[strongSwan] Certificate problem

Luke Pascoe Luke.Pascoe at gen-i.co.nz
Thu Oct 13 22:36:52 CEST 2011 

> Are there any error messages while charon loads the private key?

Oct 14 09:22:17 fw charon: 08[CFG] rereading secrets
Oct 14 09:22:17 fw charon: 08[CFG] loading secrets from 
'/etc/ipsec.secrets'
Oct 14 09:22:17 fw charon: 08[CFG]   loaded private key file 
'/etc/ipsec.d/private/fw-1.key'
Oct 14 09:22:17 fw charon: 08[CFG] line 8: missing ' : ' separator

That separator thing seems to be a common issue, and line 8 is after the key is loaded anyway.

Here's the (redacted) secrets file:

# RCSID $Id: ipsec.secrets.proto,v 1.2 2004/10/05 15:02:29 ken Exp $ 
# This file holds shared secrets or RSA private keys for inter-Pluto 
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation. 

: RSA fw-1.key "XX" 

@fw-1 x.x.x.x: PSK "XX" 
@fw-1 y.y.y.y: PSK "XX" 

@fw-1 @heretic: PSK "XX" 

@fw-1 %any: PSK "XX" 

# RSA private key for this host, authenticating it to any other host 
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS, 
# or configuration of other implementations, can be extracted conveniently 
# with "ipsec showhostkey". 
@fw-1: RSA  { 
        # RSA 2048 bits   tkhfw1   Mon Feb 21 17:07:15 2005 
        # for signatures only, UNSAFE FOR ENCRYPTION 
... 
        }

And the relevant parts of ipsec.conf:

config setup 
        # plutodebug=all 
        # crlcheckinterval=600 
        # strictcrlpolicy=yes 
        # cachecrls=yes 
        nat_traversal=yes 
        charonstart=yes 
        plutostart=yes 
        virtual_private=%v4:172.16.1.0/24 

conn %default 
        pfs=yes 
        keylife=8h 
        rekey=yes 
        rekeymargin=9m 
        rekeyfuzz=100% 
        ikelifetime=1h 
        compress=no 

conn Roadwarriors 
        auto=add 
        authby=rsasig 
        left=x.x.x.x 
        leftnexthop=x.x.x.y 
        leftsubnet=x.x.x.0/24 
        leftcert=fw-1.2011.cert 
        right=%any 
        rightca=%same 
        rightsourceip=172.16.1.0/24 

conn Roadwarriors2 
        auto=add 
        authby=rsasig 
        left=x.x.x.x 
        leftnexthop=x.x.x.y 
        leftsubnet=x.x.x.0/24 
        leftcert=fw-1.2011.cert 
        right=%any 
        rightca=%same 
        rightsubnetwithin=172.16.1.0/24

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Thursday, 13 October 2011 7:55 p.m.
To: Luke Pascoe
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Certificate problem

Please hold your entrails back!

Are there any error messages while charon loads the private key?
with

  ipsec reloadsecrets

you can force a reload. Also check for failures while loading plugins
when charon is starting up.

