[strongSwan-dev] How to configure openssl
Aaron (Bo) Zhang
azhang at SonicWALL.com
Tue Mar 29 09:02:10 CEST 2011
Hi Andreas,
Maybe I found the root cause. I built openssl-1.0 with the default options and it only generates a static lib. But strongSwan will use the dynamic openssl lib.
Is that true?
After I built openssl with a shared lib, strongSwan works fine now.
Thanks very much.
--Aaron
-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
Sent: March 29, 2011 11:53
To: Aaron (Bo) Zhang
Cc: dev at lists.strongswan.org
Subject: Re: [strongSwan-dev] How to configure openssl
Hello Aaron,
your openssl-1.0 library was compiled without ECC support.
You have to recompile it with the appropriate options.
Regards
Andreas
On 03/29/2011 04:53 AM, Aaron (Bo) Zhang wrote:
> Hi Andreas,
>
> You are so kind to give a quick response. I use the command:
>
> ipsec start --nofork
> ipsec stroke up test
>
> I found the cause, which is:
>
> "/usr/local/libexec/ipsec/charon: symbol lookup error:
> /usr/local/libexec/ipsec/plugins/libstrongswan-openssl.so: undefined
> symbol: EC_KEY_new_by_curve_name".
>
> So there may be some link issue for the openssl lib. I built OpenSSL 1.0
> by myself. Is it possible the lib is in the wrong place?
>
> Thanks
>
> --Aaron
>
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: March 28, 2011 21:55
> To: Aaron (Bo) Zhang
> Cc: dev at lists.strongswan.org
> Subject: Re: [strongSwan-dev] How to configure openssl
>
> Hi Aaron,
>
> strange, charon is *not* supposed to crash! I'm not
> aware that there were any issues with strongSwan 4.3.6
> and ECP. Could you generate a core dump with
> ulimit -c unlimited and send me the debugger output:
>
> gdb /usr/libexec/ipsec/charon core
>>where
>
> Regards
>
> Andreas
>
> On 28.03.2011 15:34, Aaron (Bo) Zhang wrote:
>> Hi Andreas,
>>
>> I input the command,
>>
>> ipsec statusal
>>
>> It shows that:
>>
>> Status of IKEv2 charon daemon (strongSwan 4.3.6):
>> uptime: 4 minutes, since Mar 28 20:00:20 2011
>> worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0
>> loaded plugins: aes des sha1 md5 sha2 hmac pkcs1 openssl pem gmp
>> random pubkey xcbc x509 stroke kernel-netlink eap-mschapv2 eap-identity
>> eap-md5 updown
>> Virtual IP pools (size/online/offline):
>> windows7: 255/0/0
>> Listening IP addresses:
>> 10.103.49.148
>> 192.168.169.88
>> 3ffe:501:ffff::1
>> Connections:
>> test: 10.103.49.148...10.103.49.142
>> test: local: [10.103.49.148] uses pre-shared key authentication
>> test: remote: [10.103.49.142] uses any authentication
>> test: child: 192.168.169.0/24 === 192.168.168.0/24
>> Security Associations:
>> none
>>
>> Then I start the ipsec with the command
>>
>> ipsec stroke loglevel any 4
>> ipsec stroke up test
>>
>> It only shows that:
>>
>> initiating IKE_SA test[1] to 10.103.49.142
>>
>> The log is:
>>
>> Mar 28 20:00:15 Aaron charon: 15[CFG] stroke message => 313 bytes @ 0xaf30e180
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 0: 39 01 00 00 00 00 00 00 01 00 00 00 34 01 00 00 9...........4...
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 64: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 96: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 112: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 128: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 144: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 192: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 208: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 224: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 256: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>> Mar 28 20:00:15 Aaron charon: 15[CFG] 304: 00 00 00 00 74 65 73 74 00 ....test.
>> Mar 28 20:00:15 Aaron charon: 15[CFG] received stroke: initiate 'test'
>> Mar 28 20:00:15 Aaron charon: 07[MGR] created IKE_SA
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_INIT task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_VENDOR task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_NATD task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_CERT_PRE task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_AUTHENTICATE task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_CERT_POST task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_CONFIG task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing IKE_AUTH_LIFETIME task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] queueing CHILD_CREATE task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] activating new tasks
>> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_INIT task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_VENDOR task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_NATD task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_CERT_PRE task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_AUTHENTICATE task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_CERT_POST task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_CONFIG task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] activating CHILD_CREATE task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] activating IKE_AUTH_LIFETIME task
>> Mar 28 20:00:15 Aaron charon: 07[IKE] initiating IKE_SA test[1] to 10.103.49.142
>> Mar 28 20:00:15 Aaron charon: 07[IKE] IKE_SA test[1] state change: CREATED => CONNECTING
>> Mar 28 20:00:15 Aaron ipsec_starter[26273]: charon has died -- restart scheduled (5sec)
>> Mar 28 20:00:20 Aaron ipsec_starter[26273]: charon (26347) started after 20 ms
>>
>> My ipsec.conf is:
>>
>> config setup
>>     nat_traversal=yes
>>     charonstart=yes
>>
>> conn %default
>>     authby=secret
>>     keyexchange=ikev2
>>
>> conn test
>>     ike=aes128-sha256-ecp224
>>     esp=3des-sha1-ecp256
>>     left=10.103.49.148
>>     leftid=10.103.49.148
>>     leftsubnet=192.168.169.0/24
>>     right=10.103.49.142
>>     rightid=10.103.49.142
>>     rightsubnet=192.168.168.0/24
>>     auto=add
>>
>> I captured the packets, but got nothing. It seems that it did not send
>> any IKEv2 packet. From the log above, it seems that the daemon charon crashed.
>>
>> But after I modified the configuration from ecp224 to modp1024, it works
>> fine. So I think there may only be some problems using the EC group. I
>> am not sure what I should do.
>>
>> Thanks
>>
>> --Aaron
>>
>> -----Original Message-----
>> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
>> Sent: March 28, 2011 18:30
>> To: Aaron (Bo) Zhang
>> Cc: dev at lists.strongswan.org
>> Subject: Re: [strongSwan-dev] How to configure openssl
>>
>> Hello Aaron,
>>
>> the linking to the OpenSSL library should be done automatically.
>> Just make sure that the strongSwan openssl plugin is loaded.
>> You can verify this with the command
>>
>> ipsec statusall
>>
>> which should produce the following output:
>>
>> loaded plugins: curl aes des sha1 sha2 md5 pem pkcs1 gmp x509 openssl
>> revocation random hmac stroke kernel-netlink socket-default updown
>>
>> If you built strongSwan with the --enable-openssl in a source
>> directory where you first built strongSwan with the default plugins,
>> make sure to execute
>>
>> make clean
>>
>> before make and make install so that the implicit plugin load list
>> will be updated and will include the openssl plugin.
>>
>> A configuration example can be found here:
>>
>> http://www.strongswan.org/uml/testresults/openssl-ikev2/alg-ecp-high/
>>
>> Regards
>>
>> Andreas
>>
>> On 28.03.2011 11:34, Aaron (Bo) Zhang wrote:
>>> Hi all,
>>>
>>> I want to use the openssl lib to test the ECP group. It is highly
>>> appreciated that anyone can give me an example. I have built
>>> strongswan with the configuration "--enable-openssl" and I also built
>>> the openssl lib. But I do not know how to link the openssl lib to
>>> strongswan.
>>>
>>> Thanks
>>>
>>> --Aaron
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
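The failure in this thread (charon dying as soon as an ECP group is negotiated, with `undefined symbol: EC_KEY_new_by_curve_name` from libstrongswan-openssl.so) is a symbol-resolution problem that is visible before the daemon is ever started: the plugin imports symbols that the libcrypto it will load at run time does not export. The script below is an added example and is not code from the thread or from the strongSwan project. It compares the undefined symbols of a plugin with the exported symbols of a library using `nm -D` output; the live check assumes GNU binutils `nm` is installed, and the plugin path in the usage comment is the one from Aaron's error message while the libcrypto path is an assumed install location. The sample `nm` listings inside `demo_missing` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the list thread or the strongSwan project):
# find symbols a strongSwan plugin imports that the OpenSSL library it will
# load at run time does not export. Works on captured `nm -D` output, so the
# comparison itself needs only awk and sort; the live check needs GNU `nm`.

# missing_syms PLUGIN_NM LIB_NM
#   PLUGIN_NM: file holding `nm -D plugin.so` output
#   LIB_NM:    file holding `nm -D libcrypto.so` output
# Prints, sorted, every symbol the plugin marks "U" (undefined) that the
# library does not define with an exported type (T/W/D/B/R/V/i).
missing_syms() {
    plugin_nm="$1"
    lib_nm="$2"
    awk '
        # First file: collect the plugin imports ("U" lines have no address).
        FILENAME == ARGV[1] { if (NF == 2 && $1 == "U") need[$2] = 1; next }
        # Second file: drop every import the library exports.
        NF >= 3 && $2 ~ /^[TWDBRVi]$/ { delete need[$3] }
        END { for (s in need) print s }
    ' "$plugin_nm" "$lib_nm" | sort
}

# demo_missing
#   Runs missing_syms on constructed nm-style listings standing in for a
#   plugin built against an OpenSSL with ECC and a libcrypto built without
#   it. Addresses and symbol sets are illustrative, not from a real build.
demo_missing() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/plugin.nm" <<'EOF'
                 U EC_KEY_new_by_curve_name
                 U EVP_sha256
                 U RSA_new
0000000000001a40 T plugin_create
                 w __cxa_finalize
EOF
    cat > "$tmp/libcrypto.nm" <<'EOF'
0000000000052a10 T EVP_sha256
00000000000a3b20 T RSA_free
00000000000a3c00 T RSA_new
0000000000301000 D OPENSSL_ia32cap_P
EOF
    missing_syms "$tmp/plugin.nm" "$tmp/libcrypto.nm"
    rm -rf "$tmp"
}

# check_plugin_against_lib PLUGIN.so LIBCRYPTO.so
#   Live check on real files. Returns 0 when every plugin import is exported
#   by the library, 1 (and lists the gaps) otherwise. Example (paths assumed):
#   check_plugin_against_lib \
#       /usr/local/libexec/ipsec/plugins/libstrongswan-openssl.so \
#       /usr/local/ssl/lib/libcrypto.so
check_plugin_against_lib() {
    plugin="$1"
    lib="$2"
    tmp=$(mktemp -d) || return 1
    if ! nm -D "$plugin" > "$tmp/plugin.nm" || ! nm -D "$lib" > "$tmp/libcrypto.nm"; then
        rm -rf "$tmp"
        return 1
    fi
    missing=$(missing_syms "$tmp/plugin.nm" "$tmp/libcrypto.nm")
    rm -rf "$tmp"
    if [ -n "$missing" ]; then
        printf 'imported by %s but not exported by %s:\n%s\n' "$plugin" "$lib" "$missing"
        return 1
    fi
    return 0
}
```

Two caveats when using the live check: a plugin also imports symbols from libstrongswan and libc (those show up as "missing" against libcrypto alone, so compare against each library in the `ldd` output or filter by prefix), and the library you pass must be the one the dynamic loader will actually pick, which is exactly the mismatch in this thread: a plugin compiled against OpenSSL headers with ECC enabled, but resolved at run time against a libcrypto that lacks `EC_KEY_new_by_curve_name`, whether because it was configured without EC support or because only a static library was installed and an older shared one is being found.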