[strongSwan] certificate troubles
richard Knight
rjknight at us.ibm.com
Fri Jun 18 08:15:42 CEST 2010
Hello,
I am running the TAHI test suite for IKEv2 against my embedded Linux system
running strongSwan 4.1.10. I am having some trouble with the tests for the
certificate exchange. The authentication seems to fail every time, but I am not
sure why.
Any assistance would be welcome. Thank you.
The test is looking for the following result, but I fail on the IKE_AUTH.
The NUT is my embedded Linux system; the other is a BSD box which generates
packets to get a response from my setup.
       NUT                  TN1
    (End-node)           (End-Node)
        |                    |
        |<-------------------| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
        |                    | (Packet #1)
        |------------------->| IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
        |                    | (Judgement #1)
        |                    |
        |<-------------------| IKE_AUTH request (HDR, SK {IDi, CERTREQ, AUTH, N, SAi2, TSi, TSr})
        |                    | (Packet #2)
        |------------------->| IKE_AUTH response (HDR, SK {IDr, CERT, AUTH, N, SAr2, TSi, TSr})
        |                    | (Judgement #2)
        |                    |
        V                    V
$ cat /etc/ipsec.conf
config setup
    crlcheckinterval=180
    strictcrlpolicy=no
    plutostart=no
    charondebug="ike 3, knl 2, cfg 3 "

ca NUT
    cacert=cacert.pem
    auto=add

conn %default
    ikelifetime=300
    keylife=30
    rekeymargin=0
    keyingtries=1
    mobike=no
    keyexchange=ikev2

conn host-host
    left=2001:0db8:0001:0001::1234
    right=2001:0db8:000f:0001::1
    leftid=2001:0db8:0001:0001::1234
    leftcert=NUTcert.pem
    type=transport
    auto=start
    rightsubnet=2001:0db8:000f:0002::5/64
$ ipsec listall
List of X.509 End Entity Certificates:
Oct 20 03:45:02 2010
subject: 'C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
CN=j63a, E=rjknight'
issuer: 'C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
CN=j63a, E=rjknight'
serial: 01
validity: not before Jun 11 18:16:04 2010, ok
not after Jun 11 18:16:04 2011, ok
keyid: ee:c7:e3:f8:3e:e0:a2:b7:c2:6b:c9:ef:3c:e4:ef:05:aa:14:9d:c3
subjkey: c4:9d:f0:b5:5d:ac:b3:0e:9f:87:5e:0b:b3:42:b4:f6:ad:10:7e:47
authkey: 05:97:3c:b1:a4:8c:18:15:67:17:9b:75:4d:d5:17:69:f2:ec:98:5f
pubkey: RSA 1024 bits, status unknown, has private key
List of X.509 CA Certificates:
Oct 20 03:45:01 2010
subject: 'C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
CN=j63a, E=rjknight'
issuer: 'C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
CN=j63a, E=rjknight'
serial: 00:cf:21:c3:e1:39:9a:4f:7f
validity: not before Jun 11 18:15:17 2010, ok
not after Jun 11 18:15:17 2011, ok
keyid: fb:17:fb:5a:64:55:1c:e1:05:cd:59:a0:c2:66:e6:26:1b:54:c8:f3
subjkey: 05:97:3c:b1:a4:8c:18:15:67:17:9b:75:4d:d5:17:69:f2:ec:98:5f
authkey: 05:97:3c:b1:a4:8c:18:15:67:17:9b:75:4d:d5:17:69:f2:ec:98:5f
aserial: 00:cf:21:c3:e1:39:9a:4f:7f
pubkey: RSA 1024 bits, status good until Jun 11 18:15:17 2011
List of X.509 CA Information Records:
Oct 20 03:45:01 2010, "NUT"
authname: 'C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
CN=j63a, E=rjknight'
authkey: 05:97:3c:b1:a4:8c:18:15:67:17:9b:75:4d:d5:17:69:f2:ec:98:5f
keyid: fb:17:fb:5a:64:55:1c:e1:05:cd:59:a0:c2:66:e6:26:1b:54:c8:f3
$ cat /etc/ipsec.conf
Trace from the failure
00027313.808239| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 12[IKE]
16: A5 52 08 C7 .R..
00027313.809923| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 12[IKE]
requesting certificate issued by 'C=AU, ST=texas, L=Austin, O=Internet Widgits
Pty Ltd, OU=PFD, CN=j63a, E=rjknight'
00027313.810852| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 12[IKE]
with keyid fb:17:fb:5a:64:55:1c:e1:05:cd:59:a0:c2:66:e6:26:1b:54:c8:f3
00027313.811637| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 12[ENC]
generating IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
00027313.812994| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 12[NET]
sending packet: from 2001:db8:1:1::1234[500] to 2001:db8:f:1::1[500]
00027313.986972| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[NET]
received packet: from 2001:db8:f:1::1[500] to 2001:db8:1:1::1234[500]
00027313.989067| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[ENC]
parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH N(USE_TRANSP) SA TSi TSr ]
00027313.989825| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[IKE]
no shared key found for '%any' - '2001:db8:f:1::1'
00027313.990493| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[AUD]
authentication of '2001:db8:f:1::1' with pre-shared key failed
00027313.991106| 666|SYSLOG | 225|<86>Oct 20 03:45:10 charon: 13[AUD]
authentication of '2001:db8:f:1::1' with pre-shared key failed
00027313.991623| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[CFG]
looking for a config for %any...2001:db8:f:1::1
00027313.992488| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[CFG]
candidate 'host-host': C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd,
OU=PFD, CN=j63a, E=rjknight...2001:db8:f:1::1, prio 112
00027313.993380| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[CFG]
found matching config "host-host": C=AU, ST=texas, L=Austin, O=Internet Widgits
Pty Ltd, OU=PFD, CN=j63a, E=rjknight...2001:db8:f:1::1, prio 112
00027313.994233| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[CFG]
selecting traffic selectors for us:
00027313.995013| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[CFG]
config: 2001:db8:1:1::1234/128, received: 2001:db8:1:1::1234/128 => match:
2001:db8:1:1::1234/128
00027313.995700| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[CFG]
selecting traffic selectors for other:
00027313.996629| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[CFG]
config: 2001:db8:f:2::/64, received: 2001:db8:f:1::1/128 => no match
00027313.997594| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[IKE]
authentication of 'C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
CN=j63a, E=rjknight' (myself) with RSA signature
00027313.998385| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[IKE]
looking for RSA public key belonging to 'C=AU, ST=texas, L=Austin, O=Internet
Widgits Pty Ltd, OU=PFD, CN=j63a, E=rjknight'...
00027313.999135| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[IKE]
matching RSA public key found
00027313.999932| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[IKE]
looking for RSA private key with keyid
ee:c7:e3:f8:3e:e0:a2:b7:c2:6b:c9:ef:3c:e4:ef:05:aa:14:9d:c3...
00027314.000592| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[IKE]
matching RSA private key found
00027314.014506| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[IKE]
successfully signed with RSA private key
00027314.015234| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[ENC]
generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
00027314.016668| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[NET]
sending packet: from 2001:db8:1:1::1234[500] to 2001:db8:f:1::1[500]
00027317.873320| 666|SYSLOG | 225|<30>Oct 20 03:45:14 charon: 14[IKE]
retransmit 2 of request with message ID 0
00027317.873416| 666|SYSLOG | 225|<30>Oct 20 03:45:14 charon: 14[NET]
sending packet: from 2001:db8:1:1::1234[500] to 2001:db8:f:1::1[500]
00027330.837400| 666|SYSLOG | 225|<30>Oct 20 03:45:27 charon: 15[IKE]
retransmit 3 of request with message ID 0
00027330.837493| 666|SYSLOG | 225|<30>Oct 20 03:45:27 charon: 15[NET]
sending packet: from 2001:db8:1:1::1234[500] to 2001:db8:f:1::1[500]
00027337.294039| 666|SYSLOG | 225|<38>Oct 20 03:45:33 login[15841]:
root login on `pts/0' from `free181251.austin.ibm.com'
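A small triage helper, added here and not part of the post or of strongSwan, that pulls the authentication-relevant facts out of a charon trace like the one above: which method the peer was evaluated with and failed, whether a PSK lookup came up empty, any traffic-selector mismatch, and whether N(AUTH_FAILED) was sent. The sample lines are constructed by joining the post's two-line syslog records onto single lines.

```python
import re

# Constructed sample condensed from the post's charon trace: each two-line
# syslog record has been joined onto a single line.
SAMPLE_LOG = """\
<30>Oct 20 03:45:10 charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH N(USE_TRANSP) SA TSi TSr ]
<30>Oct 20 03:45:10 charon: 13[IKE] no shared key found for '%any' - '2001:db8:f:1::1'
<30>Oct 20 03:45:10 charon: 13[AUD] authentication of '2001:db8:f:1::1' with pre-shared key failed
<30>Oct 20 03:45:10 charon: 13[CFG] config: 2001:db8:1:1::1234/128, received: 2001:db8:1:1::1234/128 => match: 2001:db8:1:1::1234/128
<30>Oct 20 03:45:10 charon: 13[CFG] config: 2001:db8:f:2::/64, received: 2001:db8:f:1::1/128 => no match
<30>Oct 20 03:45:10 charon: 13[IKE] authentication of 'C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD, CN=j63a, E=rjknight' (myself) with RSA signature
<30>Oct 20 03:45:10 charon: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

RECORD = re.compile(r"charon: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
AUTH_FAIL = re.compile(r"authentication of '(?P<peer>[^']+)' with (?P<method>.+?) failed")
TS_NO_MATCH = re.compile(r"config: (?P<cfg>\S+), received: (?P<rx>\S+) => no match")
NOTIFY = re.compile(r"generating IKE_AUTH response \d+ \[ (?P<payloads>.*?) \]")

def triage_ike_auth(log_text):
    """Collect the authentication-relevant facts from a charon trace."""
    result = {"peer_auth_failures": [], "missing_psk_for": [],
              "ts_mismatches": [], "auth_failed_sent": False}
    for line in log_text.splitlines():
        rec = RECORD.search(line)
        if not rec:
            continue                      # not a charon record, skip
        msg = rec.group("msg")
        m = AUTH_FAIL.search(msg)
        if m:                             # which method the peer was tried with
            result["peer_auth_failures"].append((m.group("peer"), m.group("method")))
        if msg.startswith("no shared key found for"):
            result["missing_psk_for"].append(msg.split(" - ")[-1].strip("'"))
        m = TS_NO_MATCH.search(msg)
        if m:                             # configured vs. received traffic selector
            result["ts_mismatches"].append((m.group("cfg"), m.group("rx")))
        m = NOTIFY.search(msg)
        if m and "N(AUTH_FAILED)" in m.group("payloads"):
            result["auth_failed_sent"] = True
    return result

def probable_causes(result):
    """A defender's reading of the extracted facts, one finding per line."""
    causes = []
    if result["missing_psk_for"] and result["peer_auth_failures"]:
        causes.append("peer was evaluated for PSK auth but no PSK is configured")
    for cfg, rx in result["ts_mismatches"]:
        causes.append(f"traffic selector mismatch: configured {cfg}, received {rx}")
    return causes
```

Running it over the post's trace reports the PSK lookup against a connection that only carries a certificate, and the rightsubnet 2001:db8:f:2::/64 not covering the received selector 2001:db8:f:1::1/128.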