[strongSwan] subject certificate invalid

Andreas Steffen andreas.steffen at strongswan.org
Wed Oct 31 05:51:47 CET 2012 

Well, just read what the log tells you:

subject certificate invalid (valid from Sep 12 10:47:25 2011 to Sep 11
10:47:25 2012)

The certificate expired on September 11 2012 so you have to generate
and install a fresh one.

Best regards

Andreas

On 10/31/2012 04:39 AM, Jun Yin wrote:
> Anybody could help to check what's wrong with my config?
> 
> I got below error:
> oot at pc150:~# ipsec up forti_working
> initiating IKE_SA forti_working[1] to 192.168.6.63
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 192.168.6.150[500] to 192.168.6.63[500]
> received packet: from 192.168.6.63[500] to 192.168.6.150[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> received cert request for "C=CA, ST=BC, L=Burnaby, O=Fortinet Inc,
> OU=QA, CN=fortinet.local-CA-2, E=mzhang at fortinet.local"
> sending cert request for "C=CA, ST=BC, L=Burnaby, O=Fortinet Inc,
> OU=QA, CN=fortinet.local-CA-2, E=mzhang at fortinet.local"
> sending cert request for "C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa,
> CN=hans_216_sub2, E=hans_216_sub2 at stress.com"
> authentication of 'C=CA, ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA,
> CN=pauldef.fortinet.local, E=pdef at fortinet.local' (myself) with RSA
> signature successful
> sending end entity cert "C=CA, ST=BC, L=Burnaby, O=Fortinet Inc,
> OU=QA, CN=pauldef.fortinet.local, E=pdef at fortinet.local"
> establishing CHILD_SA forti_working
> generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP(ADDR DNS)
> SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
> sending packet: from 192.168.6.150[4500] to 192.168.6.63[4500]
> retransmit 1 of request with message ID 1
> sending packet: from 192.168.6.150[4500] to 192.168.6.63[4500]
> received packet: from 192.168.6.63[4500] to 192.168.6.150[4500]
> parsed IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR) SA TSi TSr ]
> received end entity cert "C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa,
> CN=dut2_sub2, E=dut2_sub2 at stress.com"
>   using certificate "C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa,
> CN=dut2_sub2, E=dut2_sub2 at stress.com"
>   using trusted intermediate ca certificate "C=CA, ST=bc, L=vancouver,
> O=fortinet, OU=qa, CN=hans_216_sub2, E=hans_216_sub2 at stress.com"
> subject certificate invalid (valid from Sep 12 10:47:25 2011 to Sep 11
> 10:47:25 2012)
> no trusted RSA public key found for 'C=CA, ST=bc, L=vancouver,
> O=fortinet, OU=qa, CN=dut2_sub2, E=dut2_sub2 at stress.com'
> root at pc150:~#
> 
> 
>>From debug, I got:
> 
> 
> Oct 30 17:54:41 pc150 charon: 00[DMN] Starting IKEv2 charon daemon
> (strongSwan 4.5.0)
> Oct 30 17:54:41 pc150 charon: 00[LIB] Padlock not found, CPU is GenuineIntel
> Oct 30 17:54:41 pc150 charon: 00[LIB] plugin 'padlock': failed to load
> - padlock_plugin_create returned NULL
> Oct 30 17:54:41 pc150 charon: 00[KNL] listening on interfaces:
> Oct 30 17:54:41 pc150 charon: 00[KNL]   eth0
> Oct 30 17:54:41 pc150 charon: 00[KNL]     172.18.7.150
> Oct 30 17:54:41 pc150 charon: 00[KNL]     fe80::215:5dff:fe07:5f12
> Oct 30 17:54:41 pc150 charon: 00[KNL]   eth1
