[strongSwan] Regarding Certificate based authentication ( Load Tests )
Narendra K A
naren.ka at gmail.com
Mon Apr 16 09:10:06 CEST 2012
Thanks for the information Rajiv,
As per my previous post i had followed the same steps but with
different names right ? Its not working for me :( . Also u have told to
copy the responder_key.pem to responder side. Which means we are SHARING A
PRIVATE KEY ???? !!!! which should not be done right ??? except this step
am following all the steps u have told. Still no luck :(
On Sat, Apr 14, 2012 at 11:48 PM, Rajiv Kulkarni
<rajivkulkarni69 at gmail.com>wrote:
> Hi
>
> why dont't you try the below steps (it worked for me):
>
> 1. you will need to first access the following link
>
> http://wiki.strongswan.org/projects/strongswan/repository/entry/src/libcharon/plugins/load_tester/load_tester_creds.c
> and then
> - copy the RSA private-key into 2 files and name them "initiator_key.pem"
> and "responder_key.pem"
>
> - copy the self-signed cert into 3 files and name them "cacert.pem",
> "initiator_cert.pem" and "responder_cert.pem"
>
> -----------------------------------------------------------------------------------------------
> On the Initiator GW/PC/Machine (enabled with the LoadTester-Plugim)
> -------------------------------------------------------------------
> - Please note that the load-tester plugin can only act in and as a
> road-warrior-client simulator mode. So you should be enabling the
> load-tester plugin on only the initiator linux-machine running the
> strongswan package
> - The ipsec.conf file on this initiator is NEVER used or NOT required just
> comment out all config statments
> - copy the cacert.pem, initiator_cert.pem and the initiator_key.pem to the
> respective locations "cacerts", "certs" and "private" under .../ipsec.d/
> folder
> - in the ipsec.secrets file, include the statement
> : RSA initiator_key.pem
> - The strongswan.conf file should be as below:
> ------------------------------------------
> charon {
> reuse_ikesa = no
> threads = 32
> plugins {
> load-tester {
> # enable the plugin
> enable = yes
> # example: 10 connections, 5 in parallel
> initiators = 5
> iterations = 2
> # use a delay of 100ms, overall time is: iterations * delay =
> 100s
> delay = 100
> # address of the gateway
> remote = 172.17.10.10
> # IKE-proposal to use
> proposal = aes128-sha1-modp1024
> # use faster PSK authentication instead of 1024bit RSA
> initiator_auth = pubkey
> responder_auth = pubkey
> # request a virtual IP using configuration payloads
> request_virtual_ip = yes
> # disable IKE_SA rekeying (default)
> ike_rekey = 0
> # enable CHILD_SA every 60s
> child_rekey = 60
> # do not delete the IKE_SA after it has been established
> (default)
> delete_after_established = no
> # do not shut down the daemon if all IKE_SAs established
> shutdown_when_complete = no
> }
> }
> }
> -----------------------------------------------------------
> On the Responder GW/PC/Machine
> ******************************
> - do not enable load-tester plugin here. just configure this machine as a
> Road-Warrior-VPN-Server
>
> - the ipsec.conf file shoule be as below:
> # /etc/ipsec.conf - strongSwan IPsec configuration file
> config setup
> strictcrlpolicy=no
> crlcheckinterval=180
> plutostart=no
> charonstart=yes
>
> conn %default
> ikelifetime=60m
> keylife=30m
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev2
> mobike=no
>
> conn rw-server
> left=172.17.10.10
> leftsubnet=192.168.20.0/24
> right=%any
> rightsourceip=10.3.0.0/16
> leftid="CN=srv, OU=load-test, O=strongSwan"
> leftcert=respcert.pem
> authby=pubkey
> keyexchange=ikev2
> type=tunnel
> auto=add
> #
>
> - copy the cacert.pem, responder_cert.pem and responder_key.pem to the
> respective locations under ipsec.d folder
>
> - The ipsec.secrets file should have an entry as below:
> : RSA responder_key.pem
>
> 2. That's it, now you start strongswan ipsec on both initiator and
> responder (first on this) using "ipsec start" or "ipsec start --nofork"
>
> - you will see that as configured in the strongswan.conf, there will be 10
> IKEv2 tunnels established, but ofcourse no ipsec SAs are established, as
> per design of the plugin
>
> - also, it did not work for me with PSK (using fqdn) as mentioned in the
> link below:
> http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests
>
> ---------------------------------------------------------------------------------------------------------------------
> As far as i understand, there is no need to create another set of certs,
> crl, etc..
