[strongSwan] Help, charon: 03[CFG] issuer of fetched CRL does not match CRL issuer
Jacky.He
jacky.he at gmail.com
Sat Jul 23 06:47:38 CEST 2011
Hello,
First, I use strongSwan v4.5.2 on my CentOS 5.5.
When the ipsec daemon started, I found /etc/ipsec.d/crls/crl.pem was loaded
successfully:
Jul 23 03:06:20 lag3 pluto[30328]: loading aa certificates from
'/etc/ipsec.d/aacerts'
Jul 23 03:06:20 lag3 pluto[30328]: loading ocsp certificates from
'/etc/ipsec.d/ocspcerts'
Jul 23 03:06:20 lag3 pluto[30328]: Changing to directory '/etc/ipsec.d/crls'
Jul 23 03:06:20 lag3 pluto[30328]: loaded crl from 'crl.der'
Jul 23 03:06:20 lag3 pluto[30328]: loading attribute certificates from
'/etc/ipsec.d/acerts'
Jul 23 03:06:20 lag3 pluto[30328]: spawning 4 worker threads
Jul 23 03:06:20 lag3 ipsec_starter[30327]: pluto (30328) started after 20 ms
And
Jul 23 03:06:20 lag3 charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Jul 23 03:06:20 lag3 charon: 00[CFG] loaded ca certificate "C=US, ST=CO,
L=Denver, O=igvpn.com, CN=igvpn.com CA, E=info at igvpn.com" from
'/etc/ipsec.d/cacerts/ca.crt'
Jul 23 03:06:20 lag3 charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Jul 23 03:06:20 lag3 charon: 00[CFG] loading ocsp signer certificates from
'/etc/ipsec.d/ocspcerts'
Jul 23 03:06:20 lag3 charon: 00[CFG] loading attribute certificates from
'/etc/ipsec.d/acerts'
Jul 23 03:06:20 lag3 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 23 03:06:20 lag3 charon: 00[CFG] loaded crl from
'/etc/ipsec.d/crls/crl.der'
Jul 23 03:06:20 lag3 charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Actually, I have 30 certificates revoked in my CRLs.
#ipsec listcrls
000
000 List of X.509 CRLs:
000
000 issuer: "C=US, ST=CO, L=Denver, O=igvpn.com, CN=igvpn.com CA,
E=info at igvpn.com"
000 revoked: 30 certificates
000 distPts: 'file:///etc/ipsec.d/crls/crl.der'
000 updates: this Jul 21 00:31:08 2011
000 next Aug 20 00:31:08 2011 ok
List of X.509 CRLs:
issuer: "C=US, ST=CO, L=Denver, O=igvpn.com, CN=igvpn.com CA,
E=info at igvpn.com"
revoked: 30 certificates
updates: this Jul 21 00:31:08 2011
next Aug 20 00:31:08 2011, ok
I use one of the revoked certificates to connect to my strongSwan server; the
IKEv1 daemon Pluto can correctly reject this cert:
Jul 23 12:16:23 lag3 pluto[4778]: packet from 218.249.58.137:1117: size
(1160) differs from size specified in ISAKMP HDR (1144)
Jul 23 12:16:23 lag3 pluto[4778]: packet from 218.249.58.137:1117: Cisco VPN
client appends 16 surplus NULL bytes
Jul 23 12:16:23 lag3 pluto[4778]: packet from 218.249.58.137:1117: received
Vendor ID payload [XAUTH]
Jul 23 12:16:23 lag3 pluto[4778]: packet from 218.249.58.137:1117: received
Vendor ID payload [Dead Peer Detection]
Jul 23 12:16:23 lag3 pluto[4778]: packet from 218.249.58.137:1117: ignoring
Vendor ID payload [FRAGMENTATION 80000000]
Jul 23 12:16:23 lag3 pluto[4778]: packet from 218.249.58.137:1117: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 23 12:16:23 lag3 pluto[4778]: packet from 218.249.58.137:1117: ignoring
Vendor ID payload [Cisco-Unity]
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11]
218.249.58.137:1117 #21: responding to Main Mode from unknown peer
218.249.58.137:1117
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11]
218.249.58.137:1117 #21: peer requested 2147483 seconds which exceeds our
limit 86400 seconds
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11]
218.249.58.137:1117 #21: lifetime reduced to 86400 seconds (todo:
IPSEC_RESPONDER_LIFETIME notification)
Jul 23 12:16:23 lag3 pluto[4778]: packet from 218.249.58.137:1117: size
(352) differs from size specified in ISAKMP HDR (336)
Jul 23 12:16:23 lag3 pluto[4778]: packet from 218.249.58.137:1117: Cisco VPN
client appends 16 surplus NULL bytes
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11]
218.249.58.137:1117 #21: ignoring Vendor ID payload
[b86d2f5e92fd6cffdb3255aa8b2cc015]
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11]
218.249.58.137:1117 #21: ignoring Vendor ID payload [Cisco-Unity]
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11]
218.249.58.137:1117 #21: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11]
218.249.58.137:1117 #21: ignoring informational payload, type
IPSEC_INITIAL_CONTACT
Jul 23 12:16:23 lag3 pluto[4778]: | protocol/port in Phase 1 ID Payload is
17/0. accepted with port_floating NAT-T
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11]
218.249.58.137:1117 #21: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=CO, L=Denver,
O=igvpn.com, CN=ccfer.igvpn.com, E=info at igvpn.com'
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11]
218.249.58.137:1117 #21: certificate was revoked on Jul 20 16:29:25 UTC
2011, reason: unspecified
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11]
218.249.58.137:1117 #21: X.509 certificate rejected
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11]
218.249.58.137:1117 #21: no public key known for 'C=US, ST=CO, L=Denver,
O=igvpn.com, CN=ccfer.igvpn.com, E=info at igvpn.com'
Jul 23 12:16:23 lag3 pluto[4778]: "RW_IKEv1_RSA_XAUTH"[11]
218.249.58.137:1117 #21: sending encrypted notification
INVALID_KEY_INFORMATION to 218.249.58.137:1117
-------------------------
But the charon daemon still accepts the cert:
Jul 23 12:25:42 lag3 charon: 08[IKE] 117.136.0.52 is initiating an IKE_SA
Jul 23 12:25:42 lag3 charon: 08[IKE] remote host is behind NAT
Jul 23 12:25:42 lag3 charon: 08[IKE] sending cert request for "C=US, ST=CO,
L=Denver, O=igvpn.com, CN=igvpn.com CA, E=info at igvpn.com"
Jul 23 12:25:42 lag3 charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 23 12:25:42 lag3 charon: 08[NET] sending packet: from
199.119.201.165[500] to 117.136.0.52[46643]
Jul 23 12:25:43 lag3 charon: 10[NET] received packet: from
117.136.0.52[46644] to 199.119.201.165[4500]
Jul 23 12:25:43 lag3 charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi CERT
N(INIT_CONTACT) CERTREQ AUTH CP(ADDR DNS) SA TSi TSr ]
Jul 23 12:25:43 lag3 charon: 10[IKE] received cert request for "C=US, ST=CO,
L=Denver, O=igvpn.com, CN=igvpn.com CA, E=info at igvpn.com"
Jul 23 12:25:43 lag3 charon: 10[IKE] received end entity cert "C=US, ST=CO,
L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, E=info at igvpn.com"
Jul 23 12:25:43 lag3 charon: 10[CFG] looking for peer configs matching
199.119.201.165[%any]...117.136.0.52[C=US, ST=CO, L=Denver, O=igvpn.com,
CN=ccfer.igvpn.com, E=info at igvpn.com]
Jul 23 12:25:43 lag3 charon: 10[CFG] selected peer config 'RW_IKEv2_RSA'
Jul 23 12:25:43 lag3 charon: 10[CFG] using certificate "C=US, ST=CO,
L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, E=info at igvpn.com"
Jul 23 12:25:43 lag3 charon: 10[CFG] using trusted ca certificate "C=US,
ST=CO, L=Denver, O=igvpn.com, CN=igvpn.com CA, E=info at igvpn.com"
Jul 23 12:25:43 lag3 charon: 10[CFG] checking certificate status of "C=US,
ST=CO, L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, E=info at igvpn.com"
Jul 23 12:25:43 lag3 charon: 10[CFG] certificate status is not available
Jul 23 12:25:43 lag3 charon: 10[CFG] reached self-signed root ca with a
path length of 0
Jul 23 12:25:43 lag3 charon: 10[IKE] authentication of 'C=US, ST=CO,
L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, E=info at igvpn.com' with RSA
signature successful
Jul 23 12:25:43 lag3 charon: 10[IKE] authentication of 'lag3.igvpn.com'
(myself) with RSA signature successful
Jul 23 12:25:43 lag3 charon: 10[IKE] IKE_SA RW_IKEv2_RSA[3] established
between 199.119.201.165[lag3.igvpn.com]...117.136.0.52[C=US, ST=CO,
L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, E=info at igvpn.com]
Jul 23 12:25:43 lag3 charon: 10[IKE] scheduling reauthentication in 10207s
Jul 23 12:25:43 lag3 charon: 10[IKE] maximum IKE_SA lifetime 10747s
Jul 23 12:25:43 lag3 charon: 10[IKE] sending end entity cert "C=US, ST=CO,
L=Denver, O=igvpn.com, CN=lag3.igvpn.com, E=info at igvpn.com"
Jul 23 12:25:43 lag3 charon: 10[IKE] peer requested virtual IP %any
Jul 23 12:25:43 lag3 charon: 10[CFG] reassigning offline lease to 'C=US,
ST=CO, L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, E=info at igvpn.com'
Jul 23 12:25:43 lag3 charon: 10[IKE] assigning virtual IP 10.0.6.3 to peer
'C=US, ST=CO, L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, E=info at igvpn.com'
Jul 23 12:25:43 lag3 charon: 10[IKE] CHILD_SA RW_IKEv2_RSA{3} established
with SPIs c0c373b1_i 1228f27d_o and TS 0.0.0.0/0 === 10.0.6.3/32
Jul 23 12:25:43 lag3 vpn: + C=US, ST=CO, L=Denver, O=igvpn.com,
CN=ccfer.igvpn.com, E=info at igvpn.com 10.0.6.3/32 == 117.136.0.52 --
199.119.201.165 == 0.0.0.0/0
Jul 23 12:25:43 lag3 charon: 10[ENC] generating IKE_AUTH response 1 [ IDr
CERT AUTH CP(ADDR DNS NBNS DNS NBNS) SA TSi TSr N(AUTH_LFT) ]
Jul 23 12:25:43 lag3 charon: 10[NET] sending packet: from
199.119.201.165[4500] to 117.136.0.52[46644]
Jul 23 12:25:52 lag3 charon: 11[NET] received packet: from
117.136.0.52[46644] to 199.119.201.165[4500]
My original ipsec.conf:
config setup
    plutostart=yes
    #plutodebug=control
    #plutodebug=all
    uniqueids=yes
    nat_traversal=yes
    charonstart=yes
    strictcrlpolicy=no
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.19.32.0/24
When I change ipsec.conf to this:
config setup
    plutostart=yes
    #plutodebug=control
    #plutodebug=all
    uniqueids=yes
    nat_traversal=yes
    charonstart=yes
    crlcheckinterval=600s
    strictcrlpolicy=yes
    charondebug="ike control"
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.19.32.0/24

ca IGVPN
    cacert=ca.crt
    crluri="http://www.igvpn.com:8000/crl/crl.der"
    auto=add
and restart the ipsec daemon, and then use the revoked cert to connect to
strongSwan using IKEv2, I find something different in the charon log:
------------------------
Jul 23 12:41:26 lag3 charon: 08[IKE] 117.136.0.7 is initiating an IKE_SA
Jul 23 12:41:26 lag3 charon: 08[IKE] remote host is behind NAT
Jul 23 12:41:26 lag3 charon: 08[IKE] sending cert request for "C=US, ST=CO,
L=Denver, O=igvpn.com, CN=igvpn.com CA, E=info at igvpn.com"
Jul 23 12:41:26 lag3 charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 23 12:41:26 lag3 charon: 08[NET] sending packet: from
199.119.201.165[500] to 117.136.0.7[41191]
Jul 23 12:41:28 lag3 charon: 03[NET] received packet: from
117.136.0.7[29600] to 199.119.201.165[4500]
Jul 23 12:41:28 lag3 charon: 03[ENC] parsed IKE_AUTH request 1 [ IDi CERT
N(INIT_CONTACT) CERTREQ AUTH CP(ADDR DNS) SA TSi TSr ]
Jul 23 12:41:28 lag3 charon: 03[IKE] received cert request for "C=US, ST=CO,
L=Denver, O=igvpn.com, CN=igvpn.com CA, E=info at igvpn.com"
Jul 23 12:41:28 lag3 charon: 03[IKE] received end entity cert "C=US, ST=CO,
L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, E=info at igvpn.com"
Jul 23 12:41:28 lag3 charon: 03[CFG] looking for peer configs matching
199.119.201.165[%any]...117.136.0.7[C=US, ST=CO, L=Denver, O=igvpn.com,
CN=ccfer.igvpn.com, E=info at igvpn.com]
Jul 23 12:41:28 lag3 charon: 03[CFG] selected peer config 'RW_IKEv2_RSA'
Jul 23 12:41:28 lag3 charon: 03[CFG] using certificate "C=US, ST=CO,
L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, E=info at igvpn.com"
Jul 23 12:41:28 lag3 charon: 03[CFG] using trusted ca certificate "C=US,
ST=CO, L=Denver, O=igvpn.com, CN=igvpn.com CA, E=info at igvpn.com"
Jul 23 12:41:28 lag3 charon: 03[CFG] checking certificate status of "C=US,
ST=CO, L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, E=info at igvpn.com"
Jul 23 12:41:28 lag3 charon: 03[CFG] fetching crl from
'http://www.igvpn.com:8000/crl/crl.der' ...
Jul 23 12:41:28 lag3 charon: 03[CFG] issuer of fetched CRL 'C=US, ST=CO,
L=Denver, O=igvpn.com, CN=igvpn.com CA, E=info at igvpn.com' does not match CRL
issuer '9b:00:ad:ef:3d:af:74:3b:72:6e:28:33:f5:33:4a:6a:e8:77:2e:bb'
Jul 23 12:41:28 lag3 charon: 03[CFG] certificate status is not available
Jul 23 12:41:28 lag3 charon: 03[CFG] reached self-signed root ca with a
path length of 0
Jul 23 12:41:28 lag3 charon: 03[IKE] authentication of 'C=US, ST=CO,
L=Denver, O=igvpn.com, CN=ccfer.igvpn.com, E=info at igvpn.com' with RSA
signature successful
Jul 23 12:41:28 lag3 charon: 03[CFG] constraint check failed:
RULE_OCSP_VALIDATION is FAILED, but requires at least GOOD
Jul 23 12:41:28 lag3 charon: 03[CFG] selected peer config 'RW_IKEv2_RSA'
inacceptable
Jul 23 12:41:28 lag3 charon: 03[CFG] switching to peer config
'RW_IKEv2_MSEAPV2'
Jul 23 12:41:28 lag3 charon: 03[CFG] constraint requires EAP authentication,
but public key was used
Jul 23 12:41:28 lag3 charon: 03[CFG] selected peer config 'RW_IKEv2_MSEAPV2'
inacceptable
Jul 23 12:41:28 lag3 charon: 03[CFG] switching to peer config 'RW_IKEv1_RSA'
Jul 23 12:41:28 lag3 charon: 03[CFG] constraint check failed:
RULE_OCSP_VALIDATION is FAILED, but requires at least GOOD
Jul 23 12:41:28 lag3 charon: 03[CFG] selected peer config 'RW_IKEv1_RSA'
inacceptable
Jul 23 12:41:28 lag3 charon: 03[CFG] switching to peer config
'RW_IKEv1_PSK_XAUTH'
Jul 23 12:41:28 lag3 charon: 03[CFG] constraint check failed:
RULE_OCSP_VALIDATION is FAILED, but requires at least GOOD
Jul 23 12:41:28 lag3 charon: 03[CFG] selected peer config
'RW_IKEv1_PSK_XAUTH' inacceptable
Jul 23 12:41:28 lag3 charon: 03[CFG] switching to peer config
'RW_IKEv1_RSA_XAUTH'
Jul 23 12:41:28 lag3 charon: 03[CFG] constraint check failed:
RULE_OCSP_VALIDATION is FAILED, but requires at least GOOD
Jul 23 12:41:28 lag3 charon: 03[CFG] selected peer config
'RW_IKEv1_RSA_XAUTH' inacceptable
Jul 23 12:41:28 lag3 charon: 03[CFG] switching to peer config
'RW_IKEv1_L2TP_PSK'
Jul 23 12:41:28 lag3 charon: 03[CFG] constraint check failed:
RULE_OCSP_VALIDATION is FAILED, but requires at least GOOD
Jul 23 12:41:28 lag3 charon: 03[CFG] selected peer config
'RW_IKEv1_L2TP_PSK' inacceptable
Jul 23 12:41:28 lag3 charon: 03[CFG] no alternative config found
Jul 23 12:41:28 lag3 charon: 03[ENC] generating IKE_AUTH response 1 [
N(AUTH_FAILED) ]
Jul 23 12:41:28 lag3 charon: 03[NET] sending packet: from
199.119.201.165[4500] to 117.136.0.7[29600]
Please help.
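The following is an added example; it is not part of the post above and not strongSwan's own code. It builds a throwaway PKI with the openssl CLI and re-runs the check behind the log line "issuer of fetched CRL ... does not match CRL issuer": charon ties a CRL to a CA by key identifier, comparing the CA certificate's subjectKeyIdentifier with the CRL's authorityKeyIdentifier, which is why the second value in that message is a key id rather than a DN. A CRL that carries the right issuer DN but no authorityKeyIdentifier (what `openssl ca -gencrl` produces unless crl_extensions is configured), or one signed by a different key than the CA certificate on the gateway, is therefore unusable, and the status falls back to "not available". With strictcrlpolicy=no such a certificate is still accepted, as in the first charon log; strictcrlpolicy=yes turns that into the rejection in the second log. The script assumes openssl 1.1.1 or newer; "Example CA", "client1" and all file names are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original post and not strongSwan code: a throwaway
# PKI built with the openssl CLI (1.1.1 or newer) that reproduces the check behind
# "issuer of fetched CRL ... does not match CRL issuer". charon ties a CRL to a
# CA by key identifier (CA subjectKeyIdentifier == CRL authorityKeyIdentifier),
# so a CRL with the right issuer DN but no AKI, or one signed by another key,
# is unusable and revocation status becomes "not available".
# All names below (Example CA, client1, file names) are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config: request profile plus one `openssl ca` section.
# `crl_extensions` is deliberately absent, as in a stock openssl.cnf.
write_cnf() {
cat > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Example CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ crl_ext ]
authorityKeyIdentifier = keyid:always
[ pol ]
commonName = supplied
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
serial = serial
crlnumber = crlnumber
default_md = sha256
policy = pol
EOF
}

build_demo_pki() {
    touch index.txt; echo 1000 > serial; echo 01 > crlnumber
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
        -keyout ca.key -out ca.crt >>openssl.log 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj /CN=client1 \
        -keyout client1.key -out client1.csr >>openssl.log 2>&1
    openssl ca -config ca.cnf -batch -notext -days 30 -in client1.csr \
        -out client1.crt >>openssl.log 2>&1
    openssl ca -config ca.cnf -revoke client1.crt >>openssl.log 2>&1
    # Good CRL: carries an AKI that names ca.crt's key.
    openssl ca -config ca.cnf -gencrl -crldays 30 -crlexts crl_ext \
        -out crl.pem >>openssl.log 2>&1
    # Same CA, generated without crl_extensions: no AKI at all.
    openssl ca -config ca.cnf -gencrl -crldays 30 -out crl-noaki.pem >>openssl.log 2>&1
    # A re-keyed CA with the identical DN: the CA cert was regenerated while
    # the crluri still serves CRLs signed by the old key.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
        -keyout rekeyed.key -out rekeyed.crt >>openssl.log 2>&1
}

# subjectKeyIdentifier of a CA certificate, as colon-separated hex.
ca_ski() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Key Identifier/ { getline; gsub(/[ \t]/, ""); print; exit }'
}

# authorityKeyIdentifier of a CRL; empty if the extension is missing.
# OpenSSL 1.1.1 prints it as "keyid:XX:..", 3.x without the prefix.
crl_aki() {
    openssl crl -in "$1" -noout -text |
        awk '/Authority Key Identifier/ { getline; gsub(/[ \t]/, ""); sub(/^keyid:/, ""); print; exit }'
}

# Mirror of charon's acceptance test: the CRL must name the CA's key and the
# CA key must verify the CRL signature; a matching issuer DN alone is not enough.
crl_matches_ca() {  # usage: crl_matches_ca CA.crt CRL.pem
    dn=$(openssl crl -in "$2" -noout -issuer | sed 's/^issuer=//')
    aki=$(crl_aki "$2")
    if [ "$(ca_ski "$1")" != "$aki" ]; then
        echo "issuer of fetched CRL '$dn' does not match CRL issuer '$(ca_ski "$1")'" \
             "(CRL authorityKeyIdentifier: ${aki:-none})"
        return 1
    fi
    openssl crl -in "$2" -noout -verify -CAfile "$1" 2>&1 | grep -q 'verify OK'
}

cert_serial() { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }

# Is the serial (hex, as printed by `openssl x509 -serial`) listed in the CRL?
serial_is_revoked() {  # usage: serial_is_revoked CRL.pem SERIAL
    openssl crl -in "$1" -noout -text | grep -q "Serial Number: $2\$"
}

write_cnf
build_demo_pki
crl_matches_ca ca.crt crl.pem
echo "crl.pem usable; client1 ($(cert_serial client1.crt)) revoked:" \
     "$(serial_is_revoked crl.pem "$(cert_serial client1.crt)" && echo yes || echo no)"
crl_matches_ca ca.crt crl-noaki.pem || echo "-> crl-noaki.pem unusable, status 'not available'"
crl_matches_ca rekeyed.crt crl.pem  || echo "-> crl.pem unusable against the re-keyed CA"
```

Run the same two helper checks against the gateway's own files (the cacert from the ca section and the file the crluri actually serves) to see which of the two causes applies before touching strictcrlpolicy; the key ids printed by ca_ski and crl_aki are what the log line is comparing.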