Correction: I meant OpenSuse 11.2. I have just disabled the custom order.
I changed the order because I could not get charon to work correctly; I had to move stroke further up the order. But now it's working without order manipulation.
Other than the opensc-pkcs11.so error, I seem to be error free now, but still I am not passing encrypted traffic to the other side.
I am verifying with tcpdump by monitoring mysql traffic.
Do I need some type of routing tweaking or iptables manipulation to pass traffic through the tunnel?
Or is the pkcs11 module error something I must correct first?
Thanks -Eric
Apr 27 09:34:27 radius02 ipsec_starter[27031]: Starting strongSwan 4.3.4 IPsec [starter]...
Apr 27 09:34:27 radius02 modprobe: WARNING: All config files need .conf: /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
Apr 27 09:34:27 radius02 modprobe: WARNING: All config files need .conf: /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
Apr 27 09:34:27 radius02 modprobe: WARNING: All config files need .conf: /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
Apr 27 09:34:27 radius02 modprobe: WARNING: All config files need .conf: /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
Apr 27 09:34:27 radius02 modprobe: WARNING: All config files need .conf: /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
Apr 27 09:34:27 radius02 pluto[27040]: Starting IKEv1 pluto daemon (strongSwan 4.3.4) THREADS SMARTCARD VENDORID CISCO_QUIRKS
Apr 27 09:34:27 radius02 pluto[27040]: loaded plugins: curl ldap aes des sha1 sha2 md5 random pubkey openssl gcrypt hmac gmp
Apr 27 09:34:27 radius02 pluto[27040]: including NAT-Traversal patch (Version 0.6c) [disabled]
Apr 27 09:34:27 radius02 pluto[27040]: failed to load pkcs11 module '/usr/lib64/opensc-pkcs11.so'
Apr 27 09:34:27 radius02 pluto[27040]: Using Linux 2.6 IPsec interface code
Apr 27 09:34:27 radius02 ipsec_starter[27039]: pluto (27040) started after 20 ms
Apr 27 09:34:27 radius02 charon: 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.4)
Apr 27 09:34:28 radius02 charon: 01[KNL] listening on interfaces:
Apr 27 09:34:28 radius02 charon: 01[KNL] eth1
Apr 27 09:34:28 radius02 charon: 01[KNL] 172.16.31.15
Apr 27 09:34:28 radius02 charon: 01[KNL] fe80::250:56ff:fea0:3ace
Apr 27 09:34:28 radius02 charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr 27 09:34:28 radius02 charon: 01[LIB] loaded certificate file '/etc/ipsec.d/cacerts/strongswanCert.der'
Apr 27 09:34:28 radius02 charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr 27 09:34:28 radius02 charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr 27 09:34:28 radius02 charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr 27 09:34:28 radius02 charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
Apr 27 09:34:28 radius02 charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
Apr 27 09:34:28 radius02 charon: 01[CFG] loaded private key file '/etc/ipsec.d/private/strongswanKey.pem'
Apr 27 09:34:28 radius02 charon: 01[CFG] loaded private key file '/etc/ipsec.d/private/radius02Key.pem'
Apr 27 09:34:28 radius02 pluto[27040]: Changing to directory '/etc/ipsec.d/cacerts'
Apr 27 09:34:28 radius02 pluto[27040]: loaded CA cert file 'strongswanCert.der' (1183 bytes)
Apr 27 09:34:28 radius02 pluto[27040]: Changing to directory '/etc/ipsec.d/aacerts'
Apr 27 09:34:28 radius02 pluto[27040]: Changing to directory '/etc/ipsec.d/ocspcerts'
Apr 27 09:34:28 radius02 pluto[27040]: Changing to directory '/etc/ipsec.d/crls'
Apr 27 09:34:28 radius02 pluto[27040]: Changing to directory '/etc/ipsec.d/acerts'
Apr 27 09:34:28 radius02 pluto[27040]: listening for IKE messages
Apr 27 09:34:28 radius02 pluto[27040]: adding interface eth1/eth1 172.16.31.15:500
Apr 27 09:34:28 radius02 pluto[27040]: adding interface lo/lo 127.0.0.2:500
Apr 27 09:34:28 radius02 pluto[27040]: adding interface lo/lo 127.0.0.1:500
Apr 27 09:34:28 radius02 pluto[27040]: adding interface lo/lo ::1:500
Apr 27 09:34:28 radius02 pluto[27040]: loading secrets from "/etc/ipsec.secrets"
Apr 27 09:34:28 radius02 pluto[27040]: loaded private key file '/etc/ipsec.d/private/strongswanKey.pem' (1751 bytes)
Apr 27 09:34:28 radius02 charon: 01[DMN] loaded plugins: curl ldap aes des sha1 sha2 md5 fips-prf random x509 pubkey openssl gcrypt xcbc hmac gmp kernel-netlink stroke upd
Apr 27 09:34:28 radius02 charon: 01[JOB] spawning 16 worker threads
Apr 27 09:34:28 radius02 pluto[27040]: loaded private key file '/etc/ipsec.d/private/radius02Key.pem' (963 bytes)
Apr 27 09:34:28 radius02 ipsec_starter[27039]: charon (27053) started after 80 ms
Apr 27 09:34:28 radius02 charon: 05[CFG] received stroke: add connection 'host-host'
Apr 27 09:34:28 radius02 charon: 05[LIB] loaded certificate file '/etc/ipsec.d/certs/radius02Cert.pem'
Apr 27 09:34:28 radius02 charon: 05[LIB] loaded certificate file '/etc/ipsec.d/certs/radius03Cert.pem'
Apr 27 09:34:28 radius02 charon: 05[CFG] peerid C=US, ST=NV, O=allegiant, OU=it, CN=radius03 not confirmed by certificate, defaulting to subject DN: C=US, ST=NV, O=allegm
Apr 27 09:34:28 radius02 charon: 05[CFG] added configuration 'host-host'
Apr 27 09:34:28 radius02 pluto[27040]: loaded host cert file '/etc/ipsec.d/certs/radius02Cert.pem' (4066 bytes)
Apr 27 09:34:28 radius02 pluto[27040]: loaded host cert file '/etc/ipsec.d/certs/radius03Cert.pem' (1342 bytes)
Apr 27 09:34:28 radius02 pluto[27040]: added connection description "host-host"
Apr 27 09:34:28 radius02 pluto[27040]: "host-host" #1: initiating Main Mode
Apr 27 09:34:28 radius02 pluto[27040]: "host-host" #1: ignoring Vendor ID payload [strongSwan 4.3.4]
Apr 27 09:34:28 radius02 pluto[27040]: "host-host" #1: ignoring Vendor ID payload [Cisco-Unity]
Apr 27 09:34:28 radius02 pluto[27040]: "host-host" #1: received Vendor ID payload [XAUTH]
Apr 27 09:34:28 radius02 pluto[27040]: "host-host" #1: received Vendor ID payload [Dead Peer Detection]
Apr 27 09:34:28 radius02 pluto[27040]: "host-host" #1: we have a cert but are not sending it
Apr 27 09:34:28 radius02 pluto[27040]: "host-host" #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=NV, O=allegiant, OU=it, CN=radius03, [email protected]'
Apr 27 09:34:28 radius02 pluto[27040]: "host-host" #1: ISAKMP SA established
Apr 27 09:34:28 radius02 pluto[27040]: "host-host" #2: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Apr 27 09:34:28 radius02 pluto[27040]: "host-host" #2: sent QI2, IPsec SA established {ESP=>0xb7e9ba68 <0xd5a6a6f8}
Apr 27 09:34:36 radius02 pluto[27040]: "host-host" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x6e9727c1) not found (maybe expired)
Apr 27 09:34:36 radius02 pluto[27040]: packet from 172.16.0.7:500: ignoring Vendor ID payload [strongSwan 4.3.4]
Apr 27 09:34:36 radius02 pluto[27040]: packet from 172.16.0.7:500: ignoring Vendor ID payload [Cisco-Unity]
Apr 27 09:34:36 radius02 pluto[27040]: packet from 172.16.0.7:500: received Vendor ID payload [XAUTH]
Apr 27 09:34:36 radius02 pluto[27040]: packet from 172.16.0.7:500: received Vendor ID payload [Dead Peer Detection]
Apr 27 09:34:36 radius02 pluto[27040]: "host-host" #3: responding to Main Mode
Apr 27 09:34:36 radius02 pluto[27040]: "host-host" #3: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=NV, O=allegiant, OU=it, CN=radius03, [email protected]'
Apr 27 09:34:36 radius02 pluto[27040]: "host-host" #3: we have a cert but are not sending it
Apr 27 09:34:36 radius02 pluto[27040]: "host-host" #3: sent MR3, ISAKMP SA established
Apr 27 09:34:36 radius02 pluto[27040]: "host-host" #4: responding to Quick Mode
Apr 27 09:34:36 radius02 pluto[27040]: "host-host" #4: IPsec SA established {ESP=>0x6c642987 <0xdf4b4942}
Apr 27 09:36:19 radius02 pluto[27040]: "host-host" #1: received Delete SA payload: replace IPSEC State #4 in 10 seconds
Apr 27 09:36:19 radius02 pluto[27040]: "host-host" #1: received Delete SA(0xb7e9ba68) payload: deleting IPSEC State #2
Apr 27 09:36:19 radius02 pluto[27040]: "host-host" #3: received Delete SA payload: deleting ISAKMP State #3
Apr 27 09:36:19 radius02 pluto[27040]: "host-host" #1: received Delete SA payload: deleting ISAKMP State #1
Apr 27 09:36:23 radius02 pluto[27040]: packet from 172.16.0.7:500: ignoring Vendor ID payload [strongSwan 4.3.4]
Apr 27 09:36:23 radius02 pluto[27040]: packet from 172.16.0.7:500: ignoring Vendor ID payload [Cisco-Unity]
Apr 27 09:36:23 radius02 pluto[27040]: packet from 172.16.0.7:500: received Vendor ID payload [XAUTH]
Apr 27 09:36:23 radius02 pluto[27040]: packet from 172.16.0.7:500: received Vendor ID payload [Dead Peer Detection]
Apr 27 09:36:23 radius02 pluto[27040]: "host-host" #5: responding to Main Mode
Apr 27 09:36:23 radius02 pluto[27040]: "host-host" #5: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=NV, O=allegiant, OU=it, CN=radius03, [email protected]'
Apr 27 09:36:23 radius02 pluto[27040]: "host-host" #5: we have a cert but are not sending it
Apr 27 09:36:23 radius02 pluto[27040]: "host-host" #5: sent MR3, ISAKMP SA established
Apr 27 09:36:23 radius02 pluto[27040]: "host-host" #6: responding to Quick Mode
Apr 27 09:36:24 radius02 pluto[27040]: "host-host" #6: IPsec SA established {ESP=>0x81b70935 <0xc58a0e43}
To: [email protected]
From: Andreas Steffen <[email protected]>
Sent by: users-bounces+eric.hernandez=allegiantair....@lists.strongswan.org
Date: 04/26/2010 09:42PM
Cc: [email protected]
Subject: Re: [strongSwan] failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)
Hi Eric,
the x509, pem, and pkcs1 plugins are missing:
loaded plugins: curl ldap aes des sha1 sha2 md5 random pubkey
openssl gcrypt hmac gmp
If you don't know exactly what the functionality of each plugin
is then you shouldn't use an explicit load = statement for pluto
in strongswan.conf.
Best regards
Andreas
[email protected] wrote:
> Hi,
> I am trying to set up a "host to host" strongSwan solution using
> strongSwan 4.3.4 on OpenSuse 10.2.
>
> I think I have everything set up correctly but I cannot pass encrypted
> traffic between the hosts.
>
> I have two servers radius02 and radius03
>
> I think part of my problems lies in this error
> failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)
>
> Also, do I need some kind of iptables or routing config to make
> everything work? The documentation is unclear.
>
>
>
> config for radius02 -> please note where it says sanitized an IP would
> go there or email address in some cases.
>
> config setup
> crlcheckinterval=180
> strictcrlpolicy=no
>
> conn host-host
> left=%defaultroute
> leftcert=radius02Cert.pem
> leftsendcert=never
> right=sanitized
> rightid="C=US, ST=NV, O=allegiant, OU=it, CN=radius03"
> rightcert=radius03Cert.pem
> auto=start
>
>
> Apr 26 14:55:09 radius02 kernel: imklog 4.4.1, log source = /proc/kmsg
> started.
> Apr 26 14:55:09 radius02 rsyslogd: [origin software="rsyslogd"
> swVersion="4.4.1" x-pid="1619" x-info="http://www.rsyslog.com"] (re)start
> Apr 26 14:55:13 radius02 ipsec_starter[8047]: Starting strongSwan 4.3.4
> IPsec [starter]...
> Apr 26 14:55:13 radius02 modprobe: WARNING: All config files need .conf:
> /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
> Apr 26 14:55:13 radius02 modprobe: WARNING: All config files need .conf:
> /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
> Apr 26 14:55:13 radius02 modprobe: WARNING: All config files need .conf:
> /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
> Apr 26 14:55:13 radius02 modprobe: WARNING: All config files need .conf:
> /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
> Apr 26 14:55:13 radius02 modprobe: WARNING: All config files need .conf:
> /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
> Apr 26 14:55:13 radius02 pluto[8056]: Starting IKEv1 pluto daemon
> (strongSwan 4.3.4) THREADS SMARTCARD VENDORID CISCO_QUIRKS
> Apr 26 14:55:13 radius02 pluto[8056]: loaded plugins: curl ldap aes des
> sha1 sha2 md5 random pubkey openssl gcrypt hmac gmp
> Apr 26 14:55:13 radius02 pluto[8056]: including NAT-Traversal patch
> (Version 0.6c) [disabled]
> Apr 26 14:55:13 radius02 pluto[8056]: failed to load pkcs11 module
> '/usr/lib64/opensc-pkcs11.so'
> Apr 26 14:55:13 radius02 pluto[8056]: Using Linux 2.6 IPsec interface code
> Apr 26 14:55:13 radius02 ipsec_starter[8055]: pluto (8056) started after
> 20 ms
> Apr 26 14:55:13 radius02 charon: 01[DMN] Starting IKEv2 charon daemon
> (strongSwan 4.3.4)
> Apr 26 14:55:13 radius02 charon: 01[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
> *Apr 26 14:55:13 radius02 charon: 01[LIB] failed to create a builder for
> credential type CRED_CERTIFICATE, subtype (1)*
> Apr 26 14:55:13 radius02 charon: 01[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
> Apr 26 14:55:13 radius02 charon: 01[CFG] loading ocsp signer
> certificates from '/etc/ipsec.d/ocspcerts'
> Apr 26 14:55:13 radius02 charon: 01[CFG] loading attribute certificates
> from '/etc/ipsec.d/acerts'
> Apr 26 14:55:13 radius02 charon: 01[CFG] loading crls from
> '/etc/ipsec.d/crls'
> Apr 26 14:55:13 radius02 charon: 01[CFG] loading secrets from
> '/etc/ipsec.secrets'
> Apr 26 14:55:13 radius02 charon: 01[CFG] loaded private key file
> '/etc/ipsec.d/private/strongswanKey.pem'
> Apr 26 14:55:13 radius02 charon: 01[CFG] loaded private key file
> '/etc/ipsec.d/private/radius02Key.pem'
> Apr 26 14:55:13 radius02 charon: 01[DMN] loaded plugins: aes des sha1
> md5 sha2 hmac gmp random pubkey xcbc stroke x509
> Apr 26 14:55:13 radius02 charon: 01[JOB] spawning 16 worker threads
> Apr 26 14:55:13 radius02 ipsec_starter[failed to create a builder for
> credential type CRED_CERTIFICATE, subtype (1)8055]: charon (8069)
> started after 20 ms
> Apr 26 14:55:13 radius02 charon: 05[CFG] received stroke: add connection
> 'host-host'
> Apr 26 14:55:13 radius02 charon: 05[CFG] left nor right host is our
> side, assuming left=local
> Apr 26 14:55:13 radius02 charon: 05[LIB] loaded certificate file
> '/etc/ipsec.d/certs/radius02Cert.pem'
> Apr 26 14:55:13 radius02 charon: 05[LIB] loaded certificate file
> '/etc/ipsec.d/certs/radius03Cert.pem'
> Apr 26 14:55:13 radius02 charon: 05[CFG] peerid C=US, ST=NV,
> O=allegiant, OU=it, CN=radius03 not confirmed by certificate, defaulting
> to subject DN: C=US, ST=NV, O=allegiant, OU=it, CN=radius03,
> [email protected]
> Apr 26 14:55:13 radius02 charon: 05[CFG] added configuration 'host-host'
> Apr 26 14:55:13 radius02 pluto[8056]: Changing to directory
> '/etc/ipsec.d/cacerts'
> Apr 26 14:55:13 radius02 pluto[8056]: loaded CA cert file
> 'strongswanCert.der' (1183 bytes)
> Apr 26 14:55:13 radius02 pluto[8056]: Changing to directory
> '/etc/ipsec.d/aacerts'
> Apr 26 14:55:13 radius02 pluto[8056]: Changing to directory
> '/etc/ipsec.d/ocspcerts'
> Apr 26 14:55:13 radius02 pluto[8056]: Changing to directory
> '/etc/ipsec.d/crls'
> Apr 26 14:55:13 radius02 pluto[8056]: Changing to directory
> '/etc/ipsec.d/acerts'
> Apr 26 14:55:13 radius02 pluto[8056]: listening for IKE messages
> Apr 26 14:55:13 radius02 pluto[8056]: adding interface eth1/eth1
> 172.16.31.5:500
> Apr 26 14:55:13 radius02 pluto[8056]: adding interface lo/lo 127.0.0.2:500
> Apr 26 14:55:13 radius02 pluto[8056]: adding interface lo/lo 127.0.0.1:500
> Apr 26 14:55:13 radius02 pluto[8056]: adding interface lo/lo ::1:500
> Apr 26 14:55:13 radius02 pluto[8056]: loading secrets from
> "/etc/ipsec.secrets"
> Apr 26 14:55:13 radius02 pluto[8056]: loaded private key file
> '/etc/ipsec.d/private/strongswanKey.pem' (1751 bytes)
> Apr 26 14:55:13 radius02 pluto[8056]: loaded private key file
> '/etc/ipsec.d/private/radius02Key.pem' (963 bytes)
> Apr 26 14:55:13 radius02 pluto[8056]: loaded host cert file
> '/etc/ipsec.d/certs/radius02Cert.pem' (4066 bytes)
> Apr 26 14:55:13 radius02 pluto[8056]: loaded host cert file
> '/etc/ipsec.d/certs/radius03Cert.pem' (1342 bytes)
> Apr 26 14:55:13 radius02 pluto[8056]: added connection description
> "host-host"
> Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: initiating Main Mode
> Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: ignoring Vendor ID
> payload [strongSwan 4.3.4]
> Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: ignoring Vendor ID
> payload [Cisco-Unity]
> Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: received Vendor ID
> payload [XAUTH]
> Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: received Vendor ID
> payload [Dead Peer Detection]
> Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: we have a cert but
> are not sending it
> Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: Peer ID is
> ID_DER_ASN1_DN: 'C=US, ST=NV, O=allegiant, OU=it, CN=radius03,
> [email protected]'
> Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: ISAKMP SA established
> Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #2: initiating Quick
> Mode PUBKEY+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #2: sent QI2, IPsec SA
> established {ESP=>0x6d76b463 <0x19a9a64b}
>
> -Eric
======================================================================
Andreas Steffen [email protected]
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
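As an added diagnostic (my code, not from the thread or the strongSwan project), this Python script applies Andreas's check mechanically: it pulls each daemon's `loaded plugins:` line out of the syslog extract, reports which of the x509, pem and pkcs1 plugins he names are absent, and correlates that with the builder error and the SA state. The sample lines are abbreviated from Eric's first log; treating exactly those three plugins as the required set is an assumption taken from the reply.

```python
import re
from typing import Dict, List, Set

# Plugins Andreas names as missing for loading PEM-encoded X.509 credentials
# in strongSwan 4.3.4. Assumption: this set is taken from his reply; other
# plugins may also register credential builders, so absence is a lead, not proof.
REQUIRED_FOR_PEM_CERTS: Set[str] = {"x509", "pem", "pkcs1"}

# Matches both 'pluto[8056]: loaded plugins: ...' and
# 'charon: 01[DMN] loaded plugins: ...' as they appear in the thread's syslog.
PLUGIN_RE = re.compile(
    r"\s(?P<daemon>pluto\[\d+\]|charon): (?:\d+\[DMN\] )?loaded plugins: (?P<plugins>.*)$"
)
BUILDER_ERR = "failed to create a builder for credential type CRED_CERTIFICATE"
SA_UP = "IPsec SA established"

# Abbreviated from Eric's first log in the thread (four lines kept).
SAMPLE_LOG: List[str] = """\
Apr 26 14:55:13 radius02 pluto[8056]: loaded plugins: curl ldap aes des sha1 sha2 md5 random pubkey openssl gcrypt hmac gmp
Apr 26 14:55:13 radius02 charon: 01[LIB] failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)
Apr 26 14:55:13 radius02 charon: 01[DMN] loaded plugins: aes des sha1 md5 sha2 hmac gmp random pubkey xcbc stroke x509
Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #2: sent QI2, IPsec SA established {ESP=>0x6d76b463 <0x19a9a64b}
""".splitlines()


def parse_plugins(lines: List[str]) -> Dict[str, Set[str]]:
    """Return {daemon: set of plugin names} from the 'loaded plugins:' lines."""
    found: Dict[str, Set[str]] = {}
    for line in lines:
        m = PLUGIN_RE.search(line)
        if m:
            daemon = m.group("daemon").split("[")[0]  # 'pluto[8056]' -> 'pluto'
            found[daemon] = set(m.group("plugins").split())
    return found


def missing_plugins(lines: List[str]) -> Dict[str, Set[str]]:
    """Per daemon, which of the required plugins did not load."""
    return {d: REQUIRED_FOR_PEM_CERTS - p for d, p in parse_plugins(lines).items()}


def diagnose(lines: List[str]) -> dict:
    """Correlate plugin gaps with the builder error and the SA outcome.
    Note: an established SA only proves IKE succeeded; whether traffic actually
    enters the tunnel still has to be confirmed on the wire (e.g. with tcpdump)."""
    return {
        "missing": missing_plugins(lines),
        "builder_error": any(BUILDER_ERR in l for l in lines),
        "ipsec_sa_established": any(SA_UP in l for l in lines),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```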
