<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000066" bgcolor="#FFFFFF">
On 03/19/2018 11:16 AM, Info wrote:<br>
<blockquote type="cite"
cite="mid:183e8533-b400-7af3-48c3-e07783e2c8e2@quantum-equities.com">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
On 03/19/2018 10:45 AM, Tobias Brunner wrote:<br>
<blockquote type="cite"
cite="mid:c5177420-b91d-cec5-00cd-22e95955cf8a@strongswan.org">
<pre wrap="">Hi,
</pre>
<blockquote type="cite">
<pre wrap="">I've made its cert with --san quantum-equities.com,cygnus.darkmatter.org, because the LAN gateway is known outside as quantum-equities.com and the IPSec gateway is known in the LAN as cygnus.darkmatter.org.
</pre>
</blockquote>
<pre wrap="">That syntax is not valid. Just use --san multiple times for each SAN
(as the man page for pki --issue indicates).</pre>
</blockquote>
Thanks, I'll redo the certs again.<br>
<br>
<blockquote type="cite"
cite="mid:c5177420-b91d-cec5-00cd-22e95955cf8a@strongswan.org">
<blockquote type="cite">
<pre wrap="">I also tried to set --dn "C=US, O=Quantum, CN=quantum-equities.com,cygnus.darkmatter.org" -- but strongswan pki wasn't having it so I had to settle for just quantum-equities.com.
</pre>
</blockquote>
<pre wrap="">That's because commas separate RDNs (and `cygnus.darkmatter.org` is no
proper RDN) and strongSwan's DN string parser does not support
multi-value RDNs.</pre>
</blockquote>
It sounds like I can't use multiple --dn's. When my gateway must
validate with machines inside the LAN (as cygnus.darkmatter.org)
and outside (as quantum-equities.com), how can it prove that it's
the right machine if not DNS resolvable by checking CN=? <br>
<br>
And how does the phone prove it is who it is in the Android app
when its IP changes and is not resolvable? The responder has to
take its word for it since it has the private key? If so, why is
--san and --dn required?<br>
<br>
<blockquote type="cite"
cite="mid:c5177420-b91d-cec5-00cd-22e95955cf8a@strongswan.org">
<blockquote type="cite">
<pre wrap=""># swanctl -L
# swanctl -l
(no response, for some reason)
</pre>
</blockquote>
<pre wrap="">Yes, and that reason is: No config has been loaded. Did you run
swanctl --load-conns (-c) or --load-all (-q)?</pre>
</blockquote>
I haven't mentioned this, but I'm running CentOS7 which handles
this in systemd:<br>
ExecStart=/usr/sbin/charon-systemd<br>
ExecStartPost=/usr/sbin/swanctl --load-all --noprompt<br>
<br>
... and yet I still have nothing with <br>
<pre wrap=""># swanctl -L
# swanctl -l
Maybe this is the core of my problem with this horrid "<i>NO_PROPOSAL_CHOSEN</i>" in swanctl. That for some reason configs are not getting loaded?
No idea how to chase this down.
</pre>
</blockquote>
<br>
Even with the daemon started with systemd, I loaded manually.<br>
<br>
# swanctl --load-all<br>
loaded certificate from '/etc/strongswan/swanctl/x509/mars-Cert.pem'<br>
loaded certificate from
'/etc/strongswan/swanctl/x509/sirius-Cert.pem'<br>
loaded certificate from
'/etc/strongswan/swanctl/x509/gemini-Cert.pem'<br>
loaded certificate from
'/etc/strongswan/swanctl/x509/centauri-Cert.pem'<br>
loaded certificate from
'/etc/strongswan/swanctl/x509ca/cygnus-CAcert.pem'<br>
loaded rsa key from '/etc/strongswan/swanctl/private/mars-Key.pem'<br>
no authorities found, 0 unloaded<br>
no pools found, 0 unloaded<br>
no connections found, 0 unloaded<br>
# swanctl -L<br>
# swanctl -l<br>
<br>
Log is attached. Nothing. swanctl -L is to "<i>list loaded
configurations</i>" but I get nothing. This would be why the
remote phone cannot connect and finds no matching configs. There is
nothing related in journalctl, and nothing in charon.log as per the
attached.<br>
<br>
swanctl has no verbose mode, so I can't get more detail. It doesn't
seem to be recognizing my CA cert in x509ca as authoritative.
SELinux is turned off. Since this IPSec gateway can't load its
config it can't work with any remote device. Is this a RedHat bug?<br>
<br>
<br>
<br>
</body>
</html>