[strongSwan] How to make moon use the certificate/private key to authenticate itself in strongswan-5.0.0?

Mao, Zhiheng zmao at qualcomm.com
Mon Sep 17 07:22:28 CEST 2012


Hi there,

I have a testing scenario where the VPN gateway moon uses the certificate/private key to authenticate itself to the client. I have installed the server's certificate at /usr/local/etc/ipsec.d/certs/moonCert.pem and the server's private key file at /usr/local/etc/ipsec.d/private/moonKey.pem. These two files are the original ones taken from the strongswan-5.0.0 release.

The client is an Android phone behind a WiFi router (10.41.72.35). When the client comes in, I am seeing moon (10.46.212.196) complaining about certificate related problem and then the authentication failed:
Sep 15 18:52:51 as3-iwf118 charon: 13[NET] received packet: from 10.41.72.35[34745] to 10.46.212.196[500]
Sep 15 18:52:51 as3-iwf118 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 15 18:52:51 as3-iwf118 charon: 13[IKE] 10.41.72.35 is initiating an IKE_SA
Sep 15 18:52:51 as3-iwf118 charon: 13[IKE] remote host is behind NAT
Sep 15 18:52:51 as3-iwf118 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Sep 15 18:52:51 as3-iwf118 charon: 13[NET] sending packet: from 10.46.212.196[500] to 10.41.72.35[34745]
Sep 15 18:52:53 as3-iwf118 charon: 08[NET] received packet: from 10.41.72.35[44399] to 10.46.212.196[4500]
Sep 15 18:52:53 as3-iwf118 charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Sep 15 18:52:53 as3-iwf118 charon: 08[IKE] received 118 cert requests for an unknown ca
Sep 15 18:52:53 as3-iwf118 charon: 08[CFG] looking for peer configs matching 10.46.212.196[10.46.212.196]...10.41.72.35[octopus at qualcomm.com]
Sep 15 18:52:53 as3-iwf118 charon: 08[CFG] no matching peer config found
Sep 15 18:52:53 as3-iwf118 charon: 08[IKE] peer supports MOBIKE
Sep 15 18:52:53 as3-iwf118 charon: 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 15 18:52:53 as3-iwf118 charon: 08[NET] sending packet: from 10.46.212.196[4500] to 10.41.72.35[44399]


I have included moon's ipsec.conf, ipsec.secrets, and strongswan.conf at the end of this email, but I guess I may not fully understand how this certificate/private key authentication works, so I am asking some questions here and would appreciate very much if someone could please shed some light:



1): Is it allowed to make moon use a pre-configured certificate/private key, such as moonCert.pem/moonKey.pem, to authenticate itself to the client, and make a client use moonCert.pem? Or does it have to go through some kind of certificate authority (CA)?
2): Is "received 118 cert requests for an unknown ca" really the error which caused the AUTH_FAILED, or is "no matching peer config found" the real error?
3): Is the "received 118 cert requests for an unknown ca" harmless? Or should we configure the client not to include the CERTREQ in its IKE_AUTH request?
4): How can I make the client accept moonCert.pem? Should I manually install it on the client as well? Or can the client receive it from the IKEv2 message and start using it from there?

I also tried another client of strongswan-5.0.0 running on a separate Linux box (10.41.73.234) and got the server authentication working with the same configurations of the server:
Sep 16 21:57:14 as3-iwf118 charon: 09[NET] received packet: from 10.41.73.234[4500] to 10.46.212.196[4500]
Sep 16 21:57:14 as3-iwf118 charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Sep 16 21:57:14 as3-iwf118 charon: 09[CFG] looking for peer configs matching 10.46.212.196[moon.strongswan.org]...10.41.73.234[octopus at qualcomm.com]
Sep 16 21:57:14 as3-iwf118 charon: 09[CFG] selected peer config 'client_1'
Sep 16 21:57:14 as3-iwf118 charon: 09[CFG] sending RADIUS Access-Request to server '127.0.0.1'
Sep 16 21:57:14 as3-iwf118 charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Sep 16 21:57:14 as3-iwf118 charon: 07[NET] sending packet: from 2002:c023:9c17:21b::a2e:d4c4[500] to 2002:c023:9c17:21c:21b:78ff:fee0:dbfc[500]
Sep 16 21:57:14 as3-iwf118 charon: 09[CFG] received RADIUS Access-Challenge from server '127.0.0.1'
Sep 16 21:57:14 as3-iwf118 charon: 09[IKE] initiating EAP_RADIUS method (id 0x01)
Sep 16 21:57:14 as3-iwf118 charon: 09[IKE] peer supports MOBIKE
Sep 16 21:57:14 as3-iwf118 charon: 09[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful
Sep 16 21:57:14 as3-iwf118 charon: 09[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/MD5 ]
Sep 16 21:57:14 as3-iwf118 charon: 09[NET] sending packet: from 10.46.212.196[4500] to 10.41.73.234[4500]
Sep 16 21:57:14 as3-iwf118 charon: 10[NET] received packet: from 10.41.73.234[4500] to 10.46.212.196[4500]
Sep 16 21:57:14 as3-iwf118 charon: 10[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MD5 ]
Sep 16 21:57:14 as3-iwf118 charon: 10[CFG] sending RADIUS Access-Request to server '127.0.0.1'
Sep 16 21:57:14 as3-iwf118 charon: 10[CFG] received RADIUS Access-Accept from server '127.0.0.1'
Sep 16 21:57:14 as3-iwf118 charon: 10[IKE] RADIUS authentication of 'octopus at qualcomm.com' successful
Sep 16 21:57:14 as3-iwf118 charon: 10[IKE] EAP method EAP_MD5 succeeded, no MSK established
Sep 16 21:57:14 as3-iwf118 charon: 10[ENC] generating IKE_AUTH response 2 [ EAP/SUCC ]
Sep 16 21:57:14 as3-iwf118 charon: 10[NET] sending packet: from 10.46.212.196[4500] to 10.41.73.234[4500]

In this log, I noticed the matching 10.46.212.196[moon.strongswan.org]...10.41.73.234[octopus at qualcomm.com] and that it found 'client_1'.
However, between the two log messages below (the first is the failed case, and the second is the success case), the only difference is that the first one did not show moon.strongswan.org; it had 10.46.212.196 instead, and it failed:

Sep 15 18:52:53 as3-iwf118 charon: 08[CFG] looking for peer configs matching 10.46.212.196[10.46.212.196]...10.41.72.35[octopus at qualcomm.com]

Sep 16 21:57:14 as3-iwf118 charon: 09[CFG] looking for peer configs matching 10.46.212.196[moon.strongswan.org]...10.41.73.234[octopus at qualcomm.com]

So, could this be the reason why no matching peer config was found in the failure case? How can I make it work in the failure case?

Thanks a lot!

Zhiheng


=======================================================

# ipsec.conf - strongSwan IPsec configuration file of the VPN gateway
#

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn client_1
        left=%defaultroute
        leftsubnet=10.46.212.192/27,10.9.8.0/24
        leftid=@moon.strongswan.org
        leftcert=moonCert.pem
        leftauth=pubkey
        leftfirewall=yes
        rightid=octopus@qualcomm.com
        rightauth=eap-radius
        rightsendcert=never
        right=%any
        rightsourceip=10.9.8.1
        auto=add


=======================================================

# ipsec.secrets - strongSwan IPsec secrets file of the VPN gateway
#

: RSA moonKey.pem

# client's secret is stored in the freeradius server's configuration file
#     for example: /usr/etc/raddb/users


=======================================================
# strongswan.conf - strongSwan configuration file
#
charon {

        # number of worker threads in charon
        threads = 16

        # send strongswan vendor ID?
        # send_vendor_id = yes

        plugins {

                sql {
                        # loglevel to log into sql database
                        loglevel = -1

                        # URI to the database
                        # database = sqlite:///path/to/file.db
                        # database = mysql://user:password@localhost/database
                }
                eap-radius {
                  server = 127.0.0.1
                  secret = testing123
                }

        }

        # ...
}

pluto {

}

libstrongswan {

        #  set to no, the DH exponent size is optimized
        #  dh_exponent_ansi_x9_42 = no
}
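Added example (not part of the original mail or of strongSwan): a small diagnostic that parses the two "looking for peer configs matching" lines quoted above and checks the identities charon extracted against the leftid/rightid of conn client_1. The matching rule here is a deliberate simplification of strongSwan's (string comparison after stripping the '@' FQDN marker, with %any as a wildcard); the sample lines are constructed copies with the list archive's " at " address obfuscation undone.

```python
import re

# Constructed sample: the failed (Sep 15) and successful (Sep 16) lookups from the
# thread, with "octopus at qualcomm.com" restored to octopus@qualcomm.com.
LOG_LINES = [
    "Sep 15 18:52:53 as3-iwf118 charon: 08[CFG] looking for peer configs matching "
    "10.46.212.196[10.46.212.196]...10.41.72.35[octopus@qualcomm.com]",
    "Sep 16 21:57:14 as3-iwf118 charon: 09[CFG] looking for peer configs matching "
    "10.46.212.196[moon.strongswan.org]...10.41.73.234[octopus@qualcomm.com]",
]

# Identities configured for conn client_1 in the ipsec.conf quoted in the mail.
CONN = {"name": "client_1", "leftid": "@moon.strongswan.org", "rightid": "octopus@qualcomm.com"}

# host[identity]...host[identity] as charon prints it at CFG level.
LINE_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<lhost>\S+?)\[(?P<lid>[^\]]*)\]\.\.\.(?P<rhost>\S+?)\[(?P<rid>[^\]]*)\]"
)

def normalize_id(value):
    """Drop the leading '@' strongSwan uses to mark a bare FQDN identity."""
    return value[1:] if value.startswith("@") else value

def id_matches(configured, received):
    """Simplified rule: %any matches anything, otherwise the identities must be equal."""
    if configured == "%any":
        return True
    return normalize_id(configured) == received

def check_line(line, conn):
    """Return which side of the configured conn the logged identities fail on, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    result = {"local_id": m["lid"], "remote_id": m["rid"]}
    result["left_ok"] = id_matches(conn["leftid"], m["lid"])
    result["right_ok"] = id_matches(conn["rightid"], m["rid"])
    result["would_match"] = result["left_ok"] and result["right_ok"]
    return result

def diagnose(lines, conn):
    """Check every peer-config lookup line in a charon log excerpt against one conn."""
    return [check_line(l, conn) for l in lines if LINE_RE.search(l)]

if __name__ == "__main__":
    for r in diagnose(LOG_LINES, CONN):
        side = "ok" if r["would_match"] else ("local id" if not r["left_ok"] else "remote id")
        print(f"{r['local_id']:22} {r['remote_id']:24} -> {side}")
```

Run against the mail's log, the first line fails on the local identity only (the client's IDr was the gateway address, while leftid is the FQDN), which is the mismatch the mail points at.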