<div dir="ltr">This was caused by a mismatch between strongSwan and OpenSSL regarding FIPS. OpenSSL was operating in FIPS mode, but a non-FIPS signature algorithm was being called, so it silently failed. I rebuilt strongSwan and OpenSSL and changed the FIPS config to agree and everything worked.</div><br><div class="gmail_quote"><div dir="ltr">On Tue, Jun 21, 2016 at 11:58 PM Stephen Wilcox <<a href="mailto:stephen@tyfone.com">stephen@tyfone.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>I'm attempting to use a Raspberry Pi as a StrongSwan peer with certificates for authentication. I have a certificate for the Pi signed by my own ca cert. When I try to bring the connection up, it seems it can't authenticate itself:</div><div>
<p><span><font face="monospace, monospace">authentication of 'C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=<a href="http://client.tyfone.com" target="_blank">client.tyfone.com</a>, E=<a href="mailto:contact@tyfone.com" target="_blank">contact@tyfone.com</a>' (myself) failed</font></span></p></div><div>The private key and ca cert are present in /etc/ipsec.d/private and cacerts respectively. Using the pki tool, I can verify that the cert is current and valid per the ca cert, and I can export the public keys from the private key and the cert and see that they match.</div><div><br></div><div><b>Here is my ipsec.conf on the Pi</b></div><div><br></div><div><div><font face="monospace, monospace">config setup</font></div><div><font face="monospace, monospace"> charondebug="ike 4, knl 4"</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">conn %default</font></div><div><font face="monospace, monospace"> ikelifetime=60m</font></div><div><font face="monospace, monospace"> keylife=20m</font></div><div><font face="monospace, monospace"> rekeymargin=3m</font></div><div><font face="monospace, monospace"> keyingtries=1</font></div><div><font face="monospace, monospace"> keyexchange=ikev1</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">conn work</font></div><div><font face="monospace, monospace"> left=%defaultroute #external IP address</font></div><div><font face="monospace, monospace"> leftsourceip=%config #external IP address</font></div><div><font face="monospace, monospace"> leftid="C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=<a href="http://client.tyfone.com" target="_blank">client.tyfone.com</a>, E=<a href="mailto:contact@tyfone.com" target="_blank">contact@tyfone.com</a>"</font></div><div><font face="monospace, monospace"> leftcert=clientCert.pem</font></div><div><font face="monospace, monospace"> leftfirewall=yes #automatically add firewall rules</font></div><div><font face="monospace, monospace"> auto=add</font></div><div><font face="monospace, monospace"> right=10.0.1.47 #strongSwan server external IP</font></div><div><font face="monospace, monospace"> rightsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> #route all traffic to the strongSwan server</font></div><div><font face="monospace, monospace"> rightid=@<a href="http://vpn.tyfone.com" target="_blank">vpn.tyfone.com</a> #unique id of server</font></div><div><font face="monospace, monospace"> rightcert=serverCert.der</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">include /var/lib/strongswan/ipsec.conf.inc</font></div></div><div><br></div><div><br></div><div><br></div><div><b>Here is what is shown for the client cert when I use <font face="monospace, monospace">ipsec listcerts</font></b></div><div><br></div><font face="monospace, monospace">subject: "C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=<a href="http://client.tyfone.com" target="_blank">client.tyfone.com</a>, E=<a href="mailto:contact@tyfone.com" target="_blank">contact@tyfone.com</a>"<br> issuer: "C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=<a href="http://ca.tyfone.com" target="_blank">ca.tyfone.com</a>, E=<a href="mailto:contact@tyfone.com" target="_blank">contact@tyfone.com</a>"<br> validity: not before Jun 17 12:02:02 2016, ok<br> not after Jun 17 12:02:02 2019, ok (expires in 1090 days)<br> serial: 4e:33:64:13:cb:2d:ea:65<br> altNames: 172.16.176.100<br> authkeyId: 59:fb:0e:30:6b:d0:ee:01:18:74:4c:e2:11:4e:84:a2:f6:8c:29:03<br> subjkeyId: 09:25:7a:55:22:cf:af:17:94:6f:d8:ea:81:9f:bc:fe:cd:69:e7:ec<br> pubkey: RSA 2048 bits, has private key<br> keyid: b3:54:9f:50:47:e4:95:fc:8e:b5:cf:a3:1f:96:e3:eb:9d:11:14:4c<br> subjkey: 09:25:7a:55:22:cf:af:17:94:6f:d8:ea:81:9f:bc:fe:cd:69:e7:ec</font><div><br></div><div><br></div><div><b>Here is the rest of the output from trying to bring up the work connection:</b></div><div><br></div><div>
<p><font face="monospace, monospace">initiating Main Mode IKE_SA work[2] to 10.0.1.47<br>generating ID_PROT request 0 [ SA V V V V ]<br>sending packet: from 10.0.1.5[500] to 10.0.1.47[500] (216 bytes)<br>received packet: from 10.0.1.47[500] to 10.0.1.5[500] (136 bytes)<br>parsed ID_PROT response 0 [ SA V V V ]<br>received XAuth vendor ID<br>received DPD vendor ID<br>received NAT-T (RFC 3947) vendor ID<br>generating ID_PROT request 0 [ KE No NAT-D NAT-D ]<br>sending packet: from 10.0.1.5[500] to 10.0.1.47[500] (524 bytes)<br>received packet: from 10.0.1.47[500] to 10.0.1.5[500] (670 bytes)<br>parsed ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]<br>received cert request for 'C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=<a href="http://ca.tyfone.com" target="_blank">ca.tyfone.com</a>, E=<a href="mailto:contact@tyfone.com" target="_blank">contact@tyfone.com</a>'<br>remote host is behind NAT<br>sending cert request for "C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=<a href="http://ca.tyfone.com" target="_blank">ca.tyfone.com</a>, E=<a href="mailto:contact@tyfone.com" target="_blank">contact@tyfone.com</a>"<br>authentication of 'C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=<a href="http://client.tyfone.com" target="_blank">client.tyfone.com</a>, E=<a href="mailto:contact@tyfone.com" target="_blank">contact@tyfone.com</a>' (myself) failed<br>generating INFORMATIONAL_V1 request 1793715306 [ HASH N(AUTH_FAILED) ]<br>sending packet: from 10.0.1.5[4500] to 10.0.1.47[4500] (108 bytes)<br>establishing connection 'work' failed</font></p><p><br></p></div><div>Any help is appreciated. Thanks in advance!</div><br clear="all"><div><div data-smartmail="gmail_signature"><div dir="ltr"><div>Cheers,</div><div> Stephen<br><font face="arial, sans-serif" size="3"><p style="border-collapse:collapse;margin:0px;color:rgb(102,102,102)"><br></p></font></div></div></div></div>
</div>
</blockquote></div>