<div dir="ltr">I am all set after adding libatomic.so.1 in lib directory. </div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 4, 2016 at 3:05 PM, rajeev nohria <span dir="ltr"><<a href="mailto:rajnohria@gmail.com" target="_blank">rajnohria@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Andreas,<div><br><div>Thank you for all your help.  I have compiled the Strongswan with petalinux .  Whenever I run the charon I get the following error. Is there any flag I can add in makefile to get this fixed? </div></div><div><br></div><div><div>#charon</div><div>charon: error while loading shared libraries: libatomic.so.1: cannot open shared object file: No such file or directory</div></div><div><br></div><div>Thanks,</div><div>Rajeev</div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 16, 2016 at 4:33 AM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.<wbr>org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Rajeev,<br>
<br>
yes, you have to load the private key file in your management tool<br>
and transfer it via the VICI interface as a binary blob.<br>
<br>
Regards<br>
<br>
Andreas<br>
<span><br>
On 15.09.2016 21:20, rajeev nohria wrote:<br>
> Anderas,<br>
><br>
> When using davici-<br>
> For the loading of private rsa keys, that has to be loaded like the<br>
> certificate?<br>
><br>
> Thanks,<br>
> Rajeev<br>
><br>
> On Thu, Sep 15, 2016 at 3:19 PM, rajeev nohria <<a href="mailto:rajnohria@gmail.com" target="_blank">rajnohria@gmail.com</a><br>
</span><span>> <mailto:<a href="mailto:rajnohria@gmail.com" target="_blank">rajnohria@gmail.com</a>>> wrote:<br>
><br>
>     Anderas,<br>
><br>
>     For the loading of private rsa keys, that has to be loaded like the<br>
>     certificate?<br>
><br>
>     Thanks,<br>
>     Rajeev<br>
><br>
>     On Thu, Aug 4, 2016 at 12:16 AM, Andreas Steffen<br>
>     <<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.o<wbr>rg</a><br>
</span><div><div class="m_-1140093366151399082h5">>     <mailto:<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@stron<wbr>gswan.org</a>>> wrote:<br>
><br>
>         Hi Rajeev,<br>
><br>
>         different to the stroke protocol and ipsec.conf where the filename<br>
>         of the certificate gets transferred via the stroke socket and the<br>
>         charon daemon loads the certificate, vici transfers the certificate<br>
>         itself either as a binary DER or a base64-endocded PEM blob. Thus<br>
>         your management application has to load the certificate and transfer<br>
>         it over the vici socket using davici.<br>
><br>
>         Regards<br>
><br>
>         Andreas<br>
><br>
>         On 04.08.2016 05:03, rajeev nohria wrote:<br>
>         > Thanks Andreas,<br>
>         ><br>
>         > It worked, I know started to implement in Davici. I had PSK working in<br>
>         > Davici. With certificates, I am having  following issue during<br>
>         > parse_certs().<br>
>         ><br>
>         > 09[LIB]   file coded in unknown format, discarded<br>
>         > 09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders<br>
>         ><br>
>         ><br>
>         ><br>
>         > Corresponding code is for Davici is<br>
>         >         davici_list_start(r,"certs");<br>
>         ><br>
>         > davici_list_itemf(r,"%s","/usr<wbr>/local/etc/swanctl/x509/hostCe<wbr>rt.pem");<br>
>         >         davici_list_end(r);<br>
>         ><br>
>         ><br>
>         > I have tried file name with and without path.<br>
>         ><br>
>         > certs = hostCert.pem worked in swanctl.conf as attached in previous email.<br>
>         ><br>
>         ><br>
>         > Do you know what could be issue here? Looks like software is not able to<br>
>         > recognize the pem format but again it worked when using swanctl.conf file.<br>
>         ><br>
>         > Thanks,<br>
>         > Rajeev<br>
>         ><br>
>         ><br>
>         > On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen<br>
>         > <<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.or<wbr>g</a><br>
>         <mailto:<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@stron<wbr>gswan.org</a>><br>
