<div dir="ltr">Andreas,<div><br></div><div>Strongswan 5.4.0</div><div>swanctl.conf</div><div><br></div>
<div>When I tried to initiate the connections (swanctl -initiate --child net), I get the following error: <b>"no trusted RSA public key found"</b></div><div><br></div>
<div>I did make peerKey.der based on the following link and copied it to the /etc/swanctl/rsa directory.</div><div><a href="https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA">https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA</a><br></div><div><br></div>
<div><div>07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]</div><div>07[IKE] 10.13.199.185 is initiating an IKE_SA</div><div>07[IKE] sending cert request for "C=US, O=ARRIS, CN=RPD"</div><div>07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]</div><div>07[NET] sending packet: from 10.13.199.130[500] to 10.13.199.185[500] (289 bytes)</div><div>09[NET] received packet: from 10.13.199.185[4500] to 10.13.199.130[4500] (1312 bytes)</div><div>09[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]</div><div>09[IKE] received 1 cert requests for an unknown ca</div><div>09[IKE] received end entity cert "C=US, O=ARRIS, CN=RPD"</div><div>09[CFG] looking for peer configs matching 10.13.199.130[%any]...10.13.199.185[<a href="mailto:rnohria@arris.com">rnohria@arris.com</a>]</div><div>09[CFG] selected peer config 'rw'</div><div><b>09[IKE] no trusted RSA public key found for '<a href="mailto:rnohria@arris.com">rnohria@arris.com</a>'</b></div><div>09[IKE] peer supports MOBIKE</div><div>09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]</div><div>09[NET] sending packet: from 10.13.199.130[4500] to 10.13.199.185[4500] (80 bytes)</div></div><div><br></div><div> 
Thanks,</div><div>Rajeev</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 11, 2016 at 9:18 AM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Rajeev,<br>
<br>
there seems to be something wrong with your user certificate.<br>
<br>
You can configure the charon daemon dynamically using the<br>
VICI interface. There are VICI bindings for the Perl, Ruby<br>
and Python script languages which can be used by your<br>
IPsec management application to communicate with the<br>
charon daemon. For details have a look at<br>
<br>
<a href="https://github.com/strongswan/strongswan/blob/master/src/libcharon/plugins/vici/README.md" rel="noreferrer" target="_blank">https://github.com/strongswan/strongswan/blob/master/src/libcharon/plugins/vici/README.md</a><br>
<br>
If you intend to write your management application in C or C++<br>
then consider the DAVICI library:<br>
<br>
<a href="https://github.com/strongswan/davici/blob/master/README.md" rel="noreferrer" target="_blank">https://github.com/strongswan/davici/blob/master/README.md</a><br>
<br>
Regards<br>
<span class="HOEnZb"><font color="#888888"><br>
Andreas<br>
</font></span><span class="im HOEnZb"><br>
On 11.05.2016 13:50, rajeev nohria wrote:<br>
> Andreas,<br>
><br>
> I appreciate you helping me out.  Now I am making progress with Charon<br>
> running. Not sure why it was stopping before.  I am getting the following<br>
> error now. I am going over my config files. Hopefully I will find the<br>
> issue.<br>
><br>
> rnohria@ubuntu:~$ sudo swanctl --load-conns<br>
> 06[LIB] OpenSSL X.509 parsing failed<br>
> 06[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders<br>
> loading connection 'rw' failed: invalid value for: certs, config discarded<br>
> loaded 0 of 1 connections, 1 failed to load, 0 unloaded<br>
><br>
><br>
> Question:<br>
><br>
> Can I use Strongswan to make connections dynamically, not via a config<br>
> file? For a config file we need to know the information beforehand. What if I don't<br>
> know all the information beforehand, like the local and remote IP addresses? Is<br>
> there any interface in Strongswan to support dynamic connections?<br>
><br>
> Thanks,<br>
> Rajeev<br>
><br>
><br>
><br>
><br>
><br>
</span><span class="im HOEnZb">> On Wed, May 11, 2016 at 4:41 AM, Andreas Steffen <<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>> wrote:<br>
><br>
>     Hi Rajeev,<br>
><br>
>     try running charon in the foreground:<br>
><br>
>        sudo /usr/local/libexec/ipsec/charon<br>
><br>
>     and check for error messages in the console window.<br>
><br>
>     Cheers Andreas<br>
><br>
>     On 11.05.2016 11:53, rajeev nohria wrote:<br>
><br>
>         Andreas,<br>
><br>
>         It seems like the Charon daemon is not running. When I run the charon<br>
>         command, it immediately stops. Where can I find the charon log to see<br>
>         if there is any issue?<br>
><br>
>         rnohria@ubuntu:~$ sudo /usr/local/libexec/ipsec/charon&<br>
>         [1] 7272<br>
>         rnohria@ubuntu:~$<br>
><br>
>         [1]+  Stopped                 sudo /usr/local/libexec/ipsec/charon<br>
><br>
>         Thanks,<br>
>         Rajeev<br>
><br>
><br>
</span><div class="HOEnZb"><div class="h5">>         On Wed, May 11, 2016 at 2:55 AM, Andreas Steffen <<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>> wrote:<br>
><br>
>             Hi Rajeev,<br>
><br>
>             can you check in the charon log if the vici plugin has been loaded?<br>
>             And do you see the charon daemon running in the process status<br>
>             (ps aux | grep charon)?<br>
><br>
>             Regards<br>
><br>
>             Andreas<br>
><br>
>             On 05/11/2016 04:04 AM, rajeev nohria wrote:<br>
>             > Thanks Andreas,<br>
>             ><br>
>             > I ran the charon and also copied the charon script file to /etc/init.d.<br>
>             > Now when I run sudo swanctl --load-conn, I still get the same issue.<br>
>             > connecting to 'unix:///var/run/charon.vici' failed: No such file or directory<br>
>             > Error: connecting to 'default' URI failed: No such file or directory<br>
>             > strongSwan 5.4.0 swanctl<br>
>             > usage:<br>
>             >   swanctl --load-conns [--raw|--pretty]<br>
>             >            --help            (-h)  show usage information<br>
>             >            --raw             (-r)  dump raw response message<br>
>             >            --pretty          (-P)  dump raw response message in pretty print<br>
>             >            --debug           (-v)  set debug level, default: 1<br>
>             >            --options         (-+)  read command line options from file<br>
>             >            --uri             (-u)  service URI to connect to<br>
>             ><br>
>             ><br>
>             > Am I missing any other step?<br>
>             ><br>
>             > Thanks,<br>
>             > Rajeev<br>
>             ><br>
>             > On Tue, May 10, 2016 at 3:59 AM, Andreas Steffen <<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>> wrote:<br>
>              ><br>
>              >     Hi Rajeev,<br>
>              ><br>
>              >     is the charon daemon running? If not, either start charon manually:<br>
>              ><br>
>              >       sudo /usr/local/libexec/ipsec/charon &<br>
>              ><br>
>              >     or if your Linux distribution still uses upstart, copy the<br>
>              >     following script to /etc/init.d/<br>
>              ><br>
>              >     <a href="https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/testing/hosts/default/etc/init.d/charon" rel="noreferrer" target="_blank">https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/testing/hosts/default/etc/init.d/charon</a><br>
>              ><br>
>              >     and start the charon daemon in the appropriate runlevels.<br>
>              ><br>
>              >     If your Linux distribution uses systemd instead, compile and<br>
>              >     install strongSwan with<br>
>              ><br>
>              >        ./config --enable-systemd<br>
>              ><br>
>              >     and enable and start the strongswan-swanctl service.<br>
>              ><br>
>              >     BTW - in order to use the vici socket you must be root. Thus<br>
>              ><br>
>              >       sudo swanctl --load-conn<br>
>              ><br>
>              >     Best regards<br>
>              ><br>
>              >     Andreas<br>
>              ><br>
>              ><br>
>              >     On 09.05.2016 16:34, rajeev nohria wrote:<br>
>              ><br>
>              >         I am a new user of Strongswan and running 5.4.0. After creating<br>
>              >         certificates and configuring two Ubuntu m/c with Strongswan 5.4.0, I try<br>
>              >         to create a connection as follows and get an error. Please advise, how to<br>
>              >         resolve the following issue?<br>
>              ><br>
>              >         $swanctl --load-conn<br>
>              >         connecting to 'unix:///var/run/charon.vici' failed: No such file or directory<br>
>              >         Error: connecting to 'default' URI failed: No such file or directory<br>
>              >         strongSwan 5.4.0 swanctl<br>
>              >         usage:<br>
>              ><br>
>              ><br>
>              >         Thanks,<br>
>              >         Rajeev<br>
>              ><br>
>              ><br>
>              >         _______________________________________________<br>
>              >         Users mailing list<br>
>              >         <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
>              >         <a href="https://lists.strongswan.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
>             ><br>
>             ><br>
>             >     --<br>
>             >     ======================================================================<br>
>             >     Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>
>             >     strongSwan - the Open Source VPN Solution! <a href="http://www.strongswan.org" rel="noreferrer" target="_blank">www.strongswan.org</a><br>
>             >     Institute for Internet Technologies and Applications<br>
>             >     University of Applied Sciences Rapperswil<br>
>             >     CH-8640 Rapperswil (Switzerland)<br>
>             >     ===========================================================[ITA-HSR]==<br>
>              ><br>
>              ><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
<br>
--<br>
======================================================================<br>
Andreas Steffen                         <a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>
strongSwan - the Open Source VPN Solution!          <a href="http://www.strongswan.org" rel="noreferrer" target="_blank">www.strongswan.org</a><br>
Institute for Internet Technologies and Applications<br>
University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
===========================================================[ITA-HSR]==<br>
<br>
</div></div></blockquote></div><br></div>
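<div>Added example, not part of the original messages or of strongSwan's own code: a small Python triage of the charon log lines from the top message, which extracts the IKE identity, the subject of the received end-entity certificate and the CA named in the local cert request, and flags the points worth checking. It relies on strongSwan accepting an identity only when a trusted certificate carries it as subject DN or subjectAltName; the function name <code>triage</code> and the finding codes are made up for this example.</div>

```python
import re

# Log lines taken from the message above, with the mail client's links stripped.
SAMPLE_LOG = '''\
07[IKE] sending cert request for "C=US, O=ARRIS, CN=RPD"
09[IKE] received 1 cert requests for an unknown ca
09[IKE] received end entity cert "C=US, O=ARRIS, CN=RPD"
09[CFG] selected peer config 'rw'
09[IKE] no trusted RSA public key found for 'rnohria@arris.com'
09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
'''

CERTREQ_SENT = re.compile(r'sending cert request for "([^"]+)"')
UNKNOWN_CA = re.compile(r'received (\d+) cert requests? for an unknown ca')
EE_CERT = re.compile(r'received end entity cert "([^"]+)"')
NO_KEY = re.compile(r"no trusted (\w+) public key found for '([^']+)'")


def triage(log_text):
    """Collect the facts charon logged around a failed public-key lookup."""
    local_cas = CERTREQ_SENT.findall(log_text)    # CAs loaded on this side
    ee_subjects = EE_CERT.findall(log_text)       # certificates the peer sent
    unknown = UNKNOWN_CA.search(log_text)
    failure = NO_KEY.search(log_text)
    report = {"peer_id": None, "key_type": None, "ee_subjects": ee_subjects,
              "local_cas": local_cas, "findings": []}
    if failure is None:
        return report  # no public-key lookup failure in this excerpt
    report["key_type"], report["peer_id"] = failure.groups()
    if ee_subjects and report["peer_id"] not in ee_subjects:
        # The identity is not the subject DN, so it has to appear as a
        # subjectAltName in the peer's certificate.
        report["findings"].append("ID_NOT_SUBJECT_DN")
    if set(ee_subjects) & set(local_cas):
        # The peer's certificate carries the same DN as a CA loaded locally.
        report["findings"].append("EE_SUBJECT_EQUALS_CA_DN")
    if unknown and int(unknown.group(1)) > 0:
        # The peer asked for a certificate issued by a CA not loaded here.
        report["findings"].append("PEER_REQUESTS_UNKNOWN_CA")
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["peer_id"], result["key_type"], result["findings"])
```

Each finding points at a certificate to inspect (for example with `openssl x509 -noout -text`) and is not a verdict on its own.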