[strongSwan-dev] How to configure openssl

Aaron (Bo) Zhang azhang at SonicWALL.com
Tue Mar 29 04:53:57 CEST 2011


Hi Andreas,



You are so kind to give a quick response. I use the commands:

ipsec start --nofork

ipsec stroke up test

I found that the cause is:

“/usr/local/libexec/ipsec/charon: symbol lookup error: /usr/local/libexec/ipsec/plugins/libstrongswan-openssl.so: undefined symbol: EC_KEY_new_by_curve_name”.

So there may be some link issue with the openssl lib. I built OpenSSL 1.0 myself. Is it possible that the lib is in the wrong place?



Thanks

--Aaron



-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
Sent: 28 March 2011 21:55
To: Aaron (Bo) Zhang
Cc: dev at lists.strongswan.org
Subject: Re: [strongSwan-dev] How to configure openssl



Hi Aaron,



strange, charon is *not* supposed to crash! I'm not
aware that there were any issues with strongSwan 4.3.6
and ECP. Could you generate a core dump with
ulimit -c unlimited and send me the debugger output:



gdb /usr/libexec/ipsec/charon core

>where



Regards



Andreas



On 28.03.2011 15:34, Aaron (Bo) Zhang wrote:

> Hi Andreas,

>

> I input the command,
>
> ipsec statusall
>
> It shows that:

>

>

>

> Status of IKEv2 charon daemon (strongSwan 4.3.6):

>

>   uptime: 4 minutes, since Mar 28 20:00:20 2011

>

>   worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0

>

>   loaded plugins: aes des sha1 md5 sha2 hmac pkcs1 openssl pem gmp

> random pubkey xcbc x509 stroke kernel-netlink eap-mschapv2 eap-identity

> eap-md5 updown

>

> Virtual IP pools (size/online/offline):

>

>   windows7: 255/0/0

>

> Listening IP addresses:

>

>   10.103.49.148

>

>   192.168.169.88

>

>   3ffe:501:ffff::1

>

> Connections:

>

>         test:  10.103.49.148...10.103.49.142

>

>         test:   local:  [10.103.49.148] uses pre-shared key authentication

>

>         test:   remote: [10.103.49.142] uses any authentication

>

>         test:   child:  192.168.169.0/24 === 192.168.168.0/24

>

> Security Associations:

>

>   none

>

>

>

> Then I start the ipsec with the commands
>
>  ipsec stroke loglevel any 4
> ipsec stroke up test
>
> It only shows that:
>
> initiating IKE_SA test[1] to 10.103.49.142
>
> The log is:

>

>

>

> Mar 28 20:00:15 Aaron charon: 15[CFG] stroke message => 313 bytes @

> 0xaf30e180


> Mar 28 20:00:15 Aaron charon: 15[CFG] received stroke: initiate 'test'

>

> Mar 28 20:00:15 Aaron charon: 07[MGR] created IKE_SA

>

> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_INIT task

>

> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_VENDOR task

>

> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_NATD task

>

> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_CERT_PRE task

>

> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_AUTHENTICATE task

>

> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_CERT_POST task

>

> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_CONFIG task

>

> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_AUTH_LIFETIME task

>

> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing CHILD_CREATE task

>

> Mar 28 20:00:15 Aaron charon: 07[IKE] activating new tasks

>

> Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_INIT task

>

> Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_VENDOR task

>

> Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_NATD task

>

> Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_CERT_PRE task

>

> Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_AUTHENTICATE task

>

> Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_CERT_POST task

>

> Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_CONFIG task

>

> Mar 28 20:00:15 Aaron charon: 07[IKE]   activating CHILD_CREATE task

>

> Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_AUTH_LIFETIME task

>

> Mar 28 20:00:15 Aaron charon: 07[IKE] initiating IKE_SA test[1] to

> 10.103.49.142

>

> Mar 28 20:00:15 Aaron charon: 07[IKE] IKE_SA test[1] state change:

> CREATED => CONNECTING

>

> Mar 28 20:00:15 Aaron ipsec_starter[26273]: charon has died -- restart

> scheduled (5sec)

>

> Mar 28 20:00:20 Aaron ipsec_starter[26273]: charon (26347) started after

> 20 ms

>

>

>

> My ipsec.conf is:

>

>

>

>  config setup
>          nat_traversal=yes
>          charonstart=yes
>  conn %default
>          authby=secret
>          keyexchange=ikev2
>  conn test
>          ike=aes128-sha256-ecp224
>          esp=3des-sha1-ecp256
>          left=10.103.49.148
>          leftid=10.103.49.148
>          leftsubnet=192.168.169.0/24
>          right=10.103.49.142
>          rightid=10.103.49.142
>          rightsubnet=192.168.168.0/24
>          auto=add

>

>

>

> I captured the packets, but got nothing. It seems that it did not send
> any IKEv2 packet. From the log above, it seems that the charon daemon crashed.
>
> But after I modify the configuration from ecp224 to modp1024, it works
> fine. So I think there may only be some problems with using the EC group. I
> am not sure what I should do.

>

>

>

> Thanks

>

> --Aaron

>

>

>

>

>

>

>

> -----Original Message-----

> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]

> Sent: 28 March 2011 18:30

> To: Aaron (Bo) Zhang

> Cc: dev at lists.strongswan.org

> Subject: Re: [strongSwan-dev] How to configure openssl

>

>

>

> Hello Aaron,

>

>

>

> the linking to the OpenSSL library should be done automatically.
> Just make sure that the strongSwan openssl plugin is loaded.
> You can verify this with the command

>

>

>

>   ipsec statusall

>

>

>

> which should produce the following output:

>

>

>

>   loaded plugins: curl aes des sha1 sha2 md5 pem pkcs1 gmp x509 openssl
> revocation random hmac stroke kernel-netlink socket-default updown

>

>

>

> If you built strongSwan with --enable-openssl in a source
> directory where you first built strongSwan with the default plugins,
> make sure to execute

>

>

>

>   make clean

>

>

>

> before make and make install so that the implicit plugin load list
> will be updated and will include the openssl plugin.

>

>

>

> A configuration example can be found here:

>

>

>

> http://www.strongswan.org/uml/testresults/openssl-ikev2/alg-ecp-high/

>

>

>

> Regards

>

>

>

> Andreas

>

>

>

> On 28.03.2011 11:34, Aaron (Bo) Zhang wrote:

>

>> Hi all,

>

>>

>

>>

>

>>

>

>> I want to use the openssl lib to test the ECP group. It would be highly
>> appreciated if anyone could give me an example. I have built
>> strongswan with the configuration “--enable-openssl” and I also built
>> the openssl lib. But I do not know how to link the openssl lib to
>> strongswan.

>

>>

>

>>

>

>>

>

>> Thanks

>

>>

>

>> --Aaron



======================================================================

Andreas Steffen                         andreas.steffen at strongswan.org

strongSwan - the Linux VPN Solution!                www.strongswan.org

Institute for Internet Technologies and Applications

University of Applied Sciences Rapperswil

CH-8640 Rapperswil (Switzerland)

===========================================================[ITA-HSR]==
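A diagnostic added here, not from the thread or from strongSwan, for the "undefined symbol: EC_KEY_new_by_curve_name" error above: it checks which libcrypto the dynamic loader actually binds to the openssl plugin (ldd) and whether that library exports the EC symbol (nm -D), which separates "plugin built against an EC-capable OpenSSL, but a different libcrypto is found at runtime" from a genuine link problem. The plugin path is the one from the error message; the symbol default and the helper function names are this example's own assumptions.

```shell
#!/bin/sh
# Added diagnostic (not strongSwan's own). Assumed defaults: the plugin path from
# the error message and the symbol charon could not resolve.
PLUGIN="${1:-/usr/local/libexec/ipsec/plugins/libstrongswan-openssl.so}"
SYMBOL="${2:-EC_KEY_new_by_curve_name}"

# Read ldd output on stdin and print the libcrypto path the loader binds.
# Prints nothing when libcrypto is unresolved ("=> not found").
ldd_libcrypto_path() {
    awk '/libcrypto\.so/ && $3 ~ /^\// { print $3; exit }'
}

# Read `nm -D` output on stdin; return 0 only if SYMBOL is *defined* there
# as a text symbol (type "T"). An undefined reference ("U") does not count.
nm_defines_symbol() {
    awk -v sym="$1" '$2 == "T" && $3 == sym { found = 1 } END { exit !found }'
}

# Live check, run only when the plugin really exists on this host.
if [ -f "$PLUGIN" ]; then
    lib=$(ldd "$PLUGIN" | ldd_libcrypto_path)
    if [ -z "$lib" ]; then
        echo "libcrypto not resolved for $PLUGIN; check ldconfig / LD_LIBRARY_PATH"
    elif nm -D "$lib" | nm_defines_symbol "$SYMBOL"; then
        echo "$lib defines $SYMBOL: the runtime OpenSSL has EC support"
    else
        echo "$lib lacks $SYMBOL: charon binds an OpenSSL without EC (older or built no-ec), not the one the plugin was compiled against"
    fi
fi
```

If the printed path is not the OpenSSL 1.0 you built, the fix is on the loader side (ldconfig entry or LD_LIBRARY_PATH for charon), not in strongSwan's configure step.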