</div></div>>         <mailto:<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@stron<wbr>gswan.org</a><br>
<div><div class="m_-1140093366151399082h5">>         <mailto:<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@stron<wbr>gswan.org</a>>>><br>
>         > wrote:<br>
>         ><br>
>         >     Hi,<br>
>         ><br>
>         >     according to your log, the initiator and responder create<br>
>         their<br>
>         >     own Root CA certificate and store it locally in<br>
>         >     /usr/local/etc/swanctl/<wbr>x509ca. Therefore it is not surprising<br>
>         >     that no trust into the received host certificate can be<br>
>         established<br>
>         >     because it has been signed with the private key of a different<br>
>         >     root CA (although the Distinguished Name of the issuer is<br>
>         the same).<br>
>         ><br>
>         >     Fix: Generate only one private key and matching self-signed<br>
>         >     Root CA certificate. Use the private Root CA key to sign both<br>
>         >     initiator and responder host certificates and deploy the<br>
>         Root CA<br>
>         >     certificate on both hosts.<br>
>         ><br>
>         >     Best regards<br>
>         ><br>
>         >     Andreas<br>
>         ><br>
>         >     On 01.08.2016 21:24, rajeev nohria wrote:<br>
>         >     ><br>
>         >     > I was able to establish IKE connection using PSK but<br>
>         when using pubkey I<br>
>         >     > am not able to able to establish the IKE connection.<br>
>         >     ><br>
>         >     > When I issue sudo swanctl --initiate --child net<br>
>         >     ><br>
>         >     ><br>
>         >     > At receptor, it returns the Auth_failed.  Please see the<br>
>         swanctl.conf,<br>
>         >     > strongswan.conf and charon.log.<br>
>         >     ><br>
>         >     > Aug  1 12:09:21 12[CFG] <rw|1> no issuer certificate<br>
>         found for "C=US,<br>
>         >     > ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"<br>
>         >     > Aug  1 12:09:21 12[IKE] <rw|1> no trusted RSA public key<br>
>         found for<br>
>         >     > '10.13.199.185'<br>
>         >     > Aug  1 12:09:21 12[IKE] <rw|1> peer supports MOBIKE<br>
>         >     > Aug  1 12:09:21 12[ENC] <rw|1> added payload of type<br>
>         NOTIFY to message<br>
>         >     > Aug  1 12:09:21 12[ENC] <rw|1> order payloads in message<br>
>         >     > Aug  1 12:09:21 12[ENC] <rw|1> added payload of type<br>
>         NOTIFY to message<br>
>         >     > Aug  1 12:09:21 12[ENC] <rw|1> generating IKE_AUTH<br>
>         response 1 [<br>
>         >     > N(AUTH_FAILED) ]<br>
>         >     ><br>
>         >     > I used following commands to create certificates.<br>
>         >     ><br>
>         >     > *Initiator:*<br>
>         >     > -----------<br>
>         >     ><br>
>         >     > sudo ipsec pki --gen --type rsa --size 4096 --outform pem ><br>
>         >     > /usr/local/etc/swanctl/rsa/str<wbr>ongswanKey.pem<br>
>         >     ><br>
>         >     ><br>
>         >     > sudo chmod 600  /usr/local/etc/swanctl/rsa/str<wbr>ongswanKey.pem<br>
>         >     ><br>
>         >     ><br>
>         >     > sudo ipsec pki --self --ca --in<br>
>         >     > /usr/local/etc/swanctl/rsa/str<wbr>ongswanKey.pem --digest<br>
>         sha256 --dn "C=US,<br>
>         >     > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem ><br>
>         >     > /usr/local/etc/swanctl/x509ca/<wbr>strongswanCert.pem<br>
>         >     ><br>
>         >     ><br>
>         >     > sudo ipsec pki --print --in<br>
>         /usr/local/etc/swanctl/<wbr>x509ca/strongswanCert.pem<br>
>         >     ><br>
>         >     ><br>
>         >     > sudo ipsec pki --gen --type rsa --size 4096 --outform pem ><br>
>         >     > /usr/local/etc/swanctl/rsa/hos<wbr>tKey.pem<br>
>         >     ><br>
>         >     ><br>
>         >     > sudo chmod 600 /usr/local/etc/swanctl/rsa/hos<wbr>tKey.pem<br>
>         >     ><br>
