[strongSwan-dev] How to configure openssl
Andreas Steffen
andreas.steffen at strongswan.org
Tue Mar 29 05:53:29 CEST 2011
Hello Aaron,
your openssl-1.0 library was compiled without ECC support.
You have to recompile it with the appropriate options.
Regards
Andreas
On 03/29/2011 04:53 AM, Aaron (Bo) Zhang wrote:
> Hi Andreas,
>
>
>
> You are so kindly to give quick response. I use the command:
>
>
>
> ipsec start --nofork
>
> ipsec stroke up test
>
>
>
> I found the cause that is
>
> “/usr/local/libexec/ipsec/charon: symbol lookup error:
> /usr/local/libexec/ipsec/plugins/libstrongswan-openssl.so: undefined
> symbol: EC_KEY_new_by_curve_name”.
>
>
>
> So there may be some link issue for openssl lib. I built the OpenSSL 1.0
> by myself. Is it possible the lib is in the wrong place??
>
>
>
> Thanks
>
> --Aaron
>
>
>
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: 2011年3月28日21:55
> To: Aaron (Bo) Zhang
> Cc: dev at lists.strongswan.org
> Subject: Re: [strongSwan-dev] How to configure openssl
>
>
>
> Hi Aaron,
>
>
>
> strange, charon is *not* supposed to crash! I'm not
>
> aware that there were any issues with strongSwan 4.3.6
>
> and ECP. Could you generate a core dump with
>
> ulimit -c unlimited and send me the debugger output:
>
>
>
> gdb /usr/libexec/ipsec/charon core
>
>>where
>
>
>
> Regards
>
>
>
> Andreas
>
>
>
> On 28.03.2011 15:34, Aaron (Bo) Zhang wrote:
>
>> Hi Andreas,
>
>>
>
>> I input the command,
>
>>
>
>>
>
>>
>
>> ipsec statusal
>
>>
>
>>
>
>>
>
>> It show that:
>
>>
>
>>
>
>>
>
>> Status of IKEv2 charon daemon (strongSwan 4.3.6):
>
>>
>
>> uptime: 4 minutes, since Mar 28 20:00:20 2011
>
>>
>
>> worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0
>
>>
>
>> loaded plugins: aes des sha1 md5 sha2 hmac pkcs1 openssl pem gmp
>
>> random pubkey xcbc x509 stroke kernel-netlink eap-mschapv2 eap-identity
>
>> eap-md5 updown
>
>>
>
>> Virtual IP pools (size/online/offline):
>
>>
>
>> windows7: 255/0/0
>
>>
>
>> Listening IP addresses:
>
>>
>
>> 10.103.49.148
>
>>
>
>> 192.168.169.88
>
>>
>
>> 3ffe:501:ffff::1
>
>>
>
>> Connections:
>
>>
>
>> test: 10.103.49.148...10.103.49.142
>
>>
>
>> test: local: [10.103.49.148] uses pre-shared key authentication
>
>>
>
>> test: remote: [10.103.49.142] uses any authentication
>
>>
>
>> test: child: 192.168.169.0/24 === 192.168.168.0/24
>
>>
>
>> Security Associations:
>
>>
>
>> none
>
>>
>
>>
>
>>
>
>> Then I start the ipsec with the command
>
>>
>
>>
>
>>
>
>> ipsec stroke loglevel any 4
>
>>
>
>> ipsec stroke up test
>
>>
>
>>
>
>>
>
>> It only show that:
>
>>
>
>> initiating IKE_SA test[1] to 10.103.49.142
>
>>
>
>>
>
>>
>
>> The log is :
>
>>
>
>>
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 15[CFG] stroke message => 313 bytes @
>
>> 0xaf30e180
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 0: 39 01 00 00 00 00 00 00 01
>
>> 00 00 00 34 01 00 00 9...........4...
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 16: 00 00 00 00 00 00 00 00 00
>
>> 00 00 00 00 00 00 00 ................
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 32: 00 00 00 00 00 00 00 00 00
>
>> 00 00 00 00 00 00 00 ................
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 48: 00 00 00 00 00 00 00 00 00
>
>> 00 00 00 00 00 00 00 ................
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 64: 00 00 00 00 00 00 00 00 00
>
>> 00 00 00 00 00 00 00 ................
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 80: 00 00 00 00 00 00 00 00 00
>
>> 00 00 00 00 00 00 00 ................
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 96: 00 00 00 00 00 00 00 00 00
>
>> 00 00 00 00 00 00 00 ................
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 112: 00 00 00 00 00 00 00 00 00
>
>> 00 00 00 00 00 00 00 ................
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 128: 00 00 00 00 00 00 00 00 00
>
>> 00 00 00 00 00 00 00 ................
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 144: 00 00 00 00 00 00 00 00 00
>
>> 00 00 00 00 00 00 00 ................
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 160: 00 00 00 00 00 00 00 00 00
>
>> 00 00 00 00 00 00 00 ................
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 176: 00 00 00 00 00 00 00 00 00
>
>> 00 00 00 00 00 00 00 ................
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 192: 00 00 00 00 00 00 00 00 00
>
>> 00 00 00 00 00 00 00 ................
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 208: 00 00 00 00 00 00 00 00 00
>
>> 00 00 00 00 00 00 00 ................
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 224: 00 00 00 00 00 00 00 00 00
>
>> 00 00 00 00 00 00 00 ................
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 240: 00 00 00 00 00 00 00 00 00
>
>> 00 00 00 00 00 00 00 ................
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 256: 00 00 00 00 00 00 00 00 00
>
>> 00 00 00 00 00 00 00 ................
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 272: 00 00 00 00 00 00 00 00 00
>
>> 00 00 00 00 00 00 00 ................
