[strongSwan] RSA-encr authentication IKEv1 - loading public key failed

Alex Zetaeffesse fzetafs at gmail.com
Sun May 3 18:03:02 CEST 2015


On Sun, May 3, 2015 at 5:30 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hi Alex,
>
> charon does not load the pubkey plugin and is therefore not able to
> process raw RSA public keys. Are you using an explicit
>
> charon {
>   load =
> }
>
> statement in /etc/strongswan.conf where pubkey is missing?
>
> Best regards
>
> Andreas
>
>
Hi Andreas,

Long story short, yes, I missed the plugin. More details below.
BTW I think I increased the verbosity of the cfg module but still the
information was poor (just "loading public key.... failed")
Is there a way to get more meaningful output from the cfg module and how?

Many thanks for spotting what the root cause was :-)

Alex

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

My strongswan.conf was as follows

charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

As per https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist the
plugin pubkey should have been loaded by default

The logs when I start ipsec (ipsec start) were as follows

May  2 16:20:03 ubuntu charon: 00[DMN] Starting IKE charon daemon
(strongSwan 5.1.2, Linux 3.16.0-36-generic, x86_64)
May  2 16:20:03 ubuntu charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
May  2 16:20:03 ubuntu charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
May  2 16:20:03 ubuntu charon: 00[CFG] loading ocsp signer certificates
from '/etc/ipsec.d/ocspcerts'
May  2 16:20:03 ubuntu charon: 00[CFG] loading attribute certificates from
'/etc/ipsec.d/acerts'
May  2 16:20:03 ubuntu charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May  2 16:20:03 ubuntu charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
May  2 16:20:03 ubuntu charon: 00[CFG]   loaded RSA private key from
'/etc/ipsec.d/private/ubuntu_prv.key'
May  2 16:20:03 ubuntu charon: 00[LIB] loaded plugins: charon addrblock
attr ccm cmac constraints ctr eap-identity gcm md4 openssl pkcs12 pkcs7
pkcs8 rc2 resolve sha1 test-vectors xcbc sha2 md5 aes hmac pem pkcs1 x509
revocation random nonce kernel-netlink socket-default updown stroke
May  2 16:20:03 ubuntu charon: 00[LIB] unable to load 5 plugin features (5
due to unmet dependencies)
May  2 16:20:03 ubuntu charon: 00[LIB] dropped capabilities, running as uid
0, gid 0
May  2 16:20:03 ubuntu charon: 00[JOB] spawning 16 worker threads
May  2 16:20:03 ubuntu charon: 11[CFG] received stroke: add connection
'gre-ipsec'
May  2 16:20:03 ubuntu charon: 11[LIB] building CRED_CERTIFICATE -
TRUSTED_PUBKEY failed, tried 0 builders
May  2 16:20:03 ubuntu charon: 11[CFG]   loading public key for
"192.168.72.144" from '/etc/ipsec.d/R14_pub.key' failed
May  2 16:20:03 ubuntu charon: 11[CFG] added configuration 'gre-ipsec'

I didn't see pubkey loaded. And it was not installed either (Ubuntu 14.04.2
LTS)

p   strongswan-plugin-pubkey
     - strongSwan plugin for raw public keys

After installing it, everything went OK

May  2 16:23:55 ubuntu charon: 11[CFG]   loaded RSA public key for
"192.168.72.144" from '/etc/ipsec.d/R14_pub.key'

FYI, when the plugin was mentioned in strongswan.conf** but not installed, I
saw this in the syslog

May  2 16:12:33 ubuntu charon: 00[DMN] Starting IKE charon daemon
(strongSwan 5.1.2, Linux 3.16.0-36-generic, x86_64)
May  2 16:12:33 ubuntu kernel: [88688.272922] charon[15413]: segfault at 0
ip 00007f49ba144aea sp 00007ffc51d184a8 error 4 in libc-2.19.so
[7f49ba0bc000+1bb000]


**
charon {
        load_modular = yes
        plugins {
                pubkey
                include strongswan.d/charon/*.conf
        }
}
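Added example, not part of the original thread: a small Python checker that reads charon startup log lines, extracts the set from the "loaded plugins:" line and flags the "tried 0 builders" and "loading public key ... failed" messages seen above, so a missing plugin such as pubkey is reported explicitly instead of only as a vague load failure. The sample log is constructed from the lines quoted in this post, and the mapping of the TRUSTED_PUBKEY builder to the pubkey plugin is an assumption drawn from Andreas's reply.

```python
import re

# Constructed sample modelled on the syslog lines quoted in this post (not a real capture).
SAMPLE_LOG = """\
May  2 16:20:03 ubuntu charon: 00[LIB] loaded plugins: charon addrblock attr ccm cmac constraints ctr eap-identity gcm md4 openssl pkcs12 pkcs7 pkcs8 rc2 resolve sha1 test-vectors xcbc sha2 md5 aes hmac pem pkcs1 x509 revocation random nonce kernel-netlink socket-default updown stroke
May  2 16:20:03 ubuntu charon: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
May  2 16:20:03 ubuntu charon: 11[CFG] received stroke: add connection 'gre-ipsec'
May  2 16:20:03 ubuntu charon: 11[LIB] building CRED_CERTIFICATE - TRUSTED_PUBKEY failed, tried 0 builders
May  2 16:20:03 ubuntu charon: 11[CFG]   loading public key for "192.168.72.144" from '/etc/ipsec.d/R14_pub.key' failed
May  2 16:20:03 ubuntu charon: 11[CFG] added configuration 'gre-ipsec'
"""

LOADED_RE = re.compile(r"charon: \d+\[LIB\] loaded plugins: (.*)$")
BUILDER_RE = re.compile(r"building (\S+) - (\S+) failed, tried (\d+) builders")
PUBKEY_RE = re.compile(r"loading public key for \"([^\"]+)\" from '([^']+)' failed")

# Assumed mapping of credential builder type -> plugin that provides it (from the thread).
REQUIRED_FOR = {"TRUSTED_PUBKEY": "pubkey"}


def loaded_plugins(lines):
    """Return the plugin names listed on charon's 'loaded plugins:' line."""
    for line in lines:
        m = LOADED_RE.search(line)
        if m:
            return set(m.group(1).split())
    return set()


def diagnose(log_text, required=("pubkey",)):
    """Check a charon log for missing required plugins and credential load failures."""
    lines = log_text.splitlines()
    plugins = loaded_plugins(lines)
    findings = []
    for p in required:
        if p not in plugins:
            findings.append(f"required plugin '{p}' not in loaded plugin list")
    for line in lines:
        m = BUILDER_RE.search(line)
        if m and m.group(3) == "0":  # no builder registered: usually a plugin is absent
            need = REQUIRED_FOR.get(m.group(2))
            hint = f" (needs plugin '{need}')" if need and need not in plugins else ""
            findings.append(f"no builder for {m.group(1)}/{m.group(2)}{hint}")
        m = PUBKEY_RE.search(line)
        if m:
            findings.append(f"public key for {m.group(1)} not loaded from {m.group(2)}")
    return {"plugins": plugins, "findings": findings}


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG)["findings"]:
        print(finding)
```

Run it against /var/log/syslog output filtered for "charon:" after `ipsec start`; an empty findings list means the required plugins were loaded and no raw key failed to load.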