[strongSwan] Strongswan 5.4 issue using certificates
rajeev nohria
rajnohria at gmail.com
Wed Oct 5 20:51:41 CEST 2016
I am all set after adding libatomic.so.1 in lib directory.
On Tue, Oct 4, 2016 at 3:05 PM, rajeev nohria <rajnohria at gmail.com> wrote:
> Andreas,
>
> Thank you for all your help. I have compiled the Strongswan with
> petalinux. Whenever I run the charon I get the following error. Is there
> any flag I can add in makefile to get this fixed?
>
> #charon
> charon: error while loading shared libraries: libatomic.so.1: cannot open
> shared object file: No such file or directory
>
> Thanks,
> Rajeev
>
>
> On Fri, Sep 16, 2016 at 4:33 AM, Andreas Steffen <
> andreas.steffen at strongswan.org> wrote:
>
>> Hi Rajeev,
>>
>> yes, you have to load the private key file in your management tool
>> and transfer it via the VICI interface as a binary blob.
>>
>> Regards
>>
>> Andreas
>>
>> On 15.09.2016 21:20, rajeev nohria wrote:
>> > Andreas,
>> >
>> > When using davici:
>> > For the loading of private rsa keys, that has to be loaded like the
>> > certificate?
>> >
>> > Thanks,
>> > Rajeev
>> >
>> > On Thu, Sep 15, 2016 at 3:19 PM, rajeev nohria <rajnohria at gmail.com> wrote:
>> >
>> > Andreas,
>> >
>> > For the loading of private rsa keys, that has to be loaded like the
>> > certificate?
>> >
>> > Thanks,
>> > Rajeev
>> >
>> > On Thu, Aug 4, 2016 at 12:16 AM, Andreas Steffen
>> > <andreas.steffen at strongswan.org> wrote:
>> >
>> > Hi Rajeev,
>> >
>> > different to the stroke protocol and ipsec.conf where the filename
>> > of the certificate gets transferred via the stroke socket and the
>> > charon daemon loads the certificate, vici transfers the certificate
>> > itself either as a binary DER or a base64-encoded PEM blob. Thus
>> > your management application has to load the certificate and transfer
>> > it over the vici socket using davici.
>> >
>> > Regards
>> >
>> > Andreas
>> >
>> > On 04.08.2016 05:03, rajeev nohria wrote:
>> > > Thanks Andreas,
>> > >
>> > > It worked, I now started to implement in Davici. I had PSK working in
>> > > Davici. With certificates, I am having following issue during
>> > > parse_certs().
>> > >
>> > > 09[LIB] file coded in unknown format, discarded
>> > > 09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
>> > >
>> > > Corresponding code for Davici is
>> > > davici_list_start(r,"certs");
>> > > davici_list_itemf(r,"%s","/usr/local/etc/swanctl/x509/hostCert.pem");
>> > > davici_list_end(r);
>> > >
>> > > I have tried file name with and without path.
>> > >
>> > > certs = hostCert.pem worked in swanctl.conf as attached in previous email.
>> > >
>> > > Do you know what could be issue here? Looks like software is not able to
>> > > recognize the pem format but again it worked when using swanctl.conf file.
>> > >
>> > > Thanks,
>> > > Rajeev
>> > >
>> > >
>> > > On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen
>> > > <andreas.steffen at strongswan.org> wrote:
>> > >
>> > > Hi,
>> > >
>> > > according to your log, the initiator and responder create their
>> > > own Root CA certificate and store it locally in
>> > > /usr/local/etc/swanctl/x509ca. Therefore it is not surprising
>> > > that no trust into the received host certificate can be established
>> > > because it has been signed with the private key of a different
>> > > root CA (although the Distinguished Name of the issuer is the same).
>> > >
>> > > Fix: Generate only one private key and matching self-signed
>> > > Root CA certificate. Use the private Root CA key to sign both
>> > > initiator and responder host certificates and deploy the Root CA
>> > > certificate on both hosts.
>> > >
>> > > Best regards
>> > >
>> > > Andreas
>> > >
>> > > On 01.08.2016 21:24, rajeev nohria wrote:
>> > > >
>> > > > I was able to establish IKE connection using PSK but when using pubkey I
>> > > > am not able to establish the IKE connection.
>> > > >
>> > > > When I issue sudo swanctl --initiate --child net
>> > > >
>> > > > At receptor, it returns the Auth_failed. Please see the swanctl.conf,
>> > > > strongswan.conf and charon.log.
>> > > >
>> > > > Aug 1 12:09:21 12[CFG] <rw|1> no issuer certificate found for "C=US,
>> > > > ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
>> > > > Aug 1 12:09:21 12[IKE] <rw|1> no trusted RSA public key found for
>> > > > '10.13.199.185'
>> > > > Aug 1 12:09:21 12[IKE] <rw|1> peer supports MOBIKE
>> > > > Aug 1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
>> > > > Aug 1 12:09:21 12[ENC] <rw|1> order payloads in message
>> > > > Aug 1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
>> > > > Aug 1 12:09:21 12[ENC] <rw|1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> > > >
>> > > > I used following commands to create certificates.
>> > > >
>> > > > Initiator:
>> > > > -----------
>> > > >
>> > > > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
>> > > > /usr/local/etc/swanctl/rsa/strongswanKey.pem
>> > > >
>> > > > sudo chmod 600 /usr/local/etc/swanctl/rsa/strongswanKey.pem
>> > > >
>> > > > sudo ipsec pki --self --ca --in
>> > > > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
>> > > > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
>> > > > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>> > > >
>> > > > sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>> > > >
>> > > > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
>> > > > /usr/local/etc/swanctl/rsa/hostKey.pem
>> > > >
>> > > > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
>> > > >
>> > > > sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type
>> > > > rsa | ipsec pki --issue --digest sha256 --cacert
>> > > > /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
>> > > > /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA,
>> > > > L=Lowell, O=Arris, CN=10.13.199.185" --san 10.13.199.185 --outform pem >
>> > > > /usr/local/etc/swanctl/x509/hostCert.pem
>> > > >
>> > > > Receptor:
>> > > > --------------
>> > > >
>> > > > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
>> > > > /usr/local/etc/swanctl/rsa/strongswanKey.pem
>> > > >
>> > > > sudo chmod 600 /usr/local/etc/swanctl/rsa/strongswanKey.pem
>> > > >
>> > > > sudo ipsec pki --self --ca --in
>> > > > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
>> > > > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
>> > > > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>> > > >
>> > > > sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>> > > >
>> > > > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
>> > > > /usr/local/etc/swanctl/rsa/hostKey.pem
>> > > >
>> > > > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
>> > > >
>> > > > sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type
>> > > > rsa | ipsec pki --issue --digest sha256 --cacert
>> > > > /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
>> > > > /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA,
>> > > > L=Lowell, O=Arris, CN=10.13.199.130" --san 10.13.199.130 --outform pem >
>> > > > /usr/local/etc/swanctl/x509/hostCert.pem
>> >
>> > ======================================================================
>> > Andreas Steffen                         andreas.steffen at strongswan.org
>> > strongSwan - the Open Source VPN Solution!          www.strongswan.org
>> > Institute for Internet Technologies and Applications
>> > University of Applied Sciences Rapperswil
>> > CH-8640 Rapperswil (Switzerland)
>> > ===========================================================[ITA-HSR]==
>> >
>> >
>> >
>>
>
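The point Andreas makes in the thread (vici carries the certificate or private key itself as a PEM or DER blob, not a file name, so the management application has to read the file first) as an added example; this is not code from the thread, from davici or from strongSwan. It frames raw `load-cert` and `load-key` requests in the vici wire format described in strongSwan's vici protocol documentation, and refuses a path string as the data value, which is what triggered the "file coded in unknown format" error above. `SAMPLE_PEM` is a constructed placeholder (a 5-byte DER SEQUENCE), not a real certificate.

```python
import base64
import struct

# vici wire-format constants (values from the strongSwan vici protocol spec).
CMD_REQUEST = 0   # packet type for a command request
KEY_VALUE = 3     # message element: key = value

# Constructed placeholder PEM (a 5-byte DER SEQUENCE), NOT a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQU=\n"
    "-----END CERTIFICATE-----\n"
)

def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body."""
    body = [ln.strip() for ln in pem_text.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    if not body:
        raise ValueError("no PEM body found")
    return base64.b64decode("".join(body), validate=True)

def looks_like_credential(blob: bytes) -> bool:
    """charon's builders accept PEM or DER; a file name is neither, which is
    exactly what produces 'file coded in unknown format, discarded'."""
    return blob.startswith(b"-----BEGIN") or blob[:1] == b"\x30"

def _kv(name: str, value: bytes) -> bytes:
    """KEY_VALUE element: type byte, 1-byte name length, name, 2-byte value length, value."""
    n = name.encode()   # struct raises if the value exceeds the 16-bit length field
    return struct.pack("!BB", KEY_VALUE, len(n)) + n + struct.pack("!H", len(value)) + value

def vici_request(command: str, fields: dict) -> bytes:
    """Frame a CMD_REQUEST packet: 4-byte length, type, 1-byte name length, name, message."""
    name = command.encode()
    payload = struct.pack("!BB", CMD_REQUEST, len(name)) + name
    payload += b"".join(_kv(k, v) for k, v in fields.items())
    return struct.pack("!I", len(payload)) + payload

def load_cert_request(blob: bytes, ca: bool = False) -> bytes:
    """Build 'load-cert' with the certificate itself as the data value."""
    if not looks_like_credential(blob):
        raise ValueError("data must be the PEM/DER blob, not the file name")
    return vici_request("load-cert", {"type": b"X509", "flag": b"CA" if ca else b"NONE", "data": blob})

def load_key_request(blob: bytes, key_type: bytes = b"RSA") -> bytes:
    """Build 'load-key'; private keys travel the same way as certificates."""
    if not looks_like_credential(blob):
        raise ValueError("data must be the PEM/DER blob, not the file name")
    return vici_request("load-key", {"type": key_type, "data": blob})
```

The returned bytes are what goes onto the vici UNIX socket; with davici the same `data` key is set from the file contents rather than from the path passed to `davici_list_itemf()` in the message above.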