[strongSwan] charon and unbound

Modster, Anthony Anthony.Modster at Teledyne.com
Tue Apr 21 19:37:28 CEST 2020


Hello

I am not seeing unbound being used by charon for OCSP or CRL; the log file does not show an attempt to start unbound.

Attached is the log file, and below are configuration and events.

What should I check for?

I am using the default configuration of charon (which is):

strongswan unbound configuration
  charon.plugins.unbound.resolv_conf
    /etc/resolv.conf (default path)
    Currently this is present and empty on the COMM+
  charon.plugins.unbound.trust_anchors
    /etc/ipsec.d/dnssec.keys (default path)
    copy the keys file from previous tests to the COMM+
    File to read DNSSEC trust anchors from (usually root zone KSK).
    The format of the file is the standard DNS Zone file format; anchors can be stored as DS or DNSKEY entries in the file.

charon [info] 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 2.6.32.46.cge-TDY711999J-2E.12MAR2020+, mips64)

charon [info] 00[LIB] loaded plugins: charon unbound ldap aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ntru drbg curl files attr kernel-netlink resolve socket-default vici updown eap-identity eap-mschapv2 eap-dynamic eap-radius eap-tls eap-peap xauth-generic xauth-eap error-notify counters

charon [info] 12[CFG]   requesting ocsp status from 'http://www.carillon.ca/sha2-ocsp' ...
charon [info] 12[LIB] libcurl request failed [6]: Couldn't resolve host 'www.carillon.ca'
charon [info] 12[CFG] ocsp request to http://www.carillon.ca/sha2-ocsp failed
charon [info] 12[CFG] ocsp check failed, fallback to crl
charon [info] 12[CFG]   fetching crl from 'http://www.carillon.ca/caops/test-signca2-crl.crl' ...
charon [info] 12[LIB] libcurl request failed [6]: Couldn't resolve host 'www.carillon.ca'
charon [info] 12[CFG] crl fetching failed
charon [info] 12[CFG] certificate status is not available
charon [info] 12[CFG]   certificate "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test SCA 2" key: 2048 bit RSA
charon [info] 12[CFG]   using trusted ca certificate "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test Root CA"
charon [info] 12[CFG] checking certificate status of "C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test SCA 2"
charon [info] 12[CFG] ocsp check skipped, no ocsp found
charon [info] 12[CFG]   fetching crl from 'http://www.carillon.ca/caops/TEST-cisRCA1.crl' ...
charon [info] 12[LIB] libcurl request failed [6]: Couldn't resolve host 'www.carillon.ca'
charon [info] 12[CFG] crl fetching failed
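
A small triage script for charon logs of the kind quoted above, added here as an example and not part of the original post or of strongSwan itself. It separates "Couldn't resolve host" (libcurl error 6, a resolver problem on the host) from any other OCSP/CRL fetch failure, and counts the "certificate status is not available" events that result. The sample lines are constructed from the post's own output.

```python
import re
from collections import Counter

# Constructed sample in the shape of the charon [CFG]/[LIB] lines quoted in the post.
SAMPLE_LOG = """\
charon [info] 12[CFG]   requesting ocsp status from 'http://www.carillon.ca/sha2-ocsp' ...
charon [info] 12[LIB] libcurl request failed [6]: Couldn't resolve host 'www.carillon.ca'
charon [info] 12[CFG] ocsp request to http://www.carillon.ca/sha2-ocsp failed
charon [info] 12[CFG] ocsp check failed, fallback to crl
charon [info] 12[CFG]   fetching crl from 'http://www.carillon.ca/caops/test-signca2-crl.crl' ...
charon [info] 12[LIB] libcurl request failed [6]: Couldn't resolve host 'www.carillon.ca'
charon [info] 12[CFG] crl fetching failed
charon [info] 12[CFG] certificate status is not available
charon [info] 12[CFG] checking certificate status of "C=US, O=Example, CN=TDY Test SCA 2"
charon [info] 12[CFG] ocsp check skipped, no ocsp found
charon [info] 12[CFG]   fetching crl from 'http://www.carillon.ca/caops/TEST-cisRCA1.crl' ...
charon [info] 12[LIB] libcurl request failed [6]: Couldn't resolve host 'www.carillon.ca'
charon [info] 12[CFG] crl fetching failed
"""

# libcurl error 6 = CURLE_COULDNT_RESOLVE_HOST: DNS, not the CA's responder, failed.
RESOLVE_RE = re.compile(r"libcurl request failed \[6\]: Couldn't resolve host '([^']+)'")
OCSP_FAIL_RE = re.compile(r"ocsp request to (\S+) failed")
CRL_FETCH_RE = re.compile(r"fetching crl from '([^']+)'")
STATUS_UNAVAILABLE = "certificate status is not available"

def triage(log_text):
    """Summarise revocation-check failures found in charon log text."""
    unresolved = Counter()      # host -> number of failed resolutions
    ocsp_failed = []            # OCSP responder URLs whose request failed
    crl_attempted = []          # CRL URLs charon tried to fetch
    crl_failed = 0
    status_unavailable = 0      # certificates left without any revocation status
    for line in log_text.splitlines():
        if m := RESOLVE_RE.search(line):
            unresolved[m.group(1)] += 1
        elif m := OCSP_FAIL_RE.search(line):
            ocsp_failed.append(m.group(1))
        elif m := CRL_FETCH_RE.search(line):
            crl_attempted.append(m.group(1))
        elif "crl fetching failed" in line:
            crl_failed += 1
        elif STATUS_UNAVAILABLE in line:
            status_unavailable += 1
    return {
        "unresolved_hosts": dict(unresolved),
        "ocsp_failed": ocsp_failed,
        "crl_attempted": crl_attempted,
        "crl_failed": crl_failed,
        "status_unavailable": status_unavailable,
        # True when every fetch failure is explained by a DNS failure: look at the
        # host's resolver setup (e.g. an empty /etc/resolv.conf) before the CA.
        "dns_only": sum(unresolved.values()) == len(ocsp_failed) + crl_failed,
    }
```

Run it over a full security-charon.log to see whether a non-DNS fetch failure is hiding behind the resolver errors.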


-------------- next part --------------
A non-text attachment was scrubbed...
Name: security-charon.log
Type: application/octet-stream
Size: 61937 bytes
Desc: security-charon.log
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200421/ad82a7a9/attachment-0001.obj>