<div dir="ltr">Anderas,<div><br></div><div>Thanks for reply. I am using davici interface instead of swanctl.conf. I do set the id as <span style="color:rgb(80,0,80);font-size:12.8px"> </span><span style="color:rgb(80,0,80);font-size:12.8px">id: fc00:cada:c404:607::1001 but not the certs. Since I am using davici, it does not know the certificate file name and its path, I am reading the certificate file and passing the data. How can I resolve the problem in this situation?</span></div><div><span style="color:rgb(80,0,80);font-size:12.8px"><br></span></div><div><span style="color:rgb(80,0,80);font-size:12.8px">Thanks,</span></div><div><span style="color:rgb(80,0,80);font-size:12.8px">Rajeev</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 5, 2017 at 11:56 AM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
you must not set the IKEv2 ID to<br>
<span class=""><br>
id: fc00:cada:c404:607::1001<br>
<br>
</span>since this ID is not contained as a subjectAltName in the client<br>
certificate.<br>
<br>
Probably you didn't use the "certs" parameter in the local section of<br>
swanctl.conf so that the client certificate just got loaded from<br>
/etc/swanctl/x509. If you don't define the "id" parameter in the local<br>
section then the IPv6 address of the client is assumed as the "id" by<br>
default and because the IP address is not contained as a subjectAltName<br>
in the certificate then neither the certificate nor the corresponding<br>
private key is found.<br>
<br>
So the best approach is to define the following in swanctl.conf:<br>
<br>
local {<br>
auth = pubkey<br>
certs = myCert.pem<br>
}<br>
<br>
This first causes the private key to be found automatically based<br>
on the fingerprint of the public key contained in the certificate and<br>
the ID to be set to the subject distinguished name contained in the<br>
certificate.<br>
<br>
Best regards<br>
<br>
Andreas<br>
<span class=""><br>
On 05.10.2017 17:33, rajeev nohria wrote:<br>
> I have seen this issue before and fixed it. But this time I am not able<br>
> to figure you. Let me know if anyone see issue or any suggestion. Thanks<br>
> in advance.<br>
><br>
> Problem: <br>
> Getting error while initiating the connection.<br>
><br>
</span>> *[IKE] no private key found for 'fc00:cada:c404:607::1001'*<br>
><br>
> *11[IKE] no private key found for 'fc00:cada:c404:607::1001'*<br>
><br>
> *<br>
> *<br>
><br>
> *<br>
> *<br>
><br>
> *<br>
> *<br>
<span class="">><br>
><br>
> We are able to load the certificate and keys. looking at logs following<br>
> are proof.<br>
> <br>
><br>
</span>> messages.0:Jan 1 09:09:23 E6kn-2016 <a href="http://daemon.info" rel="noreferrer" target="_blank">daemon.info</a> <<a href="http://daemon.info" rel="noreferrer" target="_blank">http://daemon.info</a>> :<br>
<span class="">> 08[CFG] loaded RSA private key<br>
><br>
</span>> messages.0:Jan 1 09:09:23 E6kn-2016 <a href="http://daemon.info" rel="noreferrer" target="_blank">daemon.info</a> <<a href="http://daemon.info" rel="noreferrer" target="_blank">http://daemon.info</a>> :<br>
<span class="">> 08[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Root CA01,<br>
> CN=TEST CableLabs Root Certification Authority'<br>
><br>
</span>> messages.0:Jan 1 09:09:23 E6kn-2016 <a href="http://daemon.info" rel="noreferrer" target="_blank">daemon.info</a> <<a href="http://daemon.info" rel="noreferrer" target="_blank">http://daemon.info</a>> :<br>
<span class="">> 08[CFG] loaded certificate 'C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e'<br>
