[strongSwan] Unable to establish ipsec tunnel using certs of intermediate CA's
Sriram
sriram.ec at gmail.com
Fri Mar 7 05:56:37 CET 2014
Yes Andreas, I had retained authby=secret which I had used to setup tunnels
using psk.
Thanks for pointing that out. I changed it to pubkey
Now I am able to setup the tunnels properly.
IKE_AUTH payload contains the chain of certificates now.
Thanks for the help.
Regards,
Sriram.
On Thu, Mar 6, 2014 at 7:16 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:
> Hi Sriram,
>
> the actual error now is
>
>
> > authentication of 'CN=ten' (myself) with pre-shared key
> > no shared key found for 'CN=ten' - 'CN=eleven'
>
> Did you configure PSK-based authentication by either
> setting leftauth=psk, leftauth=secret, or authby=secret?
>
> For mutual certificate based authentication you should set
>
> authby=pubkey
>
> which is the default or alternatively
>
> leftauth=pubkey
> rightauth=pubkey
>
> Regards
>
> Andreas
>
>
> On 06.03.2014 14:31, Sriram wrote:
>
>> Hi Andreas,
>>
>> Now i have added CA:TRUE for intermediate certs
>>
>> 10.206.1.10
>> [root at localhost private]# ipsec listcacerts
>>
>> List of X.509 CA Certificates:
>>
>> subject: "CN=DaRoot"
>> issuer: "CN=DaRoot"
>> serial: b6:1b:fb:f4:96:05:f7:18
>> validity: not before Mar 06 18:01:38 2014, ok
>> not after Apr 05 18:01:38 2014, ok (expires in 29 days)
>> pubkey: RSA 1024 bits
>> keyid: eb:12:9a:05:72:2b:bf:89:f0:49:91:47:f7:bf:c1:85:9b:0f:66:e8
>> subjkey: 55:90:f7:42:41:91:73:a1:fb:84:b8:91:8a:2e:32:44:73:97:f9:10
>> authkey: 55:90:f7:42:41:91:73:a1:fb:84:b8:91:8a:2e:32:44:73:97:f9:10
>>
>> subject: "CN=Zintermediate"
>> issuer: "CN=DaRoot"
>> serial: 02:46:a7:72
>> validity: not before Mar 06 18:05:34 2014, ok
>> not after Mar 26 18:05:34 2014, ok (expires in 19 days)
>> pubkey: RSA 1024 bits
>> keyid: c2:ba:fb:bd:36:0b:bd:32:e7:8e:0c:b9:25:82:59:64:6a:f8:b7:46
>> subjkey: f0:2a:8a:a7:55:7f:1b:44:ef:c4:18:00:79:c1:d8:7b:be:98:00:cd
>>
>>
>> 10.206.1.11
>> [root at localhost sriram_ikeauth]# ipsec listcacerts
>>
>> List of X.509 CA Certificates:
>>
>> subject: "CN=Zintermediate1"
>> issuer: "CN=DaRoot"
>> serial: 02:46:a7:73
>> validity: not before Mar 06 18:09:23 2014, ok
>> not after Mar 26 18:09:23 2014, ok (expires in 19 days)
>> pubkey: RSA 1024 bits
>> keyid: ea:d5:28:42:7e:74:f3:47:53:51:5e:28:be:27:ed:8f:2c:dc:05:eb
>> subjkey: ee:3d:fe:ab:11:d4:d9:3c:a2:3c:95:cb:42:04:d8:0e:12:35:36:76
>>
>> subject: "CN=DaRoot"
>> issuer: "CN=DaRoot"
>> serial: b6:1b:fb:f4:96:05:f7:18
>> validity: not before Mar 06 18:01:38 2014, ok
>> not after Apr 05 18:01:38 2014, ok (expires in 29 days)
>> pubkey: RSA 1024 bits
>> keyid: eb:12:9a:05:72:2b:bf:89:f0:49:91:47:f7:bf:c1:85:9b:0f:66:e8
>> subjkey: 55:90:f7:42:41:91:73:a1:fb:84:b8:91:8a:2e:32:44:73:97:f9:10
>> authkey: 55:90:f7:42:41:91:73:a1:fb:84:b8:91:8a:2e:32:44:73:97:f9:10
>>
>> But ipsec tunnel is not getting established
>> In 10.206.1.10 I am getting the below errors.
