[strongSwan-dev] How to configure openssl

Aaron (Bo) Zhang azhang at SonicWALL.com
Mon Mar 28 15:34:31 CEST 2011


Hi Andreas,

I input the command

  ipsec statusall

It shows that:



Status of IKEv2 charon daemon (strongSwan 4.3.6):
  uptime: 4 minutes, since Mar 28 20:00:20 2011
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0
  loaded plugins: aes des sha1 md5 sha2 hmac pkcs1 openssl pem gmp random pubkey xcbc x509 stroke kernel-netlink eap-mschapv2 eap-identity eap-md5 updown
Virtual IP pools (size/online/offline):
  windows7: 255/0/0
Listening IP addresses:
  10.103.49.148
  192.168.169.88
  3ffe:501:ffff::1
Connections:
        test:  10.103.49.148...10.103.49.142
        test:   local:  [10.103.49.148] uses pre-shared key authentication
        test:   remote: [10.103.49.142] uses any authentication
        test:   child:  192.168.169.0/24 === 192.168.168.0/24
Security Associations:
  none



Then I start ipsec with the commands

  ipsec stroke loglevel any 4
  ipsec stroke up test

It only shows:

  initiating IKE_SA test[1] to 10.103.49.142



The log is:

Mar 28 20:00:15 Aaron charon: 15[CFG] stroke message => 313 bytes @ 0xaf30e180

Mar 28 20:00:15 Aaron charon: 15[CFG] received stroke: initiate 'test'
Mar 28 20:00:15 Aaron charon: 07[MGR] created IKE_SA
Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_INIT task
Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_VENDOR task
Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_NATD task
Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_CERT_PRE task
Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_AUTHENTICATE task
Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_CERT_POST task
Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_CONFIG task
Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_AUTH_LIFETIME task
Mar 28 20:00:15 Aaron charon: 07[IKE] queueing CHILD_CREATE task
Mar 28 20:00:15 Aaron charon: 07[IKE] activating new tasks
Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_INIT task
Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_VENDOR task
Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_NATD task
Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_CERT_PRE task
Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_AUTHENTICATE task
Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_CERT_POST task
Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_CONFIG task
Mar 28 20:00:15 Aaron charon: 07[IKE]   activating CHILD_CREATE task
Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_AUTH_LIFETIME task
Mar 28 20:00:15 Aaron charon: 07[IKE] initiating IKE_SA test[1] to 10.103.49.142
Mar 28 20:00:15 Aaron charon: 07[IKE] IKE_SA test[1] state change: CREATED => CONNECTING
Mar 28 20:00:15 Aaron ipsec_starter[26273]: charon has died -- restart scheduled (5sec)
Mar 28 20:00:20 Aaron ipsec_starter[26273]: charon (26347) started after 20 ms



My ipsec.conf is:

config setup
        nat_traversal=yes
        charonstart=yes

conn %default
        authby=secret
        keyexchange=ikev2

conn test
        ike=aes128-sha256-ecp224
        esp=3des-sha1-ecp256
        left=10.103.49.148
        leftid=10.103.49.148
        leftsubnet=192.168.169.0/24
        right=10.103.49.142
        rightid=10.103.49.142
        rightsubnet=192.168.168.0/24
        auto=add



I captured the packets, but got nothing. It seems that it did not send any IKEv2 packet. From the log above, it seems that the charon daemon crashed.

But after I modified the configuration from ecp224 to modp1024, it works fine. So I think there may only be some problem with using the EC group. I am not sure what I should do.



Thanks

--Aaron







-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
Sent: 28 March 2011 18:30
To: Aaron (Bo) Zhang
Cc: dev at lists.strongswan.org
Subject: Re: [strongSwan-dev] How to configure openssl



Hello Aaron,

The linking to the OpenSSL library should be done automatically.
Just make sure that the strongSwan openssl plugin is loaded.
You can verify this with the command

  ipsec statusall

which should produce the following output:

  loaded plugins: curl aes des sha1 sha2 md5 pem pkcs1 gmp x509 openssl revocation random hmac stroke kernel-netlink socket-default updown

If you built strongSwan with --enable-openssl in a source
directory where you first built strongSwan with the default plugins,
make sure to execute

  make clean

before make and make install so that the implicit plugin load list
will be updated and will include the openssl plugin.

A configuration example can be found here:

http://www.strongswan.org/uml/testresults/openssl-ikev2/alg-ecp-high/

Regards

Andreas



On 28.03.2011 11:34, Aaron (Bo) Zhang wrote:
> Hi all,
>
> I want to use the openssl lib to test the ECP group. It is highly
> appreciated that anyone can give me an example. I have built the
> strongswan with the configuration “--enable-openssl” and I also built
> the openssl lib. But I do not know how to link the openssl lib to
> strongswan.
>
> Thanks
>
> --Aaron



======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
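As an added example that is not code from this thread or from strongSwan, the pre-flight check below parses the "loaded plugins:" line of ipsec statusall output and the ike=/esp= proposals of a conn block, and reports every DH group whose providing plugin is not loaded, which is the condition Andreas asks to rule out first. The group-to-plugin mapping (ecp groups only from the openssl plugin, modp groups from gmp or openssl) is an assumption for the strongSwan 4.3.x release discussed here, and the check does not cover the crash Aaron sees with openssl already loaded.

```python
import re

# Assumption for strongSwan 4.3.x: ECP (elliptic curve) DH groups come only
# from the openssl plugin, MODP groups from either the gmp or openssl plugin.
GROUP_PROVIDERS = {"ecp": ("openssl",), "modp": ("gmp", "openssl")}
# DH group tokens as written in ike=/esp= proposals, e.g. ecp224 or modp1024.
DH_GROUP_RE = re.compile(r"^(ecp|modp)\d+\w*$")

def loaded_plugins(statusall_text):
    """Return the plugin names listed on the 'loaded plugins:' line."""
    for line in statusall_text.splitlines():
        m = re.match(r"\s*loaded plugins:\s*(.*)$", line)
        if m:
            return set(m.group(1).split())
    return set()

def proposals(conn_text):
    """Map 'ike'/'esp' to their list of proposal strings from a conn block."""
    found = {}
    for line in conn_text.splitlines():
        m = re.match(r"\s*(ike|esp)\s*=\s*(\S+)", line)
        if m:
            # A trailing '!' marks a strict proposal; it carries no DH group.
            found[m.group(1)] = m.group(2).rstrip("!").split(",")
    return found

def dh_groups(proposal):
    """Extract the DH group tokens from one dash-separated proposal string."""
    return [t for t in proposal.split("-") if DH_GROUP_RE.match(t)]

def check(statusall_text, conn_text):
    """Return (keyword, group, providers) for each DH group lacking a loaded provider."""
    plugins = loaded_plugins(statusall_text)
    problems = []
    for keyword, props in proposals(conn_text).items():
        for prop in props:
            for group in dh_groups(prop):
                providers = GROUP_PROVIDERS[DH_GROUP_RE.match(group).group(1)]
                if not plugins.intersection(providers):
                    problems.append((keyword, group, providers))
    return problems

if __name__ == "__main__":
    # Constructed sample: the thread's plugin list with openssl removed, plus
    # the thread's conn block. Both ECP groups should be reported.
    status = "  loaded plugins: aes des sha1 md5 sha2 hmac pkcs1 pem gmp random x509\n"
    conn = "conn test\n    ike=aes128-sha256-ecp224\n    esp=3des-sha1-ecp256\n"
    for keyword, group, providers in check(status, conn):
        print(f"{keyword}= uses {group} but none of {providers} is loaded")
```

Run it against the real output of ipsec statusall and the conn block from ipsec.conf before initiating the connection; an empty result means every configured DH group has a loaded provider.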