[strongSwan] DN-based ID not confirmed by Certificate

Aaron Edwards aaron at ebob9.com
Sat May 31 03:14:02 CEST 2014


As an update, copying the certificate from each machine to the other
machine, and allowing the remote DN to be learned from the certificate as
rightcert=<othersidecert> allows the machines to find the peer config and
establish.

I'm 99.9% sure the DN text-based rightid/leftid in the config matches what's
in the certificate. There's definitely something strange going on here;
shouldn't text DNs still work as IDs? Am I missing a change or something?

Here are the relevant ipsec.conf files as I have them mocked up in my testbed:

-- BOX 1 --
# basic configuration

config setup
 charondebug="ike 3, knl 2, cfg 3"
# strictcrlpolicy=yes
# uniqueids = no

# Add connections here.

conn DEVOPS-B
       authby=rsasig
       auto=start
       compress=yes
       dpdaction=clear
       dpddelay=10s
       dpdtimeout=20s
       esp=aes256-sha1
       #inactivity=600s
       forceencaps=yes
       #ike=
       type=transport
       keyexchange=ikev2
       keyingtries=3
       leftsubnet=192.168.1.10/24
       #leftfirewall=yes
       leftprotoport=47
       leftcert=office.cer
       left=192.168.1.10
       #leftid="C=US, ST=California, L=Santa Clara, O=Company, Inc, OU=Marketing, CN=office.company.com"
       #leftid=
       right=2.2.2.2
       # Peer not found if RightID set to DN and rightcert not specified ??
       #rightid="C=US, ST=California, L=Santa Clara, O=Company, Inc, OU=Marketing, CN=devops.company.com"
       rightcert=devops.cer


-- BOX 2 --
# basic configuration

config setup
# strictcrlpolicy=yes
 # uniqueids = no

# Add connections here.

conn OFFICE-1
       authby=rsasig
       auto=start
       compress=yes
       dpdaction=clear
       dpddelay=10s
       dpdtimeout=20s
       esp=aes256-sha1
       #inactivity=600s
       forceencaps=yes
       #ike=
       type=transport
       keyexchange=ikev2
       keyingtries=3
       leftsubnet=192.168.0.10/24
       #leftfirewall=yes
       leftprotoport=47
       leftcert=devops.cer
       left=192.168.0.10
       #leftid="C=US, ST=California, L=Santa Clara, O=Company, Inc, OU=Marketing, CN=devops.company.com"
       #leftid=
       right=1.1.1.1
       # Peer not found if RightID set to DN and rightcert not specified ??

       #rightid="C=US, ST=California, L=Santa Clara, O=Company, Inc, OU=Marketing, CN=office.company.com"
       rightcert=office.cer

Any thoughts?

TIA,
Aaron

On Fri, May 30, 2014 at 12:19 PM, Aaron Edwards <aaron at ebob9.com> wrote:

> Hi All,
>
> Looking for some troubleshooting direction here.
>
> I'm setting up a strongswan to strongswan VPN, authenticating using
> DN-based IDs on certificates from a private CA.
>
> I've done this a *bunch* of times before with earlier self-compiled
> versions (5.0.1-5.1.0), however in 5.1.2 that comes with Ubuntu 14.04,
> Strongswan does not seem to like my ID:
>
> May 30 18:54:12 office-gilligan charon: 10[CFG]   id 'C=US, ST=California,
> L=Santa Clara, O=Company, Inc, OU=Marketing, CN=office.company.com' not
> confirmed by certificate, defaulting to 'C=US, ST=California, L=Santa
> Clara, O=Company, Inc, OU=Marketing, CN=office.company.com'
>
> Later on, when the peer tries to connect, I get a "peer config not found".
> Note - I am not using SANs in my certificates (thus why I have been doing
> DN-based auth), which has worked before.
>
> Are there any changes/ known bugs from 5.1.0 to 5.1.2 that could cause
> this? If not, are there any configuration/compilation options that could
> cause this? Just looking for ideas on what to try next.
>
> Thanks,
> Aaron
>
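An added example, not part of the mailing-list thread above and not strongSwan code: an offline check, written against the RFC 4514 string rules rather than strongSwan's own parser, that a DN typed into ipsec.conf is well-formed and equals the subject you expect component by component. The two DN strings are copied from the post; `OFFICE_DN_ESCAPED` is an assumed variant with the comma inside the `O=` value backslash-escaped. Under RFC 4514 an unescaped comma ends a component, so a value such as `Company, Inc` typed verbatim splits into `O=Company` and a dangling `Inc`, which is the kind of mismatch a text comparison against a certificate's printed subject can hide.

```python
# Added example (not from the strongSwan mailing-list post): an offline check
# that a DN typed into ipsec.conf is well-formed under RFC 4514 and equals the
# subject you expect, component by component.
from typing import Dict, List, Tuple

RDN = Tuple[str, str]

# The DN exactly as it appears in the post (constructed from the page text).
OFFICE_DN_AS_TYPED = (
    "C=US, ST=California, L=Santa Clara, O=Company, Inc, "
    "OU=Marketing, CN=office.company.com"
)
# Assumed variant: same DN with the comma inside the O= value escaped per RFC 4514.
OFFICE_DN_ESCAPED = (
    "C=US, ST=California, L=Santa Clara, O=Company\\, Inc, "
    "OU=Marketing, CN=office.company.com"
)

# Characters that must be backslash-escaped inside a value (RFC 4514 section 2.4).
SPECIALS = ',+"\\<>;'


def parse_dn(text: str) -> List[RDN]:
    """Split an RFC 4514 string into (attribute, value) pairs.

    An unescaped ',' ends a component; '\\' escapes the next character.
    Multi-valued RDNs joined with '+' are not handled. A component without
    '=' is rejected rather than silently dropped.
    """
    rdns: List[RDN] = []
    buf: List[str] = []
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])  # escaped character, taken literally
            i += 2
            continue
        if c == ",":
            rdns.append(_component("".join(buf)))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    rdns.append(_component("".join(buf)))
    return rdns


def _component(raw: str) -> RDN:
    raw = raw.strip()
    if "=" not in raw:
        raise ValueError(f"component {raw!r} has no attribute=value form; "
                         "an unescaped comma inside a value causes this")
    attr, value = raw.split("=", 1)
    # Attribute types are case-insensitive; values are compared as given.
    return attr.strip().upper(), value.strip()


def format_dn(rdns: List[RDN]) -> str:
    """Serialise pairs back to a string, escaping RFC 4514 special characters."""
    def esc(v: str) -> str:
        chars: List[str] = []
        for idx, ch in enumerate(v):
            leading_hash = ch == "#" and idx == 0
            edge_space = ch == " " and idx in (0, len(v) - 1)
            if ch in SPECIALS or leading_hash or edge_space:
                chars.append("\\")
            chars.append(ch)
        return "".join(chars)
    return ", ".join(f"{a}={esc(v)}" for a, v in rdns)


def check_config_dn(text: str) -> Dict[str, object]:
    """Report whether a DN string is well-formed and how it parses."""
    try:
        rdns = parse_dn(text)
    except ValueError as e:
        return {"ok": False, "error": str(e), "rdns": []}
    return {"ok": True, "error": "", "rdns": rdns}


def dn_equal(a: str, b: str) -> bool:
    """Compare two DN strings as attribute/value sequences, not as raw text."""
    return parse_dn(a) == parse_dn(b)


if __name__ == "__main__":
    for label, dn in (("as typed", OFFICE_DN_AS_TYPED), ("escaped", OFFICE_DN_ESCAPED)):
        result = check_config_dn(dn)
        print(label, "->", "ok" if result["ok"] else f"rejected: {result['error']}")
        for attr, value in result["rdns"]:
            print(f"  {attr} = {value!r}")
```

Run it as a script to see the typed form rejected at the `Inc` fragment and the escaped form parse into six components with `O` equal to `Company, Inc`. The check says nothing about how any particular IKE daemon tokenises its configuration; it only shows whether the string you typed is the DN you think it is in RFC 4514 terms, which is the first thing worth ruling out when an ID "is not confirmed by certificate".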