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 288: 00 00 00 00 00 00 00 00 00
>
>> 00 00 00 00 00 00 00 ................
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 304: 00 00 00 00 74 65 73 74
>
>> 00 ....test.
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 15[CFG] received stroke: initiate 'test'
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 07[MGR] created IKE_SA
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_INIT task
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_VENDOR task
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_NATD task
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_CERT_PRE task
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_AUTHENTICATE task
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_CERT_POST task
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_CONFIG task
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_AUTH_LIFETIME task
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing CHILD_CREATE task
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 07[IKE] activating new tasks
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_INIT task
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_VENDOR task
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_NATD task
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_CERT_PRE task
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_AUTHENTICATE task
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_CERT_POST task
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_CONFIG task
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 07[IKE] activating CHILD_CREATE task
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_AUTH_LIFETIME task
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 07[IKE] initiating IKE_SA test[1] to
>
>> 10.103.49.142
>
>>
>
>> Mar 28 20:00:15 Aaron charon: 07[IKE] IKE_SA test[1] state change:
>
>> CREATED => CONNECTING
>
>>
>
>> Mar 28 20:00:15 Aaron ipsec_starter[26273]: charon has died -- restart
>
>> scheduled (5sec)
>
>>
>
>> Mar 28 20:00:20 Aaron ipsec_starter[26273]: charon (26347) started after
>
>> 20 ms
>
>>
>
>>
>
>>
>
>> My ipsec.conf is :
>
>>
>
>>
>
>>
>
>> config setup
>
>>
>
>> nat_traversal=yes
>
>>
>
>> charonstart=yes
>
>>
>
>> conn %default
>
>>
>
>> authby=secret
>
>>
>
>> keyexchange=ikev2
>
>>
>
>> conn test
>
>>
>
>> ike=aes128-sha256-ecp224
>
>>
>
>> esp=3des-sha1-ecp256
>
>>
>
>> left=10.103.49.148
>
>>
>
>> leftid=10.103.49.148
>
>>
>
>> leftsubnet=192.168.169.0/24
>
>>
>
>> right=10.103.49.142
>
>>
>
>> rightid=10.103.49.142
>
>>
>
>> rightsubnet=192.168.168.0/24
>
>>
>
>> auto=add
>
>>
>
>>
>
>>
>
>> I capture the packet , but got nothing. It seems that it did not send
>
>> any IKEv2 packet. From the log above, it seems that the demon charon crash.
>
>>
>
>> But after I modify the configuration from ecp224 to modp1024, it works
>
>> fine. So I think there only may be some problems to use the EC group. I
>
>> am not sure what should I do?
>
>>
>
>>
>
>>
>
>> Thanks
>
>>
>
>> --Aaron
>
>>
>
>>
>
>>
>
>>
>
>>
>
>>
>
>>
>
>> -----Original Message-----
>
>> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
>
>> Sent: 2011年3月28日18:30
>
>> To: Aaron (Bo) Zhang
>
>> Cc: dev at lists.strongswan.org
>
>> Subject: Re: [strongSwan-dev] How to configure openssl
>
>>
>
>>
>
>>
>
>> Hello Aaron,
>
>>
>
>>
>
>>
>
>> the linking to the OpenSSL library should be done automatically.
>
>>
>
>> Just make sure that the strongSwan openssl plugin is loaded.
>
>>
>
>> You can verify this with the command
>
>>
>
>>
>
>>
>
>> ipsec statusall
>
>>
>
>>
>
>>
>
>> which should produce the following output:
>
>>
>
>>
>
>>
>
>> loaded plugins: curl aes des sha1 sha2 md5 pem pkcs1 gmp x509 openssl
>
>>
>
>> revocation random hmac stroke kernel-netlink socket-default updown
>
>>
>
>>
>
>>
>
>> If you built strongSwan with the --enable-openssl in a source
>
>>
>
>> directory where you first built strongSwan with the default plugins,
>
>>
>
>> make sure to execute
>
>>
>
>>
>
>>
>
>> make clean
>
>>
>
>>
>
>>
>
>> before make and make install so that the implicit plugin load list
>
>>
>
>> will be updated and will include the openssl plugin.
>
>>
>
>>
>
>>
>
>> A configuration example can be found here:
>
>>
>
>>
>
>>
>
>> http://www.strongswan.org/uml/testresults/openssl-ikev2/alg-ecp-high/
>
>>
>
>>
>
>>
>
>> Regards
>
>>
>
>>
>
>>
>
>> Andreas
>
>>
>
>>
>
>>
>
>> On 28.03.2011 11:34, Aaron (Bo) Zhang wrote:
>
>>
>
>>> Hi all,
>
>>
>
>>>
>
>>
>
>>>
>
>>
>
>>>
>
>>
>
>>> I want to use the openssl lib to test the ECP group. It is highly
>
>>
>
>>> appreciated that anyone can give me a example. I have built the
>
>>
>
>>> strongswan with the configuration “--enable- openssl”and I also built
>
>>
>
>>> the openssl lib. But I do not know how to link the openssl lib to
>
>>
>
>>> strongswan.
>
>>
>
>>>
>
>>
>
>>>
>
>>
>
>>>
>
>>
>
>>> Thanks
>
>>
>
>>>
>
>>
>
>>> --Aaron
>
>
>
> ======================================================================
>
> Andreas Steffen andreas.steffen at strongswan.org
>
> strongSwan - the Linux VPN Solution! www.strongswan.org
>
> Institute for Internet Technologies and Applications
>
> University of Applied Sciences Rapperswil
>
> CH-8640 Rapperswil (Switzerland)
>
> ===========================================================[ITA-HSR]==
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
More information about the Dev
mailing list