> Oct 30 17:54:41 pc150 charon: 00[KNL]     192.168.6.150
> Oct 30 17:54:41 pc150 charon: 00[KNL]     fe80::215:5dff:fe07:5f19
> Oct 30 17:54:41 pc150 charon: 00[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
> Oct 30 17:54:41 pc150 charon: 00[CFG]   loaded ca certificate "C=CA,
> ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA, CN=fortinet.local-CA-2,
> E=mzhang at fortinet.local" from
> '/etc/ipsec.d/cacerts/fortinet.local-CA-2-cacert.pem'
> Oct 30 17:54:41 pc150 charon: 00[CFG]   loaded ca certificate "C=CA,
> ST=bc, L=vancouver, O=fortinet, OU=qa, CN=hans_216_sub2,
> E=hans_216_sub2 at stress.com" from
> '/etc/ipsec.d/cacerts/cacert_sub2.pem'
> Oct 30 17:54:41 pc150 charon: 00[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
> Oct 30 17:54:41 pc150 charon: 00[CFG] loading ocsp signer certificates
> from '/etc/ipsec.d/ocspcerts'
> Oct 30 17:54:41 pc150 charon: 00[CFG] loading attribute certificates
> from '/etc/ipsec.d/acerts'
> Oct 30 17:54:41 pc150 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Oct 30 17:54:41 pc150 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Oct 30 17:54:41 pc150 charon: 00[CFG]   loaded IKE secret for
> 192.168.111.221 192.168.111.111
> Oct 30 17:54:41 pc150 charon: 00[CFG]   loaded IKE secret for
> 192.168.2.221 192.168.2.236
> Oct 30 17:54:41 pc150 charon: 00[CFG]   loaded IKE secret for
> 192.168.2.162 192.168.2.100
> 
> 
> 
> 
> 
> 
> 
> Oct 30 17:54:42 pc150 charon: 00[CFG]   loaded RSA private key from
> '/etc/ipsec.d/private/pdef at fortinet.local-key.pem'
> Oct 30 17:54:42 pc150 charon: 00[CFG] sql plugin: database URI not set
> Oct 30 17:54:42 pc150 charon: 00[LIB] plugin 'sql': failed to load -
> sql_plugin_create returned NULL
> Oct 30 17:54:42 pc150 charon: 00[CFG] no valid RADIUS server configuration found
> Oct 30 17:54:42 pc150 charon: 00[LIB] plugin 'eap-radius': failed to
> load - eap_radius_plugin_create returned NULL
> Oct 30 17:54:42 pc150 charon: 00[CFG] mediation database URI not
> defined, skipped
> Oct 30 17:54:42 pc150 charon: 00[LIB] plugin 'medsrv': failed to load
> - medsrv_plugin_create returned NULL
> Oct 30 17:54:42 pc150 charon: 00[CFG] mediation client database URI
> not defined, skipped
> Oct 30 17:54:42 pc150 charon: 00[LIB] plugin 'medcli': failed to load
> - medcli_plugin_create returned NULL
> Oct 30 17:54:42 pc150 charon: 00[LIB] plugin 'nm' failed to load:
> /usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object
> file: No such file or directory
> Oct 30 17:54:42 pc150 charon: 00[CFG] HA config misses local/remote address
> Oct 30 17:54:42 pc150 charon: 00[LIB] plugin 'ha': failed to load -
> ha_plugin_create returned NULL
> Oct 30 17:54:42 pc150 charon: 00[DMN] loaded plugins: test-vectors
> curl ldap aes des sha1 sha2 md5 random x509 revocation pubkey pkcs1
> pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr
> kernel-netlink resolve socket-raw farp stroke updown eap-identity
> eap-aka eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-tnc dhcp led
> addrblock
> Oct 30 17:54:42 pc150 charon: 00[JOB] spawning 16 worker threads
> Oct 30 17:54:42 pc150 charon: 09[CFG] received stroke: add connection
