[strongSwan] FQDN based certificate authentication for ikev2

Reshma Begam reshma.begam at gmail.com
Mon Apr 2 11:14:55 CEST 2012


Hi Andreas,

 Thanks for the response and this works.

Also, how can we assign the identity info from the cert files to leftid/rightid
instead of explicitly defining them?

Example: I am looking for something like leftid=%fromcert

leftid=%fromcert and leftid=%leftcert --> I tried both of these options on the
responder side instead of leftid=cla.atca.nsn.com, but it doesn't work.

Could you please comment on what the wildcard entries should be on both sides
to achieve these assignments using certs?

Thanks,
Reshma



On Mon, Apr 2, 2012 at 12:30 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hi Reshma,
>
> if you want to use FQDNs as IDs then you must set rightid and
> leftid accordingly:
>
> On the initiator 10.0.0.2:
>
>  left=10.0.0.2
>  leftcert="/etc/ipsec/certs/ipsec.d//certs/ib-cert.pem"
>  leftid=ib.atca.nsn.com
>  right=10.0.0.1
>  rightid=cla.atca.nsn.com
>
> On the responder 10.0.0.1:
>
>  left=10.0.0.1
>  leftcert="/etc/ipsec/certs/ipsec.d//certs/cla-cert.pem"
>  leftid=cla.atca.nsn.com
>  right=%any
>
> Regards
>
> Andreas
>
>
> On 04/02/2012 08:07 AM, Reshma Begam wrote:
>
>> Hi,
>>
>> I am trying to establish ikev2 connection between peers
>> 10.0.0.2(initiator)<===========>10.0.0.1(responder).
>>
>> Generated and distributed FQDN-based (FQDN as identity) certificates on both
>> sides. The identity comes as a subjectAltName in the certificates.
>>
>> I set rightid to %any on the responder side to handle any identity of the
>> initiator.
>>
>> Then I tried a ping from the initiator, and on the responder side I get the
>> error below.
>>
>> Could you please let me know what the leftid/rightid and left/right values
>> should be on both ends for a successful connection?
>>
>>
>> Error logs on responder:
>> =====================
>>
>> Apr  1 16:00:00.384479 info CLA-0 charon: 03[IKE] received end entity
>> cert "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,
>> CN=ATCA_ib, E=gianluigi.ongaro at nsn.com"
>>
>> Apr  1 16:00:00.384892 info CLA-0 charon: 03[CFG] looking for peer
>> configs matching 10.0.0.1[10.0.0.1]...10.0.0.2[C=de, ST=Bayern,
>> L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_ib,
>> E=gianluigi.ongaro at nsn.com]
>>
>> Apr  1 16:00:00.385188 info CLA-0 charon: 03[CFG] no matching peer
>> config found
>>
>> Following are the certificates and ipsec.conf file on
>> 10.0.0.2(Initiator):
>> =======================================================
>>
>> # cat /etc/ipsec.conf
>> # ipsec.conf
>> # FlexiPlatform: IPsec configuration file
>>
>> config setup
>>     charonstart=yes
>>     plutostart=no
>>     charondebug="knl 0,enc 0,net 0"
>> conn %default
>>     auto=route
>>     keyexchange=ikev2
>> ca r1~v1
>>     cacert="/etc/ipsec/certs/ipsec.d//cacerts/cacert.pem"
>> conn r1~v1
>>     rekeymargin=200
>>     rekeyfuzz=100%
>>     left=10.0.0.2
>>     right=10.0.0.1
>>     leftsubnet=10.0.0.0/24
>>     rightsubnet=10.0.0.0/24
>>
>>     leftprotoport=1
>>     rightprotoport=1
>>     authby=rsasig
>>     leftcert="/etc/ipsec/certs/ipsec.d//certs/ib-cert.pem"
>>     leftid=10.0.0.2
>>     rightid=10.0.0.1
>>     ike=3des-md5-modp1536!
>>     esp=3des-md5
>>     type=tunnel
>>     ikelifetime=3000s
>>     keylife=2000s
>>     mobike=no
>>     auto=route
>>     encapdscp=yes
>> Certificates:
>> # /usr/local/6bin/ipsec stroke listall
>>
>>
>> List of X.509 End Entity Certificates:
>>
>>   altNames: ib.atca.nsn.com
>>
>>   subject: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks,
>> OU=RTP, CN=ATCA_ib, E=gianluigi.ongaro at nsn.com"
>>
>>   issuer: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,
>> CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
>>
>>   serial:    03
>>   validity:  not before Mar 31 09:14:01 2012, ok
>>              not after  Apr 30 09:14:01 2012, ok (expires in 28 days)
>>   pubkey:    RSA 1024 bits, has private key
>>   keyid:     64:a5:3b:a4:42:18:b6:16:e9:47:84:7e:72:e2:0d:ff:52:0b:81:e5
>>   subjkey:   6f:50:38:73:27:e7:36:93:d8:62:d5:d0:e0:83:df:f8:aa:f1:b9:ed
>>
>> List of X.509 CA Certificates:
>>
>>   subject: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks,
>> OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
>>
>>   issuer: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,
>> CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
>>
>>   serial:    00:a9:d9:3d:5e:b8:7b:a3:4d
>>   validity:  not before Mar 31 09:14:01 2012, ok
>>              not after  Apr 30 09:14:01 2012, ok (expires in 28 days)
>>   pubkey:    RSA 1024 bits
>>   keyid:     b0:de:5e:b4:0d:d3:1c:4d:25:e7:cf:4c:bc:f3:31:d1:47:03:1e:d5
>>   subjkey:   29:95:a1:57:17:5e:2b:7a:e0:9d:6d:56:f6:bf:5d:c8:41:1f:44:6f
>>   authkey:   29:95:a1:57:17:5e:2b:7a:e0:9d:6d:56:f6:bf:5d:c8:41:1f:44:6f
>>
>> Following are the certificates & ipsec.conf files on 10.0.0.1(Initiator):
>> ====================================================
>>
>> # cat /etc/ipsec.conf
>> # ipsec.conf
>> # FlexiPlatform: IPsec configuration file
>>
>> config setup
>>     charonstart=yes
>>     plutostart=no
>>     charondebug="knl 0,enc 0,net 0"
>> conn %default
>>     auto=route
>>     keyexchange=ikev2
>> ca r1~v1
>>     cacert="/etc/ipsec/certs/ipsec.d//cacerts/cacert.pem"
>> conn r1~v1
>>     rekeymargin=200
>>     rekeyfuzz=100%
>>     left=10.0.0.1
>>     right=10.0.0.2
>>     leftsubnet=10.0.0.0/24
>>     rightsubnet=10.0.0.0/24
>>
>>     leftprotoport=1
>>     rightprotoport=1
>>     authby=rsasig
>>     leftcert="/etc/ipsec/certs/ipsec.d//certs/cla-cert.pem"
>>     leftid=10.0.0.1
>>     rightid=%any
>>     ike=3des-md5-modp1536!
>>     esp=3des-md5
>>     type=tunnel
>>     ikelifetime=3000s
>>     keylife=2000s
>>     mobike=no
>>     auto=route
>>     encapdscp=yes
>>
>> Certificates:
>> # /usr/local/6bin/ipsec stroke listall
>>
>> List of X.509 End Entity Certificates:
>>
>>   altNames: cla.atca.nsn.com
>>
>>   subject: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks,
>> OU=RTP, CN=ATCA_cla, E=gianluigi.ongaro at nsn.com"
>>
>>   issuer: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,
>> CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
>>
>>   serial:    03
>>   validity:  not before Mar 31 09:14:01 2012, ok
>>              not after  Apr 30 09:14:01 2012, ok (expires in 28 days)
>>   pubkey:    RSA 1024 bits, has private key
>>   keyid:     82:8e:cf:f7:a0:81:9e:00:77:0b:d7:ee:6f:f7:43:8a:d2:73:e4:af
>>   subjkey:   5f:ed:01:a0:a6:18:fd:12:dd:18:e1:fe:d4:76:a2:ea:4c:8f:e2:74
>>
>> List of X.509 CA Certificates:
>>
>>   subject: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks,
>> OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
>>
>>   issuer: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP,
>> CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
>>
>>   serial:    00:a9:d9:3d:5e:b8:7b:a3:4d
>>   validity:  not before Mar 31 09:14:01 2012, ok
>>              not after  Apr 30 09:14:01 2012, ok (expires in 28 days)
>>   pubkey:    RSA 1024 bits
>>   keyid:     b0:de:5e:b4:0d:d3:1c:4d:25:e7:cf:4c:bc:f3:31:d1:47:03:1e:d5
>>   subjkey:   29:95:a1:57:17:5e:2b:7a:e0:9d:6d:56:f6:bf:5d:c8:41:1f:44:6f
>>   authkey:   29:95:a1:57:17:5e:2b:7a:e0:9d:6d:56:f6:bf:5d:c8:41:1f:44:6f
>>
>>
>> --
>> Regards,
>> Reshma
>>
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>



-- 

Regards,
Reshma
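The check a practitioner wants before putting FQDNs into leftid/rightid is whether the certificate actually confirms the identity strongSwan is told to use. What follows is an added example, not code from this thread or from the strongSwan project: a small Python script that reads an ipsec.conf and the output of `ipsec stroke listall` (both constructed here, modelled on the thread, with each subject DN on a single line) and applies the rule from ipsec.conf(5) that a configured leftid is only used when the certificate in leftcert confirms it, i.e. it matches the full subject DN or one of the subjectAltName entries, and that the certificate's subject DN is used otherwise. Assumptions: the one end-entity certificate that has a private key stands in for leftcert, and DNs are compared as printed strings rather than structurally as charon does. With the thread's initiator conn (leftid=10.0.0.2, certificate altName ib.atca.nsn.com) the script reports that the id is not in the certificate and that the DN would be sent instead, which matches the responder log above, where the initiator's identity arrives as 10.0.0.2[C=de, ...]; with leftid=ib.atca.nsn.com, as in Andreas's reply, the id is confirmed.

```python
"""Which local IKE identity will strongSwan actually send for a conn?

Added example for the thread above, not code from strongSwan. It applies the
ipsec.conf(5) rule: a configured leftid is used only if the leftcert certificate
confirms it (full subject DN or one of its subjectAltName entries); otherwise
the subject DN is used. The ipsec.conf and `ipsec stroke listall` texts are
constructed, modelled on the thread.
"""
import re

# Constructed: the thread's initiator conn, and the same conn with the FQDN from
# the certificate's subjectAltName as leftid (as in Andreas's reply).
SAMPLE_IPSEC_CONF = """\
conn r1~v1
    leftcert="/etc/ipsec/certs/ipsec.d//certs/ib-cert.pem"
    leftid=10.0.0.2
    rightid=10.0.0.1
conn r1~v1-fqdn
    leftcert="/etc/ipsec/certs/ipsec.d//certs/ib-cert.pem"
    leftid=ib.atca.nsn.com
    rightid=cla.atca.nsn.com
"""

# Constructed: `ipsec stroke listall` on the initiator, trimmed to the fields used.
SAMPLE_LISTALL = """\
List of X.509 End Entity Certificates:
  altNames: ib.atca.nsn.com
  subject: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_ib, E=gianluigi.ongaro at nsn.com"
  pubkey:    RSA 1024 bits, has private key

List of X.509 CA Certificates:
  subject: "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
  pubkey:    RSA 1024 bits
"""


def parse_conns(conf_text):
    """{conn_name: {key: value}} from ipsec.conf; 'also=' and 'include' are not expanded."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():               # section header: conn/ca/config
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return conns


def parse_listall(listall_text):
    """End-entity certs from `ipsec stroke listall` as dicts: subject, altnames, has_key."""
    certs, cur, in_ee = [], None, False
    for line in listall_text.splitlines():
        if line.startswith("List of "):
            in_ee = "End Entity" in line
            continue
        m = re.match(r"\s+(\w+):\s*(.*)$", line) if in_ee else None
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        # altNames (when present) or subject opens a new certificate record
        if key in ("altNames", "subject") and (cur is None or cur["subject"]):
            cur = {"subject": None, "altnames": [], "has_key": False}
            certs.append(cur)
        if cur is None:
            continue
        if key == "altNames":
            cur["altnames"] = [a.strip() for a in value.split(",") if a.strip()]
        elif key == "subject":
            cur["subject"] = value.strip('"')
        elif key == "pubkey":
            cur["has_key"] = "has private key" in value
    return certs


def effective_local_id(conn, certs):
    """(identity, confirmed) for a conn's leftid. Assumptions: the one end-entity
    cert with a private key is leftcert, and comparing the printed DN string is
    close enough to charon's structural DN comparison for a config check."""
    local = [c for c in certs if c["has_key"]]
    if not local:
        raise ValueError("no end-entity certificate with a private key loaded")
    cert, configured = local[0], conn.get("leftid")
    if configured is None:
        return cert["subject"], True          # default: subject DN of leftcert
    if configured == cert["subject"] or configured in cert["altnames"]:
        return configured, True
    return cert["subject"], False             # not confirmed: charon falls back


if __name__ == "__main__":
    certs = parse_listall(SAMPLE_LISTALL)
    for name, conn in parse_conns(SAMPLE_IPSEC_CONF).items():
        ident, ok = effective_local_id(conn, certs)
        status = "is confirmed by the certificate:" if ok else "is not in the certificate; charon will send"
        print(f"{name}: leftid={conn.get('leftid')!r} {status} {ident!r}")
```

On a real host, feed it /etc/ipsec.conf and the output of `ipsec stroke listall`, and read charon's log when the conn is loaded, since it reports an id that the certificate does not confirm. The identity that is finally sent must also be the one the peer has in its rightid, so both sides of the thread have to agree on the FQDNs (ib.atca.nsn.com and cla.atca.nsn.com) rather than on addresses that appear in neither certificate.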