><br>
</span>> messages.0:Jan 1 09:09:23 E6kn-2016 <a href="http://daemon.info" rel="noreferrer" target="_blank">daemon.info</a> <<a href="http://daemon.info" rel="noreferrer" target="_blank">http://daemon.info</a>> :<br>
<div><div class="h5">> 08[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Device CA01,<br>
> CN=TEST CableLabs Device Certification Authority'<br>
><br>
><br>
><br>
> But when I initiate a connection, I get the following.<br>
><br>
><br>
><br>
> root@E6kn-2016:# swanctl --initiate --child gcpfc00:cada:c404::200<br>
><br>
> 07[CFG] vici initiate 'gcpfc00:cada:c404::200'<br>
><br>
> 09[IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002<br>
><br>
> [IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002<br>
><br>
> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)<br>
> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]<br>
><br>
> 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)<br>
> N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]<br>
><br>
> [NET] sending packet: from fc00:cada:c404:607::1001[500] to<br>
> 2017::5002[500] (264 bytes)<br>
><br>
> 09[NET] sending packet: from fc00:cada:c404:607::1001[500] to<br>
> 2017::5002[500] (264 bytes)<br>
><br>
> 11[NET] received packet: from 2017::5002[500] to<br>
> fc00:cada:c404:607::1001[500] (289 bytes)<br>
><br>
> [NET] received packet: from 2017::5002[500] to<br>
> fc00:cada:c404:607::1001[500] (289 bytes)<br>
><br>
> 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)<br>
> N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]<br>
><br>
> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)<br>
> CERTREQ N(HASH_ALG) N(MULT_AUTH) ]<br>
><br>
> [IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device CA01,<br>
> CN=TEST CableLabs Device Certification Authority"<br>
><br>
> 11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device<br>
> CA01, CN=TEST CableLabs Device Certification Authority"<br>
><br>
> [IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01,<br>
> CN=TEST CableLabs Device Certification Authority"<br>
><br>
> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device<br>
> CA01, CN=TEST CableLabs Device Certification Authority"<br>
><br>
> [IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,<br>
> CN=TEST CableLabs Root Certification Authority"<br>
><br>
> 11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01,<br>
> CN=TEST CableLabs Root Certification Authority"<br>
><br>
</div></div>> *[IKE] no private key found for 'fc00:cada:c404:607::1001'*<br>
><br>
> *11[IKE] no private key found for 'fc00:cada:c404:607::1001'*<br>
><br>
> **<br>
><br>
> *initiate failed: establishing CHILD_SA 'gcpfc00:cada:c404::200' failed*<br>
<div class="HOEnZb"><div class="h5">><br>
><br>
><br>
><br>
><br>
> root@E6kn-2016:# swanctl --list-conns<br>
><br>
> rpdfc00:cada:c404::200: IKEv2, no reauthentication, rekeying every 14400s<br>
><br>
> local: fc00:cada:c404:607::1001<br>
><br>
> remote: 2017::5002<br>
><br>
> local public key authentication:<br>
><br>
> id: fc00:cada:c404:607::1001<br>
><br>
> remote public key authentication:<br>
><br>
> gcpfc00:cada:c404::200: TRANSPORT, rekeying every 3600s<br>
><br>
> local: fc00:cada:c404:607::1001/128[<wbr>tcp]<br>
><br>
> remote: 2017::5002/128[tcp]<br>
><br>
> l2tpfc00:cada:c404::200: TRANSPORT, rekeying every 3600s<br>
><br>
> local: fc00:cada:c404:607::1001/128[<wbr>l2tp]<br>
><br>
> remote: 2017::5002/128[l2tp]<br>
><br>
><br>
><br>
><br>