>>
>> [root at localhost private]# ipsec up home
>> initiating IKE_SA home[2] to 10.206.1.11
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> sending packet: from 10.206.1.10[500] to 10.206.1.11[500] (268 bytes)
>> received packet: from 10.206.1.11[500] to 10.206.1.10[500] (321 bytes)
>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> CERTREQ N(MULT_AUTH) ]
>> received cert request for "CN=DaRoot"
>> received 1 cert requests for an unknown ca
>> sending cert request for "CN=DaRoot"
>> sending cert request for "CN=Zintermediate"
>> authentication of 'CN=ten' (myself) with pre-shared key
>> no shared key found for 'CN=ten' - 'CN=eleven'
>> establishing connection 'home' failed
>>
>> I have used the below set of commands to generate the certificates of
>> root CA, SubCA's and End Entities.
>>
>> Root ca cert creation
>>
>> openssl req -new -x509 -nodes -out ca.crt -keyout ca.key -subj
>> /CN=DaRoot -newkey rsa:1024 -sha512
>>
>> Intermediate CA cert creation signed by RootCA
>>
>> openssl req -new -nodes -out ca-int.req -keyout ca-int.key -subj
>> /CN=Zintermediate -newkey rsa:1024 -sha512
>>
>> openssl x509 -req -in ca-int.req -CAkey ca.key -CA ca.crt -days 20
>> -set_serial 38184818 -sha512 -out ca-int.crt -extfile
>> ../sriram_chaincert1/file.prm
>>
>> [root at localhost sriram_chaincert2]# cat ../sriram_chaincert1/file.prm
>>
>> basicConstraints=CA:TRUE
>>
>> Intermediate1 CA cert creation signed by RootCA
>>
>> openssl req -new -nodes -out ca-int1.req -keyout ca-int1.key -subj
>> /CN=Zintermediate1 -newkey rsa:1024 -sha512
>>
>> openssl x509 -req -in ca-int1.req -CAkey ca.key -CA ca.crt -days 20
>> -set_serial 38184819 -sha512 -out ca-int1.crt -extfile
>> ../sriram_chaincert1/file.prm
>>
>> [root at localhost sriram_chaincert2]# cat ../sriram_chaincert1/file.prm
>>
>> basicConstraints=CA:TRUE
>>
>> End Entity cert creation signed by intermediate CA
>>
>> openssl req -new -out ten.req -keyout ten.key -nodes -newkey rsa:1024
>> -subj /CN=ten
>>
>> openssl x509 -req -in ten.req -CAkey ca-int.key -CA ca-int.crt -days 10
>> -set_serial 38184820 -sha512 -out ten.crt
>>
>> End Entity1 cert creation signed by Intermediate1 CA
>>
>> openssl req -new -out eleven.req -keyout eleven.key -nodes -newkey
>> rsa:1024 -subj /CN=eleven
>>
>> openssl x509 -req -in eleven.req -CAkey ca-int1.key -CA ca-int1.crt
>> -days 10 -set_serial 38184821 -sha512 -out eleven.crt
>>
>> Please let me know how to resolve this issue.
>>
>>
>> Regards,
>>
>> Sriram.
>>
>>
>>
>>
>>
>>
>> On Tue, Mar 4, 2014 at 8:11 PM, Sriram <sriram.ec at gmail.com
>> <mailto:sriram.ec at gmail.com>> wrote:
>>
>> Thanks Andreas, Let me check that and get back to you.
>>
>> Regards,
>> Sriram.
>>
>>
>> On Tue, Mar 4, 2014 at 7:38 PM, Andreas Steffen
>> <andreas.steffen at strongswan.org
>> <mailto:andreas.steffen at strongswan.org>> wrote:
>>
>> Hi Siram,
>>
>> in order for an Intermediate CA certificate to be accepted by
>> strongSwan, the CA basic constraint in the certificate has
>> to be set to TRUE. So if you execute
>>
>> openssl x509 -in ca-int.crt -noout -text
>>
>> the CA flag should show as TRUE:
>>
>> X509v3 extensions:
>> X509v3 Basic Constraints: critical
>> CA:TRUE
>> X509v3 Key Usage:
>> Certificate Sign, CRL Sign
>>
>> Regards
>>
>> Andreas
>>
>>
>> On 04.03.2014 14 <tel:04.03.2014%2014>:57, Sriram wrote:
>>
>> Hi Andreas,
>>
>> I think it is not loaded.
