[strongSwan] Error with StrongSwan 5.1.3: no trusted RSA public key found
Shahreen Ahmed
sahmed at adax.co.uk
Mon Jul 7 17:37:29 CEST 2014
Hi,
I am trying to set up an IPsec site-to-site network based on X.509
certificates and the kernel-libipsec plugin for userland IPsec ESP
encryption.
But I am getting the error 'no trusted RSA public key found'.
Configuration on both sides looks like:
sun:
cat ipsec.conf
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
mobike=no
conn test
left=12.0.0.189
leftcert=sunCert.pem
leftsubnet=11.0.0.0/24
leftid=sun@test.com
leftupdown=/etc/updown
right=12.0.0.167
rightsubnet=10.0.0.0/24
rightid=moon@test.com
auto=add
cat ipsec.secrets
: RSA sunKey.pem
cat strongswan.conf
charon {
load = aes des rc2 sha1 sha2 md5 random nonce x509 revocation
constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
fips-prf gmp xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve
socket-default stroke updown xauth-generic
multiple_authentication = no
debug = 4
}
ipsec listall | more
List of X.509 End Entity Certificates:
altNames: sun@test.com
subject: "C=UK, O=Adax Remote unit, CN=sun@test.com"
issuer: "C=UK, O=Adax unit, CN=Adax Inc"
serial: 58:67:70:fd:12:9c:61:ad
validity: not before Jul 07 15:58:59 2014, ok
not after Jul 06 15:58:59 2017, ok
pubkey: RSA 1024 bits, has private key
keyid: 3a:e6:24:0c:69:6a:96:a8:cf:ef:04:56:c7:f9:2d:5c:b9:9a:89:a2
subjkey: bf:b9:81:e2:86:d9:11:e5:69:a1:da:40:6b:48:45:9f:d4:89:cf:d2
authkey: 79:5d:18:1e:c3:e5:65:3d:51:fd:8e:0f:f6:91:62:cb:7a:12:09:25
List of X.509 CRLs:
issuer: "C=UK, O=Adax unit, CN=Adax Inc"
serial: 01
revoked: 0 certificates
updates: this Jul 07 16:01:35 2014
next Jul 22 16:01:35 2014, ok
authkey: 79:5d:18:1e:c3:e5:65:3d:51:fd:8e:0f:f6:91:62:cb:7a:12:09:25
moon:
cat ipsec.conf
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
mobike=no
conn test
left=12.0.0.167
leftcert=moonCert.pem
leftsubnet=10.0.0.0/24
leftid=moon@test.com
leftupdown=/etc/updown
right=12.0.0.189
rightsubnet=11.0.0.0/24
rightid=sun@test.com
auto=add
cat ipsec.secrets
: RSA moonKey.pem
ipsec listall | more
List of X.509 End Entity Certificates:
altNames: moon@test.com
subject: "C=UK, O=Adax remote moon unit, CN=moon@test.com"
issuer: "C=UK, O=Adax unit, CN=Adax Inc"
serial: 23:65:47:ec:54:e5:05:08
validity: not before Jul 07 16:00:47 2014, ok
not after Jul 06 16:00:47 2017, ok
pubkey: RSA 1024 bits, has private key
keyid: e5:bc:2e:35:dd:a9:80:70:a9:05:67:4c:27:19:40:75:fc:5e:28:ce
subjkey: f4:d7:b7:e0:d0:4d:3e:ba:c8:06:f3:0d:6a:da:c8:ea:3f:49:86:48
authkey: 79:5d:18:1e:c3:e5:65:3d:51:fd:8e:0f:f6:91:62:cb:7a:12:09:25
List of X.509 CRLs:
issuer: "C=UK, O=Adax unit, CN=Adax Inc"
serial: 01
revoked: 0 certificates
updates: this Jul 07 16:01:35 2014
next Jul 22 16:01:35 2014, ok
authkey: 79:5d:18:1e:c3:e5:65:3d:51:fd:8e:0f:f6:91:62:cb:7a:12:09:25
#############
When I run 'ipsec up test' from the sun side, the following error is logged:
sun:
Jul 7 16:16:33 ZNYX9210 charon: 14[CFG] received stroke: initiate 'test'
Jul 7 16:16:33 ZNYX9210 charon: 15[IKE] initiating IKE_SA test[2] to 12.0.0.167
Jul 7 16:16:33 ZNYX9210 charon: 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 7 16:16:33 ZNYX9210 charon: 15[NET] sending packet: from 12.0.0.189[500] to 12.0.0.167[500] (708 bytes)
Jul 7 16:16:33 ZNYX9210 charon: 06[NET] received packet: from 12.0.0.167[500] to 12.0.0.189[500] (432 bytes)
Jul 7 16:16:33 ZNYX9210 charon: 06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 7 16:16:33 ZNYX9210 charon: 06[IKE] authentication of 'sun@test.com' (myself) with RSA signature successful
Jul 7 16:16:33 ZNYX9210 charon: 06[IKE] establishing CHILD_SA test
Jul 7 16:16:33 ZNYX9210 charon: 06[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
Jul 7 16:16:33 ZNYX9210 charon: 06[NET] sending packet: from 12.0.0.189[500] to 12.0.0.167[500] (492 bytes)
Jul 7 16:16:33 ZNYX9210 charon: 05[NET] received packet: from 12.0.0.167[500] to 12.0.0.189[500] (76 bytes)
Jul 7 16:16:33 ZNYX9210 charon: 05[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 7 16:16:33 ZNYX9210 charon: 05[IKE] received AUTHENTICATION_FAILED notify error
moon:
Jul 7 16:16:37 RAID_server charon: 07[NET] received packet: from 12.0.0.189[500] to 12.0.0.167[500] (708 bytes)
Jul 7 16:16:37 RAID_server charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 7 16:16:37 RAID_server charon: 07[IKE] 12.0.0.189 is initiating an IKE_SA
Jul 7 16:16:37 RAID_server charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 7 16:16:37 RAID_server charon: 07[NET] sending packet: from 12.0.0.167[500] to 12.0.0.189[500] (432 bytes)
Jul 7 16:16:37 RAID_server charon: 08[NET] received packet: from 12.0.0.189[500] to 12.0.0.167[500] (492 bytes)
Jul 7 16:16:37 RAID_server charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
Jul 7 16:16:37 RAID_server charon: 08[CFG] looking for peer configs matching 12.0.0.167[moon@test.com]...12.0.0.189[sun@test.com]
Jul 7 16:16:37 RAID_server charon: 08[CFG] selected peer config 'test'
Jul 7 16:16:37 RAID_server charon: 08[IKE] no trusted RSA public key found for 'sun@test.com'
Jul 7 16:16:37 RAID_server charon: 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 7 16:16:37 RAID_server charon: 08[NET] sending packet: from 12.0.0.167[500] to 12.0.0.189[500] (76 bytes)
Can you please help me understand what could be the reason for this failure?
Thanks,
Shahreen
--
Shahreen Noor Ahmed
Network Support Department
Adax Europe Ltd
url: www.adax.com
e-mail: sahmed at adax.co.uk
Direct line: +44(0)118 952 2804
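The `ipsec listall` output quoted above has sections for end-entity certificates and CRLs but no "List of X.509 CA Certificates" section, which strongSwan prints when a CA certificate is loaded (normally from ipsec.d/cacerts); each end-entity authkey therefore names an issuer that is not a loaded trust anchor. The stdlib Python script below is an added example, not code from the post or from strongSwan: it parses listall output of the shape shown, reports end-entity certificates whose authkey matches no loaded CA subjkey, and checks that a configured identity appears in a certificate's altNames. The sample output is constructed from the post, with identities written with '@'.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the `ipsec listall` output in the post (identities with '@').
LISTALL_OUTPUT = """\
List of X.509 End Entity Certificates:
altNames: sun@test.com
subject: "C=UK, O=Adax Remote unit, CN=sun@test.com"
issuer: "C=UK, O=Adax unit, CN=Adax Inc"
subjkey: bf:b9:81:e2:86:d9:11:e5:69:a1:da:40:6b:48:45:9f:d4:89:cf:d2
authkey: 79:5d:18:1e:c3:e5:65:3d:51:fd:8e:0f:f6:91:62:cb:7a:12:09:25
List of X.509 CRLs:
authkey: 79:5d:18:1e:c3:e5:65:3d:51:fd:8e:0f:f6:91:62:cb:7a:12:09:25
"""

SECTION_RE = re.compile(r"^List of (.+):$")
FIELD_RE = re.compile(r"^(\w+):\s*(.*)$")

def parse_listall(text):
    """Return {section: [record dict, ...]}; a record restarts at altNames/subject once it has a subject."""
    sections, section, current = defaultdict(list), None, {}
    for line in map(str.strip, text.splitlines()):
        head = SECTION_RE.match(line)
        if head:
            if current:
                sections[section].append(current)
            section, current = head.group(1), {}
            continue
        field = FIELD_RE.match(line)
        if not field or section is None:
            continue  # continuation lines such as 'not after ...' carry no key
        key, value = field.groups()
        if key in ("altNames", "subject") and "subject" in current:
            sections[section].append(current)
            current = {}
        current[key] = value
    if current:
        sections[section].append(current)
    return sections

def untrusted_end_entities(sections):
    """Subjects of end-entity certs whose authkey matches no loaded CA cert's subjkey."""
    anchors = {ca.get("subjkey") for ca in sections.get("X.509 CA Certificates", [])}
    return [ee.get("subject", "?") for ee in sections.get("X.509 End Entity Certificates", [])
            if ee.get("authkey") not in anchors]

def identity_in_certs(sections, identity):
    """True if some end-entity cert carries `identity` as a subjectAltName."""
    return any(identity in ee.get("altNames", "").split(", ")
               for ee in sections.get("X.509 End Entity Certificates", []))
```

Run the functions over the real output of `ipsec listall` on the responder: an end-entity certificate reported as untrusted cannot chain to any loaded CA, which is one way to arrive at the "no trusted RSA public key found" line in the moon log above.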