[strongSwan] ID_IPV6_ADDR Strongswan 4.1.10

richard Knight rjknight at us.ibm.com
Thu Jun 24 06:47:57 CEST 2010


Hello, 

I am testing against strongswan 4.1.10 on an embedded linux ppc platform.  I am
seeing an issue and need some assistance.  

The purpose of this test is to verify an IKEv2 device transmits CERTREQ payload
and handles CERT payload properly. 

I would like to force the responder's identifier to be its IPv6 address so that I
get ID_IPV6_ADDR as the identifier type in the response for this test. I try to
do that by setting up the subjectAltName in the certificate to be the IPv6
address and then adding leftid=myIpv6Address to the ipsec conf file.

I have created certificates with the IPV6 address as the subjectAltName seen 
below. 

We are limited to using strongswan 4.1.10 for now.  Is there any problem in
that version which could cause what we are seeing, or is it a config issue?

Thanks in advance.


$ cat /etc/ipsec.conf
config setup
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no
        charondebug="ike 3, cfg 3"
ca NUT
      cacert=cacert.pem
      auto=add
conn %default
        ikelifetime=300
        keylife=30
        rekeymargin=0
        keyingtries=1
        mobike=no
        keyexchange=ikev2
conn host-host
        left=2001:0db8:0001:0001::1234
        right=2001:0db8:000f:0001::1
        authby=
        leftid=2001:0db8:0001:0001::1234
        rightid=2001:0db8:000f:0001::1
        leftcert=NUTcert.pem
        ike=3des-sha1-modp1024
        esp=3des-sha1-modp1024
        type=transport
        auto=route
        leftsendcert=ifasked



//////////////////// certificate info from strongswan /////////////////
$ ipsec start
Starting strongSwan 4.1.10 IPsec [starter]...
$ ipsec listall

List of X.509 End Entity Certificates:

Oct 01 17:26:50 2010
    altNames:  '32.1.13.184'  <=== I think this should be an IPv6 address
    subject:   'C=US, ST=Texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
                             CN=j63.austin.ibm.om, E=rjknight at us.ibm.com'
    issuer:    'C=UA, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
                             CN=j63a.austin.ibm.com, E=rjknight at us.ibm.com'
    serial:     01
    validity:   not before Jun 21 20:16:13 2010, ok
                not after  Jun 21 20:16:13 2011, ok 
    keyid:      73:d3:57:56:13:02:e0:c3:52:30:43:89:39:ad:80:30:6e:8e:bf:c9
    subjkey:    45:96:7a:7c:5c:99:c9:d7:8f:07:12:8e:39:e2:58:11:a7:91:ad:03
    authkey:    ec:b7:7c:5b:6e:00:be:b1:07:dc:12:01:bd:f7:ce:ca:81:8d:2c:45
    pubkey:     RSA 1024 bits, status unknown, has private key

List of X.509 CA Certificates:

Oct 01 17:26:49 2010
    subject:   'C=UA, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
                       CN=j63a.austin.ibm.com, E=rjknight at us.ibm.com'
    issuer:    'C=UA, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
                       CN=j63a.austin.ibm.com, E=rjknight at us.ibm.com'
    serial:     00:87:69:54:61:75:66:55:ea
    validity:   not before Jun 21 20:15:38 2010, ok
                not after  Jun 21 20:15:38 2011, ok 
    keyid:      47:56:ce:70:c9:67:0e:0e:cc:f6:62:a5:40:b4:88:81:95:46:af:bd
    subjkey:    ec:b7:7c:5b:6e:00:be:b1:07:dc:12:01:bd:f7:ce:ca:81:8d:2c:45
    authkey:    ec:b7:7c:5b:6e:00:be:b1:07:dc:12:01:bd:f7:ce:ca:81:8d:2c:45
    aserial:    00:87:69:54:61:75:66:55:ea
    pubkey:     RSA 1024 bits, status good until Jun 21 20:15:38 2011

List of X.509 CA Information Records:

Oct 01 17:26:49 2010
    authname:  'C=UA, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
CN=j63a.austin.ibm.com, E=rjknight at us.ibm.com'
    authkey:    ec:b7:7c:5b:6e:00:be:b1:07:dc:12:01:bd:f7:ce:ca:81:8d:2c:45
    keyid:      47:56:ce:70:c9:67:0e:0e:cc:f6:62:a5:40:b4:88:81:95:46:af:bd


////////////////  output from openssl cmd ///////////////////////////////

[ipv6 at free181251# openssl x509 -text -in NUTcert.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=UA, ST=texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
CN=j63a.austin.ibm.com/emailAddress=rjknight at us.ibm.com
        Validity
            Not Before: Jun 21 20:16:13 2010 GMT
            Not After : Jun 21 20:16:13 2011 GMT
        Subject: C=US, ST=Texas, L=Austin, O=Internet Widgits Pty Ltd, OU=PFD,
CN=j63.austin.ibm.om/emailAddress=rjknight at us.ibm.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
             OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
             45:96:7A:7C:5C:99:C9:D7:8F:07:12:8E:39:E2:58:11:A7:91:AD:03
            X509v3 Authority Key Identifier: 
             keyid:EC:B7:7C:5B:6E:00:BE:B1:07:DC:12:01:BD:F7:CE:CA:81:8D:2C:45

            X509v3 Subject Alternative Name: 
                IP Address:2001:DB8:1:1:0:0:0:1234
    Signature Algorithm: sha1WithRSAEncryption


Data comparison, received vs. expected:
Identification Payload - Initiator
OK	nexttype:	(received: CERTREQ, expected: CERTREQ, comp: eq)
OK	critical:	(received: 0, expected: 0, comp: eq)
OK	reserved:	(received: 0, expected: 0, comp: eq)
NG	length:	(received: 170, expected: 24, comp: eq)
NG	type:	(received: DER_ASN1_DN, expected: IPV6_ADDR, comp: eq)
OK	reserved1:	(received: 0, expected: 0, comp: eq)
NG	value:	(received: UAustin1!0U
                   Internet Widgits Pty Ltd10
                    UPFD10Uj63.austin.ibm.
                    rjknight at us.ibm.com, 
                  expected: 20010DB8 00010001 00000000 00001234, comp: eq)
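As an added illustration (not code from the poster or from strongSwan), the snippet below builds and decodes an IKEv2 Identification payload the way the comparison table above expects it (ID type IPV6_ADDR, total length 24), and shows the two readings of the certificate's 16-octet subjectAltName iPAddress: the RFC 5280 one that yields 2001:db8:1:1::1234, and a four-octet IPv4 reading of the same octet string, which yields exactly the 32.1.13.184 shown by `ipsec listall`. Payload and ID type numbers are the RFC 4306 values; no strongSwan internals are assumed.

```python
import ipaddress
import struct

# IKEv2 payload and ID type numbers from RFC 4306 (sections 3.2 and 3.5)
NEXT_CERTREQ = 38
ID_IPV4_ADDR = 1
ID_IPV6_ADDR = 5
ID_DER_ASN1_DN = 9


def build_id_payload(next_payload, id_type, id_data):
    """Generic payload header (next payload, critical/reserved, length)
    followed by ID type, three reserved octets and the identification data."""
    length = 8 + len(id_data)
    return struct.pack("!BBHB3x", next_payload, 0, length, id_type) + id_data


def parse_id_payload(raw):
    """Decode an Identification payload; address-typed IDs become text,
    a DER_ASN1_DN is returned as opaque DER bytes."""
    next_payload, crit, length, id_type = struct.unpack("!BBHB", raw[:5])
    if length < 8 or length > len(raw):
        raise ValueError("bad payload length %d" % length)
    data = raw[8:length]
    if id_type == ID_IPV6_ADDR and len(data) == 16:
        value = str(ipaddress.IPv6Address(data))
    elif id_type == ID_IPV4_ADDR and len(data) == 4:
        value = str(ipaddress.IPv4Address(data))
    elif id_type == ID_DER_ASN1_DN:
        value = data
    else:
        raise ValueError("ID type %d with %d data octets" % (id_type, len(data)))
    return {"next": next_payload, "critical": crit >> 7, "length": length,
            "type": id_type, "value": value}


def san_ip_from_octets(octets):
    """RFC 5280 iPAddress: 4 octets mean IPv4, 16 octets mean IPv6."""
    if len(octets) == 4:
        return str(ipaddress.IPv4Address(octets))
    if len(octets) == 16:
        return str(ipaddress.IPv6Address(octets))
    raise ValueError("iPAddress must be 4 or 16 octets, got %d" % len(octets))


def first_four_as_ipv4(octets):
    """What a reader that only expects IPv4 makes of the same octet string."""
    return str(ipaddress.IPv4Address(octets[:4]))


if __name__ == "__main__":
    nut = ipaddress.IPv6Address("2001:db8:1:1::1234").packed  # address from the post
    print(parse_id_payload(build_id_payload(NEXT_CERTREQ, ID_IPV6_ADDR, nut)))
    print(san_ip_from_octets(nut), first_four_as_ipv4(nut))
```

Comparing `san_ip_from_octets` against what the IKE daemon lists for the certificate is a quick way to confirm the SAN was read with the right width before expecting it to be offered as the IKE identity.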