[strongSwan] CA cert being discarded
Meera Sudhakar
mira.sudhakar at gmail.com
Fri Aug 19 08:45:16 CEST 2011
Hi strongSwan team,
I am trying to establish a tunnel between two end-points. They do not
support PKI, so I had to create the certificates using openssl. When I did
this, ran "ipsec start" and then checked "ipsec listcacerts", it shows
nothing. The following lines are also present in the logs:
Jan 1 02:44:40 localhost charon: 05[CFG] received stroke: add ca
'strongswan'
Jan 1 02:44:40 localhost charon: 05[LIB] loaded certificate file
'/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem'
Jan 1 02:44:40 localhost charon: 05[CFG] ca certificate must have ca
basic constraint set, discarded
Please find below the commands used to create the CA cert:
openssl genrsa -des3 -out cakey.pem 2048            # passphrase-protected CA key
openssl req -new -key cakey.pem -out cacert.csr      # CSR for the CA
cp cakey.pem cakey.pem.org
openssl rsa -in cakey.pem.org -out cakey.pem         # strip the passphrase
openssl x509 -req -days 365 -in cacert.csr -signkey cakey.pem -out cacert.pem   # self-sign; no -extfile, so no X.509v3 extensions
Please find below the required conf files and logs:
*End-point1:*
root at localhost:/root>
root at localhost:/root> /usr/local/6bin/ipsec start
Starting strongSwan 4.3.1 IPsec [starter]...
root at localhost:/root> /usr/local/6bin/ipsec status
Security Associations:
none
root at localhost:/root> tail -40 /var/log/messages
Aug 19 12:03:31 localhost charon: 01[DMN] signal of type SIGINT received.
Shutting down
Aug 19 12:00:13 localhost charon: 01[DMN] Starting IKEv2 charon daemon
(strongSwan 4.3.1)
Aug 19 12:00:13 localhost charon: 01[CFG] loading ca certificates from
'/etc/ipsec/certs/ipsec.d/cacerts'
Aug 19 12:00:13 localhost charon: 01[LIB] loaded certificate file
'/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem'
Aug 19 12:00:13 localhost charon: 01[CFG] ca certificate must have ca
basic constraint set, discarded
Aug 19 12:00:13 localhost charon: 01[CFG] loading aa certificates from
'/etc/ipsec/certs/ipsec.d/aacerts'
Aug 19 12:00:13 localhost charon: 01[CFG] loading ocsp signer certificates
from '/etc/ipsec/certs/ipsec.d/ocspcerts'
Aug 19 12:00:13 localhost charon: 01[CFG] loading attribute certificates
from '/etc/ipsec/certs/ipsec.d/acerts'
Aug 19 12:00:13 localhost charon: 01[CFG] loading crls from
'/etc/ipsec/certs/ipsec.d/crls'
Aug 19 12:00:13 localhost charon: 01[CFG] loading secrets from
'/etc/ipsec.secrets'
Aug 19 12:00:14 localhost charon: 01[CFG] loaded private key file
'/etc/ipsec/certs/ipsec.d/private/f1key.pem'
Aug 19 12:00:14 localhost charon: 01[KNL] listening on interfaces:
Aug 19 12:00:14 localhost charon: 01[KNL] fpn0
Aug 19 12:00:14 localhost charon: 01[KNL] fe80::dead:be00:6ef:0
Aug 19 12:00:14 localhost charon: 01[KNL] eth0
Aug 19 12:00:14 localhost charon: 01[KNL] 192.168.255.97
Aug 19 12:00:14 localhost charon: 01[KNL] fe80::200:0:700:1801
Aug 19 12:00:14 localhost charon: 01[KNL] eth1
Aug 19 12:00:14 localhost charon: 01[KNL] 169.254.0.71
Aug 19 12:00:14 localhost charon: 01[KNL] fe80::200:0:800:1803
Aug 19 12:00:14 localhost charon: 01[KNL] eth2
Aug 19 12:00:14 localhost charon: 01[KNL] 169.254.1.71
Aug 19 12:00:14 localhost charon: 01[KNL] fe80::40:4300:931:3317
Aug 19 12:00:14 localhost charon: 01[KNL] eth3
Aug 19 12:00:14 localhost charon: 01[KNL] 192.168.0.9
Aug 19 12:00:14 localhost charon: 01[KNL] fe80::40:4300:a31:331b
Aug 19 12:00:14 localhost charon: 01[DMN] loaded plugins: openssl random
x509 pubkey hmac xcbc stroke kernel-netlink
Aug 19 12:00:14 localhost charon: 01[JOB] spawning 16 worker threads
Aug 19 12:00:14 localhost charon: 02[CFG] received stroke: add ca
'strongswan'
Aug 19 12:00:14 localhost charon: 02[LIB] loaded certificate file
'/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem'
Aug 19 12:00:14 localhost charon: 02[CFG] ca certificate must have ca
basic constraint set, discarded
Aug 19 12:00:14 localhost charon: 02[CFG] received stroke: add connection
'sample-with-ca-cert'
Aug 19 12:00:14 localhost charon: 02[KNL] getting interface name for
10.58.115.131
Aug 19 12:00:14 localhost charon: 02[KNL] 10.58.115.131 is not a local
address
Aug 19 12:00:14 localhost charon: 02[KNL] getting interface name for
10.58.115.136
Aug 19 12:00:14 localhost charon: 02[KNL] 10.58.115.136 is not a local
address
Aug 19 12:00:14 localhost charon: 02[CFG] left nor right host is our side,
assuming left=local
Aug 19 12:00:14 localhost charon: 02[LIB] loaded certificate file
'/etc/ipsec/certs/ipsec.d/certs/f1cert.pem'
Aug 19 12:00:14 localhost charon: 02[CFG] peerid 10.58.115.136 not
confirmed by certificate, defaulting to subject DN: C=IN, ST=KA, L=BLR,
O=NSN, OU=CIPS, CN=MS, E=ms at nsn.com
Aug 19 12:00:14 localhost charon: 02[CFG] added configuration
'sample-with-ca-cert'
root at localhost:/root>
root at localhost:/root> /usr/local/6bin/ipsec listcacerts
root at localhost:/root> /usr/local/6bin/ipsec listcerts
List of X.509 End Entity Certificates:
subject: "C=IN, ST=KA, L=BLR, O=NSN, OU=CIPS, CN=MS, E=ms at nsn.com"
issuer: "C=IN, ST=KA, L=BLR, O=NSN, OU=CIPS, CN=MS, E=ms at nsn.com"
serial: 00:d5:4f:fd:7d:a9:d6:2c:dc
validity: not before Jan 01 01:45:22 2000, ok
not after Dec 31 01:45:22 2000, ok
pubkey: RSA 2048 bits, has private key
keyid: e6:67:be:9e:2f:cf:e5:66:ef:92:0c:5c:91:68:d9:52:1b:63:b1:af
subjkey: 2a:5a:45:5d:83:40:34:fc:ba:91:fe:29:13:41:4c:bf:1a:ff:73:d8
root at localhost:/root>
root at localhost:/root> cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# plutodebug=all
# crlcheckinterval=600
strictcrlpolicy=no
# cachecrls=yes
# nat_traversal=yes
charonstart=yes
plutostart=no
charondebug="chd 2, knl 2"
ca strongswan
cacert=cacert.pem
auto=add
conn sample-with-ca-cert
left=10.58.115.136
leftsubnet=10.58.115.0/25
leftcert=f1cert.pem
#leftnexthop=10.58.112.1
right=10.58.115.131
rightsubnet=10.58.115.0/25
#rightid="C=CH, O=strongSwan, CN=10.58.228.80"
keyexchange=ikev2
auto=add
root at localhost:/root>
*End-point2:*
root at localhost:/root>
root at localhost:/root> /usr/local/6bin/ipsec start
Starting strongSwan 4.3.1 IPsec [starter]...
root at localhost:/root> /usr/local/6bin/ipsec status
Security Associations:
sample-with-ca-cert[1]: CONNECTING 10.58.115.131[%any]...10.58.115.136[%any]
sample-with-ca-cert[1]: IKE SPIs: 07431ac18bcde5db_i* 0000000000000000_r
root at localhost:/root>
root at localhost:/root> tail -40 /var/log/messages
Aug 19 12:00:14 localhost charon: 01[KNL] 192.168.255.76
Aug 19 12:00:14 localhost charon: 01[KNL] fe80::40:4300:a31:2908
Aug 19 12:00:14 localhost charon: 01[KNL] bnet111
Aug 19 12:00:14 localhost charon: 01[KNL] 169.254.0.73
Aug 19 12:00:14 localhost charon: 01[KNL] fe80::200:0:b00:1803
Aug 19 12:00:14 localhost charon: 01[KNL] bnet222
Aug 19 12:00:14 localhost charon: 01[KNL] 169.254.1.73
Aug 19 12:00:14 localhost charon: 01[KNL] fe80::40:4300:c31:2904
Aug 19 12:00:14 localhost charon: 01[KNL] bnet333
Aug 19 12:00:14 localhost charon: 01[KNL] 192.168.0.11
Aug 19 12:00:14 localhost charon: 01[KNL] fe80::40:4300:d31:2908
Aug 19 12:00:14 localhost charon: 01[KNL] bnet112
Aug 19 12:00:14 localhost charon: 01[KNL] fe80::200:0:e00:1803
Aug 19 12:00:14 localhost charon: 01[KNL] bnet334
Aug 19 12:00:14 localhost charon: 01[KNL] fe80::40:4300:f31:2908
Aug 19 12:00:14 localhost charon: 01[DMN] loaded plugins: openssl random
x509 pubkey hmac xcbc stroke kernel-netlink
Aug 19 12:00:14 localhost charon: 01[JOB] spawning 16 worker threads
Aug 19 12:00:14 localhost charon: 17[CFG] received stroke: add ca
'strongswan'
Aug 19 12:00:14 localhost charon: 17[LIB] loaded certificate file
'/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem'
Aug 19 12:00:14 localhost charon: 17[CFG] ca certificate must have ca
basic constraint set, discarded
Aug 19 12:00:14 localhost charon: 08[CFG] received stroke: add connection
'sample-with-ca-cert'
Aug 19 12:00:14 localhost charon: 08[KNL] getting interface name for
10.58.115.136
Aug 19 12:00:14 localhost charon: 08[KNL] 10.58.115.136 is not a local
address
Aug 19 12:00:14 localhost charon: 08[KNL] getting interface name for
10.58.115.131
Aug 19 12:00:14 localhost charon: 08[KNL] 10.58.115.131 is not a local
address
Aug 19 12:00:14 localhost charon: 08[CFG] left nor right host is our side,
assuming left=local
Aug 19 12:00:14 localhost charon: 08[LIB] loaded certificate file
'/etc/ipsec/certs/ipsec.d/certs/f2cert.pem'
Aug 19 12:00:14 localhost charon: 08[CFG] peerid 10.58.115.131 not
confirmed by certificate, defaulting to subject DN: C=IN, ST=KA, L=BLR,
O=NSN, OU=CIPS, CN=MS, E=ms at nsn.com
Aug 19 12:00:14 localhost charon: 08[CFG] added configuration
'sample-with-ca-cert'
Aug 19 12:00:14 localhost charon: 10[CFG] received stroke: initiate
'sample-with-ca-cert'
Aug 19 12:00:14 localhost charon: 10[IKE] initiating IKE_SA
sample-with-ca-cert[1] to 10.58.115.136
Aug 19 12:00:14 localhost charon: 10[ENC] generating IKE_SA_INIT request 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Aug 19 12:00:14 localhost charon: 10[NET] sending packet: from
10.58.115.131[500] to 10.58.115.136[500]
Aug 19 12:00:14 localhost charon: 04[NET] error writing to socket: Invalid
argument
Aug 19 12:00:18 localhost charon: 12[IKE] retransmit 1 of request with
message ID 0
Aug 19 12:00:18 localhost charon: 12[NET] sending packet: from
10.58.115.131[500] to 10.58.115.136[500]
Aug 19 12:00:18 localhost charon: 04[NET] error writing to socket: Invalid
argument
Aug 19 12:00:25 localhost charon: 15[IKE] retransmit 2 of request with
message ID 0
Aug 19 12:00:25 localhost charon: 15[NET] sending packet: from
10.58.115.131[500] to 10.58.115.136[500]
Aug 19 12:00:25 localhost charon: 04[NET] error writing to socket: Invalid
argument
root at localhost:/root>
root at localhost:/root> /usr/local/6bin/ipsec listcacerts
root at localhost:/root> /usr/local/6bin/ipsec listcerts
List of X.509 End Entity Certificates:
subject: "C=IN, ST=KA, L=BLR, O=NSN, OU=CIPS, CN=MS, E=ms at nsn.com"
issuer: "C=IN, ST=KA, L=BLR, O=NSN, OU=CIPS, CN=MS, E=ms at nsn.com"
serial: 00:f6:a2:fd:e8:ee:51:e7:22
validity: not before Jan 01 01:09:24 2000, ok
not after Dec 31 01:09:24 2000, ok
pubkey: RSA 2048 bits, has private key
keyid: 30:b5:05:c2:27:13:46:d5:61:fe:fa:a7:4b:c7:ea:be:1b:cd:b2:07
subjkey: 5a:d7:fb:ea:55:1f:d3:82:c4:51:48:8e:cc:4b:d3:55:7f:75:8d:91
root at localhost:/root> cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# plutodebug=all
# crlcheckinterval=600
strictcrlpolicy=no
# cachecrls=yes
# nat_traversal=yes
charonstart=yes
plutostart=no
charondebug="chd 2, knl 2"
ca strongswan
cacert=cacert.pem
auto=add
conn sample-with-ca-cert
left=10.58.115.131
leftsubnet=10.58.115.0/25
leftcert=f2cert.pem
#leftnexthop=10.58.228.1
right=10.58.115.136
rightsubnet=10.58.115.0/25
#rightid="C=CH, O=strongSwan, CN=10.58.112.170"
keyexchange=ikev2
auto=start
root at localhost:/root>
I don't know why the message "error writing to socket: Invalid argument"
comes up either. Please let me know if I have gone wrong anywhere, or
whether there is anything else I need to do.
Thanks and regards,
Meera
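The log line "ca certificate must have ca basic constraint set, discarded" is charon refusing a file from ipsec.d/cacerts whose Basic Constraints extension does not say CA:TRUE; `openssl x509 -req -signkey` without an `-extfile` emits no extensions at all, so the recipe in the post produces exactly that kind of certificate. The script below is an added example, not part of the original post or of strongSwan: it builds a self-signed CA with `basicConstraints = CA:TRUE`, rebuilds a bare self-signed certificate the way the post did, issues an end-entity certificate from the CA, and checks each one the way charon does. The subject names, file names and scratch directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or from strongSwan: make a CA
# certificate charon will keep (CA:TRUE), a bare self-signed one made the way
# the post did (no extensions), and a leaf signed by the CA; then check them.
# Subject names and paths below are constructed for the demo.
set -e

# Minimal OpenSSL config; [ v3_ca ] is what gives the CA cert its constraint.
write_cnf() {
  cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca

[ dn ]
C = IN
O = Example Org (constructed)
CN = Example Root CA

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed CA in $1 with basicConstraints CA:TRUE (what charon requires).
make_ca() {
  dir="$1"; write_cnf "$dir"
  openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null
  # -x509 makes req emit a self-signed cert and apply x509_extensions
  openssl req -x509 -new -key "$dir/cakey.pem" -days 365 \
    -config "$dir/ca.cnf" -out "$dir/cacert.pem"
}

# The post's recipe: CSR, then x509 -req -signkey with no -extfile.
# No extensions are written, so there is no CA basic constraint.
make_bare_selfsigned() {
  dir="$1"; write_cnf "$dir"
  openssl genrsa -out "$dir/barekey.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/barekey.pem" -config "$dir/ca.cnf" \
    -subj "/C=IN/O=Example Org (constructed)/CN=bare self-signed" \
    -out "$dir/bare.csr"
  openssl x509 -req -days 365 -in "$dir/bare.csr" \
    -signkey "$dir/barekey.pem" -out "$dir/bare.pem" 2>/dev/null
}

# End-entity certificate in $1 issued by the CA in the same directory.
sign_leaf() {
  dir="$1"; write_cnf "$dir"
  openssl genrsa -out "$dir/leafkey.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/leafkey.pem" -config "$dir/ca.cnf" \
    -subj "/C=IN/O=Example Org (constructed)/CN=gateway1" -out "$dir/leaf.csr"
  openssl x509 -req -days 365 -in "$dir/leaf.csr" -CA "$dir/cacert.pem" \
    -CAkey "$dir/cakey.pem" -CAcreateserial -out "$dir/leafcert.pem" 2>/dev/null
}

# Exit 0 when the Basic Constraints extension says CA:TRUE; this is the
# property charon checks before accepting a file from ipsec.d/cacerts.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Exit 0 when certificate $2 chains to CA file $1.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

WORK="$(mktemp -d)"
make_ca "$WORK"
make_bare_selfsigned "$WORK"
sign_leaf "$WORK"
for f in cacert.pem bare.pem; do
  if is_ca_cert "$WORK/$f"; then
    echo "$f: CA:TRUE present, charon would keep it"
  else
    echo "$f: no CA basic constraint, charon would discard it"
  fi
done
if verify_chain "$WORK/cacert.pem" "$WORK/leafcert.pem"; then
  echo "leafcert.pem chains to cacert.pem"
fi
```

Copying the generated `cacert.pem` into the `cacerts` directory charon reports in its log and restarting should make it appear in `ipsec listcacerts`; `openssl x509 -in cacert.pem -noout -text` shows the `X509v3 Basic Constraints: CA:TRUE` line beforehand, which the certificate produced by the post's `-signkey` command lacks.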