<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<tt>Hi,</tt><tt><br>
</tt><tt><br>
</tt><tt>I am trying to set up an IPsec site-to-site network based on </tt><tt><b>X.509
certificates</b></tt><tt> and the </tt><tt><b>kernel-libipsec</b></tt><tt>
plugin for userland IPsec ESP encryption.
</tt><tt><br>
</tt><tt><br>
</tt><tt>But I am getting the error 'no trusted RSA public key found'.</tt><tt><br>
</tt><tt><br>
The configuration on both sides looks like:</tt><tt><br>
</tt><tt><br>
</tt><tt>sun:</tt><tt><br>
</tt><tt><br>
</tt><tt> cat ipsec.conf</tt><tt><br>
</tt><tt>config setup</tt><tt><br>
</tt><tt><br>
</tt><tt>conn %default</tt><tt><br>
</tt><tt> ikelifetime=60m</tt><tt><br>
</tt><tt> keylife=20m</tt><tt><br>
</tt><tt> rekeymargin=3m</tt><tt><br>
</tt><tt> keyingtries=1</tt><tt><br>
</tt><tt> keyexchange=ikev2</tt><tt><br>
</tt><tt> mobike=no</tt><tt><br>
</tt><tt><br>
</tt><tt>conn test</tt><tt><br>
</tt><tt> left=12.0.0.189</tt><tt><br>
</tt><tt> leftcert=sunCert.pem</tt><tt><br>
</tt><tt> leftsubnet=11.0.0.0/24</tt><tt><br>
</tt><tt> leftid=sun@test.com</tt><tt><br>
</tt><tt> leftupdown=/etc/updown</tt><tt><br>
</tt><tt> right=12.0.0.167</tt><tt><br>
</tt><tt> rightsubnet=10.0.0.0/24</tt><tt><br>
</tt><tt> rightid=moon@test.com</tt><tt><br>
</tt><tt> auto=add</tt><tt><br>
</tt><tt><br>
</tt><tt>cat ipsec.secrets</tt><tt><br>
</tt><tt> : RSA sunKey.pem</tt><tt><br>
</tt><tt><br>
</tt><tt>cat strongswan.conf</tt><tt><br>
</tt><tt>charon {</tt><tt><br>
</tt><tt> load = aes des rc2 sha1 sha2 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-libipsec
kernel-netlink resolve socket-default stroke updown xauth-generic</tt><tt><br>
</tt><tt> multiple_authentication = no</tt><tt><br>
</tt><tt> debug = 4</tt><tt><br>
</tt><tt> }</tt><tt><br>
</tt><tt><br>
</tt><tt>ipsec listall | more</tt><tt><br>
</tt><tt><br>
</tt><tt>List of X.509 End Entity Certificates:</tt><tt><br>
</tt><tt><br>
</tt><tt> altNames: sun@test.com</tt><tt><br>
</tt><tt> subject: "C=UK, O=Adax Remote unit, CN=sun@test.com"</tt><tt><br>
</tt><tt> issuer: "C=UK, O=Adax unit, CN=Adax Inc"</tt><tt><br>
</tt><tt> serial: 58:67:70:fd:12:9c:61:ad</tt><tt><br>
</tt><tt> validity: not before Jul 07 15:58:59 2014, ok</tt><tt><br>
</tt><tt> not after Jul 06 15:58:59 2017, ok</tt><tt><br>
</tt><tt> pubkey: RSA 1024 bits, has private key</tt><tt><br>
</tt><tt> keyid:
3a:e6:24:0c:69:6a:96:a8:cf:ef:04:56:c7:f9:2d:5c:b9:9a:89:a2</tt><tt><br>
</tt><tt> subjkey:
bf:b9:81:e2:86:d9:11:e5:69:a1:da:40:6b:48:45:9f:d4:89:cf:d2</tt><tt><br>
</tt><tt> authkey:
79:5d:18:1e:c3:e5:65:3d:51:fd:8e:0f:f6:91:62:cb:7a:12:09:25</tt><tt><br>
</tt><tt><br>
</tt><tt>List of X.509 CRLs:</tt><tt><br>
</tt><tt><br>
</tt><tt> issuer: "C=UK, O=Adax unit, CN=Adax Inc"</tt><tt><br>
</tt><tt> serial: 01</tt><tt><br>
</tt><tt> revoked: 0 certificates</tt><tt><br>
</tt><tt> updates: this Jul 07 16:01:35 2014</tt><tt><br>
</tt><tt> next Jul 22 16:01:35 2014, ok</tt><tt><br>
</tt><tt> authkey:
79:5d:18:1e:c3:e5:65:3d:51:fd:8e:0f:f6:91:62:cb:7a:12:09:25</tt><tt><br>
</tt><tt><br>
</tt><tt><br>
</tt><tt>moon:</tt><tt><br>
</tt><tt><br>
</tt><tt>cat ipsec.conf</tt><tt><br>
</tt><tt>config setup</tt><tt><br>
</tt><tt><br>
</tt><tt>conn %default</tt><tt><br>
</tt><tt> ikelifetime=60m</tt><tt><br>
</tt><tt> keylife=20m</tt><tt><br>
</tt><tt> rekeymargin=3m</tt><tt><br>
</tt><tt> keyingtries=1</tt><tt><br>
</tt><tt> keyexchange=ikev2</tt><tt><br>
</tt><tt> mobike=no</tt><tt><br>
</tt><tt><br>
</tt><tt>conn test</tt><tt><br>
</tt><tt> left=12.0.0.167</tt><tt><br>
</tt><tt> leftcert=moonCert.pem</tt><tt><br>
</tt><tt> leftsubnet=10.0.0.0/24</tt><tt><br>
</tt><tt> leftid=moon@test.com</tt><tt><br>
</tt><tt> leftupdown=/etc/updown</tt><tt><br>
</tt><tt> right=12.0.0.189</tt><tt><br>
</tt><tt> rightsubnet=11.0.0.0/24</tt><tt><br>
</tt><tt> rightid=sun@test.com</tt><tt><br>
</tt><tt> auto=add</tt><tt><br>
</tt><tt><br>
</tt><tt>cat ipsec.secrets</tt><tt><br>
</tt><tt> : RSA moonKey.pem</tt><tt><br>
</tt><tt><br>
</tt><tt>ipsec listall | more</tt><tt><br>
</tt><tt><br>
</tt><tt>List of X.509 End Entity Certificates:</tt><tt><br>
</tt><tt><br>
</tt><tt> altNames: moon@test.com</tt><tt><br>
</tt><tt> subject: "C=UK, O=Adax remote moon unit, CN=moon@test.com"</tt><tt><br>
</tt><tt> issuer: "C=UK, O=Adax unit, CN=Adax Inc"</tt><tt><br>
</tt><tt> serial: 23:65:47:ec:54:e5:05:08</tt><tt><br>
</tt><tt> validity: not before Jul 07 16:00:47 2014, ok</tt><tt><br>
</tt><tt> not after Jul 06 16:00:47 2017, ok</tt><tt><br>
</tt><tt> pubkey: RSA 1024 bits, has private key</tt><tt><br>
</tt><tt> keyid:
e5:bc:2e:35:dd:a9:80:70:a9:05:67:4c:27:19:40:75:fc:5e:28:ce</tt><tt><br>
</tt><tt> subjkey:
f4:d7:b7:e0:d0:4d:3e:ba:c8:06:f3:0d:6a:da:c8:ea:3f:49:86:48</tt><tt><br>
</tt><tt> authkey:
79:5d:18:1e:c3:e5:65:3d:51:fd:8e:0f:f6:91:62:cb:7a:12:09:25</tt><tt><br>
</tt><tt><br>
</tt><tt>List of X.509 CRLs:</tt><tt><br>
</tt><tt><br>
</tt><tt> issuer: "C=UK, O=Adax unit, CN=Adax Inc"</tt><tt><br>
</tt><tt> serial: 01</tt><tt><br>
</tt><tt> revoked: 0 certificates</tt><tt><br>
</tt><tt> updates: this Jul 07 16:01:35 2014</tt><tt><br>
</tt><tt> next Jul 22 16:01:35 2014, ok</tt><tt><br>
</tt><tt> authkey:
79:5d:18:1e:c3:e5:65:3d:51:fd:8e:0f:f6:91:62:cb:7a:12:09:25</tt><tt><br>
</tt><tt><br>
</tt><tt>#############</tt><tt><br>
</tt><tt><br>
</tt><tt>When I run 'ipsec up test' from the sun side, the following
error is logged:</tt><tt><br>
</tt><tt><br>
</tt><tt>sun</tt><tt><br>
</tt><tt><br>
</tt><tt>Jul 7 16:16:33 ZNYX9210 charon: 14[CFG] received stroke:
initiate 'test'</tt><tt><br>
</tt><tt>Jul 7 16:16:33 ZNYX9210 charon: 15[IKE] initiating IKE_SA
test[2] to 12.0.0.167</tt><tt><br>
</tt><tt>Jul 7 16:16:33 ZNYX9210 charon: 15[ENC] generating
IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</tt><tt><br>
</tt><tt>Jul 7 16:16:33 ZNYX9210 charon: 15[NET] sending packet:
from 12.0.0.189[500] to 12.0.0.167[500] (708 bytes)</tt><tt><br>
</tt><tt>Jul 7 16:16:33 ZNYX9210 charon: 06[NET] received packet:
from 12.0.0.167[500] to 12.0.0.189[500] (432 bytes)</tt><tt><br>
</tt><tt>Jul 7 16:16:33 ZNYX9210 charon: 06[ENC] parsed IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</tt><tt><br>
</tt><tt>Jul 7 16:16:33 ZNYX9210 charon: 06[IKE] authentication of
'sun@test.com' (myself) with RSA signature successful</tt><tt><br>
</tt><tt>Jul 7 16:16:33 ZNYX9210 charon: 06[IKE] establishing
CHILD_SA test</tt><tt><br>
</tt><tt>Jul 7 16:16:33 ZNYX9210 charon: 06[ENC] generating
IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr
N(EAP_ONLY) ]</tt><tt><br>
</tt><tt>Jul 7 16:16:33 ZNYX9210 charon: 06[NET] sending packet:
from 12.0.0.189[500] to 12.0.0.167[500] (492 bytes)</tt><tt><br>
</tt><tt>Jul 7 16:16:33 ZNYX9210 charon: 05[NET] received packet:
from 12.0.0.167[500] to 12.0.0.189[500] (76 bytes)</tt><tt><br>
</tt><tt>Jul 7 16:16:33 ZNYX9210 charon: 05[ENC] parsed IKE_AUTH
response 1 [ N(AUTH_FAILED) ]</tt><tt><br>
</tt><tt>Jul 7 16:16:33 ZNYX9210 charon: 05[IKE] received
AUTHENTICATION_FAILED notify error</tt><tt><br>
</tt><tt><br>
</tt><tt>moon</tt><tt><br>
</tt><tt><br>
</tt><tt>Jul 7 16:16:37 RAID_server charon: 07[NET] received
packet: from 12.0.0.189[500] to 12.0.0.167[500] (708 bytes)</tt><tt><br>
</tt><tt>Jul 7 16:16:37 RAID_server charon: 07[ENC] parsed
IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</tt><tt><br>
</tt><tt>Jul 7 16:16:37 RAID_server charon: 07[IKE] 12.0.0.189 is
initiating an IKE_SA</tt><tt><br>
</tt><tt>Jul 7 16:16:37 RAID_server charon: 07[ENC] generating
IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</tt><tt><br>
</tt><tt>Jul 7 16:16:37 RAID_server charon: 07[NET] sending packet:
from 12.0.0.167[500] to 12.0.0.189[500] (432 bytes)</tt><tt><br>
</tt><tt>Jul 7 16:16:37 RAID_server charon: 08[NET] received
packet: from 12.0.0.189[500] to 12.0.0.167[500] (492 bytes)</tt><tt><br>
</tt><tt>Jul 7 16:16:37 RAID_server charon: 08[ENC] parsed IKE_AUTH
request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]</tt><tt><br>
</tt><tt>Jul 7 16:16:37 RAID_server charon: 08[CFG] looking for
peer configs matching
12.0.0.167[moon@test.com]...12.0.0.189[sun@test.com]</tt><tt><br>
</tt><tt>Jul 7 16:16:37 RAID_server charon: 08[CFG] selected peer
config 'test'</tt><tt><br>
</tt><tt>Jul 7 16:16:37 RAID_server charon: 08[IKE] no trusted RSA
public key found for 'sun@test.com'</tt><tt><br>
</tt><tt>Jul 7 16:16:37 RAID_server charon: 08[ENC] generating
IKE_AUTH response 1 [ N(AUTH_FAILED) ]</tt><tt><br>
</tt><tt>Jul 7 16:16:37 RAID_server charon: 08[NET] sending packet:
from 12.0.0.167[500] to 12.0.0.189[500] (76 bytes)</tt><tt><br>
</tt><tt><br>
</tt><tt>Can you please help me understand what could be the reason for this
failure?</tt><tt><br>
</tt><tt><br>
</tt><tt>Thanks,</tt><tt><br>
</tt><tt>Shahreen</tt><br>
<br>
<pre class="moz-signature" cols="72">--
Shahreen Noor Ahmed
Network Support Department
Adax Europe Ltd
url: <a class="moz-txt-link-abbreviated" href="http://www.adax.com">www.adax.com</a>
e-mail: <a class="moz-txt-link-abbreviated" href="mailto:sahmed@adax.co.uk">sahmed@adax.co.uk</a>
Direct line: +44(0)118 952 2804</pre>
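<p>Added example, not part of the original post or of strongSwan's code: charon reports "no trusted RSA public key found" when it cannot tie the peer's identity to a public key it trusts, and the <tt>ipsec listall</tt> output above lists end-entity certificates and CRLs but no CA certificates, which also explains why moon sends no CERTREQ and sun's IKE_AUTH request carries no CERT payload. The Go program below (standard library only) replays that trust decision on a constructed CA and peer certificate: it fails with an empty trust store, passes once the issuing CA is loaded, and fails again when the certificate does not carry the configured identity. The certificate names and e-mail identities are constructed and assume nothing beyond what the configuration above shows.</p>

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues constructed test certs: a self-signed CA if isCA, else a peer cert signed by parent.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		EmailAddresses: []string{cn}} // the e-mail SAN is the IKE identity the peer claims
	tmpl.Subject.CommonName = cn
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) } // constructed input: a failure here is a bug in the example itself
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// trustedPeer mirrors what the responder needs at IKE_AUTH: the peer certificate must
// chain to a CA certificate it has loaded and must carry the configured identity.
func trustedPeer(peer *x509.Certificate, cacerts *x509.CertPool, id string) error {
	if _, err := peer.Verify(x509.VerifyOptions{Roots: cacerts, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("no trusted public key found for '%s': %w", id, err)
	}
	for _, e := range peer.EmailAddresses {
		if e == id {
			return nil
		}
	}
	return fmt.Errorf("certificate does not carry identity '%s'", id)
}
// demo: empty trust store (a cacerts/ directory holding no CA cert), CA loaded, wrong identity.
func demo() (emptyStore, caLoaded, wrongID error) {
	ca, caKey := mkCert("Test CA", true, nil, nil)
	sun, _ := mkCert("sun@test.com", false, ca, caKey)
	none, full := x509.NewCertPool(), x509.NewCertPool()
	full.AddCert(ca)
	return trustedPeer(sun, none, "sun@test.com"), trustedPeer(sun, full, "sun@test.com"), trustedPeer(sun, full, "moon@test.com")
}
func main() { fmt.Println(demo()) }
```

<p>On the real hosts the equivalent check is that <tt>ipsec listcacerts</tt> on each side lists the CA that issued the other side's certificate.</p>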
</body>
</html>