[strongSwan] Regarding Certificate based authentication ( Load Tests )

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Sat Apr 14 20:18:51 CEST 2012


Hi

why dont't you try the below steps (it worked for me):

1. you will need to first access the following link
http://wiki.strongswan.org/projects/strongswan/repository/entry/src/libcharon/plugins/load_tester/load_tester_creds.c
and then
- copy the RSA private-key into 2 files and name them "initiator_key.pem"
and "responder_key.pem"

- copy the self-signed cert into 3 files and name them "cacert.pem",
"initiator_cert.pem" and "responder_cert.pem"
-----------------------------------------------------------------------------------------------
On the Initiator GW/PC/Machine (enabled with the LoadTester-Plugim)
-------------------------------------------------------------------
- Please note that the load-tester plugin can only act in and as a
road-warrior-client simulator mode. So you should be enabling the
load-tester plugin on only the initiator linux-machine running the
strongswan package
- The ipsec.conf file on this initiator is NEVER used or NOT required just
comment out all config statments
- copy the cacert.pem, initiator_cert.pem and the initiator_key.pem to the
respective locations "cacerts", "certs" and "private" under .../ipsec.d/
folder
- in the ipsec.secrets file, include the statement
: RSA initiator_key.pem
- The strongswan.conf file should be as below:
------------------------------------------
charon {
    reuse_ikesa = no
    threads = 32
    plugins {
        load-tester {
            # enable the plugin
            enable = yes
            # example: 10 connections, 5 in parallel
            initiators = 5
            iterations = 2
            # use a delay of 100ms, overall time is: iterations * delay =
100s
            delay = 100
            # address of the gateway
            remote = 172.17.10.10
            # IKE-proposal to use
            proposal = aes128-sha1-modp1024
            # use faster PSK authentication instead of 1024bit RSA
            initiator_auth = pubkey
            responder_auth = pubkey
            # request a virtual IP using configuration payloads
            request_virtual_ip = yes
            # disable IKE_SA rekeying (default)
            ike_rekey = 0
            # enable CHILD_SA every 60s
            child_rekey = 60
            # do not delete the IKE_SA after it has been established
(default)
            delete_after_established = no
            # do not shut down the daemon if all IKE_SAs established
            shutdown_when_complete = no
        }
    }
}
-----------------------------------------------------------
On the Responder GW/PC/Machine
******************************
- do not enable load-tester plugin here. just configure this machine as a
Road-Warrior-VPN-Server

- the ipsec.conf file shoule be as below:
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
 strictcrlpolicy=no
 crlcheckinterval=180
 plutostart=no
 charonstart=yes

conn %default
 ikelifetime=60m
 keylife=30m
 rekeymargin=3m
 keyingtries=1
 keyexchange=ikev2
 mobike=no

conn rw-server
 left=172.17.10.10
 leftsubnet=192.168.20.0/24
 right=%any
 rightsourceip=10.3.0.0/16
 leftid="CN=srv, OU=load-test, O=strongSwan"
 leftcert=respcert.pem
 authby=pubkey
 keyexchange=ikev2
 type=tunnel
 auto=add
#

- copy the cacert.pem, responder_cert.pem and responder_key.pem to the
respective locations under ipsec.d folder

- The ipsec.secrets file should have an entry as below:
: RSA responder_key.pem

2. That's it, now you start strongswan ipsec on both initiator and
responder (first on this) using "ipsec start" or "ipsec start --nofork"

- you will see that as configured in the strongswan.conf, there will be 10
IKEv2 tunnels established, but ofcourse no ipsec SAs are established, as
per design of the plugin

- also, it did not work for me with PSK (using fqdn) as mentioned in the
link below:
http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests
---------------------------------------------------------------------------------------------------------------------
As far as i understand, there is no need to create another set of certs,
crl, etc..

regards
rajiv

PS:
Just as an aside info and not really used for above setup, your steps to
create the required certs are wrong. Use the below instead, if you really
want to:

-----------------------------

for a new root-ca:

1. openssl req -new -x509 -config /etc/ssl/openssl.cnf -newkey rsa:1024
-keyout private/cakey.pem -days 3650 -out cacert.pem

for generating  a new-device cert1:
2. openssl req -new -config /etc/ssl/openssl.cnf -nodes -newkey rsa:1024
-keyout private/host1key.pem -days 730 -out host1CSR.pem

for cert sign by the above root-CA:

3. openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -out
certs/host1cert.pem
-infiles host1CSR.pem
now you will need to copy the cacert.pem, host1cert.pem and host1key.pem to
the respective locations for strongswan configuration. create another set
of host2cert and host2key for the remote host to use

for subjectAltname, it is initiatlly a long procedure to configure
openssl.cnf each time for each device cert to include the subjectaltname...
-------------------------------********************************************-------------------------------
On Thu, Apr 12, 2012 at 4:34 PM, Narendra K A <naren.ka at gmail.com> wrote:

> Hi Everyone,
>
>     I am using strongswan load tester to load my server. I am trying with
> option initiator_auth=pubkey in strongswan.conf file. Currently i am trying
> to use the certificate present in the strongswan load_tester_creds.c file.
> These are the steps am following.
>
> 1. Copy the certificate in the load_tester_creds.c file to CACERT.pem, and
> place it in /etc/ipsec.d/cacerts/ directory and also in /etc/ipsec.d/certs/
> directory as initiator_cert.pem file.
>
> 2. Copy the private key in the load_tester_creds.c file to PRIKEY.pem and
> place it in /etc/ipsec.d/private/ directory
>
> 3. Alter the content of /etc/ipsec.secrets file as : RSA PRIKEY.pem
>
> 4. Create a CSR from the server and sign it with the strongswan CACERT.pem
> and PRIKEY.pem with the following command
>         *openssl x509 -req -days 365 -in srv.csr -CA CACERT.pem -CAkey
> PRIKEY.pem -set_serial 01 -out ServCert.pem*
>
> 5. Now, create a CRL withe the following command
>        * openssl ca -gencrl -keyfile PRIVKEY.pem -cert CACERT.pem -out
> strcrl.pem -crldays 30*
>
> *6. Now IMPORT all the CACERT.pem, ServCert.pem and strcrl.pem on to the
> server. *
>
> 7. Initiate the command ipsec start from the client.
>
> After doing all these My server is telling *Certificate not found. !!!!!*
>
> Also, CSR of the server contains a subjectAltName, but when i extracted
> the information *(openssl x509 -text -in ca-cer.pem)* from the strongswan
> certificate *IT WAS NOT HAVING* subjectAltName.
>
> Can i somehow add subjectAltName to strongswan certificate ? or can i
> create a CSR from strongswan side ?
>
> Also i enabled the detailed logs in ipsec.conf, i can see NO ERRORS in the
> log, but after IKE_SA_INIT, i can see strongswan is sending IKE_AUTH (5
> times since retransmit_tries=5 ) and telling peer not responding. In the
> server side it is telling Certificate not found !!.
>
> Please help me to solve this problem.
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120414/1d41dd7a/attachment.html>


More information about the Users mailing list