>>
>> On 10.206.1.11
>>
>> [root at localhost ~]# ipsec listcacerts
>>
>> List of X.509 CA Certificates:
>>
>> subject: "CN=DaRoot"
>> issuer: "CN=DaRoot"
>> serial: c9:95:0a:00:41:c4:d8:25
>> validity: not before Mar 03 18:10:17 2014, ok
>> not after Apr 02 18:10:17 2014, ok (expires
>> in 28 days)
>> pubkey: RSA 2048 bits
>> keyid:
>> be:25:1a:4a:e6:f8:44:c4:fe:32:__a8:d4:7c:9d:75:42:7d:51:19:0f
>> subjkey:
>> c3:59:68:a5:73:e8:b8:76:45:06:__3b:c8:a4:62:b3:06:61:7e:9a:c0
>> authkey:
>> c3:59:68:a5:73:e8:b8:76:45:06:__3b:c8:a4:62:b3:06:61:7e:9a:c0
>>
>>
>>
>> on 10.206.1.10
>> [root at localhost ~]# ipsec listcacerts
>>
>> List of X.509 CA Certificates:
>>
>> subject: "CN=DaRoot"
>> issuer: "CN=DaRoot"
>> serial: c9:95:0a:00:41:c4:d8:25
>> validity: not before Mar 03 18:10:17 2014, ok
>> not after Apr 02 18:10:17 2014, ok (expires
>> in 28 days)
>> pubkey: RSA 2048 bits
>> keyid:
>> be:25:1a:4a:e6:f8:44:c4:fe:32:__a8:d4:7c:9d:75:42:7d:51:19:0f
>> subjkey:
>> c3:59:68:a5:73:e8:b8:76:45:06:__3b:c8:a4:62:b3:06:61:7e:9a:c0
>> authkey:
>> c3:59:68:a5:73:e8:b8:76:45:06:__3b:c8:a4:62:b3:06:61:7e:9a:c0
>>
>>
>> Regards,
>> Sriram.
>>
>>
>> On Tue, Mar 4, 2014 at 6:49 PM, Andreas Steffen
>> <andreas.steffen at strongswan.__org
>> <mailto:andreas.steffen at strongswan.org>
>> <mailto:andreas.steffen at __strongswan.org
>>
>> <mailto:andreas.steffen at strongswan.org>>>
>>
>> wrote:
>>
>> Hi Sriram, could you post the output of the command
>>
>> ipsec listcacerts
>>
>> both on 10.206.1.10 and 10.206.1.11. This shows if the
>> intermediate
>> CA certificates have been successfully loaded.
>>
>> Regards
>>
>> Andreas
>>
>>
>> On 04.03.2014 12 <tel:04.03.2014%2012>
>> <tel:04.03.2014%2012>:45, Sriram wrote:
>>
>> Hi Everyone,
>>
>> I have host -to-host ipsec setup between 2 ips
>> 10.206.1.10 and
>> 10.206.1.11
>>
>> Tunnel is established using certificates. Tunnel is
>> established
>> properly, when the certificates are generated using
>> rootca.
>>
>> But when the certificates are generated using
>> intermediate CA's,
>> tunnel
>> is not getting established.
