<div dir="ltr"><div>When changing the client config as follows the logs is changed as further down: <br></div><div><br></div><div><span style="font-family:monospace">conn %default<br> ikelifetime=8h<br> keyingtries=%forever<br> ike=aes128-sha1-modp2048!<br> esp=aes128-sha1-modp2048!<br> dpdaction=restart<br> compress=no<br> fragmentation=yes<br> leftfirewall=yes<br><br>conn ipsec-ikev2<br> keyexchange=ikev2<br> authby=pubkey<br> type=tunnel<br> left=%any<br> leftid="C=GR, O=HUB, CN=Client"<br><b> leftca=ca-cert.pem<br> leftcert=client-cert.pem</b><br> leftsubnet=<a href="http://192.168.100.0/24">192.168.100.0/24</a><br> right=172.30.0.45<br> rightid="C=GR, O=HUB, CN=172.30.0.45"<br> rightsubnet=<a href="http://10.55.55.0/24">10.55.55.0/24</a><br> auto=start</span></div><div><br></div><div><b>Client logs: </b><br></div><div><span style="font-family:monospace">Apr 3 12:43:01 Client-VM charon: 08[IKE] sending cert request for "C=GR, O=HUB, CN=172.30.0.45"<br>Apr 3 12:43:01 Client-VM charon: 08[IKE] authentication of 'C=GR, O=HUB, CN=Client' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful<br>Apr 3 12:43:01 Client-VM charon: 08[IKE] establishing CHILD_SA ipsec-ikev2<br>Apr 3 12:43:01 Client-VM charon: 08[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]<br>Apr 3 12:43:01 Client-VM charon: 08[NET] sending packet: from 192.168.28.14[4500] to 172.30.0.45[4500] (620 bytes)<br>Apr 3 12:43:01 Client-VM charon: 09[NET] received packet: from 172.30.0.45[4500] to 192.168.28.14[4500] (76 bytes)<br>Apr 3 12:43:01 Client-VM charon: 09[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]<br>Apr 3 12:43:01 Client-VM charon: 09[IKE] received AUTHENTICATION_FAILED notify error</span></div><div><br></div><div>While the server seems to not be able to find a corresponding public key: <br></div><div><span style="font-family:monospace">Apr 3 07:43:01 debian9 charon: 05[IKE] received cert request for "C=GR, O=HUB, CN=172.30.0.45"<br><b>Apr 3 07:43:01 debian9 charon: 05[CFG] looking for peer configs matching 172.30.0.45[C=GR, O=HUB, CN=172.30.0.45]...172.30.0.180[C=GR, O=HUB, CN=Client]</b><br>Apr 3 07:43:01 debian9 charon: 05[CFG] selected peer config 'ipsec-ikev2'<br><b>Apr 3 07:43:01 debian9 charon: 05[IKE] no trusted RSA public key found for 'C=GR, O=HUB, CN=Client'</b><br>Apr 3 07:43:01 debian9 charon: 05[IKE] peer supports MOBIKE<br>Apr 3 07:43:01 debian9 charon: 05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]<br>Apr 3 07:43:01 debian9 charon: 05[NET] sending packet: from 172.30.0.45[4500] to 172.30.0.180[4500] (76 bytes)</span></div><div><br></div><div>I'm not sure what I am missing. <br></div><div><br></div><div>Alex<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Apr 3, 2020 at 3:25 PM Alex K <<a href="mailto:rightkicktech@gmail.com">rightkicktech@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi all, <br></div><div><br></div><div>I've been trying to setup an IPsec VPN between two hosts, running strongswan 5.5.1. I was able to setup the tunnel with pre-shared keys. What I am trying now to accomplish is to have same setup with certs instead. I tried to search the web and trying several parameters though I am failing to find how to address the issue I am facing (client does not conect with the error:
<b>no private key found</b>) and hope I could have some assistance or pointers. <br></div><div><br></div><div>My config is as follows: <br></div><div><b><br></b></div><div><b>Server side config: </b><br></div><div><span style="font-family:monospace">config setup<br><br>conn %default<br> ikelifetime=8h<br> keylife=1h<br> rekeymargin=3m<br> keyingtries=%forever<br> ike=aes128-sha1-modp2048!<br> esp=aes128-sha1-modp2048!