[strongSwan] questions on syslog output; linux server/mac client RSA certificate auth

Cindy Moore ctmoore at cs.ucsd.edu
Tue Dec 16 22:55:43 CET 2014


Latest compiled version of strongswan on latest updated version of
Ubuntu 14.04 LTS.

I'm trying to do an RSA certificate only authentication between the
Linux strongSwan server and the client Mac OS X (10.6.8, latest
updates etc. for this MacBook Pro). I have the strongSwan cert, the VPN
host cert, and the client cert/key loaded into the System Keychain,
and all the numbers, keys, info, etc. match that of the original PEM
files.

I'm seeing this:
>Dec 16 13:39:20 vpn charon: 14[CFG] looking for RSA signature peer configs matching vpn_ip...client_ip[C=US, O=ThatsUs, CN=myemailaddr]

Would this be as expected?  I can't figure out why it isn't trying to
match to the VPN host certificate.

>Dec 16 13:39:20 vpn charon: 14[CFG]   candidate "roadwarrior-ikev1", match: 1/1/1052 (me/other/ike)

I copied the load-in of this conn from the last ipsec restart into the
message below.

>Dec 16 13:39:20 vpn charon: 14[IKE] found 1 matching config, but none allows RSA signature authentication using Main Mode

Can anyone tell me what this means? I've tried searching on it, but
haven't come up with anything useful.  Looking at the equivalent
entries in the Mac's system.log suggests that the Mac sends the info
out and waits, but never gets a reply back until it says
"Disconnecting", after repeatedly sending "IKE Packet: transmit success"
several times.

>Dec 16 13:39:20 vpn charon: 14[IKE] queueing INFORMATIONAL task
>Dec 16 13:39:20 vpn charon: 14[IKE] activating new tasks
>Dec 16 13:39:20 vpn charon: 14[IKE]   activating INFORMATIONAL task
>Dec 16 13:39:20 vpn charon: 14[ENC] generating INFORMATIONAL_V1 request 2062383989 [ HASH N(AUTH_FAILED) ]

How about this?  I couldn't find any info about this either.  Any
suggestions for where to start debugging?  The PEM certificates work
with other systems, so I think the certs are okay.  I'm not as sure
about the PKCS#12 packaging I did to bring them to the Mac, but as I
said, the info as shown in the Keychain once I have them in there (and
marked as trusted etc.) matches.

For the connection it chose to use:
----
Dec 16 13:38:46 vpn charon: 07[CFG] conn roadwarrior-ikev1
Dec 16 13:38:46 vpn charon: 07[CFG]   left=vpn_ip
Dec 16 13:38:46 vpn charon: 07[CFG]   leftsubnet=0.0.0.0/0
Dec 16 13:38:46 vpn charon: 07[CFG]   leftauth=pubkey
Dec 16 13:38:46 vpn charon: 07[CFG]   leftid=C=US, O=strongSwan, CN=vpn machine name
Dec 16 13:38:46 vpn charon: 07[CFG]   leftupdown=ipsec _updown iptables
Dec 16 13:38:46 vpn charon: 07[CFG]   right=%any
Dec 16 13:38:46 vpn charon: 07[CFG]   rightsourceip=[etc]
Dec 16 13:38:46 vpn charon: 07[CFG]   rightdns=[...]
Dec 16 13:38:46 vpn charon: 07[CFG]   rightauth=pubkey
Dec 16 13:38:46 vpn charon: 07[CFG]   rightauth2=xauth-noauth
Dec 16 13:38:46 vpn charon: 07[CFG]   rightid=%any
Dec 16 13:38:46 vpn charon: 07[CFG]   ike=aes128-sha1-modp2048,3des-sha1-modp1536
Dec 16 13:38:46 vpn charon: 07[CFG]   esp=aes128-sha1,3des-sha1
Dec 16 13:38:46 vpn charon: 07[CFG]   dpddelay=30
Dec 16 13:38:46 vpn charon: 07[CFG]   dpdtimeout=150
Dec 16 13:38:46 vpn charon: 07[CFG]   mediation=no
Dec 16 13:38:46 vpn charon: 07[CFG]   keyexchange=ikev1
Dec 16 13:38:46 vpn charon: 07[CFG] reusing virtual IP address pool [...]
Dec 16 13:38:46 vpn charon: 07[CFG] added configuration 'roadwarrior-ikev1'
----
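The three CFG/IKE lines above are the ones worth reading together: charon names the authentication method the client proposed ("looking for RSA signature peer configs"), lists which conns matched on identities and IKE proposal (the "candidate ... match: me/other/ike" line), and then reports that none of those conns permits that method in that exchange mode before it answers with an AUTH_FAILED notify. The following Python script, added here as an illustration and not part of the original post or of strongSwan, triages a chunk of charon syslog output along exactly those lines. It follows each lookup per worker thread, records the proposed method, the candidates with their match scores, and whether the lookup ended in a selected config or a rejection plus notify. The thread-14 sample lines are the ones quoted in the post (with their mail-quote `>` prefix, which the parser tolerates); the thread-09 lines, the conn name `rw-other` and the `XAuthInitRSA` method in them are invented for contrast and are assumptions, as is the exact wording of the "selected peer config" message.

```python
import re

# Constructed sample: the charon lines quoted in the post (thread 14, still
# carrying their mail-quote '>' prefix) followed by an invented, contrasting
# exchange on thread 09 in which a config is selected. The thread-09 lines,
# the conn name 'rw-other' and the auth method name are assumptions.
SAMPLE_LOG = """\
>Dec 16 13:39:20 vpn charon: 14[CFG] looking for RSA signature peer configs matching vpn_ip...client_ip[C=US, O=ThatsUs, CN=myemailaddr]
>Dec 16 13:39:20 vpn charon: 14[CFG]   candidate "roadwarrior-ikev1", match: 1/1/1052 (me/other/ike)
>Dec 16 13:39:20 vpn charon: 14[IKE] found 1 matching config, but none allows RSA signature authentication using Main Mode
>Dec 16 13:39:20 vpn charon: 14[IKE] queueing INFORMATIONAL task
>Dec 16 13:39:20 vpn charon: 14[IKE] activating new tasks
>Dec 16 13:39:20 vpn charon: 14[IKE]   activating INFORMATIONAL task
>Dec 16 13:39:20 vpn charon: 14[ENC] generating INFORMATIONAL_V1 request 2062383989 [ HASH N(AUTH_FAILED) ]
Dec 16 13:41:02 vpn charon: 09[CFG] looking for XAuthInitRSA peer configs matching vpn_ip...other_ip[C=US, O=ThatsUs, CN=someone]
Dec 16 13:41:02 vpn charon: 09[CFG]   candidate "rw-other", match: 1/1/1052 (me/other/ike)
Dec 16 13:41:02 vpn charon: 09[CFG] selected peer config 'rw-other'
"""

# syslog prefix: "<ts> <host> charon: <thread>[<group>] <message>"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon: '
    r'(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$')
LOOKING_RE = re.compile(
    r'looking for (?P<method>.+?) peer configs matching '
    r'(?P<me>\S+)\.\.\.(?P<other>\S+)\[(?P<peer_id>[^\]]*)\]')
CANDIDATE_RE = re.compile(
    r'candidate "(?P<name>[^"]+)", match: (?P<me>\d+)/(?P<other>\d+)/(?P<ike>\d+)')
NOMATCH_RE = re.compile(
    r'found (?P<n>\d+) matching config, but none allows '
    r'(?P<method>.+?) authentication using (?P<mode>\w+ Mode)')
SELECTED_RE = re.compile(r'selected peer config [\'"](?P<name>[^\'"]+)[\'"]')
NOTIFY_RE = re.compile(
    r'generating INFORMATIONAL_V1 request \d+ \[ HASH N\((?P<notify>[A-Z_]+)\) \]')


def parse_lines(text):
    """Yield (thread, group, msg) for each charon syslog line, tolerating the
    leading '>' of lines pasted from a mail quote; other lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.lstrip('> ').rstrip())
        if m:
            yield m['thread'], m['group'], m['msg']


def triage(text):
    """Follow each peer-config lookup on its worker thread and record how it
    ended. Returns one dict per 'looking for ... peer configs' line."""
    current = {}            # thread -> lookup record still in progress
    records = []
    for thread, group, msg in parse_lines(text):
        m = LOOKING_RE.search(msg)
        if m:
            rec = {'thread': thread, 'method': m['method'],
                   'peer': m['other'], 'peer_id': m['peer_id'],
                   'candidates': [], 'selected': None,
                   'rejected': None, 'notify': None}
            current[thread] = rec
            records.append(rec)
            continue
        rec = current.get(thread)
        if rec is None:
            continue        # unrelated chatter before any lookup on this thread
        if m := CANDIDATE_RE.search(msg):
            rec['candidates'].append(
                (m['name'], (int(m['me']), int(m['other']), int(m['ike']))))
        elif m := NOMATCH_RE.search(msg):
            rec['rejected'] = (m['method'], m['mode'], int(m['n']))
        elif m := SELECTED_RE.search(msg):
            rec['selected'] = m['name']
        elif m := NOTIFY_RE.search(msg):
            rec['notify'] = m['notify']
    return records


def explain(rec):
    """One-line verdict for a lookup record, sticking to what charon said."""
    who = f"{rec['peer']} ({rec['peer_id']})"
    if rec['selected']:
        return f"{who}: {rec['method']} accepted by conn '{rec['selected']}'"
    if rec['rejected']:
        method, mode, n = rec['rejected']
        names = ', '.join(name for name, _ in rec['candidates']) or 'none'
        msg = (f"{who}: {n} conn(s) matched on identity/proposal ({names}) "
               f"but none permits {method} in {mode}; compare the conn's "
               f"leftauth/rightauth/rightauth2 with what the client proposes")
        if rec['notify']:
            msg += f"; responder replied with N({rec['notify']})"
        return msg
    return f"{who}: lookup did not conclude in the captured lines"


if __name__ == '__main__':
    for rec in triage(SAMPLE_LOG):
        print(explain(rec))
```

Run it against a longer stretch of the server's syslog (it ignores non-charon lines) to see, per client attempt, which authentication method the client actually proposed and which conns charon considered; that pairing is what the "none allows ... using Main Mode" message is complaining about, so it is the first thing to line up against the conn's leftauth/rightauth/rightauth2 settings.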