>>
>> In 10.206.1.10
>>
>> Under /etc/ipsec.d/cacerts/ I have copied
>> ca.crt(root ca),
>> *ca-int.crt(Intermediate ca)*
>>
>>
>> In /etc/ipsec.d/certs/ I have copied end entity
>> cert issued by
>> ca-int.crt
>>
>> In 10.206.1.11
>>
>> Under /etc/ipsec.d/cacerts/ I have copied
>> ca.crt(root ca),
>> *ca-int1.crt(Intermediate ca)*
>>
>>
>> In /etc/ipsec.d/certs/ I have copied end entity
>> cert issued by
>> ca-int1.crt
>>
>> I am getting below errors
>>
>> Mar3 19:34:45 localhost charon: 06[ENC] parsed
>> IKE_AUTH request
>> 1 [ IDi
>>
>> CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR) SA
>> TSi TSr
>> N(MULT_AUTH)
>> N(EAP_ONLY) ]
>>
>> Mar3 19:34:45 localhost charon: 06[IKE] received
>> cert request for
>> "CN=DaRoot"
>>
>> Mar3 19:34:45 localhost charon: 06[IKE] received
>> end entity cert
>> "CN=1234abcd"
>>
>> Mar3 19:34:45 localhost charon: 06[CFG] looking for
>> peer configs
>>
>> matching
>> 10.206.1.11[CN=12345abcde]...____10.206.1.10[CN=1234abcd]
>>
>>
>>
>> Mar3 19:34:45 localhost charon: 06[CFG] peer config
>> match local: 20
>>
>> (ID_DER_ASN1_DN ->
>>
>> 30:15:31:13:30:11:06:03:55:04:____03:13:0a:31:32:33:34:35:
>> 61:__62:__63:64:65)
>>
>>
>>
>> Mar3 19:34:45 localhost charon: 06[CFG] peer config
>> match remote: 20
>>
>> (ID_DER_ASN1_DN ->
>>
>> 30:13:31:11:30:0f:06:03:55:04:____03:13:08:31:32:33:34:61:
>> 62:__63:__64)
>>
>>
>>
>> Mar3 19:34:45 localhost charon: 06[CFG] ike config
>> match: 3100
>> (10.206.1.11 10.206.1.10 IKEv2)
>>
>> Mar3 19:34:45 localhost charon: 06[CFG]candidate
>> "home1", match:
>> 20/20/3100 (me/other/ike)
>>
>> Mar3 19:34:45 localhost charon: 06[CFG] selected
>> peer config 'home1'
>>
>> Mar3 19:34:45 localhost charon: 06[IKE] IDx' => 25
>> bytes @
>> 0xb4d82fe0
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]0: 09 00 00
>> 00 30 13 31
>> 11 30 0F
>>
>> 06 03 55 04 03 13....0.1.0
>> <tel:06%2003%2055%2004%2003%2013....0.1.0>
>> <tel:06%2003%2055%2004%2003%__2013....0.1.0>...U...
>>
>>
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]16: 08 31 32
>> 33 34 61 62 63
>> 64.1234abcd
>>
>> Mar3 19:34:45 localhost charon: 06[IKE] SK_p => 16
>> bytes @ 0x91c5340
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]0: 43 85 1F
>> D8 CA 8B BD
>> 27 A0 58
>>
>> B8 9F 18 5C E7 C0C......'.X...\..
>>
>> Mar3 19:34:45 localhost charon: 06[IKE] octets =
>> message + nonce +
>>
>> prf(Sk_px, IDx') => 316 bytes @ 0x91c6d88
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]0: 95 B5 C1
>> A2 8D 13 C3
>> 77 00 00
>>
>> 00 00 00 00 00 00.......w........
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]16: 21 20 22
>> 08 00 00 00
>> 00 00 00
>>
>> 01 0C 22 00 00 2C! "........."..,
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]32: 00 00 00
>> 28 01 01 00
>> 04 03 00
>>
>> 00 08 01 00 00 03...(............
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]48: 03 00 00
>> <tel:03%2000%2000>
>> <tel:03%2000%2000> <tel:03%2000%2000>
>>
>>
>> 08 03 00 00 01 03 00 00 08 02 00 00
>> 01................
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]64: 00 00 00
>> 08 04 00 00
>> 01 28 00
>>
>> 00 68 00 01 00 00........(..h....
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]80: 23 F4 AC
>> E7 E8 4E 55
>> 80 54 B7
>>
>> 14 C8 48 B9 98 AE#....NU.T...H...
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]96: 15 DB CA
>> F8 93 BF 31
>> 2D 59 89
>>
>> 77 52 32 A8 0A 2D......1-Y.wR2..-
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]112: 78 3E
>> 6F EB 6D 33 5A
>> E6 A5
>>
>> B7 0F 9A 3C DA 4E D8x>o.m3Z.....<.N.
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]128: E6 71
>> B4 C4 5A D7 20
>> 48 61
>>
>> B2 34 14 99 0A F6 AF.q..Z. Ha.4.....
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]144: F8 DB
>> 6D 82 B2 55 6C
>> 1B 84
>>
>> CA 37 8E C3 7F 50 8A..m..Ul...7...P.
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]160: 5C 2A
>> 39 E4 27 FC 8D
>> 23 38
>>
>> 95 E2 B2 F3 F9 8E CA\*9.'..#8.......
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]176: 29 00
>> 00 24 03 8D 56
>> 09 5D
>>
>> B1 17 D2 BA 29 D6 8B)..$..V.]....)..
