[strongSwan] certificate troubles
J.Witvliet at mindef.nl
Fri Jun 18 15:06:57 CEST 2010
First guess, invalid certificate:
validity: not before Jun 11 18:15:17 2010, ok
not after Jun 11 18:15:17 2011, ok
-----Original Message-----
From: users-bounces+j.witvliet=mindef.nl at lists.strongswan.org [mailto:users-bounces+j.witvliet=mindef.nl at lists.strongswan.org] On Behalf Of richard Knight
Sent: Friday, June 18, 2010 8:16 AM
To: users at lists.strongswan.org
Subject: [strongSwan] certificate troubles
Hello,
I am running the tahi test suite for IKEv2 against my embedded linux system running strongswan 4.1.10. I am having some trouble with the tests for the certificate exchange. The authentication seems to fail every time. But I am not sure why.
Any assistance would be welcome. Thank you.
The test is looking for the following result, but I fail on the IKE auth.
The NUT is my embedded linux system, the other is a BSD box which generates packets to get a response from my setup.
         NUT                        TN1
      (End-node)                 (End-Node)
          |                          |
          |<-------------------------| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
          |                          | (Packet #1)
          |------------------------->| IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
          |                          | (Judgement #1)
          |                          |
          |<-------------------------| IKE_AUTH request (HDR, SK {IDi, CERTREQ, AUTH, N, SAi2, TSi, TSr})
          |                          | (Packet #2)
          |------------------------->| IKE_AUTH response (HDR, SK {IDr, CERT, AUTH, N, SAr2, TSi, TSr})
          |                          | (Judgement #2)
          |                          |
          V                          V
$ cat /etc/ipsec.conf
config setup
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no
        charondebug="ike 3, knl 2, cfg 3 "

ca NUT
        cacert=cacert.pem
        auto=add

conn %default
        ikelifetime=300
        keylife=30
        rekeymargin=0
        keyingtries=1
        mobike=no
        keyexchange=ikev2

conn host-host
        left=2001:0db8:0001:0001::1234
        right=2001:0db8:000f:0001::1
        leftid=2001:0db8:0001:0001::1234
        leftcert=NUTcert.pem
        type=transport
        auto=start
        rightsubnet=2001:0db8:000f:0002::5/64
$ ipsec listall

List of X.509 End Entity Certificates:

  Oct 20 03:45:02 2010
       subject:  'C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD, CN=j63a, E=rjknight'
       issuer:   'C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD, CN=j63a, E=rjknight'
       serial:    01
       validity:  not before Jun 11 18:16:04 2010, ok
                  not after  Jun 11 18:16:04 2011, ok
       keyid:     ee:c7:e3:f8:3e:e0:a2:b7:c2:6b:c9:ef:3c:e4:ef:05:aa:14:9d:c3
       subjkey:   c4:9d:f0:b5:5d:ac:b3:0e:9f:87:5e:0b:b3:42:b4:f6:ad:10:7e:47
       authkey:   05:97:3c:b1:a4:8c:18:15:67:17:9b:75:4d:d5:17:69:f2:ec:98:5f
       pubkey:    RSA 1024 bits, status unknown, has private key

List of X.509 CA Certificates:

  Oct 20 03:45:01 2010
       subject:  'C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD, CN=j63a, E=rjknight'
       issuer:   'C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD, CN=j63a, E=rjknight'
       serial:    00:cf:21:c3:e1:39:9a:4f:7f
       validity:  not before Jun 11 18:15:17 2010, ok
                  not after  Jun 11 18:15:17 2011, ok
       keyid:     fb:17:fb:5a:64:55:1c:e1:05:cd:59:a0:c2:66:e6:26:1b:54:c8:f3
       subjkey:   05:97:3c:b1:a4:8c:18:15:67:17:9b:75:4d:d5:17:69:f2:ec:98:5f
       authkey:   05:97:3c:b1:a4:8c:18:15:67:17:9b:75:4d:d5:17:69:f2:ec:98:5f
       aserial:   00:cf:21:c3:e1:39:9a:4f:7f
       pubkey:    RSA 1024 bits, status good until Jun 11 18:15:17 2011

List of X.509 CA Information Records:

  Oct 20 03:45:01 2010, "NUT"
       authname:  'C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD, CN=j63a, E=rjknight'
       authkey:   05:97:3c:b1:a4:8c:18:15:67:17:9b:75:4d:d5:17:69:f2:ec:98:5f
       keyid:     fb:17:fb:5a:64:55:1c:e1:05:cd:59:a0:c2:66:e6:26:1b:54:c8:f3
Trace from the failure
00027313.808239| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 12[IKE] 16: A5 52 08 C7 .R..
00027313.809923| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 12[IKE] requesting certificate issued by 'C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD, CN=j63a, E=rjknight'
00027313.810852| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 12[IKE] with keyid fb:17:fb:5a:64:55:1c:e1:05:cd:59:a0:c2:66:e6:26:1b:54:c8:f3
00027313.811637| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
00027313.812994| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 12[NET] sending packet: from 2001:db8:1:1::1234[500] to 2001:db8:f:1::1[500]
00027313.986972| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[NET] received packet: from 2001:db8:f:1::1[500] to 2001:db8:1:1::1234[500]
00027313.989067| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH N(USE_TRANSP) SA TSi TSr ]
00027313.989825| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[IKE] no shared key found for '%any' - '2001:db8:f:1::1'
00027313.990493| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[AUD] authentication of '2001:db8:f:1::1' with pre-shared key failed
00027313.991106| 666|SYSLOG | 225|<86>Oct 20 03:45:10 charon: 13[AUD] authentication of '2001:db8:f:1::1' with pre-shared key failed
00027313.991623| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[CFG] looking for a config for %any...2001:db8:f:1::1
00027313.992488| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[CFG] candidate 'host-host': C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD, CN=j63a, E=rjknight...2001:db8:f:1::1, prio 112
00027313.993380| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[CFG] found matching config "host-host": C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD, CN=j63a, E=rjknight...2001:db8:f:1::1, prio 112
00027313.994233| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[CFG] selecting traffic selectors for us:
00027313.995013| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[CFG] config: 2001:db8:1:1::1234/128, received: 2001:db8:1:1::1234/128 => match: 2001:db8:1:1::1234/128
00027313.995700| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[CFG] selecting traffic selectors for other:
00027313.996629| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[CFG] config: 2001:db8:f:2::/64, received: 2001:db8:f:1::1/128 => no match
00027313.997594| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[IKE] authentication of 'C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD, CN=j63a, E=rjknight' (myself) with RSA signature
00027313.998385| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[IKE] looking for RSA public key belonging to 'C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD, CN=j63a, E=rjknight'...
00027313.999135| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[IKE] matching RSA public key found
00027313.999932| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[IKE] looking for RSA private key with keyid ee:c7:e3:f8:3e:e0:a2:b7:c2:6b:c9:ef:3c:e4:ef:05:aa:14:9d:c3...
00027314.000592| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[IKE] matching RSA private key found
00027314.014506| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[IKE] successfully signed with RSA private key
00027314.015234| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
00027314.016668| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[NET] sending packet: from 2001:db8:1:1::1234[500] to 2001:db8:f:1::1[500]
00027317.873320| 666|SYSLOG | 225|<30>Oct 20 03:45:14 charon: 14[IKE] retransmit 2 of request with message ID 0
00027317.873416| 666|SYSLOG | 225|<30>Oct 20 03:45:14 charon: 14[NET] sending packet: from 2001:db8:1:1::1234[500] to 2001:db8:f:1::1[500]
00027330.837400| 666|SYSLOG | 225|<30>Oct 20 03:45:27 charon: 15[IKE] retransmit 3 of request with message ID 0
00027330.837493| 666|SYSLOG | 225|<30>Oct 20 03:45:27 charon: 15[NET] sending packet: from 2001:db8:1:1::1234[500] to 2001:db8:f:1::1[500]
00027337.294039| 666|SYSLOG | 225|<38>Oct 20 03:45:33 login[15841]: root login on `pts/0' from `free181251.austin.ibm.com'
_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
______________________________________________________________________
This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
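The charon trace quoted in the thread above carries the facts needed to triage the failed IKE_AUTH, but they are spread over wrapped two-line syslog records. The script below is an added example (not code from either poster and not strongSwan's own tooling): it re-joins the wrapped records, parses charon's `<thread>[<group>] <message>` lines and reports what happened during IKE_AUTH. Two assumptions are built in: the pipe-delimited `00027313.808239| 666|SYSLOG | 225|<30>` prefix is treated as the board's console wrapper and ignored, and the message wordings matched are the ones visible in the posted trace (other charon releases may phrase them differently). Run against an excerpt of that trace it reports that charon tried pre-shared-key authentication for the peer and had no key for it, authenticated itself with an RSA signature, found no match for the "other" traffic selector (configured 2001:db8:f:2::/64, received 2001:db8:f:1::1/128) and then answered with N(AUTH_FAILED).

```python
"""Triage helper for a strongSwan charon syslog trace.

Added example, not from the original posts or from the strongSwan project.
Assumes the pipe-delimited console prefix in the posted trace is noise and
that charon's messages are worded as in that trace.
"""
import re
from typing import Dict, List, Optional, Tuple

# A syslog record starts at "<Mon> <day> <hh:mm:ss> <tag>: "; e.g. "Oct 20 03:45:10 charon: ".
_START = re.compile(r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+: ")
# "... charon: 13[IKE] <message>" -> thread id, log group, message text.
_RECORD = re.compile(r"charon: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] ?(?P<msg>.*)$")
# "authentication of '<id>' [(myself) ]with <method>[ failed]"
_AUTH = re.compile(
    r"^authentication of '(?P<id>[^']+)' (?P<self>\(myself\) )?"
    r"with (?P<method>.+?)(?P<failed> failed)?$"
)
_NOKEY = re.compile(r"^no shared key found for '(?P<me>[^']*)' - '(?P<peer>[^']*)'")
_TS_SIDE = re.compile(r"^selecting traffic selectors for (?P<side>us|other):")
_TS_NOMATCH = re.compile(r"^config: (?P<cfg>\S+), received: (?P<recv>\S+) => no match")
_IKE_AUTH_RESP = re.compile(r"^generating IKE_AUTH response \d+ \[ (?P<payloads>.*) \]")


def join_wrapped_records(text: str) -> List[str]:
    """Re-join records whose message was wrapped onto the following line(s)."""
    records: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _START.search(line):
            records.append(line)          # a new syslog record
        elif records:
            records[-1] += " " + line     # continuation of the previous one
    return records


def parse_charon_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (thread, group, message) for every charon record in the text."""
    parsed = []
    for rec in join_wrapped_records(text):
        m = _RECORD.search(rec)
        if m:
            parsed.append((m.group("thread"), m.group("group"), m.group("msg")))
    return parsed


def summarize_ike_auth(text: str) -> Dict[str, object]:
    """Extract the IKE_AUTH facts an operator wants first from a charon trace."""
    peer_attempts: List[Tuple[str, str, bool]] = []   # (peer id, method, failed?)
    missing_keys: List[str] = []                       # peers charon had no PSK for
    ts_no_match: List[Tuple[Optional[str], str, str]] = []  # (side, configured, received)
    own_method: Optional[str] = None                   # how this side authenticated itself
    auth_failed = False                                # did we send N(AUTH_FAILED)?
    side: Optional[str] = None                         # which TS side is being selected
    for _thread, _group, msg in parse_charon_log(text):
        if m := _NOKEY.match(msg):
            missing_keys.append(m.group("peer"))
        elif m := _AUTH.match(msg):
            if m.group("self"):
                own_method = m.group("method")
            else:
                attempt = (m.group("id"), m.group("method"), bool(m.group("failed")))
                if attempt not in peer_attempts:      # the AUD line is logged twice
                    peer_attempts.append(attempt)
        elif m := _TS_SIDE.match(msg):
            side = m.group("side")
        elif m := _TS_NOMATCH.match(msg):
            ts_no_match.append((side, m.group("cfg"), m.group("recv")))
        elif (m := _IKE_AUTH_RESP.match(msg)) and "N(AUTH_FAILED)" in m.group("payloads"):
            auth_failed = True
    return {
        "peer_auth_attempts": peer_attempts,
        "missing_shared_key_for": missing_keys,
        "own_auth_method": own_method,
        "ts_no_match": ts_no_match,
        "auth_failed_notify": auth_failed,
    }


# Excerpt of the trace posted above, kept in its original wrapped layout.
SAMPLE_TRACE = """
00027313.811637| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 12[ENC]
generating IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
00027313.989067| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[ENC]
parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH N(USE_TRANSP) SA TSi TSr ]
00027313.989825| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[IKE]
no shared key found for '%any' - '2001:db8:f:1::1'
00027313.990493| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[AUD]
authentication of '2001:db8:f:1::1' with pre-shared key failed
00027313.991106| 666|SYSLOG | 225|<86>Oct 20 03:45:10 charon: 13[AUD]
authentication of '2001:db8:f:1::1' with pre-shared key failed
00027313.994233| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[CFG]
selecting traffic selectors for us:
00027313.995013| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[CFG]
config: 2001:db8:1:1::1234/128, received: 2001:db8:1:1::1234/128 => match:
2001:db8:1:1::1234/128
00027313.995700| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[CFG]
selecting traffic selectors for other:
00027313.996629| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[CFG]
config: 2001:db8:f:2::/64, received: 2001:db8:f:1::1/128 => no match
00027313.997594| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[IKE]
authentication of 'C=AU, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD, CN=j63a, E=rjknight' (myself) with RSA signature
00027314.015234| 666|SYSLOG | 225|<30>Oct 20 03:45:10 charon: 13[ENC]
generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

if __name__ == "__main__":
    for key, value in summarize_ike_auth(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

The record-joining step is what makes the rest reliable: a pattern such as "=> no match" can only be matched once the wrapped message has been reassembled, so anything that greps the raw board console output line by line will miss it. Feeding the full trace instead of the excerpt gives the same findings plus the retransmit records, which the summary ignores.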