[strongSwan] Unable to use Certificate Path Chain (SUBCAs)

Mohammed Rashid mail4rashid at gmail.com
Sat Mar 9 19:01:14 CET 2013


Hi Andreas,

I am putting both RootCA & SubCA locally in /etc/ipsec.d/cacerts but it's still
giving the same error.
Even when I do "ipsec listall" it's only showing the RootCA.

Regards,
Rashid

On Sat, Mar 9, 2013 at 8:03 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hi Rashid,
>
> an endpoint must store either the SubCA certificate locally in
> /etc/ipsec.d/cacerts or must receive it from the peer together
> with the user certificate in an IKEv2 CERT payload.
>
> Regards
>
> Andreas
>
> On 03/09/2013 05:00 PM, Mohammed Rashid wrote:
> > Hi All,
> >
> > I am using strongswan 5.0.2. I am using the following configuration with
> > host-host transport mode.
> > It was working fine when I was using the certificates directly from
> > RootCA. But when I generated certificates from SUBCA, ipsec starts giving
> > errors which I mentioned below:
> >
> > Mar  9 15:22:13 charon: 15[CFG] received stroke: initiate 'user4'
> > Mar  9 15:22:13 charon: 10[IKE] initiating IKE_SA user4[5] to 192.168.20.126
> > Mar  9 15:22:13 charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > Mar  9 15:22:13 charon: 10[NET] sending packet: from 192.168.20.112[500] to 192.168.20.126[500] (692 bytes)
> > Mar  9 15:22:13 charon: 09[NET] received packet: from 192.168.20.126[500] to 192.168.20.112[500] (432 bytes)
> > Mar  9 15:22:13 charon: 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > Mar  9 15:22:13 charon: 09[IKE] authentication of 'user5' (myself) with RSA signature successful
> > Mar  9 15:22:13 charon: 09[IKE] establishing CHILD_SA user4
> > Mar  9 15:22:13 charon: 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(EAP_ONLY) ]
> > Mar  9 15:22:13 charon: 09[NET] sending packet: from 192.168.20.112[500] to 192.168.20.126[500] (684 bytes)
> > Mar  9 15:22:13 charon: 07[NET] received packet: from 192.168.20.126[500] to 192.168.20.112[500] (76 bytes)
> > Mar  9 15:22:13 charon: 07[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > Mar  9 15:22:13 charon: 07[IKE] received AUTHENTICATION_FAILED notify error
> >
> > Mar  9 17:28:43 charon: 15[NET] received packet: from 192.168.20.112[500] to 192.168.20.126[500] (692 bytes)
> > Mar  9 17:28:43 charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > Mar  9 17:28:43 charon: 15[IKE] 192.168.20.112 is initiating an IKE_SA
> > Mar  9 17:28:43 charon: 15[IKE] sending cert request for "CN=...."
> > Mar  9 17:28:43 charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> > Mar  9 17:28:43 charon: 15[NET] sending packet: from 192.168.20.126[500] to 192.168.20.112[500] (457 bytes)
> > Mar  9 17:28:43 charon: 09[NET] received packet: from 192.168.20.112[500] to 192.168.20.126[500] (1548 bytes)
> > Mar  9 17:28:43 charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(EAP_ONLY) ]
> > Mar  9 17:28:43 charon: 09[IKE] received cert request for "CN...."
> > Mar  9 17:28:43 charon: 09[IKE] received end entity cert "CN=user5..."
> > Mar  9 17:28:43 charon: 09[CFG] looking for peer configs matching 192.168.20.126[user4]...192.168.20.112[user5]
> > Mar  9 17:28:43 charon: 09[CFG] selected peer config 'user5'
> > Mar  9 17:28:43 charon: 09[CFG]   using certificate "CN=user5..."
> > Mar  9 17:28:43 charon: 09[CFG] no issuer certificate found for "CN=user5...."
> > Mar  9 17:28:43 charon: 09[IKE] no trusted RSA public key found for 'user5'
> > Mar  9 17:28:43 charon: 09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > Mar  9 17:28:43 charon: 09[NET] sending packet: from 192.168.20.126[500] to 192.168.20.112[500] (76 bytes)
> >
> > Regards,
> > Rashid
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
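Andreas's rule (the SubCA must sit in /etc/ipsec.d/cacerts or arrive in the peer's CERT payload) can be checked from the shell before touching strongSwan. The script below is an added example, not code from the thread or from the strongSwan project: it mimics charon's issuer lookup with openssl and builds a constructed throwaway RootCA -> SubCA -> user5 chain to show the lookup failing with only the root present and succeeding once the SubCA file is added.

```shell
# Added example (not from the thread): mimic strongSwan's issuer lookup with
# openssl. A match exists only when some file in the cacerts directory has a
# subject equal to the issuer of the end-entity certificate; otherwise charon
# logs "no issuer certificate found", as in Rashid's responder log.

# Return 0 if a PEM file in directory $2 is the issuer of certificate $1.
find_issuer_in_cacerts() {
    cert="$1"; cadir="$2"
    issuer=$(openssl x509 -in "$cert" -noout -issuer)   # "issuer=CN = SubCA"
    issuer=${issuer#issuer=}
    for ca in "$cadir"/*.pem; do
        [ -f "$ca" ] || continue
        subj=$(openssl x509 -in "$ca" -noout -subject)
        subj=${subj#subject=}
        if [ "$subj" = "$issuer" ]; then
            echo "issuer of $cert: $ca"
            return 0
        fi
    done
    echo "no issuer certificate found for $cert in $cadir" >&2
    return 1
}

# Full path validation: the root is trusted, the SubCA is only untrusted
# input, so a missing or wrong SubCA makes verification fail.
verify_chain() {
    cert="$1"; root="$2"; subca="$3"
    openssl verify -CAfile "$root" -untrusted "$subca" "$cert" >/dev/null 2>&1
}

# Constructed throwaway PKI (RootCA -> SubCA -> user5) under directory $1;
# the root lands in $1/cacerts, the SubCA deliberately does not.
make_test_pki() {
    d="$1"; mkdir -p "$d/cacerts"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=RootCA" \
        -keyout "$d/root.key" -out "$d/cacerts/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=SubCA" \
        -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
        > "$d/ca.ext"
    openssl x509 -req -days 2 -in "$d/sub.csr" -CA "$d/cacerts/root.pem" \
        -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" \
        -out "$d/sub.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=user5" \
        -keyout "$d/user5.key" -out "$d/user5.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/user5.csr" -CA "$d/sub.pem" \
        -CAkey "$d/sub.key" -CAcreateserial -out "$d/user5.pem" 2>/dev/null
}
```

Running `find_issuer_in_cacerts user5.pem /etc/ipsec.d/cacerts` against a real setup shows whether the file in cacerts is actually the SubCA that signed the user certificate, which "ipsec listall" listing only the RootCA suggests it is not.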