[strongSwan] getting error "expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed"

Meera Sudhakar mira.sudhakar at gmail.com
Fri Mar 18 13:20:54 CET 2011


Hi Andreas,

Thanks a lot for your reply. Please find my replies inline.

On Thu, Mar 17, 2011 at 10:08 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> On 17.03.2011 12:33, Meera Sudhakar wrote:
> > Hi Andreas,
> >
> > This problem was solved by the solution provided in
> > http://www.mail-archive.com/users@lists.strongswan.org/msg02152.html. I
> > now have a new problem for which I cannot find a solution. It would be
> > great if you could help me understand the problem, and hopefully provide
> > a solution too.
> >
> > I generated the private key and certificate for my machines (the
> > initiator and the receiver) by executing the following command on each
> > of them:
> >
> > openssl req -x509 -days 1460 -newkey rsa:2048 \
> >>             -keyout strongswanKey.pem -out strongswanCert.pem
> >
> This generates a self-signed CA certificate which cannot be used
> as a peer certificate.
>
> > I then placed the file strongswanKey.pem in the path
> > /etc/ipsec.d/private/, and the file strongswanCert.pem in the path
> > /etc/ipsec.d/certs. So now, the line " : RSA strongswanKey.pem "xxxx" "
> > is added to the file ipsec.secrets, and the line
> > "leftcert=strongswanCert.pem" is added to the file ipsec.conf.
> >
> > After starting strongswan, the following was seen in the log file:
> >
> > Mar 17 18:35:32 cip-Latitude-D520 charon: 00[CFG] loading secrets from
> > '/etc/ipsec.secrets'
> > Mar 17 18:35:32 cip-Latitude-D520 charon: 00[CFG]   loaded RSA private
> > key from '/etc/ipsec.d/private/strongswanKey.pem'
> > *Mar 17 18:35:32 cip-Latitude-D520 charon: 00[CFG] expanding file
> > expression '/var/lib/strongswan/ipsec.secrets.inc' failed
>
> do you include secrets from /var/lib/strongswan/ipsec.secrets.inc ?
>

The line "include /var/lib/strongswan/ipsec.secrets.inc" was present in
ipsec.conf. That file contains nothing though. So I now tried removing the
line from ipsec.conf, but I still see the above message in the logfile.

>
> > *Mar 17 18:35:32 cip-Latitude-D520 charon: 00[DMN] loaded plugins: curl
> > ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem
> > openssl fips-prf xcbc hmac agent gmp attr kernel-netlink socket-default
> > farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2
> > dhcp resolve
> >
> > Later on in the logs, I see that CHILD_SA was established, but IKE
> > authentication failed. I am not sure if this is connected to the above
> > problem. Please find a part of the logfile here:
> >
> > *Mar 17 18:35:44 cip-Latitude-D520 charon: 12[IKE] establishing CHILD_SA
> > sample-with-ca-cert
>
> This is just an announcement that a CHILD_SA is going to be established.
>

Ok.

>
> > *Mar 17 18:35:44 cip-Latitude-D520 charon: 12[ENC] generating IKE_AUTH
> > request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP)
> > N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> > Mar 17 18:35:44 cip-Latitude-D520 charon: 12[NET] sending packet: from
> > 10.58.114.215[4500] to 10.58.112.139[4500]
> > Mar 17 18:35:44 cip-Latitude-D520 charon: 13[NET] received packet: from
> > 10.58.112.139[4500] to 10.58.114.215[4500]
> > Mar 17 18:35:44 cip-Latitude-D520 charon: 13[ENC] parsed IKE_AUTH
> > response 1 [ N(AUTH_FAILED) ]
> > *Mar 17 18:35:44 cip-Latitude-D520 charon: 13[IKE] received
> > AUTHENTICATION_FAILED notify error
> > *
> The peer side has an authentication problem because you are sending
> a self-signed certificate. You must send an end entity certificate
> signed by the strongSwan CA and put strongswanCert.pem into
> /etc/ipsec.d/cacerts as a trust anchor.
>

Ok. This was something I hadn't realized.

> >
> > Could you please help me sort this out?
> >
> Consult the following link how to set up a simple PKI:
>
> http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
>

I went through the instructions in the link mentioned here. It's mentioned in
the link that it was kept "as simple as possible", but I still have a couple
of doubts here :-)

1. I have an initiator and a responder. So, I will first create a private
key and self-signed CA certificate. This self-signed certificate will help
me generate end-entity certificates. (I hope my understanding is right). I
created these on the initiator first.
2. I then created the peer key and end-entity certificate for the initiator,
using the CA private key and CA certificate created in step 1.
3. Now, I copied the CA private key and the CA certificate (created in step
1) to the responder, and there, I created the peer key and end-entity
certificate for the responder.
4. In each of the machines, I stored the peer key in /etc/ipsec.d/private,
and the end-entity certificate in /etc/ipsec.d/certs. The CA cert is stored
in /etc/ipsec.d/cacerts.
5. I hope whatever I have done is correct. Please let me know if I
understood the instructions correctly. Once I did this and started
strongswan, I got the following messages in the logfile:

Mar 18 19:14:33 cip-Latitude-D520 charon: 12[ENC] parsed IKE_AUTH request 1
[ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR)
N(MULT_AUTH) N(EAP_ONLY) ]
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[IKE] received cert request for
"C=CH, O=strongSwan, CN=strongSwan CA"
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[IKE] received end entity cert
"C=CH, O=strongSwan, CN=peer"
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] looking for peer configs
matching 10.58.114.215[C=CH, O=strongSwan, CN=peer]...10.58.112.139[C=CH,
O=strongSwan, CN=peer]
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] selected peer config
'sample-with-ca-cert'
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG]   using trusted ca
certificate "C=CH, O=strongSwan, CN=strongSwan CA"
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] checking certificate
status of "C=CH, O=strongSwan, CN=peer"
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] certificate status is not
available
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG]   reached self-signed root
ca with a path length of 0
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG]   using trusted
certificate "C=CH, O=strongSwan, CN=peer"
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[IKE] signature validation
failed, looking for another key
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG]   using certificate "C=CH,
O=strongSwan, CN=peer"
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG]   using trusted ca
certificate "C=CH, O=strongSwan, CN=strongSwan CA"
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] checking certificate
status of "C=CH, O=strongSwan, CN=peer"
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] certificate status is not
available
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG]   reached self-signed root
ca with a path length of 0
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[IKE] authentication of 'C=CH,
O=strongSwan, CN=peer' with RSA signature successful
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] constraint check failed:
peer not authenticated with peer cert 'C=CH, O=strongSwan, CN=peer'.
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] selected peer config
'sample-with-ca-cert' inacceptable
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] no alternative config
found
I really feel I have done something wrong :-(

Also, I read in the link http://wiki.strongswan.org/issues/103 that "If
authentication is based on X.509 certificates then the identity of the peer
*must always* be contained in the peer certificate". This is something I did
not do. I just copied the commands from the link you had mentioned. So,
should I mention the peer's IP address while creating its certificate (in
the dn)?

Thanks and regards,
Meera



>
> > Thanks in advance,
> >
> > Meera
>
> Regards
>
> Andreas
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
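The PKI steps 1 to 4 above, worked through with plain openssl as an added example (not code from this thread or from the strongSwan wiki): one self-signed CA, one CA-signed end-entity certificate per peer with its own CN and a subjectAltName carrying that peer's IP, plus a self-signed "peer" certificate of the kind the original command produced, so the chain check shows why such a certificate is rejected. Assumed: the two addresses from the log are used as the IKE identities, and the directory and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a minimal strongSwan-style PKI
# in a scratch directory with openssl. Assumptions: the log's IPs are the
# IKE identities; file names are placeholders.
set -eu

build_pki() {            # $1 = output directory
  d=$1; mkdir -p "$d"
  # Step 1: CA key and self-signed CA cert (goes to /etc/ipsec.d/cacerts on both peers)
  openssl req -x509 -days 1460 -newkey rsa:2048 -nodes \
    -subj "/C=CH/O=strongSwan/CN=strongSwan CA" \
    -keyout "$d/caKey.pem" -out "$d/caCert.pem" 2>/dev/null
  # Steps 2 and 3: one end-entity cert per peer, each with its own CN and a SAN,
  # signed by the CA rather than self-signed
  for peer in initiator:10.58.114.215 responder:10.58.112.139; do
    n=${peer%%:*}; ip=${peer##*:}
    openssl req -new -newkey rsa:2048 -nodes -subj "/C=CH/O=strongSwan/CN=$n" \
      -keyout "$d/${n}Key.pem" -out "$d/$n.csr" 2>/dev/null
    printf 'subjectAltName=IP:%s\nbasicConstraints=CA:FALSE\n' "$ip" > "$d/$n.ext"
    openssl x509 -req -days 730 -in "$d/$n.csr" -CA "$d/caCert.pem" \
      -CAkey "$d/caKey.pem" -CAcreateserial -extfile "$d/$n.ext" \
      -out "$d/${n}Cert.pem" 2>/dev/null
  done
  # A self-signed "peer" cert like the one the original openssl command made
  openssl req -x509 -days 365 -newkey rsa:2048 -nodes \
    -subj "/C=CH/O=strongSwan/CN=peer" \
    -keyout "$d/selfKey.pem" -out "$d/selfCert.pem" 2>/dev/null
}

# Does the cert chain to the CA? The same trust-anchor check charon performs
# against /etc/ipsec.d/cacerts. $1 = dir, $2 = cert basename without .pem
chains_to_ca() {
  openssl verify -CAfile "$1/caCert.pem" "$1/$2.pem" >/dev/null 2>&1
}

# Identity carried in the cert's subjectAltName, to compare with the IKE ID.
# $1 = dir, $2 = cert basename without .pem
cert_identity() {
  openssl x509 -in "$1/$2.pem" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Stand-alone run: sh pki.sh run
if [ "${1:-}" = "run" ]; then
  build_pki /tmp/ssw-pki
  chains_to_ca /tmp/ssw-pki initiatorCert && echo "initiator cert chains to CA"
  chains_to_ca /tmp/ssw-pki selfCert || echo "self-signed peer cert rejected"
  echo "initiator identity: $(cert_identity /tmp/ssw-pki initiatorCert)"
fi
```

The peer key goes to /etc/ipsec.d/private, the matching end-entity cert to /etc/ipsec.d/certs and caCert.pem to /etc/ipsec.d/cacerts, as in step 4.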