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]192: 7E 0B
>> A5 2D 42 4C 1D
>> 37 D9
>>
>> EA 17 4A 0D 0C 77 67~..-BL.7...J..wg
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]208: E6 51
>> 40 1D 29 00 00
>> 1C 00
>>
>> 00 40 04 D5 2F E3 7F.Q at .)..... at ../..
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]224: 13 80
>> F3 7A 91 9D F2
>> 7A 0A
>>
>> 6E C0 A9 E7 B2 72 63...z...z.n....rc
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]240: 00 00
>> 00 1C 00 00 40
>> 05 BD
>>
>> B4 3E 98 F1 EB F4 10...... at ...>.....
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]256: 44 06
>> 6B 25 90 C4 30
>> CF BB
>>
>> FB FE 4C 00 9B 1E ADD.k%..0....L....
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]272: 19 7A
>> F6 43 23 A9 8A
>> C4 3C
>>
>> EF 98 57 13 69 07 0E.z.C#...<..W.i..
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]288: 9A E4
>> 34 F1 A6 9B 48
>> 65 E8
>>
>> 06 8A 6C 6D 30 6B C1..4...He...lm0k.
>>
>> Mar3 19:34:45 localhost charon: 06[IKE]304: F2 2C
>> 6E 19 39 37 C1
>> C6 2F
>> 48 D2 18.,n.97../H..
>>
>> Mar3 19:34:45 localhost charon: 06[CFG]using
>> certificate
>> "CN=1234abcd"
>>
>> Mar3 19:34:45 localhost charon: 06[CFG]certificate
>> "CN=1234abcd"
>> key:
>> 2048 bit RSA
>>
>> *Mar3 19:34:45 localhost charon: 06[CFG] no issuer
>> certificate
>> found for
>> "CN=1234abcd"*
>>
>> Mar3 19:34:45 localhost charon: 06[IKE] no trusted
>> RSA public
>> key found
>> for 'CN=1234abcd'
>>
>> Mar3 19:34:45 localhost charon: 06[IKE] processing
>> INTERNAL_IP4_ADDRESS
>>
>> attribute
>>
>> Please let me know, how to resolve this issue.
>>
>> Below post suggests that the intermediate certs
>> need to be sent
>> along
>> with the end-entity certificates in ike_auth message.
>>
>> If that can solve the issue, how can I achieve that.
>>
>> https://lists.strongswan.org/____pipermail/users/2013-March/
>> ____008956.html
>> <https://lists.strongswan.org/__pipermail/users/2013-March/_
>> _008956.html>
>>
>>
>>
>> <https://lists.strongswan.org/__pipermail/users/2013-March/_
>> _008956.html
>> <https://lists.strongswan.org/pipermail/users/2013-March/
>> 008956.html>>
>>
>> Any help in this regard is appreciated.
>>
>> Regards,
>>
>> Sriram.
>>
>>
>>
>>
>>
>>
>> ___________________________________________________
>>
>> Users mailing list
>> Users at lists.strongswan.org
>> <mailto:Users at lists.strongswan.org>
>> <mailto:Users at lists.__strongswan.org
>> <mailto:Users at lists.strongswan.org>>
>> https://lists.strongswan.org/____mailman/listinfo/users
>> <https://lists.strongswan.org/__mailman/listinfo/users>
>>
>>
>> <https://lists.strongswan.org/__mailman/listinfo/users
>> <https://lists.strongswan.org/mailman/listinfo/users>>
>>
>>
>> --
>>
>> ==============================____==========================
>> ==__==__==========
>>
>> Andreas Steffen andreas.steffen at strongswan.org
>> <mailto:andreas.steffen at strongswan.org>
>> <mailto:andreas.steffen at __strongswan.org
>>
>> <mailto:andreas.steffen at strongswan.org>>
>>
>> strongSwan - the Open Source VPN Solution!
>> www.strongswan.org <http://www.strongswan.org>
>> <http://www.strongswan.org>
>>
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>>
>> ==============================____==========================
>> ==__=[__ITA-HSR]==
>>
>>
>>
>>
>> --
>> ==============================__============================
>> ==__==========
>> Andreas Steffen andreas.steffen at strongswan.org
>> <mailto:andreas.steffen at strongswan.org>
>> strongSwan - the Open Source VPN Solution! www.strongswan.org
>> <http://www.strongswan.org>
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ==============================__============================
>> =[__ITA-HSR]==
>>
>>
>>
>>
> --
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140307/96c9d23b/attachment-0001.html>
More information about the Users
mailing list