[strongSwan] Certificate problem

Luke Pascoe Luke.Pascoe at gen-i.co.nz
Fri Oct 14 01:13:51 CEST 2011


Well wouldn't you know, it appears to have fixed itself :/

Buggered if I know how, but both entries in the listcerts list now say "has private key" and I can connect.

Thanks for the help anyway.

Luke.

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Thursday, 13 October 2011 7:55 p.m.
To: Luke Pascoe
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Certificate problem

Please hold your entrails back!

Are there any error messages while charon loads the private key?
With

  ipsec reloadsecrets

you can force a reload. Also check for failures while loading plugins
when charon is starting up.

Regards

Andreas

On 13.10.2011 07:55, Luke Pascoe wrote:
> Please save me, I'm about to commit Seppuku!
> 
> I'm trying to set up a roadwarrior terminator on Ubuntu 10.04 LTS. I've got a near identical setup working on Ubuntu 9.10 but this new one's being difficult.
> 
> It appears it's not associating the local certificate with its private key properly, even though both appear to be being loaded correctly:
> 
> root at fw:~# ipsec listcerts
> 000  
> 000 List of X.509 End Certificates:
> 000  
> 000 Oct 13 18:28:47 2011, count: 2
> 000        subject:  'C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, E=noc at XX.net.nz'
> 000        issuer:   'CN=XX, C=NZ, ST=N/A, L=Auckland, O=XX.net.nz, E=noc at XX.net.nz'
> 000        serial:    05
> 000        validity:  not before Oct 13 18:27:55 2011 ok
> 000                   not after  Oct 11 18:27:55 2016 ok
> 000        pubkey:    RSA 2048 bits, has private key
> 000        keyid:     50:a2:07:10:19:fd:25:43:d0:e6:ee:1d:08:5c:54:9c:cd:7b:5a:e3
> 000        subjkey:   95:78:c9:25:ca:22:08:a3:6e:3d:f2:da:09:4d:51:9a:50:57:ad:54
> 000        authkey:   5c:4f:af:d8:e8:38:dc:e2:15:f2:4c:88:f3:0e:68:c8:ee:8a:55:b4
> 000        aserial:   00:d2:a1:e8:5e:53:ee:9f:63
> 
> List of X.509 End Entity Certificates:
> 
>   subject:  "C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, E=noc at XX.net.nz"
>   issuer:   "CN=XX, C=NZ, ST=N/A, L=Auckland, O=XX.net.nz, E=noc at XX.net.nz"
>   serial:    05
>   validity:  not before Oct 13 18:27:55 2011, ok
>              not after  Oct 11 18:27:55 2016, ok 
>   pubkey:    RSA 2048 bits
>   keyid:     50:a2:07:10:19:fd:25:43:d0:e6:ee:1d:08:5c:54:9c:cd:7b:5a:e3
>   subjkey:   95:78:c9:25:ca:22:08:a3:6e:3d:f2:da:09:4d:51:9a:50:57:ad:54
>   authkey:   5c:4f:af:d8:e8:38:dc:e2:15:f2:4c:88:f3:0e:68:c8:ee:8a:55:b4
> 
> Note the top says "has private key" but the bottom doesn't. WTF is up with that?
> 
> Here's what I'm getting in the logs when I try to connect, which pretty much matches the above:
> 
> Oct 13 18:03:02 tkh-fw charon: 09[NET] received packet: from 122.63.65.10[500] to x.x.x.x[500]
> Oct 13 18:03:02 tkh-fw charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Oct 13 18:03:02 tkh-fw charon: 09[IKE] 122.63.65.10 is initiating an IKE_SA
> Oct 13 18:03:02 tkh-fw charon: 09[IKE] remote host is behind NAT
> Oct 13 18:03:02 tkh-fw charon: 09[IKE] DH group ECP_192 inacceptable, requesting MODP_2048
> Oct 13 18:03:02 tkh-fw charon: 09[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> Oct 13 18:03:02 tkh-fw charon: 09[NET] sending packet: from x.x.x.x[500] to 122.63.65.10[500]
> Oct 13 18:03:03 tkh-fw charon: 16[NET] received packet: from 122.63.65.10[500] to x.x.x.x[500]
> Oct 13 18:03:03 tkh-fw charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Oct 13 18:03:03 tkh-fw charon: 16[IKE] 122.63.65.10 is initiating an IKE_SA
> Oct 13 18:03:03 tkh-fw charon: 16[IKE] remote host is behind NAT
> Oct 13 18:03:03 tkh-fw charon: 16[IKE] sending cert request for "CN=XX, C=NZ, ST=N/A, L=Auckland, O=XX.net.nz, E=noc at XX.net.nz"
> Oct 13 18:03:03 tkh-fw charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Oct 13 18:03:03 tkh-fw charon: 16[NET] sending packet: from x.x.x.x[500] to 122.63.65.10[500]
> Oct 13 18:03:03 tkh-fw charon: 11[NET] received packet: from 122.63.65.10[4500] to x.x.x.x[4500]
> Oct 13 18:03:03 tkh-fw charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) ]
> Oct 13 18:03:03 tkh-fw charon: 11[IKE] received end entity cert "C=NZ, ST=N/A, O=XX.net.nz, CN=sin, E=luke.pascoe at gen-i.co.nz"
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] looking for peer configs matching x.x.x.x[C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, E=noc at XX.net.nz]...122.63.65.10[C=NZ, ST=N/A, O=XX.net.nz, CN=sin, E=luke.pascoe at gen-i.co.nz]
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] selected peer config 'Roadwarriors'
> Oct 13 18:03:03 tkh-fw charon: 11[CFG]   using certificate "C=NZ, ST=N/A, O=XX.net.nz, CN=sin, E=luke.pascoe at gen-i.co.nz"
> Oct 13 18:03:03 tkh-fw charon: 11[CFG]   using trusted ca certificate "CN=XX, C=NZ, ST=N/A, L=Auckland, O=XX.net.nz, E=noc at XX.net.nz"
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] checking certificate status of "C=NZ, ST=N/A, O=XX.net.nz, CN=sin, E=luke.pascoe at gen-i.co.nz"
> Oct 13 18:03:03 tkh-fw charon: 11[CFG] certificate status is not available
> Oct 13 18:03:03 tkh-fw charon: 11[IKE] authentication of 'C=NZ, ST=N/A, O=XX.net.nz, CN=sin, E=luke.pascoe at gen-i.co.nz' with RSA signature successful
> Oct 13 18:03:03 tkh-fw charon: 11[IKE] peer supports MOBIKE
> Oct 13 18:03:03 tkh-fw charon: 11[IKE] no private key found for 'C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, E=noc at XX.net.nz'
> Oct 13 18:03:03 tkh-fw charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Oct 13 18:03:03 tkh-fw charon: 11[NET] sending packet: from x.x.x.x[4500] to 122.63.65.10[4500]
> 
> This is the pertinent bit:
>> no private key found for 'C=NZ, ST=N/A, O=XX.net.nz, CN=fw-1, E=noc at XX.net.nz'
> 
> Buggered if I know what's going on.
> 
> Any ideas?
> 
> Thanks.
> 
> Luke.

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

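The "has private key" flag in the listcerts output above means charon found a loaded private key whose fingerprint equals the certificate's keyid; when the key was not loaded (or is a different key), the gateway can only answer with N(AUTH_FAILED), exactly as in Luke's log. The script below is an added example for checking that offline, not code from strongSwan or from anyone in this thread. It assumes that the keyid line is SHA-1 over the whole SubjectPublicKeyInfo and the subjkey line is SHA-1 over the subjectPublicKey bits (the RFC 5280 method-1 SubjectKeyIdentifier), which is how listcerts prints them as far as I know; it handles RSA keys only, in PKCS#1 or PKCS#8 form, and the sample key and certificate it builds for a stand-alone run are constructed from arbitrary numbers, not real key material. Feed real files through pem_to_der() and compare the printed keyid with the listcerts line for the gateway certificate.

```python
"""Offline check that an X.509 certificate and an RSA private key belong together,
printing the same keyid / subjkey fingerprints that 'ipsec listcerts' shows.
Added example, not strongSwan code; standard library only; RSA keys only."""
import base64
import hashlib
import re

# AlgorithmIdentifier SEQ { OID 1.2.840.113549.1.1.1 (rsaEncryption), NULL }
RSA_ENCRYPTION_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def pem_to_der(text: str) -> bytes:
    """Strip PEM armour from the first block in text and base64-decode it."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", text, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def der_tlv(data: bytes, pos: int = 0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_children(value: bytes):
    """List the (tag, value) elements inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def der_encode(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content

def spki_from_cert(cert_der: bytes) -> bytes:
    """SubjectPublicKeyInfo from Certificate { tbs, sigAlg, sig } (RFC 5280 field order)."""
    _, cert, _ = der_tlv(cert_der)
    _, tbs, _ = der_tlv(cert)
    fields = der_children(tbs)  # [0] version?, serial, signature, issuer, validity, subject, spki
    if fields[0][0] == 0xA0:  # explicit [0] version tag present
        fields = fields[1:]
    return der_encode(0x30, fields[5][1])

def spki_from_rsa_private_key(key_der: bytes) -> bytes:
    """Rebuild SubjectPublicKeyInfo (n, e) from a PKCS#1 or PKCS#8 RSA private key."""
    _, body, _ = der_tlv(key_der)
    fields = der_children(body)
    if fields[1][0] == 0x30:  # PKCS#8: { version, algId, OCTET STRING { PKCS#1 } }
        _, body, _ = der_tlv(fields[2][1])
        fields = der_children(body)
    n_val, e_val = fields[1][1], fields[2][1]  # RSAPrivateKey: { version, n, e, d, ... }
    rsa_pub = der_encode(0x30, der_encode(0x02, n_val) + der_encode(0x02, e_val))
    return der_encode(0x30, RSA_ENCRYPTION_ALG_ID + der_encode(0x03, b"\x00" + rsa_pub))

def fingerprint(data: bytes) -> str:
    """SHA-1 in the colon-separated form listcerts prints."""
    return ":".join(f"{b:02x}" for b in hashlib.sha1(data).digest())

def keyid(spki: bytes) -> str:
    """'keyid' line: SHA-1 over the whole SubjectPublicKeyInfo (assumed strongSwan rule)."""
    return fingerprint(spki)

def subjkey(spki: bytes) -> str:
    """'subjkey' line: SHA-1 over the subjectPublicKey bits (RFC 5280 SKI method 1)."""
    _, body, _ = der_tlv(spki)
    _, bits = der_children(body)[1]
    return fingerprint(bits[1:])  # drop the BIT STRING unused-bits byte

def cert_matches_key(cert_der: bytes, key_der: bytes) -> bool:
    """True when the certificate carries the public half of the private key."""
    return keyid(spki_from_cert(cert_der)) == keyid(spki_from_rsa_private_key(key_der))

# --- constructed sample data: arbitrary numbers, not a usable key pair ---
SAMPLE_N = b"\x00\xc1" + bytes(range(2, 34))  # INTEGER content, 0x00 pad for the high bit
SAMPLE_E = b"\x01\x00\x01"  # 65537

def make_sample_private_key(n: bytes, e: bytes) -> bytes:
    """PKCS#1 RSAPrivateKey with dummy CRT fields, enough for the parser above."""
    fields = [b"\x00", n, e] + [b"\x01"] * 6
    return der_encode(0x30, b"".join(der_encode(0x02, f) for f in fields))

def make_sample_cert(spki: bytes) -> bytes:
    """Certificate shell around spki: empty names/validity, placeholder signature."""
    empty = der_encode(0x30, b"")
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x05")
                     + RSA_ENCRYPTION_ALG_ID + empty * 3 + spki)
    return der_encode(0x30, tbs + RSA_ENCRYPTION_ALG_ID + der_encode(0x03, b"\x00\x00"))

if __name__ == "__main__":
    key = make_sample_private_key(SAMPLE_N, SAMPLE_E)
    cert = make_sample_cert(spki_from_rsa_private_key(key))
    print("cert keyid  ", keyid(spki_from_cert(cert)), "\ncert subjkey", subjkey(spki_from_cert(cert)))
    print("match:", cert_matches_key(cert, key))
```

If the keyid printed for the certificate file equals the one listcerts shows but cert_matches_key() is False for the key file you pointed ipsec.secrets at, the wrong key is on disk; if it is True and charon still reports "no private key found", the key is not being loaded (a plugin or passphrase problem), which is what Andreas's "ipsec reloadsecrets" and the plugin-load messages are meant to expose.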