[strongSwan] Unable to establish ipsec tunnel using certs of intermediate CA's

Sriram sriram.ec at gmail.com
Tue Mar 4 12:45:53 CET 2014


Hi Everyone,

I have a host-to-host IPsec setup between 2 IPs, 10.206.1.10 and 10.206.1.11.

The tunnel is established using certificates. The tunnel is established properly
when the certificates are generated using the root CA.

But when the certificates are generated using intermediate CAs, the tunnel is
not getting established.



In 10.206.1.10

Under /etc/ipsec.d/cacerts/ I have copied ca.crt (root CA),
*ca-int.crt (intermediate CA)*

In /etc/ipsec.d/certs/ I have copied the end entity cert issued by ca-int.crt

In 10.206.1.11

Under /etc/ipsec.d/cacerts/ I have copied ca.crt (root CA),
*ca-int1.crt (intermediate CA)*

In /etc/ipsec.d/certs/ I have copied the end entity cert issued by ca-int1.crt



I am getting the errors below:

Mar  3 19:34:45 localhost charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Mar  3 19:34:45 localhost charon: 06[IKE] received cert request for "CN=DaRoot"
Mar  3 19:34:45 localhost charon: 06[IKE] received end entity cert "CN=1234abcd"
Mar  3 19:34:45 localhost charon: 06[CFG] looking for peer configs matching 10.206.1.11[CN=12345abcde]...10.206.1.10[CN=1234abcd]
Mar  3 19:34:45 localhost charon: 06[CFG] peer config match local: 20 (ID_DER_ASN1_DN -> 30:15:31:13:30:11:06:03:55:04:03:13:0a:31:32:33:34:35:61:62:63:64:65)
Mar  3 19:34:45 localhost charon: 06[CFG] peer config match remote: 20 (ID_DER_ASN1_DN -> 30:13:31:11:30:0f:06:03:55:04:03:13:08:31:32:33:34:61:62:63:64)
Mar  3 19:34:45 localhost charon: 06[CFG] ike config match: 3100 (10.206.1.11 10.206.1.10 IKEv2)
Mar  3 19:34:45 localhost charon: 06[CFG]   candidate "home1", match: 20/20/3100 (me/other/ike)
Mar  3 19:34:45 localhost charon: 06[CFG] selected peer config 'home1'

Mar  3 19:34:45 localhost charon: 06[CFG]   using certificate "CN=1234abcd"
Mar  3 19:34:45 localhost charon: 06[CFG]   certificate "CN=1234abcd" key: 2048 bit RSA
*Mar  3 19:34:45 localhost charon: 06[CFG] no issuer certificate found for "CN=1234abcd"*
Mar  3 19:34:45 localhost charon: 06[IKE] no trusted RSA public key found for 'CN=1234abcd'
Mar  3 19:34:45 localhost charon: 06[IKE] processing INTERNAL_IP4_ADDRESS attribute



Please let me know how to resolve this issue.

The post below suggests that the intermediate certs need to be sent along with
the end-entity certificates in the IKE_AUTH message.

If that can solve the issue, how can I achieve that?

https://lists.strongswan.org/pipermail/users/2013-March/008956.html



Any help in this regard is appreciated.



Regards,

Sriram.
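The responder's line "no issuer certificate found for CN=1234abcd" says charon could not find, among the CA certificates it has loaded, the certificate that issued the peer's end-entity cert. The shell script below is an added example, not from the post or the strongSwan project: it rebuilds the post's PKI with constructed names and keys (root "DaRoot", intermediates ca-int and ca-int1, one end-entity cert per host) and runs the same chain-building check with openssl verify, which stands in for charon's issuer lookup; it shows that each host can only chain the peer's certificate once the peer's issuing intermediate is available to the verifier, not just its own.

```shell
#!/bin/sh
# Rebuild the post's PKI (constructed names/keys) and check, per host, whether
# the peer's end-entity cert chains to the root using only the CA certs that
# host has loaded (its cacerts = root + its own intermediate).
set -e
WORK=$(mktemp -d)
cd "$WORK"

# mkcert NAME CN ISSUER CAFLAG: empty ISSUER means a self-signed root.
mkcert() {
  name=$1; cn=$2; issuer=$3; caflag=$4
  openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
      -subj "/CN=$cn" -out "$name.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:%s\n' "$caflag" > "$name.ext"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 1 \
        -extfile "$name.ext" -out "$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
        -CAcreateserial -days 1 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
  fi
}

# chain_ok EE INTERMEDIATE...: prints "ok" if EE chains to root.crt through
# the given intermediates, "fail" otherwise (openssl verify stands in for
# charon's issuer lookup; charon itself is not run here).
chain_ok() {
  ee=$1; shift
  args=""
  for i in "$@"; do args="$args -untrusted $i"; done
  if openssl verify -CAfile root.crt $args "$ee" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

mkcert root    DaRoot     ""      TRUE    # ca.crt in the post
mkcert ca-int  IntA       root    TRUE    # ca-int.crt, loaded on 10.206.1.10
mkcert ca-int1 IntB       root    TRUE    # ca-int1.crt, loaded on 10.206.1.11
mkcert host10  1234abcd   ca-int  FALSE   # end-entity cert of 10.206.1.10
mkcert host11  12345abcde ca-int1 FALSE   # end-entity cert of 10.206.1.11

# 10.206.1.11 receives host10's cert but has only ca-int1 loaded, and vice versa:
echo "host11 verifying host10 cert with ca-int1 only: $(chain_ok host10.crt ca-int1.crt)"
echo "host11 verifying host10 cert with ca-int:       $(chain_ok host10.crt ca-int.crt)"
echo "host10 verifying host11 cert with ca-int only:  $(chain_ok host11.crt ca-int.crt)"
echo "host10 verifying host11 cert with ca-int1:      $(chain_ok host11.crt ca-int1.crt)"
```

The script needs the openssl command line tool and writes only into a fresh temporary directory.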