> root@E6kn-2016:# swanctl --list-certs<br>
><br>
><br>
> List of X.509 End Entity Certificates<br>
><br>
><br>
> subject: "C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e"<br>
><br>
> issuer: "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs<br>
> Device Certification Authority"<br>
><br>
> validity: not before Sep 28 18:18:53 2017, ok<br>
><br>
> not after Sep 28 18:18:53 2037, ok (expires in 7300 days)<br>
><br>
> serial: dd:dc:09:21:36:f2:e8:71<br>
><br>
> authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:<wbr>78:b5:4a:28:7a:7f:57:9b:f9:9b<br>
><br>
> subjkeyId: 9d:c7:c5:20:f7:bf:0c:fb:39:d2:<wbr>5d:a2:8f:73:37:f1:f3:e0:a4:f9<br>
><br>
> pubkey: RSA 2048 bits, has private key<br>
><br>
> keyid: 8d:40:7d:fb:38:7b:4b:e2:fe:00:<wbr>ba:72:6c:82:63:2b:6b:75:30:6e<br>
><br>
> subjkey: 9d:c7:c5:20:f7:bf:0c:fb:39:d2:<wbr>5d:a2:8f:73:37:f1:f3:e0:a4:f9<br>
><br>
><br>
> List of X.509 CA Certificates<br>
><br>
><br>
> subject: "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs<br>
> Device Certification Authority"<br>
><br>
> issuer: "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs<br>
> Root Certification Authority"<br>
><br>
> validity: not before Dec 09 23:08:49 2014, ok<br>
><br>
> not after Dec 09 23:08:49 2049, ok (expires in 11755 days)<br>
><br>
> serial: a0:16:bc:73:85:0e:65:37<br>
><br>
> altNames: CN=SYMC-3072-5<br>
><br>
> flags: CA CRLSign <br>
><br>
> pathlen: 0<br>
><br>
> authkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:<wbr>59:dd:b6:dc:65:0b:33:54:ff:fb<br>
><br>
> subjkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:<wbr>78:b5:4a:28:7a:7f:57:9b:f9:9b<br>
><br>
> pubkey: RSA 3072 bits<br>
><br>
> keyid: b7:98:32:e4:ae:30:02:57:f7:ad:<wbr>cb:2b:37:41:17:9c:1b:9d:79:28<br>
><br>
> subjkey: f6:dc:40:8a:89:b6:7b:7a:08:f6:<wbr>78:b5:4a:28:7a:7f:57:9b:f9:9b<br>
><br>
><br>
> subject: "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs<br>
> Root Certification Authority"<br>
><br>
> issuer: "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs<br>
> Root Certification Authority"<br>
><br>
> validity: not before Nov 11 17:19:44 2014, ok<br>
><br>
> not after Nov 11 17:19:44 2064, ok (expires in 17206 days)<br>
><br>
> serial: b1:b0:d3:be:83:ee:bf:e3<br>
><br>
> altNames: CN=MPKI-4096-1-206<br>
><br>
> flags: CA CRLSign self-signed <br>
><br>
> subjkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:<wbr>59:dd:b6:dc:65:0b:33:54:ff:fb<br>
><br>
> pubkey: RSA 4096 bits<br>
><br>
> keyid: bd:0e:4c:0f:21:cf:f0:49:af:19:<wbr>34:3b:c2:64:c5:31:a1:2e:11:07<br>
><br>
> subjkey: 89:62:79:3d:b4:07:c9:f3:c6:97:<wbr>59:dd:b6:dc:65:0b:33:54:ff:fb<br>
><br>
><br>
><br>
> pki --print --type rsa-priv --in privKey.pem<br>
><br>
> privkey: RSA 2048 bits<br>
><br>
> keyid: 8d:40:7d:fb:38:7b:4b:e2:fe:00:<wbr>ba:72:6c:82:63:2b:6b:75:30:6e<br>
><br>
> subjkey: 9d:c7:c5:20:f7:bf:0c:fb:39:d2:<wbr>5d:a2:8f:73:37:f1:f3:e0:a4:f9<br>
><br>
><br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">--<br>
==============================<wbr>==============================<wbr>==========<br>
Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>
strongSwan - the Open Source VPN Solution! <a href="http://www.strongswan.org" rel="noreferrer" target="_blank">www.strongswan.org</a><br>
Institute for Networked Solutions<br>
HSR University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
==============================<wbr>=============================[<wbr>INS-HSR]==<br>
</font></span></blockquote></div><br></div>