[strongSwan] Strongswan 5.4 issue using certificates

rajeev nohria rajnohria at gmail.com
Tue Oct 4 21:05:46 CEST 2016


Andreas,

Thank you for all your help.  I have compiled the Strongswan with petalinux
.  Whenever I run the charon I get the following error. Is there any flag I
can add in makefile to get this fixed?

#charon
charon: error while loading shared libraries: libatomic.so.1: cannot open
shared object file: No such file or directory

Thanks,
Rajeev


On Fri, Sep 16, 2016 at 4:33 AM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hi Rajeev,
>
> yes, you have to load the private key file in your management tool
> and transfer it via the VICI interface as a binary blob.
>
> Regards
>
> Andreas
>
> On 15.09.2016 21:20, rajeev nohria wrote:
> > Anderas,
> >
> > When using davici-
> > For the loading of private rsa keys, that has to be loaded like the
> > certificate?
> >
> > Thanks,
> > Rajeev
> >
> > On Thu, Sep 15, 2016 at 3:19 PM, rajeev nohria <rajnohria at gmail.com
> > <mailto:rajnohria at gmail.com>> wrote:
> >
> >     Anderas,
> >
> >     For the loading of private rsa keys, that has to be loaded like the
> >     certificate?
> >
> >     Thanks,
> >     Rajeev
> >
> >     On Thu, Aug 4, 2016 at 12:16 AM, Andreas Steffen
> >     <andreas.steffen at strongswan.org
> >     <mailto:andreas.steffen at strongswan.org>> wrote:
> >
> >         Hi Rajeev,
> >
> >         different to the stroke protocol and ipsec.conf where the
> filename
> >         of the certificate gets transferred via the stroke socket and the
> >         charon daemon loads the certificate, vici transfers the
> certificate
> >         itself either as a binary DER or a base64-endocded PEM blob. Thus
> >         your management application has to load the certificate and
> transfer
> >         it over the vici socket using davici.
> >
> >         Regards
> >
> >         Andreas
> >
> >         On 04.08.2016 05:03, rajeev nohria wrote:
> >         > Thanks Andreas,
> >         >
> >         > It worked, I know started to implement in Davici. I had PSK
> working in
> >         > Davici. With certificates, I am having  following issue during
> >         > parse_certs().
> >         >
> >         > 09[LIB]   file coded in unknown format, discarded
> >         > 09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4
> builders
> >         >
> >         >
> >         >
> >         > Corresponding code is for Davici is
> >         >         davici_list_start(r,"certs");
> >         >
> >         > davici_list_itemf(r,"%s","/usr/local/etc/swanctl/x509/
> hostCert.pem");
> >         >         davici_list_end(r);
> >         >
> >         >
> >         > I have tried file name with and without path.
> >         >
> >         > certs = hostCert.pem worked in swanctl.conf as attached in
> previous email.
> >         >
> >         >
> >         > Do you know what could be issue here? Looks like software is
> not able to
> >         > recognize the pem format but again it worked when using
> swanctl.conf file.
> >         >
> >         > Thanks,
> >         > Rajeev
> >         >
> >         >
> >         > On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen
> >         > <andreas.steffen at strongswan.org
> >         <mailto:andreas.steffen at strongswan.org>
> >         <mailto:andreas.steffen at strongswan.org
> >         <mailto:andreas.steffen at strongswan.org>>>
> >         > wrote:
> >         >
> >         >     Hi,
> >         >
> >         >     according to your log, the initiator and responder create
> >         their
> >         >     own Root CA certificate and store it locally in
> >         >     /usr/local/etc/swanctl/x509ca. Therefore it is not
> surprising
> >         >     that no trust into the received host certificate can be
> >         established
> >         >     because it has been signed with the private key of a
> different
> >         >     root CA (although the Distinguished Name of the issuer is
> >         the same).
> >         >
> >         >     Fix: Generate only one private key and matching self-signed
> >         >     Root CA certificate. Use the private Root CA key to sign
> both
> >         >     initiator and responder host certificates and deploy the
> >         Root CA
> >         >     certificate on both hosts.
> >         >
> >         >     Best regards
> >         >
> >         >     Andreas
> >         >
> >         >     On 01.08.2016 21:24, rajeev nohria wrote:
> >         >     >
> >         >     > I was able to establish IKE connection using PSK but
> >         when using pubkey I
> >         >     > am not able to able to establish the IKE connection.
> >         >     >
> >         >     > When I issue sudo swanctl --initiate --child net
> >         >     >
> >         >     >
> >         >     > At receptor, it returns the Auth_failed.  Please see the
> >         swanctl.conf,
> >         >     > strongswan.conf and charon.log.
> >         >     >
> >         >     > Aug  1 12:09:21 12[CFG] <rw|1> no issuer certificate
> >         found for "C=US,
