[strongSwan] Certificate problem

Andreas Steffen andreas.steffen at strongswan.org
Thu Oct 13 08:55:09 CEST 2011


Please hold your entrails back!

Are there any error messages while charon loads the private key?
With

  ipsec reloadsecrets

you can force a reload. Also check for failures while loading plugins
when charon is starting up.

Regards

Andreas

On 13.10.2011 07:55, Luke Pascoe wrote:
> Please save me, I'm about to commit Seppuku!
> 
> I'm trying to set up a roadwarrior terminator on Ubuntu 10.04 LTS. I've got a near identical setup working on Ubuntu 9.10 but this new one's being difficult.
> 
> It appears it's not associating the local certificate with its private key properly, even though both appear to be being loaded correctly:
> 
> root at fw:~# ipsec listcerts
> 000  
> 000 List of X.509 End Certificates:
> 000  
> 000 Oct 13 18:28:47 2011, count: 2
> 000        subject:  'C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, E=noc at XX.net.nz'
> 000        issuer:   'CN=XX, C=NZ, ST=N/A, L=Auckland, O=XX.net.nz, E=noc at XX.net.nz'
> 000        serial:    05
> 000        validity:  not before Oct 13 18:27:55 2011 ok
> 000                   not after  Oct 11 18:27:55 2016 ok
> 000        pubkey:    RSA 2048 bits, has private key
> 000        keyid:     50:a2:07:10:19:fd:25:43:d0:e6:ee:1d:08:5c:54:9c:cd:7b:5a:e3
> 000        subjkey:   95:78:c9:25:ca:22:08:a3:6e:3d:f2:da:09:4d:51:9a:50:57:ad:54
> 000        authkey:   5c:4f:af:d8:e8:38:dc:e2:15:f2:4c:88:f3:0e:68:c8:ee:8a:55:b4
> 000        aserial:   00:d2:a1:e8:5e:53:ee:9f:63
> 
> List of X.509 End Entity Certificates:
> 
>   subject:  "C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, E=noc at XX.net.nz"
>   issuer:   "CN=XX, C=NZ, ST=N/A, L=Auckland, O=XX.net.nz, E=noc at XX.net.nz"
>   serial:    05
>   validity:  not before Oct 13 18:27:55 2011, ok
>              not after  Oct 11 18:27:55 2016, ok 
>   pubkey:    RSA 2048 bits
>   keyid:     50:a2:07:10:19:fd:25:43:d0:e6:ee:1d:08:5c:54:9c:cd:7b:5a:e3
>   subjkey:   95:78:c9:25:ca:22:08:a3:6e:3d:f2:da:09:4d:51:9a:50:57:ad:54
>   authkey:   5c:4f:af:d8:e8:38:dc:e2:15:f2:4c:88:f3:0e:68:c8:ee:8a:55:b4
> 
> Note the top says "has private key" but the bottom doesn't. WTF is up with that?
> 
> Here's what I'm getting in the logs when I try to connect, which pretty much matches the above:
> 
> Oct 13 18:03:02 tkh-fw charon: 09[NET] received packet: from 122.63.65.10[500] to x.x.x.x[500]
> Oct 13 18:03:02 tkh-fw charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Oct 13 18:03:02 tkh-fw charon: 09[IKE] 122.63.65.10 is initiating an IKE_SA
> Oct 13 18:03:02 tkh-fw charon: 09[IKE] remote host is behind NAT
> Oct 13 18:03:02 tkh-fw charon: 09[IKE] DH group ECP_192 inacceptable, requesting MODP_2048
> Oct 13 18:03:02 tkh-fw charon: 09[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> Oct 13 18:03:02 tkh-fw charon: 09[NET] sending packet: from x.x.x.x[500] to 122.63.65.10[500]
> Oct 13 18:03:03 tkh-fw charon: 16[NET] received packet: from 122.63.65.10[500] to x.x.x.x[500]
> Oct 13 18:03:03 tkh-fw charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Oct 13 18:03:03 tkh-fw charon: 16[IKE] 122.63.65.10 is initiating an IKE_SA
> Oct 13 18:03:03 tkh-fw charon: 16[IKE] remote host is behind NAT
> Oct 13 18:03:03 tkh-fw charon: 16[IKE] sending cert request for "CN=XX, C=NZ, ST=N/A, L=Auckland, O=XX.net.nz, E=noc at XX.net.nz"
> Oct 13 18:03:03 tkh-fw charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Oct 13 18:03:03 tkh-fw charon: 16[NET] sending packet: from x.x.x.x[500] to 122.63.65.10[500]
> Oct 13 18:03:03 tkh-fw charon: 11[NET] received packet: from 122.63.65.10[4500] to x.x.x.x[4500]
> Oct 13 18:03:03 tkh-fw charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) ]
> Oct 13 18:03:03 tkh-fw charon: 11[IKE] received end entity cert "C=NZ, ST=N/A, O=XX.net.nz, CN=sin, E=luke.pascoe at gen-i.co.nz"
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] looking for peer configs matching x.x.x.x[C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, E=noc at XX.net.nz]...122.63.65.10[C=NZ, ST=N/A, O=XX.net.nz, CN=sin, E=luke.pascoe at gen-i.co.nz]
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] selected peer config 'Roadwarriors'
> Oct 13 18:03:03 tkh-fw charon: 11[CFG]   using certificate "C=NZ, ST=N/A, O=XX.net.nz, CN=sin, E=luke.pascoe at gen-i.co.nz"
> Oct 13 18:03:03 tkh-fw charon: 11[CFG]   using trusted ca certificate "CN=XX, C=NZ, ST=N/A, L=Auckland, O=XX.net.nz, E=noc at XX.net.nz"
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] checking certificate status of "C=NZ, ST=N/A, O=XX.net.nz, CN=sin, E=luke.pascoe at gen-i.co.nz"
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] certificate status is not available
> Oct 13 18:03:03 tkh-fw charon: 11[IKE] authentication of 'C=NZ, ST=N/A, O=XX.net.nz, CN=sin, E=luke.pascoe at gen-i.co.nz' with RSA signature successful
> Oct 13 18:03:03 tkh-fw charon: 11[IKE] peer supports MOBIKE
> Oct 13 18:03:03 tkh-fw charon: 11[IKE] no private key found for 'C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, E=noc at XX.net.nz'
> Oct 13 18:03:03 tkh-fw charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Oct 13 18:03:03 tkh-fw charon: 11[NET] sending packet: from x.x.x.x[4500] to 122.63.65.10[4500]
> 
> This is the pertinent bit:
>> no private key found for 'C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, E=noc at XX.net.nz'
> 
> Buggered if I know what's going on.
> 
> Any ideas?
> 
> Thanks.
> 
> Luke.

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
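charon ties a certificate to a loaded private key by the public key's fingerprint, which is what `ipsec listcerts` prints as keyid (SHA-1 over the DER SubjectPublicKeyInfo) and, for a certificate without a SubjectKeyIdentifier extension, subjkey (SHA-1 over the raw subjectPublicKey). The Python below is an added illustration, not code from this thread or from strongSwan: it rebuilds both fingerprints from an RSA public key's (n, e) with a minimal DER encoder and models the lookup that ends in "no private key found" when the key charon loaded does not belong to the certificate; the key parameters are constructed toy values, and `find_private_key` is a simplified model of charon's lookup, not its real API.

```python
import hashlib
# Minimal DER encoder: only the primitives an RSA SubjectPublicKeyInfo needs.
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b  # leading zero keeps the INTEGER positive
    return der(0x02, b)

RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1

def rsa_public_key_der(n, e):
    # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    return der(0x30, der_int(n) + der_int(e))

def spki_der(n, e):
    # SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, subjectPublicKey BIT STRING }
    alg = der(0x30, RSA_ENCRYPTION + b"\x05\x00")         # rsaEncryption with NULL params
    bits = der(0x03, b"\x00" + rsa_public_key_der(n, e))  # BIT STRING, 0 unused bits
    return der(0x30, alg + bits)

def colon_hex(digest):
    return ":".join(f"{b:02x}" for b in digest)

def keyid(n, e):
    """'keyid' as ipsec listcerts prints it: SHA-1 over the DER SubjectPublicKeyInfo."""
    return colon_hex(hashlib.sha1(spki_der(n, e)).digest())

def subjkey(n, e):
    """'subjkey' for a cert without a SubjectKeyIdentifier: SHA-1 over the raw subjectPublicKey."""
    return colon_hex(hashlib.sha1(rsa_public_key_der(n, e)).digest())

def find_private_key(cert_n, cert_e, loaded_keys):
    """Simplified model of charon's lookup (not strongSwan's real API): the keyid of the
    loaded key whose public part matches the certificate, or None, which is the
    'no private key found for ...' case seen in the log above."""
    want = keyid(cert_n, cert_e)
    return next((want for n, e in loaded_keys if keyid(n, e) == want), None)
# Constructed toy parameters (far too small for real use), not real key material.
CERT_N, CERT_E = 0xC0FFEE1234567890ABCDEF0123456789, 65537
OTHER_N = 0xDEADBEEF9876543210FEDCBA9876543211
LOADED_KEYS = [(OTHER_N, 65537), (CERT_N, CERT_E)]  # what charon managed to load
```

To check a real pair, feed the modulus and exponent of the certificate and of the key file into `keyid` and compare the result with the keyid line from `ipsec listcerts`; a mismatch means the key charon loaded is not the one the certificate was issued for.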