
[strongSwan] No private key found for (Yeah, yeah again...)

Hello, Daniel.

Sorry for the delay and thanks for your answer.

"Now the certificate request can be signed by the CA with the command
openssl ca -in hostReq.pem -days 730 -out hostCert.pem -notext"

In my case:
openssl ca -policy policy_anything -in sw1Req.pem -days 730 -out sw1Cert.pem

But I still have the same problems...
Could you help me with a simple example of how to create certificates
without a CA?

You wrote on 31 March 2009, 17:38:13:

> Никоноров Григорий wrote:
>> I followed the quick installation guide http://www.strongswan.org/docs/readme42.htm#section_3
>> and created X.509 certificates with the command:
>> openssl req -x509 -days 1460 -newkey rsa:2048 -keyout sw1priKey.pem -out strongswanCert.pem
>> 
>> Then created the host certificate and signed certificate request by the CA
>> with the command:
>> openssl req -newkey rsa:1024 -keyout sw1hostKey.pem -out sw1Req.pem
>> 
>> That's all

> Is that the complete list? What I can see is:

> - You're creating a self-signed root CA. You save the private key for 

abhishek kumar | 1 Apr 08:58 2009

[strongSwan] success in host-host ikev2

Hello strongSwan team..

I have successfully established the host-host ikev2 connection.
I copied the strongswanCert.pem from
/opt/strongswan-4.2.11/testing/hosts/winnetou/etc/openssl/strongswanCert.pem
to /etc/pki/tls (where the configuration of openssl is kept),
and copied strongswanKey.pem from
/opt/strongswan-4.2.11/testing/hosts/winnetou/etc/openssl/strongswanKey.pem
to /etc/pki/tls/private.

Then we created the host's key and got the signature verified to create the host
certificate. [ But in this case we used the -nodes option in the openssl command
given in the README for creating hostKey.pem; by giving the -nodes option the
key will not have a password. ]

sun=abhishek;
moon=ishan;

I have a doubt here: when we started ipsec up host-host on the moon side, it was
not able to detect the sun peer, so we cancelled it with Ctrl+C. But when we did
the same command at sun it showed a successful connection. We repeated the same thing
from the sun side and got the same problem.

But anyway it's working. :)

-----------------------------------------------------------------------------
This is the moon side:
[root@ishan ishan]# ipsec start
Starting strongSwan 4.2.11 IPsec [starter]...
insmod /lib/modules/2.6.27.5-117.fc10.i686.PAE/kernel/net/key/af_key.ko


[strongSwan] No private key found for (Yeah, yeah again...)

Hello strongSwan team!

Problem solved.
It was solved by using the certificates from the example (moon and sun) and the config from the ikev2
host2host-transport example.

Daniel,

Please send me the complete list of commands to create the CA plus host
certificates.

Thanks in advance!

You wrote on 31 March 2009, 17:38:13:

> Никоноров Григорий wrote:
>> I followed the quick installation guide http://www.strongswan.org/docs/readme42.htm#section_3
>> and created X.509 certificates with the command:
>> openssl req -x509 -days 1460 -newkey rsa:2048 -keyout sw1priKey.pem -out strongswanCert.pem
>> 
>> Then created the host certificate and signed certificate request by the CA
>> with the command:
>> openssl req -newkey rsa:1024 -keyout sw1hostKey.pem -out sw1Req.pem
>> 
>> That's all

> Is that the complete list? What I can see is:

> - You're creating a self-signed root CA. You save the private key for 
> the CA in sw1priKey.pem and the CA certificate in strongswanCert.pem. 
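
The CA-plus-host-certificate procedure that both "No private key found" messages above ask about, written out as an added example. This is not code from the list posts, from Daniel's reply or from the strongSwan README. It assumes illustrative subject names (strongSwan Root CA, sun.strongswan.org), illustrative file names, and a hypothetical script name make_pki.sh. It deliberately signs the request with openssl x509 -req instead of openssl ca, which needs no [ca] section and no index.txt/serial database in openssl.cnf (the usual reason openssl ca -policy policy_anything fails on a fresh machine). It also puts a subjectAltName into the host certificate so that an FQDN identity such as @sun.strongswan.org can be matched against it, and it ends with the checks a practitioner wants before touching ipsec.conf: the chain verifies against the CA, the private key really belongs to the certificate, and the SAN is present.

```shell
#!/bin/sh
# Added example, not from the mailing-list posts or the strongSwan project:
# build a self-signed CA, a host key and CSR, sign the CSR with the CA,
# and verify the result. Subject and file names are illustrative assumptions.
set -eu

# make_pki DIR: writes strongswanKey.pem/strongswanCert.pem (the CA) and
# sunKey.pem/sunReq.pem/sunCert.pem (the host) into DIR.
# Prints "ok" and returns 0 when every check passes.
make_pki() {
    dir=$1
    mkdir -p "$dir"

    # 1. Self-signed root CA, valid four years. -nodes leaves the CA key
    #    unencrypted so the script runs non-interactively; a real CA key
    #    should be encrypted and kept off the VPN gateways.
    openssl req -x509 -nodes -newkey rsa:2048 -days 1460 \
        -subj "/C=CH/O=strongSwan/CN=strongSwan Root CA" \
        -keyout "$dir/strongswanKey.pem" -out "$dir/strongswanCert.pem" 2>/dev/null

    # 2. Host key plus certificate signing request. This step only produces
    #    a request; nothing has been signed by the CA yet.
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/C=CH/O=strongSwan/CN=sun.strongswan.org" \
        -keyout "$dir/sunKey.pem" -out "$dir/sunReq.pem" 2>/dev/null

    # 3. Sign the request with the CA key (two-year validity). The extension
    #    file adds a subjectAltName so an FQDN ID like @sun.strongswan.org
    #    can be matched against the certificate.
    printf 'subjectAltName=DNS:sun.strongswan.org\n' > "$dir/sun.ext"
    openssl x509 -req -days 730 -in "$dir/sunReq.pem" \
        -CA "$dir/strongswanCert.pem" -CAkey "$dir/strongswanKey.pem" \
        -CAcreateserial -extfile "$dir/sun.ext" -out "$dir/sunCert.pem" 2>/dev/null

    # 4. Checks: chain verifies, key matches certificate, SAN is present.
    openssl verify -CAfile "$dir/strongswanCert.pem" "$dir/sunCert.pem" >/dev/null
    key_mod=$(openssl rsa -noout -modulus -in "$dir/sunKey.pem" 2>/dev/null)
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/sunCert.pem")
    [ "$key_mod" = "$crt_mod" ] || { echo "host key does not match certificate" >&2; return 1; }
    openssl x509 -noout -text -in "$dir/sunCert.pem" | grep -q 'DNS:sun.strongswan.org' \
        || { echo "subjectAltName missing" >&2; return 1; }
    echo ok
}

# Stand-alone use: sh make_pki.sh /tmp/pki
if [ -n "${1:-}" ]; then
    make_pki "$1"
fi
```

After a successful run, strongswanCert.pem goes to /etc/ipsec.d/cacerts, sunCert.pem to /etc/ipsec.d/certs and sunKey.pem to /etc/ipsec.d/private on the sun host, with a matching ": RSA sunKey.pem" line in ipsec.secrets; the same three steps with a different CN produce the moon certificate.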


[strongSwan] no ipsec0 interface

Hello strongSwan team!

The problem of virtual interfaces is discussed here --> https://lists.strongswan.org/pipermail/users/2008-May/002435.html
The solution with leftfirewall=yes doesn't work. The option leftfirewall=yes is enabled on both gateways. Any
suggestions?

####ipsec.conf####

config setup
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        mobike=no
        keyexchange=ikev2
conn host-host
        leftfirewall=yes
        left=192.168.164.117
        leftcert=sunCert.pem
        leftid=@sun.strongswan.org
        right=192.168.164.116
        rightid=@moon.strongswan.org
        type=transport
        auto=add
--

-- 
Best regards,

Andreas Steffen | 1 Apr 16:43 2009

Re: [strongSwan] no ipsec0 interface

Hi,

I don't know what your actual problem is. Is the IPsec SA established
successfully? Can't you get any ESP traffic across? Do you have a
firewall? Do you have a static input and output iptables rule for
the ESP protocol?  Please give some details. Otherwise we cannot help
you.

Andreas

Никоноров Григорий wrote:
> Hello strongSwan team!
> 
> The problem of virtual interfaces is discussed here --> https://lists.strongswan.org/pipermail/users/2008-May/002435.html
> The solution with leftfirewall=yes doesn't work. The option leftfirewall=yes is enabled on both gateways. Any
> suggestions?
> 
> ####ipsec.conf####
> 
> config setup
>         crlcheckinterval=180
>         strictcrlpolicy=no
>         plutostart=no
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         mobike=no
>         keyexchange=ikev2

abhishek kumar | 5 Apr 11:27 2009

[strongSwan] apidoc

hello ..

Can I get all the links of "/apidoc" (www.strongswan.org/apidoc) in one folder
or something like that? This apidoc is a very organised way of learning about
strongSwan.

antonio quisillo | 6 Apr 09:05 2009

[strongSwan] mobike

Hi all,
I have a problem. I have been trying to use MobIKE in order to simulate a
mobile scenario: I create two wireless nets with two SSIDs (net A and net B);
the Initiator has only one wireless interface (ath0) and moves from net B to
net A. In order to send an HTTP request to the YouTube.com server, the Initiator
contacts the Responder gateway. So far everything goes well: the Initiator sets
up a tunnel to the Responder and receives a response from the server. But
when the Initiator switches from net B to net A while it is receiving a video
stream, the connection goes down.

Why does this happen? How can I resolve it? Why can't I use an Initiator with only
one interface?

This is the daemon log from the Initiator:

Apr  6 08:34:35 csp-laptop charon: 01[DMN] starting charon (strongSwan
Version 4.2.12)
Apr  6 08:34:35 csp-laptop charon: 01[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Apr  6 08:34:35 csp-laptop charon: 01[LIB]   loaded certificate file
'/etc/ipsec.d/cacerts/testCaCert.pem'
Apr  6 08:34:35 csp-laptop charon: 01[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Apr  6 08:34:35 csp-laptop charon: 01[CFG] loading ocsp signer certificates
from '/etc/ipsec.d/ocspcerts'
Apr  6 08:34:35 csp-laptop charon: 01[CFG] loading attribute certificates
from '/etc/ipsec.d/acerts'
Apr  6 08:34:35 csp-laptop charon: 01[CFG] loading crls from
'/etc/ipsec.d/crls'
Apr  6 08:34:35 csp-laptop charon: 01[CFG] loading secrets from

Martin Willi | 6 Apr 09:44 2009

Re: [strongSwan] apidoc

Hi,

> can i get whole links of "/apidoc" (www.strongswan.org/apidoc) in one folder
> or something like that. 

There is a make target that allows you to build the apidoc from sources.
Running "make apidoc" in configured sources will build the apidoc folder
(you'll need Doxygen installed).

Regards
Martin

Martin Willi | 6 Apr 10:04 2009

Re: [strongSwan] mobike

Hi,

> Apr  6 08:36:57 csp-laptop charon: 17[IKE] requesting address change using
> MOBIKE
> Apr  6 08:36:57 csp-laptop charon: 17[ENC] generating INFORMATIONAL request
> 2 [ ]
> Apr  6 08:36:57 csp-laptop charon: 17[IKE] checking path 192.168.5.80[4500]
> - 194.116.5.51[4500]
> Apr  6 08:36:57 csp-laptop charon: 17[NET] sending packet: from
> 192.168.5.80[4500] to 194.116.5.51[4500]
> Apr  6 08:36:57 csp-laptop charon: 06[NET] error writing to socket: Invalid
> argument
...
> Apr  6 08:37:22 csp-laptop charon: 17[IKE] path probing attempt 10
> Apr  6 08:37:22 csp-laptop charon: 17[IKE] checking path 192.168.5.80[4500]
> - 194.116.5.51[4500]
> Apr  6 08:37:22 csp-laptop charon: 17[NET] sending packet: from
> 192.168.5.80[4500] to 194.116.5.51[4500]
> Apr  6 08:37:22 csp-laptop charon: 06[NET] error writing to socket: Invalid
> argument
> Apr  6 08:37:25 csp-laptop charon: 03[IKE] giving up after 10 path probings

Charon tries to find a valid path within 25 seconds or so, but closes
the IKE_SA if migrating the tunnel fails. It seems that this is not
enough for your reconnect to the second AP. 
You may try to change the path probing behavior by changing [1] or [2].

This behavior is probably not optimal: we probably should use a routing
lookup to see if we can still reach the gateway and set the SA state to
something like STALE until we have a valid route. But this is currently

J.Witvliet | 6 Apr 14:53 2009

[strongSwan] Supported hardware

Does anybody have any experience with crypto hardware?

Like:
www.silicom-usa.com/downloads/pdf/PESB62.pdf
or
http://www.securehq.com/images/checkpoint/accelerator_DataSheet.pdf

Hans

Defensie/CDC/IVENT/Research en Innovation Centrum
Ing J. (Hans) Witvliet Systeembeheer, CAcert-assurer
T   0174-539053
mailto:j.witvliet@...
Coldenhovelaan 1, 3155RC Maasland, kamer A109

Please disregard any meaningless signatures below; they are attached
beyond my control....

______________________________________________________________________
This message may contain information that is not intended for you. If you are not the addressee or if this
message was sent to you by mistake, you are requested to inform the sender and delete the message. The State
accepts no liability for damage of any kind resulting from the risks inherent in the electronic
transmission of messages.
