thr's questions

I'm trying to setup a postgres server (version 10.4) with openssl access only. I created a self signed ca and the necessary private and public keys for the user and the server with easyrsa version 3 as described here and put it in the directories as stated here. Afterwards I added this line

hostssl  all  myname  192.168.0.0/16  cert

to the pg_hba.conf as described here and here But when I try to connect to the database with

psql -h 192.168.0.222 "sslmode=verify-ca sslcert=myname.crt sslkey=myname.key"

this error message pops up

couldn't read certificate "myname.crt": ca md too weak

and in the server log

couldn't accept SSL-connection: success

(maybe the messages are not literally correct, I translated them from German)

That is funny, because when I look at my certificates with

easyrsa show-cert myname

I see the following lines (and more):

Certificate: 
   Data: 
   Version: 3 (0x2) 
   Serial Number: 
       don't show it here
   Signature Algorithm: sha256WithRSAEncryption

and the same for my root certificate ca.crt and the certificate for the postgres server. So obviously the certificates are signed with sha256 method and not with md
What is even more funny, is that it worked in the beginning, and some days later, when I tried it again the above mentioned error message appeared and I'm quite sure that I didn't change any configuration meanwhile. Maybe some update of openssl or postgresql was in between.

I'm trying to connect to a ipsec/l2tp vpn from a private network behind a nat-router. It works from different windows clients, but from my linux machine (openSuSE 12.3, stronswan 5.1.3, xl2tp 1.3.0) I don't manage to connect. First problem was, that the server seems to handle just IKE v1 protocol. "keyexchange = ikev1" in ipsec.conf solved this issue. Now "ipsec statusall" shows:

Status of IKE charon daemon (strongSwan 5.1.3, Linux 3.16.7-53-desktop, x86_64):
  uptime: 6 minutes, since Dec 20 01:08:01 2016
  malloc: sbrk 2838528, mmap 0, used 652816, free 2185712
  worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon curl soup ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp certexpire led duplicheck radattr addrblock unity
Listening IP addresses:
  client_ip
Connections:
    L2TP-PSK:  %any...server_ip  IKEv1
    L2TP-PSK:   local:  [client_ip] uses pre-shared key authentication
    L2TP-PSK:   remote: [server_ip] uses pre-shared key authentication
    L2TP-PSK:   child:  dynamic[udp] === dynamic[udp/l2f] TRANSPORT
Security Associations (1 up, 0 connecting):
    L2TP-PSK[1]: ESTABLISHED 6 minutes ago, client_ip[client_ip]...server_ip[server_ip]
    L2TP-PSK[1]: IKEv1 SPIs: a505b49c4edac068_i* 829bf572900386be_r, pre-shared key reauthentication in 7 hours
    L2TP-PSK[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048

So everything seems fine on the side of ipsec When starting the l2tp protocol with "echo "c connection_name" > /var/run/xl2tpd/l2tp-control" I just see some timeouts in the systemlog:

    xl2tpd[16779]: get_call: allocating new tunnel for host server_ip, port 1701.
    xl2tpd[16779]: Connecting to host server_ip, port 1701
    xl2tpd[16779]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.

xl2tpd[16779]: control_finish: sending SCCRQ
    xl2tpd[16779]: network_thread: select timeout
    ... (5x)
    Maximum retries exceeded for tunnel 55245.  Closing.
    network_thread: select timeout
    ... (5x)
    Unable to deliver closing message for tunnel 55245. Destroying anyway.

Watching the traffic with

tcpdump host server_ip and port l2tp

shows only the following:

12:58:39.221494 IP client_ip.l2f > server_ip.l2f:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) *HOST_NAME(my_site) *VENDOR_NAME(xelerance.com) *ASSND_TUN_ID(49091) *RECV_WIN_SIZE(4)

repeatet 5 times and later 3 times:

12:58:44.226892 IP client_ip.l2f > server_ip.l2f:  l2tp:[TLS](0/0)Ns=1,Nr=0 *MSGTYPE(StopCCN) *ASSND_TUN_ID(49091) *RESULT_CODE(1/0 Timeout)

Obviously there is no answer from the server to the l2tp packages. But as said before, it works with several windows clients What could be wrong?

What can I do, to get more information about the l2tp connection?

I switched on all debugging option in the xl2tp.conf already. Here are my conf-files:

ipsec.conf

conn L2TP-PSK
        keyexchange = ikev1
        authby=secret
        auto=start
        keying=1
        rekey=yes
        ikelifetime=8h
        keylife=1h
        type=transport
        left=%any
        leftprotoport=udp/%any
        right=server_ip
        rightprotoport=udp/l2tp

xl2tp.conf

[global]
access control = yes
auth file = /etc/xl2tpd/l2tp-secrets
debug avp = yes
debug network = yes
debug state = yes
debug tunnel = yes

[lac connection_name]
lns = server-ip
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd.connection_name
length bit = yes
require authentication = yes
require chap = yes
refuse pap = yes
name = my_loginname