[strongSwan] help with ext-auth plugin

Andreas Steffen andreas.steffen at strongswan.org
Sat Aug 4 13:10:21 CEST 2018


Hello Amit,

your log says:

00[CFG] no script for ext-auth script defined, disabled

The ext-auth plugin description

  https://wiki.strongswan.org/projects/strongswan/wiki/Ext-auth

or man strongswan.conf

  charon.plugins.ext-auth.script []
     Command to pass to the system shell for peer authorization.
     Authorization is considered successful if the command executes
     normally with an exit code of zero. For all other exit codes
     IKE_SA authorization is rejected.

    The following environment variables get passed to the script:
       IKE_UNIQUE_ID: The IKE_SA numerical unique identifier.
       IKE_NAME: The peer configuration connection name.
       IKE_LOCAL_HOST: Local IKE IP address.
       IKE_REMOTE_HOST: Remote IKE IP address.
       IKE_LOCAL_ID: Local IKE identity.
       IKE_REMOTE_ID: Remote IKE identity.
       IKE_REMOTE_EAP_ID: Remote EAP or XAuth identity, if used.

Thus you have to define an authentication script in strongswan.conf:

charon {
   plugins {
      ext-auth {
         script = <path to authentication script>
      }
   }
}

Regards

Andreas

On 02.08.2018 18:55, Amit Priyadarshi wrote:
> 
> Hello Strongswan experts,
> 
> I am a strongswan rookie and need some expert advice here.
> I am trying to configure strongswan to use an external auth script.
> I followed the steps below.
> 
> root at ampriyad-Inspiron-3558:/home/ampriyad/strongswan/strongswan-5.6.3#
> ./configure --enable-ext-auth
> 
> Then I went ahead and did a
> make followed by
> make install.
> When I launched ipsec I got the run logs below.
> Note that the plugin "ext-auth" did not get loaded.
> 
> root at ampriyad-Inspiron-3558:/home/ampriyad/strongswan/strongswan-5.6.3#
> ipsec start --debug-all --nofork
> Starting strongSwan 5.6.3 IPsec [starter]...
> Loading config setup
> found netkey IPsec stack
> Attempting to start charon...
> 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux
> 4.15.0-29-generic, x86_64)
> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from
> '/usr/local/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> 00[CFG] no script for ext-auth script defined, disabled
> 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random
> nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
> dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr
> kernel-netlink resolve socket-default stroke vici updown xauth-generic
> counters
> 00[JOB] spawning 16 worker threads
> 
> Please guide me on what I missed.
> 
> -- 
> Regards,
> Amit Priyadarshi
> 

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
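The contract described in the reply above (charon runs the configured script through the system shell, hands it the IKE_* environment variables, and treats exit code 0 as "authorized" and anything else as "rejected") is easy to get wrong in the failure cases: an empty identity or a missing policy file must reject, not authorize. The following is an added example of such a script, written for this thread; it is not code from strongSwan or from either poster. The allowlist path, the EXT_AUTH_ALLOWLIST override and the identities are assumptions/placeholders, and the script fails closed whenever the identity is empty or the allowlist cannot be read.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal ext-auth script for
# charon.plugins.ext-auth.script. charon runs it via the system shell with
# IKE_UNIQUE_ID, IKE_NAME, IKE_LOCAL_HOST, IKE_REMOTE_HOST, IKE_LOCAL_ID,
# IKE_REMOTE_ID and IKE_REMOTE_EAP_ID in the environment; exit 0 authorizes
# the IKE_SA, any other exit code rejects it.
#
# Assumed path (placeholder, not from the original post): one permitted
# identity per line, matched exactly.
ALLOWLIST="${EXT_AUTH_ALLOWLIST:-/etc/ipsec.d/ext-auth-allowed-ids}"

# authorize_id ID FILE -> 0 if ID appears as a complete line in FILE,
# 1 otherwise. Empty ID or unreadable FILE both fail closed.
authorize_id() {
    id="$1"; file="$2"
    [ -n "$id" ] || return 1       # never authorize an empty identity
    [ -r "$file" ] || return 1     # missing/unreadable allowlist rejects
    # -F: literal match, -x: whole line, -q: quiet, --: ids may start with '-'
    grep -Fxq -- "$id" "$file"
}

# pick_peer_id EAP_ID IKE_ID -> the identity to authorize: the EAP/XAuth
# identity when one was used, otherwise the IKE identity.
pick_peer_id() {
    if [ -n "$1" ]; then printf '%s\n' "$1"; else printf '%s\n' "$2"; fi
}

# Only decide when actually invoked by charon (IKE_UNIQUE_ID is set), so the
# functions above can also be exercised on their own.
if [ -n "${IKE_UNIQUE_ID:-}" ]; then
    peer="$(pick_peer_id "${IKE_REMOTE_EAP_ID:-}" "${IKE_REMOTE_ID:-}")"
    if authorize_id "$peer" "$ALLOWLIST"; then
        logger -t ext-auth "IKE_SA $IKE_UNIQUE_ID ($IKE_NAME): authorized '$peer' from $IKE_REMOTE_HOST"
        exit 0
    else
        logger -t ext-auth "IKE_SA $IKE_UNIQUE_ID ($IKE_NAME): rejected '$peer' from $IKE_REMOTE_HOST"
        exit 1
    fi
fi
```

Install it at the path given as `script =` in the strongswan.conf snippet above, make it executable and readable only by the user charon runs as, and keep the allowlist outside any web-served or world-writable directory; the log line is what you would watch in syslog to confirm the script is being invoked at all, which is the first thing Amit's log shows is not happening.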
