[strongSwan] Unable to establish ipsec tunnel using certs of intermediate CA's

Sriram sriram.ec at gmail.com
Tue Mar 4 14:57:06 CET 2014


Hi Andreas,

I think it is not loaded.

On 10.206.1.11

[root at localhost ~]# ipsec listcacerts

List of X.509 CA Certificates:

  subject:  "CN=DaRoot"
  issuer:   "CN=DaRoot"
  serial:    c9:95:0a:00:41:c4:d8:25
  validity:  not before Mar 03 18:10:17 2014, ok
             not after  Apr 02 18:10:17 2014, ok (expires in 28 days)
  pubkey:    RSA 2048 bits
  keyid:     be:25:1a:4a:e6:f8:44:c4:fe:32:a8:d4:7c:9d:75:42:7d:51:19:0f
  subjkey:   c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
  authkey:   c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0


on 10.206.1.10
[root at localhost ~]# ipsec listcacerts

List of X.509 CA Certificates:

  subject:  "CN=DaRoot"
  issuer:   "CN=DaRoot"
  serial:    c9:95:0a:00:41:c4:d8:25
  validity:  not before Mar 03 18:10:17 2014, ok
             not after  Apr 02 18:10:17 2014, ok (expires in 28 days)
  pubkey:    RSA 2048 bits
  keyid:     be:25:1a:4a:e6:f8:44:c4:fe:32:a8:d4:7c:9d:75:42:7d:51:19:0f
  subjkey:   c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
  authkey:   c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0

Regards,
Sriram.


