[strongSwan] Looking for help with "no trusted RSA public key found for"

Andreas Steffen andreas.steffen at strongswan.org
Thu Apr 29 06:41:15 CEST 2010


Hi Jim,

IPsec is not SSL! If your peer's identity is the IPv4 address
172.16.107.2 then it will not be checked against the CN= field
in the certificate. Instead the certificate must contain the
IP address as a subjectAltName extension.

It also seems that the host itself is using the same certificate.
You should use distinct certs for each VPN host.

Regards

Andreas

Jim Tessier wrote:
> Hello,
>    I am having no luck setting up a mutually authenticated tunnel
> using certificates.  I have tried mucking around with just about every
> ipsec.conf parameter, but no luck.  I also saw the FAQ, but could not
> make sense of the answer. Any help is appreciated!!!  Thanks.
> 
> Here is my output:
> 
> 04[CFG] added configuration 'home'
> 08[CFG] received stroke: initiate 'load'
> 08[CFG] no config named 'load'
> 08[CFG]
> 07[CFG] received stroke: initiate 'home'
> 10[IKE] initiating IKE_SA home[1] to 172.16.107.2
> 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 10[NET] sending packet: from 2.2.2.3[500] to 172.16.107.2[500]
> 12[NET] received packet: from 172.16.107.2[500] to 2.2.2.3[500]
> 12[ENC] parsed IKE_SA_INIT response 0 [ N(COOKIE) ]
> 12[IKE] initiating IKE_SA home[1] to 172.16.107.2
> 12[ENC] generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No
> N(NATD_S_IP) N(NATD_D_IP) ]
> 12[NET] sending packet: from 2.2.2.3[500] to 172.16.107.2[500]
> 16[NET] received packet: from 172.16.107.2[500] to 2.2.2.3[500]
> 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) CERTREQ ]
> 16[IKE] local host is behind NAT, sending keep alives
> 16[IKE] received cert request for "O=AcmePacket, OU=CSE,
> E=akhindari at acmepacket.com, L=Burlington, ST=MA, C=US, CN=selab.com"
> 16[IKE] sending cert request for "O=AcmePacket, OU=CSE,
> E=akhindari at acmepacket.com, L=Burlington, ST=MA, C=US, CN=selab.com"
> 16[IKE] authentication of 'C=US, ST=Massachusetts, O=Acme Packet,
> OU=Systems Engineering, CN=172.16.107.2' (myself) with RSA signature
> successful
> 16[IKE] sending end entity cert "C=US, ST=Massachusetts, O=Acme
> Packet, OU=Systems Engineering, CN=172.16.107.2"
> 16[IKE] establishing CHILD_SA home
> 16[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP
> SA TSi TSr N(EAP_ONLY) ]
> 16[NET] sending packet: from 2.2.2.3[4500] to 172.16.107.2[4500]
> 13[NET] received packet: from 172.16.107.2[4500] to 2.2.2.3[4500]
> 13[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CP SA TSi TSr ]
> 13[IKE] received end entity cert "C=US, ST=MA, L=Burlington,
> O=Engineering, CN=172.16.107.2"
> 13[IKE] no trusted RSA public key found for '172.16.107.2'
> 00[DMN] signal of type SIGINT received. Shutting down
> 00[KNL] received netlink error: Invalid argument (22)
> 
> And here is my ipsec.conf file:
> # ipsec.conf - strongSwan IPsec configuration file
> 
> # basic configuration
> 
> config setup
>         plutostart=no
>         charondebug=all
> 
> ca msg1
>         cacert=CA-SS-acmesec1.pem
>         auto=add
> 
> conn %default
>         ike=aes128-sha1-modp1024!
>         esp=aes128-sha1!
>         ikelifetime=23d
>         keylife=22d
>         rekeymargin=10m
>         keyingtries=1
>         keyexchange=ikev2
>         mobike=no
>         auto=add
>         lefthostaccess=no
>         dpdaction=restart
>         dpddelay=45
>         rekey=yes
>         reauth=no
>         forceencaps=yes
> 
> conn home
>         left=%defaultroute
>         leftsourceip=%modeconfig
>         leftcert=acmesec1Cert.pem
>         leftfirewall=yes
>         rightfirewall=yes
>         right=172.16.107.2
>         rightid=%172.16.107.2
>         rightsubnet=192.168.105.0/24
> 


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
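The reply above turns on one rule: an IKEv2 peer identity is matched against the certificate field of the same type, so an IP-address identity is looked for in a subjectAltName iPAddress entry and never in the CN of the subject. The following Python block is an added example written for this archive page; it is neither strongSwan code nor part of the thread. It models that matching rule on an already-parsed certificate (a dict with a subject DN string and a list of subjectAltName entries, which is an assumption about the input format; with a real PEM file you would first extract those fields with a library such as `cryptography`). The handling of a leading `%` in `rightid=` is a simplification assumed here, not a description of strongSwan's own semantics. The sample certificates are constructed from the subject DN shown in the quoted log; that the received one carried no IP subjectAltName is assumed, following the reply.

```python
"""Model of IKEv2 peer-identity vs. certificate matching (added example, not
strongSwan code). Shows why a CN=172.16.107.2 in the subject does not satisfy
an identity of 172.16.107.2, while a subjectAltName iPAddress does."""
import ipaddress

# Identity types, named after the IKEv2 ID payload types (RFC 5996, sec. 3.5)
ID_IPV4_ADDR = "ID_IPV4_ADDR"
ID_IPV6_ADDR = "ID_IPV6_ADDR"
ID_FQDN = "ID_FQDN"
ID_RFC822_ADDR = "ID_RFC822_ADDR"
ID_DER_ASN1_DN = "ID_DER_ASN1_DN"

# subjectAltName general-name type that each identity type is matched against;
# a DN identity is matched against the subject DN instead
SAN_TYPE_FOR = {
    ID_IPV4_ADDR: "iPAddress",
    ID_IPV6_ADDR: "iPAddress",
    ID_FQDN: "dNSName",
    ID_RFC822_ADDR: "rfc822Name",
}


def parse_dn(dn):
    """Split 'C=US, ST=MA, CN=host' into [('C', 'US'), ('ST', 'MA'), ('CN', 'host')].
    Simplification (assumption): commas inside attribute values are not supported."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("not an RDN: %r" % part)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def classify_identity(ident):
    """Return (id_type, normalised value) for a rightid=/leftid= style string.
    Assumption for this example: a leading '%' is stripped before classifying;
    a leading '@' marks a literal FQDN that is not resolved, as in ipsec.conf."""
    s = ident.strip().lstrip("%")
    if s.startswith("@"):
        return ID_FQDN, s[1:].lower()
    try:
        ip = ipaddress.ip_address(s)
        return (ID_IPV4_ADDR if ip.version == 4 else ID_IPV6_ADDR), str(ip)
    except ValueError:
        pass
    if "=" in s:                      # checked before '@': a DN may contain E=user@host
        return ID_DER_ASN1_DN, parse_dn(s)
    if "@" in s:
        return ID_RFC822_ADDR, s.lower()
    return ID_FQDN, s.lower()


def identity_matches_cert(ident, cert):
    """cert: {'subject': DN string, 'san': [(general_name_type, value), ...]}.
    Returns (matched, reason) so the caller can explain a failed match."""
    id_type, want = classify_identity(ident)
    subject = parse_dn(cert["subject"])
    if id_type == ID_DER_ASN1_DN:
        if subject == want:
            return True, "identity equals the certificate subject DN"
        return False, "identity is a DN but differs from the subject DN"
    san_type = SAN_TYPE_FOR[id_type]
    candidates = [v for t, v in cert.get("san", []) if t == san_type]
    for value in candidates:
        if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
            same = ipaddress.ip_address(value) == ipaddress.ip_address(want)
        else:
            same = value.lower() == want
        if same:
            return True, "identity found in subjectAltName %s" % san_type
    cn = dict(subject).get("CN")
    if cn == want:
        return False, ("subjectAltName %s missing; CN=%s in the subject is not "
                       "consulted for this identity type" % (san_type, cn))
    return False, "no subjectAltName %s entry equals %s" % (san_type, want)


# Constructed sample: subject DN as in the quoted log, no IP subjectAltName (assumed)
PEER_CERT_AS_RECEIVED = {
    "subject": "C=US, ST=MA, L=Burlington, O=Engineering, CN=172.16.107.2",
    "san": [],
}
# Constructed sample: same subject, IP address added as subjectAltName
PEER_CERT_FIXED = {
    "subject": "C=US, ST=MA, L=Burlington, O=Engineering, CN=172.16.107.2",
    "san": [("iPAddress", "172.16.107.2")],
}

if __name__ == "__main__":
    for label, cert in (("as received", PEER_CERT_AS_RECEIVED), ("with SAN", PEER_CERT_FIXED)):
        ok, why = identity_matches_cert("%172.16.107.2", cert)
        print("%-11s rightid=%%172.16.107.2 -> %s (%s)" % (label, ok, why))
```

Run as a script it reports the received certificate as not matching, with the reason that the CN is not consulted, and the certificate carrying the IP subjectAltName as matching. The same function also shows the alternative the reply leaves open: setting `rightid=` to the full subject DN matches the received certificate as-is, since a DN identity is compared against the subject.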