[strongSwan] certificate only vpn connection with mac

Cindy Moore ctmoore at cs.ucsd.edu
Thu Dec 11 22:20:03 CET 2014


I'm trying to get a basic connection going with a mac os x client to
strongswan (latest) installed on ubuntu (14.04 lts).  I'm not entirely
certain what is going on.  It seems like the client isn't sending the
desired certificate.  in the log file, vpnHostCert doesn't seem to
play a part at all which i find unexpected.

When I set up the mac I sent the p12 packages over to the mac, added
the three of them (root, vpnHost, cindy) to the system keychain.
What's weird though, is that I can only seem to select, for both User
Authentication certificate & Machine Authentication certificate, the
one identified with ctmoore at example.com (I had expected to select that
for User Auth, and the vpn.example.com for Machine Auth -- all three
(root, vpn, cindy) certificates are visible in the system keychain,
but only the cindy one appears in the list of options when selecting
User/Machine Auth in setting up a vpn connection on the mac.  I set
the strongswan root up as a trusted cert, and authorized the use of
all three in any kind of setting.


Overview of setup (syslog copy at end)


Created the certificates.  Sorry, my email program is eating tabs.

========
"root":
ipsec pki --gen --type rsa --size 4096 \
--outform pem \
> private/strongswanKey.pem
chmod 600 private/strongswanKey.pem
ipsec pki --self --ca --lifetime 3650 \
--in private/strongswanKey.pem --type rsa \
--dn "C=US, O=ThatsUs, CN=strongSwan Root CA" \
--outform pem \
> cacerts/strongswanCert.pem

========
host:
ipsec pki --gen --type rsa --size 2048 \
--outform pem \
> private/vpnHostKey.pem
chmod 600 private/vpnHostKey.pem
ipsec pki --pub --in private/vpnHostKey.pem --type rsa | \
ipsec pki --issue --lifetime 730 \
--cacert cacerts/strongswanCert.pem \
--cakey private/strongswanKey.pem \
--dn "C=US, O=ThatsUs, CN=vpn.example.com" \
--san vpn.example.com \
--flag serverAuth --flag ikeIntermediate \
--outform pem > certs/vpnHostCert.pem

ipsec pki --print looks okay for both

========
created p12 packages
# openssl pkcs12 -export -in certs/vpnHostCert.pem -nokeys -nodes -out
exports/vpnHost.p12
Enter Export Password:
Verifying - Enter Export Password:

# openssl pkcs12 -export -in cacerts/strongswanCert.pem -nokeys -nodes
-out exports/strongSwan.p12
Enter Export Password:
Verifying - Enter Export Password:

========
client certificate
ipsec pki --gen --type rsa --size 2048 \
--outform pem \
> private/cindyKey.pem
chmod 600 private/cindyKey.pem
ipsec pki --pub --in private/cindyKey.pem --type rsa | \
ipsec pki --issue --lifetime 730 \
--cacert cacerts/strongswanCert.pem \
--cakey private/strongswanKey.pem \
--dn "C=US, O=ThatsUs, CN=ctmoore at example.com" \
--san ctmoore at example.com \
--outform pem > certs/cindyCert.pem

(plus p12 packaging)

========
ipsec.secrets
: RSA vpnHostKey.pem

=========
ipsec.conf

conn %default
        ikelifetime=60m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        #vpn server
        left=[vpn ip]
        leftcert=vpnHostCert.pem
        # certificate based ID
        leftid="C=US, O=strongSwan, CN=vpn.example.com"
        #allow full tunneling
        leftsubnet=0.0.0.0/0
        #assign ip addr from this pool
        rightsourceip=[...]
        # assign dns servers once connected
        rightdns=[...]

ca %default
        cacert=strongswanCert.pem

# certificate only
conn roadwarrior-ikev2
        keyexchange=ikev2
        leftauth=pubkey
        right=%any
        rightid=%any
        rightauth=pubkey
        auto=add

# certificate only, fakeout on xauth (for eg Mac/iOS that must do
xauth. and ikev1 for that matter)
conn roadwarrior-ikev1
        keyexchange=ikev1
        leftauth=pubkey
        right=%any
        rightid=%any
        rightauth=pubkey
        rightauth2=xauth-noauth
        auto=add


========


Using the same ctmoore cert on User/Machine auth in the mac vpn and
connect anyway, I get the following in the syslog

I find the
Dec 11 12:47:54 vpn charon: 10[IKE] found 1 matching config, but none
allows RSA signature authentication using Main Mode
entry interesting, but I don't know if that's the issue, and if it is,
what I can do about it.