<br> fragmentation=yes<br> dpdaction=clear<br> keyexchange=ikev2<br> authby=pubkey<br> type=tunnel<br> compress=no<br><br>conn ipsec-ikev2<br> left=172.30.0.45<br> leftid="C=GR, O=HUB, CN=172.30.0.45"<br> leftcert=server-cert.pem<br> leftsendcert=always<br> leftsubnet=<a href="http://10.55.55.0/24" target="_blank">10.55.55.0/24</a><br> leftfirewall=yes<br> right=%any<br> rightid="C=GR, O=HUB, CN=Client"<br> rightsubnet=<a href="http://192.168.100.0/24" target="_blank">192.168.100.0/24</a><br> rightsendcert=never<br> auto=add</span></div><div><br></div>/etc/ipsec.secrets:<div><span style="font-family:monospace"> : RSA server-key.pem</span></div><div><br></div><div>The server keys/certs where generated as follows: <br></div><div><br></div><div><span style="font-family:monospace">cd /etc/ipsec.d/<br></span></div><div><span style="font-family:monospace">ipsec pki --gen --type rsa --size 4096 --outform pem > private/ca-key.pem<br>chmod 600 private/ca-key.pem<br>ipsec pki --self --in private/ca-key.pem --dn "C=GR, O=HUB, CN=172.30.0.45" --lifetime 3650 --ca \</span></div><div><span style="font-family:monospace">--outform pem > cacerts/ca-cert.pem</span></div><div><span style="font-family:monospace">ipsec pki --gen --type rsa --size 2048 --outform pem > private/server-key.pem<br>ipsec pki --pub --in private/server-key.pem | ipsec pki --issue --cacert cacerts/ca-cert.pem \<br>--cakey private/ca-key.pem --lifetime 365 --dn "C=GR, O=HUB, CN=172.30.0.45" --san="172.30.0.45" \<br>--flag serverAuth --flag ikeIntermediate --outform pem > certs/server-cert.pem<br></span></div><div><br></div><div>The server's IP address is 172.30.0.45, while the client is behind NAT and has IP 192.168.28.14 which is then NATed at 172.30.0.180. <br></div><div><br></div><div><b>Client side config: </b><br></div><div><span style="font-family:monospace">conn %default<br> ikelifetime=8h<br> keyingtries=%forever<br> ike=aes128-sha1-modp2048!<br> esp=aes128-sha1-modp2048!<br> dpdaction=restart<br> compress=no<br> fragmentation=yes<br> leftfirewall=yes<br><br>conn ipsec-ikev2<br> keyexchange=ikev2<br> authby=pubkey<br> type=tunnel<br> left=%any<br> leftid="C=GR, O=HUB, CN=Client"<br> #leftca=ca-cert.pem<br> #leftcert=client-cert.pem<br> leftsubnet=<a href="http://192.168.100.0/24" target="_blank">192.168.100.0/24</a><br> right=172.30.0.45<br> rightid="C=GR, O=HUB, CN=172.30.0.45"<br> rightsubnet=<a href="http://10.55.55.0/24" target="_blank">10.55.55.0/24</a><br> auto=start</span></div><div><br></div><div>cat /etc/ipsec.secrets<br><span style="font-family:monospace"># : P12 client-cert.p12 12345678<br> : RSA client-key.pem</span></div><div><br></div><div>The client keys were generated as follows: <br></div><div><span style="font-family:monospace">
<span style="font-family:monospace">cd /etc/ipsec.d/</span>
</span></div><div><span style="font-family:monospace">mkdir certs/clients/<br>ipsec pki --gen --type rsa --size 2048 --outform pem > /etc/ipsec.d/certs/clients/client-key.pem<br>ipsec pki --pub --in /etc/ipsec.d/certs/clients/client-key.pem | ipsec pki --issue --cacert cacerts/ca-cert.pem --cakey private/ca-key.pem \<br>--lifetime 365 --dn "C=GR, O=HUB, CN=Client" --san="Client" --outform pem > /etc/ipsec.d/certs/clients/client-cert.pem</span></div><div><span style="font-family:monospace">openssl pkcs12 -export -inkey /etc/ipsec.d/certs/clients/client-key.pem -in /etc/ipsec.d/certs/clients/client-cert.pem -name "Client" -certfile cacerts/ca-cert.pem \<br>-caname "172.30.0.45" -out /etc/ipsec.d/certs/clients/client-cert.p12</span><br></div><div><br></div><div>I had packaged the client keys with the passphrase "<span style="font-family:monospace">12345678</span>" for testing. In both cases, either with P12 or RSA at secrets file, I get the following logged at client side: <br></div><div><br></div><div><span style="font-family:monospace">Apr 3 12:01:42 Client-VM charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-3-amd64, x86_64)<br>Apr 3 12:01:42 Client-VM charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'<br>Apr 3 12:01:42 Client-VM charon: 00[CFG] loaded ca certificate "C=GR, O=HUB, CN=172.30.0.45" from '/etc/ipsec.d/cacerts/ca-cert.pem'<br>Apr 3 12:01:42 Client-VM charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'<br>Apr 3 12:01:42 Client-VM charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'<br>Apr 3 12:01:42 Client-VM charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'<br>Apr 3 12:01:42 Client-VM charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'<br>Apr 