Hi Eric,

the pkcs11 module is only required with smart cards. Otherwise you can just ignore the warning.
Usually no route tweaking is required. Only if you have a default INPUT/OUTPUT drop policy then you need the leftfirewall=yes to insert an INPUT/OUTPUT rule pair for the tunneled traffic.

Best regards

Andreas

[email protected] wrote:
> Andreas,
> Correction, I meant OpenSuse 11.2. I have just disabled the custom order.
>
> I changed the order because I could not get charon to work correctly; I had to move stroke further up the order. But now it's working without order manipulation.
>
> Other than the opensc-pkcs11.so error, I seem to be error free now, but still I am not passing encrypted traffic to the other side.
> I am verifying with tcpdump by monitoring mysql traffic.
>
> Do I need some type of routing tweaking or iptables manipulation to pass traffic through the tunnel?
>
> Or is the pkcs11 module error something I must correct first?
>
> Thanks -Eric
>
> Apr 27 09:34:27 radius02 ipsec_starter[27031]: Starting strongSwan 4.3.4 IPsec [starter]...
> Apr 27 09:34:27 radius02 modprobe: WARNING: All config files need .conf: /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
> Apr 27 09:34:27 radius02 modprobe: WARNING: All config files need .conf: /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
> Apr 27 09:34:27 radius02 modprobe: WARNING: All config files need .conf: /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
> Apr 27 09:34:27 radius02 modprobe: WARNING: All config files need .conf: /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
> Apr 27 09:34:27 radius02 modprobe: WARNING: All config files need .conf: /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
> Apr 27 09:34:27 radius02 pluto[27040]: Starting IKEv1 pluto daemon (strongSwan 4.3.4) THREADS SMARTCARD VENDORID CISCO_QUIRKS
> Apr 27 09:34:27 radius02 pluto[27040]: loaded plugins: curl ldap aes des sha1 sha2 md5 random pubkey openssl gcrypt hmac gmp
> Apr 27 09:34:27 radius02 pluto[27040]: including NAT-Traversal patch (Version 0.6c) [disabled]
> Apr 27 09:34:27 radius02 pluto[27040]: failed to load pkcs11 module '/usr/lib64/opensc-pkcs11.so'
> Apr 27 09:34:27 radius02 pluto[27040]: Using Linux 2.6 IPsec interface code
> Apr 27 09:34:27 radius02 ipsec_starter[27039]: pluto (27040) started after 20 ms
> Apr 27 09:34:27 radius02 charon: 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.4)
> Apr 27 09:34:28 radius02 charon: 01[KNL] listening on interfaces:
> Apr 27 09:34:28 radius02 charon: 01[KNL] eth1
> Apr 27 09:34:28 radius02 charon: 01[KNL] 172.16.31.15
> Apr 27 09:34:28 radius02 charon: 01[KNL] fe80::250:56ff:fea0:3ace
> Apr 27 09:34:28 radius02 charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Apr 27 09:34:28 radius02 charon: 01[LIB] loaded certificate file '/etc/ipsec.d/cacerts/strongswanCert.der'
> Apr 27 09:34:28 radius02 charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Apr 27 09:34:28 radius02 charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Apr 27 09:34:28 radius02 charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Apr 27 09:34:28 radius02 charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
> Apr 27 09:34:28 radius02 charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
> Apr 27 09:34:28 radius02 charon: 01[CFG] loaded private key file '/etc/ipsec.d/private/strongswanKey.pem'
> Apr 27 09:34:28 radius02 charon: 01[CFG] loaded private key file '/etc/ipsec.d/private/radius02Key.pem'
> Apr 27 09:34:28 radius02 pluto[27040]: Changing to directory '/etc/ipsec.d/cacerts'
> Apr 27 09:34:28 radius02 pluto[27040]: loaded CA cert file 'strongswanCert.der' (1183 bytes)
> Apr 27 09:34:28 radius02 pluto[27040]: Changing to directory '/etc/ipsec.d/aacerts'
> Apr 27 09:34:28 radius02 pluto[27040]: Changing to directory '/etc/ipsec.d/ocspcerts'
> Apr 27 09:34:28 radius02 pluto[27040]: Changing to directory '/etc/ipsec.d/crls'
> Apr 27 09:34:28 radius02 pluto[27040]: Changing to directory '/etc/ipsec.d/acerts'
> Apr 27 09:34:28 radius02 pluto[27040]: listening for IKE messages
> Apr 27 09:34:28 radius02 pluto[27040]: adding interface eth1/eth1 172.16.31.15:500
> Apr 27 09:34:28 radius02 pluto[27040]: adding interface lo/lo 127.0.0.2:500
> Apr 27 09:34:28 radius02 pluto[27040]: adding interface lo/lo 127.0.0.1:500
> Apr 27 09:34:28 radius02 pluto[27040]: adding interface lo/lo ::1:500
> Apr 27 09:34:28 radius02 pluto[27040]: loading secrets from "/etc/ipsec.secrets"
> Apr 27 09:34:28 radius02 pluto[27040]: loaded private key file '/etc/ipsec.d/private/strongswanKey.pem' (1751 bytes)
> Apr 27 09:34:28 radius02 charon: 01[DMN] loaded plugins: curl ldap aes des sha1 sha2 md5 fips-prf random x509 pubkey openssl gcrypt xcbc hmac gmp kernel-netlink stroke upd
> Apr 27 09:34:28 radius02 charon: 01[JOB] spawning 16 worker threads
> Apr 27 09:34:28 radius02 pluto[27040]: loaded private key file '/etc/ipsec.d/private/radius02Key.pem' (963 bytes)
> Apr 27 09:34:28 radius02 ipsec_starter[27039]: charon (27053) started after 80 ms
> Apr 27 09:34:28 radius02 charon: 05[CFG] received stroke: add connection 'host-host'
> Apr 27 09:34:28 radius02 charon: 05[LIB] loaded certificate file '/etc/ipsec.d/certs/radius02Cert.pem'
> Apr 27 09:34:28 radius02 charon: 05[LIB] loaded certificate file '/etc/ipsec.d/certs/radius03Cert.pem'
> Apr 27 09:34:28 radius02 charon: 05[CFG] peerid C=US, ST=NV, O=allegiant, OU=it, CN=radius03 not confirmed by certificate, defaulting to subject DN: C=US, ST=NV, O=allegm
> Apr 27 09:34:28 radius02 charon: 05[CFG] added configuration 'host-host'
> Apr 27 09:34:28 radius02 pluto[27040]: loaded host cert file '/etc/ipsec.d/certs/radius02Cert.pem' (4066 bytes)
> Apr 27 09:34:28 radius02 pluto[27040]: loaded host cert file '/etc/ipsec.d/certs/radius03Cert.pem' (1342 bytes)
> Apr 27 09:34:28 radius02 pluto[27040]: added connection description "host-host"
> Apr 27 09:34:28 radius02 pluto[27040]: "host-host" #1: initiating Main Mode
> Apr 27 09:34:28 radius02 pluto[27040]: "host-host" #1: ignoring Vendor ID payload [strongSwan 4.3.4]
> Apr 27 09:34:28 radius02 pluto[27040]: "host-host" #1: ignoring Vendor ID payload [Cisco-Unity]
> Apr 27 09:34:28 radius02 pluto[27040]: "host-host" #1: received Vendor ID payload [XAUTH]
> Apr 27 09:34:28 radius02 pluto[27040]: "host-host" #1: received Vendor ID payload [Dead Peer Detection]
> Apr 27 09:34:28 radius02 pluto[27040]: "host-host" #1: we have a cert but are not sending it
> Apr 27 09:34:28 radius02 pluto[27040]: "host-host" #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=NV, O=allegiant, OU=it, CN=radius03, [email protected]'
> Apr 27 09:34:28 radius02 pluto[27040]: "host-host" #1: ISAKMP SA established
> Apr 27 09:34:28 radius02 pluto[27040]: "host-host" #2: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> Apr 27 09:34:28 radius02 pluto[27040]: "host-host" #2: sent QI2, IPsec SA established {ESP=>0xb7e9ba68 <0xd5a6a6f8}
> Apr 27 09:34:36 radius02 pluto[27040]: "host-host" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x6e9727c1) not found (maybe expired)
> Apr 27 09:34:36 radius02 pluto[27040]: packet from 172.16.0.7:500: ignoring Vendor ID payload [strongSwan 4.3.4]
> Apr 27 09:34:36 radius02 pluto[27040]: packet from 172.16.0.7:500: ignoring Vendor ID payload [Cisco-Unity]
> Apr 27 09:34:36 radius02 pluto[27040]: packet from 172.16.0.7:500: received Vendor ID payload [XAUTH]
> Apr 27 09:34:36 radius02 pluto[27040]: packet from 172.16.0.7:500: received Vendor ID payload [Dead Peer Detection]
> Apr 27 09:34:36 radius02 pluto[27040]: "host-host" #3: responding to Main Mode
> Apr 27 09:34:36 radius02 pluto[27040]: "host-host" #3: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=NV, O=allegiant, OU=it, CN=radius03, [email protected]'
> Apr 27 09:34:36 radius02 pluto[27040]: "host-host" #3: we have a cert but are not sending it
> Apr 27 09:34:36 radius02 pluto[27040]: "host-host" #3: sent MR3, ISAKMP SA established
> Apr 27 09:34:36 radius02 pluto[27040]: "host-host" #4: responding to Quick Mode
> Apr 27 09:34:36 radius02 pluto[27040]: "host-host" #4: IPsec SA established {ESP=>0x6c642987 <0xdf4b4942}
> Apr 27 09:36:19 radius02 pluto[27040]: "host-host" #1: received Delete SA payload: replace IPSEC State #4 in 10 seconds
> Apr 27 09:36:19 radius02 pluto[27040]: "host-host" #1: received Delete SA(0xb7e9ba68) payload: deleting IPSEC State #2
> Apr 27 09:36:19 radius02 pluto[27040]: "host-host" #3: received Delete SA payload: deleting ISAKMP State #3
> Apr 27 09:36:19 radius02 pluto[27040]: "host-host" #1: received Delete SA payload: deleting ISAKMP State #1
> Apr 27 09:36:23 radius02 pluto[27040]: packet from 172.16.0.7:500: ignoring Vendor ID payload [strongSwan 4.3.4]
> Apr 27 09:36:23 radius02 pluto[27040]: packet from 172.16.0.7:500: ignoring Vendor ID payload [Cisco-Unity]
> Apr 27 09:36:23 radius02 pluto[27040]: packet from 172.16.0.7:500: received Vendor ID payload [XAUTH]
> Apr 27 09:36:23 radius02 pluto[27040]: packet from 172.16.0.7:500: received Vendor ID payload [Dead Peer Detection]
> Apr 27 09:36:23 radius02 pluto[27040]: "host-host" #5: responding to Main Mode
> Apr 27 09:36:23 radius02 pluto[27040]: "host-host" #5: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=NV, O=allegiant, OU=it, CN=radius03, [email protected]'
> Apr 27 09:36:23 radius02 pluto[27040]: "host-host" #5: we have a cert but are not sending it
> Apr 27 09:36:23 radius02 pluto[27040]: "host-host" #5: sent MR3, ISAKMP SA established
> Apr 27 09:36:23 radius02 pluto[27040]: "host-host" #6: responding to Quick Mode
> Apr 27 09:36:24 radius02 pluto[27040]: "host-host" #6: IPsec SA established {ESP=>0x81b70935 <0xc58a0e43}
>
>
>
> -----users-bounces+eric.hernandez=allegiantair....@lists.strongswan.org wrote: -----
>
> To: [email protected]
> From: Andreas Steffen <[email protected]>
> Sent by: users-bounces+eric.hernandez=allegiantair....@lists.strongswan.org
> Date: 04/26/2010 09:42PM
> Cc: [email protected]
> Subject: Re: [strongSwan] failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)
>
> Hi Eric,
>
> the x509, pem, and pkcs1 plugins are missing:
>
> loaded plugins: curl ldap aes des sha1 sha2 md5 random pubkey openssl gcrypt hmac gmp
>
> If you don't know exactly what the functionality of each plugin is then you shouldn't use an explicit load = statement for pluto in strongswan.conf.
>
> Best regards
>
> Andreas
>
> [email protected] wrote:
> > Hi,
> > I am trying to set up a "host to host" strongswan solution using strongSwan 4.3.4 on OpenSuse 10.2.
> >
> > I think I have everything set up correctly but I cannot pass encrypted traffic between the hosts.
> >
> > I have two servers, radius02 and radius03.
> >
> > I think part of my problem lies in this error:
> > failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)
> >
> > Also, do I need some kind of iptables or routing config to make everything work? The documentation is unclear.
> >
> >
> >
> > config for radius02 -> please note where it says sanitized an IP would go there, or an email address in some cases.
> >
> > config setup
> >         crlcheckinterval=180
> >         strictcrlpolicy=no
> >
> > conn host-host
> >         left=%defaultroute
> >         leftcert=radius02Cert.pem
> >         leftsendcert=never
> >         right=sanitized
> >         rightid="C=US, ST=NV, O=allegiant, OU=it, CN=radius03"
> >         rightcert=radius03Cert.pem
> >         auto=start
> >
> >
> > Apr 26 14:55:09 radius02 kernel: imklog 4.4.1, log source = /proc/kmsg started.
> > Apr 26 14:55:09 radius02 rsyslogd: [origin software="rsyslogd" swVersion="4.4.1" x-pid="1619" x-info="http://www.rsyslog.com"] (re)start
> > Apr 26 14:55:13 radius02 ipsec_starter[8047]: Starting strongSwan 4.3.4 IPsec [starter]...
> > Apr 26 14:55:13 radius02 modprobe: WARNING: All config files need .conf: /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
> > Apr 26 14:55:13 radius02 modprobe: WARNING: All config files need .conf: /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
> > Apr 26 14:55:13 radius02 modprobe: WARNING: All config files need .conf: /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
> > Apr 26 14:55:13 radius02 modprobe: WARNING: All config files need .conf: /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
> > Apr 26 14:55:13 radius02 modprobe: WARNING: All config files need .conf: /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
> > Apr 26 14:55:13 radius02 pluto[8056]: Starting IKEv1 pluto daemon (strongSwan 4.3.4) THREADS SMARTCARD VENDORID CISCO_QUIRKS
> > Apr 26 14:55:13 radius02 pluto[8056]: loaded plugins: curl ldap aes des sha1 sha2 md5 random pubkey openssl gcrypt hmac gmp
> > Apr 26 14:55:13 radius02 pluto[8056]: including NAT-Traversal patch (Version 0.6c) [disabled]
> > Apr 26 14:55:13 radius02 pluto[8056]: failed to load pkcs11 module '/usr/lib64/opensc-pkcs11.so'
> > Apr 26 14:55:13 radius02 pluto[8056]: Using Linux 2.6 IPsec interface code
> > Apr 26 14:55:13 radius02 ipsec_starter[8055]: pluto (8056) started after 20 ms
> > Apr 26 14:55:13 radius02 charon: 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.4)
> > Apr 26 14:55:13 radius02 charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> > *Apr 26 14:55:13 radius02 charon: 01[LIB] failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)*
> > Apr 26 14:55:13 radius02 charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> > Apr 26 14:55:13 radius02 charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> > Apr 26 14:55:13 radius02 charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> > Apr 26 14:55:13 radius02 charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
> > Apr 26 14:55:13 radius02 charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
> > Apr 26 14:55:13 radius02 charon: 01[CFG] loaded private key file '/etc/ipsec.d/private/strongswanKey.pem'
> > Apr 26 14:55:13 radius02 charon: 01[CFG] loaded private key file '/etc/ipsec.d/private/radius02Key.pem'
> > Apr 26 14:55:13 radius02 charon: 01[DMN] loaded plugins: aes des sha1 md5 sha2 hmac gmp random pubkey xcbc stroke x509
> > Apr 26 14:55:13 radius02 charon: 01[JOB] spawning 16 worker threads
> > Apr 26 14:55:13 radius02 ipsec_starter[failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)8055]: charon (8069) started after 20 ms
> > Apr 26 14:55:13 radius02 charon: 05[CFG] received stroke: add connection 'host-host'
> > Apr 26 14:55:13 radius02 charon: 05[CFG] left nor right host is our side, assuming left=local
> > Apr 26 14:55:13 radius02 charon: 05[LIB] loaded certificate file '/etc/ipsec.d/certs/radius02Cert.pem'
> > Apr 26 14:55:13 radius02 charon: 05[LIB] loaded certificate file '/etc/ipsec.d/certs/radius03Cert.pem'
> > Apr 26 14:55:13 radius02 charon: 05[CFG] peerid C=US, ST=NV, O=allegiant, OU=it, CN=radius03 not confirmed by certificate, defaulting to subject DN: C=US, ST=NV, O=allegiant, OU=it, CN=radius03, [email protected]
> > Apr 26 14:55:13 radius02 charon: 05[CFG] added configuration 'host-host'
> > Apr 26 14:55:13 radius02 pluto[8056]: Changing to directory '/etc/ipsec.d/cacerts'
> > Apr 26 14:55:13 radius02 pluto[8056]: loaded CA cert file 'strongswanCert.der' (1183 bytes)
> > Apr 26 14:55:13 radius02 pluto[8056]: Changing to directory '/etc/ipsec.d/aacerts'
> > Apr 26 14:55:13 radius02 pluto[8056]: Changing to directory '/etc/ipsec.d/ocspcerts'
> > Apr 26 14:55:13 radius02 pluto[8056]: Changing to directory '/etc/ipsec.d/crls'
> > Apr 26 14:55:13 radius02 pluto[8056]: Changing to directory '/etc/ipsec.d/acerts'
> > Apr 26 14:55:13 radius02 pluto[8056]: listening for IKE messages
> > Apr 26 14:55:13 radius02 pluto[8056]: adding interface eth1/eth1 172.16.31.5:500
> > Apr 26 14:55:13 radius02 pluto[8056]: adding interface lo/lo 127.0.0.2:500
> > Apr 26 14:55:13 radius02 pluto[8056]: adding interface lo/lo 127.0.0.1:500
> > Apr 26 14:55:13 radius02 pluto[8056]: adding interface lo/lo ::1:500
> > Apr 26 14:55:13 radius02 pluto[8056]: loading secrets from "/etc/ipsec.secrets"
> > Apr 26 14:55:13 radius02 pluto[8056]: loaded private key file '/etc/ipsec.d/private/strongswanKey.pem' (1751 bytes)
> > Apr 26 14:55:13 radius02 pluto[8056]: loaded private key file '/etc/ipsec.d/private/radius02Key.pem' (963 bytes)
> > Apr 26 14:55:13 radius02 pluto[8056]: loaded host cert file '/etc/ipsec.d/certs/radius02Cert.pem' (4066 bytes)
> > Apr 26 14:55:13 radius02 pluto[8056]: loaded host cert file '/etc/ipsec.d/certs/radius03Cert.pem' (1342 bytes)
> > Apr 26 14:55:13 radius02 pluto[8056]: added connection description "host-host"
> > Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: initiating Main Mode
> > Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: ignoring Vendor ID payload [strongSwan 4.3.4]
> > Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: ignoring Vendor ID payload [Cisco-Unity]
> > Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: received Vendor ID payload [XAUTH]
> > Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: received Vendor ID payload [Dead Peer Detection]
> > Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: we have a cert but are not sending it
> > Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=NV, O=allegiant, OU=it, CN=radius03, [email protected]'
> > Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: ISAKMP SA established
> > Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #2: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> > Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #2: sent QI2, IPsec SA established {ESP=>0x6d76b463 <0x19a9a64b}
> >
> > -Eric

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
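A small triage helper for the two startup logs quoted in this thread, added here as an example and not strongSwan's own code: it pulls each daemon's "loaded plugins" list out of the syslog lines, diffs the failing Apr 26 run against the working Apr 27 run, and separates the pkcs11 warning, which the reply above says is harmless without a smart card, from blocking errors such as the CRED_CERTIFICATE builder failure. The log lines are abridged copies from the thread; the regexes and the smartcard_in_use flag are assumptions of this example.

```python
"""Added example (not strongSwan code): triage strongSwan 4.x startup logs from this thread."""
import re

# Assumed line shapes, taken from the syslog excerpts quoted in the thread.
PLUGINS_RE = re.compile(r"\b(?P<daemon>pluto|charon)\b.*?loaded plugins: (?P<plugins>.+)$")
ERROR_RE = re.compile(r"failed to (?:load|create) .+$")

# Per the reply above, this warning only matters when credentials live on a smart card.
BENIGN_WITHOUT_SMARTCARD = ("failed to load pkcs11 module",)

# Abridged lines copied from the first (failing) run on Apr 26.
FAILING_RUN = """\
Apr 26 14:55:13 radius02 pluto[8056]: loaded plugins: curl ldap aes des sha1 sha2 md5 random pubkey openssl gcrypt hmac gmp
Apr 26 14:55:13 radius02 pluto[8056]: failed to load pkcs11 module '/usr/lib64/opensc-pkcs11.so'
Apr 26 14:55:13 radius02 charon: 01[LIB] failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)
Apr 26 14:55:13 radius02 charon: 01[DMN] loaded plugins: aes des sha1 md5 sha2 hmac gmp random pubkey xcbc stroke x509
"""

# Abridged lines copied from the later (working) run on Apr 27.
WORKING_RUN = """\
Apr 27 09:34:27 radius02 pluto[27040]: loaded plugins: curl ldap aes des sha1 sha2 md5 random pubkey openssl gcrypt hmac gmp
Apr 27 09:34:27 radius02 pluto[27040]: failed to load pkcs11 module '/usr/lib64/opensc-pkcs11.so'
Apr 27 09:34:28 radius02 charon: 01[DMN] loaded plugins: curl ldap aes des sha1 sha2 md5 fips-prf random x509 pubkey openssl gcrypt xcbc hmac gmp kernel-netlink stroke upd
"""

def loaded_plugins(log):
    """Map each daemon (pluto/charon) to the set of plugins it reported loading."""
    plugins = {}
    for line in log.splitlines():
        m = PLUGINS_RE.search(line)
        if m:
            plugins[m.group("daemon")] = set(m.group("plugins").split())
    return plugins

def error_lines(log):
    """Return every 'failed to ...' message with the syslog prefix stripped."""
    matches = (ERROR_RE.search(line) for line in log.splitlines())
    return [m.group(0) for m in matches if m]

def is_benign(error, smartcard_in_use=False):
    """The pkcs11 warning is noise unless a smart card holds the credentials."""
    return not smartcard_in_use and error.startswith(BENIGN_WITHOUT_SMARTCARD)

def blocking_errors(log, smartcard_in_use=False):
    """Errors that still need fixing once the known-benign warning is filtered out."""
    return [e for e in error_lines(log) if not is_benign(e, smartcard_in_use)]

def missing_plugins(failing, working):
    """Per daemon, plugins the working run loaded that the failing run did not."""
    bad, good = loaded_plugins(failing), loaded_plugins(working)
    return {daemon: good[daemon] - bad.get(daemon, set()) for daemon in good}
```

Running missing_plugins(FAILING_RUN, WORKING_RUN) shows that pluto's plugin list did not change between the two runs while charon's gained openssl, gcrypt and several others, which is the comparison to make when a builder error appears after an explicit load= line is set.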
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
