[strongSwan] Config Not Loaded

Info infosec at quantum-equities.com
Mon Mar 19 22:58:02 CET 2018


On 03/19/2018 11:16 AM, Info wrote:
> On 03/19/2018 10:45 AM, Tobias Brunner wrote:
>> Hi,
>>
>>> I've made its cert with --san quantum-equities.com,cygnus.darkmatter.org, because the LAN gateway is known outside as quantum-equities.com and the IPSec gateway is known in the LAN as cygnus.darkmatter.org.
>> That syntax is not valid.  Just use --san multiple times for each SAN
>> (as the man page for pki --issue indicates).
> Thanks, I'll redo the certs again.
>
>>> I also tried to set --dn "C=US, O=Quantum, CN=quantum-equities.com,cygnus.darkmatter.org" -- but strongswan pki wasn't having it so I had to settle for just quantum-equities.com.
>> That's because commas separate RDNs (and `cygnus.darkmatter.org` is no
>> proper RDN) and strongSwan's DN string parser does not support
>> multi-value RDNs.
> It sounds like I can't use multiple --dn's.  When my gateway must
> validate with machines inside the LAN (as cygnus.darkmatter.org) and
> outside (as quantum-equities.com), how can it prove that it's the
> right machine if not DNS resolvable by checking CN=? 
>
> And how does the phone prove it is who it is in the Android app when
> its IP changes and is not resolvable?  The responder has to take its
> word for it since it has the private key?  If so, why is --san and
> --dn required?
>
>>> # swanctl -L
>>> # swanctl -l
>>> (no response, for some reason)
>> Yes, and that reason is:  No config has been loaded.  Did you run
>> swanctl --load-conns (-c) or --load-all (-q)?
> I haven't mentioned this, but I'm running CentOS7 which handles this
> in systemd:
> ExecStart=/usr/sbin/charon-systemd
> ExecStartPost=/usr/sbin/swanctl --load-all --noprompt
>
> ... and yet I still have nothing with
> # swanctl -L
> # swanctl -l
>
> Maybe this is the core of my problem with this horrid "NO_PROPOSAL_CHOSEN" in swanctl.  That for some reason configs are not getting loaded?
>
> No idea how to chase this down.

Even with the daemon started with systemd, I loaded manually.

# swanctl --load-all
loaded certificate from '/etc/strongswan/swanctl/x509/mars-Cert.pem'
loaded certificate from '/etc/strongswan/swanctl/x509/sirius-Cert.pem'
loaded certificate from '/etc/strongswan/swanctl/x509/gemini-Cert.pem'
loaded certificate from '/etc/strongswan/swanctl/x509/centauri-Cert.pem'
loaded certificate from '/etc/strongswan/swanctl/x509ca/cygnus-CAcert.pem'
loaded rsa key from '/etc/strongswan/swanctl/private/mars-Key.pem'
no authorities found, 0 unloaded
no pools found, 0 unloaded
no connections found, 0 unloaded
# swanctl -L
# swanctl -l

Log is attached.  Nothing.  swanctl -L is to "list loaded
configurations" but I get nothing.  This would be why the remote phone
cannot connect and finds no matching configs.  There is nothing related
in journalctl, and nothing in charon.log as per the attached.

swanctl has no verbose mode, so I can't get more detail.  It doesn't
seem to be recognizing my CA cert in x509ca as authoritative.  SELinux
is turned off.  Since this IPSec gateway can't load its config it can't
work with any remote device.  Is this a RedHat bug?
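The --load-all output above reports "no connections found", which is exactly what an empty "swanctl -L" reflects: swanctl only lists what a connections section defines. As an added example (not from this thread or the strongSwan project), a minimal /etc/strongswan/swanctl/swanctl.conf for this gateway that --load-all would pick up, assuming mars-Cert.pem/mars-Key.pem are the gateway's own cert and key (the only private key loaded above), the gateway identity is its quantum-equities.com SAN, and the phone authenticates with a certificate issued by the same CA; the connection, child and pool names are hypothetical.

```conf
# /etc/strongswan/swanctl/swanctl.conf (added example, not the poster's file)
# Certificate file names resolve relative to /etc/strongswan/swanctl/x509,
# the directory the --load-all output above loads from.
connections {
    rw {
        # responder for the phone: accept IKE from any address, so the
        # phone's changing, non-resolvable IP is irrelevant
        local_addrs  = %any
        remote_addrs = %any
        version = 2
        # proposals/esp_proposals left at defaults; a value the phone does
        # not offer is what makes charon answer NO_PROPOSAL_CHOSEN

        local {
            auth  = pubkey
            certs = mars-Cert.pem
            # must match a SAN (or the DN) in mars-Cert.pem, i.e. one of
            # the --san values the cert was issued with
            id    = quantum-equities.com
        }
        remote {
            # the phone proves its identity by signing with the private key
            # of a cert that chains to x509ca/cygnus-CAcert.pem; its IDi is
            # then checked against that cert's SAN/DN, not against DNS
            auth = pubkey
            id   = %any
        }
        children {
            net {
                # tunnel everything from the phone through the gateway
                local_ts = 0.0.0.0/0
            }
        }
        pools = rw_pool
    }
}

pools {
    rw_pool {
        # virtual addresses handed out to the phone (constructed range)
        addrs = 10.10.10.0/24
    }
}
```

With this file in place, "swanctl --load-all" should additionally print "loaded connection 'rw'" and "loaded pool 'rw_pool'", and "swanctl -L" then lists the connection; if it still prints "no connections found", charon-systemd is reading a different swanctl directory than the one the file was written to.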


