[strongSwan] Authentication Problem using certificates
Andreas Steffen
andreas.steffen@strongswan.org
Wed Nov 17 14:13:34 CET 2010
Hello Laurence,
the normal thing to do is to put the end entity certificate MyBTS1.pem
with subject DN
"C=DE, O=Alcatel-Lucent, OU=Wireless, CN=SWAN"
into /etc/ipsec.d/certs/ and the root CA certificate with subject DN
"C=DE, ST=Germany, L=Stuttgart, O=Alcatel-Lucent, OU=Wireless,
CN=SwanRoot"
into /etc/ipsec.d/cacerts. What you are doing is to switch the location
of the two certificates.
- All certificates from /etc/ipsec.d/cacerts are automatically loaded
during the startup of the IKEv2 daemon:
: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
: 01[LIB] loaded certificate file '/etc/ipsec.d/cacerts/MyBTS1.pem'
The loading of MyBTS1.pem as an end entity certificate fails since
the implicit path (/etc/ipsec.d/certs/) is incorrect:
: 08[CFG] leftcert=MyBTS1.pem
Therefore as a consequence the following error occurs:
: 08[LIB] reading file '/etc/ipsec.d/certs/MyBTS1.pem' failed
The end entity certificate can still be retrieved since all certificates
are kept in the same store with the CA certificates possessing a
CA flag.
The received certificate request for the Root CA
: 14[IKE] received cert request for unknown ca with keyid
12:c4:8b:7e:aa:dd:51:29:cd:a1:17:18:a0:71:71:ff:60:79:bc:3b
cannot be decoded because the Root Certificate is not stored in
/etc/ipsec.d/cacerts but charon sends in turn a certificate request
for its end entity certificate
: 14[IKE] sending cert request for "C=DE, O=Alcatel-Lucent, OU=Wireless,
CN=SWAN"
since it is stored in /etc/ipsec.d/cacerts.
So for Christ's sake what do you want to achieve by exchanging the
location of end entity and Root CA certificate???
Regards
Andreas
On 17.11.2010 13:55, Groebl, Laurence (Laurence) wrote:
>
> Hello,
> we have some problems with IKEv2 authentication with certificates.
> We put our client certificate (MyBTS1.pem) into /etc/ipsec.d/cacerts,
> and the root certificate of the peer in /etc/ipsec.d/certs.
> and got the following error: *reading file
> '/etc/ipsec.d/certs/MyBTS1.pem' failed*
>
> However it seems that Strongswan finds the certificate since we get the
> following information from its certificate "MyBTS1.pem"
> *sending cert request for "C=DE, O=Alcatel-Lucent, OU=Wireless, CN=SWAN"*
>
> What is wrong in our configuration?
> You can find the details below,
> best regards,
> Laurence
>
>
>
> Nov 17 13:28:39 destgd0h003661 ipsec_starter[22089]: Starting strongSwan
> 4.3.4 IPsec [starter]...
> Nov 17 13:28:39 destgd0h003661 charon: 01[DMN] Starting IKEv2 charon
> daemon (strongSwan 4.3.4)
> Nov 17 13:28:39 destgd0h003661 charon: 01[KNL] listening on interfaces:
> Nov 17 13:28:39 destgd0h003661 charon: 01[KNL] eth1
> Nov 17 13:28:39 destgd0h003661 charon: 01[KNL] 192.168.20.51
> Nov 17 13:28:39 destgd0h003661 charon: 01[KNL] fe80::217:3fff:fed0:772c
> Nov 17 13:28:39 destgd0h003661 charon: 01[KNL] eth0
> Nov 17 13:28:39 destgd0h003661 charon: 01[KNL] 149.204.17.51
> Nov 17 13:28:39 destgd0h003661 charon: 01[KNL] fe80::224:81ff:fe1d:d4fa
> *Nov 17 13:28:39 destgd0h003661 charon: 01[CFG] loading ca certificates
> from '/etc/ipsec.d/cacerts'*
> *Nov 17 13:28:39 destgd0h003661 charon: 01[LIB] loaded certificate
> file '/etc/ipsec.d/cacerts/MyBTS1.pem'*
> Nov 17 13:28:39 destgd0h003661 charon: 01[CFG] loading aa certificates
> from '/etc/ipsec.d/aacerts'
> Nov 17 13:28:39 destgd0h003661 charon: 01[CFG] loading ocsp signer
> certificates from '/etc/ipsec.d/ocspcerts'
> Nov 17 13:28:39 destgd0h003661 charon: 01[CFG] loading attribute
> certificates from '/etc/ipsec.d/acerts'
> Nov 17 13:28:39 destgd0h003661 charon: 01[CFG] loading crls from
> '/etc/ipsec.d/crls'
> Nov 17 13:28:39 destgd0h003661 charon: 01[LIB] loaded crl file
> '/etc/ipsec.d/crls/crl_Myroot1.pem'
> Nov 17 13:28:39 destgd0h003661 charon: 01[LIB] loaded crl file
> '/etc/ipsec.d/crls/crl_Myroot2.pem'
> Nov 17 13:28:39 destgd0h003661 charon: 01[CFG] loading secrets from
> '/etc/ipsec.secrets'
> *Nov 17 13:28:39 destgd0h003661 charon: 01[CFG] loaded private key
> file '/etc/ipsec.d/private/MyBTS1_key.pem'*
> Nov 17 13:28:39 destgd0h003661 charon: 01[DMN] loaded plugins: curl ldap
> aes des sha1 sha2 md5 fips-prf random x509 pubkey openssl gcrypt xcbc
> hmac gmp kernel-netlink stroke updown attr resolv-conf
> Nov 17 13:28:39 destgd0h003661 charon: 01[JOB] spawning 16 worker threads
> Nov 17 13:28:39 destgd0h003661 ipsec_starter[22110]: charon (22111)
> started after 20 ms
> Nov 17 13:28:39 destgd0h003661 charon: 05[CFG] stroke message => 272
> bytes @ 0xb596f160
> Nov 17 13:28:39 destgd0h003661 charon: 05[CFG] crl caching to
> /etc/ipsec.d/crls enabled
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] stroke message => 390
> bytes @ 0xb416c0e0
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] received stroke: add
> connection 'net-net'
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] conn net-net
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] left=192.168.20.51
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] leftsubnet=(null)
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] leftsourceip=(null)
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] leftauth=rsasig
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] leftauth2=(null)
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] leftid=(null)
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] leftid2=(null)
> *Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] leftcert=MyBTS1.pem*
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] leftcert2=(null)
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] leftca=(null)
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] leftca2=(null)
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] leftgroups=(null)
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] leftupdown=(null)
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] right=192.168.20.254
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] rightsubnet=192.168.30.0/24
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] rightsourceip=(null)
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] rightauth=rsasig
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] rightauth2=(null)
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] rightid=(null)
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] rightid2=(null)
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] rightcert=(null)
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] rightcert2=(null)
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] rightca=(null)
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] rightca2=(null)
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] rightgroups=(null)
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] rightupdown=(null)
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] eap_identity=(null)
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] ike=3des-sha1-modp1024!
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] esp=3des-sha1-modp1024!
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] mediation=no
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] mediated_by=(null)
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] me_peerid=(null)
> Nov 17 13:28:39 destgd0h003661 charon: 08[KNL] getting interface name
> for 192.168.20.254
> Nov 17 13:28:39 destgd0h003661 charon: 08[KNL] 192.168.20.254 is not a
> local address
> Nov 17 13:28:39 destgd0h003661 charon: 08[KNL] getting interface name
> for 192.168.20.51
> Nov 17 13:28:39 destgd0h003661 charon: 08[KNL] 192.168.20.51 is on
> interface eth1
> *Nov 17 13:28:39 destgd0h003661 charon: 08[LIB] reading file
> '/etc/ipsec.d/certs/MyBTS1.pem' failed*
> Nov 17 13:28:39 destgd0h003661 charon: 08[LIB] failed to create a
> builder for credential type CRED_CERTIFICATE, subtype (1)
> Nov 17 13:28:39 destgd0h003661 charon: 08[CFG] added configuration 'net-net'
> Nov 17 13:28:39 destgd0h003661 charon: 10[CFG] stroke message => 280
> bytes @ 0xb316a150
> Nov 17 13:28:39 destgd0h003661 charon: 10[CFG] received stroke: initiate
> 'net-net'
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] queueing IKE_INIT task
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] queueing IKE_NATD task
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] queueing IKE_CERT_PRE task
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] queueing IKE_AUTHENTICATE
> task
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] queueing IKE_CERT_POST task
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] queueing IKE_CONFIG task
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] queueing
> IKE_AUTH_LIFETIME task
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] queueing CHILD_CREATE task
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] activating new tasks
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] activating IKE_INIT task
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] activating IKE_NATD task
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] activating IKE_CERT_PRE
> task
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] activating
> IKE_AUTHENTICATE task
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] activating
> IKE_CERT_POST task
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] activating IKE_CONFIG task
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] activating CHILD_CREATE
> task
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] activating
> IKE_AUTH_LIFETIME task
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] initiating IKE_SA
> net-net[1] to 192.168.20.254
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] initiating IKE_SA
> net-net[1] to 192.168.20.254
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] IKE_SA net-net[1] state
> change: CREATED => CONNECTING
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] natd_chunk => 22 bytes @
> 0x80a82f0
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] natd_hash => 20 bytes @
> 0x80a72b8
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] natd_chunk => 22 bytes @
> 0x80a82f0
> Nov 17 13:28:39 destgd0h003661 charon: 10[IKE] natd_hash => 20 bytes @
> 0x80a72b8
> Nov 17 13:28:39 destgd0h003661 charon: 10[ENC] generating IKE_SA_INIT
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov 17 13:28:39 destgd0h003661 charon: 10[NET] sending packet: from
> 192.168.20.51[500] to 192.168.20.254[500]
> Nov 17 13:28:39 destgd0h003661 charon: 14[NET] received packet: from
> 192.168.20.254[500] to 192.168.20.51[500]
> Nov 17 13:28:39 destgd0h003661 charon: 14[ENC] parsed IKE_SA_INIT
> response 0 [ SA KE No CERTREQ ]
> Nov 17 13:28:39 destgd0h003661 charon: 14[CFG] selecting proposal:
> Nov 17 13:28:39 destgd0h003661 charon: 14[CFG] proposal matches
> Nov 17 13:28:39 destgd0h003661 charon: 14[CFG] received proposals:
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> Nov 17 13:28:39 destgd0h003661 charon: 14[CFG] configured proposals:
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> Nov 17 13:28:39 destgd0h003661 charon: 14[CFG] selected proposal:
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> Nov 17 13:28:39 destgd0h003661 charon: 14[IKE] shared Diffie Hellman
> secret => 128 bytes @ 0x80a9738
> Nov 17 13:28:39 destgd0h003661 charon: 14[IKE] SKEYSEED => 20 bytes @
> 0x80a83d8
> Nov 17 13:28:39 destgd0h003661 charon: 14[IKE] Sk_d secret => 20 bytes @
> 0x80a83d8
> Nov 17 13:28:39 destgd0h003661 charon: 14[IKE] Sk_ai secret => 20 bytes
> @ 0x80a7d50
> Nov 17 13:28:39 destgd0h003661 charon: 14[IKE] Sk_ar secret => 20 bytes
> @ 0x80a7d50
> Nov 17 13:28:39 destgd0h003661 charon: 14[IKE] Sk_ei secret => 24 bytes
> @ 0x80a8c40
> Nov 17 13:28:39 destgd0h003661 charon: 14[IKE] Sk_er secret => 24 bytes
> @ 0x80a8c40
> Nov 17 13:28:39 destgd0h003661 charon: 14[IKE] Sk_pi secret => 20 bytes
> @ 0x80a9490
> Nov 17 13:28:39 destgd0h003661 charon: 14[IKE] Sk_pr secret => 20 bytes
> @ 0x80a5950
> Nov 17 13:28:39 destgd0h003661 charon: 14[IKE] natd_chunk => 22 bytes @
> 0x80a8c40
> Nov 17 13:28:39 destgd0h003661 charon: 14[IKE] natd_hash => 20 bytes @
> 0x80a8000
> Nov 17 13:28:39 destgd0h003661 charon: 14[IKE] natd_chunk => 22 bytes @
> 0x80a8c40
> Nov 17 13:28:39 destgd0h003661 charon: 14[IKE] natd_hash => 20 bytes @
> 0x80a97b0
> Nov 17 13:28:39 destgd0h003661 charon: 14[IKE] precalculated src_hash =>
> 20 bytes @ 0x80a97b0
> Nov 17 13:28:39 destgd0h003661 charon: 14[IKE] precalculated dst_hash =>
> 20 bytes @ 0x80a8000
> *Nov 17 13:28:39 destgd0h003661 charon: 14[IKE] received cert request
> for unknown ca with keyid
> 12:c4:8b:7e:aa:dd:51:29:cd:a1:17:18:a0:71:71:ff:60:79:bc:3b*
> Nov 17 13:28:39 destgd0h003661 charon: 14[IKE] reinitiating already
> active tasks
> Nov 17 13:28:39 destgd0h003661 charon: 14[IKE] IKE_CERT_PRE task
> Nov 17 13:28:39 destgd0h003661 charon: 14[IKE] IKE_AUTHENTICATE task
> *Nov 17 13:28:39 destgd0h003661 charon: 14[IKE] sending cert request for
> "C=DE, O=Alcatel-Lucent, OU=Wireless, CN=SWAN"*
> Nov 17 13:28:39 destgd0h003661 charon: 14[IKE] no private key found for
> '192.168.20.51'
> Nov 17 13:28:39 destgd0h003661 charon: 14[IKE] IKE_SA net-net[1] state
> change: CONNECTING => DESTROYING
>
> ---------
>
> *BTS1.pem:*
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 317 (0x13d)
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=DE, ST=Germany, L=Stuttgart, O=Alcatel-Lucent,
> OU=Wireless, CN=SwanRoot
> Validity
> Not Before: Nov 17 10:39:46 2010 GMT
> Not After : Nov 14 10:39:46 2020 GMT
> *Subject: C=DE, O=Alcatel-Lucent, OU=Wireless, CN=SWAN*
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (2048 bit)
> Modulus (2048 bit):
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Basic Constraints:
> CA:TRUE, pathlen:1
> Netscape Comment:
> OpenSSL Generated Certificate
> X509v3 Subject Key Identifier:
> B5:3C:65:1A:86:11:F4:C1:B2:0E:BE:B9:5A:ED:0B:21:73:2A:9C:E1
> X509v3 Authority Key Identifier:
> DirName:/C=DE/ST=Germany/L=Stuttgart/O=Alcatel-Lucent/OU=Wireless/CN=SwanRoot
> serial:8E:05:6A:2B:17:47:C5:E8
> X509v3 Subject Alternative Name:
> email:swanClient@alcatel-lucent.com
> Signature Algorithm: sha1WithRSAEncryption
--
======================================================================
Andreas Steffen andreas.steffen@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
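Andreas's answer rests on charon keeping every loaded certificate in one store and telling CA certificates apart by their CA flag, and the dump of MyBTS1.pem in the quoted mail does carry basicConstraints CA:TRUE. The Go program below is an added example, not strongSwan code: it classifies a certificate into cacerts or certs by that flag, warns when a certificate meant as leftcert is CA-flagged, and resolves a CERTREQ keyid against a store, which is the "received cert request for unknown ca" situation in the log. The certificates it builds are constructed test data, and taking the keyid to be the RFC 5280 method-1 subject key identifier is an assumption to confirm against the charon version in use.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

const (
	DirCACerts = "/etc/ipsec.d/cacerts" // charon loads all CA certificates from here
	DirCerts   = "/etc/ipsec.d/certs"   // charon reads leftcert=<file> from here
)

// Classify: CA:TRUE in basicConstraints means cacerts, anything else means certs.
// A certificate meant as leftcert that still carries the CA flag gets a warning.
func Classify(cert *x509.Certificate, meantAsEndEntity bool) (dir, warn string) {
	if !(cert.BasicConstraintsValid && cert.IsCA) {
		return DirCerts, ""
	}
	if meantAsEndEntity {
		warn = "leftcert carries basicConstraints CA:TRUE; charon files it with the CA certificates"
	}
	return DirCACerts, warn
}

// SubjectKeyID is the RFC 5280 method-1 key identifier (SHA-1 over the subjectPublicKey
// BIT STRING). Assumption: this is the 20-byte keyid charon logs for a received CERTREQ.
func SubjectKeyID(cert *x509.Certificate) ([]byte, error) {
	var spki struct {
		Algorithm pkix.AlgorithmIdentifier
		PublicKey asn1.BitString
	}
	if _, err := asn1.Unmarshal(cert.RawSubjectPublicKeyInfo, &spki); err != nil {
		return nil, err
	}
	sum := sha1.Sum(spki.PublicKey.Bytes)
	return sum[:], nil
}

// FindCA resolves a CERTREQ keyid against the loaded store; nil is the
// "received cert request for unknown ca" case from the log.
func FindCA(keyid []byte, store []*x509.Certificate) *x509.Certificate {
	for _, c := range store {
		if id, err := SubjectKeyID(c); c.IsCA && err == nil && bytes.Equal(id, keyid) {
			return c
		}
	}
	return nil
}

// makeCert builds a constructed test certificate (not the one from the thread);
// issuer == nil yields a self-signed root.
func makeCert(cn string, isCA bool, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{Country: []string{"DE"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if issuer == nil {
		issuer, issuerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	root, rootKey, _ := makeCert("SwanRoot", true, nil, nil)
	ee, _, _ := makeCert("SWAN", true, root, rootKey) // CA:TRUE, like the dump in the thread
	fmt.Println(Classify(ee, true))
}
```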