[strongSwan] strongswan client configuration

Alexandre Chapellon a.chapellon at horoa.net
Mon Jun 13 13:07:12 CEST 2011


Thanks Andreas,

It now works as expected.
I added the peer (VPN gateway... let's say Moon) certificate generated 
with my self-signed CA.
I have another question (well a lot in fact):

When using gnome-nm here is what I need to configure the ipsec tunnel on 
the client (carol) side:

  - CA Certificate
  - Carol's Certificate
  - Carol's Private key
  - Ask for virtual IP.

When using CLI:
  - Moon's certificate
  - Carol's Certificate
  - Carol's private key
  - Ask for virtual IP

How come it is different?

On 13/06/2011 11:29, Andreas Steffen wrote:
> Hello Alexandre,
>
> the peer does not send a certificate payload in the IKE_AUTH response.
> Therefore it is not surprising that the following error message is
> issued:
>
> no trusted RSA public key found for 'vpn.domain.tld'
>
> If you are using self-signed certificates or raw RSA keys, then
> you must import the peer's cert or key locally either via
>
>   rightcert=...
>
> or
>
>   rightrsasigkey=...
>
> whereas the latter approach is deeply deprecated. As an alternative
> set up a Certification Authority and issue two signed certificates
> for your two endpoints.
>
> Best regards
>
> Andreas
>
> On 06/13/2011 10:50 AM, Alexandre Chapellon wrote:
>> OK, finally got my policy problem: I didn't know I had to do ipsec
>> route... After doing ipsec route I can see my policies correctly set up.
>>
>> Unfortunately it still doesn't work, I have the following error message on
>> the client side:
>>
>> initiating IKE_SA horoa[1] to 21.12.5.22
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> sending packet: from 172.17.2.71[500] to 21.12.5.22[500]
>> received packet: from 21.12.5.22[500] to 172.17.2.71[500]
>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> CERTREQ N(MULT_AUTH) ]
>> local host is behind NAT, sending keep alives
>> received cert request for unknown ca with keyid
>> 87:d2:41:4a:86:d0:c2:1d:5e:23:9b:ed:17:2d:bf:a3:95:f4:30:c6
>> authentication of 'C=FR, O=customer1, CN=elronde' (myself) with RSA
>> signature successful
>> sending end entity cert "C=FR, O=customer1, CN=elronde"
>> establishing CHILD_SA horoa
>> generating IKE_AUTH request 1 [ IDi CERT IDr AUTH CP(ADDR DNS DNS NBNS)
>> SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>> sending packet: from 172.17.2.71[4500] to 21.12.5.22[4500]
>> received packet: from 21.12.5.22[4500] to 172.17.2.71[4500]
>> parsed IKE_AUTH response 1 [ IDr AUTH CP(ADDR) SA TSi TSr N(AUTH_LFT)
>> N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>> no trusted RSA public key found for 'vpn.domain.tld'
>>
>> Any idea where my config is wrong, or how to further debug it?
>>
>> On 12/06/2011 16:50, Alexandre Chapellon wrote:
>>> Hello,
>>>
>>> I'm new to strongswan, and not so familiar with ipsec. I want to set up an
>>> ipsec VPN gateway for site to site and roadwarriors.
>>> I have installed strongswan on a debian 6 system. I have generated x509
>>> certificates and rsa keys as described here:
>>>
>>> http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
>>>
>>> On the client side I have installed the strongswan network-manager
>>> plugin. I can successfully establish vpn connections and route packets
>>> from and to the roadwarrior client.
>>> I'd like to do the same but without using the network-manager gui...
>>> and here it fails.
>>> I guess my certs are ok as connections work just fine with the gui.
>>> Here is my ipsec.conf on the rw side:
>>>
>>> config setup
>>>        strictcrlpolicy=no
>>>        charonstart=yes
>>>        plutostart=yes
>>>
>>> ca horoa
>>>        cacert=/home/some1/ssl/pki/ca.crt
>>>
>>> conn %default
>>>        ikelifetime=60m
>>>        keylife=20m
>>>        rekeymargin=3m
>>>        keyingtries=1
>>>        keyexchange=ikev2
>>>
>>> conn strongswan
>>>        left=%defaultroute
>>>        leftcert=/home/some1/ssl/pki/elronde.crt
>>>        leftrsasigkey=/home/some1/ssl/pki/elronde.key
>>>        leftsourceip=%config
>>>        right=21.12.5.22
>>>        rightid=vpn.domain.tld
>>>        rightsubnet=172.20.0.0/23
>>>        auto=add
>>>
>>> when I type sudo ipsec up strongswan, the connection seems to come up, but
>>> routing does not work and looking at ip xfrm policy I can see there is
>>> none. Does anyone know where my issue is?
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
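As an added example (not the poster's own file, nor strongSwan project code), here is how the two certificate set-ups from Andreas's reply look side by side in carol's ipsec.conf, reusing the addresses and paths from the thread; the Moon certificate path and the CA DN are assumed placeholders.

```conf
# Added example, not the original poster's configuration. It assumes Moon's
# certificate was copied to /etc/ipsec.d/certs/moon.crt (hypothetical path)
# and that carol's private key is listed in ipsec.secrets, which is where
# strongSwan reads private keys from (leftrsasigkey= is for raw public keys):
#
#   : RSA /home/some1/ssl/pki/elronde.key
#
config setup
        strictcrlpolicy=no
        charonstart=yes
        plutostart=no          # IKEv2 only, pluto (IKEv1) is not needed

conn %default
        keyexchange=ikev2
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        left=%defaultroute
        leftcert=/home/some1/ssl/pki/elronde.crt
        leftsourceip=%config   # request a virtual IP from the gateway
        right=21.12.5.22
        rightid=vpn.domain.tld
        rightsubnet=172.20.0.0/23

# Case 1: Moon's certificate is self-signed, i.e. not issued by a CA carol
# trusts, and Moon sends no CERT payload in IKE_AUTH. Carol must therefore
# hold Moon's certificate locally. This is the "Moon's certificate" item
# of the CLI list.
conn moon-selfsigned
        rightcert=/etc/ipsec.d/certs/moon.crt
        auto=add

# Case 2: both end-entity certificates were issued by the same CA. Carol's
# CERTREQ names that CA, Moon answers with its certificate, and carol
# verifies it against cacert. This is the "CA Certificate" item of the
# NetworkManager list, so no copy of Moon's certificate is needed.
ca horoa
        cacert=/home/some1/ssl/pki/ca.crt
        auto=add

conn moon-ca
        rightca="C=FR, O=customer1, CN=horoa CA"   # constructed CA DN
        auto=add
```

After `ipsec reload`, `ipsec listcerts` and `ipsec listcacerts` show which end-entity and CA certificates charon actually loaded, which is the first thing to check when "no trusted RSA public key found" appears.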