[strongSwan] failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)

Eric.Hernandez at allegiantair.com
Mon Apr 26 23:59:47 CEST 2010



Hi,
I am trying to set up a "host to host" strongSwan solution using strongSwan
4.3.4 on OpenSuse 10.2.

I think I have everything set up correctly, but I cannot pass encrypted
traffic between the hosts.

I have two servers radius02 and radius03

I think part of my problem lies in this error:
failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)

Also, do I need some kind of iptables or routing config to make everything
work? The documentation is unclear.



config for radius02 -> please note that where it says "sanitized", an IP
address (or, in some cases, an email address) would go there.

config setup
        crlcheckinterval=180
        strictcrlpolicy=no

conn host-host
        left=%defaultroute
        leftcert=radius02Cert.pem
        leftsendcert=never
        right=sanitized
        rightid="C=US, ST=NV, O=allegiant, OU=it, CN=radius03"
        rightcert=radius03Cert.pem
        auto=start


Apr 26 14:55:09 radius02 kernel: imklog 4.4.1, log source = /proc/kmsg started.
Apr 26 14:55:09 radius02 rsyslogd: [origin software="rsyslogd" swVersion="4.4.1" x-pid="1619" x-info="http://www.rsyslog.com"] (re)start
Apr 26 14:55:13 radius02 ipsec_starter[8047]: Starting strongSwan 4.3.4 IPsec [starter]...
Apr 26 14:55:13 radius02 modprobe: WARNING: All config files need .conf: /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
Apr 26 14:55:13 radius02 modprobe: WARNING: All config files need .conf: /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
Apr 26 14:55:13 radius02 modprobe: WARNING: All config files need .conf: /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
Apr 26 14:55:13 radius02 modprobe: WARNING: All config files need .conf: /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
Apr 26 14:55:13 radius02 modprobe: WARNING: All config files need .conf: /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
Apr 26 14:55:13 radius02 pluto[8056]: Starting IKEv1 pluto daemon (strongSwan 4.3.4) THREADS SMARTCARD VENDORID CISCO_QUIRKS
Apr 26 14:55:13 radius02 pluto[8056]: loaded plugins: curl ldap aes des sha1 sha2 md5 random pubkey openssl gcrypt hmac gmp
Apr 26 14:55:13 radius02 pluto[8056]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Apr 26 14:55:13 radius02 pluto[8056]: failed to load pkcs11 module '/usr/lib64/opensc-pkcs11.so'
Apr 26 14:55:13 radius02 pluto[8056]: Using Linux 2.6 IPsec interface code
Apr 26 14:55:13 radius02 ipsec_starter[8055]: pluto (8056) started after 20 ms
Apr 26 14:55:13 radius02 charon: 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.4)
Apr 26 14:55:13 radius02 charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr 26 14:55:13 radius02 charon: 01[LIB] failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)
Apr 26 14:55:13 radius02 charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr 26 14:55:13 radius02 charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr 26 14:55:13 radius02 charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr 26 14:55:13 radius02 charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
Apr 26 14:55:13 radius02 charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
Apr 26 14:55:13 radius02 charon: 01[CFG]   loaded private key file '/etc/ipsec.d/private/strongswanKey.pem'
Apr 26 14:55:13 radius02 charon: 01[CFG]   loaded private key file '/etc/ipsec.d/private/radius02Key.pem'
Apr 26 14:55:13 radius02 charon: 01[DMN] loaded plugins: aes des sha1 md5 sha2 hmac gmp random pubkey xcbc stroke x509
Apr 26 14:55:13 radius02 charon: 01[JOB] spawning 16 worker threads
Apr 26 14:55:13 radius02 ipsec_starter[failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)8055]: charon (8069) started after 20 ms
Apr 26 14:55:13 radius02 charon: 05[CFG] received stroke: add connection 'host-host'
Apr 26 14:55:13 radius02 charon: 05[CFG] left nor right host is our side, assuming left=local
Apr 26 14:55:13 radius02 charon: 05[LIB]   loaded certificate file '/etc/ipsec.d/certs/radius02Cert.pem'
Apr 26 14:55:13 radius02 charon: 05[LIB]   loaded certificate file '/etc/ipsec.d/certs/radius03Cert.pem'
Apr 26 14:55:13 radius02 charon: 05[CFG]   peerid C=US, ST=NV, O=allegiant, OU=it, CN=radius03 not confirmed by certificate, defaulting to subject DN: C=US, ST=NV, O=allegiant, OU=it, CN=radius03, E=sanitized at allegiantair.com
Apr 26 14:55:13 radius02 charon: 05[CFG] added configuration 'host-host'
Apr 26 14:55:13 radius02 pluto[8056]: Changing to directory '/etc/ipsec.d/cacerts'
Apr 26 14:55:13 radius02 pluto[8056]:   loaded CA cert file 'strongswanCert.der' (1183 bytes)
Apr 26 14:55:13 radius02 pluto[8056]: Changing to directory '/etc/ipsec.d/aacerts'
Apr 26 14:55:13 radius02 pluto[8056]: Changing to directory '/etc/ipsec.d/ocspcerts'
Apr 26 14:55:13 radius02 pluto[8056]: Changing to directory '/etc/ipsec.d/crls'
Apr 26 14:55:13 radius02 pluto[8056]: Changing to directory '/etc/ipsec.d/acerts'
Apr 26 14:55:13 radius02 pluto[8056]: listening for IKE messages
Apr 26 14:55:13 radius02 pluto[8056]: adding interface eth1/eth1 10.10.0.5:500
Apr 26 14:55:13 radius02 pluto[8056]: adding interface lo/lo 127.0.0.2:500
Apr 26 14:55:13 radius02 pluto[8056]: adding interface lo/lo 127.0.0.1:500
Apr 26 14:55:13 radius02 pluto[8056]: adding interface lo/lo ::1:500
Apr 26 14:55:13 radius02 pluto[8056]: loading secrets from "/etc/ipsec.secrets"
Apr 26 14:55:13 radius02 pluto[8056]:   loaded private key file '/etc/ipsec.d/private/strongswanKey.pem' (1751 bytes)
Apr 26 14:55:13 radius02 pluto[8056]:   loaded private key file '/etc/ipsec.d/private/radius02Key.pem' (963 bytes)
Apr 26 14:55:13 radius02 pluto[8056]:   loaded host cert file '/etc/ipsec.d/certs/radius02Cert.pem' (4066 bytes)
Apr 26 14:55:13 radius02 pluto[8056]:   loaded host cert file '/etc/ipsec.d/certs/radius03Cert.pem' (1342 bytes)
Apr 26 14:55:13 radius02 pluto[8056]: added connection description "host-host"
Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: initiating Main Mode
Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: ignoring Vendor ID payload [strongSwan 4.3.4]
Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: ignoring Vendor ID payload [Cisco-Unity]
Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: received Vendor ID payload [XAUTH]
Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: received Vendor ID payload [Dead Peer Detection]
Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: we have a cert but are not sending it
Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=NV, O=allegiant, OU=it, CN=radius03, E=sanitized at allegiantair.com'
Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: ISAKMP SA established
Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #2: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #2: sent QI2, IPsec SA established {ESP=>0x6d76b463 <0x19a9a64b}

-Eric
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20100426/9436a949/attachment.html>
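Added example (my code, not from the post above and not part of the strongSwan project): a small Python checker that reads charon/pluto syslog lines of the kind shown in the post and pulls out the four things worth acting on in this log: the CRED_CERTIFICATE builder failure together with the directory charon was loading when it happened; whether charon's plugin list shows x509 after stroke (the reading that stroke scanned /etc/ipsec.d before the x509 plugin had registered its builder is an assumption drawn from the log order, not something the post establishes); the rightid that was "not confirmed by certificate", reduced to the RDNs that differ between the configured value and the certificate subject; and which daemon actually reached "IPsec SA established", with the ESP SPIs to cross-check against `ip xfrm state`. The sample log is a constructed, unwrapped subset of the post's own lines, and all function and regex names are mine.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a subset of the lines from the post, unwrapped to one
# syslog record per line (the mail client had wrapped them at ~76 columns).
SAMPLE_LOG = """\
Apr 26 14:55:13 radius02 charon: 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.4)
Apr 26 14:55:13 radius02 charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr 26 14:55:13 radius02 charon: 01[LIB] failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)
Apr 26 14:55:13 radius02 charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr 26 14:55:13 radius02 charon: 01[DMN] loaded plugins: aes des sha1 md5 sha2 hmac gmp random pubkey xcbc stroke x509
Apr 26 14:55:13 radius02 charon: 05[CFG]   peerid C=US, ST=NV, O=allegiant, OU=it, CN=radius03 not confirmed by certificate, defaulting to subject DN: C=US, ST=NV, O=allegiant, OU=it, CN=radius03, E=sanitized at allegiantair.com
Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: ISAKMP SA established
Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #2: sent QI2, IPsec SA established {ESP=>0x6d76b463 <0x19a9a64b}
"""

RECORD = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>\w+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
CHARON_TAG = re.compile(r"^\d+\[[A-Z]+\]\s+")          # e.g. "01[LIB] "
LOADING = re.compile(r"^loading (?P<what>.+?) from '(?P<dir>[^']+)'")
BUILDER_FAIL = re.compile(r"failed to create a builder for credential type "
                          r"(?P<type>\w+), subtype \((?P<sub>\d+)\)")
PLUGINS = re.compile(r"^loaded plugins: (?P<list>.+)$")
PEERID = re.compile(r"^peerid (?P<cfg>.+?) not confirmed by certificate, "
                    r"defaulting to subject DN: (?P<subj>.+)$")
IPSEC_SA = re.compile(r'^"(?P<conn>[^"]+)" #\d+: .*IPsec SA established '
                      r"\{ESP=>(?P<spi_out>0x[0-9a-f]+) <(?P<spi_in>0x[0-9a-f]+)\}")


def parse_dn(dn: str) -> list:
    """Split 'C=US, ST=NV, CN=x' into an ordered list of (type, value) RDNs."""
    return [tuple(rdn.split("=", 1)) for rdn in re.split(r",\s*", dn.strip())]


@dataclass
class Report:
    builder_failures: list = field(default_factory=list)  # (dir, cred type, subtype)
    charon_plugins: list = field(default_factory=list)
    peerid_mismatch: Optional[dict] = None
    ipsec_sas: list = field(default_factory=list)         # (daemon, conn, spi out, spi in)

    @property
    def x509_after_stroke(self) -> bool:
        """True if charon listed x509 after stroke in its plugin load order."""
        p = self.charon_plugins
        return "stroke" in p and "x509" in p and p.index("x509") > p.index("stroke")


def analyze(log_text: str) -> Report:
    rep, current_dir = Report(), None
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue                      # still-wrapped or garbled records are skipped
        prog, msg = m["prog"], m["msg"]
        if prog == "charon":
            msg = CHARON_TAG.sub("", msg)
            if (ld := LOADING.match(msg)):
                current_dir = ld["dir"]   # directory a following failure refers to
            elif (bf := BUILDER_FAIL.search(msg)):
                rep.builder_failures.append((current_dir, bf["type"], int(bf["sub"])))
            elif (pl := PLUGINS.match(msg)):
                rep.charon_plugins = pl["list"].split()
            elif (pi := PEERID.match(msg)):
                cfg, subj = parse_dn(pi["cfg"]), parse_dn(pi["subj"])
                rep.peerid_mismatch = {
                    "configured": pi["cfg"], "subject": pi["subj"],
                    "missing_in_configured": [f"{k}={v}" for k, v in subj if (k, v) not in cfg],
                    "extra_in_configured": [f"{k}={v}" for k, v in cfg if (k, v) not in subj],
                }
        if (sa := IPSEC_SA.match(msg)):
            rep.ipsec_sas.append((prog, sa["conn"], sa["spi_out"], sa["spi_in"]))
    return rep


def findings(rep: Report) -> list:
    """Human-readable list of the things worth acting on in the log."""
    out = []
    for d, t, sub in rep.builder_failures:
        out.append(f"charon: no builder for {t} subtype {sub} while loading {d}; "
                   f"no 'loaded ca certificate' line follows, so charon trusts nothing from there")
    if rep.x509_after_stroke:
        out.append("charon listed x509 after stroke; assumption: stroke scanned /etc/ipsec.d "
                   "before the x509 builder existed, so load x509 first (charon.load in strongswan.conf)")
    if rep.peerid_mismatch:
        pm = rep.peerid_mismatch
        out.append(f"rightid not matched by the peer cert; RDNs in cert but not in rightid: "
                   f"{pm['missing_in_configured']}; extra in rightid: {pm['extra_in_configured']}")
    for daemon, conn, spi_out, spi_in in rep.ipsec_sas:
        out.append(f"{daemon} (IKEv{'1' if daemon == 'pluto' else '2'}) brought up '{conn}': "
                   f"ESP out {spi_out}, in {spi_in}; confirm both SPIs with 'ip xfrm state'")
    return out


if __name__ == "__main__":
    for item in findings(analyze(SAMPLE_LOG)):
        print("-", item)
```

Run it against `/var/log/messages` (or whatever rsyslog writes to) after unwrapping, and treat an empty `ipsec_sas` list as "no tunnel", regardless of what `ipsec status` prints. Note that in the posted log it is pluto (IKEv1) that establishes the SA, so charon's CA-loading failure does not by itself explain why traffic is not flowing; the SPIs reported there are what `ip xfrm state` should show on both hosts, and `ip -s xfrm state` byte counters rising while you ping the peer is the actual proof that traffic is being encrypted.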