[strongSwan] x509 subjectAltName ipaddress not matching

Shukla, Sanjay Sanjay.Shukla at ipc.com
Fri May 25 17:07:09 CEST 2012


I have the IP address defined in the subjectAltName of the server certificates. However, the authentication fails; here are my configs on the peers (10.204.74.188 and 10.204.74.189). What is needed for validation of the IP address found in the subjectAltName?

On 10.204.74.188

config setup
        uniqueids=replace
        plutostart=no
        charonstart=yes
#Below Are The Configuration for CCM_CCM IPSec Tunnel
conn LocalIP_LocalIP_10.204.74.189
        left=10.204.74.188
        leftcert=ServLcl.pem
        leftsendcert=yes
        leftupdown=/opt/ipc/security/ipsectunnel/raiseAlarm_ipsec.sh
        right=10.204.74.189
        rightid=10.204.74.189
        keyexchange=ikev2
        type=transport
        reauth=no
        dpddelay=5s
        dpdaction=restart
        keyingtries=%forever
        auto=route

--
On 10.204.74.189
config setup
        uniqueids=replace
        plutostart=no
        charonstart=yes
#Below Are The Configuration for CCM_CCM IPSec Tunnel
conn LocalIP_LocalIP_10.204.74.188
        left=10.204.74.189
        leftcert=ServLcl.pem
        leftsendcert=yes
        leftupdown=/opt/ipc/security/ipsectunnel/raiseAlarm_ipsec.sh
        right=10.204.74.188
        rightid=10.204.74.189
        keyexchange=ikev2
        type=transport
        reauth=no
        dpddelay=5s
        dpdaction=restart
        keyingtries=%forever
        auto=route


logs on 189
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 07[NET] received packet: from 10.204.74.188[500] to 10.204.74.189[500]
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 12[IKE] received cert request for "C=US, ST=CT, L=Fairfield, O=IPC, OU=TS-1337911838, CN=http://www.ipc.com"
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 12[IKE] received end entity cert "C=US, ST=CT, L=Fairfield, O=IPC, CN=10.204.74.188"
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 12[CFG] looking for peer configs matching 10.204.74.189[10.204.74.189]...10.204.74.188[10.204.74.188]
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 12[CFG] no matching peer config found
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 12[IKE] peer supports MOBIKE
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

--

Logs on 188
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[NET] received packet: from 10.204.74.189[4500] to 10.204.74.188[4500]
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[IKE] received cert request for "C=US, ST=CT, L=Fairfield, O=IPC, OU=TS-1337911838, CN=http://www.ipc.com"
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[IKE] received end entity cert "C=US, ST=CT, L=Fairfield, O=IPC, CN=10.204.74.189"
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[CFG] looking for peer configs matching 10.204.74.188[10.204.74.189]...10.204.74.189[10.204.74.189]
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[CFG] no matching peer config found
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[IKE] peer supports MOBIKE
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]


Certificate on 189
[root at ffd-ipsec-189 ~]# openssl x509 -in /opt/ipc/security/keymgmt/certs/ServLcl.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1337917633 (0x4fbf00c1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=CT, L=Fairfield, O=IPC, OU=TS-1337911838, CN=http://www.ipc.com
        Validity
            Not Before: May 25 03:47:13 2012 GMT
            Not After : May 24 03:47:13 2019 GMT
        Subject: C=US, ST=CT, L=Fairfield, O=IPC, CN=10.204.74.189
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:ca:7d:6a:03:09:a5:57:e4:19:a9:05:81:9c:45:
                    82:99:59:7d:1d:d5:2e:fe:f0:1c:f0:46:32:7e:d6:
                    48:ee:d5:50:41:eb:32:95:62:d9:41:76:dd:be:6b:
                    f8:de:85:f6:fd:f1:ee:aa:47:f3:69:85:cc:42:7b:
                    d2:2c:7e:0b:28:c7:65:03:5e:ac:9a:6c:39:e5:68:
                    de:d4:56:68:c4:0a:a0:34:9e:be:5b:d9:c0:ef:0a:
                    a6:ce:c3:b7:94:d0:d7:0e:df:44:dd:4d:8d:78:26:
                    b8:74:46:30:0a:bb:56:81:3a:2b:5c:dd:75:b6:68:
                    f0:6e:40:fc:7c:87:7f:09:2a:70:ff:3a:fb:ba:66:
                    72:8e:3d:55:e2:0e:75:e2:b6:48:32:64:d2:1d:40:
                    5d:2c:34:8f:1f:35:6b:93:17:c7:28:60:f8:d4:d4:
                    07:12:0d:11:06:3d:45:9d:25:f1:99:bb:9d:86:31:
                    9e:16:eb:37:d3:48:89:7a:a4:2a:73:24:eb:7f:70:
                    f6:af:36:e0:65:e9:40:cd:c0:31:9a:f7:9e:e6:ce:
                    0e:94:e8:53:26:b8:40:82:ac:49:b6:50:55:9e:51:
                    53:96:0d:f4:5c:c3:68:f7:72:25:58:44:46:55:09:
                    c9:a2:cf:d0:bb:db:20:06:67:24:cb:b1:eb:ad:bd:
                    b8:cb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                53:0B:01:8A:51:37:23:63:D1:2D:0B:50:27:5E:62:19:A6:37:F2:B3
            X509v3 Authority Key Identifier:
                keyid:D0:10:19:3D:FD:0C:2C:77:A0:39:F9:16:52:7D:3F:E2:E3:F7:D4:59
                DirName:/C=US/ST=CT/L=Fairfield/O=IPC/OU=TS-1337911838/CN=http://www.ipc.com
                serial:01

            X509v3 Subject Alternative Name:
                IP Address:10.204.74.189
    Signature Algorithm: sha1WithRSAEncryption
        73:97:39:ed:5b:d3:2b:48:71:cf:f7:f5:5a:60:b5:d9:54:f9:
        66:2d:fa:3e:04:8e:68:8c:58:59:15:a8:83:f7:45:e6:30:29:
        ac:93:32:89:81:fd:a3:6a:e4:d0:1d:c7:ee:85:97:d8:a5:7a:
        8d:b8:64:27:bd:b1:18:4d:70:e9:e8:ba:0c:da:31:0f:d9:21:
        e4:41:f5:fa:cf:30:3b:e9:17:6f:5e:29:81:4e:b8:d6:07:53:
        74:53:04:30:e6:f7:37:a6:3e:a9:54:a6:85:88:79:8d:e5:6d:
        fd:f1:52:ad:4f:49:e4:22:1e:d0:dc:53:1d:ae:bd:be:23:74:
        da:af:d6:9a:d5:f1:e6:68:cf:7c:d1:ea:64:33:d4:7e:78:37:
        9a:7e:0f:4c:7b:b0:e8:07:b8:10:0e:1b:da:c0:a5:f9:1f:f3:
        c2:ec:2c:5c:a6:70:29:71:1c:a3:d3:43:92:f6:0a:e6:3b:13:
        34:f4:28:77:80:2f:81:01:ae:25:d9:eb:bb:5c:40:05:70:17:
        36:69:f1:8c:e0:6f:f5:af:70:3f:bc:be:17:d0:df:2a:67:6b:
        cd:82:5c:60:b7:c7:a8:34:09:aa:c1:a0:01:3c:8b:95:8c:e2:
        3d:11:3e:ee:55:6d:22:17:bd:b4:a5:93:d6:ba:a8:a3:f0:cc:
        83:f6:43:a1:03:2b:11:89:13:47:58:cd:b8:20:48:f9:56:eb:
        b1:33:67:39:52:56:f2:af:0d:e1:b9:97:ee:bb:8b:8c:e4:d4:
        f1:14:4b:15:6d:3e:9f:66:37:8c:b4:2d:7a:d1:60:00:2e:f9:
        14:32:06:2b:57:cb:1b:06:ef:c8:1a:b0:be:a3:ed:82:0a:05:
        2c:8e:a9:fb:f6:c1:a0:d7:72:43:70:00:6d:7f:b8:54:f5:39:
        d0:71:c1:c5:6f:ec:1b:cb:68:53:cc:ce:92:17:99:0d:ad:53:
        ac:c7:83:db:fc:c5:86:8c:d4:a4:ba:8f:75:4c:b1:b1:a2:02:
        10:07:d7:55:80:ec:a3:26:ff:1f:e3:81:31:df:36:91:47:62:
        91:60:6f:85:bf:5e:6f:47:f5:fb:2c:dc:20:46:5d:1c:00:18:
        95:b2:26:a9:e6:57:0c:5a:45:8b:ae:58:cf:1b:67:27:1c:32:
        77:2d:3c:f9:a0:1d:b0:f0:8a:b8:ed:c2:fb:d4:2b:fb:2f:7f:
        12:46:7f:51:e4:a2:a6:ec:2f:69:2d:a8:ed:a3:7d:88:f3:76:
        e7:d7:ba:5c:0e:ad:91:92:d1:06:f2:e1:1f:59:6b:0d:6a:92:
        75:fb:7f:bf:de:24:d3:5d:13:16:aa:bd:80:45:94:18:a5:ee:
        c3:cd:24:48:76:5d:d8:fd


certificate on 188
[root at ffd-ipsec-188 ~]# openssl x509 -in /opt/ipc/security/keymgmt/certs/ServLcl.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1337911839 (0x4fbeea1f)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=CT, L=Fairfield, O=IPC, OU=TS-1337911838, CN=http://www.ipc.com
        Validity
            Not Before: May 25 02:10:39 2012 GMT
            Not After : May 24 02:10:39 2019 GMT
        Subject: C=US, ST=CT, L=Fairfield, O=IPC, CN=10.204.74.188
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:bc:6f:bf:9a:b0:87:fd:34:7c:9a:0c:f2:d9:b3:
                    cd:31:e9:2c:97:08:9e:02:84:74:df:7a:07:08:e7:
                    46:90:ff:a6:e9:e9:a4:a7:8d:87:8b:7d:97:43:40:
                    04:e0:1f:40:72:5c:7a:e3:41:41:1c:b7:b7:8e:aa:
                    0e:38:eb:f0:90:4c:1d:42:1f:e0:64:5c:f6:24:69:
                    1a:56:aa:de:50:42:f8:e9:a7:8d:8d:3a:f1:da:71:
                    99:6e:b5:4b:36:00:19:7e:9c:cb:e6:e2:cf:1b:45:
                    36:3c:9c:ee:8f:9b:35:9d:01:71:b0:cb:39:57:e4:
                    c8:2c:6b:bc:81:e9:ee:55:e1:29:52:8a:37:6b:2f:
                    d5:27:8a:0d:58:21:37:ec:79:f8:f6:4d:de:0f:91:
                    b9:7f:f4:83:ab:28:a4:52:f7:42:67:9d:e7:fd:41:
                    d0:a4:d4:9b:6d:76:e9:fa:96:45:a2:90:8b:98:f9:
                    16:ed:0a:a1:5f:f1:64:38:79:88:8b:26:1c:5d:36:
                    43:00:f5:81:f8:b5:4d:68:c5:87:60:7b:e3:c8:e1:
                    1b:cb:87:a1:9d:45:a1:a1:9d:aa:a1:ec:bc:d9:c6:
                    ae:a3:e9:b4:43:30:13:d5:f5:74:28:10:01:39:b0:
                    4d:c5:90:f6:fb:9e:fd:06:60:c7:66:5d:64:b0:ad:
                    a2:95
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                44:CE:7E:73:97:26:0E:55:5E:9C:07:44:A8:4D:78:50:C0:02:D0:6B
            X509v3 Authority Key Identifier:
                keyid:D0:10:19:3D:FD:0C:2C:77:A0:39:F9:16:52:7D:3F:E2:E3:F7:D4:59
                DirName:/C=US/ST=CT/L=Fairfield/O=IPC/OU=TS-1337911838/CN=http://www.ipc.com
                serial:01

            X509v3 Subject Alternative Name:
                IP Address:10.204.74.188
    Signature Algorithm: sha1WithRSAEncryption
        17:b5:fd:a8:58:21:5d:a7:fd:15:e3:6d:bb:52:e5:8d:2c:c2:
        4c:2a:19:ec:91:fc:f0:f6:01:ff:84:8e:de:c3:59:8b:34:ef:
        dd:72:a5:57:70:cb:3b:df:e9:70:fa:eb:21:88:f8:d6:e7:fb:
        e2:f6:98:a9:ef:07:11:6d:63:72:0b:2d:79:ac:54:c4:58:2d:
        10:90:a4:af:f7:0d:ff:3b:9a:a7:14:d9:4d:36:a6:28:d8:4e:
        40:e3:76:d6:31:a3:f7:02:b1:df:a2:bb:6b:ec:55:4c:ba:c8:
        5d:b7:41:2a:35:7d:23:77:e3:f3:fe:80:b5:98:10:01:a1:4f:
        f2:1e:ef:c2:e1:76:ca:ae:ac:35:07:ed:5c:06:66:42:cd:9d:
        92:36:e5:3b:f7:b3:a5:64:bd:3f:1d:6a:57:54:28:7f:96:5b:
        ab:7c:22:24:25:67:f2:7a:81:01:58:d0:05:0b:bf:aa:3d:a6:
        cd:8c:c1:75:a0:66:6a:79:b5:df:5a:30:99:4b:ac:16:f0:5f:
        b3:86:8c:7e:6c:42:2b:ef:ff:99:29:0a:2a:56:4a:5d:5d:fc:
        86:5f:67:6b:cb:3f:00:60:70:61:ca:b0:05:27:b2:5d:a4:b3:
        51:7a:65:f6:10:ed:d4:be:29:9e:57:dd:c4:0f:f4:57:7e:c7:
        d5:3f:a3:1b:cb:77:e3:dc:71:86:ba:39:b3:f8:02:0c:47:68:
        3d:96:9b:84:db:79:80:1a:da:4c:d9:ff:84:0e:6d:98:b6:f8:
        9e:b9:9a:84:bd:0d:fe:cf:99:9e:1c:05:fb:47:3e:f7:49:33:
        48:d6:ff:24:91:c0:44:f0:0e:59:c2:43:3a:dd:49:86:a0:1b:
        9b:7b:c9:76:fa:34:04:10:1c:7a:d4:32:ad:97:ae:8c:b4:94:
        04:1a:55:f8:1a:18:22:f0:c4:47:23:71:57:85:83:47:3c:72:
        8d:78:c4:e1:d3:83:68:87:3a:e6:52:d5:21:53:ea:81:b8:39:
        dc:df:7f:d1:3c:16:1b:c2:37:5a:6e:cc:2c:59:6e:3d:87:4a:
        04:43:44:3a:de:a2:5b:ad:83:e6:f5:41:39:6f:a5:3c:1a:ea:
        7c:71:95:16:e2:f4:80:4a:8d:5e:b5:19:50:a3:b3:5f:8b:ad:
        ad:47:78:9f:96:57:89:43:53:cb:24:1e:a7:c0:5f:2c:2e:04:
        ad:41:6d:de:0a:ba:14:f7:a1:97:48:b3:c5:36:a4:60:f3:6a:
        20:47:08:f0:92:90:8f:33:06:4c:49:c2:36:ec:41:68:93:37:
        42:f3:4f:c7:9f:d1:b5:b5:67:15:64:9f:79:0e:45:ea:2f:74:
        bb:4f:6f:6a:28:1c:96:e6
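The two ipsec.conf snippets, the two certificate dumps and charon's "looking for peer configs matching" lines above can be cross-checked mechanically. The script below is an added example, not code from the post or from the strongSwan project. It parses the ipsec.conf subset used above, pulls the `Subject:` and `Subject Alternative Name` lines out of an `openssl x509 -text` dump, reads charon's `me[IDr]...other[IDi]` log line, and reports where the identity a peer sends differs from the identity the other side expects, or where a local identity is not confirmable by the certificate. The sample configs, certificate lines and log lines are constructed copies of what was posted; the labelled assumptions are that, with no `leftid`, charon sends the `left` address as IDi (which is what the IDi values in the logs show), and that with no `rightid` the `right` address is the expected peer identity.

```python
"""Identity-consistency check for a pair of strongSwan IKEv2 peers.

Added example (not from the original post or the strongSwan project).
Assumptions, labelled: without leftid the local identity defaults to the
`left` address; without rightid the expected peer identity defaults to
`right`.  Identities must also appear in the peer's certificate (subject DN
or a subjectAltName entry) to be confirmed.
"""
import re

# charon logs: looking for peer configs matching me[IDr]...other[IDi]
CHARON_MATCH = re.compile(
    r"looking for peer configs matching (\S+?)\[(.+?)\]\.\.\.(\S+?)\[(.+?)\]")


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' block in ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if not raw[:1].isspace():                  # section header at column 0
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def local_id(conn):
    # Assumption: without leftid, charon sends the left address as IDi.
    return conn.get("leftid", conn["left"])


def expected_peer_id(conn):
    # Assumption: without rightid, the right address is the expected IDi.
    return conn.get("rightid", conn["right"])


def cert_identities(openssl_text):
    """Identities a certificate can confirm: its subject DN plus SAN entries."""
    ids = set()
    subj = re.search(r"^\s*Subject:\s*(.+)$", openssl_text, re.M)
    if subj:
        ids.add(subj.group(1).strip())
    san = re.search(r"Subject Alternative Name:\s*(.+)", openssl_text)
    if san:
        for entry in san.group(1).split(","):
            kind, _, value = entry.strip().partition(":")
            if kind in ("IP Address", "DNS", "email"):
                ids.add(value.strip())
    return ids


def check_pair(a, b):
    """a, b: {'name', 'conn', 'cert_ids'}.  Returns a list of findings."""
    findings = []
    for me, peer in ((a, b), (b, a)):
        my_id = local_id(me["conn"])
        if my_id not in me["cert_ids"]:
            findings.append(f"{me['name']}: local id {my_id} is not in its "
                            f"certificate subject/SAN {sorted(me['cert_ids'])}")
        want, peer_sends = expected_peer_id(me["conn"]), local_id(peer["conn"])
        if want != peer_sends:
            findings.append(f"{me['name']}: rightid={want} but {peer['name']} "
                            f"sends IDi={peer_sends}; {peer['name']} will also "
                            f"reject the IDr={want} that {me['name']} sends")
    return findings


def explain_charon_line(line, conn):
    """Compare a charon 'looking for peer configs matching' line with this
    host's conn; return {'IDr'|'IDi': (received, configured)} for mismatches."""
    m = CHARON_MATCH.search(line)
    if not m:
        return None
    _me, idr, _other, idi = m.groups()
    problems = {}
    if idr != local_id(conn):
        problems["IDr"] = (idr, local_id(conn))
    if idi != expected_peer_id(conn):
        problems["IDi"] = (idi, expected_peer_id(conn))
    return problems


# Constructed samples: the posted configs, a corrected 189 side, the relevant
# certificate lines and the two charon lines.
CONF_188 = """conn LocalIP_LocalIP_10.204.74.189
        left=10.204.74.188
        leftcert=ServLcl.pem
        right=10.204.74.189
        rightid=10.204.74.189
        keyexchange=ikev2
"""
CONF_189_POSTED = """conn LocalIP_LocalIP_10.204.74.188
        left=10.204.74.189
        leftcert=ServLcl.pem
        right=10.204.74.188
        rightid=10.204.74.189
        keyexchange=ikev2
"""
CONF_189_FIXED = CONF_189_POSTED.replace("rightid=10.204.74.189", "rightid=10.204.74.188")
CERT_188 = """        Subject: C=US, ST=CT, L=Fairfield, O=IPC, CN=10.204.74.188
            X509v3 Subject Alternative Name:
                IP Address:10.204.74.188
"""
CERT_189 = """        Subject: C=US, ST=CT, L=Fairfield, O=IPC, CN=10.204.74.189
            X509v3 Subject Alternative Name:
                IP Address:10.204.74.189
"""
LOG_189 = ("charon: 12[CFG] looking for peer configs matching "
           "10.204.74.189[10.204.74.189]...10.204.74.188[10.204.74.188]")
LOG_188 = ("charon: 15[CFG] looking for peer configs matching "
           "10.204.74.188[10.204.74.189]...10.204.74.189[10.204.74.189]")


def peer(name, conf, cert):
    conn = next(iter(parse_ipsec_conf(conf).values()))
    return {"name": name, "conn": conn, "cert_ids": cert_identities(cert)}


def findings_as_posted():
    return check_pair(peer("188", CONF_188, CERT_188),
                      peer("189", CONF_189_POSTED, CERT_189))


def findings_after_fix():
    return check_pair(peer("188", CONF_188, CERT_188),
                      peer("189", CONF_189_FIXED, CERT_189))


if __name__ == "__main__":
    for f in findings_as_posted() or ["no identity mismatches"]:
        print(f)
    print(explain_charon_line(LOG_189, peer("189", CONF_189_POSTED, CERT_189)["conn"]))
    print(explain_charon_line(LOG_188, peer("188", CONF_188, CERT_188)["conn"]))
```

Run as-is, the script reports one finding for the posted pair and none once the 189 side's `rightid` names the 188 peer; the charon-line helper shows the same disagreement from each host's log (IDi on 189, IDr on 188), which is the first thing to compare when charon answers `no matching peer config found` even though the certificate carries the right subjectAltName.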