/var/log/syslog
========
Dec 11 12:47:54 vpn charon: 02[NET] received packet: from [client
ip][500] to [vpn ip][500]
Dec 11 12:47:54 vpn charon: 02[NET] waiting for data on sockets
Dec 11 12:47:54 vpn charon: 04[NET] received packet: from [client
ip][500] to [vpn ip][500] (300 bytes)
Dec 11 12:47:54 vpn charon: 04[ENC] parsed ID_PROT request 0 [ SA V V
V V V V V V V V V ]
Dec 11 12:47:54 vpn charon: 04[CFG] looking for an ike config for [vpn
ip]...[client ip]
Dec 11 12:47:54 vpn charon: 04[CFG]   candidate: [vpn ip]...%any, prio 1052
Dec 11 12:47:54 vpn charon: 04[CFG] found matching ike config: [vpn
ip]...%any with prio 1052
Dec 11 12:47:54 vpn charon: 04[IKE] received NAT-T (RFC 3947) vendor ID
Dec 11 12:47:54 vpn charon: 04[IKE] received
draft-ietf-ipsec-nat-t-ike vendor ID
Dec 11 12:47:54 vpn charon: 04[IKE] received
draft-ietf-ipsec-nat-t-ike-08 vendor ID
Dec 11 12:47:54 vpn charon: 04[IKE] received
draft-ietf-ipsec-nat-t-ike-07 vendor ID
Dec 11 12:47:54 vpn charon: 04[IKE] received
draft-ietf-ipsec-nat-t-ike-06 vendor ID
Dec 11 12:47:54 vpn charon: 04[IKE] received
draft-ietf-ipsec-nat-t-ike-05 vendor ID
Dec 11 12:47:54 vpn charon: 04[IKE] received
draft-ietf-ipsec-nat-t-ike-04 vendor ID
Dec 11 12:47:54 vpn charon: 04[IKE] received
draft-ietf-ipsec-nat-t-ike-03 vendor ID
Dec 11 12:47:54 vpn charon: 04[IKE] received
draft-ietf-ipsec-nat-t-ike-02 vendor ID
Dec 11 12:47:54 vpn charon: 04[IKE] received
draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Dec 11 12:47:54 vpn charon: 04[IKE] received DPD vendor ID
Dec 11 12:47:54 vpn charon: 04[IKE] [client ip] is initiating a Main Mode IKE_SA
Dec 11 12:47:54 vpn charon: 04[IKE] IKE_SA (unnamed)[3] state change:
CREATED => CONNECTING
Dec 11 12:47:54 vpn charon: 04[CFG] selecting proposal:
Dec 11 12:47:54 vpn charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Dec 11 12:47:54 vpn charon: 04[CFG] selecting proposal:
Dec 11 12:47:54 vpn charon: 04[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Dec 11 12:47:54 vpn charon: 04[CFG] selecting proposal:
Dec 11 12:47:54 vpn charon: 04[CFG]   proposal matches
Dec 11 12:47:54 vpn charon: 04[CFG] received proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Dec 11 12:47:54 vpn charon: 04[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
Dec 11 12:47:54 vpn charon: 04[CFG] selected proposal:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Dec 11 12:47:54 vpn charon: 04[IKE] sending XAuth vendor ID
Dec 11 12:47:54 vpn charon: 04[IKE] sending DPD vendor ID
Dec 11 12:47:54 vpn charon: 04[IKE] sending NAT-T (RFC 3947) vendor ID
Dec 11 12:47:54 vpn charon: 04[ENC] generating ID_PROT response 0 [ SA V V V ]
Dec 11 12:47:54 vpn charon: 04[NET] sending packet: from [vpn ip][500]
to [client ip][500] (132 bytes)
Dec 11 12:47:54 vpn charon: 03[NET] sending packet: from [vpn ip][500]
to [client ip][500]
Dec 11 12:47:54 vpn charon: 02[NET] received packet: from [client
ip][500] to [vpn ip][500]
Dec 11 12:47:54 vpn charon: 02[NET] waiting for data on sockets
Dec 11 12:47:54 vpn charon: 09[NET] received packet: from [client
ip][500] to [vpn ip][500] (228 bytes)
Dec 11 12:47:54 vpn charon: 09[ENC] parsed ID_PROT request 0 [ KE No
NAT-D NAT-D ]
Dec 11 12:47:54 vpn charon: 09[IKE] sending cert request for "C=US,
O=ThatsUs, CN=strongSwan Root CA"
Dec 11 12:47:54 vpn charon: 09[ENC] generating ID_PROT response 0 [ KE
