[strongSwan] Certificate Signature Validation Fails After Long Uptime
joshua
grossjo2 at hotmail.com
Mon Dec 1 19:23:17 CET 2014
I've noticed that on some of my strongswan servers, over time clients begin to have trouble connecting to 1 of the three connections defined in the ipsec.conf file. If I restart the ipsec server, clients have no trouble connecting anymore.
I am using strongswan version 5.04 on ubuntu 12.04.
Below is my configuration and the relevant error and success logs (sanitized to an extent).
Does anyone have any idea what could be causing this?
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    charondebug="dmn 1, mgr 1, ike 1, chd 1, job 1, cfg 1, knl 1, net 1, asn 1, enc 1, lib 1, esp 1, tls 1"
    #plutodebug=all
    # crlcheckinterval=600
    strictcrlpolicy=no
    # cachecrls=yes
    # charondebug=4
    nat_traversal=yes
    #charonstart=no
    #plutostart=no

ca servers
    auto=add

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    auto=add

conn iphone-general
    keyexchange=ikev1
    rightauth=pubkey
    rightauth2=xauth-pam
    left=%defaultroute
    leftid=@domain.name3
    leftsubnet=0.0.0.0/0
    leftfirewall=no
    leftcert=defaultCert.pem
    right=%any
    rightsubnet=10.253.0.0/16
    rightsourceip=10.253.0.0/16
    # Require all subject fields to be matched by star
    # As well as CA's pull in
    rightid="C=DEF, ST=*, L=*, O=*, CN=*, E=*"
    fragmentation=yes
    auto=add
    # Dead peer detection can cause issue
    # resulting in hanging connections for iOS
    # Not sure on the root cause of why though
    # dpddelay=30
    # dpdtimeout=120
    # dpdaction=clear

conn iphone-geo
    keyexchange=ikev1
    rightauth=pubkey
    rightauth2=xauth-pam
    left=%defaultroute
    leftid=@domain.name2
    leftsubnet=0.0.0.0/0
    leftfirewall=no
    leftcert=geoCert.pem
    right=%any
    rightsubnet=10.255.0.0/16
    rightsourceip=10.255.0.0/16
    # Require all subject fields to be matched by star
    # As well as CA's pull in
    rightid="C=US, ST=*, L=*, O=*, CN=*, E=*"
    fragmentation=yes
    auto=add

conn iphone-ios8
    keyexchange=ikev1
    rightauth=pubkey
    rightauth2=xauth-pam
    left=%defaultroute
    leftid=@domain.name
    leftsubnet=0.0.0.0/0
    leftfirewall=no
    leftcert=ios8.pem
    right=%any
    rightsubnet=10.251.0.0/16
    rightsourceip=10.251.0.0/16
    # Require all subject fields to be matched by star
    # As well as CA's pull in
    rightid="C=*, ST=*, L=*, O=*, CN=*, E=*"
    fragmentation=yes
    auto=add
Logs from client where it fails to validate the signature.
Dec 1 17:24:58 vagrant-ubuntu-precise-64 charon: 04[CFG] checking certificate status of "C=CA, ST=state, L=city, O=Company, CN=ipsec.Company.mobi, E=ops at Company.com"
Dec 1 17:24:58 vagrant-ubuntu-precise-64 charon: 04[CFG] certificate status is not available
Dec 1 17:24:58 vagrant-ubuntu-precise-64 charon: 04[CFG] using trusted ca certificate "C=CA, ST=state, L=city, O=Company, CN=Company CA, E=ops at Company.com"
Dec 1 17:24:58 vagrant-ubuntu-precise-64 charon: 04[CFG] checking certificate status of "C=CA, ST=state, O=Company, CN=Company Intermediate CA, E=ops at Company.com"
Dec 1 17:24:58 vagrant-ubuntu-precise-64 charon: 04[CFG] certificate status is not available
Dec 1 17:24:58 vagrant-ubuntu-precise-64 charon: 04[CFG] reached self-signed root ca with a path length of 1
Dec 1 17:24:58 vagrant-ubuntu-precise-64 charon: 04[IKE] signature validation failed, looking for another key
Dec 1 17:24:58 vagrant-ubuntu-precise-64 charon: 04[IKE] no trusted RSA public key found for 'ipsec.Company.mobi'
Dec 1 17:24:58 vagrant-ubuntu-precise-64 charon: 04[IKE] deleting IKE_SA client[1] between 10.0.2.15[C=DEF, ST=state, L=city, O=Company, CN=sprinkler_server, E=josh+6474474654226372364145163867877661111424 at Company.com]...23.105.140.23[ipsec.company.mobi]
Dec 1 17:24:58 vagrant-ubuntu-precise-64 charon: 04[IKE] sending DELETE for IKE_SA client[1]
Logs from after restart where it connects without an issue.

Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[CFG] certificate status is not available
Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[CFG] reached self-signed root ca with a path length of 0
Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[CFG] using trusted certificate "C=DEF, ST=state, L=city, O=Company, CN=sprinkler_server, E=josh+6474474654226372364145163867877661111424 at Company.com"
Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[IKE] signature validation failed, looking for another key
Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[CFG] using certificate "C=CA, ST=state, L=city, O=Company, CN=ipsec.Company.mobi, E=ops at Company.com"
Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[CFG] using trusted intermediate ca certificate "C=CA, ST=state, O=Company, CN=Company Intermediate CA, E=ops at Company.com"
Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[CFG] checking certificate status of "C=CA, ST=state, L=city, O=Company, CN=ipsec.Company.mobi, E=ops at Company.com"
Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[CFG] certificate status is not available
Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[CFG] using trusted ca certificate "C=CA, ST=state, L=city, O=Company, CN=Company CA, E=ops at Company.com"
Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[CFG] checking certificate status of "C=CA, ST=state, O=Company, CN=Company Intermediate CA, E=ops at Company.com"
Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[CFG] certificate status is not available
Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[CFG] reached self-signed root ca with a path length of 1
Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 04[IKE] authentication of 'ipsec.Company.mobi' with RSA successful
Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 05[NET] received packet: from 23.105.140.23[4500] to 10.0.2.15[4500] (76 bytes)
Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 05[ENC] parsed TRANSACTION request 1975513490 [ HASH CP ]
Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 05[ENC] generating TRANSACTION response 1975513490 [ HASH CP ]
Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 05[NET] sending packet: from 10.0.2.15[4500] to 23.105.140.23[4500] (188 bytes)
Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 03[NET] received packet: from 23.105.140.23[4500] to 10.0.2.15[4500] (76 bytes)
Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 03[ENC] parsed TRANSACTION request 948789398 [ HASH CP ]
Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 03[IKE] XAuth authentication of '65a6f50cc061eef61b8846223b2fd3b55d28c1c1' (myself) successful
Dec 1 17:26:31 vagrant-ubuntu-precise-64 charon: 03[IKE] IKE_SA client[1] established between 10.0.2.15[C=DEF, ST=state, L=city, O=Company, CN=sprinkler_server, E=josh+6474474654226372364145163867877661111424 at Company.com]...23.105.140.23[ipsec.Company.mobi]
Joshua J. Gross
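An added example, not part of the original post: a small Python parser for charon syslog lines of the kind quoted above that separates the decisive authentication verdicts ("no trusted RSA public key found" versus "with RSA successful") per peer identity from the "signature validation failed, looking for another key" notices, which both the failing and the successful exchange emit. Host names and identities in the sample are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in strongSwan charon syslog format: one failing run, then
# one successful run against the same gateway identity. Placeholder names only.
SAMPLE = """\
Dec 1 17:24:58 vpn-client charon: 04[CFG] reached self-signed root ca with a path length of 1
Dec 1 17:24:58 vpn-client charon: 04[IKE] signature validation failed, looking for another key
Dec 1 17:24:58 vpn-client charon: 04[IKE] no trusted RSA public key found for 'ipsec.example.test'
Dec 1 17:24:58 vpn-client charon: 04[IKE] deleting IKE_SA client[1] between 10.0.2.15[client]...198.51.100.7[ipsec.example.test]
Dec 1 17:26:31 vpn-client charon: 04[IKE] signature validation failed, looking for another key
Dec 1 17:26:31 vpn-client charon: 04[CFG] using trusted intermediate ca certificate "CN=Intermediate"
Dec 1 17:26:31 vpn-client charon: 04[IKE] authentication of 'ipsec.example.test' with RSA successful
"""

# "Mon DD HH:MM:SS host charon: NN[SUB] message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"no trusted RSA public key found for '(?P<peer>[^']+)'")
OK_RE = re.compile(r"authentication of '(?P<peer>[^']+)' with RSA successful")

def parse_charon(text):
    """Yield (timestamp, thread, subsystem, message) for every charon line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.group("ts"), m.group("thread"), m.group("sub"), m.group("msg")

def auth_outcomes(text):
    """Return ({peer: [(outcome, timestamp), ...]}, noise_count).

    'signature validation failed, looking for another key' is emitted while charon
    tries each candidate key, so it appears in successful runs too and is counted
    as noise; only the FAIL_RE / OK_RE lines decide the outcome for a peer.
    """
    outcomes = defaultdict(list)
    noise = 0
    for ts, _thread, sub, msg in parse_charon(text):
        if sub != "IKE":
            continue
        if msg.startswith("signature validation failed"):
            noise += 1
        elif (m := FAIL_RE.search(msg)):
            outcomes[m.group("peer")].append(("fail", ts))
        elif (m := OK_RE.search(msg)):
            outcomes[m.group("peer")].append(("ok", ts))
    return dict(outcomes), noise
```

Feeding real charon output through auth_outcomes gives a per-gateway timeline, so a run of "fail" entries that clears only after an ipsec restart stands out without chasing the key-retry notices.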