[strongSwan] x509 subjectAltName ipaddress not matching
Shukla, Sanjay
Sanjay.Shukla at ipc.com
Fri May 25 17:07:09 CEST 2012
I have the IP address defined in the subjectAltName of the server certificates. However, the authentication fails; here are my configs on the peers (10.204.74.188 and 10.204.74.189). What is needed for IP address validation against the IP address found in the subjectAltName?
On 10.204.74.188
config setup
    uniqueids=replace
    plutostart=no
    charonstart=yes

#Below Are The Configuration for CCM_CCM IPSec Tunnel
conn LocalIP_LocalIP_10.204.74.189
    left=10.204.74.188
    leftcert=ServLcl.pem
    leftsendcert=yes
    leftupdown=/opt/ipc/security/ipsectunnel/raiseAlarm_ipsec.sh
    right=10.204.74.189
    rightid=10.204.74.189
    keyexchange=ikev2
    type=transport
    reauth=no
    dpddelay=5s
    dpdaction=restart
    keyingtries=%forever
    auto=route
--
On 10.204.74.189
config setup
    uniqueids=replace
    plutostart=no
    charonstart=yes

#Below Are The Configuration for CCM_CCM IPSec Tunnel
conn LocalIP_LocalIP_10.204.74.188
    left=10.204.74.189
    leftcert=ServLcl.pem
    leftsendcert=yes
    leftupdown=/opt/ipc/security/ipsectunnel/raiseAlarm_ipsec.sh
    right=10.204.74.188
    rightid=10.204.74.189
    keyexchange=ikev2
    type=transport
    reauth=no
    dpddelay=5s
    dpdaction=restart
    keyingtries=%forever
    auto=route
Logs on 189
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 07[NET] received packet: from 10.204.74.188[500] to 10.204.74.189[500]
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 12[IKE] received cert request for "C=US, ST=CT, L=Fairfield, O=IPC, OU=TS-1337911838, CN=http://www.ipc.com"
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 12[IKE] received end entity cert "C=US, ST=CT, L=Fairfield, O=IPC, CN=10.204.74.188"
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 12[CFG] looking for peer configs matching 10.204.74.189[10.204.74.189]...10.204.74.188[10.204.74.188]
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 12[CFG] no matching peer config found
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 12[IKE] peer supports MOBIKE
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
--
Logs on 188
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[NET] received packet: from 10.204.74.189[4500] to 10.204.74.188[4500]
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[IKE] received cert request for "C=US, ST=CT, L=Fairfield, O=IPC, OU=TS-1337911838, CN=http://www.ipc.com"
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[IKE] received end entity cert "C=US, ST=CT, L=Fairfield, O=IPC, CN=10.204.74.189"
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[CFG] looking for peer configs matching 10.204.74.188[10.204.74.189]...10.204.74.189[10.204.74.189]
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[CFG] no matching peer config found
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[IKE] peer supports MOBIKE
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Certificate on 189
[root@ffd-ipsec-189 ~]# openssl x509 -in /opt/ipc/security/keymgmt/certs/ServLcl.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1337917633 (0x4fbf00c1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CT, L=Fairfield, O=IPC, OU=TS-1337911838, CN=http://www.ipc.com
Validity
Not Before: May 25 03:47:13 2012 GMT
Not After : May 24 03:47:13 2019 GMT
Subject: C=US, ST=CT, L=Fairfield, O=IPC, CN=10.204.74.189
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
53:0B:01:8A:51:37:23:63:D1:2D:0B:50:27:5E:62:19:A6:37:F2:B3
X509v3 Authority Key Identifier:
keyid:D0:10:19:3D:FD:0C:2C:77:A0:39:F9:16:52:7D:3F:E2:E3:F7:D4:59
DirName:/C=US/ST=CT/L=Fairfield/O=IPC/OU=TS-1337911838/CN=http://www.ipc.com
serial:01
X509v3 Subject Alternative Name:
IP Address:10.204.74.189
Signature Algorithm: sha1WithRSAEncryption
Certificate on 188
[root@ffd-ipsec-188 ~]# openssl x509 -in /opt/ipc/security/keymgmt/certs/ServLcl.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1337911839 (0x4fbeea1f)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CT, L=Fairfield, O=IPC, OU=TS-1337911838, CN=http://www.ipc.com
Validity
Not Before: May 25 02:10:39 2012 GMT
Not After : May 24 02:10:39 2019 GMT
Subject: C=US, ST=CT, L=Fairfield, O=IPC, CN=10.204.74.188
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
44:CE:7E:73:97:26:0E:55:5E:9C:07:44:A8:4D:78:50:C0:02:D0:6B
X509v3 Authority Key Identifier:
keyid:D0:10:19:3D:FD:0C:2C:77:A0:39:F9:16:52:7D:3F:E2:E3:F7:D4:59
DirName:/C=US/ST=CT/L=Fairfield/O=IPC/OU=TS-1337911838/CN=http://www.ipc.com
serial:01
X509v3 Subject Alternative Name:
IP Address:10.204.74.188
Signature Algorithm: sha1WithRSAEncryption
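An added example, not part of the post above: a small Python cross-check of the two conn sections against each peer's certificate identity, plus a decoder for charon's "looking for peer configs matching" line. The config excerpts, subjectAltName values and log lines are copied from the post; the helper names are mine, and the example assumes (as ipsec.conf documents for its default) that an unset leftid/rightid falls back to the left/right address and that this identity must appear in the certificate's subjectAltName.

```python
import re

# Excerpted from the two conn sections in the post (other settings omitted)
CONF_188 = """conn LocalIP_LocalIP_10.204.74.189
    left=10.204.74.188
    right=10.204.74.189
    rightid=10.204.74.189
"""
CONF_189 = """conn LocalIP_LocalIP_10.204.74.188
    left=10.204.74.189
    right=10.204.74.188
    rightid=10.204.74.189
"""
# IP subjectAltName of each peer's ServLcl.pem, from the openssl output above
SAN = {"10.204.74.188": "10.204.74.188", "10.204.74.189": "10.204.74.189"}
# charon's "looking for peer configs matching me[IDr]...other[IDi]" lines above
LOG_188 = "15[CFG] looking for peer configs matching 10.204.74.188[10.204.74.189]...10.204.74.189[10.204.74.189]"
LOG_189 = "12[CFG] looking for peer configs matching 10.204.74.189[10.204.74.189]...10.204.74.188[10.204.74.188]"

LOG_RE = re.compile(r"matching ([^\s\[]+)\[([^\]]+)\]\.\.\.([^\s\[]+)\[([^\]]+)\]")

def parse_conn(text):
    """Return the key=value settings of one ipsec.conf conn section."""
    return dict(re.findall(r"^[ \t]*(\w+)=(\S+)", text, re.M))

def identities(conn):
    """Expected local/remote identity; assumed default: the left/right address."""
    return conn.get("leftid", conn["left"]), conn.get("rightid", conn["right"])

def check_ids(conn, san):
    """Identities the corresponding certificate's subjectAltName does not carry."""
    leftid, rightid = identities(conn)
    problems = []
    if leftid != san[conn["left"]]:
        problems.append(f"leftid {leftid} != own cert SAN {san[conn['left']]}")
    if rightid != san[conn["right"]]:
        problems.append(f"rightid {rightid} != peer cert SAN {san[conn['right']]}")
    return problems

def explain_log(line, conn):
    """Name the identity that made charon reject the exchange: the IDr the
    peer asked us to prove, or the IDi the peer presented for itself."""
    _me, idr, _other, idi = LOG_RE.search(line).groups()
    leftid, rightid = identities(conn)
    if idr != leftid:
        return f"peer requested IDr {idr}, but our identity is {leftid}"
    if idi != rightid:
        return f"peer sent IDi {idi}, but rightid is {rightid}"
    return "identities match"
```

Run over the post's own data it flags only the 189 side, whose rightid repeats the local address instead of 10.204.74.188; both peers' "no matching peer config found" lines trace back to that one value.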