No CERTREQ NAT-D NAT-D ]
Dec 11 12:47:54 vpn charon: 09[NET] sending packet: from [vpn ip][500]
to [client ip][500] (310 bytes)
Dec 11 12:47:54 vpn charon: 03[NET] sending packet: from [vpn ip][500]
to [client ip][500]
Dec 11 12:47:54 vpn charon: 02[NET] received packet: from [client
ip][500] to [vpn ip][500]
Dec 11 12:47:54 vpn charon: 02[NET] waiting for data on sockets
Dec 11 12:47:54 vpn charon: 10[NET] received packet: from [client
ip][500] to [vpn ip][500] (1492 bytes)
Dec 11 12:47:54 vpn charon: 10[ENC] parsed ID_PROT request 0 [ ID CERT
SIG CERTREQ N(INITIAL_CONTACT) ]
Dec 11 12:47:54 vpn charon: 10[IKE] ignoring certificate request without data
Dec 11 12:47:54 vpn charon: 10[IKE] received end entity cert "C=US,
O=ThatsUs, CN=ctmoore at example.com"
Dec 11 12:47:54 vpn charon: 10[CFG] looking for RSA signature peer
configs matching [vpn ip]...[client ip][C=US, O=ThatsUs,
CN=ctmoore at example.com]
Dec 11 12:47:54 vpn charon: 10[CFG]   candidate "roadwarrior-ikev1",
match: 1/1/1052 (me/other/ike)
Dec 11 12:47:54 vpn charon: 10[IKE] found 1 matching config, but none
allows RSA signature authentication using Main Mode
Dec 11 12:47:54 vpn charon: 10[IKE] queueing INFORMATIONAL task
Dec 11 12:47:54 vpn charon: 10[IKE] activating new tasks
Dec 11 12:47:54 vpn charon: 10[IKE]   activating INFORMATIONAL task
Dec 11 12:47:54 vpn charon: 10[ENC] generating INFORMATIONAL_V1
request 2651689082 [ HASH N(AUTH_FAILED) ]
Dec 11 12:47:54 vpn charon: 10[NET] sending packet: from [vpn ip][500]
to [client ip][500] (84 bytes)
Dec 11 12:47:54 vpn charon: 10[IKE] IKE_SA (unnamed)[3] state change:
CONNECTING => DESTROYING
Dec 11 12:47:54 vpn charon: 03[NET] sending packet: from [vpn ip][500]
to [client ip][500]
Dec 11 12:47:57 vpn charon: 02[NET] received packet: from [client
ip][500] to [vpn ip][500]
Dec 11 12:47:57 vpn charon: 02[NET] waiting for data on sockets
Dec 11 12:48:00 vpn charon: 02[NET] received packet: from [client
ip][500] to [vpn ip][500]
Dec 11 12:48:00 vpn charon: 02[NET] waiting for data on sockets
Dec 11 12:48:03 vpn charon: 02[NET] received packet: from [client
ip][500] to [vpn ip][500]
Dec 11 12:48:03 vpn charon: 02[NET] waiting for data on sockets
Dec 11 12:48:06 vpn charon: 02[NET] received packet: from [client
ip][500] to [vpn ip][500]
Dec 11 12:48:06 vpn charon: 02[NET] waiting for data on sockets
Dec 11 12:48:09 vpn charon: 02[NET] received packet: from [client
ip][500] to [vpn ip][500]
Dec 11 12:48:09 vpn charon: 02[NET] waiting for data on sockets
Dec 11 12:48:16 vpn charon: 02[NET] received packet: from [client
ip][500] to [vpn ip][500]
Dec 11 12:48:16 vpn charon: 02[NET] waiting for data on sockets
Dec 11 12:48:19 vpn charon: 02[NET] received packet: from [client
ip][500] to [vpn ip][500]
Dec 11 12:48:19 vpn charon: 02[NET] waiting for data on sockets
Dec 11 12:48:22 vpn charon: 02[NET] received packet: from [client
ip][500] to [vpn ip][500]
Dec 11 12:48:22 vpn charon: 02[NET] waiting for data on sockets
Dec 11 12:48:24 vpn charon: 02[NET] received packet: from [client
ip][500] to [vpn ip][500]
Dec 11 12:48:24 vpn charon: 02[NET] waiting for data on sockets
Dec 11 12:48:24 vpn charon: 04[NET] received packet: from [client
ip][500] to [vpn ip][500] (300 bytes)
Dec 11 12:48:24 vpn charon: 04[ENC] parsed ID_PROT request 0 [ SA V V
V V V V V V V V V ]
Dec 11 12:48:24 vpn charon: 04[CFG] looking for an ike config for [vpn
