Re: [strongSwan] Strongswan 5.4 issue using certificates

2016-10-05 Thread rajeev nohria
I am all set after adding libatomic.so.1 in lib directory.

On Tue, Oct 4, 2016 at 3:05 PM, rajeev nohria  wrote:

> Andreas,
>
> Thank you for all your help.  I have compiled the Strongswan with
> petalinux.  Whenever I run the charon I get the following error. Is there
> any flag I can add in the makefile to get this fixed?
>
> #charon
> charon: error while loading shared libraries: libatomic.so.1: cannot open
> shared object file: No such file or directory
>
> Thanks,
> Rajeev
>
>
> On Fri, Sep 16, 2016 at 4:33 AM, Andreas Steffen <
> andreas.stef...@strongswan.org> wrote:
>
>> Hi Rajeev,
>>
>> yes, you have to load the private key file in your management tool
>> and transfer it via the VICI interface as a binary blob.
>>
>> Regards
>>
>> Andreas
>>
>> On 15.09.2016 21:20, rajeev nohria wrote:
>> > Andreas,
>> >
>> > When using davici-
>> > For the loading of private rsa keys, that has to be loaded like the
>> > certificate?
>> >
>> > Thanks,
>> > Rajeev
>> >
>> > On Thu, Sep 15, 2016 at 3:19 PM, rajeev nohria > > > wrote:
>> >
>> > Andreas,
>> >
>> > For the loading of private rsa keys, that has to be loaded like the
>> > certificate?
>> >
>> > Thanks,
>> > Rajeev
>> >
>> > On Thu, Aug 4, 2016 at 12:16 AM, Andreas Steffen
>> > > > > wrote:
>> >
>> > Hi Rajeev,
>> >
>> > different to the stroke protocol and ipsec.conf where the filename
>> > of the certificate gets transferred via the stroke socket and the
>> > charon daemon loads the certificate, vici transfers the certificate
>> > itself either as a binary DER or a base64-encoded PEM blob. Thus
>> > your management application has to load the certificate and transfer
>> > it over the vici socket using davici.
>> >
>> > Regards
>> >
>> > Andreas
>> >
>> > On 04.08.2016 05:03, rajeev nohria wrote:
>> > > Thanks Andreas,
>> > >
>> > > It worked, I now started to implement in Davici. I had PSK working in
>> > > Davici. With certificates, I am having the following issue during
>> > > parse_certs().
>> > >
>> > > 09[LIB]   file coded in unknown format, discarded
>> > > 09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
>> > >
>> > >
>> > >
>> > > Corresponding code for Davici is
>> > > davici_list_start(r,"certs");
>> > > davici_list_itemf(r,"%s","/usr/local/etc/swanctl/x509/hostCert.pem");
>> > > davici_list_end(r);
>> > >
>> > >
>> > > I have tried file name with and without path.
>> > >
>> > > certs = hostCert.pem worked in swanctl.conf as attached in previous email.
>> > >
>> > >
>> > > Do you know what could be the issue here? Looks like software is not able to
>> > > recognize the pem format but again it worked when using swanctl.conf file.
>> > >
>> > > Thanks,
>> > > Rajeev
>> > >
>> > >
>> > > On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen
>> > > > > 
>> > > > >>
>> > > wrote:
>> > >
>> > > Hi,
>> > >
>> > > according to your log, the initiator and responder create their
>> > > own Root CA certificate and store it locally in
>> > > /usr/local/etc/swanctl/x509ca. Therefore it is not surprising
>> > > that no trust into the received host certificate can be established
>> > > because it has been signed with the private key of a different
>> > > root CA (although the Distinguished Name of the issuer is the same).
>> > >
>> > > Fix: Generate only one private key and matching self-signed
>> > > Root CA certificate. Use the private Root CA key to sign both
>> > > initiator and responder host certificates and deploy the Root CA
>> > > certificate on both hosts.
>> > >
>> > > Best regards
>> > >
>> > > Andreas
>> > >
>> > > On 01.08.2016 21:24, rajeev nohria wrote:
>> > > >
>> > > > I was able to establish IKE connection using PSK but when using pubkey I
>> > > > am not able to establish the IKE connection.
>> > > >
>> > > > When I issue sudo swanctl --initiate --child net
>> > > >
>> > > >
>> > > > At receptor, it returns the Auth_failed.  Please see the swanctl.conf,
>> > > > strongswan.conf and charo

Re: [strongSwan] Strongswan 5.4 issue using certificates

2016-10-04 Thread rajeev nohria
Andreas,

Thank you for all your help.  I have compiled the Strongswan with petalinux.
Whenever I run the charon I get the following error. Is there any flag I
can add in the makefile to get this fixed?

#charon
charon: error while loading shared libraries: libatomic.so.1: cannot open
shared object file: No such file or directory

Thanks,
Rajeev


On Fri, Sep 16, 2016 at 4:33 AM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:

> Hi Rajeev,
>
> yes, you have to load the private key file in your management tool
> and transfer it via the VICI interface as a binary blob.
>
> Regards
>
> Andreas
>
> On 15.09.2016 21:20, rajeev nohria wrote:
> > Andreas,
> >
> > When using davici-
> > For the loading of private rsa keys, that has to be loaded like the
> > certificate?
> >
> > Thanks,
> > Rajeev
> >
> > On Thu, Sep 15, 2016 at 3:19 PM, rajeev nohria  > > wrote:
> >
> > Andreas,
> >
> > For the loading of private rsa keys, that has to be loaded like the
> > certificate?
> >
> > Thanks,
> > Rajeev
> >
> > On Thu, Aug 4, 2016 at 12:16 AM, Andreas Steffen
> >  > > wrote:
> >
> > Hi Rajeev,
> >
> > different to the stroke protocol and ipsec.conf where the filename
> > of the certificate gets transferred via the stroke socket and the
> > charon daemon loads the certificate, vici transfers the certificate
> > itself either as a binary DER or a base64-encoded PEM blob. Thus
> > your management application has to load the certificate and transfer
> > it over the vici socket using davici.
> >
> > Regards
> >
> > Andreas
> >
> > On 04.08.2016 05:03, rajeev nohria wrote:
> > > Thanks Andreas,
> > >
> > > It worked, I now started to implement in Davici. I had PSK working in
> > > Davici. With certificates, I am having the following issue during
> > > parse_certs().
> > >
> > > 09[LIB]   file coded in unknown format, discarded
> > > 09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
> > >
> > >
> > >
> > > Corresponding code for Davici is
> > > davici_list_start(r,"certs");
> > > davici_list_itemf(r,"%s","/usr/local/etc/swanctl/x509/hostCert.pem");
> > > davici_list_end(r);
> > >
> > >
> > > I have tried file name with and without path.
> > >
> > > certs = hostCert.pem worked in swanctl.conf as attached in previous email.
> > >
> > >
> > > Do you know what could be the issue here? Looks like software is not able to
> > > recognize the pem format but again it worked when using swanctl.conf file.
> > >
> > > Thanks,
> > > Rajeev
> > >
> > >
> > > On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen
> > >  > 
> >  > >>
> > > wrote:
> > >
> > > Hi,
> > >
> > > according to your log, the initiator and responder create their
> > > own Root CA certificate and store it locally in
> > > /usr/local/etc/swanctl/x509ca. Therefore it is not surprising
> > > that no trust into the received host certificate can be established
> > > because it has been signed with the private key of a different
> > > root CA (although the Distinguished Name of the issuer is the same).
> > >
> > > Fix: Generate only one private key and matching self-signed
> > > Root CA certificate. Use the private Root CA key to sign both
> > > initiator and responder host certificates and deploy the Root CA
> > > certificate on both hosts.
> > >
> > > Best regards
> > >
> > > Andreas
> > >
> > > On 01.08.2016 21:24, rajeev nohria wrote:
> > > >
> > > > I was able to establish IKE connection using PSK but when using pubkey I
> > > > am not able to establish the IKE connection.
> > > >
> > > > When I issue sudo swanctl --initiate --child net
> > > >
> > > >
> > > > At receptor, it returns the Auth_failed.  Please see the swanctl.conf,
> > > > strongswan.conf and charon.log.
> > > >
> > > > Aug  1 12:09:21 12[CFG]  no issuer certificate found for "C=US,
> > > > ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
> > > > Aug  1 12:09:21 12[IKE]  no trusted RSA public key found for
> >

Re: [strongSwan] Strongswan 5.4 issue using certificates

2016-09-16 Thread Andreas Steffen
Hi Rajeev,

yes, you have to load the private key file in your management tool
and transfer it via the VICI interface as a binary blob.

Regards

Andreas

On 15.09.2016 21:20, rajeev nohria wrote:
> Andreas,
> 
> When using davici- 
> For the loading of private rsa keys, that has to be loaded like the
> certificate?
> 
> Thanks,
> Rajeev
> 
> On Thu, Sep 15, 2016 at 3:19 PM, rajeev nohria  > wrote:
> 
> Andreas,
> 
> For the loading of private rsa keys, that has to be loaded like the
> certificate?
> 
> Thanks,
> Rajeev
> 
> On Thu, Aug 4, 2016 at 12:16 AM, Andreas Steffen
>  > wrote:
> 
> Hi Rajeev,
> 
> different to the stroke protocol and ipsec.conf where the filename
> of the certificate gets transferred via the stroke socket and the
> charon daemon loads the certificate, vici transfers the certificate
> itself either as a binary DER or a base64-encoded PEM blob. Thus
> your management application has to load the certificate and transfer
> it over the vici socket using davici.
> 
> Regards
> 
> Andreas
> 
> On 04.08.2016 05:03, rajeev nohria wrote:
> > Thanks Andreas,
> >
> > It worked, I now started to implement in Davici. I had PSK working in
> > Davici. With certificates, I am having the following issue during
> > parse_certs().
> >
> > 09[LIB]   file coded in unknown format, discarded
> > 09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
> >
> >
> >
> > Corresponding code for Davici is
> > davici_list_start(r,"certs");
> > davici_list_itemf(r,"%s","/usr/local/etc/swanctl/x509/hostCert.pem");
> > davici_list_end(r);
> >
> >
> > I have tried file name with and without path.
> >
> > certs = hostCert.pem worked in swanctl.conf as attached in previous email.
> >
> >
> > Do you know what could be the issue here? Looks like software is not able to
> > recognize the pem format but again it worked when using swanctl.conf file.
> >
> > Thanks,
> > Rajeev
> >
> >
> > On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen
> >  
>  >>
> > wrote:
> >
> > Hi,
> >
> > according to your log, the initiator and responder create their
> > own Root CA certificate and store it locally in
> > /usr/local/etc/swanctl/x509ca. Therefore it is not surprising
> > that no trust into the received host certificate can be established
> > because it has been signed with the private key of a different
> > root CA (although the Distinguished Name of the issuer is the same).
> >
> > Fix: Generate only one private key and matching self-signed
> > Root CA certificate. Use the private Root CA key to sign both
> > initiator and responder host certificates and deploy the Root CA
> > certificate on both hosts.
> >
> > Best regards
> >
> > Andreas
> >
> > On 01.08.2016 21:24, rajeev nohria wrote:
> > >
> > > I was able to establish IKE connection using PSK but when using pubkey I
> > > am not able to establish the IKE connection.
> > >
> > > When I issue sudo swanctl --initiate --child net
> > >
> > >
> > > At receptor, it returns the Auth_failed.  Please see the swanctl.conf,
> > > strongswan.conf and charon.log.
> > >
> > > Aug  1 12:09:21 12[CFG]  no issuer certificate found for "C=US,
> > > ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
> > > Aug  1 12:09:21 12[IKE]  no trusted RSA public key found for
> > > '10.13.199.185'
> > > Aug  1 12:09:21 12[IKE]  peer supports MOBIKE
> > > Aug  1 12:09:21 12[ENC]  added payload of type NOTIFY to message
> > > Aug  1 12:09:21 12[ENC]  order payloads in message
> > > Aug  1 12:09:21 12[ENC]  added payload of type NOTIFY to message
> > > Aug  1 12:09:21 12[ENC]  generating IKE_AUTH response 1 [
> > > N(AUTH_FAILED) ]
> > >
> > > I used following commands to create certificates.
> > >
> > > *Initiator:*
> > > ---
> > >
> > > sudo ips

Re: [strongSwan] Strongswan 5.4 issue using certificates

2016-09-15 Thread rajeev nohria
Andreas,

When using davici-
For the loading of private rsa keys, that has to be loaded like the
certificate?

Thanks,
Rajeev

On Thu, Sep 15, 2016 at 3:19 PM, rajeev nohria  wrote:

> Andreas,
>
> For the loading of private rsa keys, that has to be loaded like the
> certificate?
>
> Thanks,
> Rajeev
>
> On Thu, Aug 4, 2016 at 12:16 AM, Andreas Steffen <
> andreas.stef...@strongswan.org> wrote:
>
>> Hi Rajeev,
>>
>> different to the stroke protocol and ipsec.conf where the filename
>> of the certificate gets transferred via the stroke socket and the
>> charon daemon loads the certificate, vici transfers the certificate
>> itself either as a binary DER or a base64-encoded PEM blob. Thus
>> your management application has to load the certificate and transfer
>> it over the vici socket using davici.
>>
>> Regards
>>
>> Andreas
>>
>> On 04.08.2016 05:03, rajeev nohria wrote:
>> > Thanks Andreas,
>> >
>> > It worked, I now started to implement in Davici. I had PSK working in
>> > Davici. With certificates, I am having the following issue during
>> > parse_certs().
>> >
>> > 09[LIB]   file coded in unknown format, discarded
>> > 09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
>> >
>> >
>> >
>> > Corresponding code for Davici is
>> > davici_list_start(r,"certs");
>> > davici_list_itemf(r,"%s","/usr/local/etc/swanctl/x509/hostCert.pem");
>> > davici_list_end(r);
>> >
>> >
>> > I have tried file name with and without path.
>> >
>> > certs = hostCert.pem worked in swanctl.conf as attached in previous email.
>> >
>> >
>> > Do you know what could be the issue here? Looks like software is not able to
>> > recognize the pem format but again it worked when using swanctl.conf file.
>> >
>> > Thanks,
>> > Rajeev
>> >
>> >
>> > On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen
>> > mailto:andreas.stef...@strongswan.org
>> >>
>> > wrote:
>> >
>> > Hi,
>> >
>> > according to your log, the initiator and responder create their
>> > own Root CA certificate and store it locally in
>> > /usr/local/etc/swanctl/x509ca. Therefore it is not surprising
>> > that no trust into the received host certificate can be established
>> > because it has been signed with the private key of a different
>> > root CA (although the Distinguished Name of the issuer is the same).
>> >
>> > Fix: Generate only one private key and matching self-signed
>> > Root CA certificate. Use the private Root CA key to sign both
>> > initiator and responder host certificates and deploy the Root CA
>> > certificate on both hosts.
>> >
>> > Best regards
>> >
>> > Andreas
>> >
>> > On 01.08.2016 21:24, rajeev nohria wrote:
>> > >
>> > > I was able to establish IKE connection using PSK but when using pubkey I
>> > > am not able to establish the IKE connection.
>> > >
>> > > When I issue sudo swanctl --initiate --child net
>> > >
>> > >
>> > > At receptor, it returns the Auth_failed.  Please see the swanctl.conf,
>> > > strongswan.conf and charon.log.
>> > >
>> > > Aug  1 12:09:21 12[CFG]  no issuer certificate found for "C=US,
>> > > ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
>> > > Aug  1 12:09:21 12[IKE]  no trusted RSA public key found for
>> > > '10.13.199.185'
>> > > Aug  1 12:09:21 12[IKE]  peer supports MOBIKE
>> > > Aug  1 12:09:21 12[ENC]  added payload of type NOTIFY to message
>> > > Aug  1 12:09:21 12[ENC]  order payloads in message
>> > > Aug  1 12:09:21 12[ENC]  added payload of type NOTIFY to message
>> > > Aug  1 12:09:21 12[ENC]  generating IKE_AUTH response 1 [
>> > > N(AUTH_FAILED) ]
>> > >
>> > > I used following commands to create certificates.
>> > >
>> > > *Initiator:*
>> > > ---
>> > >
>> > > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
>> > > /usr/local/etc/swanctl/rsa/strongswanKey.pem
>> > >
>> > >
>> > > sudo chmod 600  /usr/local/etc/swanctl/rsa/strongswanKey.pem
>> > >
>> > >
>> > > sudo ipsec pki --self --ca --in
>> > > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
>> > > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
>> > > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>> > >
>> > >
>> > > sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>> > >
>> > >
>> > > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
>> > > /usr/local/etc/swanctl/rsa/hostKey.pem
>> > >
>> > >
>> > > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
>> > >
>> > >
>> > >
>> > > sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type
>> > > rsa | ipsec pki --issue --digest sha256 --cacert
>> > > /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
>> > > /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=U

Re: [strongSwan] Strongswan 5.4 issue using certificates

2016-09-15 Thread rajeev nohria
Andreas,

For the loading of private rsa keys, that has to be loaded like the
certificate?

Thanks,
Rajeev

On Thu, Aug 4, 2016 at 12:16 AM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:

> Hi Rajeev,
>
> different to the stroke protocol and ipsec.conf where the filename
> of the certificate gets transferred via the stroke socket and the
> charon daemon loads the certificate, vici transfers the certificate
> itself either as a binary DER or a base64-encoded PEM blob. Thus
> your management application has to load the certificate and transfer
> it over the vici socket using davici.
>
> Regards
>
> Andreas
>
> On 04.08.2016 05:03, rajeev nohria wrote:
> > Thanks Andreas,
> >
> > It worked, I now started to implement in Davici. I had PSK working in
> > Davici. With certificates, I am having the following issue during
> > parse_certs().
> >
> > 09[LIB]   file coded in unknown format, discarded
> > 09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
> >
> >
> >
> > Corresponding code for Davici is
> > davici_list_start(r,"certs");
> > davici_list_itemf(r,"%s","/usr/local/etc/swanctl/x509/hostCert.pem");
> > davici_list_end(r);
> >
> >
> > I have tried file name with and without path.
> >
> > certs = hostCert.pem worked in swanctl.conf as attached in previous email.
> >
> >
> > Do you know what could be the issue here? Looks like software is not able to
> > recognize the pem format but again it worked when using swanctl.conf file.
> >
> > Thanks,
> > Rajeev
> >
> >
> > On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen
> > mailto:andreas.stef...@strongswan.org>>
> > wrote:
> >
> > Hi,
> >
> > according to your log, the initiator and responder create their
> > own Root CA certificate and store it locally in
> > /usr/local/etc/swanctl/x509ca. Therefore it is not surprising
> > that no trust into the received host certificate can be established
> > because it has been signed with the private key of a different
> > root CA (although the Distinguished Name of the issuer is the same).
> >
> > Fix: Generate only one private key and matching self-signed
> > Root CA certificate. Use the private Root CA key to sign both
> > initiator and responder host certificates and deploy the Root CA
> > certificate on both hosts.
> >
> > Best regards
> >
> > Andreas
> >
> > On 01.08.2016 21:24, rajeev nohria wrote:
> > >
> > > I was able to establish IKE connection using PSK but when using pubkey I
> > > am not able to establish the IKE connection.
> > >
> > > When I issue sudo swanctl --initiate --child net
> > >
> > >
> > > At receptor, it returns the Auth_failed.  Please see the swanctl.conf,
> > > strongswan.conf and charon.log.
> > >
> > > Aug  1 12:09:21 12[CFG]  no issuer certificate found for "C=US,
> > > ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
> > > Aug  1 12:09:21 12[IKE]  no trusted RSA public key found for
> > > '10.13.199.185'
> > > Aug  1 12:09:21 12[IKE]  peer supports MOBIKE
> > > Aug  1 12:09:21 12[ENC]  added payload of type NOTIFY to message
> > > Aug  1 12:09:21 12[ENC]  order payloads in message
> > > Aug  1 12:09:21 12[ENC]  added payload of type NOTIFY to message
> > > Aug  1 12:09:21 12[ENC]  generating IKE_AUTH response 1 [
> > > N(AUTH_FAILED) ]
> > >
> > > I used following commands to create certificates.
> > >
> > > *Initiator:*
> > > ---
> > >
> > > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > > /usr/local/etc/swanctl/rsa/strongswanKey.pem
> > >
> > >
> > > sudo chmod 600  /usr/local/etc/swanctl/rsa/strongswanKey.pem
> > >
> > >
> > > sudo ipsec pki --self --ca --in
> > > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
> > > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> > > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> > >
> > >
> > > sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> > >
> > >
> > > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > > /usr/local/etc/swanctl/rsa/hostKey.pem
> > >
> > >
> > > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
> > >
> > >
> > >
> > > sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type
> > > rsa | ipsec pki --issue --digest sha256 --cacert
> > > /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
> > > /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA,
> > > L=Lowell, O=Arris, CN=10.13.199.185" --san 10.13.199.185  pem >
> > > /usr/local/etc/swanctl/x509/hostCert.pem
> > >
> > >
> > > Receptor:
> > > --
> > >
> > > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > > /usr/local/etc/swanctl/rsa/stro

Re: [strongSwan] Strongswan 5.4 issue using certificates

2016-08-03 Thread Andreas Steffen
Hi Rajeev,

different to the stroke protocol and ipsec.conf where the filename
of the certificate gets transferred via the stroke socket and the
charon daemon loads the certificate, vici transfers the certificate
itself either as a binary DER or a base64-encoded PEM blob. Thus
your management application has to load the certificate and transfer
it over the vici socket using davici.

Regards

Andreas

On 04.08.2016 05:03, rajeev nohria wrote:
> Thanks Andreas,
> 
> It worked, I now started to implement in Davici. I had PSK working in
> Davici. With certificates, I am having the following issue during
> parse_certs().
> 
> 09[LIB]   file coded in unknown format, discarded
> 09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
> 
> 
> 
> Corresponding code for Davici is
> davici_list_start(r,"certs");
> davici_list_itemf(r,"%s","/usr/local/etc/swanctl/x509/hostCert.pem");
> davici_list_end(r);
> 
> 
> I have tried file name with and without path.
> 
> certs = hostCert.pem worked in swanctl.conf as attached in previous email.
> 
> 
> Do you know what could be the issue here? Looks like software is not able to
> recognize the pem format but again it worked when using swanctl.conf file.
> 
> Thanks,
> Rajeev
> 
> 
> On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen
> mailto:andreas.stef...@strongswan.org>>
> wrote:
> 
> Hi,
> 
> according to your log, the initiator and responder create their
> own Root CA certificate and store it locally in
> /usr/local/etc/swanctl/x509ca. Therefore it is not surprising
> that no trust into the received host certificate can be established
> because it has been signed with the private key of a different
> root CA (although the Distinguished Name of the issuer is the same).
> 
> Fix: Generate only one private key and matching self-signed
> Root CA certificate. Use the private Root CA key to sign both
> initiator and responder host certificates and deploy the Root CA
> certificate on both hosts.
> 
> Best regards
> 
> Andreas
> 
> On 01.08.2016 21:24, rajeev nohria wrote:
> >
> > I was able to establish IKE connection using PSK but when using pubkey I
> > am not able to establish the IKE connection.
> >
> > When I issue sudo swanctl --initiate --child net
> >
> >
> > At receptor, it returns the Auth_failed.  Please see the swanctl.conf,
> > strongswan.conf and charon.log.
> >
> > Aug  1 12:09:21 12[CFG]  no issuer certificate found for "C=US,
> > ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
> > Aug  1 12:09:21 12[IKE]  no trusted RSA public key found for
> > '10.13.199.185'
> > Aug  1 12:09:21 12[IKE]  peer supports MOBIKE
> > Aug  1 12:09:21 12[ENC]  added payload of type NOTIFY to message
> > Aug  1 12:09:21 12[ENC]  order payloads in message
> > Aug  1 12:09:21 12[ENC]  added payload of type NOTIFY to message
> > Aug  1 12:09:21 12[ENC]  generating IKE_AUTH response 1 [
> > N(AUTH_FAILED) ]
> >
> > I used following commands to create certificates.
> >
> > *Initiator:*
> > ---
> >
> > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> >
> > sudo chmod 600  /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> >
> > sudo ipsec pki --self --ca --in
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
> > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >
> >
> > sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >
> >
> > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > /usr/local/etc/swanctl/rsa/hostKey.pem
> >
> >
> > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
> >
> >
> >
> > sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type
> > rsa | ipsec pki --issue --digest sha256 --cacert
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA,
> > L=Lowell, O=Arris, CN=10.13.199.185" --san 10.13.199.185  pem >
> > /usr/local/etc/swanctl/x509/hostCert.pem
> >
> >
> > Receptor:
> > --
> >
> > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> > sudo chmod 600  /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> > sudo ipsec pki --self --ca --in
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
> > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >
> > sudo ipsec pki --print --in
> > /usr/lo

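The blob-versus-filename point in Andreas's reply above (and his same answer for the private key in the 16 September message), as an added example that is not from the thread and not code from the strongSwan or davici projects: it hand-encodes the VICI wire format documented in strongSwan's README.vici, so the davici call in the thread, which puts the path string into the `certs` list, ends up sending charon a "certificate" no builder can decode. The sample certificate and the connection name `net` are constructed; `load-conn`, `local.certs`, `load-key`, `type` and `data` are the real vici command and key names.

```python
"""Added example (not from the thread or strongSwan/davici): a minimal
encoder for the VICI wire format, used to show that the `certs` list and
the `load-key` `data` field carry credential *bytes*, not file names.

Wire format (README.vici): names are 1-byte length + bytes, values are
2-byte big-endian length + bytes; a CMD_REQUEST packet is a 4-byte
big-endian length, the packet type, the command name and the message.
"""
import struct

# VICI message element types.
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = range(1, 7)
CMD_REQUEST = 0  # packet type for a command request


def _name(name: str) -> bytes:
    raw = name.encode()
    if len(raw) > 0xFF:
        raise ValueError("vici name too long")
    return bytes([len(raw)]) + raw


def _value(data: bytes) -> bytes:
    if len(data) > 0xFFFF:
        raise ValueError("vici value too long (max 64 KiB)")
    return struct.pack(">H", len(data)) + data


def _as_bytes(item) -> bytes:
    return item if isinstance(item, bytes) else str(item).encode()


def encode(msg: dict) -> bytes:
    """Encode a nested dict: dict -> section, list -> list, else key/value."""
    out = bytearray()
    for key, val in msg.items():
        if isinstance(val, dict):
            out += bytes([SECTION_START]) + _name(key) + encode(val) + bytes([SECTION_END])
        elif isinstance(val, (list, tuple)):
            out += bytes([LIST_START]) + _name(key)
            for item in val:
                out += bytes([LIST_ITEM]) + _value(_as_bytes(item))
            out += bytes([LIST_END])
        else:
            out += bytes([KEY_VALUE]) + _name(key) + _value(_as_bytes(val))
    return bytes(out)


def cmd_request(command: str, msg: dict) -> bytes:
    """Frame a CMD_REQUEST packet: 4-byte length, type byte, name, message."""
    body = bytes([CMD_REQUEST]) + _name(command) + encode(msg)
    return struct.pack(">I", len(body)) + body


def credential_format(blob: bytes):
    """Return "pem", "der" or None, i.e. what charon's builders can decode.
    A path string such as b"/usr/local/etc/swanctl/x509/hostCert.pem" is
    neither, which is the "file coded in unknown format" case in the thread."""
    if blob.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    if len(blob) >= 2 and blob[0] == 0x30:  # ASN.1 SEQUENCE tag
        return "der"
    return None


def read_credential(path: str) -> bytes:
    """The step the management tool must do itself: read the file and check it."""
    with open(path, "rb") as fh:
        blob = fh.read()
    if credential_format(blob) is None:
        raise ValueError(f"{path}: not a PEM or DER credential")
    return blob


def load_conn_request(conn: str, cert_blob: bytes) -> bytes:
    """load-conn with the certificate bytes in local.certs, as swanctl sends it."""
    if credential_format(cert_blob) is None:
        raise ValueError("certs list item is not a PEM or DER certificate")
    return cmd_request("load-conn", {conn: {"local": {"certs": [cert_blob]}}})


def load_key_request(key_blob: bytes, key_type: str = "rsa") -> bytes:
    """load-key: the private key file contents travel as the `data` blob."""
    return cmd_request("load-key", {"type": key_type, "data": key_blob})


if __name__ == "__main__":
    # Constructed stand-in for a real PEM certificate.
    cert = b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
    print(load_conn_request("net", cert).hex())
    print(credential_format(b"/usr/local/etc/swanctl/x509/hostCert.pem"))  # None
```

Run against a real socket, the packets would be written to /var/run/charon.vici and the CMD_RESPONSE read back with the same framing; the davici library does exactly that framing for you, so the only change the thread needs is passing file contents instead of the path to `davici_list_item`.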
Re: [strongSwan] Strongswan 5.4 issue using certificates

2016-08-03 Thread rajeev nohria
Thanks Andreas,

It worked, I now started to implement in Davici. I had PSK working in
Davici. With certificates, I am having the following issue during
parse_certs().

09[LIB]   file coded in unknown format, discarded
09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders



Corresponding code for Davici is
davici_list_start(r,"certs");
davici_list_itemf(r,"%s","/usr/local/etc/swanctl/x509/hostCert.pem");
davici_list_end(r);


I have tried file name with and without path.

certs = hostCert.pem worked in swanctl.conf as attached in previous email.


Do you know what could be the issue here? Looks like software is not able to
recognize the pem format but again it worked when using swanctl.conf file.

Thanks,
Rajeev


On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:

> Hi,
>
> according to your log, the initiator and responder create their
> own Root CA certificate and store it locally in
> /usr/local/etc/swanctl/x509ca. Therefore it is not surprising
> that no trust into the received host certificate can be established
> because it has been signed with the private key of a different
> root CA (although the Distinguished Name of the issuer is the same).
>
> Fix: Generate only one private key and matching self-signed
> Root CA certificate. Use the private Root CA key to sign both
> initiator and responder host certificates and deploy the Root CA
> certificate on both hosts.
>
> Best regards
>
> Andreas
>
> On 01.08.2016 21:24, rajeev nohria wrote:
> >
> > I was able to establish IKE connection using PSK but when using pubkey I
> > am not able to establish the IKE connection.
> >
> > When I issue sudo swanctl --initiate --child net
> >
> >
> > At receptor, it returns the Auth_failed.  Please see the swanctl.conf,
> > strongswan.conf and charon.log.
> >
> > Aug  1 12:09:21 12[CFG]  no issuer certificate found for "C=US,
> > ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
> > Aug  1 12:09:21 12[IKE]  no trusted RSA public key found for
> > '10.13.199.185'
> > Aug  1 12:09:21 12[IKE]  peer supports MOBIKE
> > Aug  1 12:09:21 12[ENC]  added payload of type NOTIFY to message
> > Aug  1 12:09:21 12[ENC]  order payloads in message
> > Aug  1 12:09:21 12[ENC]  added payload of type NOTIFY to message
> > Aug  1 12:09:21 12[ENC]  generating IKE_AUTH response 1 [
> > N(AUTH_FAILED) ]
> >
> > I used following commands to create certificates.
> >
> > *Initiator:*
> > ---
> >
> > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> >
> > sudo chmod 600  /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> >
> > sudo ipsec pki --self --ca --in
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
> > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >
> >
> > sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >
> >
> > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > /usr/local/etc/swanctl/rsa/hostKey.pem
> >
> >
> > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
> >
> >
> >
> > sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type
> > rsa | ipsec pki --issue --digest sha256 --cacert
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA,
> > L=Lowell, O=Arris, CN=10.13.199.185" --san 10.13.199.185  pem >
> > /usr/local/etc/swanctl/x509/hostCert.pem
> >
> >
> > Receptor:
> > --
> >
> > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> > sudo chmod 600  /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> > sudo ipsec pki --self --ca --in
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
> > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >
> > sudo ipsec pki --print --in
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >
> > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > /usr/local/etc/swanctl/rsa/hostKey.pem
> >
> > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
> >
> > sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type
> > rsa | ipsec pki --issue --digest sha256 --cacert
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA,
> > L=Lowell, O=Arris, CN=10.13.199.130" --san 10.13.199.130 --outform pem >
> > /usr/local/etc/swanctl/x509/hostCert.pem
> >
> >
> >
> >
> >
> >
> > ___
> > Users mailing list
> > Users@lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
> >
>
> --
> ==
> Andreas Ste

Re: [strongSwan] Strongswan 5.4 issue using certificates

2016-08-02 Thread Andreas Steffen
Hi,

according to your log, the initiator and responder create their
own Root CA certificate and store it locally in
/usr/local/etc/swanctl/x509ca. Therefore it is not surprising
that no trust into the received host certificate can be established
because it has been signed with the private key of a different
root CA (although the Distinguished Name of the issuer is the same).

Fix: Generate only one private key and matching self-signed
Root CA certificate. Use the private Root CA key to sign both
initiator and responder host certificates and deploy the Root CA
certificate on both hosts.

Best regards

Andreas

On 01.08.2016 21:24, rajeev nohria wrote:
> 
> I was able to establish IKE connection using PSK but when using pubkey I
> am not able to establish the IKE connection.
> 
> When I issue sudo swanctl --initiate --child net
> 
> 
> At receptor, it returns the Auth_failed.  Please see the swanctl.conf,
> strongswan.conf and charon.log. 
> 
> Aug  1 12:09:21 12[CFG]  no issuer certificate found for "C=US,
> ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
> Aug  1 12:09:21 12[IKE]  no trusted RSA public key found for
> '10.13.199.185'
> Aug  1 12:09:21 12[IKE]  peer supports MOBIKE
> Aug  1 12:09:21 12[ENC]  added payload of type NOTIFY to message
> Aug  1 12:09:21 12[ENC]  order payloads in message
> Aug  1 12:09:21 12[ENC]  added payload of type NOTIFY to message
> Aug  1 12:09:21 12[ENC]  generating IKE_AUTH response 1 [
> N(AUTH_FAILED) ]
> 
> I used following commands to create certificates.
> 
> *Initiator:*
> ---
> 
> sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> /usr/local/etc/swanctl/rsa/strongswanKey.pem
> 
> 
> sudo chmod 600  /usr/local/etc/swanctl/rsa/strongswanKey.pem
> 
> 
> sudo ipsec pki --self --ca --in
> /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
> ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> 
> 
> sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> 
> 
> sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> /usr/local/etc/swanctl/rsa/hostKey.pem
> 
> 
> sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
> 
> 
> 
> sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type
> rsa | ipsec pki --issue --digest sha256 --cacert
> /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
> /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA,
> L=Lowell, O=Arris, CN=10.13.199.185" --san 10.13.199.185  pem >
> /usr/local/etc/swanctl/x509/hostCert.pem
> 
> 
> Receptor:
> --
> 
> sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> /usr/local/etc/swanctl/rsa/strongswanKey.pem
> 
> sudo chmod 600  /usr/local/etc/swanctl/rsa/strongswanKey.pem
> 
> sudo ipsec pki --self --ca --in
> /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
> ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> 
> sudo ipsec pki --print --in
> /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> 
> sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> /usr/local/etc/swanctl/rsa/hostKey.pem
> 
> sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
> 
> sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type
> rsa | ipsec pki --issue --digest sha256 --cacert
> /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
> /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA,
> L=Lowell, O=Arris, CN=10.13.199.130" --san 10.13.199.130 --outform pem >
> /usr/local/etc/swanctl/x509/hostCert.pem
> 
> 
> 
> 
> 
> 
> 

-- 
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==


