[strongSwan] subject certificate invalid

Jun Yin hansyin at gmail.com
Wed Oct 31 04:39:39 CET 2012


Could anybody help check what's wrong with my config?

I got the error below:
root at pc150:~# ipsec up forti_working
initiating IKE_SA forti_working[1] to 192.168.6.63
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.6.150[500] to 192.168.6.63[500]
received packet: from 192.168.6.63[500] to 192.168.6.150[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
received cert request for "C=CA, ST=BC, L=Burnaby, O=Fortinet Inc,
OU=QA, CN=fortinet.local-CA-2, E=mzhang at fortinet.local"
sending cert request for "C=CA, ST=BC, L=Burnaby, O=Fortinet Inc,
OU=QA, CN=fortinet.local-CA-2, E=mzhang at fortinet.local"
sending cert request for "C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa,
CN=hans_216_sub2, E=hans_216_sub2 at stress.com"
authentication of 'C=CA, ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA,
CN=pauldef.fortinet.local, E=pdef at fortinet.local' (myself) with RSA
signature successful
sending end entity cert "C=CA, ST=BC, L=Burnaby, O=Fortinet Inc,
OU=QA, CN=pauldef.fortinet.local, E=pdef at fortinet.local"
establishing CHILD_SA forti_working
generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP(ADDR DNS)
SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 192.168.6.150[4500] to 192.168.6.63[4500]
retransmit 1 of request with message ID 1
sending packet: from 192.168.6.150[4500] to 192.168.6.63[4500]
received packet: from 192.168.6.63[4500] to 192.168.6.150[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR) SA TSi TSr ]
received end entity cert "C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa,
CN=dut2_sub2, E=dut2_sub2 at stress.com"
  using certificate "C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa,
CN=dut2_sub2, E=dut2_sub2 at stress.com"
  using trusted intermediate ca certificate "C=CA, ST=bc, L=vancouver,
O=fortinet, OU=qa, CN=hans_216_sub2, E=hans_216_sub2 at stress.com"
subject certificate invalid (valid from Sep 12 10:47:25 2011 to Sep 11
10:47:25 2012)
no trusted RSA public key found for 'C=CA, ST=bc, L=vancouver,
O=fortinet, OU=qa, CN=dut2_sub2, E=dut2_sub2 at stress.com'
root at pc150:~#


From debug, I got:


Oct 30 17:54:41 pc150 charon: 00[DMN] Starting IKEv2 charon daemon
(strongSwan 4.5.0)
Oct 30 17:54:41 pc150 charon: 00[LIB] Padlock not found, CPU is GenuineIntel
Oct 30 17:54:41 pc150 charon: 00[LIB] plugin 'padlock': failed to load
- padlock_plugin_create returned NULL
Oct 30 17:54:41 pc150 charon: 00[KNL] listening on interfaces:
Oct 30 17:54:41 pc150 charon: 00[KNL]   eth0
Oct 30 17:54:41 pc150 charon: 00[KNL]     172.18.7.150
Oct 30 17:54:41 pc150 charon: 00[KNL]     fe80::215:5dff:fe07:5f12
Oct 30 17:54:41 pc150 charon: 00[KNL]   eth1
Oct 30 17:54:41 pc150 charon: 00[KNL]     192.168.6.150
Oct 30 17:54:41 pc150 charon: 00[KNL]     fe80::215:5dff:fe07:5f19
Oct 30 17:54:41 pc150 charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Oct 30 17:54:41 pc150 charon: 00[CFG]   loaded ca certificate "C=CA,
ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA, CN=fortinet.local-CA-2,
E=mzhang at fortinet.local" from
'/etc/ipsec.d/cacerts/fortinet.local-CA-2-cacert.pem'
Oct 30 17:54:41 pc150 charon: 00[CFG]   loaded ca certificate "C=CA,
ST=bc, L=vancouver, O=fortinet, OU=qa, CN=hans_216_sub2,
E=hans_216_sub2 at stress.com" from
'/etc/ipsec.d/cacerts/cacert_sub2.pem'
Oct 30 17:54:41 pc150 charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Oct 30 17:54:41 pc150 charon: 00[CFG] loading ocsp signer certificates
from '/etc/ipsec.d/ocspcerts'
Oct 30 17:54:41 pc150 charon: 00[CFG] loading attribute certificates
from '/etc/ipsec.d/acerts'
Oct 30 17:54:41 pc150 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Oct 30 17:54:41 pc150 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Oct 30 17:54:41 pc150 charon: 00[CFG]   loaded IKE secret for
192.168.111.221 192.168.111.111
Oct 30 17:54:41 pc150 charon: 00[CFG]   loaded IKE secret for
192.168.2.221 192.168.2.236
Oct 30 17:54:41 pc150 charon: 00[CFG]   loaded IKE secret for
192.168.2.162 192.168.2.100
Oct 30 17:54:42 pc150 charon: 00[CFG]   loaded RSA private key from
'/etc/ipsec.d/private/pdef at fortinet.local-key.pem'
Oct 30 17:54:42 pc150 charon: 00[CFG] sql plugin: database URI not set
Oct 30 17:54:42 pc150 charon: 00[LIB] plugin 'sql': failed to load -
sql_plugin_create returned NULL
Oct 30 17:54:42 pc150 charon: 00[CFG] no valid RADIUS server configuration found
Oct 30 17:54:42 pc150 charon: 00[LIB] plugin 'eap-radius': failed to
load - eap_radius_plugin_create returned NULL
Oct 30 17:54:42 pc150 charon: 00[CFG] mediation database URI not
defined, skipped
Oct 30 17:54:42 pc150 charon: 00[LIB] plugin 'medsrv': failed to load
- medsrv_plugin_create returned NULL
Oct 30 17:54:42 pc150 charon: 00[CFG] mediation client database URI
not defined, skipped
Oct 30 17:54:42 pc150 charon: 00[LIB] plugin 'medcli': failed to load
- medcli_plugin_create returned NULL
Oct 30 17:54:42 pc150 charon: 00[LIB] plugin 'nm' failed to load:
/usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object
file: No such file or directory
Oct 30 17:54:42 pc150 charon: 00[CFG] HA config misses local/remote address
Oct 30 17:54:42 pc150 charon: 00[LIB] plugin 'ha': failed to load -
ha_plugin_create returned NULL
Oct 30 17:54:42 pc150 charon: 00[DMN] loaded plugins: test-vectors
curl ldap aes des sha1 sha2 md5 random x509 revocation pubkey pkcs1
pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr
kernel-netlink resolve socket-raw farp stroke updown eap-identity
eap-aka eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-tnc dhcp led
addrblock
Oct 30 17:54:42 pc150 charon: 00[JOB] spawning 16 worker threads
Oct 30 17:54:42 pc150 charon: 09[CFG] received stroke: add connection
'forti_notworking'
Oct 30 17:54:42 pc150 charon: 09[CFG]   loaded certificate "C=CA,
ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA, CN=pauldef.fortinet.local,
E=pdef at fortinet.local" from 'pdef at fortinet.local-cert.pem'
Oct 30 17:54:42 pc150 charon: 09[CFG]   id 'pdef' not confirmed by
certificate, defaulting to 'C=CA, ST=BC, L=Burnaby, O=Fortinet Inc,
OU=QA, CN=pauldef.fortinet.local, E=pdef at fortinet.local'
Oct 30 17:54:42 pc150 charon: 09[CFG] added configuration 'forti_notworking'
Oct 30 17:54:42 pc150 charon: 13[CFG] received stroke: add connection
'forti_working'
Oct 30 17:54:42 pc150 charon: 13[CFG]   loaded certificate "C=CA,
ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA, CN=pauldef.fortinet.local,
E=pdef at fortinet.local" from 'pdef at fortinet.local-cert.pem'
Oct 30 17:54:42 pc150 charon: 13[CFG]   id 'pdef' not confirmed by
certificate, defaulting to 'C=CA, ST=BC, L=Burnaby, O=Fortinet Inc,
OU=QA, CN=pauldef.fortinet.local, E=pdef at fortinet.local'
Oct 30 17:54:42 pc150 charon: 13[CFG] added configuration 'forti_working'
Oct 30 17:58:53 pc150 charon: 10[CFG] received stroke: initiate 'forti_working'
Oct 30 17:58:53 pc150 charon: 01[IKE] initiating IKE_SA
forti_working[1] to 192.168.6.63
Oct 30 17:58:53 pc150 charon: 01[ENC] generating IKE_SA_INIT request 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 30 17:58:53 pc150 charon: 01[NET] sending packet: from
192.168.6.150[500] to 192.168.6.63[500]
Oct 30 17:58:53 pc150 charon: 16[NET] received packet: from
192.168.6.63[500] to 192.168.6.150[500]
Oct 30 17:58:53 pc150 charon: 16[ENC] parsed IKE_SA_INIT response 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Oct 30 17:58:54 pc150 charon: 16[IKE] received cert request for "C=CA,
ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA, CN=fortinet.local-CA-2,
E=mzhang at fortinet.local"
Oct 30 17:58:54 pc150 charon: 16[IKE] sending cert request for "C=CA,
ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA, CN=fortinet.local-CA-2,
E=mzhang at fortinet.local"
Oct 30 17:58:54 pc150 charon: 16[IKE] sending cert request for "C=CA,
ST=bc, L=vancouver, O=fortinet, OU=qa, CN=hans_216_sub2,
E=hans_216_sub2 at stress.com"
Oct 30 17:58:54 pc150 charon: 16[IKE] authentication of 'C=CA, ST=BC,
L=Burnaby, O=Fortinet Inc, OU=QA, CN=pauldef.fortinet.local,
E=pdef at fortinet.local' (myself) with RSA signature successful
Oct 30 17:58:54 pc150 charon: 16[IKE] sending end entity cert "C=CA,
ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA, CN=pauldef.fortinet.local,
E=pdef at fortinet.local"
Oct 30 17:58:54 pc150 charon: 16[IKE] establishing CHILD_SA forti_working
Oct 30 17:58:54 pc150 charon: 16[ENC] generating IKE_AUTH request 1 [
IDi CERT CERTREQ IDr AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP)
N(ADD_4_ADDR) N(EAP_ONLY) ]
Oct 30 17:58:54 pc150 charon: 16[NET] sending packet: from
192.168.6.150[4500] to 192.168.6.63[4500]
Oct 30 17:58:58 pc150 charon: 12[IKE] retransmit 1 of request with message ID 1
Oct 30 17:58:58 pc150 charon: 12[NET] sending packet: from
192.168.6.150[4500] to 192.168.6.63[4500]
Oct 30 17:58:59 pc150 charon: 09[NET] received packet: from
192.168.6.63[4500] to 192.168.6.150[4500]
Oct 30 17:58:59 pc150 charon: 09[ENC] parsed IKE_AUTH response 1 [ IDr
CERT AUTH CP(ADDR) SA TSi TSr ]
Oct 30 17:58:59 pc150 charon: 09[IKE] received end entity cert "C=CA,
ST=bc, L=vancouver, O=fortinet, OU=qa, CN=dut2_sub2,
E=dut2_sub2 at stress.com"
Oct 30 17:58:59 pc150 charon: 09[CFG]   using certificate "C=CA,
ST=bc, L=vancouver, O=fortinet, OU=qa, CN=dut2_sub2,
E=dut2_sub2 at stress.com"
Oct 30 17:58:59 pc150 charon: 09[CFG]   using trusted intermediate ca
certificate "C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa,
CN=hans_216_sub2, E=hans_216_sub2 at stress.com"
Oct 30 17:58:59 pc150 charon: 09[CFG] subject certificate invalid
(valid from Sep 12 10:47:25 2011 to Sep 11 10:47:25 2012)
Oct 30 17:58:59 pc150 charon: 09[IKE] no trusted RSA public key found
for 'C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa, CN=dut2_sub2,
E=dut2_sub2 at stress.com'
Oct 30 18:17:02



My config files:

root at pc150:~# cat /etc/ipsec.conf
config setup
        #charondebug="dmn 1, mgr 1, ike 2, chd 1, job 1, cfg 5, knl 1,
net 5, enc 4, lib 4"
        charondebug=all
        dumpdir=/var/crash
        hidetos=yes
        nat_traversal=yes
        plutostart=no
conn %default
        auto=add
        # ike=aes128-3des-sha256-modp2048!
        ike=aes128-3des-sha-modp2048!
        ikelifetime=24h
        keyexchange=ikev2
        keyingtries=1
        keylife=4h
        left= 192.168.6.150
        leftnexthop=192.168.6.63
        leftsourceip=%config
        reauth=no
        rekey=yes
        rekeyfuzz=10%
        rekeymargin=10m
        #rightid=@hnb.example.com
        rightauth=pubkey
        leftauth=pubkey
        right=192.168.6.63
        leftcert="pdef at fortinet.local-cert.pem"
        leftid=@pdef


conn forti_notworking
        rightid=@dut1fqdn
        rightsubnet=0.0.0.0/0
        leftsubnet=0.0.0.0/0

conn forti_working
        #rightid="C=GB, ST=Wiltshire, L=Swindon, O=Example Operator,
OU=PKI, CN=fortinet.sha1.example.com, E=tw52 at alcatel-lucent.com"
        #rightid="CN=paul.fortinet.local"
        rightid="C=CA, ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA,
CN=paul.fortinet.local, E=paul at fortinet.local"
        #rightsubnet=192.168.2.0/24
        #rightsubnet=135.86.206.154/32
        #works rightsubnet=10.4.0.0/24
        leftsubnet=0.0.0.0/0
        rightsubnet=0.0.0.0/0
        #rightsubnet=135.1.1.1/32
        #leftsubnet=135.1.1.2/32
        #leftsubnet=10.244.243.4/32
        #leftsubnet=192.168.2.201/32
        #leftsubnet=10.244.243.0/24
        #forceencaps=yes



root at pc150:~# cat /etc/ipsec.secrets
192.168.111.221 192.168.111.111 : PSK "123456"
192.168.2.221 192.168.2.236 : PSK "123456"
192.168.2.162 192.168.2.100 : PSK "123456"
192.168.6.150 192.168.6.63 : RSA "pdef at fortinet.local-key.pem" 111111



Thanks a lot!

-- 
Rgds,

Hans Yin
Web:   http://sourceforge.net/projects/autotestnet/
Email:  hansyin at gmail.com
MSN:   hansyin at hotmail.com
Skype: hans_yin_vancouver
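Added example (not part of the original post and not strongSwan code): the charon message "subject certificate invalid (valid from ... to ...)" is the daemon's way of saying the peer's certificate is outside its validity window, and the follow-on "no trusted RSA public key found" is a consequence of that, not a separate trust problem. The script below scans charon syslog lines for that message, pairs it with the preceding "using certificate" subject, and compares the window with the syslog timestamp so the finding states plainly whether the certificate is expired or not yet valid and by how many days. The sample lines are constructed from the post (the wrapped lines rejoined), and the year 2012 is an assumption, since syslog timestamps carry no year.

```python
"""Classify strongSwan 'subject certificate invalid' log lines by validity window."""
import re
from datetime import datetime

# Assumption: syslog stamps like "Oct 30 17:58:59" have no year; the post is from 2012.
LOG_YEAR = 2012

# Constructed sample, modelled on the charon output in the post with wrapped lines rejoined.
SAMPLE_LOG = """\
Oct 30 17:58:59 pc150 charon: 09[IKE] received end entity cert "C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa, CN=dut2_sub2, E=dut2_sub2 at stress.com"
Oct 30 17:58:59 pc150 charon: 09[CFG]   using certificate "C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa, CN=dut2_sub2, E=dut2_sub2 at stress.com"
Oct 30 17:58:59 pc150 charon: 09[CFG]   using trusted intermediate ca certificate "C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa, CN=hans_216_sub2, E=hans_216_sub2 at stress.com"
Oct 30 17:58:59 pc150 charon: 09[CFG] subject certificate invalid (valid from Sep 12 10:47:25 2011 to Sep 11 10:47:25 2012)
Oct 30 17:58:59 pc150 charon: 09[IKE] no trusted RSA public key found for 'C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa, CN=dut2_sub2, E=dut2_sub2 at stress.com'
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ charon: "
    r"\d+\[(?P<group>[A-Z]+)\] +(?P<msg>.*)$"
)
# Only the end-entity line; "using trusted intermediate ca certificate" does not match.
USING_CERT_RE = re.compile(r'using certificate "(?P<subject>[^"]+)"')
INVALID_RE = re.compile(
    r"subject certificate invalid \(valid from (?P<nb>.+?) to (?P<na>.+?)\)"
)
CERT_TS_FMT = "%b %d %H:%M:%S %Y"  # charon prints e.g. "Sep 12 10:47:25 2011"


def parse_syslog_ts(ts, year=LOG_YEAR):
    """Turn 'Oct 30 17:58:59' into a datetime using the assumed year."""
    return datetime.strptime(f"{' '.join(ts.split())} {year}", "%b %d %H:%M:%S %Y")


def find_invalid_certs(log_text, year=LOG_YEAR):
    """Return one finding per 'subject certificate invalid' line.

    Each finding names the certificate subject charon was evaluating, the
    validity window it printed, and whether the log time is before or after it.
    """
    findings = []
    last_subject = None
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        u = USING_CERT_RE.search(msg)
        if u:
            last_subject = u.group("subject")
            continue
        i = INVALID_RE.search(msg)
        if not i:
            continue
        seen = parse_syslog_ts(m.group("ts"), year)
        not_before = datetime.strptime(i.group("nb"), CERT_TS_FMT)
        not_after = datetime.strptime(i.group("na"), CERT_TS_FMT)
        if seen > not_after:
            status, days = "expired", (seen - not_after).days
        elif seen < not_before:
            status, days = "not yet valid", (not_before - seen).days
        else:
            # charon said invalid but the stamps disagree: the assumed year is probably wrong
            status, days = "inconsistent (check assumed year / host clock)", 0
        findings.append({
            "subject": last_subject,
            "seen": seen,
            "not_before": not_before,
            "not_after": not_after,
            "status": status,
            "days": days,
        })
    return findings


if __name__ == "__main__":
    for f in find_invalid_certs(SAMPLE_LOG):
        print(f"{f['status']} by {f['days']} day(s): {f['subject']} "
              f"(valid {f['not_before']} to {f['not_after']}, seen {f['seen']})")
```

On the post's log this reports the peer certificate as expired by 49 days, which is why charon refuses to use its key. The same check against a certificate file, independent of the daemon, is `openssl x509 -noout -dates -in <cert.pem>`; if the dates there are fine, compare the two hosts' clocks next.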
