Strongswan 5.4.0 swanctl.conf

Andreas,

when I tried to initiate the connection (swanctl --initiate --child net), I get the following error: "no trusted RSA public key found". I did make peerKey.der based on the following link and copied it to the /etc/swanctl/rsa directory.
https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA

07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
07[IKE] 10.13.199.185 is initiating an IKE_SA
07[IKE] sending cert request for "C=US, O=ARRIS, CN=RPD"
07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
07[NET] sending packet: from 10.13.199.130[500] to 10.13.199.185[500] (289 bytes)
09[NET] received packet: from 10.13.199.185[4500] to 10.13.199.130[4500] (1312 bytes)
09[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
09[IKE] received 1 cert requests for an unknown ca
09[IKE] received end entity cert "C=US, O=ARRIS, CN=RPD"
09[CFG] looking for peer configs matching 10.13.199.130[%any]...10.13.199.185[[email protected]]
09[CFG] selected peer config 'rw'
09[IKE] no trusted RSA public key found for '[email protected] <[email protected]>'
09[IKE] peer supports MOBIKE
09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
09[NET] sending packet: from 10.13.199.130[4500] to 10.13.199.185[4500] (80 bytes)

Thanks,
Rajeev

On Wed, May 11, 2016 at 9:18 AM, Andreas Steffen <[email protected]> wrote:
> Hi Rajeev,
>
> there seems something wrong with your user certificate.
>
> You can configure the charon daemon dynamically using the
> VICI interface. There are VICI bindings for the Perl, Ruby
> and Python script languages which can be used by your
> IPsec management application to communicate with the
> charon daemon. For details have a look at
>
> https://github.com/strongswan/strongswan/blob/master/src/libcharon/plugins/vici/README.md
>
> If you intend to write your management application in C or C++
> then consider the DAVICI library:
>
> https://github.com/strongswan/davici/blob/master/README.md
>
> Regards
>
> Andreas
>
> On 11.05.2016 13:50, rajeev nohria wrote:
> > Andreas,
> >
> > I appreciate helping me out. Now I am making progress with Charon
> > running. Not sure why it was stopping before. I am getting the following
> > error now; I am going over my config files. Hopefully I will find the
> > issue.
> >
> > rnohria@ubuntu:~$ sudo swanctl --load-conns
> > 06[LIB] OpenSSL X.509 parsing failed
> > 06[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
> > loading connection 'rw' failed: invalid value for: certs, config discarded
> > loaded 0 of 1 connections, 1 failed to load, 0 unloaded
> >
> > Question:
> >
> > Can I use Strongswan to make connections dynamically, not via config
> > file? For a config file we need to know the information beforehand. If I don't
> > know all the information beforehand, like local and remote IP address, is
> > there any interface in Strongswan to support dynamic connections?
> >
> > Thanks,
> > Rajeev
> >
> > On Wed, May 11, 2016 at 4:41 AM, Andreas Steffen <[email protected]> wrote:
> > > Hi Rajeev,
> > >
> > > try running charon in the foreground:
> > >
> > > sudo /usr/local/libexec/ipsec/charon
> > >
> > > and check for error messages in the console window.
> > >
> > > Cheers
> > > Andreas
> > >
> > > On 11.05.2016 11:53, rajeev nohria wrote:
> > > > Andreas,
> > > >
> > > > It seems like the Charon daemon is not running. When I run the charon
> > > > command, it immediately stops. Where can I find the charon log to see
> > > > if there is any issue?
> > > >
> > > > rnohria@ubuntu:~$ sudo /usr/local/libexec/ipsec/charon&
> > > > [1] 7272
> > > > rnohria@ubuntu:~$
> > > >
> > > > [1]+  Stopped                 sudo /usr/local/libexec/ipsec/charon
> > > >
> > > > Thanks,
> > > > Rajeev
> > > >
> > > > On Wed, May 11, 2016 at 2:55 AM, Andreas Steffen <[email protected]> wrote:
> > > > > Hi Rajeev,
> > > > >
> > > > > can you check in the charon log if the vici plugin has been loaded?
> > > > > And do you see the charon daemon running in the process status
> > > > > (ps aux | grep charon)?
> > > > >
> > > > > Regards
> > > > >
> > > > > Andreas
> > > > >
> > > > > On 05/11/2016 04:04 AM, rajeev nohria wrote:
> > > > > > Thanks Andreas,
> > > > > >
> > > > > > I ran the charon and also copied the charon script file to /etc/init.d.
> > > > > > Now when I run sudo swanctl --load-conn, I still get the same issue.
> > > > > >
> > > > > > connecting to 'unix:///var/run/charon.vici' failed: No such file or directory
> > > > > > Error: connecting to 'default' URI failed: No such file or directory
> > > > > > strongSwan 5.4.0 swanctl
> > > > > > usage:
> > > > > >   swanctl --load-conns [--raw|--pretty]
> > > > > >     --help (-h)       show usage information
> > > > > >     --raw (-r)        dump raw response message
> > > > > >     --pretty (-P)     dump raw response message in pretty print
> > > > > >     --debug (-v)      set debug level, default: 1
> > > > > >     --options (-+)    read command line options from file
> > > > > >     --uri (-u)        service URI to connect to
> > > > > >
> > > > > > Am I missing any other step?
> > > > > >
> > > > > > Thanks,
> > > > > > Rajeev
> > > > > >
> > > > > > On Tue, May 10, 2016 at 3:59 AM, Andreas Steffen <[email protected]> wrote:
> > > > > > > Hi Rajeev,
> > > > > > >
> > > > > > > is the charon daemon running? If not, either start charon manually:
> > > > > > >
> > > > > > > sudo /usr/local/libexec/ipsec/charon &
> > > > > > >
> > > > > > > or if your Linux distribution still uses upstart, copy the
> > > > > > > following script to /etc/init.d/
> > > > > > >
> > > > > > > https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/testing/hosts/default/etc/init.d/charon
> > > > > > >
> > > > > > > and start the charon daemon in the appropriate runlevels.
> > > > > > >
> > > > > > > If your Linux distribution uses systemd instead, compile and
> > > > > > > install strongSwan with
> > > > > > >
> > > > > > > ./config --enable-systemd
> > > > > > >
> > > > > > > and enable and start the strongswan-swanctl service.
> > > > > > >
> > > > > > > BTW - in order to use the vici socket you must be root. Thus
> > > > > > >
> > > > > > > sudo swanctl --load-conn
> > > > > > >
> > > > > > > Best regards
> > > > > > >
> > > > > > > Andreas
> > > > > > >
> > > > > > > On 09.05.2016 16:34, rajeev nohria wrote:
> > > > > > > > I am a new user of Strongswan and running 5.4.0. After creating
> > > > > > > > certificates and configuring two Ubuntu m/c with Strongswan 5.4.0, I try
> > > > > > > > to create a connection as follows and get an error. Please advise
> > > > > > > > how to resolve the following issue.
> > > > > > > >
> > > > > > > > $swanctl --load-conn
> > > > > > > > connecting to 'unix:///var/run/charon.vici' failed: No such file or directory
> > > > > > > > Error: connecting to 'default' URI failed: No such file or directory
> > > > > > > > strongSwan 5.4.0 swanctl
> > > > > > > > usage:
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > Rajeev
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > Users mailing list
> > > > > > > > [email protected]
> > > > > > > > https://lists.strongswan.org/mailman/listinfo/users
> > > > > > >
> > > > > > > --
> > > > > > > ======================================================================
> > > > > > > Andreas Steffen                         [email protected]
> > > > > > > strongSwan - the Open Source VPN Solution!          www.strongswan.org
> > > > > > > Institute for Internet Technologies and Applications
> > > > > > > University of Applied Sciences Rapperswil
> > > > > > > CH-8640 Rapperswil (Switzerland)
> > > > > > > ===========================================================[ITA-HSR]==
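The "no trusted RSA public key found" line in the log above is charon reporting that it holds no trusted certificate or public key for the peer identity, so it answers IKE_AUTH with AUTH_FAILED; as an added example (not code from the thread or from strongSwan itself) the script below uses the Python VICI bindings Andreas mentions to load a CA certificate, the local key and the 'rw' connection into a running charon and initiate it, which is the dynamic alternative to swanctl.conf that Rajeev asked about. It assumes the `vici` package from the strongSwan source tree is installed and root access to /var/run/charon.vici; addresses, identities and file paths are placeholders, and RecordingSession is a hypothetical offline stand-in for vici.Session.

```python
# Added example, not from the thread. Assumes the strongSwan `vici` Python
# package is installed and we run as root (charon's socket is root-only).
# Addresses, identities and file paths are placeholders.

def build_rw_conn(local_addr, remote_addr, local_cert, local_id, remote_id):
    """VICI load-conn message mirroring a swanctl.conf 'connections.rw' section.
    remote.auth=pubkey makes charon validate the peer cert against a loaded CA
    (or a directly loaded peer cert/pubkey); with none loaded it logs
    "no trusted RSA public key found" and answers IKE_AUTH with N(AUTH_FAILED)."""
    return {"rw": {
        "version": "2", "local_addrs": [local_addr], "remote_addrs": [remote_addr],
        "local": {"auth": "pubkey", "id": local_id, "certs": [local_cert]},
        "remote": {"auth": "pubkey", "id": remote_id},
        "children": {"net": {"local_ts": [local_addr + "/32"],
                             "remote_ts": [remote_addr + "/32"]}}}}

def load_credentials(session, ca_cert, private_key):
    """Hand charon the trust anchor and our key (what swanctl --load-creds does)."""
    session.load_cert({"type": "X509", "flag": "CA", "data": ca_cert})
    session.load_key({"type": "RSA", "data": private_key})

def load_and_initiate(session, conn, child="net"):
    """Load the connection, bring up its child SA, return charon's log lines."""
    session.load_conn(conn)
    # initiate() streams control-log messages (values are bytes); returning them
    # lets the caller spot AUTH_FAILED without reading syslog.
    return [m.get("msg", b"").decode(errors="replace")
            for m in session.initiate({"child": child, "timeout": "10000"})]

class RecordingSession:
    """Hypothetical offline stand-in for vici.Session that just records calls."""
    def __init__(self):
        self.calls = []
    def load_cert(self, cert): self.calls.append(("load-cert", cert))
    def load_key(self, key): self.calls.append(("load-key", key))
    def load_conn(self, conn): self.calls.append(("load-conn", conn))
    def initiate(self, sa):
        self.calls.append(("initiate", sa))
        yield {"group": b"IKE", "msg": b"establishing CHILD_SA net"}

if __name__ == "__main__":
    import vici  # real client; vici.Session() opens unix:///var/run/charon.vici
    s, read = vici.Session(), (lambda p: open(p, "rb").read())
    load_credentials(s, read("/etc/swanctl/x509ca/caCert.pem"),
                     read("/etc/swanctl/rsa/hostKey.pem"))
    print("\n".join(load_and_initiate(s, build_rw_conn(
        "10.13.199.130", "10.13.199.185", read("/etc/swanctl/x509/hostCert.pem"),
        "host@example.org", "rpd@example.org"))))
```

For the file-based route, swanctl --load-creds reads private keys from /etc/swanctl/rsa, end-entity certificates from /etc/swanctl/x509 and CA certificates from /etc/swanctl/x509ca, so a certificate dropped into rsa/ is not picked up as a trust anchor.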
