[strongSwan] IKE_SA getting established even without CA cert being present
divya mohan
divzsecondary at gmail.com
Mon Jun 18 07:08:33 CEST 2012
Hi,
I have set up an IPsec connection using certificates. I have copied
the End Entity certificate and key; but I have not copied the CA
certificate.
I was expecting the connection to fail, as authentication should fail
in this case. However, the connection seems to be working fine.
I am attaching logs and ipsec.conf from Host1 (initiator) and Host2 (responder).
Is this because of any issue in my configuration? Shouldn't
authentication fail if the issuer certificate is not found?
Regards,
Divya Mohan M
-------------- next part --------------
config setup
    charonstart=yes
    plutostart=no
    charondebug="knl 0,enc 0,net 0"

conn %default
    auto=route
    keyexchange=ikev2
    reauth=no

ca RuleFt~VpnFT
    cacert="/etc/ipsec/certs/ipsec.d//cacerts/defaultCaCertificate.pem"

conn RuleFt~VpnFT
    rekeymargin=8600
    rekeyfuzz=100%
    left=77.0.0.1
    right=77.0.0.2
    leftsubnet=77.0.0.0/24
    rightsubnet=77.0.0.0/24
    leftprotoport=%any
    rightprotoport=%any
    authby=rsasig
    leftcert="/etc/ipsec/certs/ipsec.d//certs/defaultCertificate.pem"
    leftid=77.0.0.1
    rightid=%any
    ike=aes128-md5-modp1024!
    esp=aes128-md5
    type=tunnel
    ikelifetime=86400s
    keylife=86000s
    mobike=no
    auto=route
    reauth=no
    encapdscp=yes
    vrfid=0
-------------- next part --------------
Jun 18 07:43:37.685883 info Host-1 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
Jun 18 07:43:37.695562 info Host-1 charon: 00[CFG] loading ca certificates from '/etc/ipsec/certs/ipsec.d/cacerts'
Jun 18 07:43:37.696298 info Host-1 charon: 00[CFG] loading aa certificates from '/etc/ipsec/certs/ipsec.d/aacerts'
Jun 18 07:43:37.697009 info Host-1 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec/certs/ipsec.d/ocspcerts'
Jun 18 07:43:37.697456 info Host-1 charon: 00[CFG] loading attribute certificates from '/etc/ipsec/certs/ipsec.d/acerts'
Jun 18 07:43:37.697819 info Host-1 charon: 00[CFG] loading crls from '/etc/ipsec/certs/ipsec.d/crls'
Jun 18 07:43:37.698198 info Host-1 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jun 18 07:43:38.084531 info Host-1 charon: 00[CFG] loaded RSA private key from '/etc/ipsec/certs/ipsec.d//private/defaultPrivateKey.pem'
Jun 18 07:43:38.086695 info Host-1 charon: 00[DMN] loaded plugins: openssl random pem x509 pubkey pkcs1 hmac xcbc stroke kernel-netlink
Jun 18 07:43:38.087314 info Host-1 charon: 00[JOB] spawning 16 worker threads
Jun 18 07:43:38.094211 info Host-1 charon: 06[CFG] received stroke: add connection 'RuleFt~VpnFT'
Jun 18 07:43:38.095116 info Host-1 charon: 06[CFG] loaded certificate "C=FI, ST=testee, L=testee, O=ABC, OU=testee, CN=example ee certificate" from '/etc/ipsec/certs/ipsec.d//certs/defaultCertificate.pem'
