[strongSwan] ID_IPV6_ADDR Strongswan 4.1.10
richard Knight
rjknight at us.ibm.com
Thu Jun 24 06:47:57 CEST 2010
Hello,
I am testing against strongswan 4.1.10 on an embedded linux ppc platform. I am
seeing an issue and need some assistance.
The purpose of this test is to verify an IKEv2 device transmits CERTREQ payload
and handles CERT payload properly.
I would like to force the responder's identifier to be its IPv6 address so that I
get ID_IPV6_ADDR as the identifier type in the response for this test. I try to
do that by setting up the subjectAltName in the certificate to be the IPv6
address and then add the leftid=myIpv6Address to the ipsec conf file.
I have created certificates with the IPV6 address as the subjectAltName seen
below.
We are limited to using strongswan 4.1.10 for now. Is there any problem in
that version which could cause what we are seeing, or is it a config issue?
Thanks in advance.
$ cat /etc/ipsec.conf
config setup
crlcheckinterval=180
strictcrlpolicy=no
plutostart=no
charondebug="ike 3, cfg 3"
ca NUT
cacert=cacert.pem
auto=add
conn %default
ikelifetime=300
keylife=30
rekeymargin=0
keyingtries=1
mobike=no
keyexchange=ikev2
conn host-host
left=2001:0db8:0001:0001::1234
right=2001:0db8:000f:0001::1
authby=
leftid=2001:0db8:0001:0001::1234
rightid=2001:0db8:000f:0001::1
leftcert=NUTcert.pem
ike=3des-sha1-modp1024
esp=3des-sha1-modp1024
type=transport
auto=route
leftsendcert=ifasked
//////////////////// certificate info from strongswan /////////////////
$ ipsec start
Starting strongSwan 4.1.10 IPsec [starter]...
$ ipsec listall
List of X.509 End Entity Certificates:
Oct 01 17:26:50 2010
altNames: '32.1.13.184' <=== I think this should be an IPv6 address
subject: 'C=US, ST=Texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
CN=j63.austin.ibm.om, E=rjknight at us.ibm.com'
issuer: 'C=UA, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
CN=j63a.austin.ibm.com, E=rjknight at us.ibm.com'
serial: 01
validity: not before Jun 21 20:16:13 2010, ok
not after Jun 21 20:16:13 2011, ok
keyid: 73:d3:57:56:13:02:e0:c3:52:30:43:89:39:ad:80:30:6e:8e:bf:c9
subjkey: 45:96:7a:7c:5c:99:c9:d7:8f:07:12:8e:39:e2:58:11:a7:91:ad:03
authkey: ec:b7:7c:5b:6e:00:be:b1:07:dc:12:01:bd:f7:ce:ca:81:8d:2c:45
pubkey: RSA 1024 bits, status unknown, has private key
List of X.509 CA Certificates:
Oct 01 17:26:49 2010
subject: 'C=UA, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
CN=j63a.austin.ibm.com, E=rjknight at us.ibm.com'
issuer: 'C=UA, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
CN=j63a.austin.ibm.com, E=rjknight at us.ibm.com'
serial: 00:87:69:54:61:75:66:55:ea
validity: not before Jun 21 20:15:38 2010, ok
not after Jun 21 20:15:38 2011, ok
keyid: 47:56:ce:70:c9:67:0e:0e:cc:f6:62:a5:40:b4:88:81:95:46:af:bd
subjkey: ec:b7:7c:5b:6e:00:be:b1:07:dc:12:01:bd:f7:ce:ca:81:8d:2c:45
authkey: ec:b7:7c:5b:6e:00:be:b1:07:dc:12:01:bd:f7:ce:ca:81:8d:2c:45
aserial: 00:87:69:54:61:75:66:55:ea
pubkey: RSA 1024 bits, status good until Jun 21 20:15:38 2011
List of X.509 CA Information Records:
Oct 01 17:26:49 2010
authname: 'C=UA, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
CN=j63a.austin.ibm.com, E=rjknight at us.ibm.com'
authkey: ec:b7:7c:5b:6e:00:be:b1:07:dc:12:01:bd:f7:ce:ca:81:8d:2c:45
keyid: 47:56:ce:70:c9:67:0e:0e:cc:f6:62:a5:40:b4:88:81:95:46:af:bd
//////////////// output from openssl cmd ///////////////////////////////
[ipv6 at free181251# openssl x509 -text -in NUTcert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=UA, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
CN=j63a.austin.ibm.com/emailAddress=rjknight at us.ibm.com
Validity
Not Before: Jun 21 20:16:13 2010 GMT
Not After : Jun 21 20:16:13 2011 GMT
Subject: C=US, ST=Texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
CN=j63.austin.ibm.om/emailAddress=rjknight at us.ibm.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b4:a1:80:8d:8f:d8:92:34:c1:15:05:9e:85:f3:
8e:93:e0:78:69:2b:be:75:ca:95:cb:5a:e1:0c:ff:
3b:46:2a:f7:6e:e5:3f:53:2a:a6:83:fa:c3:59:d8:
13:56:da:94:6c:17:d2:06:80:4d:1d:ff:e0:0e:18:
97:fa:4e:7b:88:ff:9b:a2:3f:1d:e3:2c:f5:b5:ef:
48:18:c2:1b:55:95:2f:cc:0c:65:d5:3b:3c:2c:00:
a1:67:79:d0:3b:30:98:12:ac:06:12:bb:c0:9f:c2:
a8:51:84:46:6d:28:42:65:4a:61:ec:48:be:87:37:
ea:c7:e2:8f:f3:69:d9:af:75
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
45:96:7A:7C:5C:99:C9:D7:8F:07:12:8E:39:E2:58:11:A7:91:AD:03
X509v3 Authority Key Identifier:
keyid:EC:B7:7C:5B:6E:00:BE:B1:07:DC:12:01:BD:F7:CE:CA:81:8D:2C:45
X509v3 Subject Alternative Name:
IP Address:2001:DB8:1:1:0:0:0:1234
Signature Algorithm: sha1WithRSAEncryption
2c:56:16:96:85:ba:96:79:24:68:a1:fe:8a:6d:a0:2c:cd:3d:
9d:e2:b7:91:66:2b:29:84:8e:bb:b1:f5:7d:57:58:36:0d:93:
de:5e:93:c5:cb:4f:9f:b5:18:86:be:fc:76:5f:99:a7:3b:ba:
fd:c4:d1:ab:e8:10:5e:72:79:97:1b:d1:d9:3b:b3:85:fa:af:
df:eb:49:38:2c:01:af:76:3b:e5:69:73:30:bb:d3:f9:a2:9a:
8a:89:4f:84:25:7e:79:92:bd:a5:16:d4:f2:98:48:8a:28:bf:
56:95:24:f5:d4:5d:8b:3a:b4:45:f8:93:9b:85:8c:08:b7:be:
04:09
data comparison recieved vs expected..
Identification Payload - Initiator
OK nexttype: (received: CERTREQ, expected: CERTREQ, comp: eq)
OK critical: (received: 0, expected: 0, comp: eq)
OK reserved: (received: 0, expected: 0, comp: eq)
NG length: (received: 170, expected: 24, comp: eq)
NG type: (received: DER_ASN1_DN, expected: IPV6_ADDR, comp: eq)
OK reserved1: (received: 0, expected: 0, comp: eq)
NG value: (received: UAustin1!0U
Internet Widgits Pty Ltd10
UPFD10Uj63.austin.ibm.
rjknight at us.ibm.com,
expected: 20010DB8 00010001 00000000 00001234, comp: eq)
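An added illustration, not part of the original post and not strongSwan code: the altNames value '32.1.13.184' shown by ipsec listall is exactly the first four octets of the certificate's IPv6 subjectAltName (0x20=32, 0x01=1, 0x0d=13, 0xb8=184) rendered as an IPv4 address. The script below decodes the DER iPAddress GeneralName from the address in the openssl dump (the GeneralName bytes are constructed here, not captured from the certificate file), contrasts a length-aware decoder with a naive four-octet reading that reproduces the dotted value on the page, and builds the IKEv2 Identification payload the test expected (24 bytes, type ID_IPV6_ADDR) from RFC 7296 section 3.5. The function names and the constructed sample are assumptions of this example.

```python
"""Decode an X.509 subjectAltName iPAddress GeneralName and build the
matching IKEv2 ID payload. Added example; the GeneralName bytes below are
constructed from the address 2001:DB8:1:1::1234 in the openssl dump."""
import ipaddress

# IKEv2 Identification Type values from RFC 7296 section 3.5
ID_IPV4_ADDR = 1
ID_IPV6_ADDR = 5
ID_DER_ASN1_DN = 9
# IKEv2 payload type for CERTREQ (RFC 7296 section 3.2)
NEXT_PAYLOAD_CERTREQ = 38

# Constructed sample: one GeneralName of CHOICE iPAddress ([7] IMPLICIT
# OCTET STRING, tag byte 0x87) carrying the 16-byte IPv6 address from the SAN.
SAN_IPV6_GENERAL_NAME = bytes.fromhex("8710" "20010db8000100010000000000001234")


def parse_ip_general_name(der: bytes):
    """Return the address inside an iPAddress GeneralName, choosing the
    family from the encoded length: 4 octets -> IPv4, 16 octets -> IPv6."""
    if len(der) < 2 or der[0] != 0x87:
        raise ValueError("not an iPAddress GeneralName")
    length = der[1]
    if length & 0x80:
        raise ValueError("long-form length not expected for an iPAddress")
    octets = der[2:2 + length]
    if len(octets) != length:
        raise ValueError("truncated GeneralName")
    if length == 4:
        return ipaddress.IPv4Address(octets)
    if length == 16:
        return ipaddress.IPv6Address(octets)
    raise ValueError(f"iPAddress octet string has unexpected length {length}")


def parse_ip_general_name_ipv4_only(der: bytes):
    """Naive reading that assumes every iPAddress is IPv4 and keeps only the
    first four octets; on the sample this yields the dotted value seen above."""
    return ipaddress.IPv4Address(der[2:6])


def ikev2_id_payload(addr, next_payload=NEXT_PAYLOAD_CERTREQ) -> bytes:
    """Build an IKEv2 Identification payload for an IP-address identity:
    generic payload header (next payload, flags, length), then ID type,
    three reserved bytes, then the raw address octets."""
    ip = ipaddress.ip_address(addr)
    id_type = ID_IPV6_ADDR if ip.version == 6 else ID_IPV4_ADDR
    data = ip.packed
    length = 4 + 4 + len(data)          # header + type/reserved + address
    header = bytes([next_payload, 0]) + length.to_bytes(2, "big")
    return header + bytes([id_type, 0, 0, 0]) + data


if __name__ == "__main__":
    print("length-aware decode :", parse_ip_general_name(SAN_IPV6_GENERAL_NAME))
    print("ipv4-only decode    :", parse_ip_general_name_ipv4_only(SAN_IPV6_GENERAL_NAME))
    payload = ikev2_id_payload("2001:db8:1:1::1234")
    print("ID payload length   :", len(payload), "type:", payload[4])
```

The 24-byte expectation in the comparison output is what ikev2_id_payload produces for an IPv6 identity (4-byte generic header, 1 type byte, 3 reserved bytes, 16 address bytes); an ID_DER_ASN1_DN identity instead carries the whole encoded subject DN, which is why the received payload is far longer.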