Thanks for the information Rajiv, <div><br></div><div> As per my previous post i had followed the same steps but with different names right ? Its not working for me :( . Also u have told to copy the responder_key.pem to responder side. Which means we are SHARING A PRIVATE KEY ???? !!!! which should not be done right ??? except this step am following all the steps u have told. Still no luck :(</div>
<div><br></div><div>On Sat, Apr 14, 2012 at 11:48 PM, Rajiv Kulkarni <span dir="ltr"><<a href="mailto:rajivkulkarni69@gmail.com">rajivkulkarni69@gmail.com</a>></span> wrote:</div><div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>Hi</div>
<div> </div>
<div>why dont't you try the below steps (it worked for me):</div>
<div> </div>
<div>1. you will need to first access the following link</div>
<div><a href="http://wiki.strongswan.org/projects/strongswan/repository/entry/src/libcharon/plugins/load_tester/load_tester_creds.c" target="_blank">http://wiki.strongswan.org/projects/strongswan/repository/entry/src/libcharon/plugins/load_tester/load_tester_creds.c</a></div>
<div>and then </div>
<div>- copy the RSA private-key into 2 files and name them "initiator_key.pem" and "responder_key.pem"</div>
<div> </div>
<div>- copy the self-signed cert into 3 files and name them "cacert.pem", "initiator_cert.pem" and "responder_cert.pem"</div>
<div>-----------------------------------------------------------------------------------------------</div>
<div>On the Initiator GW/PC/Machine (enabled with the LoadTester-Plugim)<br>-------------------------------------------------------------------<br>- Please note that the load-tester plugin can only act in and as a road-warrior-client simulator mode. So you should be enabling the load-tester plugin on only the initiator linux-machine running the strongswan package</div>
<div>- The ipsec.conf file on this initiator is NEVER used or NOT required just comment out all config statments</div>
<div>- copy the cacert.pem, initiator_cert.pem and the initiator_key.pem to the respective locations "cacerts", "certs" and "private" under .../ipsec.d/ folder</div>
<div>- in the ipsec.secrets file, include the statement <br>: RSA initiator_key.pem</div>
<div>- The strongswan.conf file should be as below:</div>
<div>------------------------------------------<br>charon {<br> reuse_ikesa = no<br> threads = 32</div>
<div> plugins {<br> load-tester {<br> # enable the plugin<br> enable = yes<br> # example: 10 connections, 5 in parallel<br> initiators = 5<br> iterations = 2<br>
# use a delay of 100ms, overall time is: iterations * delay = 100s<br> delay = 100<br> # address of the gateway<br> remote = 172.17.10.10<br> # IKE-proposal to use<br>
proposal = aes128-sha1-modp1024<br> # use faster PSK authentication instead of 1024bit RSA<br> initiator_auth = pubkey<br> responder_auth = pubkey<br> # request a virtual IP using configuration payloads<br>
request_virtual_ip = yes<br> # disable IKE_SA rekeying (default)<br> ike_rekey = 0<br> # enable CHILD_SA every 60s<br> child_rekey = 60<br> # do not delete the IKE_SA after it has been established (default)<br>
delete_after_established = no<br> # do not shut down the daemon if all IKE_SAs established<br> shutdown_when_complete = no<br> }<br> }<br>}<br>-----------------------------------------------------------</div>
<div>On the Responder GW/PC/Machine<br>******************************<br>- do not enable load-tester plugin here. just configure this machine as a Road-Warrior-VPN-Server</div>
<div> </div>
<div>- the ipsec.conf file shoule be as below:</div>
<div># /etc/ipsec.conf - strongSwan IPsec configuration file</div>
<div>config setup<br> strictcrlpolicy=no<br> crlcheckinterval=180<br> plutostart=no<br> charonstart=yes</div>
<div> </div>
<div>conn %default<br> ikelifetime=60m<br> keylife=30m<br> rekeymargin=3m<br> keyingtries=1<br> keyexchange=ikev2<br> mobike=no</div>
<div> </div>
<div>conn rw-server<br> left=172.17.10.10<br> leftsubnet=<a href="http://192.168.20.0/24" target="_blank">192.168.20.0/24</a><br> right=%any<br> rightsourceip=<a href="http://10.3.0.0/16" target="_blank">10.3.0.0/16</a><br>
leftid="CN=srv, OU=load-test, O=strongSwan"<br>
leftcert=respcert.pem<br> authby=pubkey<br> keyexchange=ikev2<br> type=tunnel<br> auto=add<br>#</div>
<div> </div>
<div>- copy the cacert.pem, responder_cert.pem and responder_key.pem to the respective locations under ipsec.d folder</div>
<div> </div>
<div>- The ipsec.secrets file should have an entry as below:</div>
<div>: RSA responder_key.pem</div>
<div><br>2. That's it, now you start strongswan ipsec on both initiator and responder (first on this) using "ipsec start" or "ipsec start --nofork"</div>
<div> </div>
<div>- you will see that as configured in the strongswan.conf, there will be 10 IKEv2 tunnels established, but ofcourse no ipsec SAs are established, as per design of the plugin</div>