3 12:01:42 Client-VM charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'<br>Apr 3 12:01:42 Client-VM charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/client-key.pem'<br>Apr 3 12:01:42 Client-VM charon: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown<br>Apr 3 12:01:42 Client-VM charon: 00[LIB] dropped capabilities, running as uid 0, gid 0<br>Apr 3 12:01:42 Client-VM charon: 00[JOB] spawning 16 worker threads<br>Apr 3 12:01:42 Client-VM charon: 06[CFG] received stroke: add connection 'ipsec-ikev2'<br>Apr 3 12:01:42 Client-VM charon: 06[CFG] added configuration 'ipsec-ikev2'<br>Apr 3 12:01:42 Client-VM charon: 08[CFG] received stroke: initiate 'ipsec-ikev2'<br>Apr 3 12:01:42 Client-VM charon: 08[IKE] initiating IKE_SA ipsec-ikev2[1] to 172.30.0.45<br>Apr 3 12:01:42 Client-VM charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]<br>Apr 3 12:01:42 Client-VM charon: 08[NET] sending packet: from 192.168.28.14[500] to 172.30.0.45[500] (464 bytes)<br>Apr 3 12:01:42 Client-VM charon: 10[NET] received packet: from 172.30.0.45[500] to 192.168.28.14[500] (464 bytes)<br>Apr 3 12:01:42 Client-VM charon: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]<br>Apr 3 12:01:42 Client-VM charon: 10[IKE] local host is behind NAT, sending keep alives<br>Apr 3 12:01:42 Client-VM charon: 10[IKE] sending cert request for "C=GR, O=HUB, CN=172.30.0.45"<br><b>Apr 3 12:01:42 Client-VM charon: 10[IKE] no private key found for 'C=GR, O=HUB, CN=Client'</b></span></div><div><br></div><div>While the server logs: <br></div><div><span style="font-family:monospace">Apr 3 07:01:34 debian9 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-12-amd64, x86_64)<br>Apr 3 07:01:34 debian9 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'<br>Apr 3 07:01:34 debian9 charon: 00[CFG] loaded ca certificate "C=GR, O=HUB, CN=172.30.0.45" from '/etc/ipsec.d/cacerts/ca-cert.pem'<br>Apr 3 07:01:34 debian9 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'<br>Apr 3 07:01:34 debian9 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'<br>Apr 3 07:01:34 debian9 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'<br>Apr 3 07:01:34 debian9 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'<br>Apr 3 07:01:34 debian9 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'<br>Apr 3 07:01:34 debian9 charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/server-key.pem'<br>Apr 3 07:01:34 debian9 charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown<br>Apr 3 07:01:34 debian9 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0<br>Apr 3 07:01:34 debian9 charon: 00[JOB] spawning 16 worker threads<br>Apr 3 07:01:34 debian9 charon: 05[CFG] received stroke: add connection 'ipsec-ikev2'<br>Apr 3 07:01:34 debian9 charon: 05[CFG] loaded certificate "C=GR, O=HUB, CN=172.30.0.45" from 'server-cert.pem'<br>Apr 3 07:01:34 debian9 charon: 05[CFG] added configuration 'ipsec-ikev2'</span></div><div><br></div><div><span style="font-family:arial,sans-serif">and on client connection attempt: </span><br></div><div><br></div><div><span style="font-family:monospace">Apr 3 07:01:42 debian9 charon: 07[NET] received packet: from 172.30.0.180[500] to 172.30.0.45[500] (464 bytes)<br>Apr 3 07:01:42 debian9 charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]<br>Apr 3 07:01:42 debian9 charon: 07[IKE] 172.30.0.180 is initiating an IKE_SA<br>Apr 3 07:01:42 debian9 charon: 07[IKE] remote host is behind NAT<br>Apr 3 07:01:42 debian9 charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]<br>Apr 3 07:01:42 debian9 charon: 07[NET] sending packet: from 172.30.0.45[500] to 172.30.0.180[500] (464 bytes)<br>Apr 3 07:02:12 debian9 charon: 08[JOB] deleting half open IKE_SA after timeout</span></div><div><br></div><div>I've configured the firewall (iptables stateful) to allow all outgoing traffic from CLient to server. <br></div><div>Not sure if I could provide anything in addition to help isolating the issue. <br></div><div>Thank you for your patience and appreciate any help. <br></div><div><br></div><div>Alex<br></div></div>
</blockquote></div>