ip]...[client ip]
Dec 11 12:48:24 vpn charon: 04[CFG]   candidate: [vpn ip]...%any, prio 1052
Dec 11 12:48:24 vpn charon: 04[CFG] found matching ike config: [vpn
ip]...%any with prio 1052
Dec 11 12:48:24 vpn charon: 04[IKE] received NAT-T (RFC 3947) vendor ID
Dec 11 12:48:24 vpn charon: 04[IKE] received
draft-ietf-ipsec-nat-t-ike vendor ID
Dec 11 12:48:24 vpn charon: 04[IKE] received
draft-ietf-ipsec-nat-t-ike-08 vendor ID
Dec 11 12:48:24 vpn charon: 04[IKE] received
draft-ietf-ipsec-nat-t-ike-07 vendor ID
Dec 11 12:48:24 vpn charon: 04[IKE] received
draft-ietf-ipsec-nat-t-ike-06 vendor ID
Dec 11 12:48:24 vpn charon: 04[IKE] received
draft-ietf-ipsec-nat-t-ike-05 vendor ID
Dec 11 12:48:24 vpn charon: 04[IKE] received
draft-ietf-ipsec-nat-t-ike-04 vendor ID
Dec 11 12:48:24 vpn charon: 04[IKE] received
draft-ietf-ipsec-nat-t-ike-03 vendor ID
Dec 11 12:48:24 vpn charon: 04[IKE] received
draft-ietf-ipsec-nat-t-ike-02 vendor ID
Dec 11 12:48:24 vpn charon: 04[IKE] received
draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Dec 11 12:48:24 vpn charon: 04[IKE] received DPD vendor ID
Dec 11 12:48:24 vpn charon: 04[IKE] [client ip] is initiating a Main Mode IKE_SA
Dec 11 12:48:24 vpn charon: 04[IKE] IKE_SA (unnamed)[4] state change:
CREATED => CONNECTING
Dec 11 12:48:24 vpn charon: 04[CFG] selecting proposal:
Dec 11 12:48:24 vpn charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Dec 11 12:48:24 vpn charon: 04[CFG] selecting proposal:
Dec 11 12:48:24 vpn charon: 04[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Dec 11 12:48:24 vpn charon: 04[CFG] selecting proposal:
Dec 11 12:48:24 vpn charon: 04[CFG]   proposal matches
Dec 11 12:48:24 vpn charon: 04[CFG] received proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Dec 11 12:48:24 vpn charon: 04[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
Dec 11 12:48:24 vpn charon: 04[CFG] selected proposal:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Dec 11 12:48:24 vpn charon: 04[IKE] sending XAuth vendor ID
Dec 11 12:48:24 vpn charon: 04[IKE] sending DPD vendor ID
Dec 11 12:48:24 vpn charon: 04[IKE] sending NAT-T (RFC 3947) vendor ID
Dec 11 12:48:24 vpn charon: 04[ENC] generating ID_PROT response 0 [ SA V V V ]
Dec 11 12:48:24 vpn charon: 04[NET] sending packet: from [vpn ip][500]
to [client ip][500] (132 bytes)
Dec 11 12:48:24 vpn charon: 03[NET] sending packet: from [vpn ip][500]
to [client ip][500]
Dec 11 12:48:24 vpn charon: 02[NET] received packet: from [client
ip][500] to [vpn ip][500]
Dec 11 12:48:24 vpn charon: 02[NET] waiting for data on sockets
Dec 11 12:48:24 vpn charon: 09[NET] received packet: from [client
ip][500] to [vpn ip][500] (228 bytes)
Dec 11 12:48:24 vpn charon: 09[ENC] parsed ID_PROT request 0 [ KE No
NAT-D NAT-D ]
Dec 11 12:48:24 vpn charon: 09[IKE] sending cert request for "C=US,
O=ThatsUs, CN=strongSwan Root CA"
Dec 11 12:48:24 vpn charon: 09[ENC] generating ID_PROT response 0 [ KE
No CERTREQ NAT-D NAT-D ]
Dec 11 12:48:24 vpn charon: 09[NET] sending packet: from [vpn ip][500]
to [client ip][500] (310 bytes)
Dec 11 12:48:24 vpn charon: 03[NET] sending packet: from [vpn ip][500]
to [client ip][500]
Dec 11 12:48:54 vpn charon: 10[JOB] deleting half open IKE_SA after timeout
Dec 11 12:48:54 vpn charon: 10[IKE] IKE_SA (unnamed)[4] state change:
CONNECTING => DESTROYING


More information about the Users mailing list