[strongSwan] need help for host2host-cert setup
Abbhishek Misra
abhishekfishy2000 at gmail.com
Thu Mar 25 10:52:46 CET 2010
Hello Andreas,
That may or may not be a possibility. To check that, I removed all contents of
/etc/ipsec.conf (it's empty now) and reread all:
plm56:~/abhishek # ipsec rereadall
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
002 loaded private key file '/etc/ipsec.d/private/newkey.pem' (963 bytes)
002 loaded private key file '/etc/ipsec.d/private/cakey.pem' (963 bytes)
002 Changing to directory '/etc/ipsec.d/cacerts'
002 loaded CA cert file 'cacert.pem' (3125 bytes)
002 Changing to directory '/etc/ipsec.d/aacerts'
002 Changing to directory '/etc/ipsec.d/ocspcerts'
002 Changing to directory '/etc/ipsec.d/acerts'
002 Changing to directory '/etc/ipsec.d/crls'
plm56:~/abhishek #
In messages I still see the same issue:
Mar 25 09:30:25 plm56 pluto[10190]: forgetting secrets
Mar 25 09:30:25 plm56 pluto[10190]: loading secrets from "/etc/ipsec.secrets"
Mar 25 09:30:25 plm56 pluto[10190]: loaded private key file '/etc/ipsec.d/private/newkey.pem' (963 bytes)
Mar 25 09:30:25 plm56 pluto[10190]: loaded private key file '/etc/ipsec.d/private/cakey.pem' (963 bytes)
Mar 25 09:30:25 plm56 pluto[10190]: Changing to directory '/etc/ipsec.d/cacerts'
Mar 25 09:30:25 plm56 pluto[10190]: loaded CA cert file 'cacert.pem' (3125 bytes)
Mar 25 09:30:25 plm56 pluto[10190]: Changing to directory '/etc/ipsec.d/aacerts'
Mar 25 09:30:25 plm56 pluto[10190]: Changing to directory '/etc/ipsec.d/ocspcerts'
Mar 25 09:30:25 plm56 pluto[10190]: Changing to directory '/etc/ipsec.d/acerts'
Mar 25 09:30:25 plm56 pluto[10190]: Changing to directory '/etc/ipsec.d/crls'
Mar 25 09:30:25 plm56 charon: 12[CFG] rereading secrets
Mar 25 09:30:25 plm56 charon: 12[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 25 09:30:25 plm56 charon: 12[CFG] loaded private key file '/etc/ipsec.d/private/newkey.pem'
Mar 25 09:30:25 plm56 charon: 12[CFG] loaded private key file '/etc/ipsec.d/private/cakey.pem'
Mar 25 09:30:25 plm56 charon: 12[CFG] rereading ca certificates from '/etc/ipsec.d/cacerts'
Mar 25 09:30:25 plm56 charon: 12[LIB] failed to create a builder for credential type CRED_PUBLIC_KEY, subtype (0)
Mar 25 09:30:25 plm56 charon: 12[LIB] could not parse loaded certificate file '/etc/ipsec.d/cacerts/cacert.pem'
Mar 25 09:30:25 plm56 charon: 12[LIB] failed to create a builder for credential type CRED_CERTIFICATE, subtype (1)
Mar 25 09:30:25 plm56 charon: 12[CFG] rereading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mar 25 09:30:25 plm56 charon: 12[CFG] rereading aa certificates from '/etc/ipsec.d/aacerts'
Mar 25 09:30:25 plm56 charon: 12[CFG] rereading attribute certificates from '/etc/ipsec.d/acerts'
Mar 25 09:30:25 plm56 charon: 12[CFG] rereading crls from '/etc/ipsec.d/crls'
Here I'll list how I created the certificates:
Step 1: /usr/share/ssl/misc/CA.sh -newca
This created:
/etc/ipsec.d/newcerts/00.pem
demoCA/
cacert.pem careq.pem certs crl index.txt newcerts private serial
demoCA/private/cakey.pem
Step 2: /usr/share/ssl/misc/CA.sh -newreq
This created newkey.pem and newreq.pem in my local dir.
Step 3: /usr/share/ssl/misc/CA.sh -sign
This created newcert.pem.
I copied all the files created into ipsec.d:
plm56:~/abhishek # ls /etc/ipsec.d/newcerts/
00.pem 01.pem
plm56:~/abhishek #
plm56:~/abhishek # ls /etc/ipsec.d/certs/
newcert.pem
plm56:~/abhishek #
plm56:~/abhishek # ls /etc/ipsec.d/private/
cakey.pem newkey.pem
plm56:~/abhishek #
plm56:~/abhishek # ls /etc/ipsec.d/cacerts/
cacert.pem
plm56:~/abhishek #
I'll just check by using a proper subjectAltName.
regards
Abhishek
On Thu, Mar 25, 2010 at 2:02 PM, Andreas Steffen
<andreas.steffen at strongswan.org> wrote:
> Hi,
>
> could it be that you are using a leftid=@plm56.in.ibm.com
> which is not contained as a subjectAltName in your certificate
> newcert.pem?
>
> Regards
>
> Andreas
>
> On 25.03.2010 06:22, Abbhishek Misra wrote:
>>
>> Thanks for a quick reply Andreas. It is able to read the secret as shown
>> below but does not list it.
>>
>> There is nothing in /var/log/messages related to listing secrets
>>
>> plm56:~/abhishek # ipsec rereadsecrets
>> plm56:~/abhishek #
>> plm56:~/abhishek # tail /var/log/messages
>> Mar 25 05:00:03 plm56 su: (to nobody) root on none
>> Mar 25 05:00:03 plm56 su: pam_unix_session(su:session): session opened for user nobody by (uid=0)
>> Mar 25 05:00:03 plm56 su: pam_unix_session(su:session): session closed for user nobody
>> Mar 25 05:00:03 plm56 su: (to nobody) root on none
>> Mar 25 05:00:03 plm56 su: pam_unix_session(su:session): session opened for user nobody by (uid=0)
>> Mar 25 05:00:17 plm56 su: pam_unix_session(su:session): session closed for user nobody
>> Mar 25 05:00:18 plm56 /usr/sbin/cron[4251]: pam_unix_session(crond:session): session closed for user root
>> Mar 25 05:11:37 plm56 charon: 16[CFG] rereading secrets
>> Mar 25 05:11:37 plm56 charon: 16[CFG] loading secrets from '/etc/ipsec.secrets'
>> Mar 25 05:11:37 plm56 charon: 16[CFG] loaded private key file '/etc/ipsec.d/private/newkey.pem'
>> plm56:~/abhishek #
>>
>>
>> On Wed, Mar 24, 2010 at 7:07 PM, Andreas Steffen
>> <andreas.steffen at strongswan.org> wrote:
>>>
>>> Execute
>>>
>>> ipsec rereadsecrets
>>>
>>> and look for error messages in the log. It might be that your passphrase
>>> is not correct.
>>>
>>> ipsec listcerts
>>>
>>> should show your certificate with the comment
>>>
>>> .., has private key
>>>
>>> Best regards
>>>
>>> Andreas
>>>
>>> On 24.03.2010 14:01, Abbhishek Misra wrote:
>>>>
>>>> Hello All,
>>>>
>>>> I'm trying to set up the host2host-cert example but very basic steps are
>>>> not going through.
>>>>
>>>>
>>>> plm56:~/abhishek # ipsec up host-host
>>>> initiating IKE_SA host-host[1] to 9.182.176.61
>>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) (NATD_D_IP) ]
>>>> sending packet: from 9.182.176.56[500] to 9.182.176.61[500]
>>>> received packet: from 9.182.176.61[500] to 9.182.176.56[500]
>>>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) (NATD_D_IP) N(MULT_AUTH) ]
>>>> no private key found for 'plm56.in.ibm.com'
>>>> plm56:~/abhishek #
>>>>
>>>>
>>>> I have used all conf files as mentioned in the example.
>>>>
>>>> ipsec listcerts is not showing my certificates that I generated using
>>>> this doc http://www.ipsec-howto.org/x595.html
>>>>
>>>> This is how my secrets file looks:
>>>>
>>>> plm56:~/abhishek # cat /etc/ipsec.secrets
>>>> # /etc/ipsec.secrets - strongSwan IPsec secrets file
>>>> : RSA newkey.pem "abhishek"
>>>>
>>>>
>>>> Following is my dir listing:
>>>> http://pastebin.com/PZUgn6zQ
>>>>
>>>> This is my /etc/ssl/openssl.cnf: http://pastebin.com/w3v2zymm
>>>>
>>>> I have gone through
>>>> https://lists.strongswan.org/pipermail/users/2009-August/003771.html
>>>> and verified the modulus for newcert.pem and newkey.pem.
>>>>
>>>> Please take a look at these and let me know what more I should do to
>>>> get through.
>>>>
>>>>
>>>> regards
>>>> Abhishek Misra
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
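The checks Andreas asks for in this thread (does the ipsec.secrets passphrase unlock the key, does the key belong to the certificate, is leftid present as a subjectAltName) plus the basic "does this file parse as a certificate at all" question, as an added shell example that is not part of the thread. It builds a throwaway CA and host certificate with plain openssl in a temp directory, reusing only the thread's leftid and passphrase as values; the file names mirror the thread's but everything is constructed locally.

```shell
#!/bin/sh
# Added example, not from the thread: offline pre-checks with plain openssl
# for the files CA.sh produced, before copying them into /etc/ipsec.d.
# Everything is generated in a temp dir; only LEFTID and PASS come from the thread.
set -e
WORK=$(mktemp -d)
LEFTID="plm56.in.ibm.com"
PASS="abhishek"

# Throwaway CA, a host key protected by $PASS, and two certificates for it:
# one carrying the leftid as subjectAltName and one without it (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
  -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
openssl req -newkey rsa:2048 -passout "pass:$PASS" -subj "/CN=$LEFTID" \
  -keyout "$WORK/newkey.pem" -out "$WORK/newreq.pem" 2>/dev/null
printf 'subjectAltName=DNS:%s\n' "$LEFTID" > "$WORK/san.ext"
openssl x509 -req -in "$WORK/newreq.pem" -CA "$WORK/cacert.pem" \
  -CAkey "$WORK/cakey.pem" -CAcreateserial -days 1 \
  -extfile "$WORK/san.ext" -out "$WORK/newcert.pem" 2>/dev/null
openssl x509 -req -in "$WORK/newreq.pem" -CA "$WORK/cacert.pem" \
  -CAkey "$WORK/cakey.pem" -CAcreateserial -days 1 \
  -out "$WORK/nosan.pem" 2>/dev/null

# Check 1: does the file parse as an X.509 certificate at all?
cert_parses() { openssl x509 -in "$1" -noout 2>/dev/null; }

# Check 2: does the passphrase from ipsec.secrets actually unlock the key?
key_unlocks() { openssl rsa -in "$1" -passin "pass:$2" -noout 2>/dev/null; }

# Check 3: do certificate and key share the same RSA modulus?
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
  k=$(openssl rsa -in "$2" -passin "pass:$3" -noout -modulus 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Check 4: is the leftid listed as a DNS subjectAltName (exact entry match)?
san_contains_id() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qx "DNS:$2"
}

report() { if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; fi; }
report cert_parses "$WORK/cacert.pem"
report cert_parses "$WORK/newkey.pem"            # a key file is not a certificate
report key_unlocks "$WORK/newkey.pem" "$PASS"
report key_unlocks "$WORK/newkey.pem" "wrong"
report key_matches_cert "$WORK/newcert.pem" "$WORK/newkey.pem" "$PASS"
report san_contains_id "$WORK/newcert.pem" "$LEFTID"
report san_contains_id "$WORK/nosan.pem" "$LEFTID"
```

Point the same four functions at the real files under /etc/ipsec.d and the leftid from ipsec.conf to reproduce the checks on a live setup.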