[strongSwan] certificate troubles

richard Knight rjknight at us.ibm.com
Fri Jun 18 08:15:42 CEST 2010


Hello,

I am running the TAHI test suite for IKEv2 against my embedded Linux system
running strongSwan 4.1.10.  I am having some trouble with the tests for the
certificate exchange.  The authentication seems to fail every time, but I am not
sure why.

Any assistance would be welcome. Thank you.


The test is looking for the following result, but I fail on the IKE auth.

The NUT is my embedded Linux system; the other is a BSD box which generates
packets to get a response from my setup.

   NUT                  TN1
(End-node)           (End-Node)
    |                    |
    |<-------------------| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
    |                    | (Packet #1)
    |------------------->| IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
    |                    | (Judgement #1)
    |                    |
    |<-------------------| IKE_AUTH request (HDR, SK {IDi, CERTREQ, AUTH, N, SAi2, TSi, TSr})
    |                    | (Packet #2)
    |------------------->| IKE_AUTH response (HDR, SK {IDr, CERT, AUTH, N, SAr2, TSi, TSr})
    |                    | (Judgement #2)
    |                    |
    V                    V




$ cat /etc/ipsec.conf    
config setup
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no
        charondebug="ike 3, knl 2, cfg 3 "
ca NUT
      cacert=cacert.pem
      auto=add
conn %default
        ikelifetime=300
        keylife=30
        rekeymargin=0
        keyingtries=1
        mobike=no
        keyexchange=ikev2
conn host-host
        left=2001:0db8:0001:0001::1234
        right=2001:0db8:000f:0001::1
        leftid=2001:0db8:0001:0001::1234
        leftcert=NUTcert.pem
        type=transport
        auto=start
        rightsubnet=2001:0db8:000f:0002::5/64





$ ipsec listall

List of X.509 End Entity Certificates:

Oct 20 03:45:02 2010
    subject:   'C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
CN=j63a, E=rjknight'
    issuer:    'C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
CN=j63a, E=rjknight'
    serial:     01
    validity:   not before Jun 11 18:16:04 2010, ok
                not after  Jun 11 18:16:04 2011, ok 
    keyid:      ee:c7:e3:f8:3e:e0:a2:b7:c2:6b:c9:ef:3c:e4:ef:05:aa:14:9d:c3
    subjkey:    c4:9d:f0:b5:5d:ac:b3:0e:9f:87:5e:0b:b3:42:b4:f6:ad:10:7e:47
    authkey:    05:97:3c:b1:a4:8c:18:15:67:17:9b:75:4d:d5:17:69:f2:ec:98:5f
    pubkey:     RSA 1024 bits, status unknown, has private key

List of X.509 CA Certificates:

Oct 20 03:45:01 2010
    subject:   'C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
CN=j63a, E=rjknight'
    issuer:    'C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
CN=j63a, E=rjknight'
    serial:     00:cf:21:c3:e1:39:9a:4f:7f
    validity:   not before Jun 11 18:15:17 2010, ok
                not after  Jun 11 18:15:17 2011, ok 
    keyid:      fb:17:fb:5a:64:55:1c:e1:05:cd:59:a0:c2:66:e6:26:1b:54:c8:f3
    subjkey:    05:97:3c:b1:a4:8c:18:15:67:17:9b:75:4d:d5:17:69:f2:ec:98:5f
    authkey:    05:97:3c:b1:a4:8c:18:15:67:17:9b:75:4d:d5:17:69:f2:ec:98:5f
    aserial:    00:cf:21:c3:e1:39:9a:4f:7f
    pubkey:     RSA 1024 bits, status good until Jun 11 18:15:17 2011

List of X.509 CA Information Records:

Oct 20 03:45:01 2010, "NUT"
    authname:  'C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
CN=j63a, E=rjknight'
    authkey:    05:97:3c:b1:a4:8c:18:15:67:17:9b:75:4d:d5:17:69:f2:ec:98:5f
    keyid:      fb:17:fb:5a:64:55:1c:e1:05:cd:59:a0:c2:66:e6:26:1b:54:c8:f3
$ cat /etc/ipsec.conf    





Trace from the failure

00027313.808239|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 12[IKE]
  16: A5 52 08 C7                                      .R.. 
00027313.809923|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 12[IKE]
requesting certificate issued by 'C=AU, ST=texas, L=Austin, O=Internet Widgits
Pty Ltd, OU=PFD, CN=j63a, E=rjknight' 
00027313.810852|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 12[IKE]
  with keyid fb:17:fb:5a:64:55:1c:e1:05:cd:59:a0:c2:66:e6:26:1b:54:c8:f3 
00027313.811637|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 12[ENC]
generating IKE_SA_INIT response 0 [ SA KE No CERTREQ ] 
00027313.812994|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 12[NET]
sending packet: from 2001:db8:1:1::1234[500] to 2001:db8:f:1::1[500] 
00027313.986972|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 13[NET]
received packet: from 2001:db8:f:1::1[500] to 2001:db8:1:1::1234[500] 
00027313.989067|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 13[ENC]
parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH N(USE_TRANSP) SA TSi TSr ] 
00027313.989825|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 13[IKE]
no shared key found for '%any' - '2001:db8:f:1::1' 
00027313.990493|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 13[AUD]
authentication of '2001:db8:f:1::1' with pre-shared key failed 
00027313.991106|  666|SYSLOG          | 225|<86>Oct 20 03:45:10 charon: 13[AUD]
authentication of '2001:db8:f:1::1' with pre-shared key failed 
00027313.991623|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 13[CFG]
looking for a config for %any...2001:db8:f:1::1 
00027313.992488|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 13[CFG]
  candidate 'host-host': C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd,
OU=PFD, CN=j63a, E=rjknight...2001:db8:f:1::1, prio 112 
00027313.993380|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 13[CFG]
found matching config "host-host": C=AU, ST=texas, L=Austin, O=Internet Widgits
Pty Ltd, OU=PFD, CN=j63a, E=rjknight...2001:db8:f:1::1, prio 112 
00027313.994233|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 13[CFG]
selecting traffic selectors for us: 
00027313.995013|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 13[CFG]
 config: 2001:db8:1:1::1234/128, received: 2001:db8:1:1::1234/128 => match:
2001:db8:1:1::1234/128 
00027313.995700|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 13[CFG]
selecting traffic selectors for other: 
00027313.996629|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 13[CFG]
 config: 2001:db8:f:2::/64, received: 2001:db8:f:1::1/128 => no match 
00027313.997594|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 13[IKE]
authentication of 'C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
CN=j63a, E=rjknight' (myself) with RSA signature 
00027313.998385|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 13[IKE]
looking for RSA public key belonging to 'C=AU, ST=texas, L=Austin, O=Internet
Widgits Pty Ltd, OU=PFD, CN=j63a, E=rjknight'... 
00027313.999135|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 13[IKE]
  matching RSA public key found 
00027313.999932|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 13[IKE]
looking for RSA private key with keyid
ee:c7:e3:f8:3e:e0:a2:b7:c2:6b:c9:ef:3c:e4:ef:05:aa:14:9d:c3... 
00027314.000592|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 13[IKE]
  matching RSA private key found 
00027314.014506|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 13[IKE]
successfully signed with RSA private key 
00027314.015234|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 13[ENC]
generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] 
00027314.016668|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 13[NET]
sending packet: from 2001:db8:1:1::1234[500] to 2001:db8:f:1::1[500] 
00027317.873320|  666|SYSLOG          | 225|<30>Oct 20 03:45:14 charon: 14[IKE]
retransmit 2 of request with message ID 0 
00027317.873416|  666|SYSLOG          | 225|<30>Oct 20 03:45:14 charon: 14[NET]
sending packet: from 2001:db8:1:1::1234[500] to 2001:db8:f:1::1[500] 
00027330.837400|  666|SYSLOG          | 225|<30>Oct 20 03:45:27 charon: 15[IKE]
retransmit 3 of request with message ID 0 
00027330.837493|  666|SYSLOG          | 225|<30>Oct 20 03:45:27 charon: 15[NET]
sending packet: from 2001:db8:1:1::1234[500] to 2001:db8:f:1::1[500] 
00027337.294039|  666|SYSLOG          | 225|<38>Oct 20 03:45:33 login[15841]:
root login  on `pts/0' from `free181251.austin.ibm.com' 
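
An added example, not part of the original post: a small Python triage script that rejoins the mail-wrapped charon trace above and pulls out the lines that report a failure. The check labels and regular expressions are assumptions written against the message texts visible in this trace, and the sample input is an excerpt of it.

```python
import re

# Excerpt of the trace above, kept in its mail-wrapped form (constructed sample input).
SAMPLE = """\
00027313.989825|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 13[IKE]
no shared key found for '%any' - '2001:db8:f:1::1'
00027313.990493|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 13[AUD]
authentication of '2001:db8:f:1::1' with pre-shared key failed
00027313.991106|  666|SYSLOG          | 225|<86>Oct 20 03:45:10 charon: 13[AUD]
authentication of '2001:db8:f:1::1' with pre-shared key failed
00027313.996629|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 13[CFG]
 config: 2001:db8:f:2::/64, received: 2001:db8:f:1::1/128 => no match
00027314.015234|  666|SYSLOG          | 225|<30>Oct 20 03:45:10 charon: 13[ENC]
generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

RECORD_START = re.compile(r"^\d+\.\d+\|")            # tracer timestamp opens a record
CHARON = re.compile(r"charon: (\d+)\[(\w+)\]\s*(.*)$")  # thread, subsystem, message
CHECKS = [  # hypothetical labels; error_notify only covers *FAILED* notify names
    ("auth_failed", re.compile(r"authentication of '(.+)' with (.+) failed")),
    ("no_secret", re.compile(r"no shared key found for (.+)")),
    ("ts_mismatch", re.compile(r"config: (\S+), received: (\S+) => no match")),
    ("error_notify", re.compile(r"generating (\S+) \w+ \d+ \[.*N\((\w*FAILED\w*)\)")),
]

def parse_trace(text):
    """Rejoin mail-wrapped lines; return (thread, subsystem, message) tuples."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()   # continuation of a wrapped record
    found = (CHARON.search(r) for r in records)
    return [(int(m.group(1)), m.group(2), m.group(3).strip()) for m in found if m]

def triage(parsed):
    """Return de-duplicated (label, captured fields) findings in log order."""
    findings = []
    for _thread, _subsys, msg in parsed:
        for label, pattern in CHECKS:
            m = pattern.search(msg)
            if m and (label, m.groups()) not in findings:
                findings.append((label, m.groups()))
    return findings

if __name__ == "__main__":
    for label, fields in triage(parse_trace(SAMPLE)):
        print(label, *fields, sep=" | ")
```

The [AUD] line appears twice in the trace because it is logged at two syslog priorities (`<30>` and `<86>`); `triage` reports it once.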







