<div dir="ltr">Andreas,<div><br></div><div>Strongswan 5.4.0</div><div>swanctl.conf</div><div><br></div><div>When I tried to initiate the connections (swanctl --initiate --child net), I get the following error: <b>"no trusted RSA public key found"</b></div><div><br></div><div>I did make peerKey.der based on the following link and copied it to the /etc/swanctl/rsa directory.</div><div><a href="https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA">https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA</a><br></div><div><br></div><div><div>07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]</div><div>07[IKE] 10.13.199.185 is initiating an IKE_SA</div><div>07[IKE] sending cert request for "C=US, O=ARRIS, CN=RPD"</div><div>07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]</div><div>07[NET] sending packet: from 10.13.199.130[500] to 10.13.199.185[500] (289 bytes)</div><div>09[NET] received packet: from 10.13.199.185[4500] to 10.13.199.130[4500] (1312 bytes)</div><div>09[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]</div><div>09[IKE] received 1 cert requests for an unknown ca</div><div>09[IKE] received end entity cert "C=US, O=ARRIS, CN=RPD"</div><div>09[CFG] looking for peer configs matching 10.13.199.130[%any]...10.13.199.185[<a href="mailto:rnohria@arris.com">rnohria@arris.com</a>]</div><div>09[CFG] selected peer config 'rw'</div><div><b>09[IKE] no trusted RSA public key found for '<a href="mailto:rnohria@arris.com">rnohria@arris.com</a>'</b></div><div>09[IKE] peer supports MOBIKE</div><div>09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]</div><div>09[NET] sending packet: from 10.13.199.130[4500] to 10.13.199.185[4500] (80 bytes)</div></div><div><br></div><div>
Thanks,</div><div>Rajeev</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 11, 2016 at 9:18 AM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Rajeev,<br>
<br>
there seems to be something wrong with your user certificate.<br>
<br>
You can configure the charon daemon dynamically using the<br>
VICI interface. There are VICI bindings for the Perl, Ruby<br>
and Python script languages which can be used by your<br>
IPsec management application to communicate with the<br>
charon daemon. For details have a look at<br>
<br>
<a href="https://github.com/strongswan/strongswan/blob/master/src/libcharon/plugins/vici/README.md" rel="noreferrer" target="_blank">https://github.com/strongswan/strongswan/blob/master/src/libcharon/plugins/vici/README.md</a><br>
<br>
If you intend to write your management application in C or C++<br>
then consider the DAVICI library:<br>
<br>
<a href="https://github.com/strongswan/davici/blob/master/README.md" rel="noreferrer" target="_blank">https://github.com/strongswan/davici/blob/master/README.md</a><br>
<br>
Regards<br>
<span class="HOEnZb"><font color="#888888"><br>
Andreas<br>
</font></span><span class="im HOEnZb"><br>
On 11.05.2016 13:50, rajeev nohria wrote:<br>
> Andreas,<br>
><br>
> I appreciate you helping me out. Now I am making progress with Charon<br>
> running. Not sure why it was stopping before. I am getting the following<br>
> error now; I am going over my config files. Hopefully I will find the<br>
> issue.<br>
><br>
> rnohria@ubuntu:~$ sudo swanctl --load-conns<br>
> 06[LIB] OpenSSL X.509 parsing failed<br>
> 06[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders<br>
> loading connection 'rw' failed: invalid value for: certs, config discarded<br>
> loaded 0 of 1 connections, 1 failed to load, 0 unloaded<br>
><br>
><br>
> Question:<br>
><br>
> Can I use Strongswan to make connections dynamically, not via a config<br>
> file? For the config file we need to know the information beforehand. If I don't<br>
> know all the information beforehand, like the local and remote IP address, is<br>
> there any interface in Strongswan to support dynamic connections?<br>
><br>
> Thanks,<br>
> Rajeev<br>
><br>
><br>
><br>
><br>
><br>
> On Wed, May 11, 2016 at 4:41 AM, Andreas Steffen<br>
</span><span class="im HOEnZb">> <<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>><br>
> wrote:<br>
><br>
> Hi Rajeev,<br>
><br>
> try running charon in the foreground:<br>
><br>
> sudo /usr/local/libexec/ipsec/charon<br>
><br>
> and check for error messages in the console window.<br>
><br>
> Cheers Andreas<br>
><br>
> On 11.05.2016 11:53, rajeev nohria wrote:<br>
><br>
> Andreas,<br>
><br>
> It seems like the Charon daemon is not running. When I run the charon<br>
> command, it immediately stops. Where can I find the charon log to see<br>
> if there is any issue?<br>
><br>
> rnohria@ubuntu:~$ sudo /usr/local/libexec/ipsec/charon&<br>
> [1] 7272<br>
> rnohria@ubuntu:~$<br>
><br>
> [1]+ Stopped sudo /usr/local/libexec/ipsec/charon<br>
><br>
> Thanks,<br>
> Rajeev<br>
><br>
><br>
> On Wed, May 11, 2016 at 2:55 AM, Andreas Steffen<br>
> <<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>><br>
</span><div class="HOEnZb"><div class="h5">> wrote:<br>
><br>
> Hi Rajeev,<br>
><br>
> can you check in the charon log if the vici plugin has been loaded?<br>
> And do you see the charon daemon running in the process status<br>
> (ps aux | grep charon)?<br>
><br>
> Regards<br>
><br>
> Andreas<br>
><br>
> On 05/11/2016 04:04 AM, rajeev nohria wrote:<br>
> > Thanks Andreas,<br>
> ><br>
> > I ran the charon and also copied the charon script file to /etc/init.d.<br>
> > Now when I run sudo swanctl --load-conn, I still get the same issue.<br>
> > connecting to 'unix:///var/run/charon.vici' failed: No such file or directory<br>
> > Error: connecting to 'default' URI failed: No such file or directory<br>
> > strongSwan 5.4.0 swanctl<br>
> > usage:<br>
> > swanctl --load-conns [--raw|--pretty]<br>
> > --help (-h) show usage information<br>
> > --raw (-r) dump raw response message<br>
> > --pretty (-P) dump raw response message in pretty print<br>
> > --debug (-v) set debug level, default: 1<br>
> > --options (-+) read command line options from file<br>
> > --uri (-u) service URI to connect to<br>
> ><br>
> ><br>
> > Am I missing any other step?<br>
> ><br>
> > Thanks,<br>
> > Rajeev<br>
> ><br>
> > On Tue, May 10, 2016 at 3:59 AM, Andreas Steffen<br>
> > <<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>><br>
> > wrote:<br>
> ><br>
> > Hi Rajeev,<br>
> ><br>
> > is the charon daemon running? If not, either start charon manually:<br>
> ><br>
> > sudo /usr/local/libexec/ipsec/charon &<br>
> ><br>
> > or if your Linux distribution still uses upstart, copy the<br>
> > following script to /etc/init.d/<br>
> ><br>
> > <a href="https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/testing/hosts/default/etc/init.d/charon" rel="noreferrer" target="_blank">https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/testing/hosts/default/etc/init.d/charon</a><br>
> ><br>
> > and start the charon daemon in the appropriate runlevels.<br>
> ><br>
> > If your Linux distribution uses systemd instead, compile and<br>
> > install strongSwan with<br>
> ><br>
> > ./configure --enable-systemd<br>
> ><br>
> > and enable and start the strongswan-swanctl service.<br>
> ><br>
> > BTW - in order to use the vici socket you must be root. Thus<br>
> ><br>
> > sudo swanctl --load-conn<br>
> ><br>
> > Best regards<br>
> ><br>
> > Andreas<br>
> ><br>
> ><br>
> > On 09.05.2016 16:34, rajeev nohria wrote:<br>
> ><br>
> > I am a new user of Strongswan and running 5.4.0. After creating<br>
> > certificates and configuring two Ubuntu m/c with Strongswan 5.4.0, I try<br>
> > to create a connection as follows and get an error. Please advise, how to<br>
> > resolve the following issue?<br>
> ><br>
> > $swanctl --load-conn<br>
> > connecting to 'unix:///var/run/charon.vici' failed: No such file or directory<br>
> > Error: connecting to 'default' URI failed: No such file or directory<br>
> > strongSwan 5.4.0 swanctl<br>
> > usage:<br>
> ><br>
> ><br>
> > Thanks,<br>
> > Rajeev<br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > Users mailing list<br>
> > <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
> > <a href="https://lists.strongswan.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
> ><br>
> ><br>
> > --<br>
> > ======================================================================<br>
> > Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>
> > strongSwan - the Open Source VPN Solution! <a href="http://www.strongswan.org" rel="noreferrer" target="_blank">www.strongswan.org</a><br>
> > Institute for Internet Technologies and Applications<br>
> > University of Applied Sciences Rapperswil<br>
> > CH-8640 Rapperswil (Switzerland)<br>
> > ===========================================================[ITA-HSR]==<br>
> ><br>
> ><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
<br>
--<br>
======================================================================<br>
Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>
strongSwan - the Open Source VPN Solution! <a href="http://www.strongswan.org" rel="noreferrer" target="_blank">www.strongswan.org</a><br>
Institute for Internet Technologies and Applications<br>
University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
===========================================================[ITA-HSR]==<br>
<br>
</div></div></blockquote></div><br></div>
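<div>Added example (not part of the original thread and not strongSwan code): a small Python triage of the charon log lines posted at the top of this message. It relies on strongSwan's rule that an IKE identity has to be confirmed by the peer certificate's subject DN or by one of its subjectAltNames; the function names and hint labels are made up for this example.</div>

```python
import re

# charon log lines copied from the message above (mail-client link markup removed).
CHARON_LOG = """\
09[IKE] received 1 cert requests for an unknown ca
09[IKE] received end entity cert "C=US, O=ARRIS, CN=RPD"
09[CFG] looking for peer configs matching 10.13.199.130[%any]...10.13.199.185[rnohria@arris.com]
09[CFG] selected peer config 'rw'
09[IKE] no trusted RSA public key found for 'rnohria@arris.com'
09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

PATTERNS = {
    "cert_dn": re.compile(r'received end entity cert "([^"]+)"'),
    "peer_id": re.compile(
        r"looking for peer configs matching [^\[\s]+\[[^\]]*\]\.\.\.[^\[\s]+\[([^\]]+)\]"),
    "failed_id": re.compile(r"no trusted \w+ public key found for '([^']+)'"),
    "unknown_ca": re.compile(r"received (\d+) cert requests? for an unknown ca"),
}

def extract(log):
    """Return the last value seen for each pattern (None when absent)."""
    found = dict.fromkeys(PATTERNS)
    for line in log.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                found[name] = m.group(1)
    return found

def id_kind(identity):
    """Rough identity type: a DN contains '=', an e-mail ID contains '@'."""
    if "=" in identity:
        return "dn"
    return "email" if "@" in identity else "fqdn"

def norm_dn(dn):
    """Compare DNs without regard to case or spaces after commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def diagnose(log):
    f, hints = extract(log), []
    if f["failed_id"] and f["cert_dn"]:
        if id_kind(f["failed_id"]) != "dn":
            hints.append("id-needs-subjectAltName")  # subject DN cannot confirm it
        elif norm_dn(f["failed_id"]) != norm_dn(f["cert_dn"]):
            hints.append("id-differs-from-subject-dn")
    if f["unknown_ca"]:
        hints.append("peer-requested-unknown-ca")
    return f, hints
```

<div>For the posted log, diagnose(CHARON_LOG) reports that the failing identity is an e-mail address while the received certificate is only known by its subject DN, so the certificate's subjectAltName entries are what to inspect next.</div>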