[strongSwan] Small Problems with 5.2
Dirk Hartmann
dha at heise.de
Fri Jul 11 09:04:36 CEST 2014
Hi Noel,
--On Thursday, July 10, 2014 06:35:40 PM +0200 Noel Kuntze
<noel at familie-kuntze.de> wrote:
> Can you please provide your strongswan.conf?
sure.
The server, now back on 5.1.3, is still using the simple single
strongswan.conf:
=================
charon {
    threads = 16
    cisco_unity = yes
    send_vendor_id = yes
    plugins {
        sql {
            loglevel = -1
        }
        attr {
            dns = xx.xx.xx.xx, xx.xx.xx.xx
            nbns = xx.xx.xx.xx
        }
    }
}
libhydra {
    plugins {
        attr-sql {
            database = sqlite:///etc/ipsec.d/database/strongswandb.sqlite
        }
    }
}
pluto {
}
libstrongswan {
}
=====================
I think it's a good time to remove pluto from it.
The client, still running 5.2, uses the split config:
=====================
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
aes {
    load = yes
}
attr {
    load = yes
}
blowfish {
    load = yes
}
cmac {
    load = yes
}
constraints {
    load = yes
}
curl {
    load = yes
}
des {
    load = yes
}
dnskey {
    load = yes
}
fips-prf {
    load = yes
}
gmp {
    load = yes
}
hmac {
    load = yes
}
kernel-netlink {
    load = yes
}
md5 {
    load = yes
}
nonce {
    load = yes
}
ntru {
    load = yes
}
openssl {
    load = yes
}
pem {
    load = yes
}
pgp {
    load = yes
}
pkcs12 {
    load = yes
}
pkcs1 {
    load = yes
}
pkcs7 {
    load = yes
}
pkcs8 {
    load = yes
}
pubkey {
    load = yes
}
random {
    load = yes
}
rc2 {
    load = yes
}
resolve {
    file = /etc/resolve.strongswan
    load = yes
    resolvconf {
    }
}
revocation {
    load = yes
}
sha1 {
    load = yes
}
sha2 {
    load = yes
}
socket-default {
    load = yes
}
sshkey {
    load = yes
}
stroke {
    load = yes
}
updown {
    load = yes
}
x509 {
    load = yes
}
xcbc {
    load = yes
}
charon {
    send_vendor_id = yes
    crypto_test {
    }
    host_resolver {
    }
    leak_detective {
    }
    processor {
        priority_threads {
        }
    }
    tls {
    }
    x509 {
    }
}
charon {
    filelog {
    }
    syslog {
        auth {
            default = 1
            enc = 0
            lib = 0
            knl = 0
            job = 0
        }
    }
}
pki {
}
scepclient {
}
starter {
}
openac {
}
pki {
}
scepclient {
}
=================
Thanks
Dirk
> Am 10.07.2014 15:54, schrieb Dirk Hartmann:
>> Hi,
>>
>> I hit two problems after upgrading to 5.2.
>> The system on both sides is a Debian wheezy 64. strongSwan was compiled with:
>> [client]
>> ./configure --prefix=/usr --sysconfdir=/etc --enable-blowfish
>> --enable-curl --enable-openssl --disable-ikev1 --enable-ntru
>>
>> [gateway]
>> ./configure --prefix=/usr --sysconfdir=/etc --enable-blowfish
>> --enable-curl --enable-eap-radius --enable-ha --enable-openssl
>> --enable-xauth-eap --enable-eap-mschapv2 --enable-eap-identity
>> --enable-sql --enable-attr-sql --enable-sqlite --enable-xauth-noauth
>> --enable-ntru
>>
>> 1. I get this error on both systems after upgrade:
>> ipsec_starter[3318]: notifying watcher failed: Broken pipe
>>
>> 2. I had to roll back to 5.1.3 on the gateway because I couldn't
>> connect from other Linux IKEv2 clients which authenticate via X.509
>> certificates. I got: no trusted RSA public key found for NAME
>>
>> On the other side, IKEv1 connections from Mac/iOS with certificates
>> and IKEv2 connections from Windows clients with eap-mschapv2 had no
>> problems. (No Win7 client with IKEv2 and X.509 certificates tried to
>> connect at that time.)
>>
>> As the gateway is in productive use, I couldn't debug the problem for
>> long.
>>
>> I have a second server with the same configuration that I can use to
>> dig deeper into the problem. What further information would you
>> need, what debug levels should I use?
>>
>> All the while the gateway is back on 5.1.3 while my home client is
>> still on 5.2 and can connect despite the Broken Pipe error.
>>
>> Best Regards
>> Dirk
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
--
Dirk Hartmann, Heise Zeitschriften Verlag GmbH & Co. KG
IT-Systemmanagement, Karl-Wiechert-Allee 10, D-30625 Hannover
E-Mail: dha at heise.de - Tel.: +49 511 5352 494 - FAX: - 479
PGP-Fingerprint 4153 7C95 3259 C39F 49AA 9BAA 6833 A8DC 6D90 050E
Don't blame me for the following spam, blame the European government:
Heise Zeitschriften Verlag GmbH & Co. KG
Register court: Amtsgericht Hannover HRA 26709
Personally liable partner:
Heise Zeitschriften Verlag Geschäftsführung GmbH
Register court: Amtsgericht Hannover, HRB 60405
Managing directors: Ansgar Heise, Dr. Alfons Schräder
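The two configs in this thread use the syntax that the 5.2 split layout is built on: nested `name { ... }` sections, `key = value` settings and `include` lines, with `load_modular = yes` meaning every plugin needs an explicit `load = yes`. The following is an added example, not strongSwan code and not anything from the thread, that parses text in that shape, merges repeated sections the way a concatenated strongswan.d/ tree is read, and reports which plugins are enabled. The lists `LEGACY_PLUGINS` and `CERT_AUTH_PLUGINS` are assumptions made for this example (plugin names taken from the posted client config), not an official dependency list, and the sample input is a constructed subset of the posted client config.

```python
"""Minimal parser and audit for strongswan.conf-style text (added example,
not strongSwan's own parser). Handles nested sections, key = value
settings, `# comments` and `include` lines; repeated sections are merged."""
import re
from typing import Dict, List

# Assumption for this example: plugins a reviewer would flag as legacy algorithms.
LEGACY_PLUGINS = {"blowfish", "des", "md5", "rc2"}
# Assumption for this example: plugins the X.509 authentication path uses;
# names are taken from the client config posted in the thread.
CERT_AUTH_PLUGINS = {"x509", "pem", "pubkey", "pkcs1", "revocation"}

SECTION_RE = re.compile(r"^([\w.-]+)\s*\{$")
SETTING_RE = re.compile(r"^([\w.-]+)\s*=\s*(.*)$")
INCLUDE_RE = re.compile(r"^include\s+(\S+)$")


def parse_config(text: str) -> Dict:
    """Parse strongswan.conf-style text into nested dicts.

    Sections become dicts, settings become strings (a later duplicate wins),
    and `include` patterns are collected under the key "__include__".
    """
    root: Dict = {}
    stack: List[Dict] = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
            continue
        m = SECTION_RE.match(line)
        if m:
            # A repeated section (e.g. a second top-level `charon {`) is merged.
            child = stack[-1].setdefault(m.group(1), {})
            if not isinstance(child, dict):
                raise ValueError(f"line {lineno}: {m.group(1)} is both setting and section")
            stack.append(child)
            continue
        m = INCLUDE_RE.match(line)
        if m:
            stack[-1].setdefault("__include__", []).append(m.group(1))
            continue
        m = SETTING_RE.match(line)
        if m:
            stack[-1][m.group(1)] = m.group(2).strip()
            continue
        raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated section at end of input")
    return root


def loaded_plugins(tree: Dict) -> set:
    """Plugins with `load = yes`, looked up under charon.plugins and also at
    top level, which is where they land in a flat dump of strongswan.d/charon/*.conf."""
    found = set()
    for scope in (tree.get("charon", {}).get("plugins", {}), tree):
        for name, val in scope.items():
            if isinstance(val, dict) and val.get("load") == "yes":
                found.add(name)
    return found


def audit(text: str) -> Dict:
    """Summarise plugin loading: legacy algorithms enabled and, when
    load_modular is on, certificate-path plugins that lack `load = yes`."""
    tree = parse_config(text)
    loaded = loaded_plugins(tree)
    modular = tree.get("charon", {}).get("load_modular") == "yes"
    return {
        "load_modular": modular,
        "loaded": sorted(loaded),
        "legacy_loaded": sorted(loaded & LEGACY_PLUGINS),
        # Without load_modular every plugin loads by default, so nothing is missing.
        "cert_auth_missing": sorted(CERT_AUTH_PLUGINS - loaded) if modular else [],
    }


# Constructed sample in the shape of the split 5.2 client config from the thread.
SAMPLE = """\
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
aes {
    load = yes
}
blowfish {
    load = yes
}
x509 {
    load = yes
}
pem {
    load = yes
}
pubkey {
    load = yes
}
charon {
    send_vendor_id = yes   # merged into the charon section above
}
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against a real split tree, feed it `cat /etc/strongswan.conf /etc/strongswan.d/*.conf /etc/strongswan.d/charon/*.conf` (the same flat dump the client config above is); `cert_auth_missing` is only meaningful with `load_modular = yes`, because otherwise strongSwan loads plugins by default and an absent `load = yes` line says nothing.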