[strongSwan] Faulty SubjectAltName
Johannes Tysiak
mail at tysiak.net
Fri Jun 25 15:21:52 CEST 2010
Hi Andreas,
thank you very much for your quick answer. Unfortunately your suggestion
did not solve my problem entirely. Let me give you some more information
on my setup.
I am running strongSwan 4.3.2 installed from the Ubuntu 10.04
repository. My /etc/ipsec.conf looks like this:
******
config setup
nat_traversal=yes
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
charonstart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
conn xxx
left=%defaultroute
leftcert=<my-user-cert>.pem
leftid=<myid>
leftfirewall=yes
right=<real IP of the VPN-1 gateway>
rightid=<faulty IP found in the VPN-1 cert subjectAltName>
keyexchange=ikev1
ike=3des-sha1-modp1024,3des-md5-modp1024
auto=add
******
I extracted the key and certificate information like suggested in this
link: http://www.fw-1.de/aerasec/ng/vpn-freeswan/CP-FW1-NG
+Linux-FreeSWAN-RoadWarrior.html#freeswan-x509-roadwarrior
Currently the result looks like this:
******
ipsec up xxx
002 "xxx" #2: initiating Main Mode
104 "xxx" #2: STATE_MAIN_I1: initiate
003 "xxx" #2: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n]
002 "xxx" #2: enabling possible NAT-traversal with method RFC 3947
106 "xxx" #2: STATE_MAIN_I2: sent MI2, expecting MR2
003 "xxx" #2: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
002 "xxx" #2: we have a cert and are sending it upon request
108 "xxx" #2: STATE_MAIN_I3: sent MI3, expecting MR3
002 "xxx" #2: Peer ID is ID_IPV4_ADDR: '<real VPN-1 IP>'
003 "xxx" #2: no public key known for '<real VPN-1 IP>'
217 "xxx" #2: STATE_MAIN_I3: INVALID_KEY_INFORMATION
002 "xxx" #2: sending encrypted notification INVALID_KEY_INFORMATION to
<real VPN-1 IP>:4500
******
Any hints on what I could try next? I feel like I am running out of
ideas, though I still haven't given up.
Once more, thanks a lot for your help!
Best regards,
Johannes
On Fri, 2010-06-25 at 04:14 +0200, Andreas Steffen wrote:
> Hi Johannes,
>
> this is a well known Checkpoint VPN-1 phenomenon where the
> certicate contains the IP address the node-locked software
> license is tied to which is strangely enough sometimes not
> the same IP address the traffic is coming from.
>
> The workaround is simple. On the strongSwan box just define:
>
> right=<actual IP address of the VPN-1 box>
> rightid=<IP address contained in the subjectAltName>
>
> Best regards
>
> Andreas
>
> On 25.06.2010 00:43, Johannes Tysiak wrote:
> > Hello everyone,
> >
> > I am trying to connect to a Checkpoint VPN-1 using strongswan.
> > Unfortunately the VPN-1's certificate is faulty, i.e. the IP address in
> > the SubjectAltName differs from the IP address of the VPN-1. This causes
> > the following log:
> >
> > *****
> > ipsec up xxx
> >
> > 002 "xxx" #1: initiating Main Mode
> > 104 "xxx" #1: STATE_MAIN_I1: initiate
> > 003 "xxx" #1: received Vendor ID payload
> > [draft-ietf-ipsec-nat-t-ike-02_n]
> > 002 "xxx" #1: enabling possible NAT-traversal with method RFC 3947
> > 106 "xxx" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> > 003 "xxx" #1: NAT-Traversal: Result using
> > draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
> > 002 "xxx" #1: we have a cert and are sending it upon request
> > 108 "xxx" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> > 002 "xxx" #1: Peer ID is ID_IPV4_ADDR: 'w.x.y.z'
> > 003 "xxx" #1: no public key known for 'w.x.y.z'
> > 217 "xxx" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION
> > 002 "xxx" #1: sending encrypted notification INVALID_KEY_INFORMATION to
> > w.x.y.z:4500
> > *****
> >
> > I have no possibility to correct the wrong config on the VPN-1 side, so
> > I have to deal with the faulty certificate. Is there any way to achieve
> > this using strongswan (e.g. forcing a specific certificate to be used
> > while ignoring the faulty SubjectAltName?
> >
> > Thanks very much for your help.
> >
> > Cheers,
> > Johannes
> >
> >
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
>
>
--
Johannes Tysiak
Wagnerstr. 8
D-75173 Pforzheim
Mobile: +49 (0) 151 - 55 023 668
Fax: +49 (0) 180 - 10 211 322 62
Web: www.tysiak.net
Mail: mail at tysiak.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5035 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20100625/3a4b9adc/attachment.bin>
More information about the Users
mailing list