[strongSwan] FQDN based certificate authentication for ikev2

Andreas Steffen andreas.steffen at strongswan.org
Mon Apr 2 09:00:22 CEST 2012


Hi Reshma,

if you want to use FQDNs as IDs then you must set rightid and
leftid accordingly:

On the initiator 10.0.0.2:

   left=10.0.0.2
   leftcert="/etc/ipsec/certs/ipsec.d//certs/ib-cert.pem"
   leftid=ib.atca.nsn.com
   right=10.0.0.1
   rightid=cla.atca.nsn.com

On the responder 10.0.0.1:

   left=10.0.0.1
   leftcert="/etc/ipsec/certs/ipsec.d//certs/cla-cert.pem"
   leftid=cla.atca.nsn.com
   right=%any

Regards

Andreas

On 04/02/2012 08:07 AM, Reshma Begam wrote:
> Hi,
>
> I am trying to establish ikev2 connection between peers
> 10.0.0.2(initiator)<===========>10.0.0.1(responder).
>
> Generated and distributed (FQDN as identity) based certificates on both
> sides. Identity comes as subjectAltName in Certificates.
>
> I made rightid as %any on responder side to handle any identity of
> initiator.
>
> Then I tried ping from initiator and on responder side I get the below error.
>
> Could you please let me know what should be the leftid/rightid and
> left/right values on both the ends for successful connection.
>
>
> Error Logs on responder:
> =====================
> Apr  1 16:00:00.384479 info CLA-0 charon: 03[IKE] received end entity
> cert "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,
> CN=ATCA_ib, E=gianluigi.ongaro at nsn.com"
> Apr  1 16:00:00.384892 info CLA-0 charon: 03[CFG] looking for peer
> configs matching 10.0.0.1[10.0.0.1]...10.0.0.2[C=de, ST=Bayern,
> L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_ib,
> E=gianluigi.ongaro at nsn.com]
> Apr  1 16:00:00.385188 info CLA-0 charon: 03[CFG] no matching peer
> config found
>
>
> Following are the certificates and ipsec.conf file on
> 10.0.0.2(Initiator):
> =======================================================
> # cat /etc/ipsec.conf
> # ipsec.conf
> # FlexiPlatform: IPsec configuration file
>
> config setup
>      charonstart=yes
>      plutostart=no
>      charondebug="knl 0,enc 0,net 0"
> conn %default
>      auto=route
>      keyexchange=ikev2
> ca r1~v1
>      cacert="/etc/ipsec/certs/ipsec.d//cacerts/cacert.pem"
> conn r1~v1
>      rekeymargin=200
>      rekeyfuzz=100%
>      left=10.0.0.2
>      right=10.0.0.1
>      leftsubnet=10.0.0.0/24
>      rightsubnet=10.0.0.0/24
>      leftprotoport=1
>      rightprotoport=1
>      authby=rsasig
>      leftcert="/etc/ipsec/certs/ipsec.d//certs/ib-cert.pem"
>      leftid=10.0.0.2
>      rightid=10.0.0.1
>      ike=3des-md5-modp1536!
>      esp=3des-md5
>      type=tunnel
>      ikelifetime=3000s
>      keylife=2000s
>      mobike=no
>      auto=route
>      encapdscp=yes
>
> Certificates:
> # /usr/local/6bin/ipsec stroke listall
>
> List of X.509 End Entity Certificates:
>
>    altNames: ib.atca.nsn.com
>    subject: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks,
> OU=RTP, CN=ATCA_ib, E=gianluigi.ongaro at nsn.com"
>    issuer: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,
> CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
>    serial:    03
>    validity:  not before Mar 31 09:14:01 2012, ok
>               not after  Apr 30 09:14:01 2012, ok (expires in 28 days)
>    pubkey:    RSA 1024 bits, has private key
>    keyid:     64:a5:3b:a4:42:18:b6:16:e9:47:84:7e:72:e2:0d:ff:52:0b:81:e5
>    subjkey:   6f:50:38:73:27:e7:36:93:d8:62:d5:d0:e0:83:df:f8:aa:f1:b9:ed
>
> List of X.509 CA Certificates:
>
>    subject: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks,
> OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
>    issuer: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,
> CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
>    serial:    00:a9:d9:3d:5e:b8:7b:a3:4d
>    validity:  not before Mar 31 09:14:01 2012, ok
>               not after  Apr 30 09:14:01 2012, ok (expires in 28 days)
>    pubkey:    RSA 1024 bits
>    keyid:     b0:de:5e:b4:0d:d3:1c:4d:25:e7:cf:4c:bc:f3:31:d1:47:03:1e:d5
>    subjkey:   29:95:a1:57:17:5e:2b:7a:e0:9d:6d:56:f6:bf:5d:c8:41:1f:44:6f
>    authkey:   29:95:a1:57:17:5e:2b:7a:e0:9d:6d:56:f6:bf:5d:c8:41:1f:44:6f
>
> Following are the certificates & ipsec.conf files on 10.0.0.1(Initiator):
> ====================================================
> # cat /etc/ipsec.conf
> # ipsec.conf
> # FlexiPlatform: IPsec configuration file
>
> config setup
>      charonstart=yes
>      plutostart=no
>      charondebug="knl 0,enc 0,net 0"
> conn %default
>      auto=route
>      keyexchange=ikev2
> ca r1~v1
>      cacert="/etc/ipsec/certs/ipsec.d//cacerts/cacert.pem"
> conn r1~v1
>      rekeymargin=200
>      rekeyfuzz=100%
>      left=10.0.0.1
>      right=10.0.0.2
>      leftsubnet=10.0.0.0/24
>      rightsubnet=10.0.0.0/24
>      leftprotoport=1
>      rightprotoport=1
>      authby=rsasig
>      leftcert="/etc/ipsec/certs/ipsec.d//certs/cla-cert.pem"
>      leftid=10.0.0.1
>      rightid=%any
>      ike=3des-md5-modp1536!
>      esp=3des-md5
>      type=tunnel
>      ikelifetime=3000s
>      keylife=2000s
>      mobike=no
>      auto=route
>      encapdscp=yes
>
> Certificates:
> # /usr/local/6bin/ipsec stroke listall
> List of X.509 End Entity Certificates:
>
>    altNames: cla.atca.nsn.com
>    subject: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks,
> OU=RTP, CN=ATCA_cla, E=gianluigi.ongaro at nsn.com"
>    issuer: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,
> CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
>    serial:    03
>    validity:  not before Mar 31 09:14:01 2012, ok
>               not after  Apr 30 09:14:01 2012, ok (expires in 28 days)
>    pubkey:    RSA 1024 bits, has private key
>    keyid:     82:8e:cf:f7:a0:81:9e:00:77:0b:d7:ee:6f:f7:43:8a:d2:73:e4:af
>    subjkey:   5f:ed:01:a0:a6:18:fd:12:dd:18:e1:fe:d4:76:a2:ea:4c:8f:e2:74
>
> List of X.509 CA Certificates:
>
>    subject: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks,
> OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
>    issuer: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,
> CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
>    serial:    00:a9:d9:3d:5e:b8:7b:a3:4d
>    validity:  not before Mar 31 09:14:01 2012, ok
>               not after  Apr 30 09:14:01 2012, ok (expires in 28 days)
>    pubkey:    RSA 1024 bits
>    keyid:     b0:de:5e:b4:0d:d3:1c:4d:25:e7:cf:4c:bc:f3:31:d1:47:03:1e:d5
>    subjkey:   29:95:a1:57:17:5e:2b:7a:e0:9d:6d:56:f6:bf:5d:c8:41:1f:44:6f
>    authkey:   29:95:a1:57:17:5e:2b:7a:e0:9d:6d:56:f6:bf:5d:c8:41:1f:44:6f
>
>
> --
> Regards,
> Reshma

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
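As an added illustration (not strongSwan code and not part of the thread), a small Python model of the rule behind Andreas's answer: a leftid/rightid must name an identity the peer's certificate actually carries (its subject DN or one of its subjectAltNames), checked against the IDs from this thread, plus a parser for charon's "looking for peer configs matching" log line. The DN strings and the log line are transcribed and shortened from the quoted mail; the E= component of the DN is left out.

```python
"""Model of the strongSwan identity rule discussed in this thread (added
example): a configured ID is usable only if it appears in the certificate.
Functions and data are our own; the values are transcribed from the mail."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Cert:
    subject: str                                   # DN as 'ipsec listall' prints it
    alt_names: list = field(default_factory=list)  # subjectAltName entries


def id_type(config_id: str) -> str:
    """Infer the IKE ID type from the leftid/rightid string syntax."""
    if config_id == "%any":
        return "ANY"
    try:
        ipaddress.ip_address(config_id)
        return "IPV4_ADDR"
    except ValueError:
        pass
    if "=" in config_id:
        return "DER_ASN1_DN"
    return "RFC822_ADDR" if "@" in config_id else "FQDN"


def id_matches(config_id: str, cert: Cert) -> bool:
    """True if the configured ID is one of the identities the cert carries."""
    if config_id == "%any":
        return True
    return config_id in {cert.subject, *cert.alt_names}


LOOKUP_RE = re.compile(r"looking for peer configs matching "
                       r"(?P<my_addr>[^\s\[]+)\[(?P<my_id>[^\]]*)\]\.\.\."
                       r"(?P<peer_addr>[^\s\[]+)\[(?P<peer_id>[^\]]*)\]")


def parse_lookup(line: str) -> Optional[dict]:
    """Extract both addresses and both IKE identities from the charon log line."""
    m = LOOKUP_RE.search(line)
    return m.groupdict() if m else None


# Transcribed (shortened) from Reshma's initiator-side 'ipsec stroke listall'.
IB_CERT = Cert(subject="C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, "
                       "OU=RTP, CN=ATCA_ib",
               alt_names=["ib.atca.nsn.com"])

if __name__ == "__main__":
    for cfg in ("10.0.0.2", "ib.atca.nsn.com"):  # leftid before / after the fix
        print(f"leftid={cfg:16} type={id_type(cfg):12} in cert: {id_matches(cfg, IB_CERT)}")
```

Running it shows the IP-typed leftid from the original config is not an identity of ib-cert.pem, while the FQDN Andreas suggests is its altName.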