>         >     ><br>
>         >     ><br>
>         >     > sudo ipsec pki --pub --in<br>
>         /usr/local/etc/swanctl/rsa/ho<wbr>stKey.pem --type<br>
>         >     > rsa | ipsec pki --issue --digest sha256 --cacert<br>
>         >     > /usr/local/etc/swanctl/x509ca/<wbr>strongswanCert.pem --cakey<br>
>         >     > /usr/local/etc/swanctl/rsa/str<wbr>ongswanKey.pem --dn "C=US,<br>
>         ST=MA,<br>
>         >     > L=Lowell, O=Arris, CN=10.13.199.185" --san<br>
>         10.13.199.185  pem ><br>
>         >     > /usr/local/etc/swanctl/x509/ho<wbr>stCert.pem<br>
>         >     ><br>
>         >     ><br>
>         >     > Receptor:<br>
>         >     > --------------<br>
>         >     > *<br>
>         >     > *<br>
>         >     > *sudo ipsec pki --gen --type rsa --size 4096 --outform pem ><br>
>         >     > /usr/local/etc/swanctl/rsa/str<wbr>ongswanKey.pem*<br>
>         >     > *<br>
>         >     > *<br>
>         >     > *sudo chmod 600<br>
>         /usr/local/etc/swanctl/rsa/st<wbr>rongswanKey.pem*<br>
>         >     > *<br>
>         >     > *<br>
>         >     > *sudo ipsec pki --self --ca --in<br>
>         >     > /usr/local/etc/swanctl/rsa/str<wbr>ongswanKey.pem --digest<br>
>         sha256 --dn "C=US,<br>
>         >     > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem ><br>
>         >     > /usr/local/etc/swanctl/x509ca/<wbr>strongswanCert.pem*<br>
>         >     > *<br>
>         >     > *<br>
>         >     > *sudo ipsec pki --print --in<br>
>         >     > /usr/local/etc/swanctl/x509ca/<wbr>strongswanCert.pem*<br>
>         >     > *<br>
>         >     > *<br>
>         >     > *sudo ipsec pki --gen --type rsa --size 4096 --outform pem ><br>
>         >     > /usr/local/etc/swanctl/rsa/hos<wbr>tKey.pem*<br>
>         >     > *<br>
>         >     > *<br>
>         >     > *sudo chmod 600 /usr/local/etc/swanctl/rsa/hos<wbr>tKey.pem*<br>
>         >     ><br>
>         >     > *sudo ipsec pki --pub --in<br>
>         /usr/local/etc/swanctl/rsa/ho<wbr>stKey.pem<br>
>         >     --type<br>
>         >     > rsa | ipsec pki --issue --digest sha256 --cacert<br>
>         >     > /usr/local/etc/swanctl/x509ca/<wbr>strongswanCert.pem --cakey<br>
>         >     > /usr/local/etc/swanctl/rsa/str<wbr>ongswanKey.pem --dn "C=US,<br>
>         ST=MA,<br>
>         >     > L=Lowell, O=Arris, CN=10.13.199.130" --san 10.13.199.130<br>
>         --outform pem ><br>
>         >     > /usr/local/etc/swanctl/x509/ho<wbr>stCert.pem*<br>
><br>
>         =============================<wbr>==============================<wbr>===========<br>
>         Andreas Steffen<br>
>          <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a><br>
</div></div>>         <mailto:<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@stron<wbr>gswan.org</a>><br>
<span>>         strongSwan - the Open Source VPN Solution!<br>
</span>>         <a href="http://www.strongswan.org" rel="noreferrer" target="_blank">www.strongswan.org</a> <<a href="http://www.strongswan.org" rel="noreferrer" target="_blank">http://www.strongswan.org</a>><br>
<span>>         Institute for Internet Technologies and Applications<br>
>         University of Applied Sciences Rapperswil<br>
>         CH-8640 Rapperswil (Switzerland)<br>
>         =============================<wbr>==============================<wbr>[ITA-HSR]==<br>
><br>
><br>
><br>
<br>
</span>--<br>
<div class="m_-1140093366151399082HOEnZb"><div class="m_-1140093366151399082h5">==============================<wbr>==============================<wbr>==========<br>
Andreas Steffen                         <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.<wbr>org</a><br>
strongSwan - the Open Source VPN Solution!          <a href="http://www.strongswan.org" rel="noreferrer" target="_blank">www.strongswan.org</a><br>
Institute for Internet Technologies and Applications<br>
University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
==============================<wbr>=============================[<wbr>ITA-HSR]==<br>
<br>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>