[strongSwan] Unable to establish ipsec tunnel using certs of intermediate CA's

Sriram sriram.ec at gmail.com
Thu Mar 6 14:31:35 CET 2014


Hi Andreas,

Now I have added CA:TRUE for the intermediate certs.

10.206.1.10
[root at localhost private]# ipsec listcacerts

List of X.509 CA Certificates:

  subject:  "CN=DaRoot"
  issuer:   "CN=DaRoot"
  serial:    b6:1b:fb:f4:96:05:f7:18
  validity:  not before Mar 06 18:01:38 2014, ok
             not after  Apr 05 18:01:38 2014, ok (expires in 29 days)
  pubkey:    RSA 1024 bits
  keyid:     eb:12:9a:05:72:2b:bf:89:f0:49:91:47:f7:bf:c1:85:9b:0f:66:e8
  subjkey:   55:90:f7:42:41:91:73:a1:fb:84:b8:91:8a:2e:32:44:73:97:f9:10
  authkey:   55:90:f7:42:41:91:73:a1:fb:84:b8:91:8a:2e:32:44:73:97:f9:10

  subject:  "CN=Zintermediate"
  issuer:   "CN=DaRoot"
  serial:    02:46:a7:72
  validity:  not before Mar 06 18:05:34 2014, ok
             not after  Mar 26 18:05:34 2014, ok (expires in 19 days)
  pubkey:    RSA 1024 bits
  keyid:     c2:ba:fb:bd:36:0b:bd:32:e7:8e:0c:b9:25:82:59:64:6a:f8:b7:46
  subjkey:   f0:2a:8a:a7:55:7f:1b:44:ef:c4:18:00:79:c1:d8:7b:be:98:00:cd


10.206.1.11
[root at localhost sriram_ikeauth]# ipsec listcacerts

List of X.509 CA Certificates:

  subject:  "CN=Zintermediate1"
  issuer:   "CN=DaRoot"
  serial:    02:46:a7:73
  validity:  not before Mar 06 18:09:23 2014, ok
             not after  Mar 26 18:09:23 2014, ok (expires in 19 days)
  pubkey:    RSA 1024 bits
  keyid:     ea:d5:28:42:7e:74:f3:47:53:51:5e:28:be:27:ed:8f:2c:dc:05:eb
  subjkey:   ee:3d:fe:ab:11:d4:d9:3c:a2:3c:95:cb:42:04:d8:0e:12:35:36:76

  subject:  "CN=DaRoot"
  issuer:   "CN=DaRoot"
  serial:    b6:1b:fb:f4:96:05:f7:18
  validity:  not before Mar 06 18:01:38 2014, ok
             not after  Apr 05 18:01:38 2014, ok (expires in 29 days)
  pubkey:    RSA 1024 bits
  keyid:     eb:12:9a:05:72:2b:bf:89:f0:49:91:47:f7:bf:c1:85:9b:0f:66:e8
  subjkey:   55:90:f7:42:41:91:73:a1:fb:84:b8:91:8a:2e:32:44:73:97:f9:10
  authkey:   55:90:f7:42:41:91:73:a1:fb:84:b8:91:8a:2e:32:44:73:97:f9:10

But the ipsec tunnel is still not getting established.
On 10.206.1.10 I am getting the errors below.

[root at localhost private]# ipsec up home
initiating IKE_SA home[2] to 10.206.1.11
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.206.1.10[500] to 10.206.1.11[500] (268 bytes)
received packet: from 10.206.1.11[500] to 10.206.1.10[500] (321 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "CN=DaRoot"
received 1 cert requests for an unknown ca
sending cert request for "CN=DaRoot"
sending cert request for "CN=Zintermediate"
authentication of 'CN=ten' (myself) with pre-shared key
no shared key found for 'CN=ten' - 'CN=eleven'
establishing connection 'home' failed

I have used the set of commands below to generate the certificates of the root
CA, sub-CAs and end entities.

Root ca cert creation

openssl req -new -x509 -nodes -out ca.crt -keyout ca.key -subj /CN=DaRoot -newkey rsa:1024 -sha512

Intermediate CA cert creation signed by RootCA

openssl req -new -nodes -out ca-int.req -keyout ca-int.key -subj /CN=Zintermediate -newkey rsa:1024 -sha512

openssl x509 -req -in ca-int.req -CAkey ca.key -CA ca.crt -days 20 -set_serial 38184818 -sha512 -out ca-int.crt -extfile ../sriram_chaincert1/file.prm

[root at localhost sriram_chaincert2]# cat ../sriram_chaincert1/file.prm

basicConstraints=CA:TRUE

Intermediate1 CA cert creation signed by RootCA

openssl req -new -nodes -out ca-int1.req -keyout ca-int1.key -subj /CN=Zintermediate1 -newkey rsa:1024 -sha512

openssl x509 -req -in ca-int1.req -CAkey ca.key -CA ca.crt -days 20 -set_serial 38184819 -sha512 -out ca-int1.crt -extfile ../sriram_chaincert1/file.prm

[root at localhost sriram_chaincert2]# cat ../sriram_chaincert1/file.prm

basicConstraints=CA:TRUE

End Entity cert creation signed by intermediate CA

openssl req -new -out ten.req -keyout ten.key -nodes -newkey rsa:1024 -subj /CN=ten

openssl x509 -req -in ten.req -CAkey ca-int.key -CA ca-int.crt -days 10 -set_serial 38184820 -sha512 -out ten.crt

End Entity1 cert creation signed by Intermediate1 CA

openssl req -new -out eleven.req -keyout eleven.key -nodes -newkey rsa:1024 -subj /CN=eleven

openssl x509 -req -in eleven.req -CAkey ca-int1.key -CA ca-int1.crt -days 10 -set_serial 38184821 -sha512 -out eleven.crt

Please let me know how to resolve this issue.


Regards,

Sriram.
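
The chain-building procedure above, as an added example that is not part of the original thread: a POSIX shell script with one openssl config file that issues the intermediate both with and without the basicConstraints extension Andreas asked about, then reads back the CA flag and runs openssl verify on both chains. File names, the WORK directory, serials and key size (2048-bit RSA instead of the thread's 1024-bit keys) are my own choices.

```shell
# Added example (not from the thread): issue DaRoot -> Zintermediate -> ten twice,
# once with basicConstraints CA:TRUE on the intermediate and once without it,
# then inspect the CA flag and verify both chains.
set -e
cd "${WORK:-$(mktemp -d)}"
# Single config: an empty DN section (subjects come from -subj) plus the
# extension sections; ca_ext is what strongSwan needs on the intermediate.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ee_ext]
basicConstraints = CA:FALSE
[noca_ext]
subjectKeyIdentifier = hash
EOF
# request NAME CN: fresh RSA key NAME.key and CSR NAME.req
request() {
    openssl req -new -nodes -config req.cnf -newkey rsa:2048 -sha256 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.req"
}
# issue REQ OUT SERIAL SECTION ISSUER: sign REQ.req with ISSUER.crt/.key into OUT.crt
issue() {
    openssl x509 -req -in "$1.req" -CA "$5.crt" -CAkey "$5.key" -days 20 -sha256 \
        -set_serial "$3" -extfile req.cnf -extensions "$4" -out "$2.crt"
}
build_chain() {
    openssl req -new -x509 -nodes -config req.cnf -extensions ca_ext -days 30 \
        -newkey rsa:2048 -sha256 -subj /CN=DaRoot -keyout ca.key -out ca.crt
    request ca-int Zintermediate
    issue ca-int ca-int 38184818 ca_ext ca        # as Andreas advised: CA:TRUE
    issue ca-int ca-noca 38184819 noca_ext ca     # same key, no basicConstraints
    cp ca-int.key ca-noca.key
    request ten ten
    issue ten ten 38184820 ee_ext ca-int
    issue ten ten-bad 38184821 ee_ext ca-noca
}
# ca_flag CERT: print TRUE, FALSE or ABSENT for the basicConstraints CA bit
ca_flag() {
    openssl x509 -in "$1" -noout -text |
        awk '/CA:TRUE/ {r="TRUE"} /CA:FALSE/ {r="FALSE"} END {print (r ? r : "ABSENT")}'
}
# verify_chain INTERMEDIATE LEAF: succeed only if LEAF chains to ca.crt via INTERMEDIATE
verify_chain() {
    openssl verify -CAfile ca.crt -untrusted "$1" "$2" >/dev/null 2>&1
}
build_chain >/dev/null 2>&1
```

With the CA:TRUE intermediate the leaf verifies; with the intermediate that lacks basicConstraints the same leaf fails, which is the situation the first log in this thread shows.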

On Tue, Mar 4, 2014 at 8:11 PM, Sriram <sriram.ec at gmail.com> wrote:

> Thanks Andreas, Let me check that and get back to you.
>
> Regards,
> Sriram.
>
>
> On Tue, Mar 4, 2014 at 7:38 PM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
>
>> Hi Sriram,
>>
>> in order for an Intermediate CA certificate to be accepted by
>> strongSwan, the CA basic constraint in the certificate has
>> to be set to TRUE. So if you execute
>>
>>   openssl x509 -in ca-int.crt -noout -text
>>
>> the CA flag should show as TRUE:
>>
>>         X509v3 extensions:
>>             X509v3 Basic Constraints: critical
>>                 CA:TRUE
>>             X509v3 Key Usage:
>>                 Certificate Sign, CRL Sign
>>
>> Regards
>>
>> Andreas
>>
>>
>> On 04.03.2014 14:57, Sriram wrote:
>>
>>> Hi Andreas,
>>>
>>> I think it is not loaded.
>>>
>>> On 10.206.1.11
>>>
>>> [root at localhost ~]# ipsec listcacerts
>>>
>>> List of X.509 CA Certificates:
>>>
>>>    subject:  "CN=DaRoot"
>>>    issuer:   "CN=DaRoot"
>>>    serial:    c9:95:0a:00:41:c4:d8:25
>>>    validity:  not before Mar 03 18:10:17 2014, ok
>>>               not after  Apr 02 18:10:17 2014, ok (expires in 28 days)
>>>    pubkey:    RSA 2048 bits
>>>    keyid:     be:25:1a:4a:e6:f8:44:c4:fe:32:a8:d4:7c:9d:75:42:7d:51:19:0f
>>>    subjkey:   c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
>>>    authkey:   c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
>>>
>>>
>>> on 10.206.1.10
>>> [root at localhost ~]# ipsec listcacerts
>>>
>>> List of X.509 CA Certificates:
>>>
>>>    subject:  "CN=DaRoot"
>>>    issuer:   "CN=DaRoot"
>>>    serial:    c9:95:0a:00:41:c4:d8:25
>>>    validity:  not before Mar 03 18:10:17 2014, ok
>>>               not after  Apr 02 18:10:17 2014, ok (expires in 28 days)
>>>    pubkey:    RSA 2048 bits
>>>    keyid:     be:25:1a:4a:e6:f8:44:c4:fe:32:a8:d4:7c:9d:75:42:7d:51:19:0f
>>>    subjkey:   c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
>>>    authkey:   c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
>>>
>>> Regards,
>>> Sriram.
>>>
>>>
>>> On Tue, Mar 4, 2014 at 6:49 PM, Andreas Steffen
>>> <andreas.steffen at strongswan.org> wrote:
>>>
>>>     Hi Sriram, could you post the output of the command
>>>
>>>        ipsec listcacerts
>>>
>>>     both on 10.206.1.10 and 10.206.1.11. This shows if the intermediate
>>>     CA certificates have been successfully loaded.
>>>
>>>     Regards
>>>
>>>     Andreas
>>>
>>>
>>>     On 04.03.2014 12:45, Sriram wrote:
>>>
>>>         Hi Everyone,
>>>
>>>         I have a host-to-host ipsec setup between 2 IPs, 10.206.1.10 and
>>>         10.206.1.11.
>>>
>>>         The tunnel is established using certificates. The tunnel is established
>>>         properly when the certificates are generated using the root CA.
>>>
>>>         But when the certificates are generated using intermediate CAs, the
>>>         tunnel is not getting established.
>>>
>>>         In 10.206.1.10
>>>
>>>         Under /etc/ipsec.d/cacerts/ I have copied ca.crt (root CA) and
>>>         ca-int.crt (intermediate CA).
>>>
>>>         In /etc/ipsec.d/certs/ I have copied the end entity cert issued by
>>>         ca-int.crt.
>>>
>>>         In 10.206.1.11
>>>
>>>         Under /etc/ipsec.d/cacerts/ I have copied ca.crt (root CA) and
>>>         ca-int1.crt (intermediate CA).
>>>
>>>         In /etc/ipsec.d/certs/ I have copied the end entity cert issued by
>>>         ca-int1.crt.
>>>
>>>         I am getting below errors
>>>
>>>         Mar3 19:34:45 localhost charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
>>>         Mar3 19:34:45 localhost charon: 06[IKE] received cert request for "CN=DaRoot"
>>>         Mar3 19:34:45 localhost charon: 06[IKE] received end entity cert "CN=1234abcd"
>>>         Mar3 19:34:45 localhost charon: 06[CFG] looking for peer configs matching 10.206.1.11[CN=12345abcde]...10.206.1.10[CN=1234abcd]
>>>         Mar3 19:34:45 localhost charon: 06[CFG] peer config match local: 20 (ID_DER_ASN1_DN -> 30:15:31:13:30:11:06:03:55:04:03:13:0a:31:32:33:34:35:61:62:63:64:65)
>>>         Mar3 19:34:45 localhost charon: 06[CFG] peer config match remote: 20 (ID_DER_ASN1_DN -> 30:13:31:11:30:0f:06:03:55:04:03:13:08:31:32:33:34:61:62:63:64)
>>>         Mar3 19:34:45 localhost charon: 06[CFG] ike config match: 3100 (10.206.1.11 10.206.1.10 IKEv2)
>>>         Mar3 19:34:45 localhost charon: 06[CFG] candidate "home1", match: 20/20/3100 (me/other/ike)
>>>         Mar3 19:34:45 localhost charon: 06[CFG] selected peer config 'home1'
>>>         Mar3 19:34:45 localhost charon: 06[IKE] IDx' => 25 bytes @ 0xb4d82fe0
>>>         Mar3 19:34:45 localhost charon: 06[IKE] SK_p => 16 bytes @ 0x91c5340
>>>         Mar3 19:34:45 localhost charon: 06[IKE] octets = message + nonce + prf(Sk_px, IDx') => 316 bytes @ 0x91c6d88
>>>
>>>         Mar3 19:34:45 localhost charon: 06[CFG] using certificate "CN=1234abcd"
>>>         Mar3 19:34:45 localhost charon: 06[CFG] certificate "CN=1234abcd" key: 2048 bit RSA
>>>         Mar3 19:34:45 localhost charon: 06[CFG] no issuer certificate found for "CN=1234abcd"
>>>         Mar3 19:34:45 localhost charon: 06[IKE] no trusted RSA public key found for 'CN=1234abcd'
>>>         Mar3 19:34:45 localhost charon: 06[IKE] processing INTERNAL_IP4_ADDRESS attribute
>>>
>>>         Please let me know how to resolve this issue.
>>>
>>>         The post below suggests that the intermediate certs need to be sent
>>>         along with the end-entity certificates in the IKE_AUTH message.
>>>
>>>         If that can solve the issue, how can I achieve that?
>>>
>>>         https://lists.strongswan.org/pipermail/users/2013-March/008956.html
>>>
>>>         Any help in this regard is appreciated.
>>>
>>>         Regards,
>>>
>>>         Sriram.
>>>
>>>
>>>
>>>
>>>
>>>
>>>         _________________________________________________
>>>         Users mailing list
>>>         Users at lists.strongswan.org
>>>         https://lists.strongswan.org/mailman/listinfo/users
>>>
>>>
>>>     --
>>>     ======================================================================
>>>     Andreas Steffen                         andreas.steffen at strongswan.org
>>>     strongSwan - the Open Source VPN Solution!          www.strongswan.org
>>>     Institute for Internet Technologies and Applications
>>>     University of Applied Sciences Rapperswil
>>>     CH-8640 Rapperswil (Switzerland)
>>>     ===========================================================[ITA-HSR]==
>>>
>>>
>>>
>> --
>> ======================================================================
>> Andreas Steffen                         andreas.steffen at strongswan.org
>> strongSwan - the Open Source VPN Solution!          www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>>
>>
>