Strongswan/swanctl - unable to handle certificates

Hi guys.

I have certs I have to use but strongswan fails to load those:

-> $ swanctl --load-all
loading '/etc/swanctl/x509/vpn.ui.crt' failed: parsing X509 certificate failed
loaded eap secret 'eap'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loading connection 'to-amuni' failed: invalid value for: certs, config discarded
loaded 0 of 1 connections, 1 failed to load, 0 unloaded

I even filed a bug report - https://github.com/openwrt/packages/issues/18819
Has anybody managed to run 'swanctl' with certificates successfully?
In my case it's for the client side, the road-warrior side of swan, but I'd imagine for the server it must be the same failure.
The certificates 'swanctl' fails to use/load are otherwise viewable/printable with other tools in oWRT.

And for the sake of a better picture:

-> $ swanctl --stats
uptime: 2 days, since Jul 12 08:25:24 2022
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 0
IKE_SAs: 0 total, 0 half-open
loaded plugins: charon aes des sha1 md4 md5 random nonce x509 pubkey openssl gmp gmpdh xcbc hmac kernel-netlink socket-default stroke vici updown eap-mschapv2

many thanks, L

For those who may stumble upon the same/similar issue: as you can see, I showed:

...
loaded plugins: charon aes des sha1 md4 md5 random nonce x509 pubkey openssl gmp gmpdh xcbc hmac kernel-netlink socket-default stroke vici updown eap-mschapv2

I did not realize that doing:

-> $ service swanctl restart

does not really do what I expected - changes for new configs and newly added plugins do not get picked up that way; in fact 'logread' shows:
...
Thu Jul 14 13:59:28 2022 authpriv.info ipsec_starter[15161]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done
...
It is instead:

-> $ service ipsec restart

which does the trick and then:

-> $ swanctl --stats
...
loaded plugins: charon aes des sha1 md4 md5 random nonce x509 pubkey pem openssl gmp gmpdh xcbc hmac kernel-netlink socket-default stroke vici updown eap-mschapv2

and now 'swanctl' sees and is able to use certificates.

thanks, L.
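A small diagnostic, added here as an example and not part of the original post, that turns the two observations above into checks: it inspects a 'loaded plugins:' line from 'swanctl --stats' for the plugins needed to load PEM-encoded X.509 certificates, and it spots the 'starter is already running' message that 'logread' printed when the wrong service was restarted. The sample lines are copied from the post; the assumed required plugin set (x509 for certificate parsing, pem for decoding PEM files) is mine, not something the post states.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for a charon
# that refuses to load certificates on OpenWrt.

# Assumption: these plugins must be present for PEM-encoded X.509 files to load.
REQUIRED_PLUGINS="x509 pem"

# Sample lines, copied from the forum post above.
STATS_BEFORE="loaded plugins: charon aes des sha1 md4 md5 random nonce x509 pubkey openssl gmp gmpdh xcbc hmac kernel-netlink socket-default stroke vici updown eap-mschapv2"
STATS_AFTER="loaded plugins: charon aes des sha1 md4 md5 random nonce x509 pubkey pem openssl gmp gmpdh xcbc hmac kernel-netlink socket-default stroke vici updown eap-mschapv2"
LOG_SAMPLE="Thu Jul 14 13:59:28 2022 authpriv.info ipsec_starter[15161]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done"

# missing_plugins "<loaded plugins line>"
# Prints the required plugins that are absent (space separated, possibly empty).
# Returns 0 when nothing is missing, 1 otherwise.
missing_plugins() {
    plugins=${1#loaded plugins: }
    missing=""
    for want in $REQUIRED_PLUGINS; do
        found=0
        for have in $plugins; do
            if [ "$have" = "$want" ]; then
                found=1
                break
            fi
        done
        [ "$found" -eq 0 ] && missing="$missing $want"
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# starter_already_running "<log line>"
# Returns 0 if the line is the ipsec_starter message that means a restart
# did not actually replace the running charon (so new plugins are not loaded).
starter_already_running() {
    case "$1" in
        *"starter is already running"*) return 0 ;;
        *) return 1 ;;
    esac
}

# live_plugin_check
# If swanctl is installed, run the same check against the live daemon;
# otherwise report that no daemon was checked. Never fails the script.
live_plugin_check() {
    if command -v swanctl >/dev/null 2>&1; then
        line=$(swanctl --stats 2>/dev/null | grep '^loaded plugins:')
        if [ -n "$line" ]; then
            if missing_plugins "$line" >/dev/null; then
                echo "live charon: all required plugins loaded"
            else
                echo "live charon: missing plugins: $(missing_plugins "$line")"
                echo "hint: after enabling a plugin, restart with 'service ipsec restart'"
            fi
        else
            echo "live charon: swanctl gave no plugin list (daemon not running?)"
        fi
    else
        echo "swanctl not installed here; skipping live check"
    fi
}

# Demonstration on the embedded samples.
if missing_plugins "$STATS_BEFORE" >/dev/null; then
    echo "before: ok"
else
    echo "before: missing $(missing_plugins "$STATS_BEFORE")"
fi
if missing_plugins "$STATS_AFTER" >/dev/null; then
    echo "after: ok"
fi
if starter_already_running "$LOG_SAMPLE"; then
    echo "log: charon was not restarted; use 'service ipsec restart'"
fi
live_plugin_check
```

On a router the interesting call is live_plugin_check, which reads the real 'swanctl --stats' output; the rest of the block runs anywhere so the parsing can be verified against the lines from the post before trusting it on a live box.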
