[strongSwan] CA cert being discarded

Andreas Steffen andreas.steffen at strongswan.org
Fri Aug 19 12:46:06 CEST 2011


Hello Meera,

you should self-sign the CA certificate using the

 openssl req -new -x509 -key cakey.pem -out cacert.csr

command which will set the CA basic constraint to true.

Concerning the "error writing to socket" problem: it is
probably caused because either the socket-default plugin
(only the IKEv2 charon daemon is running) or the socket-raw
plugin (both the IKEv1 pluto and IKEv2 charon daemons are
running) has not been loaded. Do you define an explicit

charon {
  load = <plugin list>
}

entry in strongswan.conf where the socket plugin is missing?

Best regards

Andreas

 On 19.08.2011 08:45, Meera Sudhakar wrote:
> Hi strongSwan team,
>  
> I am trying to establish a tunnel between two end-points. They do not
> support pki, so I had to create the certificates using openssl. When I
> did this, gave "ipsec start" and then checked "ipsec listcacerts", it
> shows nothing. The following lines are also present in the logs:
>  
> Jan  1 02:44:40 localhost charon: 05[CFG] received stroke: add ca
> 'strongswan'
> Jan  1 02:44:40 localhost charon: 05[LIB]   loaded certificate file
> '/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem'
> Jan  1 02:44:40 localhost charon: 05[CFG]   ca certificate must have ca
> basic constraint set, discarded
> Please find below the commands used to create the CA cert:
> 
> openssl genrsa -des3 -out cakey.pem 2048
> 
> openssl req -new -key cakey.pem -out cacert.csr
> 
> cp cakey.pem cakey.pem.org
> 
> openssl rsa -in cakey.pem.org -out cakey.pem
> 
> openssl x509 -req -days 365 -in cacert.csr -signkey cakey.pem -out
> cacert.pem
> 
>  
> Please find below the required conf files and logs:
>  
> End-point1:
> root at localhost:/root>
> root at localhost:/root>
> /usr/local/6bin/ipsec start
> Starting strongSwan 4.3.1 IPsec [starter]...
> root at localhost:/root>
> /usr/local/6bin/ipsec status
> Security Associations:
>   none
> root at localhost:/root> tail -40
> /var/log/messages
> Aug 19 12:03:31 localhost charon: 01[DMN] signal of type SIGINT
> received. Shutting down
> Aug 19 12:00:13 localhost charon: 01[DMN] Starting IKEv2 charon daemon
> (strongSwan 4.3.1)
> Aug 19 12:00:13 localhost charon: 01[CFG] loading ca certificates from
> '/etc/ipsec/certs/ipsec.d/cacerts'
> Aug 19 12:00:13 localhost charon: 01[LIB]   loaded certificate file
> '/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem'
> Aug 19 12:00:13 localhost charon: 01[CFG]   ca certificate must have ca
> basic constraint set, discarded
> Aug 19 12:00:13 localhost charon: 01[CFG] loading aa certificates from
> '/etc/ipsec/certs/ipsec.d/aacerts'
> Aug 19 12:00:13 localhost charon: 01[CFG] loading ocsp signer
> certificates from '/etc/ipsec/certs/ipsec.d/ocspcerts'
> Aug 19 12:00:13 localhost charon: 01[CFG] loading attribute certificates
> from '/etc/ipsec/certs/ipsec.d/acerts'
> Aug 19 12:00:13 localhost charon: 01[CFG] loading crls from
> '/etc/ipsec/certs/ipsec.d/crls'
> Aug 19 12:00:13 localhost charon: 01[CFG] loading secrets from
> '/etc/ipsec.secrets'
> Aug 19 12:00:14 localhost charon: 01[CFG]   loaded private key file
> '/etc/ipsec/certs/ipsec.d/private/f1key.pem'
> Aug 19 12:00:14 localhost charon: 01[KNL] listening on interfaces:
> Aug 19 12:00:14 localhost charon: 01[KNL]   fpn0
> Aug 19 12:00:14 localhost charon: 01[KNL]     fe80::dead:be00:6ef:0
> Aug 19 12:00:14 localhost charon: 01[KNL]   eth0
> Aug 19 12:00:14 localhost charon: 01[KNL]     192.168.255.97
> Aug 19 12:00:14 localhost charon: 01[KNL]     fe80::200:0:700:1801
> Aug 19 12:00:14 localhost charon: 01[KNL]   eth1
> Aug 19 12:00:14 localhost charon: 01[KNL]     169.254.0.71
> Aug 19 12:00:14 localhost charon: 01[KNL]     fe80::200:0:800:1803
> Aug 19 12:00:14 localhost charon: 01[KNL]   eth2
> Aug 19 12:00:14 localhost charon: 01[KNL]     169.254.1.71
> Aug 19 12:00:14 localhost charon: 01[KNL]     fe80::40:4300:931:3317
> Aug 19 12:00:14 localhost charon: 01[KNL]   eth3
> Aug 19 12:00:14 localhost charon: 01[KNL]     192.168.0.9
> Aug 19 12:00:14 localhost charon: 01[KNL]     fe80::40:4300:a31:331b
> Aug 19 12:00:14 localhost charon: 01[DMN] loaded plugins: openssl random
> x509 pubkey hmac xcbc stroke kernel-netlink
> Aug 19 12:00:14 localhost charon: 01[JOB] spawning 16 worker threads
> Aug 19 12:00:14 localhost charon: 02[CFG] received stroke: add ca
> 'strongswan'
> Aug 19 12:00:14 localhost charon: 02[LIB]   loaded certificate file
> '/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem'
> Aug 19 12:00:14 localhost charon: 02[CFG]   ca certificate must have ca
> basic constraint set, discarded
> Aug 19 12:00:14 localhost charon: 02[CFG] received stroke: add
> connection 'sample-with-ca-cert'
> Aug 19 12:00:14 localhost charon: 02[KNL] getting interface name for
> 10.58.115.131
> Aug 19 12:00:14 localhost charon: 02[KNL] 10.58.115.131 is not a local
> address
> Aug 19 12:00:14 localhost charon: 02[KNL] getting interface name for
> 10.58.115.136
> Aug 19 12:00:14 localhost charon: 02[KNL] 10.58.115.136 is not a local
> address
> Aug 19 12:00:14 localhost charon: 02[CFG] left nor right host is our
> side, assuming left=local
> Aug 19 12:00:14 localhost charon: 02[LIB]   loaded certificate file
> '/etc/ipsec/certs/ipsec.d/certs/f1cert.pem'
> Aug 19 12:00:14 localhost charon: 02[CFG]   peerid 10.58.115.136 not
> confirmed by certificate, defaulting to subject DN: C=IN, ST=KA, L=BLR,
> O=NSN, OU=CIPS, CN=MS, E=ms at nsn.com
> Aug 19 12:00:14 localhost charon: 02[CFG] added configuration
> 'sample-with-ca-cert'
> root at localhost:/root>
> root at localhost:/root>
> /usr/local/6bin/ipsec listcacerts
> root at localhost:/root>
> /usr/local/6bin/ipsec listcerts
> List of X.509 End Entity Certificates:
>   subject:  "C=IN, ST=KA, L=BLR, O=NSN, OU=CIPS, CN=MS, E=ms at nsn.com"
>   issuer:   "C=IN, ST=KA, L=BLR, O=NSN, OU=CIPS, CN=MS, E=ms at nsn.com"
>   serial:    00:d5:4f:fd:7d:a9:d6:2c:dc
>   validity:  not before Jan 01 01:45:22 2000, ok
>              not after  Dec 31 01:45:22 2000, ok
>   pubkey:    RSA 2048 bits, has private key
>   keyid:     e6:67:be:9e:2f:cf:e5:66:ef:92:0c:5c:91:68:d9:52:1b:63:b1:af
>   subjkey:   2a:5a:45:5d:83:40:34:fc:ba:91:fe:29:13:41:4c:bf:1a:ff:73:d8
> root at localhost:/root>
> root at localhost:/root> cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
>         # plutodebug=all
>         # crlcheckinterval=600
>         strictcrlpolicy=no
>         # cachecrls=yes
>         # nat_traversal=yes
>         charonstart=yes
>         plutostart=no
>         charondebug="chd 2, knl 2"
> ca strongswan
>         cacert=cacert.pem
>         auto=add
> conn sample-with-ca-cert
>       left=10.58.115.136
>       leftsubnet=10.58.115.0/25
>       leftcert=f1cert.pem
>       #leftnexthop=10.58.112.1
>       right=10.58.115.131
>       rightsubnet=10.58.115.0/25
>       #rightid="C=CH, O=strongSwan, CN=10.58.228.80"
>       keyexchange=ikev2
>       auto=add
> root at localhost:/root>
> End-point2:
> root at localhost:/root>
> root at localhost:/root>
> /usr/local/6bin/ipsec start
> Starting strongSwan 4.3.1 IPsec [starter]...
> root at localhost:/root>
> /usr/local/6bin/ipsec status
> Security Associations:
> sample-with-ca-cert[1]: CONNECTING 10.58.115.131[%any]...10.58.115.136[%any]
> sample-with-ca-cert[1]: IKE SPIs: 07431ac18bcde5db_i*
> 0000000000000000_r
> root at localhost:/root>
> root at localhost:/root> tail -40
> /var/log/messages
> Aug 19 12:00:14 localhost charon: 01[KNL]     192.168.255.76
> Aug 19 12:00:14 localhost charon: 01[KNL]     fe80::40:4300:a31:2908
> Aug 19 12:00:14 localhost charon: 01[KNL]   bnet111
> Aug 19 12:00:14 localhost charon: 01[KNL]     169.254.0.73
> Aug 19 12:00:14 localhost charon: 01[KNL]     fe80::200:0:b00:1803
> Aug 19 12:00:14 localhost charon: 01[KNL]   bnet222
> Aug 19 12:00:14 localhost charon: 01[KNL]     169.254.1.73
> Aug 19 12:00:14 localhost charon: 01[KNL]     fe80::40:4300:c31:2904
> Aug 19 12:00:14 localhost charon: 01[KNL]   bnet333
> Aug 19 12:00:14 localhost charon: 01[KNL]     192.168.0.11
> Aug 19 12:00:14 localhost charon: 01[KNL]     fe80::40:4300:d31:2908
> Aug 19 12:00:14 localhost charon: 01[KNL]   bnet112
> Aug 19 12:00:14 localhost charon: 01[KNL]     fe80::200:0:e00:1803
> Aug 19 12:00:14 localhost charon: 01[KNL]   bnet334
> Aug 19 12:00:14 localhost charon: 01[KNL]     fe80::40:4300:f31:2908
> Aug 19 12:00:14 localhost charon: 01[DMN] loaded plugins: openssl random
> x509 pubkey hmac xcbc stroke kernel-netlink
> Aug 19 12:00:14 localhost charon: 01[JOB] spawning 16 worker threads
> Aug 19 12:00:14 localhost charon: 17[CFG] received stroke: add ca
> 'strongswan'
> Aug 19 12:00:14 localhost charon: 17[LIB]   loaded certificate file
> '/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem'
> Aug 19 12:00:14 localhost charon: 17[CFG]   ca certificate must have ca
> basic constraint set, discarded
> Aug 19 12:00:14 localhost charon: 08[CFG] received stroke: add
> connection 'sample-with-ca-cert'
> Aug 19 12:00:14 localhost charon: 08[KNL] getting interface name for
> 10.58.115.136
> Aug 19 12:00:14 localhost charon: 08[KNL] 10.58.115.136 is not a local
> address
> Aug 19 12:00:14 localhost charon: 08[KNL] getting interface name for
> 10.58.115.131
> Aug 19 12:00:14 localhost charon: 08[KNL] 10.58.115.131 is not a local
> address
> Aug 19 12:00:14 localhost charon: 08[CFG] left nor right host is our
> side, assuming left=local
> Aug 19 12:00:14 localhost charon: 08[LIB]   loaded certificate file
> '/etc/ipsec/certs/ipsec.d/certs/f2cert.pem'
> Aug 19 12:00:14 localhost charon: 08[CFG]   peerid 10.58.115.131 not
> confirmed by certificate, defaulting to subject DN: C=IN, ST=KA, L=BLR,
> O=NSN, OU=CIPS, CN=MS, E=ms at nsn.com
> Aug 19 12:00:14 localhost charon: 08[CFG] added configuration
> 'sample-with-ca-cert'
> Aug 19 12:00:14 localhost charon: 10[CFG] received stroke: initiate
> 'sample-with-ca-cert'
> Aug 19 12:00:14 localhost charon: 10[IKE] initiating IKE_SA
> sample-with-ca-cert[1] to 10.58.115.136
> Aug 19 12:00:14 localhost charon: 10[ENC] generating IKE_SA_INIT request
> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Aug 19 12:00:14 localhost charon: 10[NET] sending packet: from
> 10.58.115.131[500] to 10.58.115.136[500]
> Aug 19 12:00:14 localhost charon: 04[NET] error writing to socket:
> Invalid argument
> Aug 19 12:00:18 localhost charon: 12[IKE] retransmit 1 of request with
> message ID 0
> Aug 19 12:00:18 localhost charon: 12[NET] sending packet: from
> 10.58.115.131[500] to 10.58.115.136[500]
> Aug 19 12:00:18 localhost charon: 04[NET] error writing to socket:
> Invalid argument
> Aug 19 12:00:25 localhost charon: 15[IKE] retransmit 2 of request with
> message ID 0
> Aug 19 12:00:25 localhost charon: 15[NET] sending packet: from
> 10.58.115.131[500] to 10.58.115.136[500]
> Aug 19 12:00:25 localhost charon: 04[NET] error writing to socket:
> Invalid argument
> root at localhost:/root>
> root at localhost:/root>
> /usr/local/6bin/ipsec listcacerts
> root at localhost:/root>
> /usr/local/6bin/ipsec listcerts
> List of X.509 End Entity Certificates:
>   subject:  "C=IN, ST=KA, L=BLR, O=NSN, OU=CIPS, CN=MS, E=ms at nsn.com"
>   issuer:   "C=IN, ST=KA, L=BLR, O=NSN, OU=CIPS, CN=MS, E=ms at nsn.com"
>   serial:    00:f6:a2:fd:e8:ee:51:e7:22
>   validity:  not before Jan 01 01:09:24 2000, ok
>              not after  Dec 31 01:09:24 2000, ok
>   pubkey:    RSA 2048 bits, has private key
>   keyid:     30:b5:05:c2:27:13:46:d5:61:fe:fa:a7:4b:c7:ea:be:1b:cd:b2:07
>   subjkey:   5a:d7:fb:ea:55:1f:d3:82:c4:51:48:8e:cc:4b:d3:55:7f:75:8d:91
> root at localhost:/root> cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
>         # plutodebug=all
>         # crlcheckinterval=600
>         strictcrlpolicy=no
>         # cachecrls=yes
>         # nat_traversal=yes
>         charonstart=yes
>         plutostart=no
>         charondebug="chd 2, knl 2"
> ca strongswan
>         cacert=cacert.pem
>         auto=add
> conn sample-with-ca-cert
>       left=10.58.115.131
>       leftsubnet=10.58.115.0/25
>       leftcert=f2cert.pem
>       #leftnexthop=10.58.228.1
>       right=10.58.115.136
>       rightsubnet=10.58.115.0/25
>       #rightid="C=CH, O=strongSwan, CN=10.58.112.170"
>       keyexchange=ikev2
>       auto=start
> root at localhost:/root>
> I don't know why the message "error writing to socket: Invalid argument"
> comes up either. Please let me know if I have gone wrong anywhere, or
> whether there is anything else I need to do.
>  
> Thanks and regards,
> Meera

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
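The two checks the reply points at, as an added shell example that is not code from this thread or from the strongSwan project: it builds a CA with `openssl req -new -x509` and verifies that the certificate actually carries the CA basic constraint before it is dropped into ipsec.d/cacerts, and it inspects the charon `load` list of a strongswan.conf for a socket plugin. The subject DN, the scratch paths, the sample strongswan.conf and the function names (`make_ca`, `has_ca_constraint`, `is_self_signed`, `load_has_socket_plugin`, `write_sample_conf`) are all constructed for this example; the plugin list in the "broken" variant mirrors the "loaded plugins" line in the posted logs, which names no socket plugin.

```shell
#!/bin/sh
# Added example (not code from the thread): pre-flight checks for the two
# problems discussed above, runnable on any box with a POSIX sh and openssl.
#   1. the CA certificate must carry the X.509 basicConstraints CA:TRUE flag,
#      otherwise charon logs "ca certificate must have ca basic constraint
#      set, discarded" and `ipsec listcacerts` stays empty;
#   2. an explicit charon.load list in strongswan.conf must name a socket
#      plugin (socket-default for charon only, socket-raw with pluto), or
#      the daemon cannot send: "error writing to socket: Invalid argument".
# Subject DN, scratch paths and the sample strongswan.conf are constructed
# for this demo; the function names are choices made here.
set -eu

# make_ca DIR: create DIR/cakey.pem and DIR/cacert.pem the recommended way.
# `openssl req -new -x509` signs the request with its own key and applies the
# v3_ca extensions from openssl.cnf, which include basicConstraints CA:TRUE.
# The original recipe (`openssl x509 -req -signkey` without -extfile) writes
# no extensions, which is why its output was rejected.
make_ca() {
  mkdir -p "$1"
  openssl genrsa -out "$1/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$1/cakey.pem" \
    -subj "/C=XX/O=Example Lab/CN=Example Root CA" \
    -out "$1/cacert.pem" 2>/dev/null
}

# has_ca_constraint FILE: print "yes" if the PEM certificate carries CA:TRUE
# in its Basic Constraints extension, "no" otherwise (or if unreadable).
has_ca_constraint() {
  if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
    echo yes
  else
    echo no
  fi
}

# is_self_signed FILE: print "yes" if the subject DN equals the issuer DN.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer=//')
  if [ -n "$subj" ] && [ "$subj" = "$iss" ]; then echo yes; else echo no; fi
}

# load_has_socket_plugin FILE: inspect the first "load = ..." line of a
# strongswan.conf. Prints "yes" if socket-default or socket-raw is listed,
# "no" if the list omits both, and "default" if there is no explicit list
# (charon then loads every plugin it was built with, socket plugin included).
load_has_socket_plugin() {
  line=$(grep -E '^[[:space:]]*load[[:space:]]*=' "$1" | head -n 1 || true)
  if [ -z "$line" ]; then
    echo default
  elif printf '%s\n' "$line" | grep -Eq 'socket-(default|raw)'; then
    echo yes
  else
    echo no
  fi
}

# write_sample_conf FILE MODE: constructed strongswan.conf. MODE "broken"
# reproduces the plugin list shown in the posted "loaded plugins" log line
# (no socket plugin); MODE "fixed" appends socket-default for a charon-only
# setup, as the reply suggests.
write_sample_conf() {
  plugins="openssl random x509 pubkey hmac xcbc stroke kernel-netlink"
  if [ "$2" = fixed ]; then
    plugins="$plugins socket-default"
  fi
  cat > "$1" <<EOF
# constructed strongswan.conf for the demo (not a real deployment)
charon {
  load = $plugins
}
EOF
}

# Run everything end to end:  sh ca_check.sh demo
if [ "${1:-}" = demo ]; then
  work=$(mktemp -d)
  make_ca "$work/ca"
  echo "cacert.pem has CA:TRUE:    $(has_ca_constraint "$work/ca/cacert.pem")"
  echo "cacert.pem is self-signed: $(is_self_signed "$work/ca/cacert.pem")"
  write_sample_conf "$work/broken.conf" broken
  write_sample_conf "$work/fixed.conf" fixed
  echo "broken.conf loads a socket plugin: $(load_has_socket_plugin "$work/broken.conf")"
  echo "fixed.conf loads a socket plugin:  $(load_has_socket_plugin "$work/fixed.conf")"
  rm -rf "$work"
fi
```

`load_has_socket_plugin` only reads the first `load =` line it finds, so on a strongswan.conf that also carries a `load` list for another section it should be pointed at the `charon { ... }` block specifically; the "default" result is the case Andreas asks about in reverse: with no explicit list charon loads all built plugins, so the socket error only appears when the list was written by hand and the socket plugin left out.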



