[strongSwan] FW: Win7 machine certificate connection failing
Andreas Steffen
andreas.steffen at strongswan.org
Sat Jul 20 08:39:25 CEST 2013
Hi Gregg,
openssl 1.x creates private key files in the PKCS#8 format. Support for
parsing this key format was introduced with strongSwan 4.6.2 via the
pkcs8 plugin.
As a workaround either upgrade to a newer strongSwan version with PKCS#8
support or convert your PKCS#8 key file into a PKCS#1 key format.
Regards
Andreas
On 07/19/2013 11:54 PM, Gregg Hughes wrote:
> I think I've found the problem, but I don't know how to fix it. It appears
> that ipsec can't load the private ca key. Here's the relevant syslog cut:
>
> ---------------------syslog------------------------
> Jul 19 15:33:18 strongswan1 charon: 00[DMN] Starting IKEv2 charon daemon
> (strongSwan 4.5.2)
> Jul 19 15:33:20 strongswan1 charon: 00[KNL] listening on interfaces:
> Jul 19 15:33:20 strongswan1 charon: 00[KNL] eth0
> Jul 19 15:33:20 strongswan1 charon: 00[KNL] 192.168.91.163
> Jul 19 15:33:20 strongswan1 charon: 00[KNL] fe80::20c:29ff:fecd:2c6b
> Jul 19 15:33:20 strongswan1 charon: 00[KNL] eth1
> Jul 19 15:33:20 strongswan1 charon: 00[KNL] 10.1.0.1
> Jul 19 15:33:20 strongswan1 charon: 00[KNL] fe80::20c:29ff:fecd:2c75
> Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
> Jul 19 15:33:20 strongswan1 charon: 00[CFG] loaded ca certificate "C=US,
> ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd.,
> CN=strongswan1.iscinternational.com, E=support at iscinternational.com" from
> '/etc/ipsec.d/cacerts/strongswan1cert.pem'
> Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
> Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading ocsp signer certificates
> from '/etc/ipsec.d/ocspcerts'
> Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading attribute certificates
> from '/etc/ipsec.d/acerts'
> Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading crls from
> '/etc/ipsec.d/crls'
> Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> Jul 19 15:33:20 strongswan1 charon: 00[LIB] L1 - version: ASN1 tag 0x02
> expected, but is 0x30
> Jul 19 15:33:20 strongswan1 charon: 00[LIB] building CRED_PRIVATE_KEY - RSA
> failed, tried 8 builders
> Jul 19 15:33:20 strongswan1 charon: 00[CFG] loading private key from
> '/etc/ipsec.d/private/strongswan1key.pem' failed
> ________________________________________
>
> So when the EAP session tries to initialize, this happens:
>
> ________________________________________
> Jul 19 15:54:34 strongswan1 charon: 15[NET] received packet: from
> 192.168.91.166[500] to 192.168.91.163[500]
> Jul 19 15:54:34 strongswan1 charon: 15[ENC] parsed IKE_SA_INIT request 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jul 19 15:54:34 strongswan1 charon: 15[IKE] 192.168.91.166 is initiating an
> IKE_SA
> Jul 19 15:54:34 strongswan1 charon: 15[IKE] sending cert request for "C=US,
> ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd.,
> CN=strongswan1.iscinternational.com, E=support at iscinternational.com"
> Jul 19 15:54:34 strongswan1 charon: 15[ENC] generating IKE_SA_INIT response
> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Jul 19 15:54:34 strongswan1 charon: 15[NET] sending packet: from
> 192.168.91.163[500] to 192.168.91.166[500]
> Jul 19 15:54:34 strongswan1 charon: 14[NET] received packet: from
> 192.168.91.166[4500] to 192.168.91.163[4500]
> Jul 19 15:54:34 strongswan1 charon: 14[ENC] unknown attribute type
> INTERNAL_IP4_SERVER
> Jul 19 15:54:34 strongswan1 charon: 14[ENC] unknown attribute type
> INTERNAL_IP6_SERVER
> Jul 19 15:54:34 strongswan1 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi
> CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
> Jul 19 15:54:34 strongswan1 charon: 14[IKE] received cert request for "C=US,
> ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd.,
> CN=strongswan1.iscinternational.com, E=support at iscinternational.com"
> Jul 19 15:54:34 strongswan1 charon: 14[IKE] received 12 cert requests for an
> unknown ca
> Jul 19 15:54:34 strongswan1 charon: 14[CFG] looking for peer configs
> matching 192.168.91.163[%any]...192.168.91.166[192.168.91.166]
> Jul 19 15:54:34 strongswan1 charon: 14[CFG] selected peer config 'rw'
> Jul 19 15:54:34 strongswan1 charon: 14[IKE] peer requested EAP, config
> inacceptable
> Jul 19 15:54:34 strongswan1 charon: 14[CFG] switching to peer config 'rw2'
> Jul 19 15:54:34 strongswan1 charon: 14[IKE] peer requested EAP, config
> inacceptable
> Jul 19 15:54:34 strongswan1 charon: 14[CFG] switching to peer config
> 'rw-eap'
> Jul 19 15:54:34 strongswan1 charon: 14[IKE] initiating EAP-Identity request
> Jul 19 15:54:34 strongswan1 charon: 14[IKE] peer supports MOBIKE
> Jul 19 15:54:34 strongswan1 charon: 14[IKE] no private key found for 'C=US,
> ST=Wisconsin, L=Milwaukee, O=ISC International, Ltd.,
> CN=strongswan1.iscinternational.com, E=support at iscinternational.com'
> Jul 19 15:54:34 strongswan1 charon: 14[ENC] generating IKE_AUTH response 1 [
> N(AUTH_FAILED) ]
> Jul 19 15:54:34 strongswan1 charon: 14[NET] sending packet: from
> 192.168.91.163[4500] to 192.168.91.166[4500]
> _______________________________________
> The last three lines of the syslog cutting above seem to be related to the
> private key not loading.
>
> Now, I've done some searching for how to fix the ASN1 tag problem but
> haven't come up with anything. I'm using openssl 1.0.1 and don't find any
> bugs or issues with wrong tags. I'm going to recreate the ca, certs and
> keys again and see if the problem comes with any particular steps. It does
> appear that removing the quotes from the ipsec.secrets helped.
>
> Meanwhile, if anyone has some ideas about this......
>
> Many thanks for looking into this!
>
>
> Gregg
>
> -----Original Message-----
> From: Gregg Hughes [mailto:ghughes at iscinternational.com]
> Sent: Thursday, July 18, 2013 2:02 PM
> To: users at lists.strongswan.org
> Subject: FW: [strongSwan] Win7 machine certificate connection failing
>
> I wanted to update the information here with results from some config
> changes.
>
> I added/reconfigured the ipsec.conf to have an EAP-MSCHAPV2 connection
> available, then changed the information on the Windows client side to use
> EAP when making the connection. Here's the syslog output:
>
>
> --------------Clip from syslog------------------
>
> Jul 17 13:41:40 strongswan1 charon: 16[CFG] received stroke: delete
> connection 'net-net'
> Jul 17 13:41:40 strongswan1 charon: 16[CFG] deleted connection 'net-net'
> Jul 17 13:41:40 strongswan1 charon: 04[CFG] received stroke: delete
> connection 'rw'
> Jul 17 13:41:40 strongswan1 charon: 04[CFG] deleted connection 'rw'
> Jul 17 13:41:40 strongswan1 charon: 07[CFG] received stroke: delete
> connection 'rw2'
> Jul 17 13:41:40 strongswan1 charon: 07[CFG] deleted connection 'rw2'
> Jul 17 13:41:40 strongswan1 charon: 05[CFG] received stroke: delete
> connection 'rw-eap'
> Jul 17 13:41:40 strongswan1 charon: 05[CFG] deleted connection 'rw-eap'
> Jul 17 13:41:40 strongswan1 charon: 16[CFG] received stroke: add connection
> 'net-net'
> Jul 17 13:41:40 strongswan1 charon: 16[CFG] added configuration 'net-net'
> Jul 17 13:41:40 strongswan1 charon: 16[CFG] received stroke: add connection
> 'rw'
> Jul 17 13:41:40 strongswan1 charon: 16[CFG] added configuration 'rw'
> Jul 17 13:41:40 strongswan1 charon: 16[CFG] received stroke: add connection
> 'rw2'
> Jul 17 13:41:40 strongswan1 charon: 16[CFG] loaded certificate "C=US,
> ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1" from 'cacert.pem'
> Jul 17 13:41:40 strongswan1 charon: 16[CFG] id '192.168.91.163' not
> confirmed by certificate, defaulting to 'C=US, ST=Wisconsin, O=ISC
> International, Ltd., CN=strongswan1'
> Jul 17 13:41:40 strongswan1 charon: 16[CFG] added configuration 'rw2'
> Jul 17 13:41:40 strongswan1 charon: 07[CFG] received stroke: add connection
> 'rw-eap'
> Jul 17 13:41:40 strongswan1 charon: 07[CFG] loaded certificate "C=US,
> ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1" from 'cacert.pem'
> Jul 17 13:41:40 strongswan1 charon: 07[CFG] id '192.168.91.163' not
> confirmed by certificate, defaulting to 'C=US, ST=Wisconsin, O=ISC
> International, Ltd., CN=strongswan1'
> Jul 17 13:41:40 strongswan1 charon: 07[CFG] added configuration 'rw-eap'
> Jul 17 13:42:46 strongswan1 charon: 11[NET] received packet: from 192.168.91.166[500] to 192.168.91.163[500]
> Jul 17 13:42:46 strongswan1 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jul 17 13:42:46 strongswan1 charon: 11[IKE] 192.168.91.166 is initiating an IKE_SA
> Jul 17 13:42:46 strongswan1 charon: 11[IKE] sending cert request for "C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1"
> Jul 17 13:42:46 strongswan1 charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Jul 17 13:42:46 strongswan1 charon: 11[NET] sending packet: from 192.168.91.163[500] to 192.168.91.166[500]
> Jul 17 13:42:46 strongswan1 charon: 14[NET] received packet: from 192.168.91.166[4500] to 192.168.91.163[4500]
> Jul 17 13:42:46 strongswan1 charon: 14[ENC] unknown attribute type INTERNAL_IP4_SERVER
> Jul 17 13:42:46 strongswan1 charon: 14[ENC] unknown attribute type INTERNAL_IP6_SERVER
> Jul 17 13:42:46 strongswan1 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
> Jul 17 13:42:46 strongswan1 charon: 14[IKE] received cert request for "C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1"
> Jul 17 13:42:46 strongswan1 charon: 14[IKE] received 8 cert requests for an unknown ca
> Jul 17 13:42:46 strongswan1 charon: 14[CFG] looking for peer configs matching 192.168.91.163[%any]...192.168.91.166[192.168.91.166]
> Jul 17 13:42:46 strongswan1 charon: 14[CFG] selected peer config 'rw'
> Jul 17 13:42:46 strongswan1 charon: 14[IKE] peer requested EAP, config inacceptable
> Jul 17 13:42:46 strongswan1 charon: 14[CFG] switching to peer config 'rw2'
> Jul 17 13:42:46 strongswan1 charon: 14[IKE] peer requested EAP, config inacceptable
> Jul 17 13:42:46 strongswan1 charon: 14[CFG] switching to peer config 'rw-eap'
> Jul 17 13:42:46 strongswan1 charon: 14[IKE] using configured EAP-Identity gregg
> Jul 17 13:42:46 strongswan1 charon: 14[IKE] initiating EAP_MSCHAPV2 method (id 0x77)
> Jul 17 13:42:46 strongswan1 charon: 14[IKE] peer supports MOBIKE
> Jul 17 13:42:46 strongswan1 charon: 14[IKE] no private key found for 'C=US, ST=Wisconsin, O=ISC International, Ltd., CN=strongswan1'
> Jul 17 13:42:46 strongswan1 charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Jul 17 13:42:46 strongswan1 charon: 14[NET] sending packet: from 192.168.91.163[4500] to 192.168.91.166[4500]
> Jul 17 13:43:35 strongswan1 dhclient: DHCPREQUEST of 192.168.91.163 on eth0 to 192.168.91.254 port 67
> Jul 17 13:43:35 strongswan1 dhclient: DHCPACK of 192.168.91.163 from 192.168.91.254
> Jul 17 13:43:35 strongswan1 dhclient: bound to 192.168.91.163 -- renewal in 692 seconds.
>
> On the client side, I get the dreaded "Error 13801 IKE authentication
> credentials are unacceptable." and the connection halts. It looks like the
> EAP is clearing but the cacert isn't clearing the Windows client. I've used
> seven different methods to create and re-create the self-signed CA and
> certificate - openssl, the ipsec pki tool, the OpenVPN tools and probably a
> couple others I tried. I edited the openssl.cnf each time to try and add
> the extended key usage and the gateway name in the CN and/or the
> subjectAltName - with no luck. I did find that removing the leftid didn't
> help, nor did specifying the EAP user.
>
> It really appears that the connection is hanging on the server certificate.
> I'm *this close* to getting this connection down - and I'm pretty sure it's
> a certificate problem. If anyone has some suggestions on where to look
> next, I'd really appreciate it!
>
>
> Config----
> # ipsec.conf - strongSwan1 IPsec configuration file
>
> # basic configuration
>
> config setup
> # plutodebug=all
> # crlcheckinterval=180
> # strictcrlpolicy=no
> # cachecrls=yes
> # nat_traversal=yes
> charonstart=yes
> plutostart=no
>
> # Add connections here.
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> # authby=secret
> keyexchange=ikev2
> # mobike=no
>
>
> conn net-net
> left=192.168.91.163
> leftsubnet=10.1.0.0/16
> leftid=@strongswan1
> leftfirewall=yes
> right=192.168.91.160
> rightsubnet=10.2.0.0/16
> rightid=@strongswan2
> auto=add
>
> conn rw
> left=192.168.91.163
> leftsubnet=10.1.0.0/16
> leftfirewall=yes
> authby=secret
> right=%any
> auto=add
>
> conn rw2
> left=192.168.91.163
> leftsubnet=10.1.0.0/16
> # leftid=@strongswan1
> leftcert=cacert.pem
> leftfirewall=yes
> right=%any
> keyexchange=ikev2
> auto=add
>
> conn rw-eap
> left=192.168.91.163
> leftsubnet=10.1.0.0/16
> # leftid=@strongswan1
> leftcert=cacert.pem
> leftauth=pubkey
> leftfirewall=yes
> right=%any
> rightauth=eap-mschapv2
> rightsendcert=never
> eap_identity=gregg
> auto=add
>
> include /var/lib/strongswan/ipsec.conf.inc
>
>
> ---------ipsec.secrets---------
> : RSA cakey.pem "newcapassword"
>
> 192.168.91.165 : PSK 1234567890
>
> 192.168.91.154 : PSK 1234567890
>
> gregg : EAP "1234567890"
>
> include /var/lib/strongswan/ipsec.secrets.inc
>
> Thanks to all!
>
> ---------------------------------------------------------------
>
>
> -----Original Message-----
> From: Gregg Hughes [mailto:ghughes at iscinternational.com]
> Sent: Wednesday, July 10, 2013 4:41 PM
> To: 'Paton, Andy'
> Cc: 'users at lists.strongswan.org'
> Subject: RE: [strongSwan] Win7 machine certificate connection failing
>
> Hi, Andy!
>
> Thanks for the quick response - it's good to know there's help out there for
> new folks.....
>
> The CA key was generated like so:
> openssl genrsa -des3 -out private/cakey.pem 4096
> I added a password for the key. Not much of one, but a password.
>
> Created CA Root Certificate
> openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 -set_serial 0
> Asked some questions:
> Country Name US
> State or Province Name Wisconsin
> Locality Name Milwaukee
> Organization Name ISC International, Ltd.
> Organizational Unit .
> Common name strongswan1
> Email Address ghughes [at]
> iscinternational.com
> ....and I got my cert.
>
> I added the requirements to the openssl.cnf file for extendedKeyUsage and
> for a subjectAltName, following a document here:
> http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq
>
> Oddly enough, when I do an "ipsec listcerts" I get nothing, even though
> syslog shows the certificates being loaded correctly.
>
> Let me know other information you might need (and where to look for it) - I
> probably haven't completely fulfilled your request.
>
> Thanks!
>
> Gregg
>
>
> -----Original Message-----
> From: Paton, Andy [mailto:andy.paton at hp.com]
> Sent: Wednesday, July 10, 2013 4:13 PM
> To: Gregg Hughes
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] Win7 machine certificate connection failing
>
> Can you post details of your certificates. Both the machine cert for the
> gateway and the device cert?
>
> --
> Andrew Paton
>
>
>
> On 10 Jul 2013, at 21:55, "Gregg Hughes" <ghughes at iscinternational.com> wrote:
>
> Good afternoon, all!
>
> I've been working on getting a Strongswan installation running on a VMware
> Workstation test platform. The server is Ubuntu Server 12.04 with
> Strongswan 4.5.2 from the Ubuntu repository.
> I've been able to get a net-net test config to work, but have had trouble
> with a roadwarrior config. I think it's a problem with certificates because
> I get "Error 13801: IKE authentication credentials are unacceptable", so I
> know the client is reaching the server and trying to get in.
>
>
> I followed the examples listed here, working on an X.509 machine certificate
> to start: http://wiki.strongswan.org/projects/strongswan/wiki/Windows7 I
> used the multiple client configs and the instructions on importing
> certificates into Win7.
>
> All certs were generated and signed on the strongswan server and are in the
> proper directories under /etc/ipsec.d. Content of ipsec.conf and greps from
> auth.log and syslog also.
>
> I confess to being at a loss as to why I am still getting the Error 13801
> after several hours troubleshooting.
>
> Thanks in advance!
>
>
>
> Gregg
>
>
>
> # ipsec.conf - strongSwan1 IPsec configuration file
>
> # basic configuration
>
> config setup
> # plutodebug=all
> # crlcheckinterval=180
> # strictcrlpolicy=no
> # cachecrls=yes
> # nat_traversal=yes
> charonstart=yes
> plutostart=no
>
> # Add connections here.
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> # authby=secret
> keyexchange=ikev2
> # mobike=no
>
>
> conn net-net
> left=192.168.91.163
> leftsubnet=10.1.0.0/16
> leftid=@strongswan1
> leftfirewall=yes
> right=192.168.91.160
> rightsubnet=10.2.0.0/16
> rightid=@strongswan2
> auto=add
>
> conn Win7
> left=%defaultroute
> # leftcert=cacert.pem
> leftsubnet=10.1.0.0/16
> leftid=strongswan1
> right=%any
> rightsourceip=192.168.93.0/24
> # rightauth=eap-mschapv2
> # rightsendcert=never
> # eap_identity=%any
> # rightcert=client1cert.pem
> # keyexchange=ikev2
> auto=add
>
> include /var/lib/strongswan/ipsec.conf.inc
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
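To make the PKCS#8 versus PKCS#1 point concrete, here is an added example (my code, not strongSwan's and not anything posted in this thread) that tells the three common PEM private-key layouts apart by their ASN.1 structure, mirrors the check a PKCS#1 RSAPrivateKey parser makes, and unwraps an unencrypted PKCS#8 PrivateKeyInfo into PKCS#1. The sample keys are constructed toy values (the textbook n = 61 * 53 parameters and made-up ciphertext), not usable keys; the OIDs are the standard rsaEncryption and PBES2 identifiers. The structural point: a PKCS#1 file has INTEGER version followed by INTEGER modulus; an unencrypted PKCS#8 file has the AlgorithmIdentifier SEQUENCE in that second slot; an encrypted PKCS#8 file (BEGIN ENCRYPTED PRIVATE KEY) has a SEQUENCE in the first slot, which is where a parser expecting the version INTEGER reports "tag 0x02 expected, but is 0x30", the position named in the log quoted above.

```python
"""Added example: classify PEM/DER private keys by ASN.1 structure and
unwrap unencrypted PKCS#8 into PKCS#1.  Pure stdlib; the sample keys are
constructed toy values, NOT real RSA material."""
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
PBES2_OID = bytes.fromhex("2a864886f70d01050d")           # 1.2.840.113549.1.5.13


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Encode one DER tag-length-value."""
    return bytes([tag]) + _der_len(len(body)) + body


def der_int(n):
    """DER INTEGER for n >= 0; pads a leading 0x00 when the high bit is set."""
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def read_tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(text):
    """Strip PEM armour; return (label, DER bytes)."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def der_to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def classify_der(der):
    """Walk the outer SEQUENCE the way a PKCS#1 RSAPrivateKey parser does:
    element 0 must be INTEGER version, element 1 INTEGER modulus.
    Returns 'pkcs1', 'pkcs8' or 'pkcs8-encrypted'."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE (0x30) expected, got 0x%02x" % tag)
    tag, _, pos = read_tlv(body)
    if tag == 0x30:
        # EncryptedPrivateKeyInfo: SEQUENCE { AlgorithmIdentifier, OCTET STRING }
        # has a SEQUENCE where the version INTEGER should be -> fails at element 0.
        return "pkcs8-encrypted"
    if tag != 0x02:
        raise ValueError("version INTEGER (0x02) expected, got 0x%02x" % tag)
    tag, _, _ = read_tlv(body, pos)
    if tag == 0x02:
        return "pkcs1"
    if tag == 0x30:
        # PrivateKeyInfo: SEQUENCE { version, AlgorithmIdentifier, OCTET STRING }
        # puts the AlgorithmIdentifier where PKCS#1 has the modulus -> fails at element 1.
        return "pkcs8"
    raise ValueError("unrecognised private key structure")


def pkcs8_to_pkcs1(der):
    """Unwrap an unencrypted PKCS#8 PrivateKeyInfo carrying an RSA key."""
    if classify_der(der) != "pkcs8":
        raise ValueError("not an unencrypted PKCS#8 PrivateKeyInfo")
    _, body, _ = read_tlv(der)
    _, _, pos = read_tlv(body)                # version
    _, alg, pos = read_tlv(body, pos)         # AlgorithmIdentifier
    oid_tag, oid, _ = read_tlv(alg)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("PKCS#8 key is not rsaEncryption")
    tag, rsa_der, _ = read_tlv(body, pos)     # OCTET STRING wrapping RSAPrivateKey
    if tag != 0x04:
        raise ValueError("privateKey OCTET STRING missing")
    return rsa_der


def classify_pem(text):
    """Classify a PEM key by structure; the label is returned only as a hint."""
    label, der = pem_to_der(text)
    return label, classify_der(der)


# --- constructed sample data (toy numbers, NOT a usable key) -----------------

def sample_pkcs1_der():
    """RSAPrivateKey: SEQUENCE { version 0, n, e, d, p, q, dP, dQ, qInv }."""
    toy = (3233, 17, 2753, 61, 53, 53, 49, 38)  # textbook n = 61 * 53 example
    return tlv(0x30, b"".join(der_int(x) for x in (0,) + toy))


def sample_pkcs8_der():
    alg = tlv(0x30, tlv(0x06, RSA_ENCRYPTION_OID) + tlv(0x05, b""))
    return tlv(0x30, der_int(0) + alg + tlv(0x04, sample_pkcs1_der()))


def sample_encrypted_pkcs8_der():
    """EncryptedPrivateKeyInfo with a PBES2 identifier and made-up ciphertext."""
    alg = tlv(0x30, tlv(0x06, PBES2_OID) + tlv(0x30, b""))
    return tlv(0x30, alg + tlv(0x04, b"\x00" * 16))


if __name__ == "__main__":
    for name, der in (("pkcs1", sample_pkcs1_der()), ("pkcs8", sample_pkcs8_der()),
                      ("encrypted", sample_encrypted_pkcs8_der())):
        print(name, "->", classify_der(der))
    pem = der_to_pem("PRIVATE KEY", sample_pkcs8_der())
    print(der_to_pem("RSA PRIVATE KEY", pkcs8_to_pkcs1(pem_to_der(pem)[1])))
```

For the real file, the conversion Andreas suggests is `openssl rsa -in /etc/ipsec.d/private/strongswan1key.pem -out strongswan1key-pkcs1.pem`: `openssl rsa` reads either layout (prompting for the passphrase if the key is encrypted) and with OpenSSL 1.x writes a traditional `RSA PRIVATE KEY` block, which is what a 4.5.2 daemon without the pkcs8 plugin can load; OpenSSL 3.x writes PKCS#8 by default and needs `-traditional` for the same result. Without an encryption option such as `-des3` the converted key lands on disk in the clear, so check the file permissions before pointing ipsec.secrets at it.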