<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<div>
<div>
<div>
<div>
<p class="MsoNormal">Hi,<br>
<br>
I am trying to establish the IPsec tunnel using 2-level certificates.<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">But I am not able to do so. I am using strongswan-5.1.1 on both client and server side.<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">I got this error at the strongswan client.<br>
<br>
strongswan client logs upon failure<br>
===========================================================<br>
# /usr/sbin/ipsec up home<br>
initiating IKE_SA home[1] to 10.205.20.60<br>
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
sending packet: from 192.168.51.103[500] to 10.205.20.60[500] (300 bytes)<br>
received packet: from 10.205.20.60[500] to 192.168.51.103[500] (353 bytes)<br>
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]<br>
local host is behind NAT, sending keep alives<br>
received cert request for "CN=OpRootCA"<br>
received cert request for "CN=OpRootCA"<br>
sending cert request for "CN=OpRootCA"<br>
sending cert request for "CN=OpSubCA1"<br>
authentication of '<a href="mailto:0005B94234FD@data.ltefemto.abc.com">0005B94234FD@data.<span style="color:#1F497D">device</span>.abc.com</a>' (myself) with RSA signature successful<br>
sending end entity cert "CN=0005B94234FD"<br>
sending issuer cert "CN=OpSubCA1"<br>
establishing CHILD_SA home<br>
generating IKE_AUTH request 1 [ IDi CERT CERT CERTREQ AUTH CPRQ(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]<br>
sending packet: from 192.168.51.103[4500] to 10.205.20.60[4500] (2292 bytes)<br>
received packet: from 10.205.20.60[4500] to 192.168.51.103[4500] (1332 bytes)<br>
parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) SA TSi TSr ]<br>
received end entity cert "CN=secgw"<br>
  using certificate "CN=secgw"<br>
no issuer certificate found for "CN=secgw"<br>
no trusted RSA public key found for '<a href="mailto:secgw@data.ltefemto.abc.com">secgw@data.<span style="color:#1F497D">device</span>.abc.com</a>'<br>
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]<br>
sending packet: from 192.168.51.103[4500] to 10.205.20.60[4500] (68 bytes)<br>
establishing connection 'home' failed<br>
<br>
# /usr/sbin/ipsec listcacerts<br>
<br>
List of X.509 CA Certificates:<br>
<br>
  subject:  "CN=OpSubCA1"<br>
  issuer:   "CN=OpRootCA"<br>
  serial:    51:4a:2f:1a:b5:0b:45:2d<br>
  validity:  not before Aug 17 13:07:04 2014, ok<br>
             not after  Aug 17 13:07:04 2015, ok<br>
  pubkey:    RSA 2048 bits<br>
  keyid:     76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db<br>
  subjkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
  authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
<br>
  subject:  "CN=OpRootCA"<br>
  issuer:   "CN=OpRootCA"<br>
  serial:    0b:40:68:5e:f3:92:34:79<br>
  validity:  not before Aug 16 15:03:15 2014, ok<br>
             not after  Aug 13 15:03:15 2024, ok<br>
  pubkey:    RSA 2048 bits<br>
  keyid:     76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db<br>
  subjkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
  authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
# /usr/sbin/ipsec listcerts<br>
<br>
List of X.509 End Entity Certificates:<br>
<br>
  altNames:  <a href="mailto:0005B94234FD@data.ltefemto.abc.com">0005B94234FD@data.<span style="color:#1F497D">device</span>.abc.com</a><br>
  subject:  "CN=0005B94234FD"<br>
  issuer:   "CN=OpSubCA1"<br>
  serial:    7f:10:2f:b3:42:a5:27:cb<br>
  validity:  not before Sep 03 12:01:52 2014, ok<br>
             not after  Aug 17 13:07:04 2015, ok<br>
  pubkey:    RSA 2048 bits, has private key<br>
  keyid:     7f:73:b1:64:9b:cd:80:08:a3:68:42:24:9d:18:47:8f:a0:2b:e9:1d<br>
  subjkey:   a8:b8:dd:3c:9f:9a:0f:b0:f1:4a:55:03:67:d8:ff:a7:7a:cb:34:d3<br>
  authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
<br>
<br>
<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">strongswan server side logs upon failure<br>
=====================================================<br>
root@PowerEdge-860:/etc/data# /usr/sbin/ipsec listcacerts<br>
<br>
List of X.509 CA Certificates:<br>
<br>
  subject:  "CN=OpSubCA1"<br>
  issuer:   "CN=OpRootCA"<br>
  serial:    51:4a:2f:1a:b5:0b:45:2d<br>
  validity:  not before Aug 17 18:37:04 2014, ok<br>
             not after  Aug 17 18:37:04 2015, ok<br>
  pubkey:    RSA 2048 bits<br>
  keyid:     76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db<br>
  subjkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
  authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
<br>
  subject:  "CN=OpRootCA"<br>
  issuer:   "CN=OpRootCA"<br>
  serial:    0b:40:68:5e:f3:92:34:79<br>
  validity:  not before Aug 16 20:33:15 2014, ok<br>
             not after  Aug 13 20:33:15 2024, ok<br>
  pubkey:    RSA 2048 bits<br>
  keyid:     76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db<br>
  subjkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
  authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
<br>
  subject:  "CN=OpSubCA2"<br>
  issuer:   "CN=OpRootCA"<br>
  serial:    2d:75:61:0a:c8:ea:a0:bb<br>
  validity:  not before Aug 17 20:41:25 2014, ok<br>
             not after  Aug 17 20:41:25 2015, ok<br>
  pubkey:    RSA 2048 bits<br>
  keyid:     76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db<br>
  subjkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
  authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">root@PowerEdge-860:/etc/data# /usr/sbin/ipsec listcerts<br>
<br>
List of X.509 End Entity Certificates:<br>
<br>
  altNames:  <a href="mailto:0005B94234FD@data.ltefemto.abc.com">0005B94234FD@data.<span style="color:#1F497D">device</span>.abc.com</a><br>
  subject:  "CN=0005B94234FD"<br>
  issuer:   "CN=OpSubCA1"<br>
  serial:    7f:10:2f:b3:42:a5:27:cb<br>
  validity:  not before Sep 03 17:31:52 2014, ok<br>
             not after  Aug 17 18:37:04 2015, ok<br>
  pubkey:    RSA 2048 bits<br>
  keyid:     7f:73:b1:64:9b:cd:80:08:a3:68:42:24:9d:18:47:8f:a0:2b:e9:1d<br>
  subjkey:   a8:b8:dd:3c:9f:9a:0f:b0:f1:4a:55:03:67:d8:ff:a7:7a:cb:34:d3<br>
  authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
<br>
  altNames:  <a href="mailto:secgw@data.ltefemto.abc.com">secgw@data.<span style="color:#1F497D">device</span>.abc.com</a><br>
  subject:  "CN=secgw"<br>
  issuer:   "CN=OpSubCA2"<br>
  serial:    67:36:7a:7a:63:77:98:2b<br>
  validity:  not before Aug 17 20:33:06 2014, ok<br>
             not after  Aug 17 20:41:25 2015, ok<br>
  pubkey:    RSA 2048 bits, has private key<br>
  keyid:     bf:fe:1e:f5:3b:3a:51:54:db:69:a4:82:9a:d3:07:14:59:7c:77:e1<br>
  subjkey:   2e:ac:0d:89:65:6f:40:d9:cc:ea:3b:8f:c8:2c:ef:36:0e:36:4e:3a<br>
  authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29<br>
<br>
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Can you please let me know where I should start debugging?<br>
<br>
Regards,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Murali.<o:p></o:p></p>
</div>
<div>
<div>
<div>
<div>
</div>
</div>
</div>
</div>
</div>
</div>
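<p class="MsoNormal">Editor's note: the script below is an added example, not part of the original message and not strongSwan code. It models the issuer lookup strongSwan performs during IKE_AUTH using only the subject, issuer and key identifier values printed in the <code>ipsec listcacerts</code> / <code>ipsec listcerts</code> listings above, with the trust stores and CERT payloads as the logs show them. The match rule (issuer name plus authority key id equal to the candidate's subject key id), the depth limit and the function names are assumptions; it does no signature verification, so it only reproduces the "no issuer certificate found" line, not a full validation.</p>

```python
"""Offline model of strongSwan's certificate-chain walk during IKE_AUTH.

Added example; not strongSwan code. The subject/issuer/key-id strings are
transcribed from the 'ipsec list*' output in the message above.  Matching is
by issuer name plus AuthorityKeyIdentifier == subject key id, without any
signature check, so the verdicts only explain the chain-building log lines.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    keyid: str    # strongSwan 'keyid': hash of the certificate's public key
    subjkey: str  # strongSwan 'subjkey': subject key identifier
    authkey: str  # strongSwan 'authkey': AuthorityKeyIdentifier (the issuer's key)


# Values as printed in the listings above (identical on client and server).
CA_KEY = "76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db"
CA_SKI = "d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29"

ROOT = Cert("CN=OpRootCA", "CN=OpRootCA", CA_KEY, CA_SKI, CA_SKI)
SUBCA1 = Cert("CN=OpSubCA1", "CN=OpRootCA", CA_KEY, CA_SKI, CA_SKI)
SUBCA2 = Cert("CN=OpSubCA2", "CN=OpRootCA", CA_KEY, CA_SKI, CA_SKI)
CLIENT_EE = Cert("CN=0005B94234FD", "CN=OpSubCA1",
                 "7f:73:b1:64:9b:cd:80:08:a3:68:42:24:9d:18:47:8f:a0:2b:e9:1d",
                 "a8:b8:dd:3c:9f:9a:0f:b0:f1:4a:55:03:67:d8:ff:a7:7a:cb:34:d3",
                 CA_SKI)
SECGW = Cert("CN=secgw", "CN=OpSubCA2",
             "bf:fe:1e:f5:3b:3a:51:54:db:69:a4:82:9a:d3:07:14:59:7c:77:e1",
             "2e:ac:0d:89:65:6f:40:d9:cc:ea:3b:8f:c8:2c:ef:36:0e:36:4e:3a",
             CA_SKI)

# Trust stores exactly as 'ipsec listcacerts' shows them on each side.
CLIENT_CACERTS = [SUBCA1, ROOT]
SERVER_CACERTS = [SUBCA1, ROOT, SUBCA2]


def find_issuer(cert, pool):
    """Return the first candidate whose subject and subject key id match
    the certificate's issuer name and authority key id, or None."""
    for cand in pool:
        if cand.subject == cert.issuer and cand.subjkey == cert.authkey:
            return cand
    return None


def build_chain(leaf, received, trusted, max_depth=5):
    """Walk from the leaf towards a trust anchor.

    Certificates carried in the peer's CERT payloads ('received') can bridge
    gaps, but only a certificate in 'trusted' ends the walk, mirroring the
    way anything in ipsec.d/cacerts acts as an anchor.  Returns (chain, verdict).
    """
    chain = [leaf]
    cur = leaf
    for _ in range(max_depth):
        issuer = find_issuer(cur, trusted) or find_issuer(cur, received)
        if issuer is None:
            return chain, f'no issuer certificate found for "{cur.subject}"'
        chain.append(issuer)
        if issuer in trusted:
            return chain, "ok"
        cur = issuer
    return chain, "chain exceeds max depth"


def shared_key_ids(certs):
    """Group certificates by keyid.  More than one subject under a single
    keyid means the same public key appears in several certificates."""
    groups = defaultdict(list)
    for c in certs:
        groups[c.keyid].append(c.subject)
    return {k: v for k, v in groups.items() if len(v) > 1}


def client_view():
    # The IKE_AUTH response above carried a single CERT payload: CN=secgw.
    return build_chain(SECGW, received=[SECGW], trusted=CLIENT_CACERTS)


def server_view():
    # The IKE_AUTH request carried the client cert plus its issuer OpSubCA1.
    return build_chain(CLIENT_EE, received=[CLIENT_EE, SUBCA1],
                       trusted=SERVER_CACERTS)


if __name__ == "__main__":
    for side, (chain, verdict) in (("client", client_view()),
                                   ("server", server_view())):
        print(side, "->", " <- ".join(c.subject for c in chain), ":", verdict)
    print("CA subjects sharing one keyid:", shared_key_ids(SERVER_CACERTS))
```

<p class="MsoNormal">Run as-is, the client walk stops at the leaf with the same verdict the log shows, because the client's cacerts hold OpSubCA1 and OpRootCA but not OpSubCA2, which issued the secgw certificate, and the IKE_AUTH response carried no issuer certificate to bridge that gap; the same walk for the client certificate succeeds on the server, which explains why only one direction fails. The script also reports that three distinct CA subjects print the same keyid, i.e. one public key appears in all three CA certificates in the listings; that is worth confirming against the actual files (for instance with <code>openssl x509 -noout -pubkey</code>) before trusting the hierarchy.</p>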
</body>
</html>