 AM, Tobias Brunner wrote:

> > Question: Is there a way to know, when we parse the response from Davici,
> > which connection is deleted? If yes, from what parameter of davici do we get
> > the information? I see reqcb() parses the davici response.
>
> Two things:  1. Requests queued on the same connection are processed
> sequentially.  2. You can pass user data when queuing a request that's
> later passed to the callback.
>
> Regards,
> Tobias
>


[strongSwan] Davici parsing of terminating an IKE connection

2018-06-26 Thread rajeev nohria
Scenario: Strongswan has established multiple IKE connections with
different peers.

Let's say we have three different connections. Out of those we plan to
delete two connections by initiating the davici terminate command.

Question: Is there a way to know, when we parse the response from Davici,
which connection is deleted? If yes, from what parameter of davici do we get
the information? I see reqcb() parses the davici response.

Thanks,
Rajeev


Re: [strongSwan] Stronswan to ignore IKE-SA-INIT response from a bogus IPv6 address

2018-06-26 Thread rajeev nohria
Hi Tobias,

Which parameter configures the specific remote IP address for a
connection, so that we can reject messages from any other IP address?
I am assuming we are talking about one of the parameters in swanctl.conf.

If we are talking about connections..remote_addrs.., I did configure
remote_addrs, but that does not help Strongswan ignore the IKE-SA-INIT
response from a bogus IPv6 address. Is iptables the only way to stop it?

Thanks,
Rajeev

On Wed, May 23, 2018 at 3:42 AM, Tobias Brunner wrote:

> Hi Rajeev,
>
> > I would
> > imagine it should be rejected.
>
> Why?  Unless you configure specific remote IP addresses for a connection
> there is no reason to reject messages from any IPs.
>
> Regards,
> Tobias
>


Re: [strongSwan] Stronswan to ignore IKE-SA-INIT response from a bogus IPv6 address

2018-05-22 Thread rajeev nohria
For the following scenario, is it a Strongswan bug? The responder IP address
is fc00:cada:c406::200. But if the reply comes from a different IPv6 address,
everything succeeds as if nothing is wrong. In the following case the
IKE_SA_INIT response came from fc00:cada:c406::500. I would imagine it should
be rejected.


9[KNL] creating acquire job for policy fc00:cada:c406:607::1001/128[tcp/57861]
=== fc00:cada:c406::200/128[tcp/8190] with reqid {2}
07[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to fc00:cada:c406::200
07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
07[NET] sending packet: from fc00:cada:c406:607::1001[500] to
fc00:cada:c406::200[500] (456 bytes)
08[NET] received packet: from fc00:cada:c406::500[500] to
fc00:cada:c406:607::1001[500] (453 bytes)
08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
08[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
CN=TEST CableLabs Root Certification Authority"
08[IKE] received 1 cert requests for an unknown ca
08[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
CN=TEST CableLabs Device Certification Authority"
08[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
CN=TEST CableLabs Root Certification Authority"
08[IKE] authentication of 'C=US, O=ARRIS Group, OU=DCA Remote Device
Certificate, CN=00:01:5c:b0:04:ad' (myself) with RSA signature successful
08[IKE] sending end entity cert "C=US, O=ARRIS Group, OU=DCA Remote Device
Certificate, CN=00:01:5c:b0:04:ad"
08[IKE] sending issuer cert "C=US, O=CableLabs, OU=TEST Device CA01,
CN=TEST CableLabs Device Certification Authority"
08[IKE] establishing CHILD_SA gcpfc00:cada:c406::200{2}
08[ENC] generating IKE_AUTH request 1 [ IDi CERT CERT CERTREQ AUTH
N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
08[NET] sending packet: from fc00:cada:c406:607::1001[500] to
fc00:cada:c406::200[500] (3200 bytes)
15[NET] received packet: from fc00:cada:c406::200[500] to
fc00:cada:c406:607::1001[500] (7280 bytes)
15[ENC] parsed IKE_AUTH response 1 [ N(ESP_TFC_PAD_N) N(USE_TRANSP) IDr
CERT CERT CERT CERT CERT AUTH SA TSi TSr ]
15[IKE] received end entity cert "C=US, O=CableLabs, CN=00:01:5c:96:16:00"
15[IKE] received issuer cert "C=US, O=CableLabs, OU=Device CA01,
CN=CableLabs Device Certification Authority"
15[IKE] received issuer cert "C=US, O=CableLabs, OU=Device CA02,
CN=CableLabs Device Certification Authority"
15[IKE] received issuer cert "C=US, O=CableLabs, OU=TEST Device CA01,
CN=TEST CableLabs Device Certification Authority"
15[IKE] received issuer cert "C=US, O=CableLabs, OU=TEST Service Provider
CA01, CN=TEST CableLabs Service Provider Certification Authority"
15[CFG]   using certificate "C=US, O=CableLabs, CN=00:01:5c:96:16:00"
15[CFG]   using untrusted intermediate certificate "C=US, O=CableLabs,
OU=TEST Service Provider CA01, CN=TEST CableLabs Service Provider
Certification Authority"
15[CFG] checking certificate status of "C=US, O=CableLabs,
CN=00:01:5c:96:16:00"
15[CFG] certificate status is not available
15[CFG]   using trusted ca certificate "C=US, O=CableLabs, OU=TEST Root
CA01, CN=TEST CableLabs Root Certification Authority"
15[CFG] checking certificate status of "C=US, O=CableLabs, OU=TEST Service
Provider CA01, CN=TEST CableLabs Service Provider Certification Authority"
15[CFG] certificate status is not available
15[CFG]   reached self-signed root ca with a path length of 1
15[IKE] authentication of 'C=US, O=CableLabs, CN=00:01:5c:96:16:00' with
RSA signature successful
15[IKE] IKE_SA rpdfc00:cada:c406::200[1] established between
fc00:cada:c406:607::1001[C=US, O=ARRIS Group, OU=DCA Remote Device
Certificate, CN=00:01:5c:b0:04:ad]...fc00:cada:c406::200[C=US, O=CableLabs,
CN=00:01:5c:96:16:00]
15[IKE] scheduling rekeying in 13604s
15[IKE] maximum IKE_SA lifetime 15044s


On Tue, May 22, 2018 at 9:08 AM, Tobias Brunner wrote:

> Hi Rajeev,
>
> > Is there a way for Strongswan to ignore an IKE-SA-INIT response from a bogus
> > IPv6 address? Strongswan replies to all the IKE-SA-INIT messages received
> > from all IP addresses.
>
> Use iptables.
>
> Regards,
> Tobias
>


[strongSwan] Stronswan to ignore IKE-SA-INIT response from a bogus IPv6 address

2018-05-22 Thread rajeev nohria
I use the Davici interface with Strongswan 5.5.

Is there a way for Strongswan to ignore an IKE-SA-INIT response from a bogus
IPv6 address? Strongswan replies to all the IKE-SA-INIT messages received
from all IP addresses.

thanks,
Rajeev


Re: [strongSwan] Cleaning up SAs

2018-04-29 Thread rajeev nohria
Thanks, I initiate the "terminate" command to clear the IKE connection.
This command will tear down the SAs as well. But there is a retry mechanism
to tear down the SA. When "terminate" is issued, I would like to delete
immediately instead of going through the retry mechanism.
Thanks,
Rajeev

On Fri, Apr 27, 2018 at 5:08 PM, Phil Frost <p...@postmates.com> wrote:

> Does dpdaction=clear do what you need?
>
>
> On Fri, Apr 27, 2018, 10:11 rajeev nohria <rajnoh...@gmail.com> wrote:
>
>> I am using Strongswan 5.5.0 with the Davici interface. Is there a way (any
>> option) to delete the SA immediately if the peer goes down instead of going
>> through retries?
>>
>> Any help is appreciated. I could not find anything so far..
>>
>> Thanks,
>> Rajeev
>>
>


[strongSwan] Cleaning up SAs

2018-04-27 Thread rajeev nohria
I am using Strongswan 5.5.0 with the Davici interface. Is there a way (any
option) to delete the SA immediately if the peer goes down instead of going
through retries?

Any help is appreciated. I could not find anything so far..

Thanks,
Rajeev


[strongSwan] DAVICI related question

2018-03-06 Thread rajeev nohria
In DAVICI, what are the events and what are they for? I see the davici_register
and davici_unregister functions.

I am looking for events like certificate failed, certificate revoked, or
IKEv2 connection failed. I do see them in the log, but I would like to receive
those events so that code can react to them. How can I do that?

Thanks,
Rajeev


Re: [strongSwan] Strongswan 5.5 - no private key found-

2018-02-12 Thread rajeev nohria
Thanks, based on the response I was able to resolve my issue. I was removing
"/" when reading the subject.

-Rajeev

On Fri, Feb 9, 2018 at 11:02 AM, Tobias Brunner wrote:

> Hi Rajeev,
>
> > Using DAVICI, I did make sure local.id is  "C=US,
> > O=ARRIS Group, Inc., OU=DCA Remote Device Certificate,
> CN=FF:FF:05:E6:E7:80"
>
> The comma between "Group" and "Inc." in the O RDN lets the identity
> string parser fail and this string will not be treated as ASN.1 DN but
> as opaque key ID, this won't match your private key during the lookup.
> If you want to configure DNs that contain commas you can either use /
> instead of comma to separate the RDNs (the whole string has to start
> with a slash then):
>
> /C=US/O=ARRIS Group, Inc./OU=DCA Remote Device
> Certificate/CN=FF:FF:05:E6:E7:80
>
> Or you may configure the identity as binary ASN.1 value with the asn1dn:
> prefix (use the pki --dn utility).  Also an option is to not configure
> an identity in the local auth config but instead the client certificate,
> then the identity should default to the subject DN of the certificate.
>
> Regards,
> Tobias
>
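Tobias's point that a comma inside an RDN value defeats the comma-separated identity syntax can be checked programmatically. The C below is an added example and not strongSwan's or davici's code: `build_slash_dn` assembles the slash-separated form from RDN components the application already holds (the situation Rajeev describes, where the subject is read from the certificate and the "/" was being stripped), and `comma_dn_is_parseable` is a heuristic that flags comma-form strings whose segments do not all look like TYPE=value, the shape that falls back to an opaque key ID. Both function names and the heuristic itself are this example's own; it approximates the rule Tobias describes and is not strongSwan's identity parser.

```c
#include <stdio.h>
#include <string.h>

/* One relative distinguished name, type and value held separately. */
struct rdn {
    const char *type;
    const char *value;
};

/* Assemble the slash-separated identity form: "/C=US/O=ARRIS Group, Inc./...".
 * Commas inside values stay literal because '/' is the separator and the
 * string starts with '/'. Returns the length written, or -1 if out is too small. */
int build_slash_dn(const struct rdn *rdns, int n, char *out, size_t outlen)
{
    size_t used = 0;

    for (int i = 0; i < n; i++) {
        int w = snprintf(out + used, outlen - used, "/%s=%s",
                         rdns[i].type, rdns[i].value);
        if (w < 0 || (size_t)w >= outlen - used)
            return -1;
        used += (size_t)w;
    }
    return (int)used;
}

/* Heuristic for the comma-separated form: split on ',' and require every
 * segment to contain '='. A value such as "ARRIS Group, Inc." yields the
 * segment " Inc." without '=', which is the case the thread describes as
 * being treated as an opaque key ID. Returns 1 if every segment has a '='. */
int comma_dn_is_parseable(const char *dn)
{
    const char *p = dn;

    if (*p == '\0')
        return 0;
    for (;;) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (memchr(p, '=', len) == NULL)
            return 0;
        if (end == NULL)
            return 1;
        p = end + 1;
    }
}

/* Worked run with the subject from the thread, held as components rather
 * than as one string. Returns 1 when the slash form comes out as expected. */
int demo_subject_to_slash_dn(void)
{
    const struct rdn rdns[] = {
        { "C",  "US" },
        { "O",  "ARRIS Group, Inc." },
        { "OU", "DCA Remote Device Certificate" },
        { "CN", "FF:FF:05:E6:E7:80" },
    };
    const char *expected =
        "/C=US/O=ARRIS Group, Inc./OU=DCA Remote Device Certificate"
        "/CN=FF:FF:05:E6:E7:80";
    char out[256];
    int len = build_slash_dn(rdns, 4, out, sizeof(out));

    return len == (int)strlen(expected) && strcmp(out, expected) == 0;
}

int main(void)
{
    const char *comma_form = "C=US, O=ARRIS Group, Inc., "
                             "OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E7:80";

    printf("slash form built: %s\n", demo_subject_to_slash_dn() ? "ok" : "FAILED");
    printf("comma form unambiguous: %s\n",
           comma_dn_is_parseable(comma_form) ? "yes" : "no");
    return 0;
}
```

When the application does not hold the RDNs separately, the other two routes Tobias lists avoid string parsing altogether: the `asn1dn:` prefix with the binary value from `pki --dn`, or leaving the local identity unset so it defaults to the certificate's subject DN.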


Re: [strongSwan] Strongswan 5.5 - no private key found-

2018-02-08 Thread rajeev nohria
Let me know if I can send you more information.

On Thu, Feb 8, 2018 at 12:19 PM, rajeev nohria <rajnoh...@gmail.com> wrote:

>
>
> Now I am getting the following error and have not been able to resolve this
> for some time. Any inkling is helpful here.
>
>
> Using DAVICI, I did make sure local.id is  "C=US, O=ARRIS Group, Inc.,
> OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E7:80"
>
> What else could I be missing?
>
>
> writing RSA key
> 11[CFG] loaded RSA private key
> 11[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST
> CableLabs Root Certification Authority'
> 11[CFG] loaded certificate 'C=US, O=ARRIS Group, Inc., OU=DCA Remote
> Device Certificate, CN=FF:FF:05:E6:E7:80'
> 11[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Device CA01,
> CN=TEST CableLabs Device Certification Authority'
> Key Value success
> Davici End
> Key Value success
> Davici End
> Key Value success
> Davici End
> Key Value success
> Davici End
>
>
> 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
> 06[NET] sending packet: from fc00:cada:c404:607::1001[500] to
> fc00:cada:c404::200[500] (456 bytes)
> 13[NET] received packet: from fc00:cada:c404::200[500] to
> fc00:cada:c404:607::1001[500] (453 bytes)
> 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
> 13[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
> CN=TEST CableLabs Root Certification Authority"
> 13[IKE] received 1 cert requests for an unknown ca
> 13[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
> CN=TEST CableLabs Device Certification Authority"
> 13[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
> CN=TEST CableLabs Root Certification Authority"
> 13[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA
> Remote Device Certificate, CN=FF:FF:05:E6:E7:80'
>
> L4-RPD1-O6k>#
> L4-RPD1-O6k># ipsec listcerts
>
> List of X.509 End Entity Certificates
>
>   subject:  "C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate,
> CN=FF:FF:05:E6:E7:80"
>   issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs
> Device Certification Authority"
>   validity:  not before Sep 14 16:13:25 2017, ok
>  not after  Sep 14 16:13:25 2018, ok (expires in 218 days)
>   serial:01:ff:ff:05:e6:e7:80
>   authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
>   subjkeyId: 39:9c:b3:7d:20:23:f5:73:46:ce:fc:1a:84:a4:c0:6f:f6:e7:4c:18
>   pubkey:RSA 2048 bits, has private key
>   keyid: 32:28:f2:70:8b:72:f1:33:05:47:9d:26:ae:00:a2:ea:93:b4:e2:a2
>   subjkey:   39:9c:b3:7d:20:23:f5:73:46:ce:fc:1a:84:a4:c0:6f:f6:e7:4c:18
> L4-RPD1-O6k>#
>
> L4-RPD1-O6k># pki --print --type x509 --in 
>   subject:  "C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate,
> CN=FF:FF:05:E6:E7:80"
>   issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs
> Device Certification Authority"
>   validity:  not before Sep 14 16:13:25 2017, ok
>  not after  Sep 14 16:13:25 2018, ok (expires in 218 days)
>   serial:01:ff:ff:05:e6:e7:80
>   authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
>   subjkeyId: 39:9c:b3:7d:20:23:f5:73:46:ce:fc:1a:84:a4:c0:6f:f6:e7:4c:18
>   pubkey:RSA 2048 bits
>   keyid: 32:28:f2:70:8b:72:f1:33:05:47:9d:26:ae:00:a2:ea:93:b4:e2:a2
>   subjkey:   39:9c:b3:7d:20:23:f5:73:46:ce:fc:1a:84:a4:c0:6f:f6:e7:4c:18
> L4-RPD1-O6k>#
>
>
> L4-RPD1-O6k># pki --print --type rsa-priv --in 
>   privkey:   RSA 2048 bits
>   keyid: 32:28:f2:70:8b:72:f1:33:05:47:9d:26:ae:00:a2:ea:93:b4:e2:a2
>   subjkey:   39:9c:b3:7d:20:23:f5:73:46:ce:fc:1a:84:a4:c0:6f:f6:e7:4c:18
>
>
>
>
>
>


[strongSwan] Strongswan 5.5 - no private key found-

2018-02-08 Thread rajeev nohria
Now I am getting the following error and have not been able to resolve this
for some time. Any inkling is helpful here.


Using DAVICI, I did make sure local.id is  "C=US, O=ARRIS Group, Inc.,
OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E7:80"

What else could I be missing?


writing RSA key
11[CFG] loaded RSA private key
11[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST
CableLabs Root Certification Authority'
11[CFG] loaded certificate 'C=US, O=ARRIS Group, Inc., OU=DCA Remote Device
Certificate, CN=FF:FF:05:E6:E7:80'
11[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST
CableLabs Device Certification Authority'
Key Value success
Davici End
Key Value success
Davici End
Key Value success
Davici End
Key Value success
Davici End


06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
06[NET] sending packet: from fc00:cada:c404:607::1001[500] to
fc00:cada:c404::200[500] (456 bytes)
13[NET] received packet: from fc00:cada:c404::200[500] to
fc00:cada:c404:607::1001[500] (453 bytes)
13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
13[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
CN=TEST CableLabs Root Certification Authority"
13[IKE] received 1 cert requests for an unknown ca
13[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
CN=TEST CableLabs Device Certification Authority"
13[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
CN=TEST CableLabs Root Certification Authority"
13[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA Remote
Device Certificate, CN=FF:FF:05:E6:E7:80'

L4-RPD1-O6k>#
L4-RPD1-O6k># ipsec listcerts

List of X.509 End Entity Certificates

  subject:  "C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate,
CN=FF:FF:05:E6:E7:80"
  issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs
Device Certification Authority"
  validity:  not before Sep 14 16:13:25 2017, ok
 not after  Sep 14 16:13:25 2018, ok (expires in 218 days)
  serial:01:ff:ff:05:e6:e7:80
  authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
  subjkeyId: 39:9c:b3:7d:20:23:f5:73:46:ce:fc:1a:84:a4:c0:6f:f6:e7:4c:18
  pubkey:RSA 2048 bits, has private key
  keyid: 32:28:f2:70:8b:72:f1:33:05:47:9d:26:ae:00:a2:ea:93:b4:e2:a2
  subjkey:   39:9c:b3:7d:20:23:f5:73:46:ce:fc:1a:84:a4:c0:6f:f6:e7:4c:18
L4-RPD1-O6k>#

L4-RPD1-O6k># pki --print --type x509 --in 
  subject:  "C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate,
CN=FF:FF:05:E6:E7:80"
  issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs
Device Certification Authority"
  validity:  not before Sep 14 16:13:25 2017, ok
 not after  Sep 14 16:13:25 2018, ok (expires in 218 days)
  serial:01:ff:ff:05:e6:e7:80
  authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
  subjkeyId: 39:9c:b3:7d:20:23:f5:73:46:ce:fc:1a:84:a4:c0:6f:f6:e7:4c:18
  pubkey:RSA 2048 bits
  keyid: 32:28:f2:70:8b:72:f1:33:05:47:9d:26:ae:00:a2:ea:93:b4:e2:a2
  subjkey:   39:9c:b3:7d:20:23:f5:73:46:ce:fc:1a:84:a4:c0:6f:f6:e7:4c:18
L4-RPD1-O6k>#


L4-RPD1-O6k># pki --print --type rsa-priv --in 
  privkey:   RSA 2048 bits
  keyid: 32:28:f2:70:8b:72:f1:33:05:47:9d:26:ae:00:a2:ea:93:b4:e2:a2
  subjkey:   39:9c:b3:7d:20:23:f5:73:46:ce:fc:1a:84:a4:c0:6f:f6:e7:4c:18


Re: [strongSwan] Strongswan 5.5

2018-02-08 Thread rajeev nohria
Andreas,

There was an issue with creating private RSA key. That has been resolved
now. Thanks for the direction.

Rajeev

On Wed, Feb 7, 2018 at 1:05 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:

> Hi Rajeev,
>
> the private key itself does not pass the key integrity tests of
> the gmp plugin. How did you create the private RSA key?
>
> Regards
>
> Andreas
>
> On 07.02.2018 04:43, rajeev nohria wrote:
> >
> >
> > I am getting the following error.
> >
> > writing RSA key
> > 11[LIB] key integrity tests failed
> > 11[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 8 builders
> >
> > What could be wrong? I verified the certificate and private key on the
> > following site and they matched.
> >
> > https://www.sslshopper.com/certificate-key-matcher.html
> >
> >
> > Thanks in advance,
> >
> > Rajeev
> >
>
> --
> ==
> Andreas Steffen andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution!  www.strongswan.org
> Institute for Networked Solutions
> HSR University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[INS-HSR]==
>
>


[strongSwan] Strongswan 5.5

2018-02-06 Thread rajeev nohria
I am getting the following error.

writing RSA key
11[LIB] key integrity tests failed
11[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 8 builders

What could be wrong? I verified the certificate and private key on the
following site and they matched.

https://www.sslshopper.com/certificate-key-matcher.html


Thanks in advance,

Rajeev


Re: [strongSwan] Question related to ESP_TFC_PADDING_NOT_SUPPORTED

2018-01-10 Thread rajeev nohria
Let me ask the question again.

On local I did not configure TFC, and by default it should be disabled.
From remote I am receiving the following message:

12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding

What exactly does "not using ESPv3 TFC padding" mean? Does it mean local
is also not using TFC padding?

Why would local send a message with TFC when TFC is disabled by default? I
have tried tfc_padding = 0 in the configuration and get the same message.
Just trying to understand.

On Wed, Jan 10, 2018 at 10:51 AM, rajeev nohria <rajnoh...@gmail.com> wrote:

> I am trying to understand if ESP_TFC_PADDING_NOT_SUPPORTED means local is
> using TFC.
>
> I am getting the ESP_TFC_PADDING_NOT_SUPPORTED msg from remote. Does that
> mean local is using TFC?
> On local I have not configured tfc_padding, and by default it is disabled.
> If by default it is disabled, why is the local side sending packets with TFC?
>
>
>
>
>
> 12[CFG] certificate status is not available
>
> 12[CFG]   reached self-signed root ca with a path length of 1
>
> 12[IKE] authentication of 'C=US, O=CableLabs, CN=00:01:5c:96:16:00' with
> RSA signature successful
>
> 12[IKE] IKE_SA rpdfc00:cada:c406::200[1] established between
> fc00:cada:c406:607::1001[C=US, O=ARRIS, OU=LOWELL,
> CN=00:33:5f:ab:8c:9e]...fc00:cada:c406::200[C=US, O=CableLabs,
> CN=00:01:5c:96:16:00]
>
> 12[IKE] scheduling rekeying in 13218s
>
> 12[IKE] maximum IKE_SA lifetime 14658s
>
> 12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>
> [  274.326216] alg: No test for authenc(hmac(sha256),ecb(cipher_null))
> (authenc(hmac(sha256-generic),ecb-cipher_null))
>
> 12[IKE] CHILD_SA gcpfc00:cada:c406::200{3} established with SPIs
> c2b4f3ce_i 2bcba3d9_o and TS fc00:cada:c406:607::1001/128[tcp] ===
> fc00:cada:c406::200/128[tcp/8190]
>
>
>
> Thanks,
>
> Rajeev
>


[strongSwan] Question related to ESP_TFC_PADDING_NOT_SUPPORTED

2018-01-10 Thread rajeev nohria
I am trying to understand if ESP_TFC_PADDING_NOT_SUPPORTED means local is
using TFC.

I am getting the ESP_TFC_PADDING_NOT_SUPPORTED msg from remote. Does that
mean local is using TFC?
On local I have not configured tfc_padding, and by default it is disabled.
If by default it is disabled, why is the local side sending packets with TFC?

12[CFG] certificate status is not available

12[CFG]   reached self-signed root ca with a path length of 1

12[IKE] authentication of 'C=US, O=CableLabs, CN=00:01:5c:96:16:00' with
RSA signature successful

12[IKE] IKE_SA rpdfc00:cada:c406::200[1] established between
fc00:cada:c406:607::1001[C=US, O=ARRIS, OU=LOWELL,
CN=00:33:5f:ab:8c:9e]...fc00:cada:c406::200[C=US, O=CableLabs,
CN=00:01:5c:96:16:00]

12[IKE] scheduling rekeying in 13218s

12[IKE] maximum IKE_SA lifetime 14658s

12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding

[  274.326216] alg: No test for authenc(hmac(sha256),ecb(cipher_null))
(authenc(hmac(sha256-generic),ecb-cipher_null))

12[IKE] CHILD_SA gcpfc00:cada:c406::200{3} established with SPIs c2b4f3ce_i
2bcba3d9_o and TS fc00:cada:c406:607::1001/128[tcp] ===
fc00:cada:c406::200/128[tcp/8190]



Thanks,

Rajeev


Re: [strongSwan] No private key found

2017-12-12 Thread rajeev nohria
PEM format files..

On Tue, Dec 12, 2017 at 9:33 AM, rajeev nohria <rajnoh...@gmail.com> wrote:

> This is at the originator side where we are seeing the issue.
>
> ~# ipsec listcerts
>
> List of X.509 End Entity Certificates
>
>   subject:  "C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate,
> CN=FF:FF:05:E6:E6:20"
>   issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs
> Device Certification Authority"
>   validity:  not before Sep 14 16:13:24 2017, ok
>  not after  Sep 14 16:13:24 2018, ok (expires in 276 days)
>   serial:01:ff:ff:05:e6:e6:20
>   authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
>   subjkeyId: 71:83:c0:b4:3e:40:06:f1:e5:30:d2:14:2c:82:e7:76:13:37:f4:6f
>   pubkey:RSA 2048 bits, has private key
>   keyid: 85:d3:eb:51:9a:a8:1e:f6:ff:14:ee:cc:64:f6:2f:e0:32:99:1b:ce
>   subjkey:   71:83:c0:b4:3e:40:06:f1:e5:30:d2:14:2c:82:e7:76:13:37:f4:6f
>
> On Mon, Dec 11, 2017 at 4:11 PM, rajeev nohria <rajnoh...@gmail.com>
> wrote:
>
>> Let me know if you need more info..
>>
>> On Mon, Dec 11, 2017 at 2:45 PM, rajeev nohria <rajnoh...@gmail.com>
>> wrote:
>>
>>> Please find the key and config. I am using davici so I am printing the
>>> configuration from the log as commands are executing.
>>>
>>>  Load-Connection command
>>>   Section start rpdfc00:cada:c404::200
>>>   Version is 2
>>>  Local_addrs  is fc00:cada:c404:607::1004
>>>  remote_addrs is fc00:cada:c404::200
>>>   local_port is 500
>>>   remote_port is 500
>>>   proposals is aes128-sha256-modp2048
>>>   local section
>>>  auth is pubkey
>>>  RPD ip address is fc00:cada:c404:607::1004
>>>  id is C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate,
>>> CN=FF:FF:05:E6:E6:20
>>>   remote
>>>   id is %any
>>>   auth is pubkey
>>>
>>> On Mon, Dec 11, 2017 at 10:39 AM, Jafar Al-Gharaibeh <ja...@atcorp.com>
>>> wrote:
>>>
>>>> Can  you share your config/secret files ?
>>>>
>>>> --Jafar
>>>>
>>>>
>>>> On 12/11/2017 9:17 AM, rajeev nohria wrote:
>>>>
>>>> Can anyone help with this issue? I have set up the id with the subject id.
>>>> Still have this issue. Is there anything else I am missing?
>>>> Thanks,
>>>> Rajeev
>>>>
>>>> On Tue, Nov 14, 2017 at 12:44 PM, rajeev nohria <rajnoh...@gmail.com>
>>>> wrote:
>>>>
>>>>>
>>>>> Not sure what is wrong here. Can you let me know if I am missing
>>>>> something here?
>>>>>
>>>>>
>>>>>
>>>>> 16[KNL] creating acquire job for policy 
>>>>> fc00:cada:c406:607::1001/128[tcp/43005]
>>>>> === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>>>>>
>>>>> 2017-11-13 15:58:56,001-HalTransport.py-94-INFO-Start a agent
>>>>> transport interface, path = [/tmp/Hal/agent/client/1/push]
>>>>>
>>>>> 15[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to
>>>>> fc00:cada:c406::200
>>>>>
>>>>> 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>>>>> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>>>>>
>>>>> 15[NET] sending packet: from fc00:cada:c406:607::1001[500] to
>>>>> fc00:cada:c406::200[500] (456 bytes)
>>>>>
>>>>> 10[NET] received packet: from fc00:cada:c406::200[500] to
>>>>> fc00:cada:c406:607::1001[500] (453 bytes)
>>>>>
>>>>> 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>>>>>
>>>>> 10[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root
>>>>> CA01, CN=TEST CableLabs Root Certification Authority"
>>>>>
>>>>> 10[IKE] received 1 cert requests for an unknown ca
>>>>>
>>>>> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device
>>>>> CA01, CN=TEST CableLabs Device Certification Authority"
>>>>>
>>>>> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root
>>>>> CA01, CN=TEST CableLabs Root Certification Authority"
>>>>>
>>>>> 10[IKE] no private key found for 'C=US, O

Re: [strongSwan] No private key found

2017-12-11 Thread rajeev nohria
Let me know if you need more info..

On Mon, Dec 11, 2017 at 2:45 PM, rajeev nohria <rajnoh...@gmail.com> wrote:

> Please find the key and config. I am using davici so I am printing the
> configuration from the log as commands are executing.
>
>  Load-Connection command
>   Section start rpdfc00:cada:c404::200
>   Version is 2
>  Local_addrs  is fc00:cada:c404:607::1004
>  remote_addrs is fc00:cada:c404::200
>   local_port is 500
>   remote_port is 500
>   proposals is aes128-sha256-modp2048
>   local section
>  auth is pubkey
>  RPD ip address is fc00:cada:c404:607::1004
>  id is C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate,
> CN=FF:FF:05:E6:E6:20
>   remote
>   id is %any
>   auth is pubkey
>
> On Mon, Dec 11, 2017 at 10:39 AM, Jafar Al-Gharaibeh <ja...@atcorp.com>
> wrote:
>
>> Can  you share your config/secret files ?
>>
>> --Jafar
>>
>>
>> On 12/11/2017 9:17 AM, rajeev nohria wrote:
>>
>> Can anyone help with this issue? I have set up the id with the subject id.
>> Still have this issue. Is there anything else I am missing?
>> Thanks,
>> Rajeev
>>
>> On Tue, Nov 14, 2017 at 12:44 PM, rajeev nohria <rajnoh...@gmail.com>
>> wrote:
>>
>>>
>>> Not sure what is wrong here. Can you let me know if I am missing
>>> something here?
>>>
>>>
>>>
>>> 16[KNL] creating acquire job for policy 
>>> fc00:cada:c406:607::1001/128[tcp/43005]
>>> === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>>>
>>> 2017-11-13 15:58:56,001-HalTransport.py-94-INFO-Start a agent transport
>>> interface, path = [/tmp/Hal/agent/client/1/push]
>>>
>>> 15[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to
>>> fc00:cada:c406::200
>>>
>>> 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>>> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>>>
>>> 15[NET] sending packet: from fc00:cada:c406:607::1001[500] to
>>> fc00:cada:c406::200[500] (456 bytes)
>>>
>>> 10[NET] received packet: from fc00:cada:c406::200[500] to
>>> fc00:cada:c406:607::1001[500] (453 bytes)
>>>
>>> 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>>>
>>> 10[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>>> CN=TEST CableLabs Root Certification Authority"
>>>
>>> 10[IKE] received 1 cert requests for an unknown ca
>>>
>>> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device
>>> CA01, CN=TEST CableLabs Device Certification Authority"
>>>
>>> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>>> CN=TEST CableLabs Root Certification Authority"
>>>
>>> 10[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA
>>> Remote Device Certificate, CN=FF:FF:05:E6:E6:20'
>>>
>>> 13[KNL] creating delete job for CHILD_SA ESP/0x/fc00:cada:c406:
>>> :200
>>>
>>> 08[JOB] CHILD_SA ESP/0x/fc00:cada:c406::200 not found for delete
>>>
>>> 06[KNL] creating acquire job for policy 
>>> fc00:cada:c406:607::1001/128[tcp/39047]
>>> === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>>>
>>> 16[IKE] initiating IKE_SA rpdfc00:cada:c406::200[2] to
>>> fc00:cada:c406::200
>>>
>>> 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>>> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>>>
>>> 16[NET] sending packet: from fc00:cada:c406:607::1001[500] to
>>> fc00:cada:c406::200[500] (456 bytes)
>>>
>>> 11[NET] received packet: from fc00:cada:c406::200[500] to
>>> fc00:cada:c406:607::1001[500] (453 bytes)
>>>
>>> 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>>>
>>> 11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>>> CN=TEST CableLabs Root Certification Authority"
>>>
>>> 11[IKE] received 1 cert requests for an unknown ca
>>>
>>> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device
>>> CA01, CN=TEST CableLabs Device Certification Authority"
>>>
>>> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>>> CN=TEST CableLabs Root Certification Authority"
>>>
>>> 11[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA
>>> Remote Devi

Re: [strongSwan] No private key found

2017-12-11 Thread rajeev nohria
Please find the key and config. I am using davici so I am printing the
configuration from the log as commands are executing.

 Load-Connection command
  Section start rpdfc00:cada:c404::200
  Version is 2
 Local_addrs  is fc00:cada:c404:607::1004
 remote_addrs is fc00:cada:c404::200
  local_port is 500
  remote_port is 500
  proposals is aes128-sha256-modp2048
  local section
 auth is pubkey
 RPD ip address is fc00:cada:c404:607::1004
 id is C=US, O=ARRIS Group, Inc., OU=DCA Remote Device Certificate,
CN=FF:FF:05:E6:E6:20
  remote
  id is %any
  auth is pubkey
On Mon, Dec 11, 2017 at 10:39 AM, Jafar Al-Gharaibeh <ja...@atcorp.com>
wrote:

> Can  you share your config/secret files ?
>
> --Jafar
>
>
> On 12/11/2017 9:17 AM, rajeev nohria wrote:
>
> Can anyone help with this issue? I have set up the id with the subject id.
> Still have this issue. Is there anything else I am missing?
> Thanks,
> Rajeev
>
> On Tue, Nov 14, 2017 at 12:44 PM, rajeev nohria <rajnoh...@gmail.com>
> wrote:
>
>>
>> Not sure what is wrong here. Can you let me know if I am missing
>> something here?
>>
>>
>>
>> 16[KNL] creating acquire job for policy 
>> fc00:cada:c406:607::1001/128[tcp/43005]
>> === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>>
>> 2017-11-13 15:58:56,001-HalTransport.py-94-INFO-Start a agent transport
>> interface, path = [/tmp/Hal/agent/client/1/push]
>>
>> 15[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to fc00:cada:c406::200
>>
>> 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>>
>> 15[NET] sending packet: from fc00:cada:c406:607::1001[500] to
>> fc00:cada:c406::200[500] (456 bytes)
>>
>> 10[NET] received packet: from fc00:cada:c406::200[500] to
>> fc00:cada:c406:607::1001[500] (453 bytes)
>>
>> 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>>
>> 10[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>> CN=TEST CableLabs Root Certification Authority"
>>
>> 10[IKE] received 1 cert requests for an unknown ca
>>
>> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
>> CN=TEST CableLabs Device Certification Authority"
>>
>> 10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>> CN=TEST CableLabs Root Certification Authority"
>>
>> 10[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA
>> Remote Device Certificate, CN=FF:FF:05:E6:E6:20'
>>
>> 13[KNL] creating delete job for CHILD_SA ESP/0x/fc00:cada:c406:
>> :200
>>
>> 08[JOB] CHILD_SA ESP/0x/fc00:cada:c406::200 not found for delete
>>
>> 06[KNL] creating acquire job for policy 
>> fc00:cada:c406:607::1001/128[tcp/39047]
>> === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
>>
>> 16[IKE] initiating IKE_SA rpdfc00:cada:c406::200[2] to fc00:cada:c406::200
>>
>> 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>>
>> 16[NET] sending packet: from fc00:cada:c406:607::1001[500] to
>> fc00:cada:c406::200[500] (456 bytes)
>>
>> 11[NET] received packet: from fc00:cada:c406::200[500] to
>> fc00:cada:c406:607::1001[500] (453 bytes)
>>
>> 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>>
>> 11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>> CN=TEST CableLabs Root Certification Authority"
>>
>> 11[IKE] received 1 cert requests for an unknown ca
>>
>> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
>> CN=TEST CableLabs Device Certification Authority"
>>
>> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
>> CN=TEST CableLabs Root Certification Authority"
>>
>> 11[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA
>> Remote Device Certificate, CN=FF:FF:05:E6:E6:20
>>
>>
>>
>>
>>
>>
>>
>> root@plnx_aarch64:~# ip -s xfrm state
>>
>> src fc00:cada:c406:607::1001 dst fc00:cada:c406::200
>>
>> proto esp spi 0x(0) reqid 2(0x0002) mode transport
>>
>> replay-window 0 seq 0x0002 flag  (0x)
>>
>> anti-replay context: seq 0x0, oseq 0x0, bitmap 0x
>>
>> sel src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128
>> proto tcp sport 39047 dport 8190 uid 0
>>
>> lifetime config:
>>
>>   lim

Re: [strongSwan] No private key found

2017-12-11 Thread rajeev nohria
Can anyone help with this issue? I have set up the id with the subject id and
still have this issue. Is there anything else I am missing?
Thanks,
Rajeev


[strongSwan] No private key found

2017-11-14 Thread rajeev nohria
Not sure what is wrong here. Can you let me know if I am missing
something?

16[KNL] creating acquire job for policy
fc00:cada:c406:607::1001/128[tcp/43005] ===
fc00:cada:c406::200/128[tcp/8190] with reqid {2}

2017-11-13 15:58:56,001-HalTransport.py-94-INFO-Start a agent transport
interface, path = [/tmp/Hal/agent/client/1/push]

15[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to fc00:cada:c406::200

15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]

15[NET] sending packet: from fc00:cada:c406:607::1001[500] to
fc00:cada:c406::200[500] (456 bytes)

10[NET] received packet: from fc00:cada:c406::200[500] to
fc00:cada:c406:607::1001[500] (453 bytes)

10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]

10[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
CN=TEST CableLabs Root Certification Authority"

10[IKE] received 1 cert requests for an unknown ca

10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
CN=TEST CableLabs Device Certification Authority"

10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
CN=TEST CableLabs Root Certification Authority"

10[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA Remote
Device Certificate, CN=FF:FF:05:E6:E6:20'

13[KNL] creating delete job for CHILD_SA ESP/0x/fc00:cada:c406::200

08[JOB] CHILD_SA ESP/0x/fc00:cada:c406::200 not found for delete

06[KNL] creating acquire job for policy
fc00:cada:c406:607::1001/128[tcp/39047] ===
fc00:cada:c406::200/128[tcp/8190] with reqid {2}

16[IKE] initiating IKE_SA rpdfc00:cada:c406::200[2] to fc00:cada:c406::200

16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]

16[NET] sending packet: from fc00:cada:c406:607::1001[500] to
fc00:cada:c406::200[500] (456 bytes)

11[NET] received packet: from fc00:cada:c406::200[500] to
fc00:cada:c406:607::1001[500] (453 bytes)

11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]

11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
CN=TEST CableLabs Root Certification Authority"

11[IKE] received 1 cert requests for an unknown ca

11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
CN=TEST CableLabs Device Certification Authority"

11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
CN=TEST CableLabs Root Certification Authority"

11[IKE] no private key found for 'C=US, O=ARRIS Group, Inc., OU=DCA Remote
Device Certificate, CN=FF:FF:05:E6:E6:20
root@plnx_aarch64:~# ip -s xfrm state

src fc00:cada:c406:607::1001 dst fc00:cada:c406::200

proto esp spi 0x(0) reqid 2(0x0002) mode transport

replay-window 0 seq 0x0002 flag  (0x)

anti-replay context: seq 0x0, oseq 0x0, bitmap 0x

sel src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128
proto tcp sport 39047 dport 8190 uid 0

lifetime config:

  limit: soft (INF)(bytes), hard (INF)(bytes)

  limit: soft (INF)(packets), hard (INF)(packets)

  expire add: soft 0(sec), hard 165(sec)

  expire use: soft 0(sec), hard 0(sec)

lifetime current:

  0(bytes), 0(packets)

  add 2017-11-13 16:01:42 use -

stats:

  replay-wind
root@plnx_aarch64:~# ip -s xfrm policy

src fc00:cada:c406::200/128 dst fc00:cada:c406:607::1001/128 proto tcp uid 0

dir in action allow index 88 priority 234336 share any flag
(0x)

lifetime config:

  limit: soft (INF)(bytes), hard (INF)(bytes)

  limit: soft (INF)(packets), hard (INF)(packets)

  expire add: soft 0(sec), hard 0(sec)

  expire use: soft 0(sec), hard 0(sec)

lifetime current:

  0(bytes), 0(packets)

  add 2017-11-13 15:58:55 use -

tmpl src :: dst ::

proto esp spi 0x(0) reqid 2(0x0002) mode
transport

level required share any

enc-mask  auth-mask  comp-mask 

src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128 proto tcp uid 0

dir out action allow index 81 priority 234336 share any flag
(0x)

lifetime config:

  limit: soft (INF)(bytes), hard (INF)(bytes)

  limit: soft (INF)(packets), hard (INF)(packets)

  expire add: soft 0(sec), hard 0(sec)

  expire use: soft 0(sec), hard 0(sec)

lifetime current:

  0(bytes), 0(packets)

  add 2017-11-13 15:58:55 use -

tmpl src :: dst ::

proto esp spi 0x(0) reqid 2(0x0002) mode
transport

level required share any

enc-mask  auth-mask  comp-mask 

src fc00:cada:c406::200/128 dst fc00:cada:c406:607::1001/128 proto l2tp uid
0

dir in action allow index 72 priority 234336 share 

Re: [strongSwan] no matching peer config found

2017-10-09 Thread rajeev nohria
I figured it out: one of the certificates was not loaded. Fixed it and it is working now.


[strongSwan] no matching peer config found

2017-10-09 Thread rajeev nohria
I am using swanctl and I am having a "no matching peer config found" issue.

Please find logs and swanctl.conf in this email.

Thanks,
Rajeev

9[NET] received packet: from fc00:cada:c402:607::1001[500] to
2017::5002[500] (264 bytes)
09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(HASH_ALG) N(REDIR_SUP) ]
09[CFG] looking for an ike config for 2017::5002...fc00:cada:c402:607::1001
09[CFG] ike config match: 3100 (2017::5002 fc00:cada:c402:607::1001 IKEv2)
09[CFG]   candidate: 2017::5002...fc00:cada:C402:607::1001, prio 3100
09[CFG] found matching ike config: 2017::5002...fc00:cada:C402:607::1001
with prio 3100
09[IKE] fc00:cada:c402:607::1001 is initiating an IKE_SA
09[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
09[CFG] selecting proposal:
09[CFG]   proposal matches
09[CFG] received proposals:
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
09[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
09[CFG] selected proposal:
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
09[IKE] natd_chunk => 34 bytes @ 0x7f6d080009c0
09[IKE]0: 4D 98 3C 1D 83 58 E9 77 00 00 00 00 00 00 00 00
 M.<..X.w
09[IKE]   16: 20 17 00 00 00 00 00 00 00 00 00 00 00 00 50 02
.P.
09[IKE]   32: 01 F4..
09[IKE] natd_hash => 20 bytes @ 0x7f6d08005630
09[IKE]0: F8 0F 32 75 38 53 84 20 35 D3 D5 81 06 50 5B B1  ..2u8S.
5P[.
09[IKE]   16: 90 95 12 4B  ...K
09[IKE] natd_chunk => 34 bytes @ 0x7f6d080009c0
09[IKE]0: 4D 98 3C 1D 83 58 E9 77 00 00 00 00 00 00 00 00
 M.<..X.w
09[IKE]   16: FC 00 CA DA C4 02 06 07 00 00 00 00 00 00 10 01
 
09[IKE]   32: 01 F4..
09[IKE] natd_hash => 20 bytes @ 0x7f6d080056a0
09[IKE]0: 89 87 B4 7C 73 09 A9 F3 2A 92 E3 A9 C6 C6 64 35
 ...|s...*.d5
09[IKE]   16: 95 BC 38 0F  ..8.
09[IKE] precalculated src_hash => 20 bytes @ 0x7f6d080056a0
09[IKE]0: 89 87 B4 7C 73 09 A9 F3 2A 92 E3 A9 C6 C6 64 35
 ...|s...*.d5
09[IKE]   16: 95 BC 38 0F  ..8.
09[IKE] precalculated dst_hash => 20 bytes @ 0x7f6d08005630
09[IKE]0: F8 0F 32 75 38 53 84 20 35 D3 D5 81 06 50 5B B1  ..2u8S.
5P[.
09[IKE]   16: 90 95 12 4B  ...K
09[IKE] received src_hash => 20 bytes @ 0x7f6d08000eb0
09[IKE]0: 89 87 B4 7C 73 09 A9 F3 2A 92 E3 A9 C6 C6 64 35
 ...|s...*.d5
09[IKE]   16: 95 BC 38 0F  ..8.
09[IKE] received dst_hash => 20 bytes @ 0x7f6d08000fd0
09[IKE]0: F8 0F 32 75 38 53 84 20 35 D3 D5 81 06 50 5B B1  ..2u8S.
5P[.
09[IKE]   16: 90 95 12 4B  ...K
09[IKE] shared Diffie Hellman secret => 32 bytes @ 0x7f6d08005600
09[IKE]0: 07 A8 18 F1 5B 97 39 47 DB AE 62 F1 56 DA 12 56
 [.9G..b.V..V
09[IKE]   16: 5F 5F F9 55 F4 68 94 50 AB 11 2D 5D E4 8C A8 9A
 __.U.h.P..-]
09[IKE] SKEYSEED => 32 bytes @ 0x7f6d08003240
09[IKE]0: C0 1A C8 49 7B ED 7C AD 07 02 B7 44 48 18 B3 B3
 ...I{.|DH...
09[IKE]   16: 7D 43 E0 E7 5D 58 40 B2 5D 7B 90 D5 90 BD D3 99  }C..]X@
.]{..
09[IKE] Sk_d secret => 32 bytes @ 0x7f6d08005600
09[IKE]0: BE 08 2D 04 64 4D BB CE FC 83 DD 05 C9 D9 F0 05
 ..-.dM..
09[IKE]   16: 60 EF C4 53 88 C9 82 41 54 36 00 3A AC DD 40 A9
 `..S...AT6.:..@.
09[IKE] Sk_ai secret => 32 bytes @ 0x7f6d08003240
09[IKE]0: 03 03 2C 1E 63 60 16 08 B6 E3 3E BA 8C 80 AA 34
 ..,.c`>4
09[IKE]   16: A9 FA 0C 9A FF 0B A5 3C E8 2C 66 FE C6 A3 6D 85
 ...<.,f...m.
09[IKE] Sk_ar secret => 32 bytes @ 0x7f6d08003240
09[IKE]0: 58 50 F7 80 69 2E F1 BF C6 3E 27 B2 7F 51 11 D2
 XP..i>'..Q..
09[IKE]   16: 79 FE 18 9B 6E C7 71 20 2B E6 EB 7F D5 A2 E3 3D  y...n.q
+..=
09[IKE] Sk_ei secret => 16 bytes @ 0x7f6d080017e0
09[IKE]0: FC CB 72 54 A1 2B C4 31 BF 80 E6 E3 62 50 3F 34
 ..rT.+.1bP?4
09[IKE] Sk_er secret => 16 bytes @ 0x7f6d080017e0
09[IKE]0: F4 18 F2 91 64 3D 72 97 5C 71 06 7F A8 82 C6 41
 d=r.\q.A
09[IKE] Sk_pi secret => 32 bytes @ 0x7f6d08003ea0
09[IKE]0: 9A 72 FC 50 C5 8E 55 FF EC 59 F3 AB A9 1B 71 58
 .r.P..U..YqX
09[IKE]   16: 27 76 46 AB EE 5B 64 36 9F 9A 09 52 81 82 D3 A9
 'vF..[d6...R
09[IKE] Sk_pr secret => 32 bytes @ 0x7f6d08003f70
09[IKE]0: 3F A5 34 D7 4A B5 2E DB D4 F3 18 57 52 97 A8 EC
 ?.4.J..WR...
09[IKE]   16: 9D 87 5A 66 AE AF 18 F0 17 75 C7 67 4C 0F 39 4D
 ..Zf.u.gL.9M
09[IKE] natd_chunk => 34 bytes @ 0x7f6d08005730
09[IKE]0: 4D 98 3C 1D 83 58 E9 77 54 E5 64 60 22 20 BF A2
 M.<..X.wT.d`" ..
09[IKE]   16: 20 17 00 00 00 00 00 00 00 00 00 00 00 00 50 02
.P.
09[IKE]   32: 01 F4..
09[IKE] natd_hash => 20 bytes @ 0x7f6d08005510
09[IKE]0: 05 CB 8A 0D 44 85 26 3F 29 89 80 B8 35 8E ED DE
 D.&?)...5...
09[IKE]   16: D4 48 
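
The trace in this post was captured with strongSwan's "ike" log level high enough to hexdump the IKE_SA keying material: the shared Diffie Hellman secret, SKEYSEED and the derived SK_d, SK_a*, SK_e* and SK_p* keys are all printed in full. Anyone holding those bytes plus a packet capture of the exchange can decrypt and forge that IKE_SA's traffic, so a trace like this should be scrubbed before it is pasted into a list post or a ticket. The following Python script is an added example by the editor, not code from this thread or from the strongSwan project. It recognises the key-material header lines and redacts the hexdump lines that follow them, while leaving the NAT-detection hashes (natd_hash, src_hash, dst_hash), which travel in the clear anyway, untouched. The sample log is constructed in the shape of the trace above with made-up byte values.

```python
# Added example (editor), not code from the thread or from strongSwan.
import re

# Header lines strongSwan prints at "ike" log level 4 before hexdumping key material.
# natd_hash / src_hash / dst_hash in the same trace are NAT-detection hashes that are
# sent in the clear, so they are deliberately not on this list.
SECRET_HEADER = re.compile(
    r"\b(shared Diffie Hellman secret|SKEYSEED|Sk_(?:d|ai|ar|ei|er|pi|pr) secret)\b",
    re.IGNORECASE)

# Hexdump continuation line: "<thread>[IKE]  <offset>: <hex bytes>  <ascii>"
HEX_DUMP = re.compile(r"^(\s*\d+\[\w+\]\s*\d+:)\s+[0-9A-Fa-f]{2}(?:\s+[0-9A-Fa-f]{2})*")

# Constructed sample in the shape of the trace above; the byte values are made up.
SAMPLE_LOG = """\
09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
09[IKE] natd_hash => 20 bytes @ 0x7f6d08005630
09[IKE]    0: 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00  ."3DUfw.........
09[IKE]   16: 01 02 03 04                                      ....
09[IKE] SKEYSEED => 32 bytes @ 0x7f6d08003240
09[IKE]    0: A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF  ................
09[IKE]   16: B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 BA BB BC BD BE BF  ................
09[IKE] Sk_d secret => 32 bytes @ 0x7f6d08005600
09[IKE]    0: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF  ................
09[IKE]   16: D0 D1 D2 D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF  ................
09[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => ESTABLISHED
"""


def scrub(lines):
    """Return (scrubbed lines, names of secrets seen).

    A secret header line only states a length and a heap address, so it is kept;
    the hexdump lines that follow it are replaced until the next line that is not
    a hexdump. Dumps under non-secret headers pass through unchanged."""
    out, found, redacting = [], [], False
    for line in lines:
        header = SECRET_HEADER.search(line)
        if header:
            found.append(header.group(1))
            redacting = True
            out.append(line)
            continue
        dump = HEX_DUMP.match(line)
        if dump:
            out.append(dump.group(1) + " [redacted]" if redacting else line)
            continue
        redacting = False
        out.append(line)
    return out, found


def verify_scrubbed(lines):
    """True when no hexdump line is left directly under a secret header."""
    redacting = False
    for line in lines:
        if SECRET_HEADER.search(line):
            redacting = True
        elif HEX_DUMP.match(line):
            if redacting:
                return False
        else:
            redacting = False
    return True


if __name__ == "__main__":
    scrubbed, found = scrub(SAMPLE_LOG.splitlines())
    print("redacted %d secret(s): %s" % (len(found), ", ".join(found)))
    print("\n".join(scrubbed))
```

Run it over a saved daemon log (for example "python3 scrub.py < charon.log") before sharing; verify_scrubbed() returning False on the output means a dump escaped the pattern and should be inspected by hand. Lowering the "ike" log level to 1 or 2 avoids producing these dumps in the first place.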

Re: [strongSwan] No private key found

2017-10-08 Thread rajeev nohria
I resolved the issue by setting up the id properly. Thanks for the direction.


Re: [strongSwan] No private key found

2017-10-07 Thread rajeev nohria
Andreas,

Thanks for the reply. I am using the davici interface instead of swanctl.conf. I
do set the id as id: fc00:cada:c404:607::1001 but not the certs. Since I am
using davici, it does not know the certificate file name and its path; I am
reading the certificate file and passing the data. How can I resolve the
problem in this situation?

Thanks,
Rajeev

On Thu, Oct 5, 2017 at 11:56 AM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:

> Hi,
>
> you must not set the IKEv2 ID to
>
> id: fc00:cada:c404:607::1001
>
> since this ID is not contained as a subjectAltName in the client
> certificate.
>
> Probably you didn't use the "certs" parameter in the local section of
> swanctl.conf so that the client certificate just got loaded from
> /etc/swanctl/x509. If you don't define the "id" parameter in the local
> section then the IPv6 address of the client is assumed as the "id" by
> default and because the IP address is not contained as a subjectAltName
> in the certificate then neither the certificate nor the corresponding
> private key is found.
>
> So the best approach is to define the following in swanctl.conf:
>
> local {
>auth = pubkey
>certs = myCert.pem
> }
>
> This first causes the private key to be found automatically based
> on the fingerprint of the public key contained in the certificate and
> the ID to be set to the subject distinguished name contained in the
> certificate.
>
> Best regards
>
> Andreas
>
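
Andreas's point above applies equally to the December trace earlier on this page, where the id was changed to the subject DN but the certificate was still not handed over with the connection: charon selects the private key by first finding a loaded certificate whose subject DN or subjectAltName equals the local id, so an id that matches nothing (an IP address that is not a SAN, or a DN of a certificate that was never attached to the connection) ends in "no private key found". With davici there is no swanctl.conf, but the fix is the same: put the certificate data into the certs list of the local section and do not set an id at all. The following Python is an added example by the editor, not code from this thread, from davici or from the strongSwan project. It builds that load-conn message and encodes and decodes it in the vici wire format (1-byte length-prefixed names, 2-byte length-prefixed values, 4-byte length-prefixed packets), which is the format davici speaks on the wire. Assumptions: DEVICE_CERT_PEM is a constructed placeholder rather than a real certificate; the connection name, addresses and proposal are taken from the thread; and that the daemon accepts certificate data (not only a file name) as a certs list item is my understanding of what swanctl itself forwards for certs = myCert.pem, so check it against your strongSwan version.

```python
# Added example (editor), not code from the thread, davici or strongSwan.
import struct

# vici packet and element type codes, per strongSwan's vici protocol description
CMD_REQUEST = 0
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = range(1, 7)

# Constructed placeholder, not a real certificate: in practice this is the PEM read
# from the device's certificate file, which is what swanctl forwards for "certs =".
DEVICE_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nMIIC...placeholder...\n-----END CERTIFICATE-----\n"

def _name(name):
    raw = name.encode()                      # 1-byte length prefix
    if len(raw) > 255:
        raise ValueError("vici names are limited to 255 bytes")
    return bytes([len(raw)]) + raw

def _value(value):
    raw = value if isinstance(value, bytes) else str(value).encode()
    if len(raw) > 0xFFFF:                    # 2-byte big-endian length prefix
        raise ValueError("vici values are limited to 64 KiB")
    return struct.pack("!H", len(raw)) + raw

def encode_message(obj):
    """Encode nested dicts (sections), lists and scalars as vici elements."""
    out = bytearray()
    for key, val in obj.items():
        if isinstance(val, dict):
            out += bytes([SECTION_START]) + _name(key) + encode_message(val) + bytes([SECTION_END])
        elif isinstance(val, (list, tuple)):
            out += bytes([LIST_START]) + _name(key)
            out += b"".join(bytes([LIST_ITEM]) + _value(item) for item in val) + bytes([LIST_END])
        else:
            out += bytes([KEY_VALUE]) + _name(key) + _value(val)
    return bytes(out)

def encode_request(command, msg):
    """Frame a CMD_REQUEST packet: 4-byte big-endian length, type, name, message."""
    body = bytes([CMD_REQUEST]) + _name(command) + encode_message(msg)
    return struct.pack("!I", len(body)) + body

def decode_message(data, pos=0):
    """Parse elements until SECTION_END or end of data; values come back as bytes."""
    obj = {}
    while pos < len(data):
        kind, pos = data[pos], pos + 1
        if kind == SECTION_END:
            break
        nlen = data[pos]
        name, pos = data[pos + 1:pos + 1 + nlen].decode(), pos + 1 + nlen
        if kind == SECTION_START:
            obj[name], pos = decode_message(data, pos)
        elif kind == KEY_VALUE:
            (vlen,) = struct.unpack_from("!H", data, pos)
            obj[name], pos = data[pos + 2:pos + 2 + vlen], pos + 2 + vlen
        elif kind == LIST_START:
            items = []
            while data[pos] == LIST_ITEM:
                (vlen,) = struct.unpack_from("!H", data, pos + 1)
                items.append(data[pos + 3:pos + 3 + vlen])
                pos += 3 + vlen
            if data[pos] != LIST_END:
                raise ValueError("list without LIST_END")
            obj[name], pos = items, pos + 1
        else:
            raise ValueError("unexpected element type %d" % kind)
    return obj, pos

def decode_request(packet):
    """Inverse of encode_request; returns (command name, message dict)."""
    (length,) = struct.unpack_from("!I", packet, 0)
    body = packet[4:4 + length]
    if len(body) != length or body[0] != CMD_REQUEST:
        raise ValueError("not a complete CMD_REQUEST packet")
    nlen = body[1]
    return body[2:2 + nlen].decode(), decode_message(body, 2 + nlen)[0]

def build_load_conn(name, local_addr, remote_addr, cert_pem):
    """load-conn following Andreas's advice: hand the certificate over in local.certs;
    the daemon takes the ID from its subject DN and finds the private key by the
    public key fingerprint, so no explicit local id is needed."""
    return {name: {
        "version": 2,
        "local_addrs": [local_addr],
        "remote_addrs": [remote_addr],
        "proposals": ["aes128-sha256-modp2048"],
        "local": {"auth": "pubkey", "certs": [cert_pem]},
        "remote": {"auth": "pubkey", "id": "%any"},
    }}

def lint_local_section(local):
    """Flag the pattern from both threads: an explicit id but no certs. The daemon
    then looks for a loaded certificate whose subject DN or a subjectAltName equals
    the id; an IP address that is not a SAN ends in 'no private key found'."""
    if local.get("id") and not local.get("certs"):
        return ["id %r set without certs: it must equal the certificate's subject DN "
                "or one of its subjectAltNames" % local["id"]]
    return []
```

The bytes returned by encode_request() are what a davici client hands to the daemon socket after davici_queue(); with davici itself you would express the same structure through davici_section_start(), davici_kvf(), davici_list_start() and davici_list_item(), passing the certificate buffer as the list item. Keeping the private key loaded via load-key (as the log lines "loaded RSA private key" show) is still required; certs only tells the daemon which public key the key must match.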

[strongSwan] No private key found

2017-10-07 Thread rajeev nohria
I have seen this issue before and fixed it. But this time I am not able to
figure it out. Let me know if anyone sees the issue or has any suggestion.
Thanks in advance.

Problem:
Getting error while initiating the connection.

[IKE] no private key found for 'fc00:cada:c404:607::1001'

11[IKE] no private key found for 'fc00:cada:c404:607::1001'

We are able to load the certificates and keys. Looking at the logs, the
following lines are proof.


messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded RSA
private key

messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded
certificate 'C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root
Certification Authority'

messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded
certificate 'C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e'

messages.0:Jan  1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded
certificate 'C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs
Device Certification Authority'



But when I initiate a connection, I get the following.



root@E6kn-2016:# swanctl --initiate --child gcpfc00:cada:c404::200

07[CFG] vici initiate 'gcpfc00:cada:c404::200'

09[IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002

[IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002

[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(HASH_ALG) N(REDIR_SUP) ]

09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]

[NET] sending packet: from fc00:cada:c404:607::1001[500] to 2017::5002[500]
(264 bytes)

09[NET] sending packet: from fc00:cada:c404:607::1001[500] to
2017::5002[500] (264 bytes)

11[NET] received packet: from 2017::5002[500] to
fc00:cada:c404:607::1001[500] (289 bytes)

[NET] received packet: from 2017::5002[500] to
fc00:cada:c404:607::1001[500] (289 bytes)

11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
CERTREQ N(HASH_ALG) N(MULT_AUTH) ]

[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
CERTREQ N(HASH_ALG) N(MULT_AUTH) ]

[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
CN=TEST CableLabs Device Certification Authority"

11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
CN=TEST CableLabs Device Certification Authority"

[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
CN=TEST CableLabs Device Certification Authority"

11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,
CN=TEST CableLabs Device Certification Authority"

[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
CN=TEST CableLabs Root Certification Authority"

11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,
CN=TEST CableLabs Root Certification Authority"

[IKE] no private key found for 'fc00:cada:c404:607::1001'

11[IKE] no private key found for 'fc00:cada:c404:607::1001'

initiate failed: establishing CHILD_SA 'gcpfc00:cada:c404::200' failed

root@E6kn-2016:# swanctl --list-conns

rpdfc00:cada:c404::200: IKEv2, no reauthentication, rekeying every 14400s

  local:  fc00:cada:c404:607::1001

  remote: 2017::5002

  local public key authentication:

id: fc00:cada:c404:607::1001

  remote public key authentication:

  gcpfc00:cada:c404::200: TRANSPORT, rekeying every 3600s

local:  fc00:cada:c404:607::1001/128[tcp]

remote: 2017::5002/128[tcp]

  l2tpfc00:cada:c404::200: TRANSPORT, rekeying every 3600s

local:  fc00:cada:c404:607::1001/128[l2tp]

remote: 2017::5002/128[l2tp]


root@E6kn-2016:# swanctl --list-certs


List of X.509 End Entity Certificates


  subject:  "C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e"

  issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs
Device Certification Authority"

  validity:  not before Sep 28 18:18:53 2017, ok

 not after  Sep 28 18:18:53 2037, ok (expires in 7300 days)

  serial:dd:dc:09:21:36:f2:e8:71

  authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b

  subjkeyId: 9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9

  pubkey:RSA 2048 bits, has private key

  keyid: 8d:40:7d:fb:38:7b:4b:e2:fe:00:ba:72:6c:82:63:2b:6b:75:30:6e

  subjkey:   9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9


List of X.509 CA Certificates


  subject:  "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs
Device Certification Authority"

  issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root
Certification Authority"

  validity:  not before Dec 09 23:08:49 2014, ok

 not after  Dec 09 23:08:49 2049, ok (expires in 11755 days)

  serial:a0:16:bc:73:85:0e:65:37

  altNames:  CN=SYMC-3072-5

  flags: CA CRLSign

  pathlen:   0

  authkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb

  subjkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b

  pubkey:RSA 3072 bits

  keyid: 

[strongSwan] PSK-IKEv2- DAVICI

2017-06-19 Thread rajeev nohria
The following capture is taken on the responder side.  Can you give any idea what
could be wrong?

15[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH N(USE_TRANSP) SA TSi TSr
N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
15[CFG] looking for peer configs matching 2001:2016:0:1::23e[2001:2016:0
:1::23e]...2001:2016:0:1::24b[2001:2016:0:1::24b]
15[CFG] peer config match local: 20 (ID_IPV6_ADDR ->
20:01:20:16:00:00:00:01:00:00:00:00:00:00:02:3e)
15[CFG] peer config match remote: 20 (ID_IPV6_ADDR ->
20:01:20:16:00:00:00:01:00:00:00:00:00:00:02:4b)
15[CFG] ike config match: 3100 (2001:2016:0:1::23e 2001:2016:0:1::24b IKEv2)
15[CFG]   candidate "rw", match: 20/20/3100 (me/other/ike)
15[CFG] selected peer config 'rw'
*15[IKE] tried 0 shared keys for '2001:2016:0:1::23e' -
'2001:2016:0:1::24b', but MAC matched*
*15[IKE] no shared key found for '2001:2016:0:1::23e' -
'2001:2016:0:1::24b'*
*15[IKE] peer supports MOBIKE*
*15[IKE] got additional MOBIKE peer address: 10.14.37.97*
*15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]*
15[NET] sending packet: from 2001:2016:0:1::23e[4500] to
2001:2016:0:1::24b[4500] (80 bytes)
15[IKE] IKE_SA rw[2] state change: CONNECTING => DESTROYING



*Initiator*
*--*
2001:2016:0:1::24b
Uses Davici code



   struct davici_request *dvReq;
   char str[] = "password";
   int err;

   /* build the load-shared request: type = ike, data = secret, owners = [ ipAddrStr ] */
   err = davici_new_cmd("load-shared", &dvReq);
   davici_kvf(dvReq, "type", "%s", "ike");
   davici_kv(dvReq, "data", str, strlen(str));
   davici_list_start(dvReq, "owners");
   davici_list_itemf(dvReq, "%s", ipAddrStr);
   davici_list_end(dvReq);

   /* queue the request with reqcb() as completion callback and dvTester as user data, then flush */
   err = davici_queue(dvConn, dvReq, reqcb, dvTester);
   err = davici_write(dvConn);

*Receptor*

2001:2016:0:1::23e
uses swanctl.conf. See the attached file.

I tried the secret as password as well as 0spassword.


swanctl.conf
Description: Binary data


Re: [strongSwan] Error while running Charon

2016-10-27 Thread rajeev nohria
Ok, I will register on the issue tracker.

On Thu, Oct 27, 2016 at 2:37 PM, Noel Kuntze <n...@familie-kuntze.de> wrote:

> On 27.10.2016 20:34, rajeev nohria wrote:
> >
> > I am getting similar to following issue. Not sure how it was resolved.
> > https://wiki.strongswan.org/issues/1299
> It wasn't resolved. The person didn't answer to Tobias' question and then
> the issue was closed.
> If you care enough about your problem to want it be resolved, register on
> the issue tracker and comment on it.
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>
>
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Error while running Charon

2016-10-27 Thread rajeev nohria
Problem 1:
root@Xilinx-ZCU102-2016_1:/lib# charon
00[DMN] Starting IKE charon daemon (strongSwan 5.5.0, Linux 4.4.0, aarch64)
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet
dependency: NONCE_GEN
00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has
unmet dependency: HASHER:HASH_SHA1
00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon'
has unmet dependency: HASHER:HASH_SHA1
00[LIB] failed to load 3 critical plugin features
00[DMN] initialization failed - aborting charon

How does charon know where to look for the plugins?  I used the
--enable-monolithic option, which means all the plugins should be in
libstrongswan, libcharon and libvici.

I am getting an issue similar to the following. Not sure how it was resolved.
https://wiki.strongswan.org/issues/1299


root@Xilinx-ZCU102-2016_1:~# cd /usr/lib/ipsec

root@Xilinx-ZCU102-2016_1:/usr/lib/ipsec# ls

libcharon.a   libstrongswan.a   libvici.a plugins

libcharon.la  libstrongswan.la  libvici.la

root@Xilinx-ZCU102-2016_1:/usr/lib/ipsec# cd plugins/

root@Xilinx-ZCU102-2016_1:/usr/lib/ipsec/plugins# ls

libstrongswan-aes.a  libstrongswan-pkcs7.a

libstrongswan-aes.la libstrongswan-pkcs7.la

libstrongswan-attr.a libstrongswan-pkcs8.a

libstrongswan-attr.lalibstrongswan-pkcs8.la

libstrongswan-cmac.a libstrongswan-pubkey.a

libstrongswan-cmac.lalibstrongswan-pubkey.la

libstrongswan-constraints.a  libstrongswan-random.a

libstrongswan-constraints.la libstrongswan-random.la

libstrongswan-des.a  libstrongswan-rc2.a

libstrongswan-des.la libstrongswan-rc2.la

libstrongswan-dnskey.a   libstrongswan-resolve.a

libstrongswan-dnskey.la  libstrongswan-resolve.la

libstrongswan-fips-prf.a libstrongswan-revocation.a

libstrongswan-fips-prf.lalibstrongswan-revocation.la

libstrongswan-hmac.a libstrongswan-sha1.a

libstrongswan-hmac.lalibstrongswan-sha1.la

libstrongswan-kernel-netlink.a   libstrongswan-sha2.a

libstrongswan-kernel-netlink.la  libstrongswan-sha2.la

libstrongswan-md5.a  libstrongswan-socket-default.a

libstrongswan-md5.la libstrongswan-socket-default.la

libstrongswan-nonce.alibstrongswan-sshkey.a

libstrongswan-nonce.la   libstrongswan-sshkey.la

libstrongswan-openssl.a  libstrongswan-stroke.a

libstrongswan-openssl.la libstrongswan-stroke.la

libstrongswan-pem.a  libstrongswan-updown.a

libstrongswan-pem.la libstrongswan-updown.la

libstrongswan-pgp.a  libstrongswan-vici.a

libstrongswan-pgp.la libstrongswan-vici.la

libstrongswan-pkcs1.alibstrongswan-x509.a

libstrongswan-pkcs1.la   libstrongswan-x509.la

libstrongswan-pkcs11.a   libstrongswan-xauth-generic.a

libstrongswan-pkcs11.la  libstrongswan-xauth-generic.la

libstrongswan-pkcs12.a   libstrongswan-xcbc.a

libstrongswan-pkcs12.la  libstrongswan-xcbc.la





Problem 2:

When running swanctl, I am getting the following issue. Any pointers?


root@Xilinx-ZCU102-2016_1:/lib#
root@Xilinx-ZCU102-2016_1:/lib#
root@Xilinx-ZCU102-2016_1:/lib# swanctl
strongSwan 5.5.0 swanctl
loaded plugins:
usage:
  swanctl --initiate (-i)  initiate a connection
  swanctl --terminate(-t)  terminate a connection
  swanctl --redirect (-d)  redirect an IKE_SA
  swanctl --uninstall(-u)  uninstall a trap or shunt policy
  swanctl --install  (-p)  install a trap or shunt policy
  swanctl --list-sas (-l)  list currently active IKE_SAs
  swanctl --monitor-sa   (-m)  monitor for IKE_SA and CHILD_SA changes
  swanctl --list-pols(-P)  list currently installed policies
  swanctl --list-authorities (-B)  list loaded authority configurations
  swanctl --list-conns   (-L)  list loaded configurations
  swanctl --list-certs   (-x)  list stored certificates
  swanctl --list-pools   (-A)  list loaded pool configurations
  swanctl --list-algs(-g)  show loaded algorithms
  swanctl --load-all (-q)  load credentials, authorities, pools and
connections
  swanctl --load-authorities (-b)  (re-)load authority configuration
  swanctl --load-conns   (-c)  (re-)load connection configuration
  swanctl --load-creds   (-s)  (re-)load credentials
  swanctl --load-pools   (-a)  (re-)load pool configuration
  swanctl --log  (-T)  trace logging output
  swanctl --version  (-v)  show version information
  swanctl --stats(-S)  show daemon stats information
  swanctl --reload-settings  (-r)  reload daemon strongswan.conf
  swanctl --help (-h)  show usage information
libgcc_s.so.1 must be installed for pthread_cancel to work
Aborted



On Wed, Oct 19, 2016 at 2:43 PM, rajeev nohria <rajnoh...@gmail.com> wrote:

> Thom

Re: [strongSwan] Error while running Charon

2016-10-19 Thread rajeev nohria
Thomas,

I tried both ways and it did not help. Not sure what I could be missing.  In
the following I also tried removing the swanctl section; that also did not work.


# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

swanctl {
  load = pem pkcs1 x509 revocation constraints pubkey openssl random
}


charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
}

 filelog {
/var/log/charon.log {
# add a timestamp prefix
time_format = %b %e %T
# prepend connection name, simplifies grepping
ike_name = yes
# overwrite existing files
append = no
# increase default loglevel for all daemon subsystems
default = 10
# flush each line to disk
flush_line = yes
}
stderr {
# more detailed loglevel for a specific subsystem, overriding
the
# default loglevel.
ike = 4
   cfg = 4
   asn = 4
   app = 4
tls = 4
 esp = 4
chd = 4
knl = 0

}
}



include strongswan.d/charon/*.conf

*root@Xilinx-ZCU102-2016_1:/usr/etc/strongswan.d/charon# ls*
aes.conf pem.conf sha1.conf
attr.confpgp.conf sha2.conf
cmac.confpkcs1.conf   socket-default.conf
constraints.conf pkcs11.conf  sshkey.conf
des.conf pkcs12.conf  stroke.conf
dnskey.conf  pkcs7.conf   updown.conf
fips-prf.confpkcs8.conf   vici.conf
hmac.confpubkey.conf  x509.conf
kernel-netlink.conf  random.conf  xauth-generic.conf
md5.conf rc2.conf xcbc.conf
nonce.conf   resolve.conf
openssl.conf revocation.conf


root@Xilinx-ZCU102-2016_1:/usr/etc/strongswan.d/charon# *cat nonce.conf*
nonce {

# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes

}

On Tue, Oct 18, 2016 at 3:03 PM, Thomas Egerer <hakke_...@gmx.de> wrote:

> Rajeev,
>
> I guess, the config option '--enable-monolithic' option
> builds charon with all plugins compiled into one binary
> blob. Try and remove this option. Then remove the
> load_modular option from your strongwan.conf, or place
> the configuration snippets in your file system as
> described in [1]. Then of course, you would have to
> remove the load keyword from your strongswan.conf.
>
> Cheers,
> Thomas
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/Strongs
> wandirectory
>
>
> On 10/18/2016 04:37 PM, rajeev nohria wrote:
>
>> Noel,
>>
>> I still having issue after going through many hit and trial method to
>> fix this,
>>
>> root@Xilinx-ZCU102-2016_1:~# charon
>> 00[DMN] Starting IKE charon daemon (strongSwan 5.5.0, Linux 4.4.0,
>> aarch64)
>> 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet
>> dependency: NONCE_GEN
>> 00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon'
>> has unmet dependency: HASHER:HASH_SHA1
>> 00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon'
>> has unmet dependency: HASHER:HASH_SHA1
>> 00[LIB] failed to load 3 critical plugin features
>> 00[DMN] initialization failed - aborting charon
>>
>>
>> Makefile:
>>
>> CONF_OPTS +=  --disable-gmp --enable-monolithic --enable-openssl
>> --enable-pkcs11 --enable-vici --enable-x509 --enable-nonce
>>
>>
>>
>>
>> strongswan.conf
>> # strongswan.conf - strongSwan configuration file
>> #
>> # Refer to the strongswan.conf(5) manpage for details
>> #
>> # Configuration changes should be made in the included files
>>
>> swanctl {
>>   load = pem pkcs1 x509 revocation constraints pubkey openssl random
>> }
>>
>> charon {
>> load_modular = yes
>>  load = sha1 pem pkcs1 x509 revocation constraints pubkey openssl random
>> nonce curl kernel-netlink socket-default updown vici
>>
>> plugins {
>> include strongswan.d/charon/*.conf
>> }
>> }
>>
>>  filelog {
>> /var/log/charon.log {
>> # add a timestamp prefix
>> time_format = %b %e %T
>> # prepend connection name, simplifies grepping
>> ike_name = yes
>> # overwrite existing files
>> append = no
>> # increase default loglevel for all daemon subsystems
>> default = 10
>> # flush each line to disk
>> flush_line = yes
>> }
&

Re: [strongSwan] Error while running Charon

2016-10-18 Thread rajeev nohria
Noel,

I am still having the issue after going through many hit-and-trial methods to
fix this,

root@Xilinx-ZCU102-2016_1:~# charon
00[DMN] Starting IKE charon daemon (strongSwan 5.5.0, Linux 4.4.0, aarch64)
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet
dependency: NONCE_GEN
00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has
unmet dependency: HASHER:HASH_SHA1
00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon'
has unmet dependency: HASHER:HASH_SHA1
00[LIB] failed to load 3 critical plugin features
00[DMN] initialization failed - aborting charon


Makefile:

CONF_OPTS +=  --disable-gmp --enable-monolithic --enable-openssl
--enable-pkcs11 --enable-vici --enable-x509 --enable-nonce

strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

swanctl {
  load = pem pkcs1 x509 revocation constraints pubkey openssl random
}

charon {
load_modular = yes
 load = sha1 pem pkcs1 x509 revocation constraints pubkey openssl random
nonce curl kernel-netlink socket-default updown vici

plugins {
include strongswan.d/charon/*.conf
}
}

 filelog {
/var/log/charon.log {
# add a timestamp prefix
time_format = %b %e %T
# prepend connection name, simplifies grepping
ike_name = yes
# overwrite existing files
append = no
# increase default loglevel for all daemon subsystems
default = 10
# flush each line to disk
flush_line = yes
}
stderr {
# more detailed loglevel for a specific subsystem, overriding
the
# default loglevel.
ike = 4
   cfg = 4
   asn = 4
   app = 4
tls = 4
 esp = 4
chd = 4
knl = 0

}
}


On Sat, Oct 8, 2016 at 7:41 PM, Noel Kuntze  wrote:

> Hello Rajeevm
> >
> > 00[DMN] Starting IKE charon daemon (strongSwan 5.5.0, Linux 4.4.0,
> aarch64)
> > 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet
> dependency: NONCE_GEN
> > 00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon'
> has unmet dependency: HASHER:HASH_SHA1
> > 00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon'
> has unmet dependency: HASHER:HASH_SHA1
> > 00[LIB] failed to load 3 critical plugin features
> > 00[DMN] initialization failed - aborting charon
>
> You need the sha1 or the openssl plugin, as well as the nonce plugin.
> Please use google[1] next time.
>
> [1] https://encrypted.google.com/search?hl=en=site%3Awiki.
> strongswan.org%20%22libcharon%20in%20critical%20plugin%20%
> 27charon%27%20has%20unmet%20dependency%3A%20NONCE_GEN%22
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>
>

Re: [strongSwan] Strongswan 5.4 issue using certificates

2016-10-05 Thread rajeev nohria
I am all set after adding libatomic.so.1 in lib directory.

On Tue, Oct 4, 2016 at 3:05 PM, rajeev nohria <rajnoh...@gmail.com> wrote:

> Andreas,
>
> Thank you for all your help.  I have compiled the Strongswan with
> petalinux .  Whenever I run the charon I get the following error. Is there
> any flag I can add in makefile to get this fixed?
>
> #charon
> charon: error while loading shared libraries: libatomic.so.1: cannot open
> shared object file: No such file or directory
>
> Thanks,
> Rajeev
>
>
> On Fri, Sep 16, 2016 at 4:33 AM, Andreas Steffen <
> andreas.stef...@strongswan.org> wrote:
>
>> Hi Rajeev,
>>
>> yes, you have to load the private key file in your management tool
>> and transfer it via the VICI interface as a binary blob.
>>
>> Regards
>>
>> Andreas
>>
>> On 15.09.2016 21:20, rajeev nohria wrote:
>> > Anderas,
>> >
>> > When using davici-
>> > For the loading of private rsa keys, that has to be loaded like the
>> > certificate?
>> >
>> > Thanks,
>> > Rajeev
>> >
>> > On Thu, Sep 15, 2016 at 3:19 PM, rajeev nohria <rajnoh...@gmail.com
>> > <mailto:rajnoh...@gmail.com>> wrote:
>> >
>> > Anderas,
>> >
>> > For the loading of private rsa keys, that has to be loaded like the
>> > certificate?
>> >
>> > Thanks,
>> > Rajeev
>> >
>> > On Thu, Aug 4, 2016 at 12:16 AM, Andreas Steffen
>> > <andreas.stef...@strongswan.org
>> > <mailto:andreas.stef...@strongswan.org>> wrote:
>> >
>> > Hi Rajeev,
>> >
>> > different to the stroke protocol and ipsec.conf where the
>> filename
>> > of the certificate gets transferred via the stroke socket and
>> the
>> > charon daemon loads the certificate, vici transfers the
>> certificate
>> > itself either as a binary DER or a base64-encoded PEM blob.
>> Thus
>> > your management application has to load the certificate and
>> transfer
>> > it over the vici socket using davici.
>> >
>> > Regards
>> >
>> > Andreas
>> >
>> > On 04.08.2016 05:03, rajeev nohria wrote:
>> > > Thanks Andreas,
>> > >
>> > > It worked, I know started to implement in Davici. I had PSK
>> working in
>> > > Davici. With certificates, I am having  following issue during
>> > > parse_certs().
>> > >
>> > > 09[LIB]   file coded in unknown format, discarded
>> > > 09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4
>> builders
>> > >
>> > >
>> > >
>> > > Corresponding code is for Davici is
>> > > davici_list_start(r,"certs");
>> > >
>> > > davici_list_itemf(r,"%s","/usr/local/etc/swanctl/x509/hostCe
>> rt.pem");
>> > > davici_list_end(r);
>> > >
>> > >
>> > > I have tried file name with and without path.
>> > >
>> > > certs = hostCert.pem worked in swanctl.conf as attached in
>> previous email.
>> > >
>> > >
>> > > Do you know what could be issue here? Looks like software is
>> not able to
>> > > recognize the pem format but again it worked when using
>> swanctl.conf file.
>> > >
>> > > Thanks,
>> > > Rajeev
>> > >
>> > >
>> > > On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen
>> > > <andreas.stef...@strongswan.org
>> > <mailto:andreas.stef...@strongswan.org>
>> > <mailto:andreas.stef...@strongswan.org
>> > <mailto:andreas.stef...@strongswan.org>>>
>> > > wrote:
>> > >
>> > > Hi,
>> > >
>> > > according to your log, the initiator and responder create
>> > their
>> > > own Root CA certificate and store it locally in
>> > > /usr/local/etc/swanctl/x509ca. Therefore it is not
>> surprising
>> > &

Re: [strongSwan] Strongswan 5.4 issue using certificates

2016-10-04 Thread rajeev nohria
Andreas,

Thank you for all your help.  I have compiled strongSwan with petalinux.
Whenever I run charon I get the following error. Is there any flag I can add
in the makefile to get this fixed?

#charon
charon: error while loading shared libraries: libatomic.so.1: cannot open
shared object file: No such file or directory

Thanks,
Rajeev


On Fri, Sep 16, 2016 at 4:33 AM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:

> Hi Rajeev,
>
> yes, you have to load the private key file in your management tool
> and transfer it via the VICI interface as a binary blob.
>
> Regards
>
> Andreas
>
> On 15.09.2016 21:20, rajeev nohria wrote:
> > Anderas,
> >
> > When using davici-
> > For the loading of private rsa keys, that has to be loaded like the
> > certificate?
> >
> > Thanks,
> > Rajeev
> >
> > On Thu, Sep 15, 2016 at 3:19 PM, rajeev nohria <rajnoh...@gmail.com
> > <mailto:rajnoh...@gmail.com>> wrote:
> >
> > Anderas,
> >
> > For the loading of private rsa keys, that has to be loaded like the
> > certificate?
> >
> > Thanks,
> > Rajeev
> >
> > On Thu, Aug 4, 2016 at 12:16 AM, Andreas Steffen
> > <andreas.stef...@strongswan.org
> > <mailto:andreas.stef...@strongswan.org>> wrote:
> >
> > Hi Rajeev,
> >
> > different to the stroke protocol and ipsec.conf where the
> filename
> > of the certificate gets transferred via the stroke socket and the
> > charon daemon loads the certificate, vici transfers the
> certificate
> > itself either as a binary DER or a base64-encoded PEM blob. Thus
> > your management application has to load the certificate and
> transfer
> > it over the vici socket using davici.
> >
> > Regards
> >
> > Andreas
> >
> > On 04.08.2016 05:03, rajeev nohria wrote:
> > > Thanks Andreas,
> > >
> > > It worked, I know started to implement in Davici. I had PSK
> working in
> > > Davici. With certificates, I am having  following issue during
> > > parse_certs().
> > >
> > > 09[LIB]   file coded in unknown format, discarded
> > > 09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4
> builders
> > >
> > >
> > >
> > > Corresponding code is for Davici is
> > > davici_list_start(r,"certs");
> > >
> > > davici_list_itemf(r,"%s","/usr/local/etc/swanctl/x509/
> hostCert.pem");
> > > davici_list_end(r);
> > >
> > >
> > > I have tried file name with and without path.
> > >
> > > certs = hostCert.pem worked in swanctl.conf as attached in
> previous email.
> > >
> > >
> > > Do you know what could be issue here? Looks like software is
> not able to
> > > recognize the pem format but again it worked when using
> swanctl.conf file.
> > >
> > > Thanks,
> > > Rajeev
> > >
> > >
> > > On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen
> > > <andreas.stef...@strongswan.org
> > <mailto:andreas.stef...@strongswan.org>
> > <mailto:andreas.stef...@strongswan.org
> > <mailto:andreas.stef...@strongswan.org>>>
> > > wrote:
> > >
> > > Hi,
> > >
> > > according to your log, the initiator and responder create
> > their
> > > own Root CA certificate and store it locally in
> > > /usr/local/etc/swanctl/x509ca. Therefore it is not
> surprising
> > > that no trust into the received host certificate can be
> > established
> > > because it has been signed with the private key of a
> different
> > > root CA (although the Distinguished Name of the issuer is
> > the same).
> > >
> > > Fix: Generate only one private key and matching self-signed
> > > Root CA certificate. Use the private Root CA key to sign
> both
> > > initiator and responder host certificates and deploy the
> > Root CA
> > > certifica

Re: [strongSwan] Strongswan 5.4 issue using certificates

2016-09-15 Thread rajeev nohria
Andreas,

When using davici, for the loading of private RSA keys, do they have to be
loaded like the certificate?

Thanks,
Rajeev

On Thu, Sep 15, 2016 at 3:19 PM, rajeev nohria <rajnoh...@gmail.com> wrote:

> Anderas,
>
> For the loading of private rsa keys, that has to be loaded like the
> certificate?
>
> Thanks,
> Rajeev
>
> On Thu, Aug 4, 2016 at 12:16 AM, Andreas Steffen <
> andreas.stef...@strongswan.org> wrote:
>
>> Hi Rajeev,
>>
>> different to the stroke protocol and ipsec.conf where the filename
>> of the certificate gets transferred via the stroke socket and the
>> charon daemon loads the certificate, vici transfers the certificate
>> itself either as a binary DER or a base64-encoded PEM blob. Thus
>> your management application has to load the certificate and transfer
>> it over the vici socket using davici.
>>
>> Regards
>>
>> Andreas
>>
>> On 04.08.2016 05:03, rajeev nohria wrote:
>> > Thanks Andreas,
>> >
>> > It worked, I know started to implement in Davici. I had PSK working in
>> > Davici. With certificates, I am having  following issue during
>> > parse_certs().
>> >
>> > 09[LIB]   file coded in unknown format, discarded
>> > 09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
>> >
>> >
>> >
>> > Corresponding code is for Davici is
>> > davici_list_start(r,"certs");
>> >
>> > davici_list_itemf(r,"%s","/usr/local/etc/swanctl/x509/hostCert.pem");
>> > davici_list_end(r);
>> >
>> >
>> > I have tried file name with and without path.
>> >
>> > certs = hostCert.pem worked in swanctl.conf as attached in previous
>> email.
>> >
>> >
>> > Do you know what could be issue here? Looks like software is not able to
>> > recognize the pem format but again it worked when using swanctl.conf
>> file.
>> >
>> > Thanks,
>> > Rajeev
>> >
>> >
>> > On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen
>> > <andreas.stef...@strongswan.org <mailto:andreas.stef...@strongswan.org
>> >>
>> > wrote:
>> >
>> > Hi,
>> >
>> > according to your log, the initiator and responder create their
>> > own Root CA certificate and store it locally in
>> > /usr/local/etc/swanctl/x509ca. Therefore it is not surprising
>> > that no trust into the received host certificate can be established
>> > because it has been signed with the private key of a different
>> > root CA (although the Distinguished Name of the issuer is the same).
>> >
>> > Fix: Generate only one private key and matching self-signed
>> > Root CA certificate. Use the private Root CA key to sign both
>> > initiator and responder host certificates and deploy the Root CA
>> > certificate on both hosts.
>> >
>> > Best regards
>> >
>> > Andreas
>> >
>> > On 01.08.2016 21:24, rajeev nohria wrote:
>> > >
>> > > I was able to establish IKE connection using PSK but when using
>> pubkey I
>> > > am not able to able to establish the IKE connection.
>> > >
>> > > When I issue sudo swanctl --initiate --child net
>> > >
>> > >
>> > > At receptor, it returns the Auth_failed.  Please see the
>> swanctl.conf,
>> > > strongswan.conf and charon.log.
>> > >
>> > > Aug  1 12:09:21 12[CFG] <rw|1> no issuer certificate found for
>> "C=US,
>> > > ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
>> > > Aug  1 12:09:21 12[IKE] <rw|1> no trusted RSA public key found for
>> > > '10.13.199.185'
>> > > Aug  1 12:09:21 12[IKE] <rw|1> peer supports MOBIKE
>> > > Aug  1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to
>> message
>> > > Aug  1 12:09:21 12[ENC] <rw|1> order payloads in message
>> > > Aug  1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to
>> message
>> > > Aug  1 12:09:21 12[ENC] <rw|1> generating IKE_AUTH response 1 [
>> > > N(AUTH_FAILED) ]
>> > >
>> > > I used following commands to create certificates.
>> > >
>> > > *Initiator:*
>> > > ---
>> > 

Re: [strongSwan] Strongswan 5.4 issue using certificates

2016-09-15 Thread rajeev nohria
Andreas,

For the loading of private RSA keys, do they have to be loaded like the
certificate?

Thanks,
Rajeev

On Thu, Aug 4, 2016 at 12:16 AM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:

> Hi Rajeev,
>
> different to the stroke protocol and ipsec.conf where the filename
> of the certificate gets transferred via the stroke socket and the
> charon daemon loads the certificate, vici transfers the certificate
> itself either as a binary DER or a base64-encoded PEM blob. Thus
> your management application has to load the certificate and transfer
> it over the vici socket using davici.
>
> Regards
>
> Andreas
>
> On 04.08.2016 05:03, rajeev nohria wrote:
> > Thanks Andreas,
> >
> > It worked, I know started to implement in Davici. I had PSK working in
> > Davici. With certificates, I am having  following issue during
> > parse_certs().
> >
> > 09[LIB]   file coded in unknown format, discarded
> > 09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
> >
> >
> >
> > Corresponding code is for Davici is
> > davici_list_start(r,"certs");
> >
> > davici_list_itemf(r,"%s","/usr/local/etc/swanctl/x509/hostCert.pem");
> > davici_list_end(r);
> >
> >
> > I have tried file name with and without path.
> >
> > certs = hostCert.pem worked in swanctl.conf as attached in previous
> email.
> >
> >
> > Do you know what could be issue here? Looks like software is not able to
> > recognize the pem format but again it worked when using swanctl.conf
> file.
> >
> > Thanks,
> > Rajeev
> >
> >
> > On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen
> > <andreas.stef...@strongswan.org <mailto:andreas.stef...@strongswan.org>>
> > wrote:
> >
> > Hi,
> >
> > according to your log, the initiator and responder create their
> > own Root CA certificate and store it locally in
> > /usr/local/etc/swanctl/x509ca. Therefore it is not surprising
> > that no trust into the received host certificate can be established
> > because it has been signed with the private key of a different
> > root CA (although the Distinguished Name of the issuer is the same).
> >
> > Fix: Generate only one private key and matching self-signed
> > Root CA certificate. Use the private Root CA key to sign both
> > initiator and responder host certificates and deploy the Root CA
> > certificate on both hosts.
> >
> > Best regards
> >
> > Andreas
> >
> > On 01.08.2016 21:24, rajeev nohria wrote:
> > >
> > > I was able to establish IKE connection using PSK but when using
> pubkey I
> > > am not able to able to establish the IKE connection.
> > >
> > > When I issue sudo swanctl --initiate --child net
> > >
> > >
> > > At receptor, it returns the Auth_failed.  Please see the
> swanctl.conf,
> > > strongswan.conf and charon.log.
> > >
> > > Aug  1 12:09:21 12[CFG] <rw|1> no issuer certificate found for
> "C=US,
> > > ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
> > > Aug  1 12:09:21 12[IKE] <rw|1> no trusted RSA public key found for
> > > '10.13.199.185'
> > > Aug  1 12:09:21 12[IKE] <rw|1> peer supports MOBIKE
> > > Aug  1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to
> message
> > > Aug  1 12:09:21 12[ENC] <rw|1> order payloads in message
> > > Aug  1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to
> message
> > > Aug  1 12:09:21 12[ENC] <rw|1> generating IKE_AUTH response 1 [
> > > N(AUTH_FAILED) ]
> > >
> > > I used following commands to create certificates.
> > >
> > > *Initiator:*
> > > ---
> > >
> > > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > > /usr/local/etc/swanctl/rsa/strongswanKey.pem
> > >
> > >
> > > sudo chmod 600  /usr/local/etc/swanctl/rsa/strongswanKey.pem
> > >
> > >
> > > sudo ipsec pki --self --ca --in
> > > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn
> "C=US,
> > > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> > > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> > >
> > >
> > > su

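Both davici fragments quoted in this archive, the load-shared request in the PSK-IKEv2-DAVICI message above and the load-cert call in the certificate threads, are serialized by davici into the VICI wire format before they reach charon, and Andreas's point that vici carries the certificate bytes rather than a filename is visible directly in that encoding. The following Python encoder and decoder is an added illustration written for this page; it is not part of davici, strongSwan or any message in these threads. It follows the packet and element layout described in strongSwan's vici README (4-byte length prefix, a type byte, 1-byte name lengths, 2-byte value lengths), and the message keys used for load-shared, load-cert and load-key are the ones that README documents. The secret, owner identity and certificate placeholder are constructed sample values.

```python
import struct

# VICI packet types and message element types as documented in strongSwan's
# src/libcharon/plugins/vici/README.md (the protocol davici speaks in C)
CMD_REQUEST, CMD_RESPONSE, CMD_UNKNOWN = 0, 1, 2
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = 1, 2, 3, 4, 5, 6

def _name(s):
    # element and command names carry a 1-byte length: at most 255 bytes
    b = s.encode()
    if len(b) > 0xFF:
        raise ValueError("name too long: %s" % s)
    return bytes([len(b)]) + b

def _value(v):
    # values carry a 2-byte big-endian length, so a PEM/DER blob is limited
    # to 64 KiB per element
    b = v.encode() if isinstance(v, str) else bytes(v)
    if len(b) > 0xFFFF:
        raise ValueError("value too long (%d bytes)" % len(b))
    return struct.pack("!H", len(b)) + b

def encode_message(msg):
    """dict values become sections, list values lists, the rest key/value pairs."""
    out = bytearray()
    for key, value in msg.items():
        if isinstance(value, dict):
            out += bytes([SECTION_START]) + _name(key) + encode_message(value) + bytes([SECTION_END])
        elif isinstance(value, list):
            out += bytes([LIST_START]) + _name(key)
            for item in value:
                out += bytes([LIST_ITEM]) + _value(item)
            out += bytes([LIST_END])
        else:
            out += bytes([KEY_VALUE]) + _name(key) + _value(value)
    return bytes(out)

def encode_request(command, msg):
    """CMD_REQUEST packet: 4-byte length prefix, type byte, command name, message."""
    body = bytes([CMD_REQUEST]) + _name(command) + encode_message(msg)
    return struct.pack("!I", len(body)) + body

def decode_message(data):
    """Inverse of encode_message; values come back as bytes."""
    stack, cur_list, i = [{}], None, 0
    while i < len(data):
        t, i = data[i], i + 1
        if t in (SECTION_START, LIST_START, KEY_VALUE):  # named elements
            n = data[i]
            name, i = data[i + 1:i + 1 + n].decode(), i + 1 + n
        if t == SECTION_START:
            stack[-1][name] = {}
            stack.append(stack[-1][name])
        elif t == SECTION_END:
            if len(stack) == 1:
                raise ValueError("unbalanced SECTION_END")
            stack.pop()
        elif t == LIST_START:
            cur_list = stack[-1][name] = []
        elif t == LIST_END:
            cur_list = None
        elif t in (KEY_VALUE, LIST_ITEM):
            (vl,) = struct.unpack_from("!H", data, i)
            val, i = data[i + 2:i + 2 + vl], i + 2 + vl
            if t == KEY_VALUE:
                stack[-1][name] = val
            else:
                cur_list.append(val)
        else:
            raise ValueError("unknown element type %d at offset %d" % (t, i - 1))
    return stack[0]

def decode_response(packet):
    """Check the length prefix and packet type of a daemon reply, return its message."""
    (length,) = struct.unpack_from("!I", packet, 0)
    body = packet[4:4 + length]
    if len(body) != length or not body:
        raise ValueError("truncated packet")
    if body[0] != CMD_RESPONSE:  # CMD_UNKNOWN means the daemon lacks the command
        raise ValueError("unexpected packet type %d" % body[0])
    return decode_message(body[1:])

def succeeded(response):
    # the load-* commands answer { success = yes|no, errmsg = ... }
    return response.get("success") == b"yes"

# Request builders mirroring the davici calls quoted in this archive.
def load_shared_request(secret, owners):
    # load-shared: type=ike, the secret itself, and the list of owner identities
    return encode_request("load-shared", {"type": "ike", "data": secret, "owners": list(owners)})

def load_cert_request(cert_blob):
    # load-cert carries the certificate bytes (PEM or DER), never a filename
    return encode_request("load-cert", {"type": "X509", "flag": "NONE", "data": cert_blob})

def load_key_request(key_blob):
    # load-key carries the private key bytes the same way
    return encode_request("load-key", {"type": "RSA", "data": key_blob})
```

A management application writes the bytes that load_shared_request() or load_cert_request() return to charon's vici socket (/var/run/charon.vici by default), reads one length-prefixed packet back and hands it to decode_response(); succeeded() then says whether charon accepted the credential, and errmsg carries the reason when it did not, which is the information a callback such as reqcb() in the davici snippet has to extract. Passing a filename string as the data value, as the quoted load-cert fragment does, produces a syntactically valid packet whose payload is not a certificate, which is why charon reports that the "file" is coded in an unknown format.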
Re: [strongSwan] Strongswan 5.4 issue using certificates

2016-08-03 Thread rajeev nohria
Thanks Andreas,

It worked. I have now started to implement it in Davici. I had PSK working in
Davici. With certificates, I am having the following issue during
parse_certs().

09[LIB]   file coded in unknown format, discarded
09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders



The corresponding Davici code is
davici_list_start(r,"certs");

davici_list_itemf(r,"%s","/usr/local/etc/swanctl/x509/hostCert.pem");
davici_list_end(r);


I have tried the file name with and without the path.

certs = hostCert.pem worked in swanctl.conf as attached in previous email.


Do you know what the issue could be here? It looks like the software is not able to
recognize the PEM format, but again it worked when using the swanctl.conf file.

Thanks,
Rajeev


On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:

> Hi,
>
> according to your log, the initiator and responder create their
> own Root CA certificate and store it locally in
> /usr/local/etc/swanctl/x509ca. Therefore it is not surprising
> that no trust into the received host certificate can be established
> because it has been signed with the private key of a different
> root CA (although the Distinguished Name of the issuer is the same).
>
> Fix: Generate only one private key and matching self-signed
> Root CA certificate. Use the private Root CA key to sign both
> initiator and responder host certificates and deploy the Root CA
> certificate on both hosts.
>
> Best regards
>
> Andreas
>
> On 01.08.2016 21:24, rajeev nohria wrote:
> >
> > I was able to establish IKE connection using PSK but when using pubkey I
> > am not able to establish the IKE connection.
> >
> > When I issue sudo swanctl --initiate --child net
> >
> >
> > At the receptor, it returns Auth_failed.  Please see the swanctl.conf,
> > strongswan.conf and charon.log.
> >
> > Aug  1 12:09:21 12[CFG] <rw|1> no issuer certificate found for "C=US,
> > ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
> > Aug  1 12:09:21 12[IKE] <rw|1> no trusted RSA public key found for
> > '10.13.199.185'
> > Aug  1 12:09:21 12[IKE] <rw|1> peer supports MOBIKE
> > Aug  1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
> > Aug  1 12:09:21 12[ENC] <rw|1> order payloads in message
> > Aug  1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
> > Aug  1 12:09:21 12[ENC] <rw|1> generating IKE_AUTH response 1 [
> > N(AUTH_FAILED) ]
> >
> > I used the following commands to create certificates.
> >
> > Initiator:
> > ---
> >
> > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> >
> > sudo chmod 600  /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> >
> > sudo ipsec pki --self --ca --in
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
> > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >
> >
> > sudo ipsec pki --print --in
> /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >
> >
> > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > /usr/local/etc/swanctl/rsa/hostKey.pem
> >
> >
> > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
> >
> >
> >
> > sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type
> > rsa | ipsec pki --issue --digest sha256 --cacert
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA,
> > L=Lowell, O=Arris, CN=10.13.199.185" --san 10.13.199.185  pem >
> > /usr/local/etc/swanctl/x509/hostCert.pem
> >
> >
> > Receptor:
> > --
> >
> > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> > sudo chmod 600  /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> > sudo ipsec pki --self --ca --in
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
> > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >
> > sudo ipsec pki --print --in
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >
> > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> >

[strongSwan] Using davici API

2016-07-06 Thread rajeev nohria
I have a very simple config file and am trying to implement the same with the
DAVICI APIs. Please find the attached files for the config and its
implementation. Not sure what is wrong; any insight would help me. The
tester.c file is also compiled with cmd.c.


Thanks,
Rajeev
/*
 * Copyright (C) 2015 CloudGuard Software AG
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 */

#include "tester.h"

#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

static char huge[4096];

/* Daemon side of the davici test harness: read the "load-conns" request
 * from the socket and echo its body back unchanged as the response. */
static void echocb(struct tester *t, int fd)
{
	char buf[sizeof(huge) * 2];
	uint32_t len;

	len = tester_read_cmdreq(fd, "load-conns");
	assert(len < sizeof(buf));
	assert(read(fd, buf, len) == len);
	tester_write_cmdres(fd, buf, len);
}

/* Completion callback for a queued request: err < 0 reports a transport or
 * protocol failure, res is the parsed response message. */
static void reqcb(struct davici_conn *c, int err, const char *name,
				  struct davici_response *res, void *user)
{
	struct tester *t = user;

	assert(err >= 0);
	assert(davici_get_level(res) == 0);

	tester_complete(t);
}

/* Connect to the harness socket, queue one request and run the I/O loop
 * until reqcb() marks it complete. Each request gets its own connection,
 * since echocb() answers a single request per accepted connection. */
static void run_request(struct tester *t, struct davici_request *r)
{
	struct davici_conn *c;
	int err;

	assert(davici_connect_unix(tester_getpath(t),
							   tester_davici_iocb, t, &c) >= 0);
	err = davici_queue(c, r, reqcb, t);
	printf(" Err is %d \n", err);
	assert(err >= 0);
	tester_runio(t, c);
	davici_disconnect(c);
}

int main(int argc, char *argv[])
{
	struct tester *t;
	struct davici_request *r;

	t = tester_create(echocb);

	/* load-conns: the connection "home" from swanctl.conf; every
	 * davici_section_start() below is paired with a davici_section_end() */
	assert(davici_new_cmd("load-conns", &r) >= 0);
	davici_section_start(r, "home");
	davici_kvf(r, "version", "%s", "2");
	davici_kvf(r, "local_addrs", "%s", "10.13.199.185");
	davici_kvf(r, "remote_addrs", "%s", "10.13.199.130");
	davici_kvf(r, "local_port", "%s", "500");
	davici_kvf(r, "remote_port", "%s", "500");
	davici_kvf(r, "proposals", "%s", "aes128-sha256-ecp256");

	/* auth = psk needs no certificate; a certs list would have to carry the
	 * certificate data itself, not a file name such as "peerCert.der" */
	davici_section_start(r, "local");
	davici_kvf(r, "auth", "%s", "psk");
	davici_kvf(r, "id", "%s", "10.13.199.185");
	davici_section_end(r); /* local */

	davici_section_start(r, "remote");
	davici_kvf(r, "id", "%s", "10.13.199.130");
	davici_kvf(r, "auth", "%s", "psk");
	davici_section_end(r); /* remote */

	davici_section_start(r, "children");
	davici_section_start(r, "home");
	davici_kvf(r, "esp_proposals", "%s", "aes128-sha256-ecp256");
	davici_kvf(r, "remote_ts", "%s", "dynamic");
	davici_kvf(r, "mode", "%s", "transport");
	davici_section_end(r); /* child "home" */
	davici_section_end(r); /* children */
	davici_section_end(r); /* connection "home" */
	run_request(t, r);

	/* load-shared: the PSK from the swanctl.conf secrets section goes through
	 * its own VICI command, owned by the initiator identity */
	assert(davici_new_cmd("load-shared", &r) >= 0);
	davici_kvf(r, "type", "%s", "ike");
	davici_kvf(r, "data", "%s", "0sFpZAZqEN6Ti9sqt4ZP5EWcqx");
	davici_list_start(r, "owners");
	davici_list_itemf(r, "%s", "10.13.199.185");
	davici_list_end(r);
	run_request(t, r);

	/* initiate: bring up the child SA "home" */
	assert(davici_new_cmd("initiate", &r) >= 0);
	davici_kvf(r, "child", "%s", "home");
	run_request(t, r);

	tester_cleanup(t);

	return 0;
}


swanctl.conf
Description: Binary data
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
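Added example, not code from the posts above or from the davici project: the VICI wire format that davici's davici_section_start(), davici_kvf() and davici_list_*() calls produce, encoded by hand so the two things that go wrong in the certificate thread and in this post can be checked offline. First, every section and list that is opened must be closed before the request is queued; second, the "certs" list must carry the bytes of the certificate file rather than its file name (swanctl reads the file named in swanctl.conf and sends its contents, which is why the same name works there but is rejected by parse_certs() when passed through davici). Element types and length prefixes follow the vici README linked in the thread; all vici_* helpers are this example's own names, not davici's API; the addresses and connection names are the ones from the posts; SAMPLE_PEM is a constructed placeholder, not a real certificate; and start_action = trap in the child section is the VICI/swanctl counterpart of the auto=route that the later "trap not found" thread asks about.

```c
/* Added example, not code from the posts or the davici project: a minimal
 * encoder for the VICI message format that davici builds for charon, plus a
 * check of what went on the wire. SAMPLE_PEM is a constructed placeholder. */
#include <stdint.h>
#include <string.h>

/* element types and length prefixes as in the vici README */
enum { SECTION_START = 1, SECTION_END = 2, KEY_VALUE = 3,
       LIST_START = 4, LIST_ITEM = 5, LIST_END = 6 };

struct vici_msg { uint8_t buf[8192]; size_t len; int depth, err; }; /* depth: open sections/lists */

static void put(struct vici_msg *m, const void *p, size_t n)
{
	if (m->len + n > sizeof(m->buf)) { m->err = 1; return; }
	memcpy(m->buf + m->len, p, n);
	m->len += n;
}

/* names carry a 1-byte length prefix, values a 2-byte big-endian one */
static void put_name(struct vici_msg *m, const char *name)
{
	uint8_t l = (uint8_t)strlen(name);
	if (strlen(name) > 255) { m->err = 1; return; }
	put(m, &l, 1);
	put(m, name, l);
}

static void put_value(struct vici_msg *m, const void *v, size_t n)
{
	uint8_t l[2] = { (uint8_t)(n >> 8), (uint8_t)n };
	if (n > 0xffff) { m->err = 1; return; }
	put(m, l, 2);
	put(m, v, n);
}

#define PUT_TYPE(m, t) put((m), &(uint8_t){ (t) }, 1)
void vici_section_start(struct vici_msg *m, const char *n) { PUT_TYPE(m, SECTION_START); put_name(m, n); m->depth++; }
void vici_section_end(struct vici_msg *m) { PUT_TYPE(m, SECTION_END); m->depth--; }
void vici_list_start(struct vici_msg *m, const char *n) { PUT_TYPE(m, LIST_START); put_name(m, n); m->depth++; }
void vici_list_end(struct vici_msg *m) { PUT_TYPE(m, LIST_END); m->depth--; }
void vici_list_item(struct vici_msg *m, const void *v, size_t n) { PUT_TYPE(m, LIST_ITEM); put_value(m, v, n); }
void vici_kv(struct vici_msg *m, const char *k, const char *v) { PUT_TYPE(m, KEY_VALUE); put_name(m, k); put_value(m, v, strlen(v)); }

/* encoded length, or -1 if the buffer overflowed or a section/list is still open */
long vici_finish(const struct vici_msg *m) { return (m->err || m->depth) ? -1 : (long)m->len; }

/* load-conn request for the thread's pubkey connection. cert/cert_len are the
 * bytes of the host certificate file, read by the caller: VICI wants the
 * certificate itself in "certs" (swanctl is what turns the file name in
 * swanctl.conf into these bytes). start_action = trap mirrors auto=route. */
long build_load_conn(struct vici_msg *m, const void *cert, size_t cert_len)
{
	memset(m, 0, sizeof(*m));
	vici_section_start(m, "home");
	vici_kv(m, "remote_addrs", "10.13.199.130");
	vici_section_start(m, "local");
	vici_kv(m, "auth", "pubkey");
	vici_kv(m, "id", "10.13.199.185");
	vici_list_start(m, "certs");
	vici_list_item(m, cert, cert_len);
	vici_list_end(m);
	vici_section_end(m);                      /* local */
	vici_section_start(m, "remote");
	vici_kv(m, "auth", "pubkey");
	vici_kv(m, "id", "10.13.199.130");
	vici_section_end(m);                      /* remote */
	vici_section_start(m, "children");
	vici_section_start(m, "home");
	vici_kv(m, "start_action", "trap");
	vici_section_end(m);                      /* child "home" */
	vici_section_end(m);                      /* children */
	vici_section_end(m);                      /* connection "home" */
	return vici_finish(m);
}

/* find LIST_START "certs" followed by a LIST_ITEM whose payload equals cert */
static int certs_item_matches(const struct vici_msg *m, const void *cert, size_t n)
{
	const uint8_t hdr[] = { LIST_START, 5, 'c', 'e', 'r', 't', 's', LIST_ITEM, (uint8_t)(n >> 8), (uint8_t)n };
	size_t i;
	for (i = 0; i + sizeof(hdr) + n <= m->len; i++)
		if (!memcmp(m->buf + i, hdr, sizeof(hdr)) &&
		    !memcmp(m->buf + i + sizeof(hdr), cert, n)) return 1;
	return 0;
}

static const char SAMPLE_PEM[] =  /* constructed placeholder, not a real cert */
	"-----BEGIN CERTIFICATE-----\nMIIBplaceholder==\n-----END CERTIFICATE-----\n";

/* 1 when the request is balanced and "certs" carries the PEM bytes unchanged */
int demo_certs_on_wire(void)
{
	struct vici_msg m;
	return build_load_conn(&m, SAMPLE_PEM, sizeof(SAMPLE_PEM) - 1) > 0 &&
	       certs_item_matches(&m, SAMPLE_PEM, sizeof(SAMPLE_PEM) - 1);
}

/* 1 when a request that leaves a section open is rejected by vici_finish() */
int demo_unbalanced_rejected(void)
{
	struct vici_msg m = { 0 }; vici_section_start(&m, "home");
	return vici_finish(&m) < 0;
}
```

Read hostCert.pem into memory and hand its bytes to build_load_conn(); with davici the same list is davici_list_start(r, "certs") followed by davici_list_item(r, cert, cert_len), where davici_list_item is assumed here to be the raw-buffer counterpart of the davici_list_itemf() used in the certificate thread.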

Re: [strongSwan] trap not found, unable to acquire reqid

2016-06-13 Thread rajeev nohria
Noel,
I was able to install the policy using swanctl --install, and a packet from
the data plane was able to trigger the SAs.
Thanks for your help.

Rajeev


On Mon, Jun 13, 2016 at 1:24 PM, rajeev nohria <rajnoh...@gmail.com> wrote:

> Noel,
> I am using Strongswan 5.4 with swanctl.conf and strongswan.conf.  There is
> no option for auto=route. Is there anything equivalent?
> Thanks,
> Rajeev
>
> On Mon, Jun 6, 2016 at 10:15 AM, Noel Kuntze <n...@familie-kuntze.de>
> wrote:
>
>> On 06.06.2016 14:28, rajeev nohria wrote:
>> >
>> > IKEv2 should be able to create SA when there are only policies
>> installed and a packet matches with the policy. That was reason I was
>> expecting for above ping to work. If that is not the case what is the use
>> of ACQUIRE message? Let me know if I am missing something here.
>>
>> Charon can only initiate an SA to a remote host, if it has a
>> configuration for that host. Because you installed the policies yourself,
>> charon does not have a configuration.
>>
>> You have to configure it correctly and use auto=route. Do not install
>> policies yourself. As you found out, it does not work if you do that.
>>
>> --
>>
>> Mit freundlichen Grüßen/Kind Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>>
>>
>

Re: [strongSwan] trap not found, unable to acquire reqid

2016-06-13 Thread rajeev nohria
Noel,
I am using Strongswan 5.4 with swanctl.conf and strongswan.conf.  There is
no option for auto=route. Is there anything equivalent?
Thanks,
Rajeev

On Mon, Jun 6, 2016 at 10:15 AM, Noel Kuntze <n...@familie-kuntze.de> wrote:

> On 06.06.2016 14:28, rajeev nohria wrote:
> >
> > IKEv2 should be able to create SA when there are only policies installed
> and a packet matches with the policy. That was reason I was expecting for
> above ping to work. If that is not the case what is the use of ACQUIRE
> message? Let me know if I am missing something here.
>
> Charon can only initiate an SA to a remote host, if it has a configuration
> for that host. Because you installed the policies yourself, charon does not
> have a configuration.
>
> You have to configure it correctly and use auto=route. Do not install
> policies yourself. As you found out, it does not work if you do that.
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>
>

Re: [strongSwan] Strongswan[5.4.0] unix:///var/run/charon.vici

2016-06-13 Thread rajeev nohria
Hi Andreas,

We are planning to use davici library for the establishment of dynamic
IKEv2 connection using Strongswan’s IKE client.  Are there any licensing
implications of using davici library?   Please confirm/clarify.


Thanks,

Rajeev

On Wed, May 11, 2016 at 9:18 AM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:

> Hi Rajeev,
>
> there seems something wrong with your user certificate.
>
> You can configure the charon daemon dynamically using the
> VICI interface. There are VICI bindings for the Perl, Ruby
> and Python script languages which can be used by your
> IPsec management application to communicate with the
> charon daemon. For details have a look at
>
>
> https://github.com/strongswan/strongswan/blob/master/src/libcharon/plugins/vici/README.md
>
> If you intend to write your management application in C or C++
> then consider the DAVICI library:
>
> https://github.com/strongswan/davici/blob/master/README.md
>
> Regards
>
> Andreas
>
> On 11.05.2016 13:50, rajeev nohria wrote:
> > Andreas,
> >
> > I appreciate you helping me out.  Now I am making progress with Charon
> > running; not sure why it was stopping before.  I am getting the following
> > error now; I am going over my config files. Hopefully I will find the
> > issue.
> >
> > rnohria@ubuntu:~$ sudo swanctl --load-conns
> > 06[LIB] OpenSSL X.509 parsing failed
> > 06[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
> > loading connection 'rw' failed: invalid value for: certs, config
> discarded
> > loaded 0 of 1 connections, 1 failed to load, 0 unloaded
> >
> >
> > Question:
> >
> > Can I use Strongswan to make connections dynamically, not via a config
> > file? For a config file we need to know the information beforehand. If I
> > don't know all the information beforehand, like the local and remote IP
> > addresses, is there any interface in Strongswan to support dynamic
> > connections?
> >
> > Thanks,
> > Rajeev
> >
> >
> >
> >
> >
> > On Wed, May 11, 2016 at 4:41 AM, Andreas Steffen
> > <andreas.stef...@strongswan.org <mailto:andreas.stef...@strongswan.org>>
> > wrote:
> >
> > Hi Rajeev,
> >
> > try running charon in the foreground:
> >
> >sudo /usr/local/libexec/ipsec/charon
> >
> > and check for error messages in the console window.
> >
> > Cheers Andreas
> >
> > On 11.05.2016 11:53, rajeev nohria wrote:
> >
> > Andreas,
> >
> > It seems like the Charon daemon is not running. When I run the charon
> > command, it immediately stops. Where can I find the charon log to see
> > if there is any issue?
> >
> > rnohria@ubuntu:~$ sudo /usr/local/libexec/ipsec/charon&
> > [1] 7272
> > rnohria@ubuntu:~$
> >
> > [1]+  Stopped sudo
> /usr/local/libexec/ipsec/charon
> >
> > Thanks,
> > Rajeev
> >
> >
> > On Wed, May 11, 2016 at 2:55 AM, Andreas Steffen
> > <andreas.stef...@strongswan.org
> > <mailto:andreas.stef...@strongswan.org>
> > <mailto:andreas.stef...@strongswan.org
> > <mailto:andreas.stef...@strongswan.org>>>
> > wrote:
> >
> > Hi Rajeev,
> >
> > can you check in the charon log if the vici plugin has been
> > loaded?
> > And do you see the charon daemon running in the process
> status
> > (ps aux | grep charon)?
> >
> > Regards
> >
> > Andreas
> >
> > On 05/11/2016 04:04 AM, rajeev nohria wrote:
> > > Thanks Andreas,
> > >
> > > I ran the charon and also copied the charon script file to
> > /etc/init.d.
> > > Now when I run sudo swanctl --load-conn, I still get the
> > same issue.
> > > connecting to 'unix:///var/run/charon.vici' failed: No
> > such file or
> > > directory
> > > Error: connecting to 'default' URI failed: No such file or
> > directory
> > > strongSwan 5.4.0 swanctl
> > > usage:
> > >   swanctl --load-conns [--raw|--pretty]
> > >--help(-h)  show usage information
> > >--raw (-r)  du

Re: [strongSwan] trap not found, unable to acquire reqid

2016-06-06 Thread rajeev nohria
Noel,

IKEv2 should be able to create an SA when only policies are installed and a
packet matches the policy. That was the reason I was expecting the above ping
to work. If that is not the case, what is the use of the ACQUIRE message? Let
me know if I am missing something here.

Regards,
Rajeev

On Thu, Jun 2, 2016 at 1:34 PM, Noel Kuntze <n...@familie-kuntze.de> wrote:

> Keep it on the mailing lists.
> Then don't use a keying daemon. The only things a keying daemon does is
> install SAs, SPs and routes.
> If you don't want charon to do any of those things, don't use it.
>
> And there's still the VICI API to charon that you can use to dynamically
> load and unload any configuration.
>
> On 02.06.2016 19:26, rajeev nohria wrote:
> > Noel,
> >
> > We are planning to install SA and policies dynamically. We don't want to
> use the swanctl.conf for configuration using Strongswan 5.4.
> >
> > Thanks,
> > Rajeev
> >
> > On Thu, Jun 2, 2016 at 12:12 PM, Noel Kuntze <n...@familie-kuntze.de
> <mailto:n...@familie-kuntze.de>> wrote:
> >
> >     That's because you installed the policies by yourself. Don't do that.
> >
> > On 02.06.2016 17:25, rajeev nohria wrote:
> > > I added manual entries for  policy using "ip xfrm policy"  both at
> receptor and initiator. Both are host and IP address of 10.13.199.185 and
> 10.13.199.130.
> > >
> > > Initiator:
> > >
> > > sudo ip xfrm policy add src 10.13.199.185 dst 10.13.199.130 dir
> out tmpl src 10.13.199.185 dst 10.13.199.130 proto esp reqid 16386 mode
> transport
> > >
> > > sudo ip xfrm policy add src 10.13.199.130 dst 10.13.199.185 dir in
> tmpl src 10.13.199.130 dst 10.13.199.185 proto esp reqid 16386 mode
> transport
> > >
> > >
> > >
> > >
> > >
> > > Receptor:
> > >
> > >  sudo ip xfrm policy add src 10.13.199.130 dst 10.13.199.185 dir
> out tmpl src 10.13.199.130 dst 10.13.199.185 proto esp reqid 16386 mode
> transport
> > >
> > > sudo ip xfrm policy add src 10.13.199.185 dst 10.13.199.130 dir in
> tmpl src 10.13.199.185 dst 10.13.199.130 proto esp reqid 16386 mode
> transport
> > >
> > >
> > >
> > >
> > > when I try to ping, I get following error. I expect it to create
> dynamic SA and ping to be successful.
> > >
> > > Jun  2 08:03:52 05[KNL] received a XFRM_MSG_ACQUIRE
> > > Jun  2 08:03:52 05[KNL]   XFRMA_TMPL
> > > Jun  2 08:03:52 05[KNL] creating acquire job for policy
> 10.13.199.185/32[udp/48785] <http://10.13.199.185/32[udp/48785]> <
> http://10.13.199.185/32[udp/48785]> === 10.13.199.130/32[udp/1025] <
> http://10.13.199.130/32[udp/1025]> <http://10.13.199.130/32[udp/1025]>
> with reqid {16386}
> > > Jun  2 08:03:52 07[CFG] trap not found, unable to acquire reqid
> 16386
> > >
> > >
> > > Thanks,
> > > Raj
> > >
> >
> >
> > --
> >
> > Mit freundlichen Grüßen/Kind Regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> >
> >
>
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>
>

[strongSwan] DAVICI example

2016-06-03 Thread rajeev nohria
Does anyone have an example of DAVICI code and is willing to share it?
Rajeev

[strongSwan] trap not found, unable to acquire reqid

2016-06-02 Thread rajeev nohria
I added manual policy entries using "ip xfrm policy" at both the receptor
and the initiator. Both are hosts, with IP addresses 10.13.199.185 and
10.13.199.130.

Initiator:

sudo ip xfrm policy add src 10.13.199.185 dst 10.13.199.130 dir out tmpl
src 10.13.199.185 dst 10.13.199.130 proto esp reqid 16386 mode transport

sudo ip xfrm policy add src 10.13.199.130 dst 10.13.199.185 dir in tmpl src
10.13.199.130 dst 10.13.199.185 proto esp reqid 16386 mode transport





Receptor:

 sudo ip xfrm policy add src 10.13.199.130 dst 10.13.199.185 dir out tmpl
src 10.13.199.130 dst 10.13.199.185 proto esp reqid 16386 mode transport

sudo ip xfrm policy add src 10.13.199.185 dst 10.13.199.130 dir in tmpl src
10.13.199.185 dst 10.13.199.130 proto esp reqid 16386 mode transport



When I try to ping, I get the following error. I expect it to create a dynamic
SA and the ping to be successful.

Jun  2 08:03:52 05[KNL] received a XFRM_MSG_ACQUIRE
Jun  2 08:03:52 05[KNL]   XFRMA_TMPL
Jun  2 08:03:52 05[KNL] creating acquire job for policy
10.13.199.185/32[udp/48785] === 10.13.199.130/32[udp/1025] with reqid
{16386}
Jun  2 08:03:52 07[CFG] trap not found, unable to acquire reqid 16386


Thanks,
Raj

[strongSwan] strongSwan [ no trusted RSA public key found for '10.13.199.185']

2016-05-20 Thread rajeev nohria
I am testing between two Ubuntu machines. We are using Strongswan 5.4.0, with
the certificates and keys in swanctl/x509, swanctl/x509ca and swanctl/rsa.

I could not figure out how to resolve this. I am creating certificates using
ipsec pki following the example on the strongSwan website. Is there anything
obvious I am missing? Any help with this is appreciated.


06[CFG] no issuer certificate found for "C=US, O=ARRIS, CN=peer"
06[IKE] no trusted RSA public key found for '10.13.199.185'




Initiator receives
--
11[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
11[IKE] received AUTHENTICATION_FAILED notify error


Receptor
-
rnohria@ubuntu:/$ sudo /usr/local/libexec/ipsec/charon
[sudo] password for rnohria:
00[DMN] Starting IKE charon daemon (strongSwan 5.4.0, Linux
3.16.0-30-generic, x86_64)
00[LIB] loaded plugins: charon pem pkcs1 x509 revocation constraints pubkey
openssl random nonce kernel-netlink socket-default updown vici
00[JOB] spawning 16 worker threads
08[CFG] added vici connection: rw
11[CFG] loaded certificate 'C=US, O=ARRIS, CN=peer'
06[CFG] loaded certificate 'C=US, O=ARRIS, CN=RPD'
15[CFG] loaded RSA private key
09[NET] received packet: from 10.13.199.185[500] to 10.13.199.130[500] (264
bytes)
09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(HASH_ALG) N(REDIR_SUP) ]
09[IKE] 10.13.199.185 is initiating an IKE_SA
09[IKE] sending cert request for "C=US, O=ARRIS, CN=RPD"
09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
09[NET] sending packet: from 10.13.199.130[500] to 10.13.199.185[500] (289
bytes)
06[NET] received packet: from 10.13.199.185[4500] to 10.13.199.130[4500]
(1328 bytes)
06[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(USE_TRANSP)
SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
06[IKE] received 1 cert requests for an unknown ca
06[IKE] received end entity cert "C=US, O=ARRIS, CN=peer"
06[CFG] looking for peer configs matching
10.13.199.130[10.13.199.130]...10.13.199.185[10.13.199.185]
06[CFG] selected peer config 'rw'
06[CFG]   using certificate "C=US, O=ARRIS, CN=peer"
06[CFG] no issuer certificate found for "C=US, O=ARRIS, CN=peer"
06[IKE] no trusted RSA public key found for '10.13.199.185'
06[IKE] peer supports MOBIKE
06[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
06[NET] sending packet: from 10.13.199.130[4500] to 10.13.199.185[4500] (80
bytes)

Re: [strongSwan] Strongswan[5.4.0] unix:///var/run/charon.vici

2016-05-16 Thread rajeev nohria
Andreas,

Strongswan 5.4.0
swanctl.conf



When I tried to initiate the connection (swanctl --initiate --child net), I
get the following error: "no trusted RSA public key found".

I did make peerKey.der based on the following link and copied it to the
/etc/swanctl/rsa directory.
https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA




07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(HASH_ALG) N(REDIR_SUP) ]
07[IKE] 10.13.199.185 is initiating an IKE_SA
07[IKE] sending cert request for "C=US, O=ARRIS, CN=RPD"
07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
07[NET] sending packet: from 10.13.199.130[500] to 10.13.199.185[500] (289
bytes)
09[NET] received packet: from 10.13.199.185[4500] to 10.13.199.130[4500]
(1312 bytes)
09[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(USE_TRANSP) SA
TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
09[IKE] received 1 cert requests for an unknown ca
09[IKE] received end entity cert "C=US, O=ARRIS, CN=RPD"
09[CFG] looking for peer configs matching
10.13.199.130[%any]...10.13.199.185[rnoh...@arris.com]
09[CFG] selected peer config 'rw'
09[IKE] no trusted RSA public key found for 'rnoh...@arris.com'
09[IKE] peer supports MOBIKE
09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
09[NET] sending packet: from 10.13.199.130[4500] to 10.13.199.185[4500] (80
bytes)


 Thanks,
Rajeev

On Wed, May 11, 2016 at 9:18 AM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:

> Hi Rajeev,
>
> there seems something wrong with your user certificate.
>
> You can configure the charon daemon dynamically using the
> VICI interface. There are VICI bindings for the Perl, Ruby
> and Python script languages which can be used by your
> IPsec management application to communicate with the
> charon daemon. For details have a look at
>
>
> https://github.com/strongswan/strongswan/blob/master/src/libcharon/plugins/vici/README.md
>
> If you intend to write your management application in C or C++
> then consider the DAVICI library:
>
> https://github.com/strongswan/davici/blob/master/README.md
>
> Regards
>
> Andreas
>
> On 11.05.2016 13:50, rajeev nohria wrote:
> > Andreas,
> >
> > I appreciate you helping me out.  Now I am making progress with Charon
> > running; not sure why it was stopping before.  I am getting the following
> > error now; I am going over my config files. Hopefully I will find the
> > issue.
> >
> > rnohria@ubuntu:~$ sudo swanctl --load-conns
> > 06[LIB] OpenSSL X.509 parsing failed
> > 06[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
> > loading connection 'rw' failed: invalid value for: certs, config
> discarded
> > loaded 0 of 1 connections, 1 failed to load, 0 unloaded
> >
> >
> > Question:
> >
> > Can I use Strongswan to make connections dynamically, not via a config
> > file? For a config file we need to know the information beforehand. If I
> > don't know all the information beforehand, like the local and remote IP
> > addresses, is there any interface in Strongswan to support dynamic
> > connections?
> >
> > Thanks,
> > Rajeev
> >
> >
> >
> >
> >
> > On Wed, May 11, 2016 at 4:41 AM, Andreas Steffen
> > <andreas.stef...@strongswan.org <mailto:andreas.stef...@strongswan.org>>
> > wrote:
> >
> > Hi Rajeev,
> >
> > try running charon in the foreground:
> >
> >sudo /usr/local/libexec/ipsec/charon
> >
> > and check for error messages in the console window.
> >
> > Cheers Andreas
> >
> > On 11.05.2016 11:53, rajeev nohria wrote:
> >
> > Andreas,
> >
> > It seems like the Charon daemon is not running. When I run the charon
> > command, it immediately stops. Where can I find the charon log to see
> > if there is any issue?
> >
> > rnohria@ubuntu:~$ sudo /usr/local/libexec/ipsec/charon&
> > [1] 7272
> > rnohria@ubuntu:~$
> >
> > [1]+  Stopped sudo
> /usr/local/libexec/ipsec/charon
> >
> > Thanks,
> > Rajeev
> >
> >
> > On Wed, May 11, 2016 at 2:55 AM, Andreas Steffen
> > <andreas.stef...@strongswan.org
> > <mailto:andreas.stef...@strongswan.org>
> > <mailto:andreas.stef...@strongswan.org
> > <mailto:andreas.stef...@strongswan.org>>>
> > wrote:
> >
> > Hi Rajeev,
> >
> >   

Re: [strongSwan] Strongswan[5.4.0] unix:///var/run/charon.vici

2016-05-12 Thread rajeev nohria
Andreas,

I can ping6 fe80::20c:29ff:fe9d:7d88, and when I tried to establish an IPsec
connection using charon-cmd, I get the following error. Do I need to set up
anything for the following to work?

ubuntu:/var/log$ sudo charon-cmd --host fe80::20c:29ff:fe9d:7d88 --identity
fe80::20c:29ff:fe32:ba9c
00[DMN] Starting charon-cmd IKE client (strongSwan 5.4.0, Linux
3.16.0-30-generic, x86_64)
00[LIB] loaded plugins: charon-cmd pkcs11 aes des rc2 sha2 sha1 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 sshkey
pem openssl fips-prf gmp xcbc cmac hmac kernel-netlink resolve
socket-default xauth-generic
00[JOB] spawning 16 worker threads
06[IKE] unable to resolve fe80::20c:29ff:fe9d:7d88, initiate aborted
06[MGR] tried to checkin and delete nonexisting IKE_SA
ubuntu:/var/log$


Thanks,
Rajeev

On Tue, May 10, 2016 at 3:59 AM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:

> Hi Rajeev,
>
> is the charon daemon running? If not, either start charon manually:
>
>   sudo /usr/local/libexec/ipsec/charon &
>
> or if your Linux distribution still uses upstart, copy the
> following script to /etc/init.d/
>
>
>
> https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/testing/hosts/default/etc/init.d/charon
>
> and start the charon daemon in the appropriate runlevels.
>
> If your Linux distribution uses systemd instead, compile and
> install strongSwan with
>
>./config --enable-systemd
>
> and enable and start the strongswan-swanctl service.
>
> BTW - in order to use the vici socket you must be root. Thus
>
>   sudo swanctl --load-conn
>
> Best regards
>
> Andreas
>
>
> On 09.05.2016 16:34, rajeev nohria wrote:
>
>> I am a new user of Strongswan and running 5.4.0. After creating
>> certificates and configuring two Ubuntu m/c with Strongswan 5.4.0, I try
>> to create a connection as follows and get an error. Please advise how to
>> resolve the following issue.
>>
>> $swanctl --load-conn
>> connecting to 'unix:///var/run/charon.vici' failed: No such file or
>> directory
>> Error: connecting to 'default' URI failed: No such file or directory
>> strongSwan 5.4.0 swanctl
>> usage:
>>
>>
>> Thanks,
>> Rajeev
>>
>>
>> ___
>> Users mailing list
>> Users@lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>>
> --
> ==
> Andreas Steffen andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution!  www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[ITA-HSR]==
>
>

Re: [strongSwan] Strongswan[5.4.0] unix:///var/run/charon.vici

2016-05-11 Thread rajeev nohria
Andreas,

I appreciate you helping me out.  Now I am making progress with Charon running;
not sure why it was stopping before.  I am getting the following error now; I
am going over my config files. Hopefully I will find the issue.

rnohria@ubuntu:~$ sudo swanctl --load-conns
06[LIB] OpenSSL X.509 parsing failed
06[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
loading connection 'rw' failed: invalid value for: certs, config discarded
loaded 0 of 1 connections, 1 failed to load, 0 unloaded


Question:

Can I use Strongswan to make connections dynamically, not via a config file?
For a config file we need to know the information beforehand. If I don't know
all the information beforehand, like the local and remote IP addresses, is
there any interface in Strongswan to support dynamic connections?

Thanks,
Rajeev





On Wed, May 11, 2016 at 4:41 AM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:

> Hi Rajeev,
>
> try running charon in the foreground:
>
>sudo /usr/local/libexec/ipsec/charon
>
> and check for error messages in the console window.
>
> Cheers Andreas
>
> On 11.05.2016 11:53, rajeev nohria wrote:
>
>> Andreas,
>>
>> It seems like the Charon daemon is not running. When I run the charon
>> command, it immediately stops. Where can I find the charon log to see
>> if there is any issue?
>>
>> rnohria@ubuntu:~$ sudo /usr/local/libexec/ipsec/charon&
>> [1] 7272
>> rnohria@ubuntu:~$
>>
>> [1]+  Stopped sudo /usr/local/libexec/ipsec/charon
>>
>> Thanks,
>> Rajeev
>>
>>
>> On Wed, May 11, 2016 at 2:55 AM, Andreas Steffen
>> <andreas.stef...@strongswan.org <mailto:andreas.stef...@strongswan.org>>
>> wrote:
>>
>> Hi Rajeev,
>>
>> can you check in the charon log if the vici plugin has been loaded?
>> And do you see the charon daemon running in the process status
>> (ps aux | grep charon)?
>>
>> Regards
>>
>> Andreas
>>
>> On 05/11/2016 04:04 AM, rajeev nohria wrote:
>> > Thanks Andreas,
>> >
>> > I ran the charon and also copied the charon script file to
>> /etc/init.d.
>> > Now when I run sudo swanctl --load-conn, I still get the same issue.
>> > connecting to 'unix:///var/run/charon.vici' failed: No such file or
>> > directory
>> > Error: connecting to 'default' URI failed: No such file or directory
>> > strongSwan 5.4.0 swanctl
>> > usage:
>> >   swanctl --load-conns [--raw|--pretty]
>> >--help(-h)  show usage information
>> >--raw (-r)  dump raw response message
>> >--pretty  (-P)  dump raw response message in
>> pretty print
>> >--debug   (-v)  set debug level, default: 1
>> >--options (-+)  read command line options from
>> file
>> >--uri (-u)  service URI to connect to
>> >
>> >
>> > Am I missing any other step?
>> >
>> > Thanks,
>> > Rajeev
>> >
>> > On Tue, May 10, 2016 at 3:59 AM, Andreas Steffen
>>  > <andreas.stef...@strongswan.org
>> <mailto:andreas.stef...@strongswan.org>
>> <mailto:andreas.stef...@strongswan.org
>>
>> <mailto:andreas.stef...@strongswan.org>>>
>>  > wrote:
>>  >
>>  > Hi Rajeev,
>>  >
>>  > is the charon daemon running? If not, either start charon
>> manually:
>>  >
>>  >   sudo /usr/local/libexec/ipsec/charon &
>>  >
>>  > or if your Linux distribution still uses upstart, copy the
>>  > following script to /etc/init.d/
>>  >
>>  >
>>  >
>>
>> https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/testing/hosts/default/etc/init.d/charon
>>  >
>>  > and start the charon daemon in the appropriate runlevels.
>>  >
>>  > If your Linux distribution uses systemd instead, compile and
>>  > install strongSwan with
>>  >
>>  >./config --enable-systemd
>>  >
>>  > and enable and start the strongswan-swanctl service.
>>  >
>>  > BTW - in order to use the vici socket you must be root. Thus
>>  >
>>  >   sudo swanctl --load-conn
>>   

Re: [strongSwan] Strongswan[5.4.0] unix:///var/run/charon.vici

2016-05-11 Thread rajeev nohria
Andreas,

It seems like the Charon daemon is not running. When I run the charon command,
it immediately stops. Where can I find the charon log to see if there is
any issue?

rnohria@ubuntu:~$ sudo /usr/local/libexec/ipsec/charon&
[1] 7272
rnohria@ubuntu:~$

[1]+  Stopped sudo /usr/local/libexec/ipsec/charon

Thanks,
Rajeev


On Wed, May 11, 2016 at 2:55 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:

> Hi Rajeev,
>
> can you check in the charon log if the vici plugin has been loaded?
> And do you see the charon daemon running in the process status
> (ps aux | grep charon)?
>
> Regards
>
> Andreas
>
> On 05/11/2016 04:04 AM, rajeev nohria wrote:
> > Thanks Andreas,
> >
> > I ran the charon and also copied the charon script file to /etc/init.d.
> > Now when I run sudo swanctl --load-conn, I still get the same issue.
> > connecting to 'unix:///var/run/charon.vici' failed: No such file or
> > directory
> > Error: connecting to 'default' URI failed: No such file or directory
> > strongSwan 5.4.0 swanctl
> > usage:
> >   swanctl --load-conns [--raw|--pretty]
> >--help(-h)  show usage information
> >--raw (-r)  dump raw response message
> >--pretty  (-P)  dump raw response message in pretty print
> >--debug   (-v)  set debug level, default: 1
> >--options (-+)  read command line options from file
> >--uri (-u)  service URI to connect to
> >
> >
> > Am I missing any other step?
> >
> > Thanks,
> > Rajeev
> >
> > On Tue, May 10, 2016 at 3:59 AM, Andreas Steffen
> > <andreas.stef...@strongswan.org> wrote:
> >
> > Hi Rajeev,
> >
> > is the charon daemon running? If not, either start charon manually:
> >
> >   sudo /usr/local/libexec/ipsec/charon &
> >
> > or if your Linux distribution still uses upstart, copy the
> > following script to /etc/init.d/
> >
> >
> >
> https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/testing/hosts/default/etc/init.d/charon
> >
> > and start the charon daemon in the appropriate runlevels.
> >
> > If your Linux distribution uses systemd instead, compile and
> > install strongSwan with
> >
> >./config --enable-systemd
> >
> > and enable and start the strongswan-swanctl service.
> >
> > BTW - in order to use the vici socket you must be root. Thus
> >
> >   sudo swanctl --load-conn
> >
> > Best regards
> >
> > Andreas
> >
> >
> > On 09.05.2016 16:34, rajeev nohria wrote:
> >
> > I am a new user of Strongswan and running 5.4.0. After creating
> > certificates and configuring two Ubuntu m/c with Strongswan 5.4.0, I try
> > to create a connection as follows and get an error. Please advise how to
> > resolve the following issue.
> >
> > $swanctl --load-conn
> > connecting to 'unix:///var/run/charon.vici' failed: No such file or directory
> > Error: connecting to 'default' URI failed: No such file or directory
> > strongSwan 5.4.0 swanctl
> > usage:
> >
> >
> > Thanks,
> > Rajeev
> >
> >
> > ___
> > Users mailing list
> > Users@lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
> >
> >
> > --
> > ==
> > Andreas Steffen andreas.stef...@strongswan.org
> > strongSwan - the Open Source VPN Solution!  www.strongswan.org
> > Institute for Internet Technologies and Applications
> > University of Applied Sciences Rapperswil
> > CH-8640 Rapperswil (Switzerland)
> > ===[ITA-HSR]==
> >
> >
> >
>
>
> --
> ==
> Andreas Steffen andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution!  www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[ITA-HSR]==
>
>
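The troubleshooting order Andreas gives above (is charon running, does the vici socket exist, is root required) as one pre-flight check to run before swanctl. This is an added example, not code from the thread or from the strongSwan project; it assumes Linux with GNU stat, the default socket path quoted in the thread, and treats pgrep as optional.

```sh
#!/bin/sh
# Added example (not from the thread or strongSwan): pre-flight checks that
# mirror the advice above before calling swanctl. Assumes Linux (GNU stat).
VICI_SOCK="${VICI_SOCK:-/var/run/charon.vici}"   # default path from the thread

# vici_check SOCKET_PATH
# Prints one finding per line; returns 0 only when swanctl can be expected
# to connect, 1 otherwise.
vici_check() {
    sock="$1"
    rc=0

    # 1. Daemon present? (skipped when pgrep is unavailable)
    if command -v pgrep >/dev/null 2>&1 && ! pgrep -x charon >/dev/null 2>&1; then
        echo "charon is not running: start it and read its log for the reason"
        rc=1
    fi

    # 2. Socket present? Without it, charon is down or never loaded vici.
    if [ ! -e "$sock" ]; then
        echo "$sock does not exist: charon is down or the vici plugin is not loaded"
        return 1
    fi
    if [ ! -S "$sock" ]; then
        echo "$sock exists but is not a unix socket"
        return 1
    fi

    # 3. Ownership: vici gives full control of the IKE daemon, so a socket
    #    that is not root-owned, or is world-writable, is a finding.
    owner=$(stat -c '%U' "$sock")
    mode=$(stat -c '%a' "$sock")
    other=${mode#"${mode%?}"}                 # last octal digit (others)
    if [ "$owner" != "root" ]; then
        echo "$sock is owned by $owner, expected root"
        rc=1
    fi
    if [ $(( other & 2 )) -ne 0 ]; then
        echo "$sock is world-writable (mode $mode): any local user could drive charon"
        rc=1
    fi

    # 4. As the thread notes, only root may connect: swanctl needs sudo.
    if [ "$(id -u)" -ne 0 ]; then
        echo "not running as root: use 'sudo swanctl --load-conns'"
        rc=1
    fi
    return "$rc"
}
# Usage: vici_check "$VICI_SOCK" && sudo swanctl --load-conns
```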

[strongSwan] Strongswan[5.4.0] unix:///var/run/charon.vici

2016-05-09 Thread rajeev nohria
I am a new user of Strongswan and running 5.4.0. After creating certificates
and configuring two Ubuntu m/c with Strongswan 5.4.0, I try to create a
connection as follows and get an error. Please advise how to resolve the
following issue.

$swanctl --load-conn
connecting to 'unix:///var/run/charon.vici' failed: No such file or
directory
Error: connecting to 'default' URI failed: No such file or directory
strongSwan 5.4.0 swanctl
usage:


Thanks,
Rajeev