> >         >     > ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
> >         >     > Aug  1 12:09:21 12[IKE] <rw|1> no trusted RSA public key
> >         found for
> >         >     > '10.13.199.185'
> >         >     > Aug  1 12:09:21 12[IKE] <rw|1> peer supports MOBIKE
> >         >     > Aug  1 12:09:21 12[ENC] <rw|1> added payload of type
> >         NOTIFY to message
> >         >     > Aug  1 12:09:21 12[ENC] <rw|1> order payloads in message
> >         >     > Aug  1 12:09:21 12[ENC] <rw|1> added payload of type
> >         NOTIFY to message
> >         >     > Aug  1 12:09:21 12[ENC] <rw|1> generating IKE_AUTH
> >         response 1 [
> >         >     > N(AUTH_FAILED) ]
> >         >     >
> >         >     > I used following commands to create certificates.
> >         >     >
> >         >     > *Initiator:*
> >         >     > -----------
> >         >     >
> >         >     > sudo ipsec pki --gen --type rsa --size 4096 --outform
> pem >
> >         >     > /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >         >     >
> >         >     >
> >         >     > sudo chmod 600  /usr/local/etc/swanctl/rsa/
> strongswanKey.pem
> >         >     >
> >         >     >
> >         >     > sudo ipsec pki --self --ca --in
> >         >     > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest
> >         sha256 --dn "C=US,
> >         >     > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> >         >     > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >         >     >
> >         >     >
> >         >     > sudo ipsec pki --print --in
> >         /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >         >     >
> >         >     >
> >         >     > sudo ipsec pki --gen --type rsa --size 4096 --outform
> pem >
> >         >     > /usr/local/etc/swanctl/rsa/hostKey.pem
> >         >     >
> >         >     >
> >         >     > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
> >         >     >
> >         >     >
> >         >     >
> >         >     > sudo ipsec pki --pub --in
> >         /usr/local/etc/swanctl/rsa/hostKey.pem --type
> >         >     > rsa | ipsec pki --issue --digest sha256 --cacert
> >         >     > /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
> >         >     > /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US,
> >         ST=MA,
> >         >     > L=Lowell, O=Arris, CN=10.13.199.185" --san
> >         10.13.199.185  pem >
> >         >     > /usr/local/etc/swanctl/x509/hostCert.pem
> >         >     >
> >         >     >
> >         >     > Receptor:
> >         >     > --------------
> >         >     > *
> >         >     > *
> >         >     > *sudo ipsec pki --gen --type rsa --size 4096 --outform
> pem >
> >         >     > /usr/local/etc/swanctl/rsa/strongswanKey.pem*
> >         >     > *
> >         >     > *
> >         >     > *sudo chmod 600
> >         /usr/local/etc/swanctl/rsa/strongswanKey.pem*
> >         >     > *
> >         >     > *
> >         >     > *sudo ipsec pki --self --ca --in
> >         >     > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest
> >         sha256 --dn "C=US,
> >         >     > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> >         >     > /usr/local/etc/swanctl/x509ca/strongswanCert.pem*
> >         >     > *
> >         >     > *
> >         >     > *sudo ipsec pki --print --in
> >         >     > /usr/local/etc/swanctl/x509ca/strongswanCert.pem*
> >         >     > *
> >         >     > *
> >         >     > *sudo ipsec pki --gen --type rsa --size 4096 --outform
> pem >
> >         >     > /usr/local/etc/swanctl/rsa/hostKey.pem*
> >         >     > *
> >         >     > *
> >         >     > *sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem*
> >         >     >
> >         >     > *sudo ipsec pki --pub --in
> >         /usr/local/etc/swanctl/rsa/hostKey.pem
> >         >     --type
> >         >     > rsa | ipsec pki --issue --digest sha256 --cacert
> >         >     > /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
> >         >     > /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US,
> >         ST=MA,
> >         >     > L=Lowell, O=Arris, CN=10.13.199.130" --san 10.13.199.130
> >         --outform pem >
> >         >     > /usr/local/etc/swanctl/x509/hostCert.pem*
> >
> >         ============================================================
> ==========
> >         Andreas Steffen
> >          andreas.steffen at strongswan.org
> >         <mailto:andreas.steffen at strongswan.org>
> >         strongSwan - the Open Source VPN Solution!
> >         www.strongswan.org <http://www.strongswan.org>
> >         Institute for Internet Technologies and Applications
> >         University of Applied Sciences Rapperswil
> >         CH-8640 Rapperswil (Switzerland)
> >         ===========================================================[
> ITA-HSR]==
> >
> >
> >
>
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20161004/e0fbdfcb/attachment-0001.html>


More information about the Users mailing list