[GUIDE] strongSwan for IPsec on OpenWrt and Homeware

Offline a1pollo

  • Senior Member
  • ***
  • 172
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #240 on: 13 February 2022, 18:43 »
I can't think of anything else right now; make a backup of the following files and keep them in a safe place:
Code:
/etc/config/firewall
/etc/firewall.user
/etc/ipsec.conf
/etc/ipsec.secrets
/etc/strongswan.conf
/etc/strongswan.d/charon/dhcp.conf
/etc/ipsec.d/ (all the folders; they contain the server and CA certificates)

Offline LuKePicci

  • Global Moderator
  • VIP
  • *****
  • 2779
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #241 on: 17 February 2022, 09:52 »
It has some problem in the conf file. Again, if the script was run with packages missing, I don't expect it to work.

Offline kitt1997

  • Junior Member
  • **
  • 54
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #242 on: 13 April 2022, 08:34 »
There seems to be a problem in @FrancYescO's script.
In the ipsec.conf configuration there must be rightca and not rightcert if the caCert.pem certificate is used.

Offline FrancYescO

  • VIP
  • *****
  • 3329
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #243 on: 13 April 2022, 08:51 »
If someone confirms this for me I'll change the script; I wouldn't want it to behave differently depending on the IPSec/strongswan version.

Offline LuKePicci

  • Global Moderator
  • VIP
  • *****
  • 2779
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #244 on: 17 April 2022, 21:22 »
If the goal is to authenticate all certificates issued by a CA, then rightca goes there and not rightcert. If instead you want to authenticate only one specific certificate, then rightcert goes there.

It's unrelated to the question, but I'll add, since it came in handy for me recently, that the rightid field accepts wildcards that match on parts of the certificate subject, and that way it is possible to steer specific subjects with certificates from the same CA to distinct conns.

Offline kitt1997

  • Junior Member
  • **
  • 54
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #245 on: 17 April 2022, 23:01 »
Exactly, but as it is written now it produces a hybrid of the two and, at least for me, it didn't work.
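
Added example, not part of any post in this thread and not the script under discussion: the rightca / rightcert distinction from reply #244 and the hybrid reported in reply #245, as a small shell lint run over a constructed ipsec.conf. The conn names, DNs and certificate file names are made up, the function `lint_ipsec_conf` is hypothetical, and settings inherited through `conn %default` or `also=` are not followed.

```shell
#!/bin/sh
# Added example, not from the thread. All names, DNs and file names are constructed.

# Constructed sample: one conn per case discussed in replies #244 and #245.
sample_conf() {
    cat <<'EOF'
# accept any certificate issued by the CA; rightid wildcard narrows the subject
conn any-client-from-ca
    leftcert=serverCert.pem
    right=%any
    rightca="C=IT, O=Example, CN=Example CA"
    rightid="C=IT, O=Example, CN=*"
    auto=add

# accept exactly one client certificate
conn one-pinned-client
    leftcert=serverCert.pem
    right=%any
    rightcert=clientCert_1.pem
    auto=add

# the hybrid: both options in the same conn
conn hybrid
    leftcert=serverCert.pem
    right=%any
    rightca="C=IT, O=Example, CN=Example CA"
    rightcert=clientCert_1.pem
    auto=add
EOF
}

# lint_ipsec_conf FILE: print one line per conn that sets both options.
lint_ipsec_conf() {
    awk '
        function flush() {
            if (conn != "" && has_ca && has_cert)
                print conn ": sets both rightca and rightcert"
        }
        /^[ \t]*#/ { next }                                 # skip comment lines
        /^conn[ \t]+/ { flush(); conn = $2; has_ca = 0; has_cert = 0; next }
        /^(config|ca)[ \t]+/ { flush(); conn = ""; next }   # other section types
        /^[ \t]+rightca[ \t]*=/   { has_ca = 1 }
        /^[ \t]+rightcert[ \t]*=/ { has_cert = 1 }
        END { flush() }
    ' "$1"
}

tmp=$(mktemp) && sample_conf > "$tmp" && lint_ipsec_conf "$tmp"; rm -f "$tmp"
```

On the router the same function can be pointed at /etc/ipsec.conf after the script has run.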

Offline gfucka

  • New Member
  • *
  • 13
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #246 on: 25 December 2022, 23:28 »
Hi everyone, I have a DGA4132 with 2.3.3.
I'm trying to install strongswan with the script, but I get these errors:

Code:
Building certificates for [ mioddns.duckdns.org ] and client [  (aka myVpnClients) ]
generating a new cakey for [ CATechnicolor ]
instantiation of DRBG_HMAC_SHA512 failed
building CRED_PRIVATE_KEY - RSA failed, tried 4 builders
private key generation failed
generating caCert for [ CATechnicolor ]...
  file coded in unknown format, discarded
building CRED_PRIVATE_KEY - ANY failed, tried 2 builders
loading private key failed
unable to load certificate
3065327632:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
Now building CA keys bundle
unable to load private key
3065171984:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
generating server certificates for [ ghomenvr.duckdns.org ]...
instantiation of DRBG_HMAC_SHA512 failed
building CRED_PRIVATE_KEY - RSA failed, tried 4 builders
private key generation failed
  file coded in unknown format, discarded
building CRED_PRIVATE_KEY - ANY failed, tried 2 builders
parsing private key failed
  file coded in unknown format, discarded
building CRED_CERTIFICATE - X509 failed, tried 3 builders
parsing CA certificate failed
generating clientCert for [ myvpnclient1 (aka myVpnClients) ]...
instantiation of DRBG_HMAC_SHA512 failed
building CRED_PRIVATE_KEY - RSA failed, tried 4 builders
private key generation failed
  file coded in unknown format, discarded
building CRED_PRIVATE_KEY - ANY failed, tried 2 builders
parsing private key failed
  file coded in unknown format, discarded
building CRED_CERTIFICATE - X509 failed, tried 3 builders
parsing CA certificate failed
unable to load certificate
3065872400:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
Now building Client keys bundle for [ myvpnclient1 ]
unable to load private key
3065708560:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
unable to load certificate
3065368592:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
generating clientCert for [ myvpnclient2 (aka myVpnClients) ]...
instantiation of DRBG_HMAC_SHA512 failed
building CRED_PRIVATE_KEY - RSA failed, tried 4 builders
private key generation failed
  file coded in unknown format, discarded
building CRED_PRIVATE_KEY - ANY failed, tried 2 builders
parsing private key failed
  file coded in unknown format, discarded
building CRED_CERTIFICATE - X509 failed, tried 3 builders
parsing CA certificate failed
unable to load certificate
3065249808:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
Now building Client keys bundle for [ myvpnclient2 ]
unable to load private key
3065770000:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
unable to load certificate
3065450512:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
generating clientCert for [ myvpnclient3 (aka myVpnClients) ]...
instantiation of DRBG_HMAC_SHA512 failed
building CRED_PRIVATE_KEY - RSA failed, tried 4 builders
private key generation failed
  file coded in unknown format, discarded
building CRED_CERTIFICATE - X509 failed, tried 3 builders
parsing CA certificate failed
  file coded in unknown format, discarded
building CRED_PRIVATE_KEY - ANY failed, tried 2 builders
parsing private key failed
unable to load certificate
3065389072:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
Now building Client keys bundle for [ myvpnclient3 ]
unable to load private key
3065479184:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
unable to load certificate
3065069584:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
generating clientCert for [ myvpnclient4 (aka myVpnClients) ]...
instantiation of DRBG_HMAC_SHA512 failed
building CRED_PRIVATE_KEY - RSA failed, tried 4 builders
private key generation failed
  file coded in unknown format, discarded
building CRED_PRIVATE_KEY - ANY failed, tried 2 builders
parsing private key failed
  file coded in unknown format, discarded
building CRED_CERTIFICATE - X509 failed, tried 3 builders
parsing CA certificate failed
unable to load certificate
3065880592:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
Now building Client keys bundle for [ myvpnclient4 ]
unable to load private key
3065200656:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
unable to load certificate
3065495568:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
mv: can't rename 'ca.p12': No such file or directory
mv: can't rename 'client_*.p12': No such file or directory
mv: can't rename 'clientCert_*.crt': No such file or directory
**** THE END ****


Could you kindly help me understand where the problem is? As far as I understand, it cannot generate the certificates because of files in the wrong format.

Thanks a lot