[strongSwan] Strongswan[5.4.0] unix:///var/run/charon.vici
rajeev nohria
rajnohria at gmail.com
Mon May 16 16:20:46 CEST 2016
Andreas,
Strongswan 5.4.0
swanctl.conf
When I tried to initiate the connections (swanctl --initiate --child net), I
get the following error: "no trusted RSA public key found"
I did make peerKey.der based on the following link and copied it to the
/etc/swanctl/rsa directory.
https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
07[IKE] 10.13.199.185 is initiating an IKE_SA
07[IKE] sending cert request for "C=US, O=ARRIS, CN=RPD"
07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
07[NET] sending packet: from 10.13.199.130[500] to 10.13.199.185[500] (289 bytes)
09[NET] received packet: from 10.13.199.185[4500] to 10.13.199.130[4500] (1312 bytes)
09[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
09[IKE] received 1 cert requests for an unknown ca
09[IKE] received end entity cert "C=US, O=ARRIS, CN=RPD"
09[CFG] looking for peer configs matching 10.13.199.130[%any]...10.13.199.185[rnohria at arris.com]
09[CFG] selected peer config 'rw'
09[IKE] no trusted RSA public key found for 'rnohria at arris.com'
09[IKE] peer supports MOBIKE
09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
09[NET] sending packet: from 10.13.199.130[4500] to 10.13.199.185[4500] (80 bytes)
Thanks,
Rajeev
On Wed, May 11, 2016 at 9:18 AM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
> Hi Rajeev,
>
> there seems to be something wrong with your user certificate.
>
> You can configure the charon daemon dynamically using the
> VICI interface. There are VICI bindings for the Perl, Ruby
> and Python script languages which can be used by your
> IPsec management application to communicate with the
> charon daemon. For details have a look at
>
>
> https://github.com/strongswan/strongswan/blob/master/src/libcharon/plugins/vici/README.md
>
> If you intend to write your management application in C or C++
> then consider the DAVICI library:
>
> https://github.com/strongswan/davici/blob/master/README.md
>
> Regards
>
> Andreas
>
> On 11.05.2016 13:50, rajeev nohria wrote:
> > Andreas,
> >
> > I appreciate you helping me out. Now I am making progress with charon
> > running; not sure why it was stopping before. I am getting the following
> > error now. I am going over my config files. Hopefully I will find the
> > issue.
> >
> > rnohria at ubuntu:~$ sudo swanctl --load-conns
> > 06[LIB] OpenSSL X.509 parsing failed
> > 06[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
> > loading connection 'rw' failed: invalid value for: certs, config discarded
> > loaded 0 of 1 connections, 1 failed to load, 0 unloaded
> >
> >
> > Question:
> >
> > Can I use strongSwan to make connections dynamically, not via a config
> > file? For a config file we need to know the information beforehand. What if I
> > don't know all the information beforehand, like the local and remote IP
> > addresses? Does any interface exist in strongSwan to support dynamic connections?
> >
> > Thanks,
> > Rajeev
> >
> >
> >
> >
> >
> > On Wed, May 11, 2016 at 4:41 AM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
> >
> > Hi Rajeev,
> >
> > try running charon in the foreground:
> >
> > sudo /usr/local/libexec/ipsec/charon
> >
> > and check for error messages in the console window.
> >
> > Cheers Andreas
> >
> > On 11.05.2016 11:53, rajeev nohria wrote:
> >
> > Andreas,
> >
> > It seems like the charon daemon is not running. When I run the charon
> > command, it immediately stops. Where can I find the charon log to see
> > if there is any issue?
> >
> > rnohria at ubuntu:~$ sudo /usr/local/libexec/ipsec/charon&
> > [1] 7272
> > rnohria at ubuntu:~$
> >
> > [1]+ Stopped sudo /usr/local/libexec/ipsec/charon
> >
> > Thanks,
> > Rajeev
> >
> >
> > On Wed, May 11, 2016 at 2:55 AM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
> >
> > Hi Rajeev,
> >
> > can you check in the charon log if the vici plugin has been loaded?
> > And do you see the charon daemon running in the process status
> > (ps aux | grep charon)?
> >
> > Regards
> >
> > Andreas
> >
> > On 05/11/2016 04:04 AM, rajeev nohria wrote:
> > > Thanks Andreas,
> > >
> > > I ran the charon and also copied the charon script file to /etc/init.d.
> > > Now when I run sudo swanctl --load-conn, I still get the same issue.
> > > connecting to 'unix:///var/run/charon.vici' failed: No such file or directory
> > > Error: connecting to 'default' URI failed: No such file or directory
> > > strongSwan 5.4.0 swanctl
> > > usage:
> > >   swanctl --load-conns [--raw|--pretty]
> > >     --help (-h)     show usage information
> > >     --raw (-r)      dump raw response message
> > >     --pretty (-P)   dump raw response message in pretty print
> > >     --debug (-v)    set debug level, default: 1
> > >     --options (-+)  read command line options from file
> > >     --uri (-u)      service URI to connect to
> > >
> > >
> > > Am I missing any other step?
> > >
> > > Thanks,
> > > Rajeev
> > >
> > > On Tue, May 10, 2016 at 3:59 AM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
> > >
> > > Hi Rajeev,
> > >
> > > is the charon daemon running? If not, either start charon manually:
> > >
> > > sudo /usr/local/libexec/ipsec/charon &
> > >
> > > or if your Linux distribution still uses upstart, copy the
> > > following script to /etc/init.d/
> > >
> > > https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/testing/hosts/default/etc/init.d/charon
> > >
> > > and start the charon daemon in the appropriate runlevels.
> > >
> > > If your Linux distribution uses systemd instead, compile and
> > > install strongSwan with
> > >
> > > ./configure --enable-systemd
> > >
> > > and enable and start the strongswan-swanctl service.
> > >
> > > BTW - in order to use the vici socket you must be root. Thus
> > >
> > > sudo swanctl --load-conn
> > >
> > > Best regards
> > >
> > > Andreas
> > >
> > >
> > > On 09.05.2016 16:34, rajeev nohria wrote:
> > >
> > > I am a new user of strongSwan and running 5.4.0. After creating
> > > certificates and configuring two Ubuntu machines with strongSwan
> > > 5.4.0, I try to create a connection as follows and get an error.
> > > Please advise, how to resolve the following issue?
> > >
> > > $swanctl --load-conn
> > > connecting to 'unix:///var/run/charon.vici' failed: No such file or directory
> > > Error: connecting to 'default' URI failed: No such file or directory
> > > strongSwan 5.4.0 swanctl
> > > usage:
> > >
> > >
> > > Thanks,
> > > Rajeev
> > >
> > >
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.strongswan.org
> > > https://lists.strongswan.org/mailman/listinfo/users
> > >
> > > --
> > > ======================================================================
> > > Andreas Steffen andreas.steffen at strongswan.org
> > > strongSwan - the Open Source VPN Solution! www.strongswan.org
> > > Institute for Internet Technologies and Applications
> > > University of Applied Sciences Rapperswil
> > > CH-8640 Rapperswil (Switzerland)
> > > ===========================================================[ITA-HSR]==
>
>
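
Added example, not part of the original thread or of strongSwan: a small Python triage of the charon log excerpt at the top of this message, collecting the IKE identity, the received certificate subject and the unknown-CA notice around N(AUTH_FAILED). The function name triage and the hint texts are assumptions made for this example; the sample lines are copied from the post with line wrapping undone.

```python
import re

# Charon log lines copied from the post above, line wrapping undone.
# The list archive rewrites "@" as " at "; the identity is kept as archived.
SAMPLE_LOG = """\
09[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
09[IKE] received 1 cert requests for an unknown ca
09[IKE] received end entity cert "C=US, O=ARRIS, CN=RPD"
09[CFG] selected peer config 'rw'
09[IKE] no trusted RSA public key found for 'rnohria at arris.com'
09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

LINE = re.compile(r"^(\d+)\[([A-Z]{3})\] (.*)$")  # thread, subsystem, message
CERT = re.compile(r'received end entity cert "(.+)"')
NOKEY = re.compile(r"no trusted (\w+) public key found for '(.+)'")


def triage(log_text):
    """Collect the facts around an AUTH_FAILED and derive things to check."""
    facts = {"peer_id": None, "cert_subject": None, "unknown_ca": False,
             "auth_failed": False, "hints": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation of a wrapped line, or non-charon output
        _thread, subsystem, msg = m.groups()
        if subsystem == "IKE":
            if CERT.search(msg):
                facts["cert_subject"] = CERT.search(msg).group(1)
            elif NOKEY.search(msg):
                facts["peer_id"] = NOKEY.search(msg).group(2)
            elif "cert requests for an unknown ca" in msg:
                facts["unknown_ca"] = True
        elif subsystem == "ENC" and "N(AUTH_FAILED)" in msg:
            facts["auth_failed"] = True
    subject, peer_id = facts["cert_subject"], facts["peer_id"]
    if subject and peer_id and peer_id != subject:
        facts["hints"].append(
            "IKE identity differs from the certificate subject DN: it must "
            "appear in that certificate as a subjectAltName")
    if facts["unknown_ca"]:
        facts["hints"].append(
            "peer's CERTREQ names a CA that is not loaded on this host: "
            "check which CA certificates are in the local trust store")
    return facts


if __name__ == "__main__":
    for hint in triage(SAMPLE_LOG)["hints"]:
        print("check:", hint)
```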