<div>Hi strongSwan team,</div>
<div> </div>
<div>I am trying to establish a tunnel between two end-points. They do not support pki, so I had to create the certificates using openssl. When I did this, ran "ipsec start" and then checked "ipsec listcacerts", it showed nothing. The following lines are also present in the logs:</div>
<div> </div>
<div>Jan 1 02:44:40 localhost charon: 05[CFG] received stroke: add ca 'strongswan'<br>Jan 1 02:44:40 localhost charon: 05[LIB] loaded certificate file '/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem'<br>
Jan 1 02:44:40 localhost charon: 05[CFG] ca certificate must have ca basic constraint set, discarded<br></div>
<div>Please find below the commands used to create the CA cert:</div>
<div>openssl genrsa -des3 -out cakey.pem 2048<br>openssl req -new -key cakey.pem -out cacert.csr<br>cp cakey.pem cakey.pem.org<br>openssl rsa -in cakey.pem.org -out cakey.pem<br>openssl x509 -req -days 365 -in cacert.csr -signkey cakey.pem -out cacert.pem</div>
<div> </div>
<div>Please find below the required conf files and logs:</div>
<div> </div>
<div><u><strong>End-point1:</strong></u></div>
<div>root@localhost:/root><br>root@localhost:/root> /usr/local/6bin/ipsec start<br>Starting strongSwan 4.3.1 IPsec [starter]...<br>
root@localhost:/root> /usr/local/6bin/ipsec status<br>Security Associations:<br> none<br>root@localhost:/root> tail -40 /var/log/messages<br>
Aug 19 12:03:31 localhost charon: 01[DMN] signal of type SIGINT received. Shutting down<br>Aug 19 12:00:13 localhost charon: 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.1)<br>Aug 19 12:00:13 localhost charon: 01[CFG] loading ca certificates from '/etc/ipsec/certs/ipsec.d/cacerts'<br>
Aug 19 12:00:13 localhost charon: 01[LIB] loaded certificate file '/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem'<br>Aug 19 12:00:13 localhost charon: 01[CFG] ca certificate must have ca basic constraint set, discarded<br>
Aug 19 12:00:13 localhost charon: 01[CFG] loading aa certificates from '/etc/ipsec/certs/ipsec.d/aacerts'<br>Aug 19 12:00:13 localhost charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec/certs/ipsec.d/ocspcerts'<br>
Aug 19 12:00:13 localhost charon: 01[CFG] loading attribute certificates from '/etc/ipsec/certs/ipsec.d/acerts'<br>Aug 19 12:00:13 localhost charon: 01[CFG] loading crls from '/etc/ipsec/certs/ipsec.d/crls'<br>
Aug 19 12:00:13 localhost charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'<br>Aug 19 12:00:14 localhost charon: 01[CFG] loaded private key file '/etc/ipsec/certs/ipsec.d/private/f1key.pem'<br>Aug 19 12:00:14 localhost charon: 01[KNL] listening on interfaces:<br>
Aug 19 12:00:14 localhost charon: 01[KNL] fpn0<br>Aug 19 12:00:14 localhost charon: 01[KNL] fe80::dead:be00:6ef:0<br>Aug 19 12:00:14 localhost charon: 01[KNL] eth0<br>Aug 19 12:00:14 localhost charon: 01[KNL] 192.168.255.97<br>
Aug 19 12:00:14 localhost charon: 01[KNL] fe80::200:0:700:1801<br>Aug 19 12:00:14 localhost charon: 01[KNL] eth1<br>Aug 19 12:00:14 localhost charon: 01[KNL] 169.254.0.71<br>Aug 19 12:00:14 localhost charon: 01[KNL] fe80::200:0:800:1803<br>
Aug 19 12:00:14 localhost charon: 01[KNL] eth2<br>Aug 19 12:00:14 localhost charon: 01[KNL] 169.254.1.71<br>Aug 19 12:00:14 localhost charon: 01[KNL] fe80::40:4300:931:3317<br>Aug 19 12:00:14 localhost charon: 01[KNL] eth3<br>
Aug 19 12:00:14 localhost charon: 01[KNL] 192.168.0.9<br>Aug 19 12:00:14 localhost charon: 01[KNL] fe80::40:4300:a31:331b<br>Aug 19 12:00:14 localhost charon: 01[DMN] loaded plugins: openssl random x509 pubkey hmac xcbc stroke kernel-netlink<br>
Aug 19 12:00:14 localhost charon: 01[JOB] spawning 16 worker threads<br>Aug 19 12:00:14 localhost charon: 02[CFG] received stroke: add ca 'strongswan'<br>Aug 19 12:00:14 localhost charon: 02[LIB] loaded certificate file '/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem'<br>
Aug 19 12:00:14 localhost charon: 02[CFG] ca certificate must have ca basic constraint set, discarded<br>Aug 19 12:00:14 localhost charon: 02[CFG] received stroke: add connection 'sample-with-ca-cert'<br>Aug 19 12:00:14 localhost charon: 02[KNL] getting interface name for 10.58.115.131<br>
Aug 19 12:00:14 localhost charon: 02[KNL] 10.58.115.131 is not a local address<br>Aug 19 12:00:14 localhost charon: 02[KNL] getting interface name for 10.58.115.136<br>Aug 19 12:00:14 localhost charon: 02[KNL] 10.58.115.136 is not a local address<br>
Aug 19 12:00:14 localhost charon: 02[CFG] left nor right host is our side, assuming left=local<br>Aug 19 12:00:14 localhost charon: 02[LIB] loaded certificate file '/etc/ipsec/certs/ipsec.d/certs/f1cert.pem'<br>
Aug 19 12:00:14 localhost charon: 02[CFG] peerid 10.58.115.136 not confirmed by certificate, defaulting to subject DN: C=IN, ST=KA, L=BLR, O=NSN, OU=CIPS, CN=MS, E=ms@nsn.com<br>
Aug 19 12:00:14 localhost charon: 02[CFG] added configuration 'sample-with-ca-cert'<br>root@localhost:/root><br>root@localhost:/root> /usr/local/6bin/ipsec listcacerts<br>
root@localhost:/root> /usr/local/6bin/ipsec listcerts</div>
<div>List of X.509 End Entity Certificates:</div>
<div> subject: "C=IN, ST=KA, L=BLR, O=NSN, OU=CIPS, CN=MS, E=ms@nsn.com"<br> issuer: "C=IN, ST=KA, L=BLR, O=NSN, OU=CIPS, CN=MS, E=ms@nsn.com"<br>
serial: 00:d5:4f:fd:7d:a9:d6:2c:dc<br> validity: not before Jan 01 01:45:22 2000, ok<br> not after Dec 31 01:45:22 2000, ok<br> pubkey: RSA 2048 bits, has private key<br> keyid: e6:67:be:9e:2f:cf:e5:66:ef:92:0c:5c:91:68:d9:52:1b:63:b1:af<br>
subjkey: 2a:5a:45:5d:83:40:34:fc:ba:91:fe:29:13:41:4c:bf:1a:ff:73:d8<br>root@localhost:/root><br>root@localhost:/root> cat /etc/ipsec.conf<br>
# ipsec.conf - strongSwan IPsec configuration file</div>
<div># basic configuration</div>
<div>config setup<br> # plutodebug=all<br> # crlcheckinterval=600<br> strictcrlpolicy=no<br> # cachecrls=yes<br> # nat_traversal=yes<br> charonstart=yes<br> plutostart=no<br>
charondebug="chd 2, knl 2"</div>
<div>ca strongswan<br> cacert=cacert.pem<br> auto=add</div>
<div>conn sample-with-ca-cert<br> left=10.58.115.136<br> leftsubnet=10.58.115.0/25<br> leftcert=f1cert.pem<br> #leftnexthop=10.58.112.1<br> right=10.58.115.131<br>
 rightsubnet=10.58.115.0/25<br> #rightid="C=CH, O=strongSwan, CN=10.58.228.80"<br> keyexchange=ikev2<br> auto=add</div>
<div>root@localhost:/root><br></div>
<div><strong><u>End-point2:</u></strong></div>
<div>root@localhost:/root><br>root@localhost:/root> /usr/local/6bin/ipsec start<br>Starting strongSwan 4.3.1 IPsec [starter]...<br>
root@localhost:/root> /usr/local/6bin/ipsec status<br>Security Associations:<br>sample-with-ca-cert[1]: CONNECTING 10.58.115.131[%any]...10.58.115.136[%any]<br>
sample-with-ca-cert[1]: IKE SPIs: 07431ac18bcde5db_i* 0000000000000000_r<br>root@localhost:/root><br>root@localhost:/root> tail -40 /var/log/messages<br>
Aug 19 12:00:14 localhost charon: 01[KNL] 192.168.255.76<br>Aug 19 12:00:14 localhost charon: 01[KNL] fe80::40:4300:a31:2908<br>Aug 19 12:00:14 localhost charon: 01[KNL] bnet111<br>Aug 19 12:00:14 localhost charon: 01[KNL] 169.254.0.73<br>
Aug 19 12:00:14 localhost charon: 01[KNL] fe80::200:0:b00:1803<br>Aug 19 12:00:14 localhost charon: 01[KNL] bnet222<br>Aug 19 12:00:14 localhost charon: 01[KNL] 169.254.1.73<br>Aug 19 12:00:14 localhost charon: 01[KNL] fe80::40:4300:c31:2904<br>
Aug 19 12:00:14 localhost charon: 01[KNL] bnet333<br>Aug 19 12:00:14 localhost charon: 01[KNL] 192.168.0.11<br>Aug 19 12:00:14 localhost charon: 01[KNL] fe80::40:4300:d31:2908<br>Aug 19 12:00:14 localhost charon: 01[KNL] bnet112<br>
Aug 19 12:00:14 localhost charon: 01[KNL] fe80::200:0:e00:1803<br>Aug 19 12:00:14 localhost charon: 01[KNL] bnet334<br>Aug 19 12:00:14 localhost charon: 01[KNL] fe80::40:4300:f31:2908<br>Aug 19 12:00:14 localhost charon: 01[DMN] loaded plugins: openssl random x509 pubkey hmac xcbc stroke kernel-netlink<br>
Aug 19 12:00:14 localhost charon: 01[JOB] spawning 16 worker threads<br>Aug 19 12:00:14 localhost charon: 17[CFG] received stroke: add ca 'strongswan'<br>Aug 19 12:00:14 localhost charon: 17[LIB] loaded certificate file '/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem'<br>
Aug 19 12:00:14 localhost charon: 17[CFG] ca certificate must have ca basic constraint set, discarded<br>Aug 19 12:00:14 localhost charon: 08[CFG] received stroke: add connection 'sample-with-ca-cert'<br>Aug 19 12:00:14 localhost charon: 08[KNL] getting interface name for 10.58.115.136<br>
Aug 19 12:00:14 localhost charon: 08[KNL] 10.58.115.136 is not a local address<br>Aug 19 12:00:14 localhost charon: 08[KNL] getting interface name for 10.58.115.131<br>Aug 19 12:00:14 localhost charon: 08[KNL] 10.58.115.131 is not a local address<br>
Aug 19 12:00:14 localhost charon: 08[CFG] left nor right host is our side, assuming left=local<br>Aug 19 12:00:14 localhost charon: 08[LIB] loaded certificate file '/etc/ipsec/certs/ipsec.d/certs/f2cert.pem'<br>
Aug 19 12:00:14 localhost charon: 08[CFG] peerid 10.58.115.131 not confirmed by certificate, defaulting to subject DN: C=IN, ST=KA, L=BLR, O=NSN, OU=CIPS, CN=MS, E=ms@nsn.com<br>
Aug 19 12:00:14 localhost charon: 08[CFG] added configuration 'sample-with-ca-cert'<br>Aug 19 12:00:14 localhost charon: 10[CFG] received stroke: initiate 'sample-with-ca-cert'<br>Aug 19 12:00:14 localhost charon: 10[IKE] initiating IKE_SA sample-with-ca-cert[1] to 10.58.115.136<br>
Aug 19 12:00:14 localhost charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>Aug 19 12:00:14 localhost charon: 10[NET] sending packet: from 10.58.115.131[500] to 10.58.115.136[500]<br>
Aug 19 12:00:14 localhost charon: 04[NET] error writing to socket: Invalid argument<br>Aug 19 12:00:18 localhost charon: 12[IKE] retransmit 1 of request with message ID 0<br>Aug 19 12:00:18 localhost charon: 12[NET] sending packet: from 10.58.115.131[500] to 10.58.115.136[500]<br>
Aug 19 12:00:18 localhost charon: 04[NET] error writing to socket: Invalid argument<br>Aug 19 12:00:25 localhost charon: 15[IKE] retransmit 2 of request with message ID 0<br>Aug 19 12:00:25 localhost charon: 15[NET] sending packet: from 10.58.115.131[500] to 10.58.115.136[500]<br>
Aug 19 12:00:25 localhost charon: 04[NET] error writing to socket: Invalid argument<br>root@localhost:/root><br>root@localhost:/root> /usr/local/6bin/ipsec listcacerts<br>
root@localhost:/root> /usr/local/6bin/ipsec listcerts</div>
<div>List of X.509 End Entity Certificates:</div>
<div> subject: "C=IN, ST=KA, L=BLR, O=NSN, OU=CIPS, CN=MS, E=ms@nsn.com"<br> issuer: "C=IN, ST=KA, L=BLR, O=NSN, OU=CIPS, CN=MS, E=ms@nsn.com"<br>
serial: 00:f6:a2:fd:e8:ee:51:e7:22<br> validity: not before Jan 01 01:09:24 2000, ok<br> not after Dec 31 01:09:24 2000, ok<br> pubkey: RSA 2048 bits, has private key<br> keyid: 30:b5:05:c2:27:13:46:d5:61:fe:fa:a7:4b:c7:ea:be:1b:cd:b2:07<br>
subjkey: 5a:d7:fb:ea:55:1f:d3:82:c4:51:48:8e:cc:4b:d3:55:7f:75:8d:91<br>root@localhost:/root> cat /etc/ipsec.conf<br># ipsec.conf - strongSwan IPsec configuration file</div>
<div># basic configuration</div>
<div>config setup<br> # plutodebug=all<br> # crlcheckinterval=600<br> strictcrlpolicy=no<br> # cachecrls=yes<br> # nat_traversal=yes<br> charonstart=yes<br> plutostart=no<br>
charondebug="chd 2, knl 2"</div>
<div>ca strongswan<br> cacert=cacert.pem<br> auto=add</div>
<div>conn sample-with-ca-cert<br> left=10.58.115.131<br> leftsubnet=10.58.115.0/25<br> leftcert=f2cert.pem<br> #leftnexthop=10.58.228.1<br> right=10.58.115.136<br>
 rightsubnet=10.58.115.0/25<br> #rightid="C=CH, O=strongSwan, CN=10.58.112.170"<br> keyexchange=ikev2<br> auto=start</div>
<div>root@localhost:/root><br></div>
<div>I don't know why the message "error writing to socket: Invalid argument" comes up either. Please let me know if I have gone wrong anywhere, or whether there is anything else I need to do.</div>
<div> </div>
<div>Thanks and regards,</div>
<div>Meera <br></div>
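<div>Added example, not part of Meera's post and not strongSwan's own tooling: the log line "ca certificate must have ca basic constraint set, discarded" says charon refused the file in cacerts because it carries no basicConstraints CA:TRUE extension, which is what the post's <code>openssl x509 -req ... -signkey</code> step produces when no extension file is supplied. The script below builds a self-signed CA with a v3_ca extension section, reproduces the signkey-only flow for comparison, and inspects both results with <code>openssl x509 -text</code>. It assumes <code>openssl</code> is on the PATH; the subject names, file names and temporary directory are illustrative.</div>

```shell
#!/bin/sh
# Added example, not from the original post or from strongSwan: build a
# self-signed CA certificate that carries basicConstraints CA:TRUE (the
# extension charon checks before accepting a file from ipsec.d/cacerts),
# reproduce the extension-less signkey flow for comparison, and inspect both.
# Assumptions: openssl is on PATH; subject names, file names and the temp
# directory are illustrative.
set -eu

# Write a minimal OpenSSL config into $1: a [req] DN section plus a
# [v3_ca] section with the extensions a CA certificate needs.
write_cnf() {
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
C = IN
O = Example
CN = Example Root CA

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Print "yes" if the certificate in $1 asserts the CA basic constraint,
# "no" otherwise (the property the discarded cacert.pem lacked).
ca_constraint() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo yes
    else
        echo no
    fi
}

# Key and self-signed CA certificate in one step, with the v3_ca extensions.
# Prints the path of the certificate.
make_ca() {
    write_cnf "$1"
    openssl req -x509 -new -nodes -newkey rsa:2048 \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" -days 365 \
        -config "$1/ca.cnf" -extensions v3_ca >/dev/null 2>&1
    echo "$1/cacert.pem"
}

# The post's flow: CSR, then self-signature with -signkey and no -extfile,
# so no basicConstraints extension is requested. Prints the certificate path.
make_signkey_cert() {
    write_cnf "$1"
    openssl genrsa -out "$1/plainkey.pem" 2048 >/dev/null 2>&1
    openssl req -new -key "$1/plainkey.pem" -out "$1/plain.csr" \
        -config "$1/ca.cnf" -subj "/C=IN/O=Example/CN=Plain" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$1/plain.csr" \
        -signkey "$1/plainkey.pem" -out "$1/plain.pem" >/dev/null 2>&1
    echo "$1/plain.pem"
}

# Stand-alone demo: compare the two flows side by side.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    plain=$(make_signkey_cert "$work")
    ca=$(make_ca "$work")
    echo "signkey flow, CA basic constraint: $(ca_constraint "$plain")"
    echo "v3_ca flow,   CA basic constraint: $(ca_constraint "$ca")"
    rm -rf "$work"
fi
```

<div>charon logs the "ca basic constraint" discard message for any file in cacerts that fails this check, and <code>ipsec listcacerts</code> only shows the certificates it kept, so running <code>ca_constraint</code> against cacert.pem before copying it into place is a quick way to tell the two cases apart.</div>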