>
> regards
> rajiv
>
> PS:
> Just as an aside info and not really used for above setup, your steps to
> create the required certs are wrong. Use the below instead, if you really
> want to:
>
> -----------------------------
>
> for a new root-ca:
>
> 1. openssl req -new -x509 -config /etc/ssl/openssl.cnf -newkey rsa:1024
> -keyout private/cakey.pem -days 3650 -out cacert.pem
>
> for generating a new-device cert1:
> 2. openssl req -new -config /etc/ssl/openssl.cnf -nodes -newkey rsa:1024
> -keyout private/host1key.pem -days 730 -out host1CSR.pem
>
> for cert sign by the above root-CA:
>
> 3. openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -out
> certs/host1cert.pem
> -infiles host1CSR.pem
> now you will need to copy the cacert.pem, host1cert.pem and host1key.pem
> to the respective locations for strongswan configuration. create another
> set of host2cert and host2key for the remote host to use
>
> for subjectAltname, it is initiatlly a long procedure to configure
> openssl.cnf each time for each device cert to include the subjectaltname...
>
> -------------------------------********************************************-------------------------------
> On Thu, Apr 12, 2012 at 4:34 PM, Narendra K A <naren.ka at gmail.com> wrote:
>
>> Hi Everyone,
>>
>> I am using strongswan load tester to load my server. I am trying with
>> option initiator_auth=pubkey in strongswan.conf file. Currently i am trying
>> to use the certificate present in the strongswan load_tester_creds.c file.
>> These are the steps am following.
>>
>> 1. Copy the certificate in the load_tester_creds.c file to CACERT.pem,
>> and place it in /etc/ipsec.d/cacerts/ directory and also in
>> /etc/ipsec.d/certs/ directory as initiator_cert.pem file.
>>
>> 2. Copy the private key in the load_tester_creds.c file to PRIKEY.pem and
>> place it in /etc/ipsec.d/private/ directory
>>
>> 3. Alter the content of /etc/ipsec.secrets file as : RSA PRIKEY.pem
>>
>> 4. Create a CSR from the server and sign it with the strongswan
>> CACERT.pem and PRIKEY.pem with the following command
>> *openssl x509 -req -days 365 -in srv.csr -CA CACERT.pem -CAkey
>> PRIKEY.pem -set_serial 01 -out ServCert.pem*
>>
>> 5. Now, create a CRL withe the following command
>> * openssl ca -gencrl -keyfile PRIVKEY.pem -cert CACERT.pem -out
>> strcrl.pem -crldays 30*
>>
>> *6. Now IMPORT all the CACERT.pem, ServCert.pem and strcrl.pem on to the
>> server. *
>>
>> 7. Initiate the command ipsec start from the client.
>>
>> After doing all these My server is telling *Certificate not found. !!!!!*
>>
>> Also, CSR of the server contains a subjectAltName, but when i extracted
>> the information *(openssl x509 -text -in ca-cer.pem)* from the
>> strongswan certificate *IT WAS NOT HAVING* subjectAltName.
>>
>> Can i somehow add subjectAltName to strongswan certificate ? or can i
>> create a CSR from strongswan side ?
>>
>> Also i enabled the detailed logs in ipsec.conf, i can see NO ERRORS in
>> the log, but after IKE_SA_INIT, i can see strongswan is sending IKE_AUTH (5
>> times since retransmit_tries=5 ) and telling peer not responding. In the
>> server side it is telling Certificate not found !!.
>>
>> Please help me to solve this problem.
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120416/c5da4684/attachment.html>
More information about the Users
mailing list