[strongSwan] FW: Win7 machine certificate connection failing

Gregg Hughes ghughes at iscinternational.com
Fri Jul 19 23:54:04 CEST 2013


I think I've found the problem, but I don't know how to fix it.  It appears
that ipsec can't load the private ca key.  Here's the relevant syslog cut:

---------------------syslog------------------------
Jul 19 15:33:18 strongswan1 charon: 00[DMN] Starting IKEv2 charon daemon
(strongSwan 4.5.2)
Jul 19 15:33:20 strongswan1 charon: 00[KNL] listening on interfaces:
Jul 19 15:33:20 strongswan1 charon: 00[KNL]   eth0
Jul 19 15:33:20 strongswan1 charon: 00[KNL]     192.168.91.163
Jul 19 15:33:20 strongswan1 charon: 00[KNL]     fe80::20c:29ff:fecd:2c6b
Jul 19 15:33:20 strongswan1 charon: 00[KNL]   eth1
Jul 19 15:33:20 strongswan1 charon: 00[KNL]     10.1.0.1
Jul 19 15:33:20 strongswan1 charon: 00[KNL]     fe80::20c:29ff:fecd:2c75
Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Jul 19 15:33:20 strongswan1 charon: 00[CFG]   loaded ca certificate "C=US,
ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd.,
CN=strongswan1.iscinternational.com, E=support at iscinternational.com" from
'/etc/ipsec.d/cacerts/strongswan1cert.pem'
Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading ocsp signer certificates
from '/etc/ipsec.d/ocspcerts'
Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading attribute certificates
from '/etc/ipsec.d/acerts'
Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading crls from
'/etc/ipsec.d/crls'
Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Jul 19 15:33:20 strongswan1 charon: 00[LIB] L1 - version: ASN1 tag 0x02
expected, but is 0x30
Jul 19 15:33:20 strongswan1 charon: 00[LIB] building CRED_PRIVATE_KEY - RSA
failed, tried 8 builders
Jul 19 15:33:20 strongswan1 charon: 00[CFG]   loading private key from
'/etc/ipsec.d/private/strongswan1key.pem' failed
________________________________________

So when the EAP session tries to initialize, this happens:

________________________________________
Jul 19 15:54:34 strongswan1 charon: 15[NET] received packet: from
192.168.91.166[500] to 192.168.91.163[500]
Jul 19 15:54:34 strongswan1 charon: 15[ENC] parsed IKE_SA_INIT request 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 19 15:54:34 strongswan1 charon: 15[IKE] 192.168.91.166 is initiating an
IKE_SA
Jul 19 15:54:34 strongswan1 charon: 15[IKE] sending cert request for "C=US,
ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd.,
CN=strongswan1.iscinternational.com, E=support at iscinternational.com"
Jul 19 15:54:34 strongswan1 charon: 15[ENC] generating IKE_SA_INIT response
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 19 15:54:34 strongswan1 charon: 15[NET] sending packet: from
192.168.91.163[500] to 192.168.91.166[500]
Jul 19 15:54:34 strongswan1 charon: 14[NET] received packet: from
192.168.91.166[4500] to 192.168.91.163[4500]
Jul 19 15:54:34 strongswan1 charon: 14[ENC] unknown attribute type
INTERNAL_IP4_SERVER
Jul 19 15:54:34 strongswan1 charon: 14[ENC] unknown attribute type
INTERNAL_IP6_SERVER
Jul 19 15:54:34 strongswan1 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi
CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Jul 19 15:54:34 strongswan1 charon: 14[IKE] received cert request for "C=US,
ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd.,
CN=strongswan1.iscinternational.com, E=support at iscinternational.com"
Jul 19 15:54:34 strongswan1 charon: 14[IKE] received 12 cert requests for an
unknown ca
Jul 19 15:54:34 strongswan1 charon: 14[CFG] looking for peer configs
matching 192.168.91.163[%any]...192.168.91.166[192.168.91.166]
Jul 19 15:54:34 strongswan1 charon: 14[CFG] selected peer config 'rw'
Jul 19 15:54:34 strongswan1 charon: 14[IKE] peer requested EAP, config
inacceptable
Jul 19 15:54:34 strongswan1 charon: 14[CFG] switching to peer config 'rw2'
Jul 19 15:54:34 strongswan1 charon: 14[IKE] peer requested EAP, config
inacceptable
Jul 19 15:54:34 strongswan1 charon: 14[CFG] switching to peer config
'rw-eap'
Jul 19 15:54:34 strongswan1 charon: 14[IKE] initiating EAP-Identity request
Jul 19 15:54:34 strongswan1 charon: 14[IKE] peer supports MOBIKE
Jul 19 15:54:34 strongswan1 charon: 14[IKE] no private key found for 'C=US,
ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd.,
CN=strongswan1.iscinternational.com, E=support at iscinternational.com'
Jul 19 15:54:34 strongswan1 charon: 14[ENC] generating IKE_AUTH response 1 [
N(AUTH_FAILED) ]
Jul 19 15:54:34 strongswan1 charon: 14[NET] sending packet: from
192.168.91.163[4500] to 192.168.91.166[4500]
_______________________________________
The last three lines of the syslog cutting above seem to be related to the
private key not loading.

Now, I've done some searching for how to fix the ASN1 tag problem but
haven't come up with anything.  I'm using openssl 1.0.1 and don't find any
bugs or issues with wrong tags.  I'm going to recreate the ca, certs and
keys again and see if the problem comes with any particular steps.  It does
appear that removing the quotes from the ipsec.secrets helped.

Meanwhile, if anyone has some ideas about this......

Many thanks for looking into this!


Gregg

-----Original Message-----
From: Gregg Hughes [mailto:ghughes at iscinternational.com] 
Sent: Thursday, July 18, 2013 2:02 PM
To: users at lists.strongswan.org
Subject: FW: [strongSwan] Win7 machine certificate connection failing

I wanted to update the information here with results from some config
changes.

I added/reconfigured the ipsec.conf to have an EAP-MSCHAPV2 connection
available, then changed the information on the Windows client side to use
EAP when making the connection.  Here's the syslog output:


--------------Clip from syslog------------------

Jul 17 13:41:40 strongswan1 charon: 16[CFG] received stroke: delete
connection 'net-net'
Jul 17 13:41:40 strongswan1 charon: 16[CFG] deleted connection 'net-net'
Jul 17 13:41:40 strongswan1 charon: 04[CFG] received stroke: delete
connection 'rw'
Jul 17 13:41:40 strongswan1 charon: 04[CFG] deleted connection 'rw'
Jul 17 13:41:40 strongswan1 charon: 07[CFG] received stroke: delete
connection 'rw2'
Jul 17 13:41:40 strongswan1 charon: 07[CFG] deleted connection 'rw2'
Jul 17 13:41:40 strongswan1 charon: 05[CFG] received stroke: delete
connection 'rw-eap'
Jul 17 13:41:40 strongswan1 charon: 05[CFG] deleted connection 'rw-eap'
Jul 17 13:41:40 strongswan1 charon: 16[CFG] received stroke: add connection
'net-net'
Jul 17 13:41:40 strongswan1 charon: 16[CFG] added configuration 'net-net'
Jul 17 13:41:40 strongswan1 charon: 16[CFG] received stroke: add connection
'rw'
Jul 17 13:41:40 strongswan1 charon: 16[CFG] added configuration 'rw'
Jul 17 13:41:40 strongswan1 charon: 16[CFG] received stroke: add connection
'rw2'
Jul 17 13:41:40 strongswan1 charon: 16[CFG]   loaded certificate "C=US,
ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1" from 'cacert.pem'
Jul 17 13:41:40 strongswan1 charon: 16[CFG]   id '192.168.91.163' not
confirmed by certificate, defaulting to 'C=US, ST=Wisconsin, O=ISC
International, Ltd., CN=strongswan1'
Jul 17 13:41:40 strongswan1 charon: 16[CFG] added configuration 'rw2'
Jul 17 13:41:40 strongswan1 charon: 07[CFG] received stroke: add connection
'rw-eap'
Jul 17 13:41:40 strongswan1 charon: 07[CFG]   loaded certificate "C=US,
ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1" from 'cacert.pem'
Jul 17 13:41:40 strongswan1 charon: 07[CFG]   id '192.168.91.163' not
confirmed by certificate, defaulting to 'C=US, ST=Wisconsin, O=ISC
International, Ltd., CN=strongswan1'
Jul 17 13:41:40 strongswan1 charon: 07[CFG] added configuration 'rw-eap'
Jul 17 13:42:46 strongswan1 charon: 11[NET] received packet: from
192.168.91.166[500] to 192.168.91.163[500]
Jul 17 13:42:46 strongswan1 charon: 11[ENC] parsed IKE_SA_INIT request 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 17 13:42:46 strongswan1 charon: 11[IKE] 192.168.91.166 is initiating an
IKE_SA
Jul 17 13:42:46 strongswan1 charon: 11[IKE] sending cert request for "C=US,
ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1"
Jul 17 13:42:46 strongswan1 charon: 11[ENC] generating IKE_SA_INIT response
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 17 13:42:46 strongswan1 charon: 11[NET] sending packet: from
192.168.91.163[500] to 192.168.91.166[500]
Jul 17 13:42:46 strongswan1 charon: 14[NET] received packet: from
192.168.91.166[4500] to 192.168.91.163[4500]
Jul 17 13:42:46 strongswan1 charon: 14[ENC] unknown attribute type
INTERNAL_IP4_SERVER
Jul 17 13:42:46 strongswan1 charon: 14[ENC] unknown attribute type
INTERNAL_IP6_SERVER
Jul 17 13:42:46 strongswan1 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi
CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Jul 17 13:42:46 strongswan1 charon: 14[IKE] received cert request for "C=US,
ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1"
Jul 17 13:42:46 strongswan1 charon: 14[IKE] received 8 cert requests for an
unknown ca
Jul 17 13:42:46 strongswan1 charon: 14[CFG] looking for peer configs
matching 192.168.91.163[%any]...192.168.91.166[192.168.91.166]
Jul 17 13:42:46 strongswan1 charon: 14[CFG] selected peer config 'rw'
Jul 17 13:42:46 strongswan1 charon: 14[IKE] peer requested EAP, config
inacceptable
Jul 17 13:42:46 strongswan1 charon: 14[CFG] switching to peer config 'rw2'
Jul 17 13:42:46 strongswan1 charon: 14[IKE] peer requested EAP, config
inacceptable
Jul 17 13:42:46 strongswan1 charon: 14[CFG] switching to peer config
'rw-eap'
Jul 17 13:42:46 strongswan1 charon: 14[IKE] using configured EAP-Identity
gregg
Jul 17 13:42:46 strongswan1 charon: 14[IKE] initiating EAP_MSCHAPV2 method
(id 0x77)
Jul 17 13:42:46 strongswan1 charon: 14[IKE] peer supports MOBIKE
Jul 17 13:42:46 strongswan1 charon: 14[IKE] no private key found for 'C=US,
ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1'
Jul 17 13:42:46 strongswan1 charon: 14[ENC] generating IKE_AUTH response 1 [
N(AUTH_FAILED) ]
Jul 17 13:42:46 strongswan1 charon: 14[NET] sending packet: from
192.168.91.163[4500] to 192.168.91.166[4500]
Jul 17 13:43:35 strongswan1 dhclient: DHCPREQUEST of 192.168.91.163 on eth0
to 192.168.91.254 port 67
Jul 17 13:43:35 strongswan1 dhclient: DHCPACK of 192.168.91.163 from
192.168.91.254
Jul 17 13:43:35 strongswan1 dhclient: bound to 192.168.91.163 -- renewal in
692 seconds.

On the client side, I get the dreaded "Error 13801 IKE authentication
credentials are unacceptable." and the connection halts.  It looks like the
EAP is clearing but the cacert isn't clearing the Windows client.  I've used
seven different methods to create and re-create the self-signed CA and
certificate - openssl, the ipsec pki tool, the OpenVPN tools and probably a
couple others I tried.  I edited the openssl.cnf each time to try and add
the extended key usage and the gateway name in the CN and/or the
subjectAltName - with no luck.  I did find that removing the leftid didn't
help, nor did specifying the EAP user.

It really appears that the connection is hanging on the server certificate.
I'm *this close* to getting this connection down - and I'm pretty sure it's
a certificate problem.  If anyone has some suggestions on where to look
next, I'd really appreciate it!


Config----
# ipsec.conf - strongSwan1 IPsec configuration file

# basic configuration

config setup
	# plutodebug=all
	# crlcheckinterval=180
	# strictcrlpolicy=no
	# cachecrls=yes
	# nat_traversal=yes
	charonstart=yes
	plutostart=no

# Add connections here.

conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	# authby=secret
	keyexchange=ikev2
	# mobike=no
	

conn net-net
	left=192.168.91.163
	leftsubnet=10.1.0.0/16
	leftid=@strongswan1
	leftfirewall=yes
	right=192.168.91.160
	rightsubnet=10.2.0.0/16
	rightid=@strongswan2
	auto=add

conn rw
	left=192.168.91.163
	leftsubnet=10.1.0.0/16
	leftfirewall=yes
	authby=secret
	right=%any
	auto=add
	
conn rw2
	left=192.168.91.163
	leftsubnet=10.1.0.0/16
	# leftid=@strongswan1
	leftcert=cacert.pem
	leftfirewall=yes
	right=%any
	keyexchange=ikev2
	auto=add

conn rw-eap
	left=192.168.91.163
	leftsubnet=10.1.0.0/16
	# leftid=@strongswan1
	leftcert=cacert.pem
	leftauth=pubkey
	leftfirewall=yes
	right=%any
	rightauth=eap-mschapv2
	rightsendcert=never
	eap_identity=gregg
	auto=add

include /var/lib/strongswan/ipsec.conf.inc


---------ipsec.secrets---------
: RSA cakey.pem "newcapassword"

192.168.91.165 : PSK 1234567890

192.168.91.154 : PSK 1234567890

gregg : EAP "1234567890"

include /var/lib/strongswan/ipsec.secrets.inc

Thanks to all!

---------------------------------------------------------------


-----Original Message-----
From: Gregg Hughes [mailto:ghughes at iscinternational.com]
Sent: Wednesday, July 10, 2013 4:41 PM
To: 'Paton, Andy'
Cc: 'users at lists.strongswan.org'
Subject: RE: [strongSwan] Win7 machine certificate connection failing

Hi, Andy!

Thanks for the quick response - it's good to know there's help out there for
new folks.....

The CA key was generated like so:
	openssl genrsa -des3 -out private/cakey.pem 4096
I added a password for the key.  Not much of one, but a password.

Created CA Root Certificate
	openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 -set_serial 0
Asked some questions:
	Country Name				US
	State or Province Name		Wisconsin
	Locality Name				Milwaukee
	Organization Name			ISC International, Ltd.
	Organizational Unit			.
	Common name				strongswan1
	Email Address				ghughes [at] iscinternational.com
....and I got my cert.

I added the requirements to the openssl.cnf file for extendedKeyUsage and
for a subjectAltName, following a document here:
http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq

Oddly enough, when I do an "ipsec listcerts" I get nothing, even though
syslog shows the certificates being loaded correctly.

Let me know other information you might need (and where to look for it) - I
probably haven't completely fulfilled your request.

Thanks!

Gregg


-----Original Message-----
From: Paton, Andy [mailto:andy.paton at hp.com]
Sent: Wednesday, July 10, 2013 4:13 PM
To: Gregg Hughes
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Win7 machine certificate connection failing

Can you post details of your certificates. Both the machine cert for the
gateway and the device cert?

--
Andrew Paton



On 10 Jul 2013, at 21:55, "Gregg Hughes" <ghughes at iscinternational.com>
wrote:

Good afternoon, all!

I've been working on getting a Strongswan installation running on a VMware
Workstation test platform.  The server is Ubuntu Server 12.04 with
Strongswan 4.5.2 from the Ubuntu repository.
I've been able to get a  net-net test config to work, but have had trouble
with a roadwarrior config.  I think it's a problem with certificates because
I get "Error 13801: IKE authentication credentials are unacceptable", so I
know the client is reaching the server and trying to get in.


I followed the examples listed here, working on an X.509 machine certificate
to start:  http://wiki.strongswan.org/projects/strongswan/wiki/Windows7  I
used the multiple client configs and the instructions on importing
certificates into Win7.

All certs were generated and signed on the strongswan server and are in the
proper directories under /etc/ipsec.d.  Content of ipsec.conf and greps from
auth.log and syslog also.

I confess to being at a loss as to why I am still getting the Error 13801
after several hours troubleshooting.

Thanks in advance!



Gregg



# ipsec.conf - strongSwan1 IPsec configuration file

# basic configuration

config setup
                # plutodebug=all
                # crlcheckinterval=180
                # strictcrlpolicy=no
                # cachecrls=yes
                # nat_traversal=yes
                charonstart=yes
                plutostart=no

# Add connections here.

conn %default
                ikelifetime=60m
                keylife=20m
                rekeymargin=3m
                keyingtries=1
                # authby=secret
                keyexchange=ikev2
                # mobike=no


conn net-net
                left=192.168.91.163
                leftsubnet=10.1.0.0/16
                leftid=@strongswan1
                leftfirewall=yes
                right=192.168.91.160
                rightsubnet=10.2.0.0/16
                rightid=@strongswan2
                auto=add

conn Win7
                left=%defaultroute
                # leftcert=cacert.pem
                leftsubnet=10.1.0.0/16
                leftid=strongswan1
                right=%any
                rightsourceip=192.168.93.0/24
                # rightauth=eap-mschapv2
                # rightsendcert=never
                # eap_identity=%any
                # rightcert=client1cert.pem
                # keyexchange=ikev2
                auto=add

include /var/lib/strongswan/ipsec.conf.inc
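
The Jul 19 syslog excerpt at the top of this thread reports "L1 - version:
ASN1 tag 0x02 expected, but is 0x30" while loading strongswan1key.pem: an
INTEGER was expected as the first element inside the outer SEQUENCE and
another SEQUENCE was found. The following is an added example, not part of
the original messages or of strongSwan; it names the structure in a PEM file
from its label and first two DER tags. The function names and the sample
inputs are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KINDS = {  # first two tags inside the outer SEQUENCE -> structure name
    (0x02, 0x02): "PKCS#1 RSAPrivateKey",
    (0x02, 0x30): "PKCS#8 PrivateKeyInfo (unencrypted)",
    (0x30, 0x04): "PKCS#8 EncryptedPrivateKeyInfo",
    (0x30, 0x03): "SubjectPublicKeyInfo (public key, not a private key)",
    (0x30, 0x30): "signed structure such as an X.509 certificate (not a key)",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify_pem(text):
    """Name the structure in a PEM file from its label and leading DER tags."""
    m = PEM_RE.search(text)
    if not m:
        return "no PEM block found"
    label, body = m.groups()
    if "Proc-Type: 4,ENCRYPTED" in body:
        # Body is ciphertext until decrypted, so its DER tags cannot be read.
        return f"{label}: traditional encrypted PEM, passphrase required"
    try:
        der = base64.b64decode("".join(body.split()))
        tag, pos, end = read_tlv(der, 0)
        tags = []
        while tag == 0x30 and pos < end and len(tags) < 2:
            inner, _, pos = read_tlv(der, pos)
            tags.append(inner)
    except (ValueError, IndexError):
        return f"{label}: body is not valid base64/DER"
    kind = KINDS.get(tuple(tags), f"unrecognised, leading tags {[hex(t) for t in tags]}")
    return f"{label}: {kind}"

def sample(label, *inner):
    """Constructed test data: short DER elements in a SEQUENCE, PEM-armored."""
    body = b"".join(bytes([t, len(v)]) + v for t, v in inner)
    b64 = base64.b64encode(bytes([0x30, len(body)]) + body).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

if __name__ == "__main__":
    print(classify_pem(sample("RSA PRIVATE KEY", (2, b"\0"), (2, b"\x00\xc1"))))
    print(classify_pem(sample("ENCRYPTED PRIVATE KEY", (0x30, b"\x06\x01\x2a"), (4, b"\0" * 8))))
```

Passing the text of the file named in the log to classify_pem() shows whether
it holds a different key container or something that is not a private key at
all; any result whose first inner tag is 0x30 matches the tag reported in the
log line.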






