[strongSwan] Looking for help with "no trusted RSA public key found for"

Jim Tessier jimtess at gmail.com
Thu Apr 29 17:15:46 CEST 2010


Thanks for the tip!  I added the subjectAltName to my openssl.cnf
file, regenerated the certificate and now it is working!

[ v3_req ]
basicConstraints                        = CA:FALSE
subjectKeyIdentifier                    = hash
subjectAltName                          = @alt_names

[alt_names]
IP.1                                    = 172.16.107.2

On Thu, Apr 29, 2010 at 12:41 AM, Andreas Steffen
<andreas.steffen at strongswan.org> wrote:
> Hi Jim,
>
> IPsec is not SSL! If your peer's identity is the IPv4 address
> 172.16.107.2 then it will not be checked against the CN= field
> in the certificate. Instead the certificate must contain the
> IP address as a subjectAltName extension.
>
> It also seems that the host itself is using the same certificate.
> You should use distinct certs for each VPN host.
>
> Regards
>
> Andreas
>
> Jim Tessier wrote:
>> Hello,
>>    I am having no luck setting up a mutually authenticated tunnel
>> using certificates.  I have tried mucking around with just about every
>> ipsec.conf parameter, but no luck.  I also saw the FAQ, but could not
>> make sense of the answer. Any help is appreciated!!!  Thanks.
>>
>> Here is my output:
>>
>> 04[CFG] added configuration 'home'
>> 08[CFG] received stroke: initiate 'load'
>> 08[CFG] no config named 'load'
>> 08[CFG]
>> 07[CFG] received stroke: initiate 'home'
>> 10[IKE] initiating IKE_SA home[1] to 172.16.107.2
>> 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> 10[NET] sending packet: from 2.2.2.3[500] to 172.16.107.2[500]
>> 12[NET] received packet: from 172.16.107.2[500] to 2.2.2.3[500]
>> 12[ENC] parsed IKE_SA_INIT response 0 [ N(COOKIE) ]
>> 12[IKE] initiating IKE_SA home[1] to 172.16.107.2
>> 12[ENC] generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> 12[NET] sending packet: from 2.2.2.3[500] to 172.16.107.2[500]
>> 16[NET] received packet: from 172.16.107.2[500] to 2.2.2.3[500]
>> 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
>> 16[IKE] local host is behind NAT, sending keep alives
>> 16[IKE] received cert request for "O=AcmePacket, OU=CSE, E=akhindari at acmepacket.com, L=Burlington, ST=MA, C=US, CN=selab.com"
>> 16[IKE] sending cert request for "O=AcmePacket, OU=CSE, E=akhindari at acmepacket.com, L=Burlington, ST=MA, C=US, CN=selab.com"
>> 16[IKE] authentication of 'C=US, ST=Massachusetts, O=Acme Packet, OU=Systems Engineering, CN=172.16.107.2' (myself) with RSA signature successful
>> 16[IKE] sending end entity cert "C=US, ST=Massachusetts, O=Acme Packet, OU=Systems Engineering, CN=172.16.107.2"
>> 16[IKE] establishing CHILD_SA home
>> 16[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr N(EAP_ONLY) ]
>> 16[NET] sending packet: from 2.2.2.3[4500] to 172.16.107.2[4500]
>> 13[NET] received packet: from 172.16.107.2[4500] to 2.2.2.3[4500]
>> 13[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CP SA TSi TSr ]
>> 13[IKE] received end entity cert "C=US, ST=MA, L=Burlington, O=Engineering, CN=172.16.107.2"
>> 13[IKE] no trusted RSA public key found for '172.16.107.2'
>> 00[DMN] signal of type SIGINT received. Shutting down
>> 00[KNL] received netlink error: Invalid argument (22)
>>
>> And here is my ipsec.conf file:
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> # basic configuration
>>
>> config setup
>>         plutostart=no
>>         charondebug=all
>>
>> ca msg1
>>         cacert=CA-SS-acmesec1.pem
>>         auto=add
>>
>> conn %default
>>         ike=aes128-sha1-modp1024!
>>         esp=aes128-sha1!
>>         ikelifetime=23d
>>         keylife=22d
>>         rekeymargin=10m
>>         keyingtries=1
>>         keyexchange=ikev2
>>         mobike=no
>>         auto=add
>>         lefthostaccess=no
>>         dpdaction=restart
>>         dpddelay=45
>>         rekey=yes
>>         reauth=no
>>         forceencaps=yes
>>
>> conn home
>>         left=%defaultroute
>>         leftsourceip=%modeconfig
>>         leftcert=acmesec1Cert.pem
>>         leftfirewall=yes
>>         rightfirewall=yes
>>         right=172.16.107.2
>>         rightid=%172.16.107.2
>>         rightsubnet=192.168.105.0/24
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
>
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
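
Added example (not part of the thread above, and not strongSwan's or either poster's code): the certificate setup Andreas describes, scripted with openssl so it can be checked offline. It builds a throwaway CA, issues distinct certificates for the gateway (172.16.107.2) and for the initiator (using 2.2.2.3 from the log purely as an illustration), each with its IP in subjectAltName, plus one CN-only certificate like the one that produced "no trusted RSA public key found", then checks each certificate by its SAN rather than its CN. It assumes openssl(1) is on PATH; the host names moon/carol/broken, the DN values and the helper function names are invented for the example. strongSwan's own pki tool does the same job with `pki --issue ... --san 172.16.107.2`.

```sh
#!/bin/sh
# Added example (not code from the thread): a throwaway CA plus distinct
# host certificates that carry each host's IPv4 address in subjectAltName,
# and one CN-only certificate that reproduces the failing case. Assumes
# openssl(1) on PATH; IPs are the ones quoted in the thread, names invented.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Per-host openssl config; [ v3_req ] and [ alt_names ] mirror the post.
# $3 is the subjectAltName line, or "" to model the CN-only certificate.
host_cnf() {   # $1 = file, $2 = IP, $3 = SAN line or ""
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no
[ req_dn ]
C  = US
O  = Example VPN
CN = $2
[ v3_req ]
basicConstraints     = CA:FALSE
subjectKeyIdentifier = hash
$3
[ alt_names ]
IP.1 = $2
EOF
}

# Self-signed CA; its certificate is what cacert= in the ca section loads.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
C  = US
O  = Example VPN
CN = Example VPN CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
subjectKeyIdentifier = hash
keyUsage             = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" -keyout "$WORK/caKey.pem" \
        -out "$WORK/caCert.pem" 2>/dev/null
}

# Issue one host certificate. "openssl x509 -req" does not copy extensions
# out of the CSR: the SAN must be passed again via -extfile, and forgetting
# that is a common way to end up with a CN-only certificate.
issue_cert() {   # $1 = name, $2 = IP, $3 = yes|no (put the IP in the SAN)
    san=""
    if [ "$3" = yes ]; then san="subjectAltName = @alt_names"; fi
    host_cnf "$WORK/$1.cnf" "$2" "$san"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$1.cnf" \
        -keyout "$WORK/${1}Key.pem" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" \
        -CA "$WORK/caCert.pem" -CAkey "$WORK/caKey.pem" -CAcreateserial \
        -extfile "$WORK/$1.cnf" -extensions v3_req \
        -out "$WORK/${1}Cert.pem" 2>/dev/null
}

# Exit 0 when the certificate's subjectAltName lists the IP. CN=<ip> alone
# is not checked for an IP identity, which is why the post's cert failed.
san_has_ip() {   # $1 = cert file, $2 = IP
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | grep -q "IP Address:$2"
}

# Exit 0 when the certificate validates against the CA. Match on the text
# rather than the exit code: old openssl versions exit 0 even on failure.
chains_to_ca() {   # $1 = cert file
    openssl verify -CAfile "$WORK/caCert.pem" "$1" 2>/dev/null | grep -q ': OK$'
}

report() {   # $1 = name, $2 = IP
    if san_has_ip "$WORK/${1}Cert.pem" "$2"; then echo "$1: SAN carries $2"
    else echo "$1: CN only, no SAN for $2"; fi
}

make_ca
issue_cert moon   172.16.107.2 yes   # gateway; its identity is the IPv4 address
issue_cert carol  2.2.2.3      yes   # initiator gets its own cert, not moon's
issue_cert broken 172.16.107.2 no    # CN=172.16.107.2 but no SAN: the post's case
report moon   172.16.107.2
report carol  2.2.2.3
report broken 172.16.107.2
```

Both the "broken" and the "moon" certificates chain to the CA, so a chain check alone would not have caught the problem in the post; only the SAN check separates them. Once the gateway certificate is loaded, `ipsec listcerts` prints the address under altNames:, which is the quickest way to confirm what the peer will actually be matched against.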
