[strongSwan] rightid (Ipsec with Certificates)
Umarale, Lakshmi S (Lakshmi)
lakshmi.umarale at alcatel-lucent.com
Sat Jan 14 03:59:11 CET 2012
This is our configuration -
SEG <IPSEC TUNNEL> ENodeB
The eNodeB is the initiator.
The eNodeB must know in advance the attributes that it will receive in the certificate of the SEG in the name of the SEG.
I have been able to get the authentication working only by specifying rightid="O=*, CN=*" (attributes in the certificate of the SEG) on the eNodeB.
If we set the rightid as "C=*, O=*, OU=*, CN=*":
initiating IKE_SA 30[3] to 172.21.11.181
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 172.21.11.21[500] to 172.21.11.181[500]
received packet: from 172.21.11.181[500] to 172.21.11.21[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "O=Alcatel, CN=CMS"
sending cert request for "O=Alcatel, CN=CMS"
authentication of 'O=Alcatel, CN=123456.CMS1' (myself) with RSA signature successful
sending end entity cert "O=Alcatel, CN=123456.CMS1"
sending issuer cert "O=Alcatel, CN=CMS1"
establishing CHILD_SA 30
generating IKE_AUTH request 1 [ IDi CERT CERT N(INIT_CONTACT) CERTREQ AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 172.21.11.21[500] to 172.21.11.181[500]
received packet: from 172.21.11.181[500] to 172.21.11.21[500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr ]
received end entity cert "O=Alcatel, CN=654321 at alcatel-lucent.com"
using certificate "O=Alcatel, CN=654321 at alcatel-lucent.com"
using trusted ca certificate "O=Alcatel, CN=CMS"
checking certificate status of "O=Alcatel, CN=654321 at alcatel-lucent.com"
certificate status is not available
reached self-signed root ca with a path length of 0
authentication of 'O=Alcatel, CN=654321 at alcatel-lucent.com' with RSA signature successful
constraint check failed: identity 'C=*, O=*, OU=*, CN=*' required
selected peer config '30' inacceptable
no alternative config found
Without specifying the rightid, I get an authentication failure:
initiating IKE_SA 30[8] to 172.21.11.181
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 172.21.11.21[500] to 172.21.11.181[500]
received packet: from 172.21.11.181[500] to 172.21.11.21[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "O=Alcatel, CN=CMS"
sending cert request for "O=Alcatel, CN=CMS"
authentication of 'O=Alcatel, CN=123456.CMS1' (myself) with RSA signature successful
sending end entity cert "O=Alcatel, CN=123456.CMS1"
sending issuer cert "O=Alcatel, CN=CMS1"
establishing CHILD_SA 30
generating IKE_AUTH request 1 [ IDi CERT CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 172.21.11.21[500] to 172.21.11.181[500]
received packet: from 172.21.11.181[500] to 172.21.11.21[500]
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
I would like to understand the purpose of leftid and rightid. Why do we need to specify them?
Regards,
Lakshmi
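Added illustration (not part of Lakshmi's message and not strongSwan's own code): a small Python model of how an identity constraint such as rightid="C=*, O=*, OU=*, CN=*" is compared against the subject DN of the peer certificate. The model assumes the behaviour visible in the log: a "*" value matches any value for that attribute type, but the attribute types must appear with the same count and order in both DNs, so a constraint that names C= and OU= can never match a subject that carries only O= and CN=. The subject DN is the one printed in the log (with the list archive's "at" obfuscation kept); the "O=Example" constraint is a constructed value.

```python
"""Model of DN wildcard matching for an IKE identity constraint (rightid).

Written for this thread as an illustration; it is not strongSwan's code and
assumes the simple RDN-by-RDN comparison described in the lead-in.
"""

from typing import List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Parse "C=*, O=Alcatel, CN=x" into an ordered list of (type, value).

    Assumes no escaped commas and no multi-valued RDNs, which is enough for
    the DNs that appear in the log above.
    """
    rdns: List[RDN] = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dn_matches(constraint: str, subject: str) -> Tuple[bool, str]:
    """Return (matched, reason) for a rightid-style constraint vs. a subject DN.

    A "*" value matches any value of that attribute type. The attribute types
    themselves must line up one-to-one and in order, so the number of RDNs in
    the constraint must equal the number of RDNs in the certificate subject.
    """
    c, s = parse_dn(constraint), parse_dn(subject)
    if len(c) != len(s):
        return False, f"RDN count differs: constraint has {len(c)}, subject has {len(s)}"
    for (ca, cv), (sa, sv) in zip(c, s):
        if ca != sa:
            return False, f"attribute type mismatch: constraint {ca}= vs subject {sa}="
        if cv != "*" and cv != sv:
            return False, f"value mismatch for {ca}: {cv!r} != {sv!r}"
    return True, "match"


# Subject DN of the SEG certificate as printed in the log (address obfuscated
# by the mailing list archive).
SEG_SUBJECT = "O=Alcatel, CN=654321 at alcatel-lucent.com"

# The two constraints from the message plus two constructed ones for contrast.
CONSTRAINTS = (
    "O=*, CN=*",               # works in the log
    "C=*, O=*, OU=*, CN=*",    # "constraint check failed" in the log
    "O=Alcatel, CN=*",         # constructed: pins O= but leaves CN= open
    "O=Example, CN=*",         # constructed: wrong organisation
)

if __name__ == "__main__":
    for constraint in CONSTRAINTS:
        ok, why = dn_matches(constraint, SEG_SUBJECT)
        verdict = "OK" if ok else "constraint check failed"
        print(f'rightid="{constraint}" -> {verdict} ({why})')
```

The model reproduces the two outcomes in the log: "O=*, CN=*" matches, "C=*, O=*, OU=*, CN=*" does not because the SEG certificate has no C= or OU= RDN. It also shows why pinning "O=Alcatel" is a stronger check than "O=*": the latter accepts any certificate the trusted CA has signed, whatever its organisation. The third log excerpt is a different situation: with no rightid set, the IKE_AUTH request carries an IDr derived from the right= address rather than from a DN, which is consistent with the IDr payload appearing only in that run.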