[strongSwan] failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)

Andreas Steffen andreas.steffen at strongswan.org
Tue Apr 27 06:42:00 CEST 2010


Hi Eric,

the x509, pem, and pkcs1 plugins are missing:

loaded plugins: curl ldap aes des sha1 sha2 md5 random pubkey
                openssl gcrypt hmac gmp

If you don't know exactly what the functionality of each plugin
is then you shouldn't use an explicit load = statement for pluto
in strongswan.conf.

Best regards

Andreas

Eric.Hernandez at allegiantair.com wrote:
> Hi,
> I am trying to set up a "host to host" strongswan solution using
> strongSwan 4.3.4 on OpenSuse 10.2.
> 
> I think I have everything set up correctly but I cannot pass encrypted
> traffic between the hosts.
> 
> I have two servers, radius02 and radius03.
> 
> I think part of my problem lies in this error:
> failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)
> 
> Also, do I need some kind of iptables or routing config to make
> everything work? The documentation is unclear.
> 
> 
> 
> config for radius02 -> please note where it says sanitized an IP would
> go there or email address in some cases.
> 
> config setup
> crlcheckinterval=180
> strictcrlpolicy=no
> 
> conn host-host
> left=%defaultroute
> leftcert=radius02Cert.pem
> leftsendcert=never
> right=sanitized
> rightid="C=US, ST=NV, O=allegiant, OU=it, CN=radius03"
> rightcert=radius03Cert.pem
> auto=start
> 
> 
> Apr 26 14:55:09 radius02 kernel: imklog 4.4.1, log source = /proc/kmsg
> started.
> Apr 26 14:55:09 radius02 rsyslogd: [origin software="rsyslogd"
> swVersion="4.4.1" x-pid="1619" x-info="http://www.rsyslog.com"] (re)start
> Apr 26 14:55:13 radius02 ipsec_starter[8047]: Starting strongSwan 4.3.4
> IPsec [starter]...
> Apr 26 14:55:13 radius02 modprobe: WARNING: All config files need .conf:
> /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
> Apr 26 14:55:13 radius02 modprobe: WARNING: All config files need .conf:
> /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
> Apr 26 14:55:13 radius02 modprobe: WARNING: All config files need .conf:
> /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
> Apr 26 14:55:13 radius02 modprobe: WARNING: All config files need .conf:
> /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
> Apr 26 14:55:13 radius02 modprobe: WARNING: All config files need .conf:
> /etc/modprobe.d/vmware-tools, it will be ignored in a future release.
> Apr 26 14:55:13 radius02 pluto[8056]: Starting IKEv1 pluto daemon
> (strongSwan 4.3.4) THREADS SMARTCARD VENDORID CISCO_QUIRKS
> Apr 26 14:55:13 radius02 pluto[8056]: loaded plugins: curl ldap aes des
> sha1 sha2 md5 random pubkey openssl gcrypt hmac gmp
> Apr 26 14:55:13 radius02 pluto[8056]: including NAT-Traversal patch
> (Version 0.6c) [disabled]
> Apr 26 14:55:13 radius02 pluto[8056]: failed to load pkcs11 module
> '/usr/lib64/opensc-pkcs11.so'
> Apr 26 14:55:13 radius02 pluto[8056]: Using Linux 2.6 IPsec interface code
> Apr 26 14:55:13 radius02 ipsec_starter[8055]: pluto (8056) started after
> 20 ms
> Apr 26 14:55:13 radius02 charon: 01[DMN] Starting IKEv2 charon daemon
> (strongSwan 4.3.4)
> Apr 26 14:55:13 radius02 charon: 01[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
> *Apr 26 14:55:13 radius02 charon: 01[LIB] failed to create a builder for
> credential type CRED_CERTIFICATE, subtype (1)*
> Apr 26 14:55:13 radius02 charon: 01[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
> Apr 26 14:55:13 radius02 charon: 01[CFG] loading ocsp signer
> certificates from '/etc/ipsec.d/ocspcerts'
> Apr 26 14:55:13 radius02 charon: 01[CFG] loading attribute certificates
> from '/etc/ipsec.d/acerts'
> Apr 26 14:55:13 radius02 charon: 01[CFG] loading crls from
> '/etc/ipsec.d/crls'
> Apr 26 14:55:13 radius02 charon: 01[CFG] loading secrets from
> '/etc/ipsec.secrets'
> Apr 26 14:55:13 radius02 charon: 01[CFG] loaded private key file
> '/etc/ipsec.d/private/strongswanKey.pem'
> Apr 26 14:55:13 radius02 charon: 01[CFG] loaded private key file
> '/etc/ipsec.d/private/radius02Key.pem'
> Apr 26 14:55:13 radius02 charon: 01[DMN] loaded plugins: aes des sha1
> md5 sha2 hmac gmp random pubkey xcbc stroke x509
> Apr 26 14:55:13 radius02 charon: 01[JOB] spawning 16 worker threads
> Apr 26 14:55:13 radius02 ipsec_starter[8055]: charon (8069)
> started after 20 ms
> Apr 26 14:55:13 radius02 charon: 05[CFG] received stroke: add connection
> 'host-host'
> Apr 26 14:55:13 radius02 charon: 05[CFG] left nor right host is our
> side, assuming left=local
> Apr 26 14:55:13 radius02 charon: 05[LIB] loaded certificate file
> '/etc/ipsec.d/certs/radius02Cert.pem'
> Apr 26 14:55:13 radius02 charon: 05[LIB] loaded certificate file
> '/etc/ipsec.d/certs/radius03Cert.pem'
> Apr 26 14:55:13 radius02 charon: 05[CFG] peerid C=US, ST=NV,
> O=allegiant, OU=it, CN=radius03 not confirmed by certificate, defaulting
> to subject DN: C=US, ST=NV, O=allegiant, OU=it, CN=radius03,
> E=sanitized at allegiantair.com
> Apr 26 14:55:13 radius02 charon: 05[CFG] added configuration 'host-host'
> Apr 26 14:55:13 radius02 pluto[8056]: Changing to directory
> '/etc/ipsec.d/cacerts'
> Apr 26 14:55:13 radius02 pluto[8056]: loaded CA cert file
> 'strongswanCert.der' (1183 bytes)
> Apr 26 14:55:13 radius02 pluto[8056]: Changing to directory
> '/etc/ipsec.d/aacerts'
> Apr 26 14:55:13 radius02 pluto[8056]: Changing to directory
> '/etc/ipsec.d/ocspcerts'
> Apr 26 14:55:13 radius02 pluto[8056]: Changing to directory
> '/etc/ipsec.d/crls'
> Apr 26 14:55:13 radius02 pluto[8056]: Changing to directory
> '/etc/ipsec.d/acerts'
> Apr 26 14:55:13 radius02 pluto[8056]: listening for IKE messages
> Apr 26 14:55:13 radius02 pluto[8056]: adding interface eth1/eth1
> 10.10.0.5:500
> Apr 26 14:55:13 radius02 pluto[8056]: adding interface lo/lo 127.0.0.2:500
> Apr 26 14:55:13 radius02 pluto[8056]: adding interface lo/lo 127.0.0.1:500
> Apr 26 14:55:13 radius02 pluto[8056]: adding interface lo/lo ::1:500
> Apr 26 14:55:13 radius02 pluto[8056]: loading secrets from
> "/etc/ipsec.secrets"
> Apr 26 14:55:13 radius02 pluto[8056]: loaded private key file
> '/etc/ipsec.d/private/strongswanKey.pem' (1751 bytes)
> Apr 26 14:55:13 radius02 pluto[8056]: loaded private key file
> '/etc/ipsec.d/private/radius02Key.pem' (963 bytes)
> Apr 26 14:55:13 radius02 pluto[8056]: loaded host cert file
> '/etc/ipsec.d/certs/radius02Cert.pem' (4066 bytes)
> Apr 26 14:55:13 radius02 pluto[8056]: loaded host cert file
> '/etc/ipsec.d/certs/radius03Cert.pem' (1342 bytes)
> Apr 26 14:55:13 radius02 pluto[8056]: added connection description
> "host-host"
> Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: initiating Main Mode
> Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: ignoring Vendor ID
> payload [strongSwan 4.3.4]
> Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: ignoring Vendor ID
> payload [Cisco-Unity]
> Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: received Vendor ID
> payload [XAUTH]
> Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: received Vendor ID
> payload [Dead Peer Detection]
> Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: we have a cert but
> are not sending it
> Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: Peer ID is
> ID_DER_ASN1_DN: 'C=US, ST=NV, O=allegiant, OU=it, CN=radius03,
> E=sanitized at allegiantair.com'
> Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #1: ISAKMP SA established
> Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #2: initiating Quick
> Mode PUBKEY+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> Apr 26 14:55:13 radius02 pluto[8056]: "host-host" #2: sent QI2, IPsec SA
> established {ESP=>0x6d76b463 <0x19a9a64b}
> 
> -Eric

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
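
Added example, not part of the original mail or of strongSwan: a small Python check that rejoins wrapped syslog lines, reads each daemon's `loaded plugins:` list and reports which of the plugins named in the reply (x509, pem, pkcs1) are absent, alongside any builder failures. The function names and the sample log are constructed for illustration; treating those three plugins as the required set is an assumption taken from the reply about pluto.

```python
import re

# Plugins the reply above names as missing from pluto's list.
CERT_PLUGINS = ("x509", "pem", "pkcs1")

# Constructed sample in the syslog format quoted in the thread; the second
# and fourth lines are mail-wrapped continuations, as in the quoted log.
SAMPLE_LOG = """\
Apr 26 14:55:13 radius02 pluto[8056]: loaded plugins: curl ldap aes des
sha1 sha2 md5 random pubkey openssl gcrypt hmac gmp
Apr 26 14:55:13 radius02 charon: 01[LIB] failed to create a builder for
credential type CRED_CERTIFICATE, subtype (1)
Apr 26 14:55:13 radius02 pluto[8056]: listening for IKE messages
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
ENTRY = re.compile(r"^\S+ +\d+ [\d:]+ \S+ (?P<daemon>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
MARK = "loaded plugins:"

def unwrap(text):
    """Rejoin wrapped lines into one string per syslog entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip("> *")  # drop mail quoting and *emphasis* markers
        if not line:
            continue
        if STAMP.match(line) or not entries:
            entries.append(line)       # a timestamp starts a new entry
        else:
            entries[-1] += " " + line  # continuation of the previous entry
    return entries

def audit(text, required=CERT_PLUGINS):
    """Return ({daemon: [required plugins not loaded]}, [builder failures])."""
    missing, failures = {}, []
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        msg = m["msg"]
        if MARK in msg:
            loaded = set(msg.split(MARK, 1)[1].split())
            gap = [p for p in required if p not in loaded]
            if gap:
                missing[m["daemon"]] = gap
        elif "failed to create a builder" in msg:
            failures.append(msg)
    return missing, failures

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```
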