[strongSwan] Error with StrongSwan 5.1.3: no trusted RSA public key found

Shahreen Ahmed sahmed at adax.co.uk
Wed Jul 9 11:23:08 CEST 2014


Hi,

Please ignore this problem. It's fixed now.

Regards,
Shahreen

Shahreen Noor Ahmed
Network Support Department
Adax Europe Ltd
url: www.adax.com
e-mail: sahmed at adax.co.uk
Direct line: +44(0)118 952 2804

On 07/07/2014 16:37, Shahreen Ahmed wrote:
> Hi,
>
> I am trying to set up an IPsec site-to-site network based on *X.509 
> certificates* and the *kernel-libipsec* plugin for userland IPsec ESP 
> encryption.
>
> But I am getting the error 'no trusted RSA public key found'.
>
> Configuration on both sides looks like:
>
> sun:
>
>  cat ipsec.conf
> config setup
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>         mobike=no
>
> conn test
>         left=12.0.0.189
>         leftcert=sunCert.pem
>         leftsubnet=11.0.0.0/24
>         leftid=sun at test.com
>         leftupdown=/etc/updown
>         right=12.0.0.167
>         rightsubnet=10.0.0.0/24
>         rightid=moon at test.com
>         auto=add
>
> cat ipsec.secrets
>  : RSA sunKey.pem
>
> cat strongswan.conf
> charon {
>    load = aes des rc2 sha1 sha2 md5 random nonce x509 revocation 
> constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem 
> fips-prf gmp xcbc cmac hmac attr kernel-libipsec kernel-netlink 
> resolve socket-default stroke updown xauth-generic
>   multiple_authentication = no
>   debug = 4
> }
>
> ipsec listall | more
>
> List of X.509 End Entity Certificates:
>
>   altNames: sun at test.com
>   subject:  "C=UK, O=Adax Remote unit, CN=sun at test.com"
>   issuer:   "C=UK, O=Adax unit, CN=Adax Inc"
>   serial:    58:67:70:fd:12:9c:61:ad
>   validity:  not before Jul 07 15:58:59 2014, ok
>              not after  Jul 06 15:58:59 2017, ok
>   pubkey:    RSA 1024 bits, has private key
>   keyid: 3a:e6:24:0c:69:6a:96:a8:cf:ef:04:56:c7:f9:2d:5c:b9:9a:89:a2
>   subjkey: bf:b9:81:e2:86:d9:11:e5:69:a1:da:40:6b:48:45:9f:d4:89:cf:d2
>   authkey: 79:5d:18:1e:c3:e5:65:3d:51:fd:8e:0f:f6:91:62:cb:7a:12:09:25
>
> List of X.509 CRLs:
>
>   issuer:   "C=UK, O=Adax unit, CN=Adax Inc"
>   serial:    01
>   revoked:   0 certificates
>   updates:   this Jul 07 16:01:35 2014
>              next Jul 22 16:01:35 2014, ok
>   authkey: 79:5d:18:1e:c3:e5:65:3d:51:fd:8e:0f:f6:91:62:cb:7a:12:09:25
>
>
> moon:
>
> cat ipsec.conf
> config setup
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>         mobike=no
>
> conn test
>         left=12.0.0.167
>         leftcert=moonCert.pem
>         leftsubnet=10.0.0.0/24
>         leftid=moon at test.com
>         leftupdown=/etc/updown
>         right=12.0.0.189
>         rightsubnet=11.0.0.0/24
>         rightid=sun at test.com
>         auto=add
>
> cat ipsec.secrets
>  : RSA moonKey.pem
>
> ipsec listall | more
>
> List of X.509 End Entity Certificates:
>
>   altNames: moon at test.com
>   subject:  "C=UK, O=Adax remote moon unit, CN=moon at test.com"
>   issuer:   "C=UK, O=Adax unit, CN=Adax Inc"
>   serial:    23:65:47:ec:54:e5:05:08
>   validity:  not before Jul 07 16:00:47 2014, ok
>              not after  Jul 06 16:00:47 2017, ok
>   pubkey:    RSA 1024 bits, has private key
>   keyid: e5:bc:2e:35:dd:a9:80:70:a9:05:67:4c:27:19:40:75:fc:5e:28:ce
>   subjkey: f4:d7:b7:e0:d0:4d:3e:ba:c8:06:f3:0d:6a:da:c8:ea:3f:49:86:48
>   authkey: 79:5d:18:1e:c3:e5:65:3d:51:fd:8e:0f:f6:91:62:cb:7a:12:09:25
>
> List of X.509 CRLs:
>
>   issuer:   "C=UK, O=Adax unit, CN=Adax Inc"
>   serial:    01
>   revoked:   0 certificates
>   updates:   this Jul 07 16:01:35 2014
>              next Jul 22 16:01:35 2014, ok
>   authkey: 79:5d:18:1e:c3:e5:65:3d:51:fd:8e:0f:f6:91:62:cb:7a:12:09:25
>
> #############
>
> When I run 'ipsec up test' from the sun side, the following error is logged:
>
> sun
>
> Jul  7 16:16:33 ZNYX9210 charon: 14[CFG] received stroke: initiate 'test'
> Jul  7 16:16:33 ZNYX9210 charon: 15[IKE] initiating IKE_SA test[2] to 
> 12.0.0.167
> Jul  7 16:16:33 ZNYX9210 charon: 15[ENC] generating IKE_SA_INIT 
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jul  7 16:16:33 ZNYX9210 charon: 15[NET] sending packet: from 
> 12.0.0.189[500] to 12.0.0.167[500] (708 bytes)
> Jul  7 16:16:33 ZNYX9210 charon: 06[NET] received packet: from 
> 12.0.0.167[500] to 12.0.0.189[500] (432 bytes)
> Jul  7 16:16:33 ZNYX9210 charon: 06[ENC] parsed IKE_SA_INIT response 0 
> [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jul  7 16:16:33 ZNYX9210 charon: 06[IKE] authentication of 
> 'sun at test.com' (myself) with RSA signature successful
> Jul  7 16:16:33 ZNYX9210 charon: 06[IKE] establishing CHILD_SA test
> Jul  7 16:16:33 ZNYX9210 charon: 06[ENC] generating IKE_AUTH request 1 
> [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
> Jul  7 16:16:33 ZNYX9210 charon: 06[NET] sending packet: from 
> 12.0.0.189[500] to 12.0.0.167[500] (492 bytes)
> Jul  7 16:16:33 ZNYX9210 charon: 05[NET] received packet: from 
> 12.0.0.167[500] to 12.0.0.189[500] (76 bytes)
> Jul  7 16:16:33 ZNYX9210 charon: 05[ENC] parsed IKE_AUTH response 1 [ 
> N(AUTH_FAILED) ]
> Jul  7 16:16:33 ZNYX9210 charon: 05[IKE] received 
> AUTHENTICATION_FAILED notify error
>
> moon
>
> Jul  7 16:16:37 RAID_server charon: 07[NET] received packet: from 
> 12.0.0.189[500] to 12.0.0.167[500] (708 bytes)
> Jul  7 16:16:37 RAID_server charon: 07[ENC] parsed IKE_SA_INIT request 
> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jul  7 16:16:37 RAID_server charon: 07[IKE] 12.0.0.189 is initiating 
> an IKE_SA
> Jul  7 16:16:37 RAID_server charon: 07[ENC] generating IKE_SA_INIT 
> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jul  7 16:16:37 RAID_server charon: 07[NET] sending packet: from 
> 12.0.0.167[500] to 12.0.0.189[500] (432 bytes)
> Jul  7 16:16:37 RAID_server charon: 08[NET] received packet: from 
> 12.0.0.189[500] to 12.0.0.167[500] (492 bytes)
> Jul  7 16:16:37 RAID_server charon: 08[ENC] parsed IKE_AUTH request 1 
> [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
> Jul  7 16:16:37 RAID_server charon: 08[CFG] looking for peer configs 
> matching 12.0.0.167[moon at test.com]...12.0.0.189[sun at test.com]
> Jul  7 16:16:37 RAID_server charon: 08[CFG] selected peer config 'test'
> Jul  7 16:16:37 RAID_server charon: 08[IKE] no trusted RSA public key 
> found for 'sun at test.com'
> Jul  7 16:16:37 RAID_server charon: 08[ENC] generating IKE_AUTH 
> response 1 [ N(AUTH_FAILED) ]
> Jul  7 16:16:37 RAID_server charon: 08[NET] sending packet: from 
> 12.0.0.167[500] to 12.0.0.189[500] (76 bytes)
>
> Can you please help with what could be the reason for this failure?
>
> Thanks,
> Shahreen
>
> -- 
>
> Shahreen Noor Ahmed
> Network Support Department
> Adax Europe Ltd
> url: www.adax.com
> e-mail: sahmed at adax.co.uk
> Direct line: +44(0)118 952 2804
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
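The logs quoted above show the pattern a defender wants to recognise: the responder (moon) records the real cause, "no trusted RSA public key found for 'sun at test.com'", which means charon could not tie the identity the peer claimed to a certificate it trusts (the presented certificate does not chain to a loaded CA certificate, or does not carry that identity), and then answers with a bare N(AUTH_FAILED); the initiator (sun) only ever sees "received AUTHENTICATION_FAILED notify error", so the responder's log is the one to read. The following script is an added example, not code from the thread or from the strongSwan project: it parses charon syslog records, re-joins records that were wrapped at mail width (as they are in the archive above), and ties each AUTH_FAILED to the peer address and identity that triggered it. The sample log is constructed from the quoted lines, with `@` restored where the list archive prints ` at `; the regular expressions, the `(host, thread)` correlation key and the field names are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the charon lines quoted in the thread: the
# responder's records (moon, host RAID_server) first, then the initiator's
# (sun, host ZNYX9210). Lines are wrapped at mail width on purpose, the way the
# list archive shows them, so the continuation handling is exercised.
SAMPLE_LOG = """\
Jul  7 16:16:37 RAID_server charon: 08[ENC] parsed IKE_AUTH request 1
[ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
Jul  7 16:16:37 RAID_server charon: 08[CFG] looking for peer configs
matching 12.0.0.167[moon@test.com]...12.0.0.189[sun@test.com]
Jul  7 16:16:37 RAID_server charon: 08[CFG] selected peer config 'test'
Jul  7 16:16:37 RAID_server charon: 08[IKE] no trusted RSA public key
found for 'sun@test.com'
Jul  7 16:16:37 RAID_server charon: 08[ENC] generating IKE_AUTH
response 1 [ N(AUTH_FAILED) ]
Jul  7 16:16:33 ZNYX9210 charon: 05[ENC] parsed IKE_AUTH response 1 [
N(AUTH_FAILED) ]
Jul  7 16:16:33 ZNYX9210 charon: 05[IKE] received
AUTHENTICATION_FAILED notify error
"""

# One charon syslog record: "<ts> <host> charon: <thread>[<group>] <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
# Responder-side messages that explain an AUTH_FAILED (patterns assumed from the quoted log)
PEER_MATCH_RE = re.compile(
    r"looking for peer configs matching (?P<me>\S+?)\[(?P<my_id>[^\]]+)\]"
    r"\.\.\.(?P<peer>\S+?)\[(?P<peer_id>[^\]]+)\]")
NO_TRUSTED_KEY_RE = re.compile(
    r"no trusted (?P<alg>\w+) public key found for '(?P<peer_id>[^']+)'")
AUTH_FAILED_SENT_RE = re.compile(r"generating IKE_AUTH response \d+ \[ N\(AUTH_FAILED\) \]")
AUTH_FAILED_RECV_RE = re.compile(r"received AUTHENTICATION_FAILED notify error")


@dataclass
class Event:
    ts: str
    host: str
    thread: str
    group: str
    msg: str


def unwrap(lines: list[str]) -> list[str]:
    """Re-join records wrapped onto several lines: a line that does not start a
    new charon record is appended to the previous one."""
    records: list[str] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        if LINE_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] = records[-1] + " " + line.strip()
    return records


def parse(lines: list[str]) -> list[Event]:
    """Parse charon syslog lines into Events; non-charon lines are dropped."""
    events: list[Event] = []
    for record in unwrap(lines):
        m = LINE_RE.match(record)
        if m:
            events.append(Event(**m.groupdict()))
    return events


def diagnose(events: list[Event]) -> list[dict]:
    """Return one finding per failed IKE_AUTH. charon handles an exchange on one
    worker thread, so (host, thread) ties the 'looking for peer configs' and
    'no trusted ... public key' messages to the AUTH_FAILED that follows them."""
    findings: list[dict] = []
    peer_addr: dict[tuple[str, str], str] = {}                  # key -> peer address
    missing_key: dict[tuple[str, str], tuple[str, str]] = {}    # key -> (algorithm, peer id)
    for ev in events:
        key = (ev.host, ev.thread)
        if m := PEER_MATCH_RE.search(ev.msg):
            peer_addr[key] = m["peer"]
        elif m := NO_TRUSTED_KEY_RE.search(ev.msg):
            missing_key[key] = (m["alg"], m["peer_id"])
        elif AUTH_FAILED_SENT_RE.search(ev.msg):
            alg, peer_id = missing_key.pop(key, (None, None))
            findings.append({
                "ts": ev.ts, "host": ev.host, "role": "responder",
                "peer_addr": peer_addr.pop(key, None), "peer_id": peer_id,
                "reason": (f"no trusted {alg} public key for the peer identity: its certificate "
                           f"does not chain to a loaded CA or does not carry that identity")
                          if peer_id else "AUTH_FAILED sent, cause not found in log"})
        elif AUTH_FAILED_RECV_RE.search(ev.msg):
            findings.append({
                "ts": ev.ts, "host": ev.host, "role": "initiator",
                "peer_addr": None, "peer_id": None,
                "reason": "peer rejected our IKE_AUTH; the cause is only logged on the responder"})
    return findings


if __name__ == "__main__":
    for f in diagnose(parse(SAMPLE_LOG.splitlines())):
        print(f"{f['ts']} {f['host']} ({f['role']}) peer_id={f['peer_id']} "
              f"peer_addr={f['peer_addr']}: {f['reason']}")
```

Run against a real charon log (for instance `journalctl -u strongswan` piped in, or /var/log/auth.log, whichever your syslog setup uses) by replacing `SAMPLE_LOG.splitlines()` with the file's lines; the only finding that names a peer is the responder's, which is why pairing the two hosts' logs by timestamp is worth doing when the initiator is the box that raised the alarm.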
