[strongSwan] Win7 machine certificate connection failing
Gregg Hughes
ghughes at iscinternational.com
Wed Jul 10 23:40:31 CEST 2013
Hi, Andy!
Thanks for the quick response - it's good to know there's help out there for
new folks.....
The CA key was generated like so:
openssl genrsa -des3 -out private/cakey.pem 4096
I added a password for the key. Not much of one, but a password.
Created CA Root Certificate
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 -set_serial 0
Asked some questions:
Country Name: US
State or Province Name: Wisconsin
Locality Name: Milwaukee
Organization Name: ISC International, Ltd.
Organizational Unit: .
Common Name: strongswan1
Email Address: ghughes [at] iscinternational.com
....and I got my cert.
I added the requirements to the openssl.cnf file for extendedKeyUsage and
for a subjectAltName, following a document here:
http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq
Oddly enough, when I do an "ipsec listcerts" I get nothing, even though
syslog shows the certificates being loaded correctly.
Let me know other information you might need (and where to look for it) - I
probably haven't completely fulfilled your request.
Thanks!
Gregg
-----Original Message-----
From: Paton, Andy [mailto:andy.paton at hp.com]
Sent: Wednesday, July 10, 2013 4:13 PM
To: Gregg Hughes
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Win7 machine certificate connection failing
Can you post details of your certificates. Both the machine cert for the
gateway and the device cert?
--
Andrew Paton
On 10 Jul 2013, at 21:55, "Gregg Hughes" <ghughes at iscinternational.com> wrote:
Good afternoon, all!
I've been working on getting a Strongswan installation running on a VMware
Workstation test platform. The server is Ubuntu Server 12.04 with
Strongswan 4.5.2 from the Ubuntu repository.
I've been able to get a net-net test config to work, but have had trouble
with a roadwarrior config. I think it's a problem with certificates because
I get "Error 13801: IKE authentication credentials are unacceptable", so I
know the client is reaching the server and trying to get in.
I followed the examples listed here, working on an X.509 machine certificate
to start: http://wiki.strongswan.org/projects/strongswan/wiki/Windows7 I
used the multiple client configs and the instructions on importing
certificates into Win7.
All certs were generated and signed on the strongswan server and are in the
proper directories under /etc/ipsec.d. Content of ipsec.conf and greps from
auth.log and syslog also.
I confess to being at a loss as to why I am still getting the Error 13801
after several hours troubleshooting.
Thanks in advance!
Gregg
# ipsec.conf - strongSwan1 IPsec configuration file

# basic configuration
config setup
        # plutodebug=all
        # crlcheckinterval=180
        # strictcrlpolicy=no
        # cachecrls=yes
        # nat_traversal=yes
        charonstart=yes
        plutostart=no

# Add connections here.
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        # authby=secret
        keyexchange=ikev2
        # mobike=no

conn net-net
        left=192.168.91.163
        leftsubnet=10.1.0.0/16
        leftid=@strongswan1
        leftfirewall=yes
        right=192.168.91.160
        rightsubnet=10.2.0.0/16
        rightid=@strongswan2
        auto=add

conn Win7
        left=%defaultroute
        # leftcert=cacert.pem
        leftsubnet=10.1.0.0/16
        leftid=strongswan1
        right=%any
        rightsourceip=192.168.93.0/24
        # rightauth=eap-mschapv2
        # rightsendcert=never
        # eap_identity=%any
        # rightcert=client1cert.pem
        # keyexchange=ikev2
        auto=add

include /var/lib/strongswan/ipsec.conf.inc
----------------------------------------
auth.log cuts
Jul 10 15:20:28 strongswan1 charon: 03[IKE] 192.168.91.166 is initiating an IKE_SA
Jul 10 15:21:51 strongswan1 ipsec_starter[1606]: charon stopped after 200 ms
Jul 10 15:21:54 strongswan1 ipsec_starter[1641]: charon (1667) started after 60 ms
Jul 10 15:23:02 strongswan1 ipsec_starter[1641]: charon stopped after 200 ms
Jul 10 15:23:25 strongswan1 ipsec_starter[931]: charon (939) started after 1120 ms
Jul 10 15:32:19 strongswan1 ipsec_starter[999]: charon (1003) started after 1060 ms
Jul 10 15:32:43 strongswan1 charon: 13[IKE] 192.168.91.166 is initiating an IKE_SA
--------------------------------------------
syslog cuts
Jul 10 15:32:20 strongswan1 charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
Jul 10 15:32:19 strongswan1 charon: 00[KNL] listening on interfaces:
Jul 10 15:32:19 strongswan1 charon: 00[KNL]   eth0
Jul 10 15:32:19 strongswan1 charon: 00[KNL]     192.168.91.163
Jul 10 15:32:19 strongswan1 charon: 00[KNL]     fe80::20c:29ff:fecd:2c6b
Jul 10 15:32:19 strongswan1 charon: 00[KNL]   eth1
Jul 10 15:32:19 strongswan1 charon: 00[KNL]     10.1.0.1
Jul 10 15:32:19 strongswan1 charon: 00[KNL]     fe80::20c:29ff:fecd:2c75
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loaded ca certificate "C=US, ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com" from '/etc/ipsec.d/cacerts/cacert.pem'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/cakey.pem'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Jul 10 15:32:19 strongswan1 charon: 00[CFG] sql plugin: database URI not set
Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loaded 0 RADIUS server configurations
Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'medsrv' failed to load: /usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared object file: No such file or directory
Jul 10 15:32:19 strongswan1 charon: 00[CFG] mediation client database URI not defined, skipped
Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'medcli': failed to load - medcli_plugin_create returned NULL
Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'nm' failed to load: /usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object file: No such file or directory
Jul 10 15:32:19 strongswan1 charon: 00[CFG] HA config misses local/remote address
Jul 10 15:32:19 strongswan1 charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Jul 10 15:32:19 strongswan1 charon: 00[DMN] loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Jul 10 15:32:19 strongswan1 charon: 00[JOB] spawning 16 worker threads
Jul 10 15:32:19 strongswan1 charon: 05[CFG] received stroke: add connection 'net-net'
Jul 10 15:32:19 strongswan1 charon: 05[CFG] added configuration 'net-net'
Jul 10 15:32:19 strongswan1 charon: 10[CFG] received stroke: add connection 'Win7'
Jul 10 15:32:19 strongswan1 charon: 10[CFG] added configuration 'Win7'
Jul 10 15:32:19 strongswan1 charon: 10[CFG] adding virtual IP address pool 'Win7': 192.168.93.0/24
Jul 10 15:32:43 strongswan1 charon: 13[NET] received packet: from 192.168.91.166[500] to 192.168.91.163[500]
Jul 10 15:32:43 strongswan1 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 10 15:32:43 strongswan1 charon: 13[IKE] 192.168.91.166 is initiating an IKE_SA
Jul 10 15:32:43 strongswan1 charon: 13[IKE] sending cert request for "C=US, ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"
Jul 10 15:32:43 strongswan1 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 10 15:32:43 strongswan1 charon: 13[NET] sending packet: from 192.168.91.163[500] to 192.168.91.166[500]
Jul 10 15:32:43 strongswan1 charon: 14[NET] received packet: from 192.168.91.166[4500] to 192.168.91.163[4500]
Jul 10 15:32:43 strongswan1 charon: 14[ENC] unknown attribute type INTERNAL_IP4_SERVER
Jul 10 15:32:43 strongswan1 charon: 14[ENC] unknown attribute type INTERNAL_IP6_SERVER
Jul 10 15:32:43 strongswan1 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Jul 10 15:32:43 strongswan1 charon: 14[IKE] received cert request for "C=US, ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"
Jul 10 15:32:43 strongswan1 charon: 14[IKE] received 8 cert requests for an unknown ca
Jul 10 15:32:43 strongswan1 charon: 14[IKE] received end entity cert "C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"
Jul 10 15:32:43 strongswan1 charon: 14[CFG] looking for peer configs matching 192.168.91.163[%any]...192.168.91.166[C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com]
Jul 10 15:32:43 strongswan1 charon: 14[CFG] selected peer config 'Win7'
Jul 10 15:32:43 strongswan1 charon: 14[CFG] using certificate "C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"
Jul 10 15:32:43 strongswan1 charon: 14[CFG] using trusted ca certificate "C=US, ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"
Jul 10 15:32:43 strongswan1 charon: 14[CFG] checking certificate status of "C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com"
Jul 10 15:32:43 strongswan1 charon: 14[CFG] certificate status is not available
Jul 10 15:32:43 strongswan1 charon: 14[CFG] reached self-signed root ca with a path length of 0
Jul 10 15:32:43 strongswan1 charon: 14[IKE] authentication of 'C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1, E=ghughes at iscinternational.com' with RSA signature successful
Jul 10 15:32:43 strongswan1 charon: 14[IKE] peer supports MOBIKE
Jul 10 15:32:43 strongswan1 charon: 14[IKE] no private key found for 'strongswan1'
Jul 10 15:32:43 strongswan1 charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 10 15:32:43 strongswan1 charon: 14[NET] sending packet: from 192.168.91.163[4500] to 192.168.91.166[4500]
Gregg Hughes
IT Administrator
www.iscinternational.com
414.721.0301 phone
262.313.3106 fax
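As an added illustration after the thread (this is not code from the post or from the strongSwan project): a small offline triage script that reads an ipsec.conf like the one quoted above and a charon log like the syslog excerpt, and reports the two things a reviewer would check first when a roadwarrior conn ends in AUTH_FAILED. The sample inputs are constructed from the excerpts in the message. The conn rule (a certificate-authenticated conn should name its own leftcert) and the reading of "no private key found for 'strongswan1'" (charon holds no key for the gateway identity) reflect general strongSwan behaviour; flagging the loaded cakey.pem as a CA key that should not be on the gateway is my own reading of the log, not anything the thread states.

```python
"""Offline triage of a strongSwan 4.x roadwarrior setup from ipsec.conf and
the charon log. Added example for this thread, not code from the post or
from the strongSwan project. Sample inputs are constructed from the excerpts
quoted above; the rules encode general strongSwan behaviour plus my own
reading of the log (treating a loaded CA key as a red flag)."""
import re
from collections import OrderedDict

# Constructed sample: the 'Win7' conn as posted, indentation restored.
SAMPLE_IPSEC_CONF = """\
config setup
        charonstart=yes
        plutostart=no

conn %default
        keyexchange=ikev2
        # authby=secret

conn Win7
        left=%defaultroute
        # leftcert=cacert.pem
        leftsubnet=10.1.0.0/16
        leftid=strongswan1
        right=%any
        rightsourceip=192.168.93.0/24
        auto=add
"""

# Constructed sample: the decisive charon lines from the posted syslog excerpt.
SAMPLE_CHARON_LOG = """\
Jul 10 15:32:19 strongswan1 charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/cakey.pem'
Jul 10 15:32:19 strongswan1 charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Jul 10 15:32:43 strongswan1 charon: 14[IKE] received 8 cert requests for an unknown ca
Jul 10 15:32:43 strongswan1 charon: 14[CFG] selected peer config 'Win7'
Jul 10 15:32:43 strongswan1 charon: 14[IKE] no private key found for 'strongswan1'
Jul 10 15:32:43 strongswan1 charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""


def parse_ipsec_conf(text):
    """Map section name -> {key: value} for 'config' and 'conn' sections.
    Comment lines are dropped, so a commented-out leftcert is simply absent."""
    sections, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r'^(conn|config)\s+(\S+)\s*$', line)
        if m:
            current = sections.setdefault(m.group(2), {})
        elif current is not None and '=' in line:
            key, value = line.strip().split('=', 1)
            current[key.strip()] = value.strip()
    return sections


def conn_findings(sections):
    """Flag conns that authenticate with a certificate but name no leftcert:
    charon then has to find the gateway certificate (and so its key) from
    leftid alone, which is what fails in the posted log."""
    defaults = sections.get('%default', {})
    findings = []
    for name, opts in sections.items():
        if name in ('setup', '%default'):
            continue
        authby = opts.get('authby', defaults.get('authby', 'pubkey'))
        leftauth = opts.get('leftauth', defaults.get('leftauth', 'pubkey'))
        uses_cert = authby not in ('secret', 'psk') and leftauth not in ('psk', 'secret')
        if uses_cert and 'leftcert' not in opts and 'leftcert' not in defaults:
            findings.append((name, 'no leftcert for leftid=%s; set leftcert to the '
                             'gateway certificate issued for that identity'
                             % opts.get('leftid', '<unset>')))
    return findings


# (regex, message template) pairs; regex groups feed the template.
LOG_RULES = [
    (r"no private key found for '([^']+)'",
     "no private key matches identity '{0}': ipsec.secrets must list the gateway "
     "key (': RSA <file>') and leftcert must point at the certificate for that identity"),
    (r"loaded RSA private key from '([^']*cakey[^']*)'",
     "the key loaded is the CA signing key {0}; a CA key does not belong on a "
     "VPN gateway and is not the key the gateway authenticates with"),
    (r"expanding file expression '([^']+)' failed",
     "include {0} is missing; harmless, but no secrets come from it"),
    (r"received (\d+) cert requests for an unknown ca",
     "peer sent {0} CERTREQs for CAs this gateway does not hold; informational"),
    (r"generating IKE_AUTH response \d+ \[ N\(AUTH_FAILED\) \]",
     "gateway answered IKE_AUTH with AUTH_FAILED; the Windows client reports error 13801"),
]


def triage_log(text):
    """Return a human-readable finding for every matching log line, in order."""
    out = []
    for line in text.splitlines():
        for pattern, template in LOG_RULES:
            m = re.search(pattern, line)
            if m:
                out.append(template.format(*m.groups()))
    return out


if __name__ == '__main__':
    for name, msg in conn_findings(parse_ipsec_conf(SAMPLE_IPSEC_CONF)):
        print('conn %s: %s' % (name, msg))
    for msg in triage_log(SAMPLE_CHARON_LOG):
        print('log: ' + msg)
```

Run against the samples it reports the missing leftcert on conn Win7 and, from the log, that the only key charon loaded is the CA key while no key matches 'strongswan1', which is the combination that produces the AUTH_FAILED the client sees as error 13801. To use it on a live system, replace the two sample strings with the contents of /etc/ipsec.conf and the charon lines from syslog.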