[strongSwan] Strongswan 5.4 issue using certificates
Andreas Steffen
andreas.steffen at strongswan.org
Fri Sep 16 10:33:37 CEST 2016
Hi Rajeev,
yes, you have to load the private key file in your management tool
and transfer it via the VICI interface as a binary blob.
Regards
Andreas
On 15.09.2016 21:20, rajeev nohria wrote:
> Anderas,
>
> When using davici-
> For the loading of private rsa keys, that has to be loaded like the
> certificate?
>
> Thanks,
> Rajeev
>
> On Thu, Sep 15, 2016 at 3:19 PM, rajeev nohria <rajnohria at gmail.com
> <mailto:rajnohria at gmail.com>> wrote:
>
> Anderas,
>
> For the loading of private rsa keys, that has to be loaded like the
> certificate?
>
> Thanks,
> Rajeev
>
> On Thu, Aug 4, 2016 at 12:16 AM, Andreas Steffen
> <andreas.steffen at strongswan.org
> <mailto:andreas.steffen at strongswan.org>> wrote:
>
> Hi Rajeev,
>
> different to the stroke protocol and ipsec.conf where the filename
> of the certificate gets transferred via the stroke socket and the
> charon daemon loads the certificate, vici transfers the certificate
> itself either as a binary DER or a base64-endocded PEM blob. Thus
> your management application has to load the certificate and transfer
> it over the vici socket using davici.
>
> Regards
>
> Andreas
>
> On 04.08.2016 05:03, rajeev nohria wrote:
> > Thanks Andreas,
> >
> > It worked, I know started to implement in Davici. I had PSK working in
> > Davici. With certificates, I am having following issue during
> > parse_certs().
> >
> > 09[LIB] file coded in unknown format, discarded
> > 09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
> >
> >
> >
> > Corresponding code is for Davici is
> > davici_list_start(r,"certs");
> >
> > davici_list_itemf(r,"%s","/usr/local/etc/swanctl/x509/hostCert.pem");
> > davici_list_end(r);
> >
> >
> > I have tried file name with and without path.
> >
> > certs = hostCert.pem worked in swanctl.conf as attached in previous email.
> >
> >
> > Do you know what could be issue here? Looks like software is not able to
> > recognize the pem format but again it worked when using swanctl.conf file.
> >
> > Thanks,
> > Rajeev
> >
> >
> > On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen
> > <andreas.steffen at strongswan.org
> <mailto:andreas.steffen at strongswan.org>
> <mailto:andreas.steffen at strongswan.org
> <mailto:andreas.steffen at strongswan.org>>>
> > wrote:
> >
> > Hi,
> >
> > according to your log, the initiator and responder create
> their
> > own Root CA certificate and store it locally in
> > /usr/local/etc/swanctl/x509ca. Therefore it is not surprising
> > that no trust into the received host certificate can be
> established
> > because it has been signed with the private key of a different
> > root CA (although the Distinguished Name of the issuer is
> the same).
> >
> > Fix: Generate only one private key and matching self-signed
> > Root CA certificate. Use the private Root CA key to sign both
> > initiator and responder host certificates and deploy the
> Root CA
> > certificate on both hosts.
> >
> > Best regards
> >
> > Andreas
> >
> > On 01.08.2016 21:24, rajeev nohria wrote:
> > >
> > > I was able to establish IKE connection using PSK but
> when using pubkey I
> > > am not able to able to establish the IKE connection.
> > >
> > > When I issue sudo swanctl --initiate --child net
> > >
> > >
> > > At receptor, it returns the Auth_failed. Please see the
> swanctl.conf,
> > > strongswan.conf and charon.log.
> > >
> > > Aug 1 12:09:21 12[CFG] <rw|1> no issuer certificate
> found for "C=US,
> > > ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
> > > Aug 1 12:09:21 12[IKE] <rw|1> no trusted RSA public key
> found for
> > > '10.13.199.185'
> > > Aug 1 12:09:21 12[IKE] <rw|1> peer supports MOBIKE
> > > Aug 1 12:09:21 12[ENC] <rw|1> added payload of type
> NOTIFY to message
> > > Aug 1 12:09:21 12[ENC] <rw|1> order payloads in message
> > > Aug 1 12:09:21 12[ENC] <rw|1> added payload of type
> NOTIFY to message
> > > Aug 1 12:09:21 12[ENC] <rw|1> generating IKE_AUTH
> response 1 [
> > > N(AUTH_FAILED) ]
> > >
> > > I used following commands to create certificates.
> > >
> > > *Initiator:*
> > > -----------
> > >
> > > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > > /usr/local/etc/swanctl/rsa/strongswanKey.pem
> > >
> > >
> > > sudo chmod 600 /usr/local/etc/swanctl/rsa/strongswanKey.pem
> > >
> > >
> > > sudo ipsec pki --self --ca --in
> > > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest
> sha256 --dn "C=US,
> > > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> > > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> > >
> > >
> > > sudo ipsec pki --print --in
> /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> > >
> > >
> > > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > > /usr/local/etc/swanctl/rsa/hostKey.pem
> > >
> > >
> > > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
> > >
> > >
> > >
> > > sudo ipsec pki --pub --in
> /usr/local/etc/swanctl/rsa/hostKey.pem --type
> > > rsa | ipsec pki --issue --digest sha256 --cacert
> > > /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
> > > /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US,
> ST=MA,
> > > L=Lowell, O=Arris, CN=10.13.199.185" --san
> 10.13.199.185 pem >
> > > /usr/local/etc/swanctl/x509/hostCert.pem
> > >
> > >
> > > Receptor:
> > > --------------
> > > *
> > > *
> > > *sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > > /usr/local/etc/swanctl/rsa/strongswanKey.pem*
> > > *
> > > *
> > > *sudo chmod 600
> /usr/local/etc/swanctl/rsa/strongswanKey.pem*
> > > *
> > > *
> > > *sudo ipsec pki --self --ca --in
> > > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest
> sha256 --dn "C=US,
> > > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> > > /usr/local/etc/swanctl/x509ca/strongswanCert.pem*
> > > *
> > > *
> > > *sudo ipsec pki --print --in
> > > /usr/local/etc/swanctl/x509ca/strongswanCert.pem*
> > > *
> > > *
> > > *sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > > /usr/local/etc/swanctl/rsa/hostKey.pem*
> > > *
> > > *
> > > *sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem*
> > >
> > > *sudo ipsec pki --pub --in
> /usr/local/etc/swanctl/rsa/hostKey.pem
> > --type
> > > rsa | ipsec pki --issue --digest sha256 --cacert
> > > /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
> > > /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US,
> ST=MA,
> > > L=Lowell, O=Arris, CN=10.13.199.130" --san 10.13.199.130
> --outform pem >
> > > /usr/local/etc/swanctl/x509/hostCert.pem*
>
> ======================================================================
> Andreas Steffen
> andreas.steffen at strongswan.org
> <mailto:andreas.steffen at strongswan.org>
> strongSwan - the Open Source VPN Solution!
> www.strongswan.org <http://www.strongswan.org>
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3859 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160916/6c64d434/attachment.bin>
More information about the Users
mailing list