
Issue #3090

How to load a certificate-authenticated connection using vici?

Added by Bin Liu 6 days ago. Updated 6 days ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
vici
Affected version:
5.8.0
Resolution:

Description

The vici message I constructed is as follows:

    #include <string.h>
    #include <davici.h>

    /* Builds the load-conn request for "tunnel-0" and queues it on an
     * already established davici connection; returns 0 or a negative errno. */
    static int load_tunnel(struct davici_conn *conn, davici_cb event_cb)
    {
        struct davici_request *req;
        int ret;

        ret = davici_new_cmd("load-conn", &req);
        if (ret < 0)
        {
            return ret;
        }
        davici_section_start(req, "tunnel-0");
        davici_kvf(req, "version", "%s", "2");
        davici_kvf(req, "keyingtries", "%s", "1");
        davici_kvf(req, "dpd_delay", "%s", "10s");
        davici_kvf(req, "encap", "%s", "yes");
        davici_kvf(req, "mobike", "%s", "no");
        davici_kvf(req, "reauth_time", "%s", "0s");
        davici_kvf(req, "rekey_time", "%s", "0s");
        /* request any IPv4 virtual IP from the peer */
        davici_list_start(req, "vips");
        davici_list_item(req, "0.0.0.0", strlen("0.0.0.0"));
        davici_list_end(req);
        davici_list_start(req, "local_addrs");
        davici_list_item(req, "10.252.1.54", strlen("10.252.1.54"));
        davici_list_end(req);
        davici_list_start(req, "remote_addrs");
        davici_list_item(req, "10.252.101.151", strlen("10.252.101.151"));
        davici_list_end(req);
        davici_section_start(req, "local");
        davici_kvf(req, "auth", "%s", "pubkey");
        davici_kvf(req, "id", "%s", "CN=testAltname");
        /* cert section: charon opens this path itself, so it must be an
         * absolute path readable by the daemon; a failed load shows up in
         * the daemon's log, not in the vici response to list-conns */
        davici_section_start(req, "cert");
        davici_kvf(req, "file", "%s", "/mnt/data/ipsec/ipsec.d/certs/HenbCert-0");
        davici_section_end(req);
        davici_section_end(req);
        davici_section_start(req, "remote");
        davici_kvf(req, "auth", "%s", "pubkey");
        davici_section_end(req);
        davici_section_start(req, "children");
        davici_section_start(req, "tunnel-0");
        /* a bare address is a single-host selector: list-conns shows it as
         * 0.0.0.0/32; "0.0.0.0/0" would cover any remote address */
        davici_list_start(req, "remote_ts");
        davici_list_item(req, "0.0.0.0", strlen("0.0.0.0"));
        davici_list_end(req);
        davici_kvf(req, "rekey_time", "%s", "0s");
        davici_kvf(req, "dpd_action", "%s", "restart");
        davici_kvf(req, "close_action", "%s", "start");
        davici_kvf(req, "start_action", "%s", "none");
        davici_section_end(req);
        davici_section_end(req);
        davici_section_end(req);
        return davici_queue(conn, req, event_cb, NULL);
    }

I use the "cert" section to transmit the cert file, but when I use the list-conns command to display the loaded connections, the transmitted certificate is not shown:

    root@OpenWrt:/mnt/data/ipsec/swanctl# /tmp/ltever/ipsec/strongSwan/sbin/swanctl --list-conns
    tunnel-0: IKEv2, no reauthentication, no rekeying
      local:  10.252.1.54
      remote: 10.252.101.151
      local public key authentication:
        id: CN=testAltname
      remote public key authentication:
      tunnel-0: TUNNEL, no rekeying
        local:  dynamic
        remote: 0.0.0.0/32

Can you help me? I don't know what went wrong.
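As an added example (not code from this issue or from the strongSwan project), here is the same connection built in Python directly on the vici wire format, with the certificate passed either way the vici README allows: inline in the `certs` list, where the message carries the PEM bytes themselves (this is what swanctl does for a `certs =` entry in swanctl.conf), or as a `cert` section with a `file` path that charon opens itself, which is why that path must be absolute and readable by the daemon's user. The example also decodes the load-conn response, which carries `success` and `errmsg`, so a failed load is reported to the caller instead of just being missing from `--list-conns`. The socket path /var/run/charon.vici is the daemon's default; the PEM body is a constructed placeholder, not a real certificate.

```python
import socket
import struct

# Element and packet types from the vici README ("Message encoding").
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = 1, 2, 3, 4, 5, 6
CMD_REQUEST, CMD_RESPONSE = 0, 1

# Constructed placeholder: not a real certificate, only shaped like one.
CONSTRUCTED_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                   b"MIIBplaceholderNotARealCertificate==\n"
                   b"-----END CERTIFICATE-----\n")


def _name(s):
    """Names (keys, section and list names) are u8-length prefixed."""
    b = s.encode()
    if len(b) > 255:
        raise ValueError("vici names are limited to 255 bytes")
    return bytes([len(b)]) + b


def _value(v):
    """Values are u16 big-endian length prefixed; a PEM certificate fits easily."""
    b = v if isinstance(v, bytes) else str(v).encode()
    if len(b) > 0xFFFF:
        raise ValueError("vici values are limited to 65535 bytes")
    return struct.pack(">H", len(b)) + b


def encode_message(tree):
    """Nested dict/list -> vici elements: dicts become sections, lists lists."""
    out = bytearray()
    for key, val in tree.items():
        if isinstance(val, dict):
            out += bytes([SECTION_START]) + _name(key) + encode_message(val) + bytes([SECTION_END])
        elif isinstance(val, (list, tuple)):
            out += bytes([LIST_START]) + _name(key)
            for item in val:
                out += bytes([LIST_ITEM]) + _value(item)
            out += bytes([LIST_END])
        else:
            out += bytes([KEY_VALUE]) + _name(key) + _value(val)
    return bytes(out)


def encode_packet(cmd, tree):
    """CMD_REQUEST packet: u32 length (excluding itself), type, command name, message."""
    body = bytes([CMD_REQUEST]) + _name(cmd) + encode_message(tree)
    return struct.pack(">I", len(body)) + body


def decode_message(data):
    """Inverse of encode_message; values come back as str."""
    root, stack, items, pos = {}, [], None, 0
    stack.append(root)
    while pos < len(data):
        kind = data[pos]
        pos += 1
        if kind in (SECTION_START, KEY_VALUE, LIST_START):
            n = data[pos]
            key = data[pos + 1:pos + 1 + n].decode()
            pos += 1 + n
        if kind in (KEY_VALUE, LIST_ITEM):
            (vlen,) = struct.unpack(">H", data[pos:pos + 2])
            val = data[pos + 2:pos + 2 + vlen].decode()
            pos += 2 + vlen
        if kind == SECTION_START:
            stack[-1][key] = {}
            stack.append(stack[-1][key])
        elif kind == SECTION_END:
            stack.pop()
        elif kind == KEY_VALUE:
            stack[-1][key] = val
        elif kind == LIST_START:
            items = stack[-1][key] = []
        elif kind == LIST_ITEM:
            items.append(val)
        elif kind == LIST_END:
            items = None
        else:
            raise ValueError("unknown vici element type %d" % kind)
    return root


def build_load_conn(cert_pem=None, cert_file=None):
    """The issue's connection; certificate inline (certs list) and/or by path (cert section)."""
    local = {"auth": "pubkey", "id": "CN=testAltname"}
    if cert_pem is not None:
        local["certs"] = [cert_pem]           # data travels inside the message
    if cert_file is not None:
        local["cert"] = {"file": cert_file}   # charon opens this path itself
    return {"tunnel-0": {
        "version": "2",
        "local_addrs": ["10.252.1.54"],
        "remote_addrs": ["10.252.101.151"],
        "vips": ["0.0.0.0"],                  # any IPv4 virtual IP
        "local": local,
        "remote": {"auth": "pubkey"},
        "children": {"tunnel-0": {
            "remote_ts": ["0.0.0.0/0"],       # /0 = any; a bare address would be /32
            "start_action": "none",
        }},
    }}


def load_error(resp):
    """load-conn answers { success = yes|no, errmsg = ... }; None on success."""
    if resp.get("success") == "yes":
        return None
    return resp.get("errmsg", "load-conn failed without errmsg")


def _recv_exact(s, n):
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("vici socket closed")
        buf += chunk
    return buf


def send_load_conn(tree, sock_path="/var/run/charon.vici"):
    """Send one load-conn over the vici unix socket and return the decoded response."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(encode_packet("load-conn", tree))
        (length,) = struct.unpack(">I", _recv_exact(s, 4))
        pkt = _recv_exact(s, length)
    if pkt[0] != CMD_RESPONSE:
        raise RuntimeError("unexpected vici packet type %d" % pkt[0])
    return decode_message(pkt[1:])


if __name__ == "__main__":
    err = load_error(send_load_conn(build_load_conn(cert_pem=CONSTRUCTED_PEM)))
    print("load-conn: %s" % (err or "ok, check with swanctl --list-conns"))
```

With the inline form the daemon never touches the filesystem, so a path or permission problem on the charon side cannot be the reason a certificate is missing; with the `cert { file = }` form, a `success = no` response with its `errmsg` and the daemon's log are the places to look.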

History

#1 Updated by Tobias Brunner 6 days ago

  • Description updated (diff)
  • Category set to vici
  • Status changed from New to Feedback

Read the daemon's log. If it tried to load the certificate and it didn't work, you should get a message.
