[strongSwan] trying to get basic pubkey strongswan connection with certificates up and running

Noel Kuntze noel at familie-kuntze.de
Sat Sep 13 12:24:30 CEST 2014



Hello Cindy,

As network manager doesn't run as your user, you need to give it
access to the certificate and the private key in your home directory.
You can do this by changing the group of those files to a group
the network manager user is in and giving said group read
access to the file and execute access down the path to said files.

Yes, the error message indicates a configuration mismatch
between the server and the client.

I think you need to indent the section parameters with a tab for strongSwan to read them correctly.
Check with "ipsec statusall" whether it correctly read all the conn definitions.

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
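The permission change Noel describes, as an added shell example (not from the original mail): instead of leaving the key at 644, the function gives one service group read access to the key file and only search (execute) permission on the directories leading to it, and stops at a bounding directory you name. The group name, the bounding directory and the throwaway tree are assumptions; the current user's own primary group stands in for the NetworkManager group.

```shell
# Added example: give a service group read access to a private key without
# making the key world-readable, plus search (x) access along the path.
# Assumed inputs (not from the mail): key path, group name, and a top
# directory that bounds the upward walk so '/' and system dirs stay untouched.
set -eu

grant_group_path_access() {
    keyfile=$1
    group=$2
    top=$3
    # Refuse to walk outside the bounding directory.
    case $keyfile in
        "$top"/*) ;;
        *) echo "error: $keyfile is not below $top" >&2; return 1 ;;
    esac

    # The key itself: owner read/write, group read, nobody else anything.
    chgrp "$group" "$keyfile"
    chmod 0640 "$keyfile"

    # Each directory from the key's parent up to $top gets group execute
    # (search) permission, nothing more, so the group can traverse the path.
    dir=$(dirname "$keyfile")
    while :; do
        chgrp "$group" "$dir"
        chmod g+x "$dir"
        [ "$dir" = "$top" ] && break
        dir=$(dirname "$dir")
    done
}

# Symbolic permission string of a path, e.g. "-rw-r-----" (portable via ls).
perm_of() {
    ls -ld "$1" | cut -c1-10
}

# Build a constructed throwaway tree mimicking a 0700 home directory, apply
# the function to it and print the base path so callers can inspect it.
demo() {
    base=$(mktemp -d)
    mkdir -p "$base/home/cindy/certs"
    chmod 0755 "$base/home"
    chmod 0700 "$base/home/cindy" "$base/home/cindy/certs"
    printf 'constructed placeholder, not a real key\n' > "$base/home/cindy/certs/moiKey.pem"
    chmod 0600 "$base/home/cindy/certs/moiKey.pem"
    # The current user's own primary group stands in for the service group.
    grant_group_path_access "$base/home/cindy/certs/moiKey.pem" "$(id -gn)" "$base/home/cindy"
    printf '%s\n' "$base"
}
```

On a real system, pass the group that charon-nm actually runs under and your home directory as the bounding directory; the directory above the home is left untouched.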
On 13.09.2014 at 00:05, Cindy Moore wrote:
> Hi, I'm hoping I can get some tips or direction here, because I've
> been banging my head on this for a while.
>
> I have strongswan 5 installed on ubuntu 14.04 with all the latest updates, etc:
> root at vpn:/etc# ipsec version
> Linux strongSwan U5.1.2/K3.13.0-35-generic
>
> This part seems to be functioning fine.  I've used the ipsec pki to
> generate a vpn cacert, and then a couple of certs to test things with.
> (For reference, I've included the steps I took to create those below,
> along with my ipsec.conf)
>
> All I want is to set up a connection between two machines, both
> running 14.04.  "vpn" is a server install, client is a desktop
> install.  I've installed the network-manager-strongswan (version
> 1.3.0-1ubuntu1) and restarted the network manager.  I've tried to
> configure it as per
> https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager
> but there are already some differences in what's shown and what I get.
>
> Instead of Authentication, there is now Client, with Authentication
> under that (and additional options depending on what is chosen for
> Authentication.  The choices for Authentication are
> Certificate/private key, Certificate/ssh-agent, Smartcard, EAP.  I
> have questions about the ssh-agent, but I'll tabulate those for now.
> Anyway, so when I choose Certificate/private key, I get two more
> options below Authentication, which are Certificate and Private key.
>
> So for Gateway, I've got down vpn.example.com (name changed to protect
> guilty of course :) )
> and for Certificate, I have vpnHostCert.pem (see below).  For
> Authentication, Certificate/private key, for Certificate, moiCert.pem
> (see below) and for private key moiKey.pem (see below). I've checked
> the options to request an inner IP address, and to enforce udp
> encapsulation, but have left the ip compression unchecked.
>
> Under the General and IPv4 settings, I've left the latter to the
> default Automatic (VPN), for the former, I've tried both checking and
> unchecking "all users may connect..."
>
> [NB: I find that I MUST have all .pem files set to 644 and any
> directory along their path to 755 or else Network Manager stalls with
> asking me for a password and the client's syslog contains "charon-nm:
> 15[LIB] opening 'path/to/moiKey.pem' filed: Permission denied", which
> strikes me as rather strange: to force a private key to be readable??
> In this case client is a personal laptop so maybe not that bad, but
> really?]
>
> In following the syslog output on the vpn host, I see:
>
> Sep 12 14:42:02 vpn charon: 04[CFG] looking for peer configs matching
> xxx.xxx.xxx.xxx[C=CH, O=strongSwan, CN=vpn.example.com]...<client's
> current IP addr>[C=CH, O=strongSwan, CN=moi]
> Sep 12 14:42:02 vpn charon: 04[CFG] no matching peer config found
>
> so my guess is the conn roadwarrior (see below) isn't properly configured?
>
> I would appreciate any help... getting this configured has been a huge
> headache.  Thanks.
>
> --------------
> Background info/files:
>
> CAcert/key:
>
> $ cd /etc/ipsec.d/
> $ ipsec pki --gen --type rsa --size 4096 \
> --outform pem \
>> private/strongswanKey.pem
> $ chmod 600 private/strongswanKey.pem
> $ ipsec pki --self --ca --lifetime 3650 \
> --in private/strongswanKey.pem --type rsa \
> --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \
> --outform pem \
>> cacerts/strongswanCert.pem
>
> vpnHostKey/Cert:
>
> $ cd /etc/ipsec.d/
> $ ipsec pki --gen --type rsa --size 2048 \
> --outform pem \
>> private/vpnHostKey.pem
> $ chmod 600 private/vpnHostKey.pem
> $ ipsec pki --pub --in private/vpnHostKey.pem --type rsa | \
> ipsec pki --issue --lifetime 730 \
> --cacert cacerts/strongswanCert.pem \
> --cakey private/strongswanKey.pem \
> --dn "C=CH, O=strongSwan, CN=vpn.example.com" \
> --san vpn.example.com \
> --flag serverAuth --flag ikeIntermediate \
> --outform pem > certs/vpnHostCert.pem
>
> Client cert/key:
>
> $ cd /etc/ipsec.d/
> $ ipsec pki --gen --type rsa --size 2048 \
> --outform pem \
>> private/moiKey.pem
> $ chmod 600 private/moiKey.pem
> $ ipsec pki --pub --in private/moiKey.pem --type rsa | \
> ipsec pki --issue --lifetime 730 \
> --cacert cacerts/strongswanCert.pem \
> --cakey private/strongswanKey.pem \
> --dn "C=CH, O=strongSwan, CN=moi" \
> --san moi \
> --outform pem > certs/moiCert.pem
>
> ("moi" is just a standin for my personal uid)
>
> ipsec.conf (note that this email client is munging the tabs, but ipsec
> reload is perfectly happy with this conf file's syntax)
>
> config setup
> # uniqueids=never
> charondebug="cfg 2, dmn 2, ike 2, net 2"
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> #note iOS, Android, xauth-pam are all ikev1!
> keyexchange=ike
>
> conn roadwarrior
> #vpn server
> left=xxx.xxx.xxx.xxx
> #allow full tunneling
> leftsubnet=0.0.0.0/0
> right=%any
> rightauth=pubkey
> #assign ip addr from this pool
> rightsourceip=xxx.xx.xx.0/24
> auto=add