Jun 18 07:43:38.095514 info Host-1 charon: 06[CFG] id '77.0.0.1' not confirmed by certificate, defaulting to 'C=FI, ST=testee, L=testee, O=ABC, OU=testee, CN=example ee certificate'
Jun 18 07:43:38.095909 info Host-1 charon: 06[CFG] added configuration 'RuleFt~VpnFT'
Jun 18 07:43:38.096277 info Host-1 charon: 02[CFG] rereading secrets
Jun 18 07:43:38.096637 info Host-1 charon: 02[CFG] loading secrets from '/etc/ipsec.secrets'
Jun 18 07:43:38.481802 info Host-1 charon: 02[CFG] loaded RSA private key from '/etc/ipsec/certs/ipsec.d//private/defaultPrivateKey.pem'
Jun 18 07:43:38.482168 info Host-1 charon: 02[CFG] rereading ca certificates from '/etc/ipsec/certs/ipsec.d/cacerts'
Jun 18 07:43:38.482528 info Host-1 charon: 02[CFG] rereading ocsp signer certificates from '/etc/ipsec/certs/ipsec.d/ocspcerts'
Jun 18 07:43:38.482923 info Host-1 charon: 02[CFG] rereading aa certificates from '/etc/ipsec/certs/ipsec.d/aacerts'
Jun 18 07:43:38.483321 info Host-1 charon: 02[CFG] rereading attribute certificates from '/etc/ipsec/certs/ipsec.d/acerts'
Jun 18 07:43:38.483700 info Host-1 charon: 02[CFG] rereading crls from '/etc/ipsec/certs/ipsec.d/crls'
Jun 18 07:43:38.484088 info Host-1 charon: 08[CFG] received stroke: route 'RuleFt~VpnFT'
Jun 18 07:43:58.718540 info Host-1 charon: 13[IKE] initiating IKE_SA RuleFt~VpnFT[1] to 77.0.0.2
Jun 18 07:43:59.140456 info Host-1 charon: 14[IKE] authentication of 'C=FI, ST=testee, L=testee, O=ABC, OU=testee, CN=example ee certificate' (myself) with RSA signature successful
Jun 18 07:43:59.140764 info Host-1 charon: 14[IKE] establishing CHILD_SA RuleFt~VpnFT{1}
Jun 18 07:43:59.413575 info Host-1 charon: 15[CFG] no issuer certificate found for "C=FI, ST=testee, L=testee, O=ABC, OU=testee, CN=example ee certificate"
Jun 18 07:43:59.413959 info Host-1 charon: 15[CFG] using trusted certificate "C=FI, ST=testee, L=testee, O=ABC, OU=testee, CN=example ee certificate"
Jun 18 07:43:59.417471 info Host-1 charon: 15[IKE] authentication of 'C=FI, ST=testee, L=testee, O=ABC, OU=testee, CN=example ee certificate' with RSA signature successful
Jun 18 07:43:59.417856 info Host-1 charon: 15[IKE] IKE_SA RuleFt~VpnFT[1] established between 77.0.0.1[C=FI, ST=testee, L=testee, O=ABC, OU=testee, CN=example ee certificate]...77.0.0.2[C=FI, ST=testee, L=testee, O=ABC, OU=testee, CN=example ee certificate]
Jun 18 07:43:59.418563 info Host-1 charon: 15[IKE] scheduling rekeying in 73253s
Jun 18 07:43:59.418931 info Host-1 charon: 15[IKE] maximum IKE_SA lifetime 81853s
Jun 18 07:43:59.509198 info Host-1 charon: 15[IKE] CHILD_SA RuleFt~VpnFT{1} established with SPIs cd4828df_i c2ca89ad_o and TS 77.0.0.0/24 === 77.0.0.0/24
-------------- next part --------------
config setup
    charonstart=yes
    plutostart=no
    charondebug="knl 0,enc 0,net 0"