On Tue, Mar 4, 2014 at 6:49 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hi Sriram, could you post the output of the command
>
>   ipsec listcacerts
>
> both on  10.206.1.10 and 10.206.1.11. This shows if the intermediate
> CA certificates have been successfully loaded.
>
> Regards
>
> Andreas
>
>
> On 04.03.2014 12:45, Sriram wrote:
>
>> Hi Everyone,
>>
>> I have host -to-host ipsec setup between 2 ips 10.206.1.10 and 10.206.1.11
>>
>> Tunnel is established using certificates. Tunnel is established
>> properly, when the certificates are generated using rootca.
>>
>> But when the certificates are generated using intermediate CA's, tunnel
>> is not getting established.
>>
>> In 10.206.1.10
>>
>> Under /etc/ipsec.d/cacerts/ I have copied ca.crt(root ca),
>> *ca-int.crt(Intermediate ca)*
>>
>>
>> In /etc/ipsec.d/certs/ I have copied end entity cert issued by ca-int.crt
>>
>> In 10.206.1.11
>>
>> Under /etc/ipsec.d/cacerts/ I have copied ca.crt(root ca),
>> *ca-int1.crt(Intermediate ca)*
>>
>>
>> In /etc/ipsec.d/certs/ I have copied end entity cert issued by ca-int1.crt
>>
>> I am getting below errors
>>
>> Mar3 19:34:45 localhost charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi
>>
>> CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR) SA TSi TSr N(MULT_AUTH)
>> N(EAP_ONLY) ]
>>
>> Mar3 19:34:45 localhost charon: 06[IKE] received cert request for
>> "CN=DaRoot"
>>
>> Mar3 19:34:45 localhost charon: 06[IKE] received end entity cert
>> "CN=1234abcd"
>>
>> Mar3 19:34:45 localhost charon: 06[CFG] looking for peer configs
>>
>> matching 10.206.1.11[CN=12345abcde]...10.206.1.10[CN=1234abcd]
>>
>> Mar3 19:34:45 localhost charon: 06[CFG] peer config match local: 20
>>
>> (ID_DER_ASN1_DN ->
>> 30:15:31:13:30:11:06:03:55:04:03:13:0a:31:32:33:34:35:61:62:63:64:65)
>>
>> Mar3 19:34:45 localhost charon: 06[CFG] peer config match remote: 20
>>
>> (ID_DER_ASN1_DN ->
>> 30:13:31:11:30:0f:06:03:55:04:03:13:08:31:32:33:34:61:62:63:64)
>>
>> Mar3 19:34:45 localhost charon: 06[CFG] ike config match: 3100
>> (10.206.1.11 10.206.1.10 IKEv2)
>>
>> Mar3 19:34:45 localhost charon: 06[CFG]candidate "home1", match:
>> 20/20/3100 (me/other/ike)
>>
>> Mar3 19:34:45 localhost charon: 06[CFG] selected peer config 'home1'
>>
>> Mar3 19:34:45 localhost charon: 06[IKE] IDx' => 25 bytes @ 0xb4d82fe0
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]0: 09 00 00 00 30 13 31 11 30 0F
>>
>> 06 03 55 04 03 13....0.1.0...U...
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]16: 08 31 32 33 34 61 62 63
>> 64.1234abcd
>>
>> Mar3 19:34:45 localhost charon: 06[IKE] SK_p => 16 bytes @ 0x91c5340
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]0: 43 85 1F D8 CA 8B BD 27 A0 58
>>
>> B8 9F 18 5C E7 C0C......'.X...\..
>>
>> Mar3 19:34:45 localhost charon: 06[IKE] octets = message + nonce +
>>
>> prf(Sk_px, IDx') => 316 bytes @ 0x91c6d88
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]0: 95 B5 C1 A2 8D 13 C3 77 00 00
>>
>> 00 00 00 00 00 00.......w........
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]16: 21 20 22 08 00 00 00 00 00 00
>>
>> 01 0C 22 00 00 2C! "........."..,
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]32: 00 00 00 28 01 01 00 04 03 00
>>
>> 00 08 01 00 00 03...(............
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]48: 03 00 00 <tel:03%2000%2000>
>>
>> 08 03 00 00 01 03 00 00 08 02 00 00 01................
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]64: 00 00 00 08 04 00 00 01 28 00
>>
>> 00 68 00 01 00 00........(..h....
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]80: 23 F4 AC E7 E8 4E 55 80 54 B7
>>
>> 14 C8 48 B9 98 AE#....NU.T...H...
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]96: 15 DB CA F8 93 BF 31 2D 59 89
>>
>> 77 52 32 A8 0A 2D......1-Y.wR2..-
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]112: 78 3E 6F EB 6D 33 5A E6 A5
>>
>> B7 0F 9A 3C DA 4E D8x>o.m3Z.....<.N.
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]128: E6 71 B4 C4 5A D7 20 48 61
>>
>> B2 34 14 99 0A F6 AF.q..Z. Ha.4.....
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]144: F8 DB 6D 82 B2 55 6C 1B 84
>>
>> CA 37 8E C3 7F 50 8A..m..Ul...7...P.
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]160: 5C 2A 39 E4 27 FC 8D 23 38
>>
>> 95 E2 B2 F3 F9 8E CA\*9.'..#8.......
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]176: 29 00 00 24 03 8D 56 09 5D
>>
>> B1 17 D2 BA 29 D6 8B)..$..V.]....)..
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]192: 7E 0B A5 2D 42 4C 1D 37 D9
>>
>> EA 17 4A 0D 0C 77 67~..-BL.7...J..wg
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]208: E6 51 40 1D 29 00 00 1C 00
>>
>> 00 40 04 D5 2F E3 7F.Q at .)..... at ../..
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]224: 13 80 F3 7A 91 9D F2 7A 0A
>>
>> 6E C0 A9 E7 B2 72 63...z...z.n....rc
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]240: 00 00 00 1C 00 00 40 05 BD
>>
>> B4 3E 98 F1 EB F4 10...... at ...>.....
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]256: 44 06 6B 25 90 C4 30 CF BB
>>
>> FB FE 4C 00 9B 1E ADD.k%..0....L....
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]272: 19 7A F6 43 23 A9 8A C4 3C
>>
>> EF 98 57 13 69 07 0E.z.C#...<..W.i..
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]288: 9A E4 34 F1 A6 9B 48 65 E8
>>
>> 06 8A 6C 6D 30 6B C1..4...He...lm0k.
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]304: F2 2C 6E 19 39 37 C1 C6 2F
>> 48 D2 18.,n.97../H..
>>
>> Mar3 19:34:45 localhost charon: 06[CFG]using certificate "CN=1234abcd"
>>
>> Mar3 19:34:45 localhost charon: 06[CFG]certificate "CN=1234abcd" key:
>> 2048 bit RSA
>>
>> *Mar3 19:34:45 localhost charon: 06[CFG] no issuer certificate found for
>> "CN=1234abcd"*
>>
>> Mar3 19:34:45 localhost charon: 06[IKE] no trusted RSA public key found
>> for 'CN=1234abcd'
>>
>> Mar3 19:34:45 localhost charon: 06[IKE] processing INTERNAL_IP4_ADDRESS
>>
>> attribute
>>
>> Please let me know, how to resolve this issue.
>>
>> Below post suggests that the intermediate certs need to be sent along
>> with the end-entity certificates in ike_auth message.
>>
>> If that can solve the issue, how can I achieve that.
>>
>> https://lists.strongswan.org/pipermail/users/2013-March/008956.html
>>
>> Any help in this regard is appreciated.
>>
>> Regards,
>>
>> Sriram.
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>>
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140304/42100955/attachment.html>


More information about the Users mailing list