[strongSwan] Strongswan 5.4 issue using certificates
rajeev nohria
rajnohria at gmail.com
Tue Oct 4 21:05:46 CEST 2016
Andreas,
Thank you for all your help. I have compiled Strongswan with petalinux.
Whenever I run charon I get the following error. Is there any flag I
can add in the makefile to get this fixed?
#charon
charon: error while loading shared libraries: libatomic.so.1: cannot open shared object file: No such file or directory
Thanks,
Rajeev
On Fri, Sep 16, 2016 at 4:33 AM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
> Hi Rajeev,
>
> yes, you have to load the private key file in your management tool
> and transfer it via the VICI interface as a binary blob.
>
> Regards
>
> Andreas
>
> On 15.09.2016 21:20, rajeev nohria wrote:
> > Andreas,
> >
> > When using davici-
> > For the loading of private rsa keys, that has to be loaded like the
> > certificate?
> >
> > Thanks,
> > Rajeev
> >
> > On Thu, Sep 15, 2016 at 3:19 PM, rajeev nohria <rajnohria at gmail.com> wrote:
> >
> > Andreas,
> >
> > For the loading of private rsa keys, that has to be loaded like the
> > certificate?
> >
> > Thanks,
> > Rajeev
> >
> > On Thu, Aug 4, 2016 at 12:16 AM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
> >
> > Hi Rajeev,
> >
> > different to the stroke protocol and ipsec.conf where the filename
> > of the certificate gets transferred via the stroke socket and the
> > charon daemon loads the certificate, vici transfers the certificate
> > itself either as a binary DER or a base64-encoded PEM blob. Thus
> > your management application has to load the certificate and transfer
> > it over the vici socket using davici.
> >
> > Regards
> >
> > Andreas
> >
> > On 04.08.2016 05:03, rajeev nohria wrote:
> > > Thanks Andreas,
> > >
> > > It worked, I now started to implement in Davici. I had PSK working in
> > > Davici. With certificates, I am having the following issue during
> > > parse_certs().
> > >
> > > 09[LIB] file coded in unknown format, discarded
> > > 09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
> > >
> > >
> > >
> > > Corresponding code for Davici is
> > > davici_list_start(r, "certs");
> > > davici_list_itemf(r, "%s", "/usr/local/etc/swanctl/x509/hostCert.pem");
> > > davici_list_end(r);
> > >
> > >
> > > I have tried file name with and without path.
> > >
> > > certs = hostCert.pem worked in swanctl.conf as attached in previous email.
> > >
> > >
> > > Do you know what could be the issue here? Looks like the software is
> > > not able to recognize the pem format but again it worked when using the
> > > swanctl.conf file.
> > >
> > > Thanks,
> > > Rajeev
> > >
> > >
> > > On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
> > >
> > > Hi,
> > >
> > > according to your log, the initiator and responder create their
> > > own Root CA certificate and store it locally in
> > > /usr/local/etc/swanctl/x509ca. Therefore it is not surprising
> > > that no trust into the received host certificate can be established
> > > because it has been signed with the private key of a different
> > > root CA (although the Distinguished Name of the issuer is the same).
> > >
> > > Fix: Generate only one private key and matching self-signed
> > > Root CA certificate. Use the private Root CA key to sign both
> > > initiator and responder host certificates and deploy the Root CA
> > > certificate on both hosts.
> > >
> > > Best regards
> > >
> > > Andreas
> > >
> > > On 01.08.2016 21:24, rajeev nohria wrote:
> > > >
> > > > I was able to establish IKE connection using PSK but when using pubkey I
> > > > am not able to establish the IKE connection.
> > > >
> > > > When I issue sudo swanctl --initiate --child net
> > > >
> > > >
> > > > At receptor, it returns the Auth_failed. Please see the swanctl.conf,
> > > > strongswan.conf and charon.log.
> > > >
> > > > Aug 1 12:09:21 12[CFG] <rw|1> no issuer certificate found for "C=US, ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
> > > > Aug 1 12:09:21 12[IKE] <rw|1> no trusted RSA public key found for '10.13.199.185'
> > > > Aug 1 12:09:21 12[IKE] <rw|1> peer supports MOBIKE
> > > > Aug 1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
> > > > Aug 1 12:09:21 12[ENC] <rw|1> order payloads in message
> > > > Aug 1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
> > > > Aug 1 12:09:21 12[ENC] <rw|1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > > >
> > > > I used following commands to create certificates.
> > > >
> > > > Initiator:
> > > > -----------
> > > >
> > > > sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/strongswanKey.pem
> > > >
> > > > sudo chmod 600 /usr/local/etc/swanctl/rsa/strongswanKey.pem
> > > >
> > > > sudo ipsec pki --self --ca --in /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US, ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> > > >
> > > > sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> > > >
> > > > sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/hostKey.pem
> > > >
> > > > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
> > > >
> > > > sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type rsa | ipsec pki --issue --digest sha256 --cacert /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA, L=Lowell, O=Arris, CN=10.13.199.185" --san 10.13.199.185 --outform pem > /usr/local/etc/swanctl/x509/hostCert.pem
> > > >
> > > >
> > > > Receptor:
> > > > --------------
> > > >
> > > > sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/strongswanKey.pem
> > > >
> > > > sudo chmod 600 /usr/local/etc/swanctl/rsa/strongswanKey.pem
> > > >
> > > > sudo ipsec pki --self --ca --in /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US, ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> > > >
> > > > sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> > > >
> > > > sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/hostKey.pem
> > > >
> > > > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
> > > >
> > > > sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type rsa | ipsec pki --issue --digest sha256 --cacert /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA, L=Lowell, O=Arris, CN=10.13.199.130" --san 10.13.199.130 --outform pem > /usr/local/etc/swanctl/x509/hostCert.pem
> >
> > ======================================================================
> > Andreas Steffen                         andreas.steffen at strongswan.org
> > strongSwan - the Open Source VPN Solution!          www.strongswan.org
> > Institute for Internet Technologies and Applications
> > University of Applied Sciences Rapperswil
> > CH-8640 Rapperswil (Switzerland)
> > ===========================================================[ITA-HSR]==
> >
> >
> >
>
> --
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
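Andreas' point in the Aug 4 reply (VICI carries the certificate bytes, not a filename, so the "file coded in unknown format" log is charon trying to parse the path string as a certificate) as an added example in C; this is not code from the thread, strongSwan or davici. The management tool reads the file, checks that the blob really is PEM or DER, and only then hands it to davici; the davici_list_start/davici_list_item/davici_list_end names are assumed from davici.h and HAVE_DAVICI is an assumed build define, the rest is standard C.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum cert_format { CERT_UNKNOWN, CERT_PEM, CERT_DER };

/* Sniff a loaded blob: PEM starts with "-----BEGIN", DER X.509 with a SEQUENCE
 * tag (0x30). A path string matches neither: that is the "unknown format" log. */
enum cert_format cert_blob_format(const unsigned char *buf, size_t len)
{
    if (len >= 10 && memcmp(buf, "-----BEGIN", 10) == 0)
        return CERT_PEM;
    if (len >= 2 && buf[0] == 0x30)
        return CERT_DER;
    return CERT_UNKNOWN;
}

/* Read the whole file into memory: under VICI this is the management tool's
 * job, charon never sees the path. Returns NULL on error; caller frees. */
unsigned char *read_cert_file(const char *path, size_t *len)
{
    FILE *f = fopen(path, "rb");
    unsigned char *buf = NULL;
    long size;
    if (!f) return NULL;
    if (fseek(f, 0, SEEK_END) == 0 && (size = ftell(f)) > 0 &&
        fseek(f, 0, SEEK_SET) == 0 && (buf = malloc((size_t)size)) != NULL &&
        fread(buf, 1, (size_t)size, f) == (size_t)size) {
        *len = (size_t)size;
    } else {
        free(buf);
        buf = NULL;
    }
    fclose(f);
    return buf;
}

#ifdef HAVE_DAVICI /* assumed build define; davici_* names are from davici.h */
#include <davici.h>
/* Append the blob as a "certs" list item. DER may contain NUL bytes, so pass an
 * explicit length with davici_list_item() instead of davici_list_itemf("%s"). */
int add_cert_blob(struct davici_request *r, const unsigned char *buf, size_t len)
{
    if (cert_blob_format(buf, len) == CERT_UNKNOWN) return -1;
    davici_list_start(r, "certs");
    davici_list_item(r, buf, (unsigned int)len);
    davici_list_end(r);
    return 0;
}
#endif
```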