[strongSwan] Regarding Certificate based authentication ( Load Tests )
Narendra K A
naren.ka at gmail.com
Thu Apr 12 13:04:31 CEST 2012
Hi Everyone,
I am using the strongSwan load tester to load my server. I am trying the
option initiator_auth=pubkey in the strongswan.conf file. Currently I am trying
to use the certificate present in the strongSwan load_tester_creds.c file.
These are the steps I am following.
1. Copy the certificate in the load_tester_creds.c file to CACERT.pem, and
place it in /etc/ipsec.d/cacerts/ directory and also in /etc/ipsec.d/certs/
directory as initiator_cert.pem file.
2. Copy the private key in the load_tester_creds.c file to PRIKEY.pem and
place it in /etc/ipsec.d/private/ directory
3. Alter the content of /etc/ipsec.secrets file as : RSA PRIKEY.pem
4. Create a CSR from the server and sign it with the strongSwan CACERT.pem
and PRIKEY.pem with the following command:
    openssl x509 -req -days 365 -in srv.csr -CA CACERT.pem -CAkey PRIKEY.pem -set_serial 01 -out ServCert.pem
5. Now, create a CRL with the following command:
    openssl ca -gencrl -keyfile PRIVKEY.pem -cert CACERT.pem -out strcrl.pem -crldays 30
6. Now import all of CACERT.pem, ServCert.pem and strcrl.pem on to the
server.
7. Initiate the command ipsec start from the client.
After doing all of this, my server says "Certificate not found. !!!!!"
Also, the CSR of the server contains a subjectAltName, but when I extracted the
information (openssl x509 -text -in ca-cer.pem) from the strongSwan
certificate, it did NOT have a subjectAltName.
Can I somehow add a subjectAltName to the strongSwan certificate? Or can I
create a CSR from the strongSwan side?
Also, I enabled the detailed logs in ipsec.conf. I can see NO ERRORS in the
log, but after IKE_SA_INIT I can see strongSwan sending IKE_AUTH (5
times, since retransmit_tries=5) and then saying the peer is not responding. On
the server side it says Certificate not found !!.
Please help me to solve this problem.
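
The `openssl x509 -req` command in step 4 does not copy extensions from the CSR, so a subjectAltName in the request is absent from the signed certificate unless it is supplied again with `-extfile`. The script below is an added example, not part of the original post: it uses a constructed throwaway CA and the hypothetical name srv.example.test instead of the load-tester credentials, and the file names and helper functions are assumptions.

```shell
#!/bin/sh
# Added example: all keys, names and files are constructed throwaway values,
# not the load-tester credentials from the post.
set -e
work=$(mktemp -d)

# Request config carrying a subjectAltName (hypothetical host name).
cat > "$work/req.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = srv.example.test
[v3_req]
subjectAltName = DNS:srv.example.test
EOF

# has_san FILE KIND: succeeds if the CSR (KIND=req) or cert (KIND=x509) has a SAN.
has_san() {
    openssl "$2" -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

# Throwaway CA plus a server CSR that requests the SAN.
make_ca_and_csr() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/req.cnf" \
        -subj '/CN=Constructed Test CA' \
        -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$work/req.cnf" \
        -keyout "$work/srv.key" -out "$work/srv.csr" 2>/dev/null
}

# sign OUT [extra openssl args...]: the signing command from step 4.
sign() {
    out=$1; shift
    openssl x509 -req -days 365 -in "$work/srv.csr" -CA "$work/ca.pem" \
        -CAkey "$work/ca.key" -set_serial 01 -out "$out" "$@" 2>/dev/null
}

make_ca_and_csr
sign "$work/plain.pem"                                            # as in step 4
sign "$work/san.pem" -extfile "$work/req.cnf" -extensions v3_req  # SAN re-supplied

for f in plain san; do
    if has_san "$work/$f.pem" x509; then echo "$f.pem: SAN present"
    else echo "$f.pem: SAN missing"; fi
done
```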