[strongSwan-dev] How to configure openssl

Andreas Steffen andreas.steffen at strongswan.org
Tue Mar 29 05:53:29 CEST 2011


Hello Aaron,

your openssl-1.0 library was compiled without ECC support.
You have to recompile it with the appropriate options.

Regards

Andreas


On 03/29/2011 04:53 AM, Aaron (Bo) Zhang wrote:
> Hi Andreas,
> 
> You are so kind to give such a quick response. I use the commands:
> 
> ipsec start --nofork
> 
> ipsec stroke up test
> 
> I found the cause, which is
> 
> "/usr/local/libexec/ipsec/charon: symbol lookup error:
> /usr/local/libexec/ipsec/plugins/libstrongswan-openssl.so: undefined
> symbol: EC_KEY_new_by_curve_name".
> 
> So there may be some link issue with the openssl lib. I built OpenSSL 1.0
> myself. Is it possible the lib is in the wrong place?
> 
> Thanks
> 
> --Aaron
> 
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: 28 March 2011 21:55
> To: Aaron (Bo) Zhang
> Cc: dev at lists.strongswan.org
> Subject: Re: [strongSwan-dev] How to configure openssl
> 
> Hi Aaron,
> 
> strange, charon is *not* supposed to crash! I'm not
> aware that there were any issues with strongSwan 4.3.6
> and ECP. Could you generate a core dump with
> ulimit -c unlimited and send me the debugger output:
> 
> gdb /usr/libexec/ipsec/charon core
>>where
> 
> Regards
> 
> Andreas
> 
> On 28.03.2011 15:34, Aaron (Bo) Zhang wrote:
>> Hi Andreas,
>> 
>> I input the command,
>> 
>> ipsec statusall
>> 
>> It shows that:
>> 
>> Status of IKEv2 charon daemon (strongSwan 4.3.6):
>>   uptime: 4 minutes, since Mar 28 20:00:20 2011
>>   worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0
>>   loaded plugins: aes des sha1 md5 sha2 hmac pkcs1 openssl pem gmp
>> random pubkey xcbc x509 stroke kernel-netlink eap-mschapv2 eap-identity
>> eap-md5 updown
>> Virtual IP pools (size/online/offline):
>>   windows7: 255/0/0
>> Listening IP addresses:
>>   10.103.49.148
>>   192.168.169.88
>>   3ffe:501:ffff::1
>> Connections:
>>         test:  10.103.49.148...10.103.49.142
>>         test:   local:  [10.103.49.148] uses pre-shared key authentication
>>         test:   remote: [10.103.49.142] uses any authentication
>>         test:   child:  192.168.169.0/24 === 192.168.168.0/24
>> Security Associations:
>>   none
>> 
>> Then I start the ipsec with the commands
>> 
>>  ipsec stroke loglevel any 4
>> ipsec stroke up test
>> 
>> It only shows that:
>> 
>> initiating IKE_SA test[1] to 10.103.49.142
>> 
>> The log is:
>> 
>> Mar 28 20:00:15 Aaron charon: 15[CFG] stroke message => 313 bytes @ 0xaf30e180
>> Mar 28 20:00:15 Aaron charon: 15[CFG] received stroke: initiate 'test'
>> Mar 28 20:00:15 Aaron charon: 07[MGR] created IKE_SA
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_INIT task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_VENDOR task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_NATD task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_CERT_PRE task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_AUTHENTICATE task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_CERT_POST task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_CONFIG task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_AUTH_LIFETIME task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing CHILD_CREATE task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] activating new tasks
>> Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_INIT task
>> Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_VENDOR task
>> Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_NATD task
>> Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_CERT_PRE task
>> Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_AUTHENTICATE task
>> Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_CERT_POST task
>> Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_CONFIG task
>> Mar 28 20:00:15 Aaron charon: 07[IKE]   activating CHILD_CREATE task
>> Mar 28 20:00:15 Aaron charon: 07[IKE]   activating IKE_AUTH_LIFETIME task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] initiating IKE_SA test[1] to
>> 10.103.49.142
>> Mar 28 20:00:15 Aaron charon: 07[IKE] IKE_SA test[1] state change:
>> CREATED => CONNECTING
>> Mar 28 20:00:15 Aaron ipsec_starter[26273]: charon has died -- restart
>> scheduled (5sec)
>> Mar 28 20:00:20 Aaron ipsec_starter[26273]: charon (26347) started after
>> 20 ms
>> 
>> My ipsec.conf is:
>> 
>>  config setup
>>          nat_traversal=yes
>>          charonstart=yes
>>  conn %default
>>          authby=secret
>>          keyexchange=ikev2
>>  conn test
>>        ike=aes128-sha256-ecp224
>>        esp=3des-sha1-ecp256
>>        left=10.103.49.148
>>        leftid=10.103.49.148
>>        leftsubnet=192.168.169.0/24
>>        right=10.103.49.142
>>        rightid=10.103.49.142
>>        rightsubnet=192.168.168.0/24
>>        auto=add
>> 
>> I captured the packets, but got nothing. It seems that it did not send
>> any IKEv2 packet. From the log above, it seems that the daemon charon crashed.
>> 
>> But after I modify the configuration from ecp224 to modp1024, it works
>> fine. So I think there may only be some problems using the EC group. I
>> am not sure what I should do.
>> 
>> Thanks
>> 
>> --Aaron
>> 
>> -----Original Message-----
>> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
>> Sent: 28 March 2011 18:30
>> To: Aaron (Bo) Zhang
>> Cc: dev at lists.strongswan.org
>> Subject: Re: [strongSwan-dev] How to configure openssl
>> 
>> Hello Aaron,
>> 
>> the linking to the OpenSSL library should be done automatically.
>> Just make sure that the strongSwan openssl plugin is loaded.
>> You can verify this with the command
>> 
>>   ipsec statusall
>> 
>> which should produce the following output:
>> 
>>   loaded plugins: curl aes des sha1 sha2 md5 pem pkcs1 gmp x509 openssl
>> revocation random hmac stroke kernel-netlink socket-default updown
>> 
>> If you built strongSwan with the --enable-openssl option in a source
>> directory where you first built strongSwan with the default plugins,
>> make sure to execute
>> 
>>   make clean
>> 
>> before make and make install so that the implicit plugin load list
>> will be updated and will include the openssl plugin.
>> 
>> A configuration example can be found here:
>> 
>> http://www.strongswan.org/uml/testresults/openssl-ikev2/alg-ecp-high/
>> 
>> Regards
>> 
>> Andreas
>> 
>> On 28.03.2011 11:34, Aaron (Bo) Zhang wrote:
>>> Hi all,
>>> 
>>> I want to use the openssl lib to test the ECP group. It would be highly
>>> appreciated if anyone could give me an example. I have built
>>> strongswan with the configuration "--enable-openssl" and I also built
>>> the openssl lib. But I do not know how to link the openssl lib to
>>> strongswan.
>>> 
>>> Thanks
>>> 
>>> --Aaron


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
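A diagnostic for the failure Aaron hit, added here as example code (not from strongSwan or from anyone in the thread): it checks whether the libcrypto behind the openssl plugin exports EC_KEY_new_by_curve_name, whether `ipsec statusall` lists the openssl plugin, and which ecp groups an ipsec.conf asks for, so the EC-less build is caught before `ipsec stroke up` takes charon down. The plugin path and the sample command outputs are assumptions/constructed.

```shell
#!/bin/sh
# Added diagnostic for the failure in this thread (example code, not part of
# strongSwan): charon dies with "undefined symbol: EC_KEY_new_by_curve_name"
# when the libcrypto behind libstrongswan-openssl.so was built without EC.
# The plugin path and the sample outputs below are assumptions/constructed.
PLUGIN=${PLUGIN:-/usr/local/libexec/ipsec/plugins/libstrongswan-openssl.so}
# Reads an `nm -D libcrypto.so` listing on stdin; prints "ok" if the EC
# symbol charon needs is exported, "missing" otherwise.
ec_symbol_state() {
    if grep -Eq '[[:space:]]T[[:space:]]EC_KEY_new_by_curve_name(@|$)'; then
        echo ok
    else
        echo missing
    fi
}

# Reads `ipsec statusall` output on stdin; prints "yes" if plugin $1 is in
# the "loaded plugins:" line, "no" otherwise.
plugin_loaded() {
    sed -n 's/^[[:space:]]*loaded plugins:[[:space:]]*//p' \
        | tr ' ' '\n' | grep -qx "$1" && echo yes || echo no
}

# Reads an ipsec.conf on stdin; prints every ecp DH group named in an
# ike= or esp= proposal (these need the openssl plugin's EC support).
ecp_groups_in_conf() {
    sed -n -e 's/^[[:space:]]*ike=//p' -e 's/^[[:space:]]*esp=//p' \
        | tr -s ',-' '\n' | grep '^ecp' | sort -u
}

# Live check on this host; skips quietly when the plugin or tools are absent.
live_check() {
    command -v nm >/dev/null && command -v ldd >/dev/null \
        && [ -r "$PLUGIN" ] || { echo "skip: no nm/ldd or $PLUGIN"; return 0; }
    lib=$(ldd "$PLUGIN" | awk '/libcrypto/ { print $3 }')
    [ -n "$lib" ] || { echo "skip: libcrypto not resolved"; return 0; }
    echo "$lib: EC symbol $(nm -D "$lib" | ec_symbol_state)"
}

# Constructed sample data mirroring the thread (not real command output).
SAMPLE_NM_NOEC='0000000000012340 T EC_GROUP_new
0000000000045670 T RSA_new'
SAMPLE_NM_EC='0000000000012340 T EC_KEY_new_by_curve_name
0000000000045670 T RSA_new'
SAMPLE_STATUS='Status of IKEv2 charon daemon (strongSwan 4.3.6):
  loaded plugins: aes des sha1 md5 sha2 hmac pkcs1 openssl pem gmp random x509'
SAMPLE_CONF='conn test
       ike=aes128-sha256-ecp224
       esp=3des-sha1-ecp256'
live_check
```

Run it on the gateway with PLUGIN pointing at the installed openssl plugin; "missing" for the EC symbol together with ecp groups in ipsec.conf reproduces exactly the symbol lookup error quoted above.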