<div> </div>
<div>- also, it did not work for me with PSK (using fqdn) as mentioned in the link below:<br><a href="http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests" target="_blank">http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests</a></div>
<div>---------------------------------------------------------------------------------------------------------------------</div>
<div>As far as i understand, there is no need to create another set of certs, crl, etc.. </div>
<div> </div>
<div>regards</div>
<div>rajiv</div>
<div> </div>
<div>PS:</div>
<div>Just as an aside info and not really used for above setup, your steps to create the required certs are wrong. Use the below instead, if you really want to:</div>
<div> </div>
<div>-----------------------------</div>
<div> </div>
<div>for a new root-ca:</div>
<div> </div>
<div>1. openssl req -new -x509 -config /etc/ssl/openssl.cnf -newkey rsa:1024 -keyout private/cakey.pem -days 3650 -out cacert.pem</div>
<div> </div>
<div>for generating a new-device cert1:</div>
<div>2. openssl req -new -config /etc/ssl/openssl.cnf -nodes -newkey rsa:1024 -keyout private/host1key.pem -days 730 -out host1CSR.pem</div>
<div> </div>
<div>for cert sign by the above root-CA:</div>
<div> </div>
<div>3. openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -out certs/host1cert.pem </div>
<div>-infiles host1CSR.pem<br></div>
<div>now you will need to copy the cacert.pem, host1cert.pem and host1key.pem to the respective locations for strongswan configuration. create another set of host2cert and host2key for the remote host to use</div>
<div> </div>
<div>for subjectAltname, it is initiatlly a long procedure to configure openssl.cnf each time for each device cert to include the subjectaltname...<br></div>
<div>-------------------------------********************************************-------------------------------</div>
<div class="gmail_quote"><div><div></div><div class="h5">On Thu, Apr 12, 2012 at 4:34 PM, Narendra K A <span dir="ltr"><<a href="mailto:naren.ka@gmail.com" target="_blank">naren.ka@gmail.com</a>></span> wrote:<br>
</div></div><blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote"><div><div></div><div class="h5">Hi Everyone,
<div><br></div>
<div> I am using strongswan load tester to load my server. I am trying with option initiator_auth=pubkey in strongswan.conf file. Currently i am trying to use the certificate present in the strongswan load_tester_creds.c file. These are the steps am following. </div>
<div><br></div>
<div>1. Copy the certificate in the load_tester_creds.c file to CACERT.pem, and place it in /etc/ipsec.d/cacerts/ directory and also in /etc/ipsec.d/certs/ directory as initiator_cert.pem file. </div>
<div><br></div>
<div>2. Copy the private key in the load_tester_creds.c file to PRIKEY.pem and place it in /etc/ipsec.d/private/ directory</div>
<div><br></div>
<div>3. Alter the content of /etc/ipsec.secrets file as : RSA PRIKEY.pem</div>
<div><br></div>
<div>4. Create a CSR from the server and sign it with the strongswan CACERT.pem and PRIKEY.pem with the following command</div>
<div> <b>openssl x509 -req -days 365 -in srv.csr -CA CACERT.pem -CAkey PRIKEY.pem -set_serial 01 -out ServCert.pem</b></div>
<div><br></div>
<div>5. Now, create a CRL withe the following command</div>
<div> <b> openssl ca -gencrl -keyfile PRIVKEY.pem -cert CACERT.pem -out strcrl.pem -crldays 30</b></div>
<div><br></div>
<div><b>6. Now IMPORT all the CACERT.pem, ServCert.pem and strcrl.pem on to the server. </b></div>
<div><br></div>
<div>7. Initiate the command ipsec start from the client.</div>
<div><br></div>
<div>After doing all these My server is telling <b><font size="4">Certificate not found. !!!!!</font></b></div>
<div><br></div>
<div>Also, CSR of the server contains a subjectAltName, but when i extracted the information <b>(openssl x509 -text -in ca-cer.pem)</b> from the strongswan certificate <b>IT WAS NOT HAVING</b> subjectAltName. </div>
<div><br></div>
<div>Can i somehow add subjectAltName to strongswan certificate ? or can i create a CSR from strongswan side ? </div>
<div><br></div>
<div>Also i enabled the detailed logs in ipsec.conf, i can see NO ERRORS in the log, but after IKE_SA_INIT, i can see strongswan is sending IKE_AUTH (5 times since retransmit_tries=5 ) and telling peer not responding. In the server side it is telling Certificate not found !!. </div>
<div><br></div>
<div>Please help me to solve this problem. </div><br></div></div>_______________________________________________<br>Users mailing list<br><a href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a><br>
<a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
</blockquote></div><br>
</blockquote></div><br></div>