<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<div>
<div>
<div>
<div>
<p class="MsoNormal">Hi ,<br>
<br>
I am trying to establish the ipsec tunnel using 2 level Certificates.<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">But I am not able to do so. I am using strongswan-5.1.1 on both client and server side.<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">I got this error at the strongswan client.<br>
<br>
strongswan client logs upon failure<br>
===========================================================<br>
# /usr/sbin/ipsec up home<br>
initiating IKE_SA home[1] to 10.205.20.60<br>
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
sending packet: from 192.168.51.103[500] to 10.205.20.60[500] (300 bytes)<br>
received packet: from 10.205.20.60[500] to 192.168.51.103[500] (353 bytes)<br>
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MUL T_AUTH) ]<br>
local host is behind NAT, sending keep alives<br>
received cert request for "CN=OpRootCA"<br>
received cert request for "CN=OpRootCA"<br>
sending cert request for "CN=OpRootCA"<br>
sending cert request for "CN=OpSubCA1"<br>
authentication of '<a href="mailto:0005B94234FD@data.ltefemto.abc.com">0005B94234FD@data.<span style="color:#1F497D">device</span>.abc.com</a>' (myself) with RSA sign ature
successful<br>
sending end entity cert "CN=0005B94234FD"<br>
sending issuer cert "CN=OpSubCA1"<br>
establishing CHILD_SA home<br>
generating IKE_AUTH request 1 [ IDi CERT CERT CERTREQ AUTH CPRQ(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]<br>
sending packet: from 192.168.51.103[4500] to 10.205.20.60[4500] (2292 bytes)<br>
received packet: from 10.205.20.60[4500] to 192.168.51.103[4500] (1332 bytes)<br>
parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) SA TSi TSr ]<br>
received end entity cert "CN=secgw"<br>
using certificate "CN=secgw"<br>
no issuer certificate found for "CN=secgw"<br>
no trusted RSA public key found for '<a href="mailto:secgw@data.ltefemto.abc.com">secgw@data.<span style="color:#1F497D">device</span>.abc.com</a>'<br>
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]<br>
sending packet: from 192.168.51.103[4500] to 10.205.20.60[4500] (68 bytes)<br>
establishing connection 'home' failed<br>
<br>
# /usr/sbin/ipsec listcacerts<br>
<br>
List of X.509 CA Certificates:<br>
<br>
subject: "CN=OpSubCA1"<br>
issuer: "CN=OpRootCA"<br>
serial: 51:4a:2f:1a:b5:0b:45:2d<br>
validity: not before Aug 17 13:07:04 2014, ok<br>
not after Aug 17 13:07:04 2015, ok<br>
pubkey: RSA 2048 bits<br>
keyid: 76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db<br>
subjkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
authkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
<br>
subject: "CN=OpRootCA"<br>
issuer: "CN=OpRootCA"<br>
serial: 0b:40:68:5e:f3:92:34:79<br>
validity: not before Aug 16 15:03:15 2014, ok<br>
not after Aug 13 15:03:15 2024, ok<br>
pubkey: RSA 2048 bits<br>
keyid: 76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db<br>
subjkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
authkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
# /usr/sbin/ipsec listcerts<br>
<br>
List of X.509 End Entity Certificates:<br>
<br>
altNames: <a href="mailto:0005B94234FD@data.ltefemto.abc.com">0005B94234FD@data.<span style="color:#1F497D">device</span>.abc.com</a><br>
subject: "CN=0005B94234FD"<br>
issuer: "CN=OpSubCA1"<br>
serial: 7f:10:2f:b3:42:a5:27:cb<br>
validity: not before Sep 03 12:01:52 2014, ok<br>
not after Aug 17 13:07:04 2015, ok<br>
pubkey: RSA 2048 bits, has private key<br>
keyid: 7f:73:b1:64:9b:cd:80:08:a3:68:42:24:9d:18:47:8f:a0:2b:e9:1d<br>
subjkey: a8:b8:dd:3c:9f:9a:0f:b0:f1:4a:55:03:67:d8:ff:a7:7a:cb:34:d3<br>
authkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
<br>
<br>
<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">strongswan server side logs upon failure<br>
=====================================================<br>
root@PowerEdge-860:/etc/data# /usr/sbin/ipsec listcacerts<br>
<br>
List of X.509 CA Certificates:<br>
<br>
subject: "CN=OpSubCA1"<br>
issuer: "CN=OpRootCA"<br>
serial: 51:4a:2f:1a:b5:0b:45:2d<br>
validity: not before Aug 17 18:37:04 2014, ok<br>
not after Aug 17 18:37:04 2015, ok<br>
pubkey: RSA 2048 bits<br>
keyid: 76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db<br>
subjkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
authkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
<br>
subject: "CN=OpRootCA"<br>
issuer: "CN=OpRootCA"<br>
serial: 0b:40:68:5e:f3:92:34:79<br>
validity: not before Aug 16 20:33:15 2014, ok<br>
not after Aug 13 20:33:15 2024, ok<br>
pubkey: RSA 2048 bits<br>
keyid: 76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db<br>
subjkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
authkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
<br>
subject: "CN=OpSubCA2"<br>
issuer: "CN=OpRootCA"<br>
serial: 2d:75:61:0a:c8:ea:a0:bb<br>
validity: not before Aug 17 20:41:25 2014, ok<br>
not after Aug 17 20:41:25 2015, ok<br>
pubkey: RSA 2048 bits<br>
keyid: 76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db<br>
subjkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
authkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">root@PowerEdge-860:/etc/data# /usr/sbin/ipsec listcerts<br>
<br>
List of X.509 End Entity Certificates:<br>
<br>
altNames: <a href="mailto:0005B94234FD@data.ltefemto.abc.com">0005B94234FD@data.<span style="color:#1F497D">device</span>.abc.com</a><br>
subject: "CN=0005B94234FD"<br>
issuer: "CN=OpSubCA1"<br>
serial: 7f:10:2f:b3:42:a5:27:cb<br>
validity: not before Sep 03 17:31:52 2014, ok<br>
not after Aug 17 18:37:04 2015, ok<br>
pubkey: RSA 2048 bits<br>
keyid: 7f:73:b1:64:9b:cd:80:08:a3:68:42:24:9d:18:47:8f:a0:2b:e9:1d<br>
subjkey: a8:b8:dd:3c:9f:9a:0f:b0:f1:4a:55:03:67:d8:ff:a7:7a:cb:34:d3<br>
authkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
<br>
altNames: <a href="mailto:secgw@data.ltefemto.abc.com">secgw@data.<span style="color:#1F497D">device</span>.abc.com</a><br>
subject: "CN=secgw"<br>
issuer: "CN=OpSubCA2"<br>
serial: 67:36:7a:7a:63:77:98:2b<br>
validity: not before Aug 17 20:33:06 2014, ok<br>
not after Aug 17 20:41:25 2015, ok<br>
pubkey: RSA 2048 bits, has private key<br>
keyid: bf:fe:1e:f5:3b:3a:51:54:db:69:a4:82:9a:d3:07:14:59:7c:77:e1<br>
subjkey: 2e:ac:0d:89:65:6f:40:d9:cc:ea:3b:8f:c8:2c:ef:36:0e:36:4e:3a<br>
authkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
<br>
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Can u please let me know from where do I start debugging ?<br>
<br>
Regards,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Murali.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>