[strongSwan] Unable to use Certificate Path Chain (SUBCAs)

Andreas Steffen andreas.steffen at strongswan.org
Sat Mar 9 18:03:48 CET 2013 

Hi Rashid,

an endpoint must store either the SubCA certificate locally in
/etc/ipsec.d/cacerts or must receive it from the peer together
with the user certificate in an IKEv2 CERT payload.

Regards

Andreas

On 03/09/2013 05:00 PM, Mohammed Rashid wrote:
> *Hi All,
> 
> I am using strongswan 5.0.2. I am using the following configuration with
> host-host transport mode.
> It was working fine when I was using the certificates directly from RootCA. But when I generated certificates from SUBCA, ipsec starts giving errors which I mentioned below..
> *
> /Mar  9 15:22:13 charon: 15[CFG] received stroke: initiate 'user4'
> 
> Mar  9 15:22:13 charon: 10[IKE] initiating IKE_SA user4[5] to 192.168.20.126
> Mar  9 15:22:13 charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Mar  9 15:22:13 charon: 10[NET] sending packet: from 192.168.20.112[500] to 192.168.20.126[500] (692 bytes)
> 
> Mar  9 15:22:13 charon: 09[NET] received packet: from 192.168.20.126[500] to 192.168.20.112[500] (432 bytes)
> Mar  9 15:22:13 charon: 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Mar  9 15:22:13 charon: 09[IKE] authentication of 'user5' (myself) with RSA signature successful
> 
> Mar  9 15:22:13 charon: 09[IKE] establishing CHILD_SA user4
> Mar  9 15:22:13 charon: 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(EAP_ONLY) ]
> Mar  9 15:22:13 charon: 09[NET] sending packet: from 192.168.20.112[500] to 192.168.20.126[500] (684 bytes)
> 
> Mar  9 15:22:13 charon: 07[NET] received packet: from 192.168.20.126[500] to 192.168.20.112[500] (76 bytes)
> *Mar  9 15:22:13 charon: 07[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Mar  9 15:22:13 charon: 07[IKE] received AUTHENTICATION_FAILED notify error*
> 
> 
> 
> Mar  9 17:28:43 charon: 15[NET] received packet: from 192.168.20.112[500] to 192.168.20.126[500] (692 bytes)
> Mar  9 17:28:43 charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 
> Mar  9 17:28:43 charon: 15[IKE] 192.168.20.112 is initiating an IKE_SA
> Mar  9 17:28:43 charon: 15[IKE] sending cert request for "CN=...."
> Mar  9 17:28:43 charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> 
> Mar  9 17:28:43 charon: 15[NET] sending packet: from 192.168.20.126[500] to 192.168.20.112[500] (457 bytes)
> Mar  9 17:28:43 charon: 09[NET] received packet: from 192.168.20.112[500] to 192.168.20.126[500] (1548 bytes)
> 
> Mar  9 17:28:43 charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(EAP_ONLY) ]
> Mar  9 17:28:43 charon: 09[IKE] received cert request for "CN...."
> 
> Mar  9 17:28:43 charon: 09[IKE] received end entity cert "CN=user5..."
> Mar  9 17:28:43 charon: 09[CFG] looking for peer configs matching 192.168.20.126[user4]...192.168.20.112[user5]
> Mar  9 17:28:43 charon: 09[CFG] selected peer config 'user5'
> 
> Mar  9 17:28:43 charon: 09[CFG]   using certificate "CN=user5..."
> *Mar  9 17:28:43 charon: 09[CFG] no issuer certificate found for "CN=user5...."
> Mar  9 17:28:43 charon: 09[IKE] no trusted RSA public key found for 'user5'*
> 
> Mar  9 17:28:43 charon: 09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Mar  9 17:28:43 charon: 09[NET] sending packet: from 192.168.20.126[500] to 192.168.20.112[500] (76 bytes)/
> 
> Regards,
> Rashid

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4468 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130309/53177c97/attachment.bin>

More information about the Users mailing list