[strongSwan] FQDN based certificate authentication for ikev2

Reshma Begam reshma.begam at gmail.com
Mon Apr 2 08:07:41 CEST 2012


Hi,

I am trying to establish ikev2 connection between peers
10.0.0.2(initiator)<===========>10.0.0.1(responder).

Generated and distributed (FQDN as identity) based certificates on both
sides. Identity comes as subjAltName in certificates.

I made rightid as %any on responder side to handle any identity of
initiator.

Then I tried ping from initiator and on responder side I get below
error.

Could you please let me know what should be the leftid/rightid and
left/right values on both the ends for successful connection.


Error Logs on responder:
=====================
Apr  1 16:00:00.384479 info CLA-0 charon: 03[IKE] received end entity cert
"C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_ib, E=
gianluigi.ongaro at nsn.com"
Apr  1 16:00:00.384892 info CLA-0 charon: 03[CFG] looking for peer configs
matching 10.0.0.1[10.0.0.1]...10.0.0.2[C=de, ST=Bayern, L=Munich, O=Nokia
Siemens Networks, OU=RTP, CN=ATCA_ib, E=gianluigi.ongaro at nsn.com]
Apr  1 16:00:00.385188 info CLA-0 charon: 03[CFG] no matching peer config
found


Following are the certificates and ipsec.conf file on 10.0.0.2(Initiator):
=======================================================
# cat /etc/ipsec.conf
# ipsec.conf
# FlexiPlatform: IPsec configuration file

config setup
    charonstart=yes
    plutostart=no
    charondebug="knl 0,enc 0,net 0"
conn %default
    auto=route
    keyexchange=ikev2
ca r1~v1
    cacert="/etc/ipsec/certs/ipsec.d//cacerts/cacert.pem"
conn r1~v1
    rekeymargin=200
    rekeyfuzz=100%
    left=10.0.0.2
    right=10.0.0.1
    leftsubnet=10.0.0.0/24
    rightsubnet=10.0.0.0/24
    leftprotoport=1
    rightprotoport=1
    authby=rsasig
    leftcert="/etc/ipsec/certs/ipsec.d//certs/ib-cert.pem"
    leftid=10.0.0.2
    rightid=10.0.0.1
    ike=3des-md5-modp1536!
    esp=3des-md5
    type=tunnel
    ikelifetime=3000s
    keylife=2000s
    mobike=no
    auto=route
    encapdscp=yes
Certificates:
# /usr/local/6bin/ipsec stroke listall

List of X.509 End Entity Certificates:

  altNames:  ib.atca.nsn.com
  subject:  "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,
CN=ATCA_ib, E=gianluigi.ongaro at nsn.com"
  issuer:   "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,
CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
  serial:    03
  validity:  not before Mar 31 09:14:01 2012, ok
             not after  Apr 30 09:14:01 2012, ok (expires in 28 days)
  pubkey:    RSA 1024 bits, has private key
  keyid:     64:a5:3b:a4:42:18:b6:16:e9:47:84:7e:72:e2:0d:ff:52:0b:81:e5
  subjkey:   6f:50:38:73:27:e7:36:93:d8:62:d5:d0:e0:83:df:f8:aa:f1:b9:ed

List of X.509 CA Certificates:

  subject:  "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,
CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
  issuer:   "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,
CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
  serial:    00:a9:d9:3d:5e:b8:7b:a3:4d
  validity:  not before Mar 31 09:14:01 2012, ok
             not after  Apr 30 09:14:01 2012, ok (expires in 28 days)
  pubkey:    RSA 1024 bits
  keyid:     b0:de:5e:b4:0d:d3:1c:4d:25:e7:cf:4c:bc:f3:31:d1:47:03:1e:d5
  subjkey:   29:95:a1:57:17:5e:2b:7a:e0:9d:6d:56:f6:bf:5d:c8:41:1f:44:6f
  authkey:   29:95:a1:57:17:5e:2b:7a:e0:9d:6d:56:f6:bf:5d:c8:41:1f:44:6f

Following are the certificates & ipsec.conf files on 10.0.0.1(Initiator):
====================================================
# cat /etc/ipsec.conf
# ipsec.conf
# FlexiPlatform: IPsec configuration file

config setup
    charonstart=yes
    plutostart=no
    charondebug="knl 0,enc 0,net 0"
conn %default
    auto=route
    keyexchange=ikev2
ca r1~v1
    cacert="/etc/ipsec/certs/ipsec.d//cacerts/cacert.pem"
conn r1~v1
    rekeymargin=200
    rekeyfuzz=100%
    left=10.0.0.1
    right=10.0.0.2
    leftsubnet=10.0.0.0/24
    rightsubnet=10.0.0.0/24
    leftprotoport=1
    rightprotoport=1
    authby=rsasig
    leftcert="/etc/ipsec/certs/ipsec.d//certs/cla-cert.pem"
    leftid=10.0.0.1
    rightid=%any
    ike=3des-md5-modp1536!
    esp=3des-md5
    type=tunnel
    ikelifetime=3000s
    keylife=2000s
    mobike=no
    auto=route
    encapdscp=yes

Certificates:
# /usr/local/6bin/ipsec stroke listall
List of X.509 End Entity Certificates:

  altNames:  cla.atca.nsn.com
  subject:  "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,
CN=ATCA_cla, E=gianluigi.ongaro at nsn.com"
  issuer:   "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,
CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
  serial:    03
  validity:  not before Mar 31 09:14:01 2012, ok
             not after  Apr 30 09:14:01 2012, ok (expires in 28 days)
  pubkey:    RSA 1024 bits, has private key
  keyid:     82:8e:cf:f7:a0:81:9e:00:77:0b:d7:ee:6f:f7:43:8a:d2:73:e4:af
  subjkey:   5f:ed:01:a0:a6:18:fd:12:dd:18:e1:fe:d4:76:a2:ea:4c:8f:e2:74

List of X.509 CA Certificates:

  subject:  "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,
CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
  issuer:   "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,
CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
  serial:    00:a9:d9:3d:5e:b8:7b:a3:4d
  validity:  not before Mar 31 09:14:01 2012, ok
             not after  Apr 30 09:14:01 2012, ok (expires in 28 days)
  pubkey:    RSA 1024 bits
  keyid:     b0:de:5e:b4:0d:d3:1c:4d:25:e7:cf:4c:bc:f3:31:d1:47:03:1e:d5
  subjkey:   29:95:a1:57:17:5e:2b:7a:e0:9d:6d:56:f6:bf:5d:c8:41:1f:44:6f
  authkey:   29:95:a1:57:17:5e:2b:7a:e0:9d:6d:56:f6:bf:5d:c8:41:1f:44:6f


-- 

Regards,
Reshma
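The responder log above shows the initiator authenticating as its certificate's subject DN rather than the 10.0.0.2 it configured as leftid, which is what charon does when the configured identity is not contained in the certificate. The following added check (not part of the post or of strongSwan) parses the identities out of `ipsec stroke listall` output and reports which leftid/rightid values are not bound to a certificate, comparing the posted IP identities with the subjectAltName FQDNs; the listall samples are constructed from the post with the e-mail RDN omitted.

```python
"""Check the identities in ipsec.conf against the certificates charon loaded."""
import re

# Constructed from the two 'ipsec stroke listall' outputs quoted in the post
# (e-mail RDN omitted); on a real host feed the command's output instead.
LISTALL_IB = '''  altNames:  ib.atca.nsn.com
  subject:  "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_ib"'''
LISTALL_CLA = '''  altNames:  cla.atca.nsn.com
  subject:  "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_cla"'''

def parse_end_entity(listall):
    """Return (altnames, subject DN) of the first end-entity certificate in listall output."""
    alt = re.search(r"^\s*altNames:\s*(.+)$", listall, re.M)
    subj = re.search(r'^\s*subject:\s*"([^"]+)"', listall, re.M)
    altnames = [a.strip() for a in alt.group(1).split(",")] if alt else []
    return altnames, (subj.group(1) if subj else "")

def id_in_cert(ident, altnames, subject):
    """An id is bound to the cert if it is a subjectAltName or the subject DN."""
    ident = ident.strip().strip('"')
    return ident.lower() in (a.lower() for a in altnames) or ident == subject

def effective_local_id(leftid, altnames, subject):
    """Identity charon sends: leftid if the certificate contains it, else the subject DN."""
    return leftid if id_in_cert(leftid, altnames, subject) else subject

def check_pair(init_conf, init_cert, resp_conf, resp_cert):
    """Findings for an initiator/responder pair of conns (dicts with leftid/rightid)."""
    findings = []
    for side, conf, cert in (("initiator", init_conf, init_cert), ("responder", resp_conf, resp_cert)):
        if not id_in_cert(conf["leftid"], *cert):
            findings.append(f"{side}: leftid {conf['leftid']} not in its certificate, subject DN sent instead")
    init_id = effective_local_id(init_conf["leftid"], *init_cert)
    resp_id = effective_local_id(resp_conf["leftid"], *resp_cert)
    if resp_conf["rightid"] not in ("%any", init_id):
        findings.append(f"responder: rightid {resp_conf['rightid']} does not match initiator id {init_id}")
    if init_conf["rightid"] not in ("%any", resp_id):
        findings.append(f"initiator: rightid {init_conf['rightid']} does not match responder id {resp_id}")
    return findings

IB, CLA = parse_end_entity(LISTALL_IB), parse_end_entity(LISTALL_CLA)
# Identities exactly as posted: IP addresses that neither certificate contains.
POSTED = check_pair({"leftid": "10.0.0.2", "rightid": "10.0.0.1"}, IB,
                    {"leftid": "10.0.0.1", "rightid": "%any"}, CLA)
# Same pair with the FQDNs from subjectAltName as identities on both ends.
FQDN = check_pair({"leftid": "ib.atca.nsn.com", "rightid": "cla.atca.nsn.com"}, IB,
                  {"leftid": "cla.atca.nsn.com", "rightid": "ib.atca.nsn.com"}, CLA)
if __name__ == "__main__":
    for name, findings in (("as posted", POSTED), ("FQDN ids", FQDN)):
        print(name, findings or "no findings")
```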