> 'forti_notworking'
> Oct 30 17:54:42 pc150 charon: 09[CFG]   loaded certificate "C=CA,
> ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA, CN=pauldef.fortinet.local,
> E=pdef at fortinet.local" from 'pdef at fortinet.local-cert.pem'
> Oct 30 17:54:42 pc150 charon: 09[CFG]   id 'pdef' not confirmed by
> certificate, defaulting to 'C=CA, ST=BC, L=Burnaby, O=Fortinet Inc,
> OU=QA, CN=pauldef.fortinet.local, E=pdef at fortinet.local'
> Oct 30 17:54:42 pc150 charon: 09[CFG] added configuration 'forti_notworking'
> Oct 30 17:54:42 pc150 charon: 13[CFG] received stroke: add connection
> 'forti_working'
> Oct 30 17:54:42 pc150 charon: 13[CFG]   loaded certificate "C=CA,
> ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA, CN=pauldef.fortinet.local,
> E=pdef at fortinet.local" from 'pdef at fortinet.local-cert.pem'
> Oct 30 17:54:42 pc150 charon: 13[CFG]   id 'pdef' not confirmed by
> certificate, defaulting to 'C=CA, ST=BC, L=Burnaby, O=Fortinet Inc,
> OU=QA, CN=pauldef.fortinet.local, E=pdef at fortinet.local'
> Oct 30 17:54:42 pc150 charon: 13[CFG] added configuration 'forti_working'
> 
> 
> 
> 
> 
> Oct 30 17:58:53 pc150 charon: 10[CFG] received stroke: initiate 'forti_working'
> Oct 30 17:58:53 pc150 charon: 01[IKE] initiating IKE_SA
> forti_working[1] to 192.168.6.63
> Oct 30 17:58:53 pc150 charon: 01[ENC] generating IKE_SA_INIT request 0
> [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Oct 30 17:58:53 pc150 charon: 01[NET] sending packet: from
> 192.168.6.150[500] to 192.168.6.63[500]
> Oct 30 17:58:53 pc150 charon: 16[NET] received packet: from
> 192.168.6.63[500] to 192.168.6.150[500]
> Oct 30 17:58:53 pc150 charon: 16[ENC] parsed IKE_SA_INIT response 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> Oct 30 17:58:54 pc150 charon: 16[IKE] received cert request for "C=CA,
> ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA, CN=fortinet.local-CA-2,
> E=mzhang at fortinet.local"
> Oct 30 17:58:54 pc150 charon: 16[IKE] sending cert request for "C=CA,
> ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA, CN=fortinet.local-CA-2,
> E=mzhang at fortinet.local"
> Oct 30 17:58:54 pc150 charon: 16[IKE] sending cert request for "C=CA,
> ST=bc, L=vancouver, O=fortinet, OU=qa, CN=hans_216_sub2,
> E=hans_216_sub2 at stress.com"
> Oct 30 17:58:54 pc150 charon: 16[IKE] authentication of 'C=CA, ST=BC,
> L=Burnaby, O=Fortinet Inc, OU=QA, CN=pauldef.fortinet.local,
> E=pdef at fortinet.local' (myself) with RSA signature successful
> Oct 30 17:58:54 pc150 charon: 16[IKE] sending end entity cert "C=CA,
> ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA, CN=pauldef.fortinet.local,
> E=pdef at fortinet.local"
> Oct 30 17:58:54 pc150 charon: 16[IKE] establishing CHILD_SA forti_working
> Oct 30 17:58:54 pc150 charon: 16[ENC] generating IKE_AUTH request 1 [
> IDi CERT CERTREQ IDr AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP)
> N(ADD_4_ADDR) N(EAP_ONLY) ]
> Oct 30 17:58:54 pc150 charon: 16[NET] sending packet: from
> 192.168.6.150[4500] to 192.168.6.63[4500]
> Oct 30 17:58:58 pc150 charon: 12[IKE] retransmit 1 of request with message ID 1
> Oct 30 17:58:58 pc150 charon: 12[NET] sending packet: from
> 192.168.6.150[4500] to 192.168.6.63[4500]
