[strongSwan] Can't connect with chained certificates
Andreas Steffen
andreas.steffen at strongswan.org
Sun Apr 11 16:59:25 CEST 2010
Hi Ygor,
Is right=***.***.***.*** contained as a subjectAltName in the rw.pem
certificate? If not, then you must define rightid=<subject DN of rw.pem>
on the client side.
Regards
Andreas
Ygor Amadeo Sartori Regados wrote:
> Hi.
>
> I have configured strongSwan with X.509 authentication for roadwarriors.
> It uses IKEv1 (for some Windows clients) and IKEv2 (some Linux clients).
>
> I'm trying to change the PKI to one using chained CAs. I created a Sub-CA
> only for VPN roadwarriors' certificates. When I changed the
> certificates, I couldn't connect anymore. When I used my previous single-
> level CA, it worked fine.
>
> Has anyone had such a problem? (Sorry if my English is bad.)
>
> My configuration:
> *Server:*
> config setup
>     nat_traversal=yes
>     plutostderrlog=/var/log/pluto.log
>
> ca principal
>     cacert = ca-principal.pem
>     auto = add
>
> ca vpn
>     cacert = ca-vpn.pem
>     auto = add
>
> conn %default
>     auto=add
>     leftfirewall=yes
>     rekey=no
>     dpdaction=clear
>     dpddelay=60
>     dpdtimeout=180
>
> conn rw
>     left=%defaultroute
>     leftcert=rw.pem
>     leftsubnet=192.168.0.0/24
>     pfs=no
>     right=%any
>     rightsubnetwithin=0.0.0.0/0
>
> *Client:*
> config setup
>     nat_traversal = yes
>     plutostart = yes
>     charonstart = yes
>     plutostderrlog = /var/log/pluto.log
>
> conn %default
>     leftfirewall=yes
>     mobike=yes
>     compress=yes
>     auto=start
>
> conn rw
>     leftcert = dst.pem
>     keyexchange=ikev2
>     left = %defaultroute
>     right = ***.***.***.***
>     rightsubnet = 192.168.0.0/24
>
> Log on server (masked IP addresses and certificate info):
>
> Apr 10 23:18:46 mailproxy charon: 13[NET] received packet: from +++.++.+++.+++[17615] to ***.***.***.***[500]
> Apr 10 23:18:46 mailproxy charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Apr 10 23:18:46 mailproxy charon: 13[IKE] +++.++.+++.+++ is initiating an IKE_SA
> Apr 10 23:18:46 mailproxy charon: 13[IKE] remote host is behind NAT
> Apr 10 23:18:46 mailproxy charon: 13[IKE] sending cert request for "O=***, OU=***, E=****, L=****, ST=**, C=**, CN=AC Raiz"
> Apr 10 23:18:46 mailproxy charon: 13[IKE] sending cert request for "C=**, ST=**, O=***, OU=***, CN=AC para VPNs, E=****"
> Apr 10 23:18:46 mailproxy charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Apr 10 23:18:46 mailproxy charon: 13[NET] sending packet: from ***.***.***.***[500] to +++.++.+++.+++[17615]
> Apr 10 23:18:46 mailproxy charon: 14[NET] received packet: from +++.++.+++.+++[17619] to ***.***.***.***[4500]
> Apr 10 23:18:46 mailproxy charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> Apr 10 23:18:46 mailproxy charon: 14[IKE] received cert request for "C=**, ST=**, O=***, OU=***, CN=AC para VPNs, E=****"
> Apr 10 23:18:46 mailproxy charon: 14[IKE] received cert request for "O=***, OU=***, E=****, L=****, ST=**, C=**, CN=AC Raiz"
> Apr 10 23:18:46 mailproxy charon: 14[IKE] received end entity cert "C=**, ST=**, O=***, OU=****, CN=Ygor A. S. Regados (PC), E=*******"
> Apr 10 23:18:46 mailproxy charon: 14[CFG] looking for peer configs matching ***.***.***.***[***.***.***.***]...+++.++.+++.+++[C=**, ST=**, O=***, OU=***, CN=Ygor A. S. Regados (PC), E=*******]
> Apr 10 23:18:46 mailproxy charon: 14[CFG] no matching peer config found
> Apr 10 23:18:46 mailproxy charon: 14[IKE] peer supports MOBIKE
> Apr 10 23:18:46 mailproxy charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Apr 10 23:18:46 mailproxy charon: 14[NET] sending packet: from ***.***.***.***[4500] to +++.++.+++.+++[17619]
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
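The check Andreas asks for, as an added example that is not part of the list thread or of strongSwan itself: the client config above sets only right=<IP> and no rightid, so the IDr it sends is that IP, which is exactly what the server log shows it trying to match ("looking for peer configs matching ***.***.***.***[***.***.***.***]..."). The responder can only accept that identity for rw.pem if the IP is present as an IP subjectAltName; otherwise the client must name the certificate's subject DN in rightid. The script below inspects a server certificate with openssl(1) and prints the rightid line a client needs, if any. It assumes openssl is on PATH; the address 203.0.113.5, the DN "C=CH, O=Example, CN=vpn.example.org" and the two throwaway self-signed certificates it generates are constructed sample data, not the masked values from the thread.

```shell
#!/bin/sh
# Added example, not code from the strongSwan list thread or project.
# Given a server certificate and the address the client dials (right=),
# report whether the client can leave rightid unset (address present as
# an IP subjectAltName) or must set rightid to the cert's subject DN.
# Assumes openssl(1); the IP 203.0.113.5 and the DN below are constructed
# sample values, not the masked ones from the thread.
set -eu

if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; nothing to check" >&2
    exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway self-signed "server" certificate (constructed data).
# $1 = basename, $2 = extra line for the extension section ("" for none)
make_cert() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
C  = CH
O  = Example
CN = vpn.example.org
[ext]
basicConstraints = CA:FALSE
$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" \
        -out "$WORK/$1.pem" 2>/dev/null
}

# Succeeds if cert $1 carries "IP Address:$2" in its subjectAltName.
cert_has_ip_san() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text | grep -Eq "IP Address:$esc(,| |\$)"
}

# Subject DN of cert $1 in the "C=CH, O=Example, CN=..." form that
# strongSwan accepts for rightid (RDN order as stored in the cert).
cert_subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_comma_plus_space |
        sed 's/^subject= *//'
}

# Print the client-side rightid line that server cert $1 requires when
# the client dials address $2, or a comment saying none is needed.
suggest_rightid() {
    if cert_has_ip_san "$1" "$2"; then
        echo "# $2 is an IP subjectAltName of $1; rightid may stay unset"
    else
        printf 'rightid="%s"\n' "$(cert_subject_dn "$1")"
    fi
}

make_cert with_san "subjectAltName = IP:203.0.113.5"
make_cert no_san ""
suggest_rightid "$WORK/with_san.pem" 203.0.113.5
suggest_rightid "$WORK/no_san.pem" 203.0.113.5
```

Run it against the real rw.pem with `suggest_rightid rw.pem <server IP>` and paste the printed line into the client's `conn rw`; on the server, `ipsec listcerts` shows the subject and altNames of every loaded certificate, so the same question can be answered there without openssl. The DN string must match the certificate's RDN order exactly, which is why the script prints it straight from the certificate rather than retyping it.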