[strongSwan] strongswan client configuration

Andreas Steffen andreas.steffen at strongswan.org
Mon Jun 13 11:29:42 CEST 2011


Hello Alexandre,

the peer does not send a certificate payload in the IKE_AUTH response.
Therefore it is not surprising that the following error message is
issued:

no trusted RSA public key found for 'vpn.domain.tld'

If you are using self-signed certificates or raw RSA keys, then
you must import the peer's cert or key locally either via

   rightcert=...

or

   rightrsasigkey=...

whereas the latter approach is deeply deprecated. As an alternative
set up a Certification Authority and issue two signed certificates
for your two endpoints.

Best regards

Andreas

On 06/13/2011 10:50 AM, Alexandre Chapellon wrote:
> OK, finally got my policy problem: I didn't know I had to do ipsec
> route... After doing ipsec route I can see my policies correctly set up.
>
> Unfortunately it still doesn't work, I have the following error message on
> the client side:
>
> initiating IKE_SA horoa[1] to 21.12.5.22
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 172.17.2.71[500] to 21.12.5.22[500]
> received packet: from 21.12.5.22[500] to 172.17.2.71[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> CERTREQ N(MULT_AUTH) ]
> local host is behind NAT, sending keep alives
> received cert request for unknown ca with keyid
> 87:d2:41:4a:86:d0:c2:1d:5e:23:9b:ed:17:2d:bf:a3:95:f4:30:c6
> authentication of 'C=FR, O=customer1, CN=elronde' (myself) with RSA
> signature successful
> sending end entity cert "C=FR, O=customer1, CN=elronde"
> establishing CHILD_SA horoa
> generating IKE_AUTH request 1 [ IDi CERT IDr AUTH CP(ADDR DNS DNS NBNS)
> SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> sending packet: from 172.17.2.71[4500] to 21.12.5.22[4500]
> received packet: from 21.12.5.22[4500] to 172.17.2.71[4500]
> parsed IKE_AUTH response 1 [ IDr AUTH CP(ADDR) SA TSi TSr N(AUTH_LFT)
> N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> no trusted RSA public key found for 'vpn.domain.tld'
>
> Any idea where my config is wrong, or how to further debug it?
>
> On 12/06/2011 16:50, Alexandre Chapellon wrote:
>> Hello,
>>
>> I'm new to strongswan, and not so familiar with ipsec. I want to set up an
>> ipsec VPN gateway for site to site and roadwarriors.
>> I have installed strongswan on a debian 6 system. I have generated x509
>> certificates and rsa keys as described here:
>>
>> http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
>>
>> On the client side I have installed the strongswan network-manager
>> plugin. I can successfully establish vpn connections and route packets
>> from and to the roadwarrior client.
>> I'd like to do the same but without using the network-manager gui... and
>> here it fails.
>> I guess my certs are ok as connections work just fine with the gui. Here is
>> my ipsec.conf on the rw side:
>>
>> config setup
>>        strictcrlpolicy=no
>>        charonstart=yes
>>        plutostart=yes
>>
>> ca horoa
>>        cacert=/home/some1/ssl/pki/ca.crt
>>
>> conn %default
>>        ikelifetime=60m
>>        keylife=20m
>>        rekeymargin=3m
>>        keyingtries=1
>>        keyexchange=ikev2
>>
>> conn strongswan
>>        left=%defaultroute
>>        leftcert=/home/some1/ssl/pki/elronde.crt
>>        leftrsasigkey=/home/some1/ssl/pki/elronde.key
>>        leftsourceip=%config
>>        right=21.12.5.22
>>        rightid=vpn.domain.tld
>>        rightsubnet=172.20.0.0/23
>>        auto=add
>>
>> when I type sudo ipsec up strongswan, the connection seems to come up, but
>> routing does not work and looking at ip xfrm policy I can see there is
>> none. Does anyone know where my issue is?

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
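As an added example (not code from this thread or from the strongSwan project), a small Python triage script that applies the reasoning in Andreas's reply to the quoted charon output: it parses the payload list of each IKE exchange, checks whether the IKE_AUTH response carried a CERT payload, and pairs that with the "no trusted RSA public key" error. The log lines are copied from the thread; the regexes, the `diagnose` function and the remedy wording are my own.

```python
import re

# Charon output copied from the log quoted in the thread above, embedded
# here as one string so the example runs offline.
CHARON_LOG = """\
initiating IKE_SA horoa[1] to 21.12.5.22
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for unknown ca with keyid 87:d2:41:4a:86:d0:c2:1d:5e:23:9b:ed:17:2d:bf:a3:95:f4:30:c6
generating IKE_AUTH request 1 [ IDi CERT IDr AUTH CP(ADDR DNS DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
parsed IKE_AUTH response 1 [ IDr AUTH CP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
no trusted RSA public key found for 'vpn.domain.tld'
"""

EXCHANGE_RE = re.compile(r"^(?:generating|parsed) (\S+) (request|response) \d+ \[ (.*) \]$")
PAYLOAD_RE = re.compile(r"[A-Za-z0-9_]+(?:\([^)]*\))?")   # e.g. CERT, CP(ADDR DNS), N(MOBIKE_SUP)
UNKNOWN_CA_RE = re.compile(r"received cert request for unknown ca with keyid (\S+)")
NO_KEY_RE = re.compile(r"no trusted RSA public key found for '([^']+)'")


def parse_exchanges(log):
    """Map (exchange, direction) -> payload names, e.g. ('IKE_AUTH', 'response') -> ['IDr', 'AUTH', ...]."""
    exchanges = {}
    for line in log.splitlines():
        m = EXCHANGE_RE.match(line)
        if m:
            # Keep only the payload type; drop the parenthesised detail such as N(...) or CP(...).
            names = [tok.split("(")[0] for tok in PAYLOAD_RE.findall(m.group(3))]
            exchanges[(m.group(1), m.group(2))] = names
    return exchanges


def diagnose(log):
    """Did the peer send a CERT payload in IKE_AUTH, and for which identity did trust fail?"""
    exchanges = parse_exchanges(log)
    auth_resp = exchanges.get(("IKE_AUTH", "response"), [])
    unknown_ca = UNKNOWN_CA_RE.search(log)
    no_key = NO_KEY_RE.search(log)
    result = {
        "peer_sent_cert": "CERT" in auth_resp,
        "unknown_ca_keyid": unknown_ca.group(1) if unknown_ca else None,
        "untrusted_peer_id": no_key.group(1) if no_key else None,
        "remedy": None,
    }
    if no_key and not result["peer_sent_cert"]:
        result["remedy"] = ("peer sent no CERT payload: import its certificate locally with rightcert= "
                            "(rightrsasigkey= is deprecated) or issue both endpoint certs from one CA")
    return result


if __name__ == "__main__":
    for key, value in diagnose(CHARON_LOG).items():
        print(f"{key}: {value}")
```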
