[strongSwan] FW: Win7 machine certificate connection failing

Andreas Steffen andreas.steffen at strongswan.org
Sat Jul 20 08:39:25 CEST 2013


Hi Gregg,

openssl 1.x creates private key files in the PKCS#8 format. Support for
parsing this key format was introduced with strongSwan 4.6.2 via the
pkcs8 plugin.

As a workaround either upgrade to a newer strongSwan version with PKCS#8
support or convert your PKCS#8 key file into a PKCS#1 key format.

Regards

Andreas

On 07/19/2013 11:54 PM, Gregg Hughes wrote:
> I think I've found the problem, but I don't know how to fix it.  It appears
> that ipsec can't load the private ca key.  Here's the relevant syslog cut:
> 
> ---------------------syslog------------------------
> Jul 19 15:33:18 strongswan1 charon: 00[DMN] Starting IKEv2 charon daemon
> (strongSwan 4.5.2)
> Jul 19 15:33:20 strongswan1 charon: 00[KNL] listening on interfaces:
> Jul 19 15:33:20 strongswan1 charon: 00[KNL]   eth0
> Jul 19 15:33:20 strongswan1 charon: 00[KNL]     192.168.91.163
> Jul 19 15:33:20 strongswan1 charon: 00[KNL]     fe80::20c:29ff:fecd:2c6b
> Jul 19 15:33:20 strongswan1 charon: 00[KNL]   eth1
> Jul 19 15:33:20 strongswan1 charon: 00[KNL]     10.1.0.1
> Jul 19 15:33:20 strongswan1 charon: 00[KNL]     fe80::20c:29ff:fecd:2c75
> Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
> Jul 19 15:33:20 strongswan1 charon: 00[CFG]   loaded ca certificate "C=US,
> ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd.,
> CN=strongswan1.iscinternational.com, E=support at iscinternational.com" from
> '/etc/ipsec.d/cacerts/strongswan1cert.pem'
> Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
> Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading ocsp signer certificates
> from '/etc/ipsec.d/ocspcerts'
> Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading attribute certificates
> from '/etc/ipsec.d/acerts'
> Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading crls from
> '/etc/ipsec.d/crls'
> Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> Jul 19 15:33:20 strongswan1 charon: 00[LIB] L1 - version: ASN1 tag 0x02
> expected, but is 0x30
> Jul 19 15:33:20 strongswan1 charon: 00[LIB] building CRED_PRIVATE_KEY - RSA
> failed, tried 8 builders
> Jul 19 15:33:20 strongswan1 charon: 00[CFG]   loading private key from
> '/etc/ipsec.d/private/strongswan1key.pem' failed
> ________________________________________
> 
> So when the EAP session tries to initialize, this happens:
> 
> ________________________________________
> Jul 19 15:54:34 strongswan1 charon: 15[NET] received packet: from
> 192.168.91.166[500] to 192.168.91.163[500]
> Jul 19 15:54:34 strongswan1 charon: 15[ENC] parsed IKE_SA_INIT request 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jul 19 15:54:34 strongswan1 charon: 15[IKE] 192.168.91.166 is initiating an
> IKE_SA
> Jul 19 15:54:34 strongswan1 charon: 15[IKE] sending cert request for "C=US,
> ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd.,
> CN=strongswan1.iscinternational.com, E=support at iscinternational.com"
> Jul 19 15:54:34 strongswan1 charon: 15[ENC] generating IKE_SA_INIT response
> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Jul 19 15:54:34 strongswan1 charon: 15[NET] sending packet: from
> 192.168.91.163[500] to 192.168.91.166[500]
> Jul 19 15:54:34 strongswan1 charon: 14[NET] received packet: from
> 192.168.91.166[4500] to 192.168.91.163[4500]
> Jul 19 15:54:34 strongswan1 charon: 14[ENC] unknown attribute type
> INTERNAL_IP4_SERVER
> Jul 19 15:54:34 strongswan1 charon: 14[ENC] unknown attribute type
> INTERNAL_IP6_SERVER
> Jul 19 15:54:34 strongswan1 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi
> CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
> Jul 19 15:54:34 strongswan1 charon: 14[IKE] received cert request for "C=US,
> ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd.,
> CN=strongswan1.iscinternational.com, E=support at iscinternational.com"
> Jul 19 15:54:34 strongswan1 charon: 14[IKE] received 12 cert requests for an
> unknown ca
> Jul 19 15:54:34 strongswan1 charon: 14[CFG] looking for peer configs
> matching 192.168.91.163[%any]...192.168.91.166[192.168.91.166]
> Jul 19 15:54:34 strongswan1 charon: 14[CFG] selected peer config 'rw'
> Jul 19 15:54:34 strongswan1 charon: 14[IKE] peer requested EAP, config
> inacceptable
> Jul 19 15:54:34 strongswan1 charon: 14[CFG] switching to peer config 'rw2'
> Jul 19 15:54:34 strongswan1 charon: 14[IKE] peer requested EAP, config
> inacceptable
> Jul 19 15:54:34 strongswan1 charon: 14[CFG] switching to peer config
> 'rw-eap'
> Jul 19 15:54:34 strongswan1 charon: 14[IKE] initiating EAP-Identity request
> Jul 19 15:54:34 strongswan1 charon: 14[IKE] peer supports MOBIKE
> Jul 19 15:54:34 strongswan1 charon: 14[IKE] no private key found for 'C=US,
> ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd.,
> CN=strongswan1.iscinternational.com, E=support at iscinternational.com'
> Jul 19 15:54:34 strongswan1 charon: 14[ENC] generating IKE_AUTH response 1 [
> N(AUTH_FAILED) ]
> Jul 19 15:54:34 strongswan1 charon: 14[NET] sending packet: from
> 192.168.91.163[4500] to 192.168.91.166[4500]
> _______________________________________
> The last three lines of the syslog cutting above seem to be related to the
> private key not loading.
> 
> Now, I've done some searching for how to fix the ASN1 tag problem but
> haven't come up with anything.  I'm using openssl 1.0.1 and don't find any
> bugs or issues with wrong tags.  I'm going to recreate the ca, certs and
> keys again and see if the problem comes with any particular steps.  It does
> appear that removing the quotes from the ipsec.secrets helped.
> 
> Meanwhile, if anyone has some ideas about this......
> 
> Many thanks for looking into this!
> 
> 
> Gregg
> 
> -----Original Message-----
> From: Gregg Hughes [mailto:ghughes at iscinternational.com] 
> Sent: Thursday, July 18, 2013 2:02 PM
> To: users at lists.strongswan.org
> Subject: FW: [strongSwan] Win7 machine certificate connection failing
> 
> I wanted to update the information here with results from some config
> changes.
> 
> I added/reconfigured the ipsec.conf to have an EAP-MSCHAPV2 connection
> available, then changed the information on the Windows client side to use
> EAP when making the connection.  Here's the syslog output:
> 
> 
> --------------Clip from syslog------------------
> 
> Jul 17 13:41:40 strongswan1 charon: 16[CFG] received stroke: delete
> connection 'net-net'
> Jul 17 13:41:40 strongswan1 charon: 16[CFG] deleted connection 'net-net'
> Jul 17 13:41:40 strongswan1 charon: 04[CFG] received stroke: delete
> connection 'rw'
> Jul 17 13:41:40 strongswan1 charon: 04[CFG] deleted connection 'rw'
> Jul 17 13:41:40 strongswan1 charon: 07[CFG] received stroke: delete
> connection 'rw2'
> Jul 17 13:41:40 strongswan1 charon: 07[CFG] deleted connection 'rw2'
> Jul 17 13:41:40 strongswan1 charon: 05[CFG] received stroke: delete
> connection 'rw-eap'
> Jul 17 13:41:40 strongswan1 charon: 05[CFG] deleted connection 'rw-eap'
> Jul 17 13:41:40 strongswan1 charon: 16[CFG] received stroke: add connection
> 'net-net'
> Jul 17 13:41:40 strongswan1 charon: 16[CFG] added configuration 'net-net'
> Jul 17 13:41:40 strongswan1 charon: 16[CFG] received stroke: add connection
> 'rw'
> Jul 17 13:41:40 strongswan1 charon: 16[CFG] added configuration 'rw'
> Jul 17 13:41:40 strongswan1 charon: 16[CFG] received stroke: add connection
> 'rw2'
> Jul 17 13:41:40 strongswan1 charon: 16[CFG]   loaded certificate "C=US,
> ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1" from 'cacert.pem'
> Jul 17 13:41:40 strongswan1 charon: 16[CFG]   id '192.168.91.163' not
> confirmed by certificate, defaulting to 'C=US, ST=Wisconsin, O=ISC
> International, Ltd., CN=strongswan1'
> Jul 17 13:41:40 strongswan1 charon: 16[CFG] added configuration 'rw2'
> Jul 17 13:41:40 strongswan1 charon: 07[CFG] received stroke: add connection
> 'rw-eap'
> Jul 17 13:41:40 strongswan1 charon: 07[CFG]   loaded certificate "C=US,
> ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1" from 'cacert.pem'
> Jul 17 13:41:40 strongswan1 charon: 07[CFG]   id '192.168.91.163' not
> confirmed by certificate, defaulting to 'C=US, ST=Wisconsin, O=ISC
> International, Ltd., CN=strongswan1'
> Jul 17 13:41:40 strongswan1 charon: 07[CFG] added configuration 'rw-eap'
> Jul 17 13:42:46 strongswan1 charon: 11[NET] received packet: from 192.168.91.166[500] to 192.168.91.163[500]
> Jul 17 13:42:46 strongswan1 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jul 17 13:42:46 strongswan1 charon: 11[IKE] 192.168.91.166 is initiating an IKE_SA
> Jul 17 13:42:46 strongswan1 charon: 11[IKE] sending cert request for "C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1"
> Jul 17 13:42:46 strongswan1 charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Jul 17 13:42:46 strongswan1 charon: 11[NET] sending packet: from 192.168.91.163[500] to 192.168.91.166[500]
> Jul 17 13:42:46 strongswan1 charon: 14[NET] received packet: from 192.168.91.166[4500] to 192.168.91.163[4500]
> Jul 17 13:42:46 strongswan1 charon: 14[ENC] unknown attribute type INTERNAL_IP4_SERVER
> Jul 17 13:42:46 strongswan1 charon: 14[ENC] unknown attribute type INTERNAL_IP6_SERVER
> Jul 17 13:42:46 strongswan1 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
> Jul 17 13:42:46 strongswan1 charon: 14[IKE] received cert request for "C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1"
> Jul 17 13:42:46 strongswan1 charon: 14[IKE] received 8 cert requests for an unknown ca
> Jul 17 13:42:46 strongswan1 charon: 14[CFG] looking for peer configs matching 192.168.91.163[%any]...192.168.91.166[192.168.91.166]
> Jul 17 13:42:46 strongswan1 charon: 14[CFG] selected peer config 'rw'
> Jul 17 13:42:46 strongswan1 charon: 14[IKE] peer requested EAP, config inacceptable
> Jul 17 13:42:46 strongswan1 charon: 14[CFG] switching to peer config 'rw2'
> Jul 17 13:42:46 strongswan1 charon: 14[IKE] peer requested EAP, config inacceptable
> Jul 17 13:42:46 strongswan1 charon: 14[CFG] switching to peer config 'rw-eap'
> Jul 17 13:42:46 strongswan1 charon: 14[IKE] using configured EAP-Identity gregg
> Jul 17 13:42:46 strongswan1 charon: 14[IKE] initiating EAP_MSCHAPV2 method (id 0x77)
> Jul 17 13:42:46 strongswan1 charon: 14[IKE] peer supports MOBIKE
> Jul 17 13:42:46 strongswan1 charon: 14[IKE] no private key found for 'C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1'
> Jul 17 13:42:46 strongswan1 charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Jul 17 13:42:46 strongswan1 charon: 14[NET] sending packet: from 192.168.91.163[4500] to 192.168.91.166[4500]
> Jul 17 13:43:35 strongswan1 dhclient: DHCPREQUEST of 192.168.91.163 on eth0 to 192.168.91.254 port 67
> Jul 17 13:43:35 strongswan1 dhclient: DHCPACK of 192.168.91.163 from 192.168.91.254
> Jul 17 13:43:35 strongswan1 dhclient: bound to 192.168.91.163 -- renewal in 692 seconds.
> 
> On the client side, I get the dreaded "Error 13801 IKE authentication
> credentials are unacceptable." and the connection halts.  It looks like the
> EAP is clearing but the cacert isn't clearing the Windows client.  I've used
> seven different methods to create and re-create the self-signed CA and
> certificate - openssl, the ipsec pki tool, the OpenVPN tools and probably a
> couple others I tried.  I edited the openssl.cnf each time to try and add
> the extended key usage and the gateway name in the CN and/or the
> subjectAltName - with no luck.  I did find that removing the leftid didn't
> help, nor did specifying the EAP user.
> 
> It really appears that the connection is hanging on the server certificate.
> I'm *this close* to getting this connection down - and I'm pretty sure it's
> a certificate problem.  If anyone has some suggestions on where to look
> next, I'd really appreciate it!
> 
> 
> Config----
> # ipsec.conf - strongSwan1 IPsec configuration file
> 
> # basic configuration
> 
> config setup
> 	# plutodebug=all
> 	# crlcheckinterval=180
> 	# strictcrlpolicy=no
> 	# cachecrls=yes
> 	# nat_traversal=yes
> 	charonstart=yes
> 	plutostart=no
> 
> # Add connections here.
> 
> conn %default
> 	ikelifetime=60m
> 	keylife=20m
> 	rekeymargin=3m
> 	keyingtries=1
> 	# authby=secret
> 	keyexchange=ikev2
> 	# mobike=no
> 	
> 
> conn net-net
> 	left=192.168.91.163
> 	leftsubnet=10.1.0.0/16
> 	leftid=@strongswan1
> 	leftfirewall=yes
> 	right=192.168.91.160
> 	rightsubnet=10.2.0.0/16
> 	rightid=@strongswan2
> 	auto=add
> 
> conn rw
> 	left=192.168.91.163
> 	leftsubnet=10.1.0.0/16
> 	leftfirewall=yes
> 	authby=secret
> 	right=%any
> 	auto=add
> 	
> conn rw2
> 	left=192.168.91.163
> 	leftsubnet=10.1.0.0/16
> 	# leftid=@strongswan1
> 	leftcert=cacert.pem
> 	leftfirewall=yes
> 	right=%any
> 	keyexchange=ikev2
> 	auto=add
> 
> conn rw-eap
> 	left=192.168.91.163
> 	leftsubnet=10.1.0.0/16
> 	# leftid=@strongswan1
> 	leftcert=cacert.pem
> 	leftauth=pubkey
> 	leftfirewall=yes
> 	right=%any
> 	rightauth=eap-mschapv2
> 	rightsendcert=never
> 	eap_identity=gregg
> 	auto=add
> 
> include /var/lib/strongswan/ipsec.conf.inc
> 
> 
> ---------ipsec.secrets---------
> : RSA cakey.pem "newcapassword"
> 
> 192.168.91.165 : PSK 1234567890
> 
> 192.168.91.154 : PSK 1234567890
> 
> gregg : EAP "1234567890"
> 
> include /var/lib/strongswan/ipsec.secrets.inc
> 
> Thanks to all!
> 
> ---------------------------------------------------------------
> 
> 
> -----Original Message-----
> From: Gregg Hughes [mailto:ghughes at iscinternational.com]
> Sent: Wednesday, July 10, 2013 4:41 PM
> To: 'Paton, Andy'
> Cc: 'users at lists.strongswan.org'
> Subject: RE: [strongSwan] Win7 machine certificate connection failing
> 
> Hi, Andy!
> 
> Thanks for the quick response - it's good to know there's help out there for
> new folks.....
> 
> The CA key was generated like so:
> 	openssl genrsa -des3 -out private/cakey.pem 4096
> I added a password for the key.  Not much of one, but a password.
> 
> Created CA Root Certificate
> 	openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 -set_serial 0
> Asked some questions:
> 	Country Name				US
> 	State or Province Name		Wisconsin
> 	Locality Name				Milwaukee
> 	Organization Name			ISC International, Ltd.
> 	Organizational Unit			.
> 	Common name				strongswan1
> 	Email Address				ghughes [at] iscinternational.com
> ....and I got my cert.
> 
> I added the requirements to the openssl.cnf file for extendedKeyUsage and
> for a subjectAltName, following a document here:
> http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq
> 
> Oddly enough, when I do an "ipsec listcerts" I get nothing, even though
> syslog shows the certificates being loaded correctly.
> 
> Let me know other information you might need (and where to look for it) - I
> probably haven't completely fulfilled your request.
> 
> Thanks!
> 
> Gregg
> 
> 
> -----Original Message-----
> From: Paton, Andy [mailto:andy.paton at hp.com]
> Sent: Wednesday, July 10, 2013 4:13 PM
> To: Gregg Hughes
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] Win7 machine certificate connection failing
> 
> Can you post details of your certificates. Both the machine cert for the
> gateway and the device cert?
> 
> --
> Andrew Paton
> 
> 
> 
> On 10 Jul 2013, at 21:55, "Gregg Hughes"
> <ghughes at iscinternational.com<mailto:ghughes at iscinternational.com>> wrote:
> 
> Good afternoon, all!
> 
> I've been working on getting a Strongswan installation running on a VMware
> Workstation test platform.  The server is Ubuntu Server 12.04 with
> Strongswan 4.5.2 from the Ubuntu repository.
> I've been able to get a  net-net test config to work, but have had trouble
> with a roadwarrior config.  I think it's a problem with certificates because
> I get "Error 13801: IKE authentication credentials are unacceptable", so I
> know the client is reaching the server and trying to get in.
> 
> 
> I followed the examples listed here, working on an X.509 machine certificate
> to start:  http://wiki.strongswan.org/projects/strongswan/wiki/Windows7  I
> used the multiple client configs and the instructions on importing
> certificates into Win7.
> 
> All certs were generated and signed on the strongswan server and are in the
> proper directories under /etc/ipsec.d.  Content of ipsec.conf and greps from
> auth.log and syslog also.
> 
> I confess to being at a loss as to why I am still getting the Error 13801
> after several hours troubleshooting.
> 
> Thanks in advance!
> 
> 
> 
> Gregg
> 
> 
> 
> # ipsec.conf - strongSwan1 IPsec configuration file
> 
> # basic configuration
> 
> config setup
>                 # plutodebug=all
>                 # crlcheckinterval=180
>                 # strictcrlpolicy=no
>                 # cachecrls=yes
>                 # nat_traversal=yes
>                 charonstart=yes
>                 plutostart=no
> 
> # Add connections here.
> 
> conn %default
>                 ikelifetime=60m
>                 keylife=20m
>                 rekeymargin=3m
>                 keyingtries=1
>                 # authby=secret
>                 keyexchange=ikev2
>                 # mobike=no
> 
> 
> conn net-net
>                 left=192.168.91.163
>                 leftsubnet=10.1.0.0/16
>                 leftid=@strongswan1
>                 leftfirewall=yes
>                 right=192.168.91.160
>                 rightsubnet=10.2.0.0/16
>                 rightid=@strongswan2
>                 auto=add
> 
> conn Win7
>                 left=%defaultroute
>                 # leftcert=cacert.pem
>                 leftsubnet=10.1.0.0/16
>                 leftid=strongswan1
>                 right=%any
>                 rightsourceip=192.168.93.0/24
>                 # rightauth=eap-mschapv2
>                 # rightsendcert=never
>                 # eap_identity=%any
>                 # rightcert=client1cert.pem
>                 # keyexchange=ikev2
>                 auto=add
> 
> include /var/lib/strongswan/ipsec.conf.inc

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
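Added example (not code from the strongSwan project or from anyone in this thread): a small DER peek that tells apart the three PEM private-key encodings this thread runs into, making the same first checks that a PKCS#1-only parser makes. strongSwan 4.5.2 has only an RSAPrivateKey (PKCS#1) builder, so on a PKCS#8 file it stops at level 1 with "ASN1 tag 0x02 expected, but is 0x30": it wants the INTEGER version but finds a SEQUENCE, which is what an EncryptedPrivateKeyInfo (the output of a passphrase-protected PKCS#8 key) starts with. The sample keys below are constructed, structurally valid DER with toy numbers, not real keys; the function names and the "L0 - RSAPrivateKey" message shape are this example's own, only the "L1 - version" line reproduces the message seen in the syslog above.

```python
"""Classify a PEM private key as PKCS#1, PKCS#8 or encrypted PKCS#8 by its
first DER tags, and reproduce what a PKCS#1-only parser reports on each."""
import base64
import re

SEQUENCE, INTEGER, OCTET_STRING, OID, NULL = 0x30, 0x02, 0x04, 0x06, 0x05


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v):
    # DER INTEGER is two's complement: prepend 0x00 when the top bit is set.
    return der(INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))


def der_read(buf, pos):
    """Return (tag, value_start, value_end) of the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def pkcs1_version_check(buf):
    """Level-0/level-1 checks of an RSAPrivateKey parser, in charon's
    message style (the L0 wording is this example's); None when both pass."""
    tag, start, _ = der_read(buf, 0)
    if tag != SEQUENCE:
        return "L0 - RSAPrivateKey: ASN1 tag 0x30 expected, but is 0x%02x" % tag
    first_tag, _, _ = der_read(buf, start)
    if first_tag != INTEGER:
        return "L1 - version: ASN1 tag 0x02 expected, but is 0x%02x" % first_tag
    return None


def classify_der(buf):
    """Tell the encodings apart by the first two element tags (assumption:
    RSA keys only; a traditional DSA key would also look like PKCS#1 here)."""
    tag, start, _ = der_read(buf, 0)
    if tag != SEQUENCE:
        return "not a DER private key"
    first_tag, _, first_end = der_read(buf, start)
    if first_tag == SEQUENCE:
        # EncryptedPrivateKeyInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING }
        return "PKCS#8 EncryptedPrivateKeyInfo"
    if first_tag != INTEGER:
        return "unknown"
    second_tag, _, _ = der_read(buf, first_end)
    if second_tag == SEQUENCE:
        # PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier, OCTET STRING }
        return "PKCS#8 PrivateKeyInfo"
    if second_tag == INTEGER:
        # RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }
        return "PKCS#1 RSAPrivateKey"
    return "unknown"


def pem_decode(text):
    """Return (label, header_lines, der_bytes) for the first PEM block."""
    m = re.search(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    lines = [l.strip() for l in m.group(2).strip().splitlines() if l.strip()]
    headers = [l for l in lines if ":" in l]      # e.g. "Proc-Type: 4,ENCRYPTED"
    body = [l for l in lines if ":" not in l]     # base64 never contains ':'
    return m.group(1), headers, base64.b64decode("".join(body))


def classify_pem(text):
    """PEM label plus what the DER actually is; the two can disagree, and
    charon only looks at the DER."""
    label, headers, buf = pem_decode(text)
    if any(h.startswith("Proc-Type:") for h in headers):
        return label, "PEM-encrypted traditional key (DER hidden by passphrase)"
    return label, classify_der(buf)


def pem_encode(label, buf):
    b64 = base64.b64encode(buf).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed samples: right shape, meaningless numbers.
RSA_OID = der(OID, bytes.fromhex("2a864886f70d010101"))    # rsaEncryption
PBES2_OID = der(OID, bytes.fromhex("2a864886f70d01050d"))  # id-PBES2
PKCS1_DER = der(SEQUENCE, b"".join(der_int(v) for v in (0, 3233, 17, 2753, 61, 53, 1, 1, 38)))
PKCS8_DER = der(SEQUENCE, der_int(0) + der(SEQUENCE, RSA_OID + der(NULL, b""))
                + der(OCTET_STRING, PKCS1_DER))
PKCS8_ENC_DER = der(SEQUENCE, der(SEQUENCE, PBES2_OID + der(SEQUENCE, b""))
                    + der(OCTET_STRING, b"\x00" * 32))

if __name__ == "__main__":
    for label, buf in (("RSA PRIVATE KEY", PKCS1_DER), ("PRIVATE KEY", PKCS8_DER),
                       ("ENCRYPTED PRIVATE KEY", PKCS8_ENC_DER)):
        print(label, "->", classify_pem(pem_encode(label, buf)), pkcs1_version_check(buf))
```

Running classify_pem over /etc/ipsec.d/private/strongswan1key.pem tells you which case you are in before touching the key. For the conversion Andreas suggests, the standard OpenSSL invocation is "openssl rsa -in strongswan1key.pem -out strongswan1key-pkcs1.pem": it reads PKCS#8 (prompting for the passphrase if the file is encrypted) and writes the traditional "BEGIN RSA PRIVATE KEY" form. Without an encryption flag such as -des3 the result is a plaintext key, so either keep it mode 0600 root-only and drop the passphrase from the ": RSA ..." line in ipsec.secrets, or add -des3 so the file stays passphrase-protected in the traditional PEM (DEK-Info) style that the old pem plugin can decrypt with the quoted passphrase from ipsec.secrets.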
