[strongSwan] x509 subjectAltName ipaddress not matching
Shukla, Sanjay
Sanjay.Shukla at ipc.com
Fri May 25 16:46:14 CEST 2012
I have the IP address defined in the subjectAltName of the server certificates. However, the authentication fails; here are my configs on the peers (10.204.74.188 and 10.204.74.189). What is needed for IP address validation using the IP address found in the subjectAltName?
On 10.204.74.188
config setup
uniqueids=replace
plutostart=no
charonstart=yes
#Below Are The Configuration for CCM_CCM IPSec Tunnel
conn LocalIP_LocalIP_10.204.74.189
left=10.204.74.188
leftcert=ServLcl.pem
leftsendcert=yes
leftupdown=/opt/ipc/security/ipsectunnel/raiseAlarm_ipsec.sh
right=10.204.74.189
rightid=10.204.74.189
keyexchange=ikev2
type=transport
reauth=no
dpddelay=5s
dpdaction=restart
keyingtries=%forever
auto=route
--
On 10.204.74.189
config setup
uniqueids=replace
plutostart=no
charonstart=yes
#Below Are The Configuration for CCM_CCM IPSec Tunnel
conn LocalIP_LocalIP_10.204.74.188
left=10.204.74.189
leftcert=ServLcl.pem
leftsendcert=yes
leftupdown=/opt/ipc/security/ipsectunnel/raiseAlarm_ipsec.sh
right=10.204.74.188
rightid=10.204.74.189
keyexchange=ikev2
type=transport
reauth=no
dpddelay=5s
dpdaction=restart
keyingtries=%forever
auto=route
Logs on 189
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 07[NET] received packet: from 10.204.74.188[500] to 10.204.74.189[500]
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 12[IKE] received cert request for "C=US, ST=CT, L=Fairfield, O=IPC, OU=TS-1337911838, CN=http://www.ipc.com"
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 12[IKE] received end entity cert "C=US, ST=CT, L=Fairfield, O=IPC, CN=10.204.74.188"
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 12[CFG] looking for peer configs matching 10.204.74.189[10.204.74.189]...10.204.74.188[10.204.74.188]
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 12[CFG] no matching peer config found
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 12[IKE] peer supports MOBIKE
2012-05-25T10:34:24.000-04:00 [daemon] [info] ffd-ipsec-189.ipc.com charon: 12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
--
Logs on 188
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[NET] received packet: from 10.204.74.189[4500] to 10.204.74.188[4500]
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[IKE] received cert request for "C=US, ST=CT, L=Fairfield, O=IPC, OU=TS-1337911838, CN=http://www.ipc.com"
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[IKE] received end entity cert "C=US, ST=CT, L=Fairfield, O=IPC, CN=10.204.74.189"
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[CFG] looking for peer configs matching 10.204.74.188[10.204.74.189]...10.204.74.189[10.204.74.189]
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[CFG] no matching peer config found
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[IKE] peer supports MOBIKE
2012-05-25T10:37:56.000-04:00 [daemon] [info] ffd-ipsec-188.ipc.com charon: 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Certificate on 189
[root at ffd-ipsec-189 ~]# openssl x509 -in /opt/ipc/security/keymgmt/certs/ServLcl.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1337917633 (0x4fbf00c1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CT, L=Fairfield, O=IPC, OU=TS-1337911838, CN=http://www.ipc.com
Validity
Not Before: May 25 03:47:13 2012 GMT
Not After : May 24 03:47:13 2019 GMT
Subject: C=US, ST=CT, L=Fairfield, O=IPC, CN=10.204.74.189
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
53:0B:01:8A:51:37:23:63:D1:2D:0B:50:27:5E:62:19:A6:37:F2:B3
X509v3 Authority Key Identifier:
keyid:D0:10:19:3D:FD:0C:2C:77:A0:39:F9:16:52:7D:3F:E2:E3:F7:D4:59
DirName:/C=US/ST=CT/L=Fairfield/O=IPC/OU=TS-1337911838/CN=http://www.ipc.com
serial:01
X509v3 Subject Alternative Name:
IP Address:10.204.74.189
Signature Algorithm: sha1WithRSAEncryption
Certificate on 188
[root at ffd-ipsec-188 ~]# openssl x509 -in /opt/ipc/security/keymgmt/certs/ServLcl.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1337911839 (0x4fbeea1f)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CT, L=Fairfield, O=IPC, OU=TS-1337911838, CN=http://www.ipc.com
Validity
Not Before: May 25 02:10:39 2012 GMT
Not After : May 24 02:10:39 2019 GMT
Subject: C=US, ST=CT, L=Fairfield, O=IPC, CN=10.204.74.188
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
44:CE:7E:73:97:26:0E:55:5E:9C:07:44:A8:4D:78:50:C0:02:D0:6B
X509v3 Authority Key Identifier:
keyid:D0:10:19:3D:FD:0C:2C:77:A0:39:F9:16:52:7D:3F:E2:E3:F7:D4:59
DirName:/C=US/ST=CT/L=Fairfield/O=IPC/OU=TS-1337911838/CN=http://www.ipc.com
serial:01
X509v3 Subject Alternative Name:
IP Address:10.204.74.188
Signature Algorithm: sha1WithRSAEncryption
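As an added diagnostic (not part of the original post or of strongSwan itself), the following script reads the identities charon prints in its "looking for peer configs matching me[IDr]...peer[IDi]" line and compares them with a conn's leftid/rightid (falling back to left/right), which is the comparison charon performs before it reports "no matching peer config found". The conn sections and log lines are constructed from the ones quoted above, trimmed to the identity-relevant keys; the address fallback when no id is set is an assumption made for this check.

```python
import re

# Constructed from the two conn sections quoted in the post, trimmed to the identity keys.
CONF_189 = "conn LocalIP_LocalIP_10.204.74.188\n left=10.204.74.189\n right=10.204.74.188\n rightid=10.204.74.189\n"
CONF_188 = "conn LocalIP_LocalIP_10.204.74.189\n left=10.204.74.188\n right=10.204.74.189\n rightid=10.204.74.189\n"
# Constructed charon CFG lines in the form the post shows: me[IDr]...peer[IDi].
LOG_189 = "charon: 12[CFG] looking for peer configs matching 10.204.74.189[10.204.74.189]...10.204.74.188[10.204.74.188]"
LOG_188 = "charon: 15[CFG] looking for peer configs matching 10.204.74.188[10.204.74.189]...10.204.74.189[10.204.74.189]"

LOG_RE = re.compile(r"matching (\S+?)\[(.+?)\]\.\.\.(\S+?)\[(.+?)\]")

def parse_conns(text):
    """Parse ipsec.conf-style 'conn NAME' sections into {name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def diagnose(conf_text, log_line):
    """Return {conn: [problems]} explaining why charon found no matching peer config.
    charon compares the peer's IDi against rightid and the requested IDr against leftid.
    Falling back to the bare address when no *id is set is an assumption made here;
    with a certificate configured strongSwan may default to its subject instead."""
    m = LOG_RE.search(log_line)
    if not m:
        raise ValueError("not a 'looking for peer configs' line")
    _me, idr, _peer, idi = m.groups()
    report = {}
    for name, c in parse_conns(conf_text).items():
        problems = []
        want_peer = c.get("rightid", c.get("right"))
        want_me = c.get("leftid", c.get("left"))
        if want_peer != idi:
            problems.append(f"rightid={want_peer} but peer sent IDi={idi}")
        if want_me != idr:
            problems.append(f"leftid={want_me} but peer requested IDr={idr}")
        report[name] = problems
    return report
```

Running diagnose(CONF_189, LOG_189) flags the rightid on 189 against the IDi 188 actually sends, and diagnose(CONF_188, LOG_188) flags the IDr that 189 requests against 188's own identity, which is why both IKE_AUTH exchanges end in N(AUTH_FAILED).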