[strongSwan] Unable to establish ipsec tunnel using certs of intermediate CA's
Andreas Steffen
andreas.steffen at strongswan.org
Thu Mar 6 14:46:10 CET 2014
Hi Sriram,
the actual error now is
> authentication of 'CN=ten' (myself) with pre-shared key
> no shared key found for 'CN=ten' - 'CN=eleven'
Did you configure PSK-based authentication by either
setting leftauth=psk, leftauth=secret, or authby=secret?
For mutual certificate based authentication you should set
authby=pubkey
which is the default or alternatively
leftauth=pubkey
rightauth=pubkey
Regards
Andreas
On 06.03.2014 14:31, Sriram wrote:
> Hi Andreas,
>
> Now I have added CA:TRUE for intermediate certs
>
> 10.206.1.10
> [root@localhost private]# ipsec listcacerts
>
> List of X.509 CA Certificates:
>
> subject: "CN=DaRoot"
> issuer: "CN=DaRoot"
> serial: b6:1b:fb:f4:96:05:f7:18
> validity: not before Mar 06 18:01:38 2014, ok
> not after Apr 05 18:01:38 2014, ok (expires in 29 days)
> pubkey: RSA 1024 bits
> keyid: eb:12:9a:05:72:2b:bf:89:f0:49:91:47:f7:bf:c1:85:9b:0f:66:e8
> subjkey: 55:90:f7:42:41:91:73:a1:fb:84:b8:91:8a:2e:32:44:73:97:f9:10
> authkey: 55:90:f7:42:41:91:73:a1:fb:84:b8:91:8a:2e:32:44:73:97:f9:10
>
> subject: "CN=Zintermediate"
> issuer: "CN=DaRoot"
> serial: 02:46:a7:72
> validity: not before Mar 06 18:05:34 2014, ok
> not after Mar 26 18:05:34 2014, ok (expires in 19 days)
> pubkey: RSA 1024 bits
> keyid: c2:ba:fb:bd:36:0b:bd:32:e7:8e:0c:b9:25:82:59:64:6a:f8:b7:46
> subjkey: f0:2a:8a:a7:55:7f:1b:44:ef:c4:18:00:79:c1:d8:7b:be:98:00:cd
>
>
> 10.206.1.11
> [root@localhost sriram_ikeauth]# ipsec listcacerts
>
> List of X.509 CA Certificates:
>
> subject: "CN=Zintermediate1"
> issuer: "CN=DaRoot"
> serial: 02:46:a7:73
> validity: not before Mar 06 18:09:23 2014, ok
> not after Mar 26 18:09:23 2014, ok (expires in 19 days)
> pubkey: RSA 1024 bits
> keyid: ea:d5:28:42:7e:74:f3:47:53:51:5e:28:be:27:ed:8f:2c:dc:05:eb
> subjkey: ee:3d:fe:ab:11:d4:d9:3c:a2:3c:95:cb:42:04:d8:0e:12:35:36:76
>
> subject: "CN=DaRoot"
> issuer: "CN=DaRoot"
> serial: b6:1b:fb:f4:96:05:f7:18
> validity: not before Mar 06 18:01:38 2014, ok
> not after Apr 05 18:01:38 2014, ok (expires in 29 days)
> pubkey: RSA 1024 bits
> keyid: eb:12:9a:05:72:2b:bf:89:f0:49:91:47:f7:bf:c1:85:9b:0f:66:e8
> subjkey: 55:90:f7:42:41:91:73:a1:fb:84:b8:91:8a:2e:32:44:73:97:f9:10
> authkey: 55:90:f7:42:41:91:73:a1:fb:84:b8:91:8a:2e:32:44:73:97:f9:10
>
> But the ipsec tunnel is not getting established.
> In 10.206.1.10 I am getting the below errors.
>
> [root@localhost private]# ipsec up home
> initiating IKE_SA home[2] to 10.206.1.11
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 10.206.1.10[500] to 10.206.1.11[500] (268 bytes)
> received packet: from 10.206.1.11[500] to 10.206.1.10[500] (321 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> received cert request for "CN=DaRoot"
> received 1 cert requests for an unknown ca
> sending cert request for "CN=DaRoot"
> sending cert request for "CN=Zintermediate"
> authentication of 'CN=ten' (myself) with pre-shared key
> no shared key found for 'CN=ten' - 'CN=eleven'
> establishing connection 'home' failed
>
> I have used the below set of commands to generate the certificates of
> root CA, SubCAs and End Entities.
>
> Root ca cert creation
>
> openssl req -new -x509 -nodes -out ca.crt -keyout ca.key -subj /CN=DaRoot -newkey rsa:1024 -sha512
>
> Intermediate CA cert creation signed by RootCA
>
> openssl req -new -nodes -out ca-int.req -keyout ca-int.key -subj /CN=Zintermediate -newkey rsa:1024 -sha512
>
> openssl x509 -req -in ca-int.req -CAkey ca.key -CA ca.crt -days 20 -set_serial 38184818 -sha512 -out ca-int.crt -extfile ../sriram_chaincert1/file.prm
>
> [root@localhost sriram_chaincert2]# cat ../sriram_chaincert1/file.prm
>
> basicConstraints=CA:TRUE
>
> Intermediate1 CA cert creation signed by RootCA
>
> openssl req -new -nodes -out ca-int1.req -keyout ca-int1.key -subj /CN=Zintermediate1 -newkey rsa:1024 -sha512
>
> openssl x509 -req -in ca-int1.req -CAkey ca.key -CA ca.crt -days 20 -set_serial 38184819 -sha512 -out ca-int1.crt -extfile ../sriram_chaincert1/file.prm
>
> [root@localhost sriram_chaincert2]# cat ../sriram_chaincert1/file.prm
>
> basicConstraints=CA:TRUE
>
> End Entity cert creation signed by intermediate CA
>
> openssl req -new -out ten.req -keyout ten.key -nodes -newkey rsa:1024 -subj /CN=ten
>
> openssl x509 -req -in ten.req -CAkey ca-int.key -CA ca-int.crt -days 10 -set_serial 38184820 -sha512 -out ten.crt
>
> End Entity1 cert creation signed by Intermediate1 CA
>
> openssl req -new -out eleven.req -keyout eleven.key -nodes -newkey rsa:1024 -subj /CN=eleven
>
> openssl x509 -req -in eleven.req -CAkey ca-int1.key -CA ca-int1.crt -days 10 -set_serial 38184821 -sha512 -out eleven.crt
>
> Please let me know how to resolve this issue.
>
>
> Regards,
>
> Sriram.
>
> On Tue, Mar 4, 2014 at 8:11 PM, Sriram <sriram.ec at gmail.com> wrote:
>
> Thanks Andreas, Let me check that and get back to you.
>
> Regards,
> Sriram.
>
>
> On Tue, Mar 4, 2014 at 7:38 PM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
>
> Hi Sriram,
>
> in order for an Intermediate CA certificate to be accepted by
> strongSwan, the CA basic constraint in the certificate has
> to be set to TRUE. So if you execute
>
> openssl x509 -in ca-int.crt -noout -text
>
> the CA flag should show as TRUE:
>
> X509v3 extensions:
> X509v3 Basic Constraints: critical
> CA:TRUE
> X509v3 Key Usage:
> Certificate Sign, CRL Sign
>
> Regards
>
> Andreas
>
>
> On 04.03.2014 14:57, Sriram wrote:
>
> Hi Andreas,
>
> I think it is not loaded.
>
> On 10.206.1.11
>
> [root@localhost ~]# ipsec listcacerts
>
> List of X.509 CA Certificates:
>
> subject: "CN=DaRoot"
> issuer: "CN=DaRoot"
> serial: c9:95:0a:00:41:c4:d8:25
> validity: not before Mar 03 18:10:17 2014, ok
> not after Apr 02 18:10:17 2014, ok (expires in 28 days)
> pubkey: RSA 2048 bits
> keyid: be:25:1a:4a:e6:f8:44:c4:fe:32:a8:d4:7c:9d:75:42:7d:51:19:0f
> subjkey: c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
> authkey: c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
>
>
> on 10.206.1.10
> [root@localhost ~]# ipsec listcacerts
>
> List of X.509 CA Certificates:
>
> subject: "CN=DaRoot"
> issuer: "CN=DaRoot"
> serial: c9:95:0a:00:41:c4:d8:25
> validity: not before Mar 03 18:10:17 2014, ok
> not after Apr 02 18:10:17 2014, ok (expires in 28 days)
> pubkey: RSA 2048 bits
> keyid: be:25:1a:4a:e6:f8:44:c4:fe:32:a8:d4:7c:9d:75:42:7d:51:19:0f
> subjkey: c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
> authkey: c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
>
> Regards,
> Sriram.
>
>
> On Tue, Mar 4, 2014 at 6:49 PM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
>
> Hi Sriram, could you post the output of the command
>
> ipsec listcacerts
>
> both on 10.206.1.10 and 10.206.1.11. This shows if the intermediate
> CA certificates have been successfully loaded.
>
> Regards
>
> Andreas
>
>
> On 04.03.2014 12:45, Sriram wrote:
>
> Hi Everyone,
>
> I have a host-to-host ipsec setup between 2 ips 10.206.1.10 and
> 10.206.1.11
>
> Tunnel is established using certificates. Tunnel is established
> properly, when the certificates are generated using rootca.
>
> But when the certificates are generated using intermediate CAs, tunnel
> is not getting established.
>
> In 10.206.1.10
>
> Under /etc/ipsec.d/cacerts/ I have copied ca.crt (root ca),
> *ca-int.crt (Intermediate ca)*
>
> In /etc/ipsec.d/certs/ I have copied end entity cert issued by
> ca-int.crt
>
> In 10.206.1.11
>
> Under /etc/ipsec.d/cacerts/ I have copied ca.crt (root ca),
> *ca-int1.crt (Intermediate ca)*
>
> In /etc/ipsec.d/certs/ I have copied end entity cert issued by
> ca-int1.crt
>
> I am getting the below errors
>
> Mar 3 19:34:45 localhost charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
> Mar 3 19:34:45 localhost charon: 06[IKE] received cert request for "CN=DaRoot"
> Mar 3 19:34:45 localhost charon: 06[IKE] received end entity cert "CN=1234abcd"
> Mar 3 19:34:45 localhost charon: 06[CFG] looking for peer configs matching 10.206.1.11[CN=12345abcde]...10.206.1.10[CN=1234abcd]
> Mar 3 19:34:45 localhost charon: 06[CFG] peer config match local: 20 (ID_DER_ASN1_DN -> 30:15:31:13:30:11:06:03:55:04:03:13:0a:31:32:33:34:35:61:62:63:64:65)
> Mar 3 19:34:45 localhost charon: 06[CFG] peer config match remote: 20 (ID_DER_ASN1_DN -> 30:13:31:11:30:0f:06:03:55:04:03:13:08:31:32:33:34:61:62:63:64)
> Mar 3 19:34:45 localhost charon: 06[CFG] ike config match: 3100 (10.206.1.11 10.206.1.10 IKEv2)
> Mar 3 19:34:45 localhost charon: 06[CFG] candidate "home1", match: 20/20/3100 (me/other/ike)
> Mar 3 19:34:45 localhost charon: 06[CFG] selected peer config 'home1'
> Mar 3 19:34:45 localhost charon: 06[IKE] IDx' => 25 bytes @ 0xb4d82fe0
> Mar 3 19:34:45 localhost charon: 06[IKE]    0: 09 00 00 00 30 13 31 11 30 0F 06 03 55 04 03 13  ....0.1.0...U...
> Mar 3 19:34:45 localhost charon: 06[IKE]   16: 08 31 32 33 34 61 62 63 64                       .1234abcd
> Mar 3 19:34:45 localhost charon: 06[IKE] SK_p => 16 bytes @ 0x91c5340
> Mar 3 19:34:45 localhost charon: 06[IKE]    0: 43 85 1F D8 CA 8B BD 27 A0 58 B8 9F 18 5C E7 C0  C......'.X...\..
> Mar 3 19:34:45 localhost charon: 06[IKE] octets = message + nonce + prf(Sk_px, IDx') => 316 bytes @ 0x91c6d88
> Mar 3 19:34:45 localhost charon: 06[IKE]    0: 95 B5 C1 A2 8D 13 C3 77 00 00 00 00 00 00 00 00  .......w........
> Mar 3 19:34:45 localhost charon: 06[IKE]   16: 21 20 22 08 00 00 00 00 00 00 01 0C 22 00 00 2C  ! "........."..,
> Mar 3 19:34:45 localhost charon: 06[IKE]   32: 00 00 00 28 01 01 00 04 03 00 00 08 01 00 00 03  ...(............
> Mar 3 19:34:45 localhost charon: 06[IKE]   48: 03 00 00 08 03 00 00 01 03 00 00 08 02 00 00 01  ................
> Mar 3 19:34:45 localhost charon: 06[IKE]   64: 00 00 00 08 04 00 00 01 28 00 00 68 00 01 00 00  ........(..h....
> Mar 3 19:34:45 localhost charon: 06[IKE]   80: 23 F4 AC E7 E8 4E 55 80 54 B7 14 C8 48 B9 98 AE  #....NU.T...H...
> Mar 3 19:34:45 localhost charon: 06[IKE]   96: 15 DB CA F8 93 BF 31 2D 59 89 77 52 32 A8 0A 2D  ......1-Y.wR2..-
> Mar 3 19:34:45 localhost charon: 06[IKE]  112: 78 3E 6F EB 6D 33 5A E6 A5 B7 0F 9A 3C DA 4E D8  x>o.m3Z.....<.N.
> Mar 3 19:34:45 localhost charon: 06[IKE]  128: E6 71 B4 C4 5A D7 20 48 61 B2 34 14 99 0A F6 AF  .q..Z. Ha.4.....
> Mar 3 19:34:45 localhost charon: 06[IKE]  144: F8 DB 6D 82 B2 55 6C 1B 84 CA 37 8E C3 7F 50 8A  ..m..Ul...7...P.
> Mar 3 19:34:45 localhost charon: 06[IKE]  160: 5C 2A 39 E4 27 FC 8D 23 38 95 E2 B2 F3 F9 8E CA  \*9.'..#8.......
> Mar 3 19:34:45 localhost charon: 06[IKE]  176: 29 00 00 24 03 8D 56 09 5D B1 17 D2 BA 29 D6 8B  )..$..V.]....)..
> Mar 3 19:34:45 localhost charon: 06[IKE]  192: 7E 0B A5 2D 42 4C 1D 37 D9 EA 17 4A 0D 0C 77 67  ~..-BL.7...J..wg
> Mar 3 19:34:45 localhost charon: 06[IKE]  208: E6 51 40 1D 29 00 00 1C 00 00 40 04 D5 2F E3 7F  .Q@.).....@../..
> Mar 3 19:34:45 localhost charon: 06[IKE]  224: 13 80 F3 7A 91 9D F2 7A 0A 6E C0 A9 E7 B2 72 63  ...z...z.n....rc
> Mar 3 19:34:45 localhost charon: 06[IKE]  240: 00 00 00 1C 00 00 40 05 BD B4 3E 98 F1 EB F4 10  ......@...>.....
> Mar 3 19:34:45 localhost charon: 06[IKE]  256: 44 06 6B 25 90 C4 30 CF BB FB FE 4C 00 9B 1E AD  D.k%..0....L....
> Mar 3 19:34:45 localhost charon: 06[IKE]  272: 19 7A F6 43 23 A9 8A C4 3C EF 98 57 13 69 07 0E  .z.C#...<..W.i..
> Mar 3 19:34:45 localhost charon: 06[IKE]  288: 9A E4 34 F1 A6 9B 48 65 E8 06 8A 6C 6D 30 6B C1  ..4...He...lm0k.
> Mar 3 19:34:45 localhost charon: 06[IKE]  304: F2 2C 6E 19 39 37 C1 C6 2F 48 D2 18              .,n.97../H..
> Mar 3 19:34:45 localhost charon: 06[CFG] using certificate "CN=1234abcd"
> Mar 3 19:34:45 localhost charon: 06[CFG] certificate "CN=1234abcd" key: 2048 bit RSA
> *Mar 3 19:34:45 localhost charon: 06[CFG] no issuer certificate found for "CN=1234abcd"*
> Mar 3 19:34:45 localhost charon: 06[IKE] no trusted RSA public key found for 'CN=1234abcd'
> Mar 3 19:34:45 localhost charon: 06[IKE] processing INTERNAL_IP4_ADDRESS attribute
>
> Please let me know how to resolve this issue.
>
> Below post suggests that the intermediate certs need to be sent along
> with the end-entity certificates in ike_auth message.
>
> If that can solve the issue, how can I achieve that?
>
> https://lists.strongswan.org/pipermail/users/2013-March/008956.html
>
> Any help in this regard is appreciated.
>
> Regards,
>
> Sriram.
>
>
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
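The two findings in this thread (an intermediate certificate is only accepted as an issuer when its basicConstraints CA flag is TRUE, and an end-entity certificate is unusable while its issuer cannot be found) can be reproduced outside strongSwan with the plain openssl CLI. The script below is an added example written for this page, not code from the thread or the strongSwan project. It builds a constructed DaRoot -> Zintermediate -> ten chain in a scratch directory, issues a second intermediate with no extensions at all (the shape of the first round of certificates in the thread), and uses `openssl verify` to play the role of charon's chain check. The CNs, file names and the extension file `ca.ext` are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the failure modes above with
# plain openssl. A scratch directory holds a constructed PKI (names and file
# names are assumptions):
#   DaRoot (self-signed) -> Zintermediate (CA:TRUE)        -> ten    good chain
#   DaRoot (self-signed) -> NoFlag (no basicConstraints)   -> ten2   bad chain
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions every CA certificate needs in order to be accepted as an issuer.
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# $1 = CN, $2 = file base: fresh RSA key plus CSR (stderr only carries key-generation noise)
new_key_and_csr() {
  openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.req" 2>/dev/null
}

# $1 = file base: self-sign the CSR as a root CA, with the CA extensions.
self_sign_root() {
  openssl x509 -req -in "$1.req" -signkey "$1.key" -days 30 -sha256 \
    -extfile ca.ext -out "$1.crt" 2>/dev/null
}

# $1 = CSR base, $2 = issuer base, $3 = optional extension file.
# Without $3 the certificate carries no extensions, so no CA flag at all.
issue_cert() {
  if [ -n "${3:-}" ]; then
    openssl x509 -req -in "$1.req" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
      -days 20 -sha256 -extfile "$3" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.req" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
      -days 10 -sha256 -out "$1.crt" 2>/dev/null
  fi
}

# $1 = certificate: print TRUE, FALSE or NONE for its basicConstraints CA flag,
# the flag Andreas asked to be checked with "openssl x509 -noout -text".
ca_flag() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo TRUE
  elif openssl x509 -in "$1" -noout -text | grep -q 'CA:FALSE'; then
    echo FALSE
  else
    echo NONE
  fi
}

# $1 = trusted root, $2 = intermediate (untrusted, has to prove itself),
# $3 = end-entity certificate. Exit status 0 only if the whole chain validates.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3"
}

new_key_and_csr DaRoot ca;             self_sign_root ca
new_key_and_csr Zintermediate ca-int;  issue_cert ca-int ca ca.ext      # proper sub-CA
new_key_and_csr NoFlag ca-noflag;      issue_cert ca-noflag ca          # CA flag missing
new_key_and_csr ten ten;               issue_cert ten ca-int
new_key_and_csr ten2 ten-noflag;       issue_cert ten-noflag ca-noflag

echo "Zintermediate CA flag: $(ca_flag ca-int.crt)"
echo "NoFlag CA flag:        $(ca_flag ca-noflag.crt)"
verify_chain ca.crt ca-int.crt ten.crt           || echo "unexpected: good chain rejected"
verify_chain ca.crt ca-noflag.crt ten-noflag.crt || echo "expected: NoFlag is not a valid CA"
# The root alone is not enough: without the intermediate the leaf has no
# issuer, which is the "no issuer certificate found" situation in the first mail.
openssl verify -CAfile ca.crt ten.crt || echo "expected: intermediate not available"
```

Run it with `sh` on a host with the openssl binary. The first `openssl verify` reports `ten.crt: OK`; the second is rejected with `invalid CA certificate`, which is the openssl-side counterpart of strongSwan refusing to load a certificate without the CA flag into its CA list; the third fails with `unable to get local issuer certificate`. Once the chain validates this way, strongSwan still needs certificate authentication selected for the connection (`authby=pubkey`, the default, or `leftauth=pubkey`/`rightauth=pubkey`), as the reply at the top of this mail points out.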