> Oct 30 17:58:59 pc150 charon: 09[NET] received packet: from
> 192.168.6.63[4500] to 192.168.6.150[4500]
> Oct 30 17:58:59 pc150 charon: 09[ENC] parsed IKE_AUTH response 1 [ IDr
> CERT AUTH CP(ADDR) SA TSi TSr ]
> Oct 30 17:58:59 pc150 charon: 09[IKE] received end entity cert "C=CA,
> ST=bc, L=vancouver, O=fortinet, OU=qa, CN=dut2_sub2,
> E=dut2_sub2 at stress.com"
> Oct 30 17:58:59 pc150 charon: 09[CFG]   using certificate "C=CA,
> ST=bc, L=vancouver, O=fortinet, OU=qa, CN=dut2_sub2,
> E=dut2_sub2 at stress.com"
> Oct 30 17:58:59 pc150 charon: 09[CFG]   using trusted intermediate ca
> certificate "C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa,
> CN=hans_216_sub2, E=hans_216_sub2 at stress.com"
> Oct 30 17:58:59 pc150 charon: 09[CFG] subject certificate invalid
> (valid from Sep 12 10:47:25 2011 to Sep 11 10:47:25 2012)
> Oct 30 17:58:59 pc150 charon: 09[IKE] no trusted RSA public key found
> for 'C=CA, ST=bc, L=vancouver, O=fortinet, OU=qa, CN=dut2_sub2,
> E=dut2_sub2 at stress.com'
> Oct 30 18:17:02
> 
> 
> 
> My config files:
> 
> oot at pc150:~# cat /etc/ipsec.conf
> config setup
>         #charondebug="dmn 1, mgr 1, ike 2, chd 1, job 1, cfg 5, knl 1,
> net 5, enc 4, lib 4"
>         charondebug=all
>         dumpdir=/var/crash
>         hidetos=yes
>         nat_traversal=yes
>         plutostart=no
> conn %default
>         auto=add
>         # ike=aes128-3des-sha256-modp2048!
>         ike=aes128-3des-sha-modp2048!
>         ikelifetime=24h
>         keyexchange=ikev2
>         keyingtries=1
>         keylife=4h
>         left= 192.168.6.150
>         leftnexthop=192.168.6.63
>         leftsourceip=%config
>         reauth=no
>         rekey=yes
>         rekeyfuzz=10%
>         rekeymargin=10m
>         #rightid=@hnb.example.com
>         rightauth=pubkey
>         leftauth=pubkey
>         right=192.168.6.63
>         leftcert="pdef at fortinet.local-cert.pem"
>         leftid=@pdef
> 
> 
> conn forti_notworking
>         rightid=@dut1fqdn
>         rightsubnet=0.0.0.0/0
>         leftsubnet=0.0.0.0/0
> 
> conn forti_working
>         #rightid="C=GB, ST=Wiltshire, L=Swindon, O=Example Operator,
> OU=PKI, CN=fortinet.sha1.example.com, E=tw52 at alcatel-lucent.com"
>         #rightid="CN=paul.fortinet.local"
>         rightid="C=CA, ST=BC, L=Burnaby, O=Fortinet Inc, OU=QA,
> CN=paul.fortinet.local, E=paul at fortinet.local"
>         #rightsubnet=192.168.2.0/24
>         #rightsubnet=135.86.206.154/32
>         #works rightsubnet=10.4.0.0/24
>         leftsubnet=0.0.0.0/0
>         rightsubnet=0.0.0.0/0
>         #rightsubnet=135.1.1.1/32
>         #leftsubnet=135.1.1.2/32
>         #leftsubnet=10.244.243.4/32
>         #leftsubnet=192.168.2.201/32
>         #leftsubnet=10.244.243.0/24
>         #forceencaps=yes
> 
> 
> 
> root at pc150:~# cat /etc/ipsec.secrets
> 192.168.111.221 192.168.111.111 : PSK "123456"
> 192.168.2.221 192.168.2.236 : PSK "123456"
> 192.168.2.162 192.168.2.100 : PSK "123456"
> 192.168.6.150 192.168.6.63 : RSA "pdef at fortinet.local-key.pem" 111111
> 
> 
> 
> Thanks a lot!
> 


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

More information about the Users mailing list