Regards

Andreas

On 13.10.2011 07:55, Luke Pascoe wrote:
> Please save me, I'm about to commit Seppuku!
> 
> I'm trying to set up a roadwarrior terminator on Ubuntu 10.04 LTS. I've got a near identical setup working on Ubuntu 9.10 but this new one's being difficult.
> 
> It appears it's not associating the local certificate with it's private key properly, even though both appear to be being loaded correctly:
> 
> root at fw:~# ipsec listcerts
> 000  
> 000 List of X.509 End Certificates:
> 000  
> 000 Oct 13 18:28:47 2011, count: 2
> 000        subject:  'C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, E=noc at XX.net.nz'
> 000        issuer:   'CN=XX, C=NZ, ST=N/A, L=Auckland, O=XX.net.nz, E=noc at XX.net.nz'
> 000        serial:    05
> 000        validity:  not before Oct 13 18:27:55 2011 ok
> 000                   not after  Oct 11 18:27:55 2016 ok
> 000        pubkey:    RSA 2048 bits, has private key
> 000        keyid:     50:a2:07:10:19:fd:25:43:d0:e6:ee:1d:08:5c:54:9c:cd:7b:5a:e3
> 000        subjkey:   95:78:c9:25:ca:22:08:a3:6e:3d:f2:da:09:4d:51:9a:50:57:ad:54
> 000        authkey:   5c:4f:af:d8:e8:38:dc:e2:15:f2:4c:88:f3:0e:68:c8:ee:8a:55:b4
> 000        aserial:   00:d2:a1:e8:5e:53:ee:9f:63
> 
> List of X.509 End Entity Certificates:
> 
>   subject:  "C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, E=noc at XX.net.nz"
>   issuer:   "CN=XX, C=NZ, ST=N/A, L=Auckland, O=XX.net.nz, E=noc at XX.net.nz"
>   serial:    05
>   validity:  not before Oct 13 18:27:55 2011, ok
>              not after  Oct 11 18:27:55 2016, ok 
>   pubkey:    RSA 2048 bits
>   keyid:     50:a2:07:10:19:fd:25:43:d0:e6:ee:1d:08:5c:54:9c:cd:7b:5a:e3
>   subjkey:   95:78:c9:25:ca:22:08:a3:6e:3d:f2:da:09:4d:51:9a:50:57:ad:54
>   authkey:   5c:4f:af:d8:e8:38:dc:e2:15:f2:4c:88:f3:0e:68:c8:ee:8a:55:b4
> 
> Note the top says "has private key" but the bottom doesn't. WTF is up with that?
> 
> Here's what I'm getting in the logs when I try to connect, which pretty much matches the above:
> 
> Oct 13 18:03:02 tkh-fw charon: 09[NET] received packet: from 122.63.65.10[500] to x.x.x.x[500]
> Oct 13 18:03:02 tkh-fw charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Oct 13 18:03:02 tkh-fw charon: 09[IKE] 122.63.65.10 is initiating an IKE_SA
> Oct 13 18:03:02 tkh-fw charon: 09[IKE] remote host is behind NAT
> Oct 13 18:03:02 tkh-fw charon: 09[IKE] DH group ECP_192 inacceptable, requesting MODP_2048
> Oct 13 18:03:02 tkh-fw charon: 09[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> Oct 13 18:03:02 tkh-fw charon: 09[NET] sending packet: from x.x.x.x[500] to 122.63.65.10[500]
> Oct 13 18:03:03 tkh-fw charon: 16[NET] received packet: from 122.63.65.10[500] to x.x.x.x[500]
> Oct 13 18:03:03 tkh-fw charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Oct 13 18:03:03 tkh-fw charon: 16[IKE] 122.63.65.10 is initiating an IKE_SA
> Oct 13 18:03:03 tkh-fw charon: 16[IKE] remote host is behind NAT
> Oct 13 18:03:03 tkh-fw charon: 16[IKE] sending cert request for "CN=XX, C=NZ, ST=N/A, L=Auckland, O=XX.net.nz, E=noc at XX.net.nz"
> Oct 13 18:03:03 tkh-fw charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Oct 13 18:03:03 tkh-fw charon: 16[NET] sending packet: from x.x.x.x[500] to 122.63.65.10[500]
> Oct 13 18:03:03 tkh-fw charon: 11[NET] received packet: from 122.63.65.10[4500] to x.x.x.x[4500]
> Oct 13 18:03:03 tkh-fw charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) ]
> Oct 13 18:03:03 tkh-fw charon: 11[IKE] received end entity cert "C=NZ, ST=N/A, O=XX.net.nz, CN=sin, E=luke.pascoe at gen-i.co.nz"
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] looking for peer configs matching x.x.x.x[C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, E=noc at XX.net.nz]...122.63.65.10[C=NZ, ST=N/A, O=XX.net.nz, CN=sin, E=luke.pascoe at gen-i.co.nz]
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] selected peer config 'Roadwarriors'
> Oct 13 18:03:03 tkh-fw charon: 11[CFG]   using certificate "C=NZ, ST=N/A, O=XX.net.nz, CN=sin, E=luke.pascoe at gen-i.co.nz"
> Oct 13 18:03:03 tkh-fw charon: 11[CFG]   using trusted ca certificate "CN=XX, C=NZ, ST=N/A, L=Auckland, O=XX.net.nz, E=noc at XX.net.nz"
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] checking certificate status of "C=NZ, ST=N/A, O=XX.net.nz, CN=sin, E=luke.pascoe at gen-i.co.nz"
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] certificate status is not available
> Oct 13 18:03:03 tkh-fw charon: 11[IKE] authentication of 'C=NZ, ST=N/A, O=XX.net.nz, CN=sin, E=luke.pascoe at gen-i.co.nz' with RSA signature successful
> Oct 13 18:03:03 tkh-fw charon: 11[IKE] peer supports MOBIKE
> Oct 13 18:03:03 tkh-fw charon: 11[IKE] no private key found for 'C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, E=noc at XX.net.nz'
> Oct 13 18:03:03 tkh-fw charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Oct 13 18:03:03 tkh-fw charon: 11[NET] sending packet: from x.x.x.x[4500] to 122.63.65.10[4500]
> 
> This is the pertinent bit:
>> no private key found for 'C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, E=noc at XX.net.nz'
> 
> Buggered if I know what's going on.
> 
> Any ideas?
> 
> Thanks.
> 
> Luke.

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

Mgate3.telecom.co.nz made the following annotations
---------------------------------------------------------------------
This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.
---------------------------------------------------------------------

More information about the Users mailing list