conn %default
    auto=route
    keyexchange=ikev2
    reauth=no

ca RuleFt~VpnFT
    cacert="/etc/ipsec/certs/ipsec.d//cacerts/defaultCaCertificate.pem"

conn RuleFt~VpnFT
    rekeymargin=8600
    rekeyfuzz=100%
    left=77.0.0.2
    right=77.0.0.1
    leftsubnet=77.0.0.0/24
    rightsubnet=77.0.0.0/24
    leftprotoport=%any
    rightprotoport=%any
    authby=rsasig
    leftcert="/etc/ipsec/certs/ipsec.d//certs/defaultCertificate.pem"
    leftid=77.0.0.2
    rightid=%any
    ike=aes128-md5-modp1024!
    esp=aes128-md5
    type=tunnel
    ikelifetime=86400s
    keylife=86000s
    mobike=no
    auto=route
    reauth=no
    encapdscp=yes
    vrfid=0
-------------- next part --------------
Jun 18 07:43:37.691534 info Host-2 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
Jun 18 07:43:37.700707 info Host-2 charon: 00[CFG] loading ca certificates from '/etc/ipsec/certs/ipsec.d/cacerts'
Jun 18 07:43:37.701544 info Host-2 charon: 00[CFG] loading aa certificates from '/etc/ipsec/certs/ipsec.d/aacerts'
Jun 18 07:43:37.723098 info Host-2 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec/certs/ipsec.d/ocspcerts'
Jun 18 07:43:37.726188 info Host-2 charon: 00[CFG] loading attribute certificates from '/etc/ipsec/certs/ipsec.d/acerts'
Jun 18 07:43:37.727357 info Host-2 charon: 00[CFG] loading crls from '/etc/ipsec/certs/ipsec.d/crls'
Jun 18 07:43:37.730000 info Host-2 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jun 18 07:43:38.117884 info Host-2 charon: 00[CFG] loaded RSA private key from '/etc/ipsec/certs/ipsec.d//private/defaultPrivateKey.pem'
Jun 18 07:43:38.119454 info Host-2 charon: 00[DMN] loaded plugins: openssl random pem x509 pubkey pkcs1 hmac xcbc stroke kernel-netlink
Jun 18 07:43:38.119918 info Host-2 charon: 00[JOB] spawning 16 worker threads
Jun 18 07:43:38.133246 info Host-2 charon: 08[CFG] received stroke: add connection 'RuleFt~VpnFT'
Jun 18 07:43:38.134828 info Host-2 charon: 08[CFG] loaded certificate "C=FI, ST=testee, L=testee, O=ABC, OU=testee, CN=example ee certificate" from '/etc/ipsec/certs/ipsec.d//certs/defaultCertificate.pem'
Jun 18 07:43:38.135176 info Host-2 charon: 08[CFG] id '77.0.0.2' not confirmed by certificate, defaulting to 'C=FI, ST=testee, L=testee, O=ABC, OU=testee, CN=example ee certificate'
Jun 18 07:43:38.135499 info Host-2 charon: 08[CFG] added configuration 'RuleFt~VpnFT'
Jun 18 07:43:38.136170 info Host-2 charon: 09[CFG] rereading secrets
Jun 18 07:43:38.136170 info Host-2 charon: 09[CFG] loading secrets from '/etc/ipsec.secrets'
Jun 18 07:43:38.522310 info Host-2 charon: 09[CFG] loaded RSA private key from '/etc/ipsec/certs/ipsec.d//private/defaultPrivateKey.pem'
Jun 18 07:43:38.522526 info Host-2 charon: 09[CFG] rereading ca certificates from '/etc/ipsec/certs/ipsec.d/cacerts'
Jun 18 07:43:38.523093 info Host-2 charon: 09[CFG] rereading ocsp signer certificates from '/etc/ipsec/certs/ipsec.d/ocspcerts'
Jun 18 07:43:38.523583 info Host-2 charon: 09[CFG] rereading aa certificates from '/etc/ipsec/certs/ipsec.d/aacerts'
Jun 18 07:43:38.524064 info Host-2 charon: 09[CFG] rereading attribute certificates from '/etc/ipsec/certs/ipsec.d/acerts'
Jun 18 07:43:38.524538 info Host-2 charon: 09[CFG] rereading crls from '/etc/ipsec/certs/ipsec.d/crls'
Jun 18 07:43:38.525500 info Host-2 charon: 11[CFG] received stroke: route 'RuleFt~VpnFT'
Jun 18 07:43:58.787887 info Host-2 charon: 13[IKE] 77.0.0.1 is initiating an IKE_SA
Jun 18 07:43:59.143601 info Host-2 charon: 14[CFG] looking for peer configs matching 77.0.0.2[%any]...77.0.0.1[C=FI, ST=testee, L=testee, O=ABC, OU=testee, CN=example ee certificate]
Jun 18 07:43:59.143786 info Host-2 charon: 14[CFG] selected peer config 'RuleFt~VpnFT'
Jun 18 07:43:59.144205 info Host-2 charon: 14[CFG] no issuer certificate found for "C=FI, ST=testee, L=testee, O=ABC, OU=testee, CN=example ee certificate"
Jun 18 07:43:59.144423 info Host-2 charon: 14[CFG] using trusted certificate "C=FI, ST=testee, L=testee, O=ABC, OU=testee, CN=example ee certificate"
Jun 18 07:43:59.148918 info Host-2 charon: 14[IKE] authentication of 'C=FI, ST=testee, L=testee, O=ABC, OU=testee, CN=example ee certificate' with RSA signature successful
Jun 18 07:43:59.302034 info Host-2 charon: 14[IKE] authentication of 'C=FI, ST=testee, L=testee, O=ABC, OU=testee, CN=example ee certificate' (myself) with RSA signature successful
Jun 18 07:43:59.302313 info Host-2 charon: 14[IKE] IKE_SA RuleFt~VpnFT[1] established between 77.0.0.2[C=FI, ST=testee, L=testee, O=ABC, OU=testee, CN=example ee certificate]...77.0.0.1[C=FI, ST=testee, L=testee, O=ABC, OU=testee, CN=example ee certificate]
Jun 18 07:43:59.302816 info Host-2 charon: 14[IKE] scheduling rekeying in 75054s
Jun 18 07:43:59.302962 info Host-2 charon: 14[IKE] maximum IKE_SA lifetime 83654s
Jun 18 07:43:59.411171 info Host-2 charon: 14[IKE] CHILD_SA RuleFt~VpnFT{2} established with SPIs c2ca89ad_i cd4828df_o and TS 77.0.0.0/24 === 77.0.0.0/24