[strongSwan] Unable to establish ipsec tunnel using certs of intermediate CA's

Andreas Steffen andreas.steffen at strongswan.org
Tue Mar 4 15:08:12 CET 2014


Hi Sriram,

in order for an Intermediate CA certificate to be accepted by
strongSwan, the CA basic constraint in the certificate has
to be set to TRUE. So if you execute

   openssl x509 -in ca-int.crt -noout -text

the CA flag should show as TRUE:

         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:TRUE
             X509v3 Key Usage:
                 Certificate Sign, CRL Sign

Regards

Andreas

On 04.03.2014 14:57, Sriram wrote:
> Hi Andreas,
>
> I think it is not loaded.
>
> On 10.206.1.11
>
> [root at localhost ~]# ipsec listcacerts
>
> List of X.509 CA Certificates:
>
>    subject:  "CN=DaRoot"
>    issuer:   "CN=DaRoot"
>    serial:    c9:95:0a:00:41:c4:d8:25
>    validity:  not before Mar 03 18:10:17 2014, ok
>               not after  Apr 02 18:10:17 2014, ok (expires in 28 days)
>    pubkey:    RSA 2048 bits
>    keyid:     be:25:1a:4a:e6:f8:44:c4:fe:32:a8:d4:7c:9d:75:42:7d:51:19:0f
>    subjkey:   c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
>    authkey:   c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
>
>
> on 10.206.1.10
> [root at localhost ~]# ipsec listcacerts
>
> List of X.509 CA Certificates:
>
>    subject:  "CN=DaRoot"
>    issuer:   "CN=DaRoot"
>    serial:    c9:95:0a:00:41:c4:d8:25
>    validity:  not before Mar 03 18:10:17 2014, ok
>               not after  Apr 02 18:10:17 2014, ok (expires in 28 days)
>    pubkey:    RSA 2048 bits
>    keyid:     be:25:1a:4a:e6:f8:44:c4:fe:32:a8:d4:7c:9d:75:42:7d:51:19:0f
>    subjkey:   c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
>    authkey:   c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
>
> Regards,
> Sriram.
>
>
> On Tue, Mar 4, 2014 at 6:49 PM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>
>     Hi Sriram, could you post the output of the command
>
>        ipsec listcacerts
>
>     both on 10.206.1.10 and 10.206.1.11. This shows if the intermediate
>     CA certificates have been successfully loaded.
>
>     Regards
>
>     Andreas
>
>
>     On 04.03.2014 12:45, Sriram wrote:
>
>         Hi Everyone,
>
>         I have a host-to-host ipsec setup between 2 IPs, 10.206.1.10 and
>         10.206.1.11.
>
>         Tunnel is established using certificates. Tunnel is established
>         properly, when the certificates are generated using rootca.
>
>         But when the certificates are generated using intermediate CA's,
>         the tunnel is not getting established.
>
>         In 10.206.1.10
>
>         Under /etc/ipsec.d/cacerts/ I have copied ca.crt (root ca),
>         *ca-int.crt (Intermediate ca)*
>
>
>         In /etc/ipsec.d/certs/ I have copied end entity cert issued by
>         ca-int.crt
>
>         In 10.206.1.11
>
>         Under /etc/ipsec.d/cacerts/ I have copied ca.crt (root ca),
>         *ca-int1.crt (Intermediate ca)*
>
>
>         In /etc/ipsec.d/certs/ I have copied end entity cert issued by
>         ca-int1.crt
>
>         I am getting the below errors:
>
>         Mar3 19:34:45 localhost charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
>
>         Mar3 19:34:45 localhost charon: 06[IKE] received cert request for "CN=DaRoot"
>
>         Mar3 19:34:45 localhost charon: 06[IKE] received end entity cert "CN=1234abcd"
>
>         Mar3 19:34:45 localhost charon: 06[CFG] looking for peer configs matching 10.206.1.11[CN=12345abcde]...10.206.1.10[CN=1234abcd]
>
>         Mar3 19:34:45 localhost charon: 06[CFG] peer config match local: 20 (ID_DER_ASN1_DN -> 30:15:31:13:30:11:06:03:55:04:03:13:0a:31:32:33:34:35:61:62:63:64:65)
>
>         Mar3 19:34:45 localhost charon: 06[CFG] peer config match remote: 20 (ID_DER_ASN1_DN -> 30:13:31:11:30:0f:06:03:55:04:03:13:08:31:32:33:34:61:62:63:64)
>
>         Mar3 19:34:45 localhost charon: 06[CFG] ike config match: 3100 (10.206.1.11 10.206.1.10 IKEv2)
>
>         Mar3 19:34:45 localhost charon: 06[CFG] candidate "home1", match: 20/20/3100 (me/other/ike)
>
>         Mar3 19:34:45 localhost charon: 06[CFG] selected peer config 'home1'
>
>         Mar3 19:34:45 localhost charon: 06[IKE] IDx' => 25 bytes @ 0xb4d82fe0
>
>         Mar3 19:34:45 localhost charon: 06[IKE] SK_p => 16 bytes @ 0x91c5340
>
>
>         Mar3 19:34:45 localhost charon: 06[IKE] octets = message + nonce + prf(Sk_px, IDx') => 316 bytes @ 0x91c6d88
>
>         Mar3 19:34:45 localhost charon: 06[CFG] using certificate "CN=1234abcd"
>
>         Mar3 19:34:45 localhost charon: 06[CFG] certificate "CN=1234abcd" key: 2048 bit RSA
>
>         *Mar3 19:34:45 localhost charon: 06[CFG] no issuer certificate found for "CN=1234abcd"*
>
>         Mar3 19:34:45 localhost charon: 06[IKE] no trusted RSA public key found for 'CN=1234abcd'
>
>         Mar3 19:34:45 localhost charon: 06[IKE] processing INTERNAL_IP4_ADDRESS attribute
>
>         Please let me know how to resolve this issue.
>
>         The post below suggests that the intermediate certs need to be sent
>         along with the end-entity certificates in the ike_auth message.
>
>         If that can solve the issue, how can I achieve that?
>
>         https://lists.strongswan.org/pipermail/users/2013-March/008956.html
>
>         Any help in this regard is appreciated.
>
>         Regards,
>
>         Sriram.

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
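Added example, not code from the thread or from strongSwan: a shell script that builds a throwaway PKI with openssl, issues one intermediate CA the wrong way (with an end-entity profile, CA:FALSE) and one the right way (CA:TRUE), then runs the CA-flag check Andreas describes plus an `openssl verify` of each chain, so the failure behind "no issuer certificate found" can be reproduced and caught before a file is copied into /etc/ipsec.d/cacerts/. Only the CNs DaRoot and 1234abcd come from the thread; the CNs DaIntBad/DaInt, the file names and the extension profiles are constructed for this example, and the openssl(1) CLI 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan: build a throwaway
# PKI, issue one intermediate CA the wrong way (an end-entity profile, CA:FALSE)
# and one the right way (CA:TRUE), then run the checks an admin should apply to
# a file before copying it into /etc/ipsec.d/cacerts/. Needs openssl(1) >= 1.1.1.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf   # works without a system openssl.cnf

# Extension profiles: what a sub-CA needs, and a leaf profile that is
# harmless on an end-entity cert but fatal when applied to an intermediate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > leaf.ext

# issue NAME CN ISSUER EXTFILE: key + CSR for NAME, certificate signed by ISSUER.
issue() {
  openssl req -config req.cnf -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days 30 -extfile "$4" -out "$1.crt" 2>/dev/null
}

# Self-signed root "DaRoot" (name from the thread); CA:TRUE set explicitly via -addext.
openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=DaRoot" -days 30 -addext 'basicConstraints=critical,CA:TRUE' \
  -addext 'keyUsage=critical,keyCertSign,cRLSign' 2>/dev/null
issue ca-int-bad DaIntBad ca leaf.ext   # the mistake: intermediate issued with a leaf profile
issue ca-int     DaInt    ca ca.ext     # correct intermediate (CNs DaIntBad/DaInt are constructed)
issue ee-bad     1234abcd ca-int-bad leaf.ext
issue ee         1234abcd ca-int     leaf.ext

# Check 1, what strongSwan requires of anything in cacerts/: CA basic constraint TRUE.
ca_flag_ok() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Check 2: does end-entity -> intermediate -> root actually validate? A non-CA
# intermediate fails here ("invalid CA certificate"); charon reports the same
# situation as "no issuer certificate found" for the end-entity cert.
chain_ok() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

for c in ca-int-bad ca-int; do
  if ca_flag_ok "$c.crt"; then echo "$c.crt: CA:TRUE, accepted as CA"
  else echo "$c.crt: no CA:TRUE, strongSwan will not use it as an issuer"; fi
done
chain_ok ca.crt ca-int-bad.crt ee-bad.crt && echo "chain via ca-int-bad: OK" || echo "chain via ca-int-bad: verify FAILED"
chain_ok ca.crt ca-int.crt ee.crt && echo "chain via ca-int: OK" || echo "chain via ca-int: verify FAILED"
```

Run the same `ca_flag_ok` check against the real ca-int.crt and ca-int1.crt from the thread; a certificate that fails it has to be re-issued by the root with a CA profile, because strongSwan will never treat it as an issuer.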
