[strongSwan] user certificate could not be found via windows 7 vpn connect
Johannes
jotpe.osm at gmail.com
Mon Aug 25 19:29:07 CEST 2014
Thanks for your reply. I could install a new generated pfx cert on the
win7 client, but the vpn connection manager doesn't accept my cert
again. Failure 798.
Now I recorded exactly what I did. Maybe the error is more fundamental.
-------------------------------------------
#Linux server "hobbit" and the Win7 "klapperkiste" can ping each other
# gen key file for CA
ipsec pki --gen > /etc/ipsec.d/private/caKey.der
# create CA cert
ipsec pki --self --in /etc/ipsec.d/private/caKey.der --dn "D=DE, O=Heim,
CN=HCA" --ca > /etc/ipsec.d/cacerts/caCert.der
# Keyfile for Linux Server "hobbit"
ipsec pki --gen > /etc/ipsec.d/private/hobbitKey.der
# cert for Linux server "hobbit"
ipsec pki --pub --in /etc/ipsec.d/private/hobbitKey.der | ipsec pki
--issue --cacert /etc/ipsec.d/cacerts/caCert.der --cakey
/etc/ipsec.d/private/caKey.der --dn "C=DE, O=Heim, CN=hobbit" --san
"hobbit" --san "192.168.0.206" --flag serverAuth --flag ikeIntermediate
> /etc/ipsec.d/certs/hobbitCert.der
# have a look, flag serverAuth ok, flag ikeIntermediate missing
ipsec pki --print --in /etc/ipsec.d/certs/hobbitCert.der
cert: X509
subject: "C=DE, O=Heim, CN=hobbit"
issuer: "C=DE, O=Heim, CN=HCA"
validity: not before Aug 25 12:16:18 2014, ok
not after Aug 24 12:16:18 2017, ok (expires in 1094 days)
serial: 00:e0:42:ee:03:d5:9f:ec:3c
altNames: hobbit, 192.168.0.206
flags: serverAuth
authkeyId: 84:72:21:63:32:8e:08:cf:4f:23:6a:41:51:cb:c8:df:68:fd:34:74
subjkeyId: 5d:9a:a9:b3:4a:93:26:7e:0d:9c:f1:d9:cf:70:a9:35:77:5d:f9:b7
pubkey: RSA 2048 bits
keyid: 6f:10:c2:8b:1d:45:e5:a5:23:a8:a2:e9:9c:bf:16:60:78:d8:cf:f4
subjkey: 5d:9a:a9:b3:4a:93:26:7e:0d:9c:f1:d9:cf:70:a9:35:77:5d:f9:b7
# gen key file for win7 "klapperkasten"
ipsec pki --gen --outform pem > /etc/ipsec.d/private/klapperkastenKey.pem
# create pubkey for win7 "klapperkasten"
ipsec pki --pub --in /etc/ipsec.d/private/klapperkastenKey.pem | ipsec
pki --issue --cacert /etc/ipsec.d/cacerts/caCert.der --cakey
/etc/ipsec.d/private/caKey.der --dn "C=DE, O=Heim, CN=klapperkasten"
--san klapperkasten --san "192.168.0.207" --flag serverAuth --flag
ikeIntermediate --outform pem > /etc/ipsec.d/certs/klapperkastenCert.pem
#have a look, flag ikeIntermediate missing again
ipsec pki --print --in /etc/ipsec.d/certs/klapperkastenCert.pem
cert: X509
subject: "C=DE, O=Heim, CN=klapperkasten"
issuer: "C=DE, O=Heim, CN=HCA"
validity: not before Aug 25 13:50:17 2014, ok
not after Aug 24 13:50:17 2017, ok (expires in 1094 days)
serial: 3d:c6:a3:c9:3d:1c:27:19
altNames: klapperkasten, 192.168.0.207
flags: serverAuth
authkeyId: 84:72:21:63:32:8e:08:cf:4f:23:6a:41:51:cb:c8:df:68:fd:34:74
subjkeyId: c7:ed:ee:6c:ba:8e:27:7b:9d:d1:c6:ec:5a:5d:78:e6:42:a9:0b:27
pubkey: RSA 2048 bits
keyid: 57:29:70:0f:5d:9b:e6:f8:44:80:98:28:d5:84:2d:ba:44:93:a8:ea
subjkey: c7:ed:ee:6c:ba:8e:27:7b:9d:d1:c6:ec:5a:5d:78:e6:42:a9:0b:27
#convert caCert.der in caCert.pem; preparing for next command
openssl x509 -inform der -in /etc/ipsec.d/cacerts/caCert.der -out
/etc/ipsec.d/cacerts/caCert.pem
# don't know exactly if this is right, to make Win7 believe the
generated cert can be used as a X509 user certificate...
# merging them togehter to a pfx-certificate (with passphrase)
openssl pkcs12 -export -out klapperkasten.pfx -inkey
/etc/ipsec.d/private/klapperkastenKey.pem -in
/etc/ipsec.d/certs/klapperkastenCert.pem -certfile
/etc/ipsec.d/cacerts/caCert.pem
cat /etc/ipsec.secrets
: RSA hobbitKey.der
#ipsec.conf example from
https://wiki.strongswan.org/projects/strongswan/wiki/Win7UserMultipleConfig
cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
charonstart=yes
conn win7
leftcert=hobbitCert.der
leftauth=eap-tls
leftsubnet=192.168.0.0/24
right=%any
rightauth=eap-tls
rightsendcert=never
rightsourceip=192.168.1.0/24
keyexchange=ikev2
auto=add
ipsec start
Starting strongSwan 4.5.2 IPsec [starter]...
ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.5.2):
uptime: 15 seconds, since Aug 25 13:57:14 2014
malloc: sbrk 270336, mmap 0, used 248128, free 22208
worker threads: 7 idle of 16, job queue load: 0, scheduled events: 0
loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random
x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp
agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve
socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc
eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Virtual IP pools (size/online/offline):
win7: 255/0/0
Listening IP addresses:
192.168.0.106
Connections:
win7: %any...%any
win7: local: [C=DE, O=Heim, CN=hobbit] uses EAP_TLS
authentication
win7: cert: "C=DE, O=Heim, CN=hobbit"
win7: remote: [%any] uses EAP_TLS authentication
win7: child: 192.168.0.0/24 === dynamic
Security Associations:
none
-------------------------------------------------------------
I copied the caCert.der & klapperkasten.pfx to the Win7 client, please
look at the uploaded images at
https://drive.google.com/folderview?id=0B3PppnqNatwyTkZpUHdGSUpwUk0&usp=sharing
Best regards
Johannes
Am 22.08.2014 17:15, schrieb Michael O Holstein:
>> The import dialog sais, "imported correctly into own certs", but is
never shown in the cert manager.
>
> certmgmt.msc and attach to computer account .. this is where x509
certs for VPN connections need to be.
>
> also make sure you have SubjectAltName=FQDN of host.
>
> Regards,
>
> Michael Holstein
> Cleveland State University
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 551 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140825/756bdd07/attachment.pgp>
More information about the Users
mailing list