[strongSwan] help with ext-auth plugin
Amit Priyadarshi
2018-08-02 16:55:09 UTC
Hello Strongswan experts,

I am a strongswan rookie and need some expert advice here.
I am trying to configure strongswan to use an external auth script.
I followed the steps below.

***@ampriyad-Inspiron-3558:/home/ampriyad/strongswan/strongswan-5.6.3#
./configure --enable-ext-auth

then I went ahead and did a
make followed by
make install.
When I launched ipsec I got the run logs below.
Note that the plug-in "ext-auth" did not get loaded.

***@ampriyad-Inspiron-3558:/home/ampriyad/strongswan/strongswan-5.6.3#
ipsec start --debug-all --nofork
Starting strongSwan 5.6.3 IPsec [starter]...
Loading config setup
found netkey IPsec stack
Attempting to start charon...
00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux 4.15.0-29-generic, x86_64)
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] no script for ext-auth script defined, disabled
00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
00[JOB] spawning 16 worker threads

Please guide me on what I missed.
--
Regards,
Amit Priyadarshi
Andreas Steffen
2018-08-04 11:10:21 UTC
Hello Amit,

your log says:

00[CFG] no script for ext-auth script defined, disabled

The ext-auth plugin description

https://wiki.strongswan.org/projects/strongswan/wiki/Ext-auth

or man strongswan.conf

charon.plugins.ext-auth.script []
Command to pass to the system shell for peer authorization.
Authorization is considered successful if the command executes
normally with an exit code of zero. For all other exit codes
IKE_SA authorization is rejected.

The following environment variables get passed to the script:
IKE_UNIQUE_ID: The IKE_SA numerical unique identifier.
IKE_NAME: The peer configuration connection name.
IKE_LOCAL_HOST: Local IKE IP address.
IKE_REMOTE_HOST: Remote IKE IP address.
IKE_LOCAL_ID: Local IKE identity.
IKE_REMOTE_ID: Remote IKE identity.
IKE_REMOTE_EAP_ID: Remote EAP or XAuth identity, if used.

Thus you have to define an authentication script in strongswan.conf:

charon {
    plugins {
        ext-auth {
            script = <path to authentication script>
        }
    }
}

Regards

Andreas
--
======================================================================
Andreas Steffen ***@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
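As an added illustration of the contract Andreas quotes from the man page (this is not code from the thread or from the strongSwan project): a minimal ext-auth script that charon would run through the system shell. It reads the documented environment variables (IKE_UNIQUE_ID, IKE_NAME, IKE_REMOTE_HOST, IKE_REMOTE_ID, IKE_REMOTE_EAP_ID), checks the remote identity against an allowlist and exits 0 to authorize or 1 to reject. The allowlist path, its one-identity-per-line format and the preference for the EAP/XAuth identity over the IKE identity are assumptions made for the example, not anything strongSwan mandates.

```sh
#!/bin/sh
# ext-auth authorization script (added example, not part of the thread or of strongSwan).
# charon runs the configured script via the system shell; exit code 0 means the
# IKE_SA is authorized, any other exit code rejects it. The IKE_* variables are the
# ones listed in the strongswan.conf man page.

# Assumption: one permitted remote identity per line in this file (path is our choice).
ALLOWLIST="${EXT_AUTH_ALLOWLIST:-/usr/local/etc/ipsec.d/ext-auth-allow.txt}"

# log MSG: prefer syslog via logger(1), fall back to stderr if it is unavailable.
log() {
    if command -v logger >/dev/null 2>&1; then
        logger -t ext-auth "$1"
    else
        printf 'ext-auth: %s\n' "$1" >&2
    fi
}

# authorize ID LISTFILE: exit status 0 if ID appears as a complete line in LISTFILE,
# 1 otherwise. An empty identity or an unreadable allowlist is always a rejection,
# so a misconfiguration fails closed rather than open.
authorize() {
    id="$1"
    list="$2"
    [ -n "$id" ] || return 1
    [ -r "$list" ] || return 1
    # -F: fixed string, -x: match the whole line, -q: no output
    grep -Fxq -- "$id" "$list"
}

# pick_identity: print the identity to check. Assumption for this example: when the
# peer authenticated with EAP or XAuth, that identity is the one that matters.
pick_identity() {
    if [ -n "$IKE_REMOTE_EAP_ID" ]; then
        printf '%s\n' "$IKE_REMOTE_EAP_ID"
    else
        printf '%s\n' "$IKE_REMOTE_ID"
    fi
}

main() {
    id="$(pick_identity)"
    if authorize "$id" "$ALLOWLIST"; then
        log "IKE_SA $IKE_UNIQUE_ID ($IKE_NAME): authorized '$id' from $IKE_REMOTE_HOST"
        exit 0
    fi
    log "IKE_SA $IKE_UNIQUE_ID ($IKE_NAME): rejected '$id' from $IKE_REMOTE_HOST"
    exit 1
}

# charon always sets IKE_UNIQUE_ID; when the file is sourced by hand for testing
# it is unset, and the functions are simply defined without running main.
if [ -n "$IKE_UNIQUE_ID" ]; then
    main
fi
```

Install the script somewhere charon can execute it, point `charon.plugins.ext-auth.script` in strongswan.conf at it, and the "no script for ext-auth script defined, disabled" line disappears from the startup log. Because the whole line must match (`grep -x`), a partial identity such as `alice` does not pass for `alice@example.org`, and the rejections are logged with the IKE_SA id so they can be correlated with charon's own log.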