[strongSwan] Regarding Certificate based authentication ( Load Tests )

Narendra K A naren.ka at gmail.com
Thu Apr 12 13:04:31 CEST 2012

Hi Everyone,

    I am using strongswan load tester to load my server. I am trying with
option initiator_auth=pubkey in strongswan.conf file. Currently i am trying
to use the certificate present in the strongswan load_tester_creds.c file.
These are the steps am following.

1. Copy the certificate in the load_tester_creds.c file to CACERT.pem, and
place it in /etc/ipsec.d/cacerts/ directory and also in /etc/ipsec.d/certs/
directory as initiator_cert.pem file.

2. Copy the private key in the load_tester_creds.c file to PRIKEY.pem and
place it in /etc/ipsec.d/private/ directory

3. Alter the content of /etc/ipsec.secrets file as : RSA PRIKEY.pem

4. Create a CSR from the server and sign it with the strongswan CACERT.pem
and PRIKEY.pem with the following command
        *openssl x509 -req -days 365 -in srv.csr -CA CACERT.pem -CAkey
PRIKEY.pem -set_serial 01 -out ServCert.pem*

5. Now, create a CRL withe the following command
       * openssl ca -gencrl -keyfile PRIVKEY.pem -cert CACERT.pem -out
strcrl.pem -crldays 30*

*6. Now IMPORT all the CACERT.pem, ServCert.pem and strcrl.pem on to the
server. *

7. Initiate the command ipsec start from the client.

After doing all these My server is telling *Certificate not found. !!!!!*

Also, CSR of the server contains a subjectAltName, but when i extracted the
information *(openssl x509 -text -in ca-cer.pem)* from the strongswan
certificate *IT WAS NOT HAVING* subjectAltName.

Can i somehow add subjectAltName to strongswan certificate ? or can i
create a CSR from strongswan side ?

Also i enabled the detailed logs in ipsec.conf, i can see NO ERRORS in the
log, but after IKE_SA_INIT, i can see strongswan is sending IKE_AUTH (5
times since retransmit_tries=5 ) and telling peer not responding. In the
server side it is telling Certificate not found !!.

Please help me to solve this problem.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120412/a4f9eec3/attachment.html>

More information about the Users mailing list