[strongSwan] DN-based ID not confirmed by Certificate
Aaron Edwards
aaron at ebob9.com
Sat May 31 03:14:02 CEST 2014
As an update, copying the certificate from each machine to the other
machine, and allowing the remote DN to be learned from the certificate as
rightcert=<othersidecert> allows the machines to find the peer config and
establish.
I'm 99.9% sure the DN text-based rightid/leftid in the config matches what's
in the certificate. There's definitely something strange going on here;
shouldn't text DNs still work as IDs? Am I missing a change or something?
Here are the relevant ipsec.conf files as I have them mocked up in my testbed:
-- BOX 1 --
# basic configuration
config setup
    charondebug="ike 3, knl 2, cfg 3"
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.
conn DEVOPS-B
    authby=rsasig
    auto=start
    compress=yes
    dpdaction=clear
    dpddelay=10s
    dpdtimeout=20s
    esp=aes256-sha1
    #inactivity=600s
    forceencaps=yes
    #ike=
    type=transport
    keyexchange=ikev2
    keyingtries=3
    leftsubnet=192.168.1.10/24
    #leftfirewall=yes
    leftprotoport=47
    leftcert=office.cer
    left=192.168.1.10
    #leftid="C=US, ST=California, L=Santa Clara, O=Company, Inc, OU=Marketing, CN=office.company.com"
    #leftid=
    right=2.2.2.2
    # Peer not found if RightID set to DN and rightcert not specified ??
    #rightid="C=US, ST=California, L=Santa Clara, O=Company, Inc, OU=Marketing, CN=devops.company.com"
    rightcert=devops.cer
-- BOX 2 --
# basic configuration
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.
conn OFFICE-1
    authby=rsasig
    auto=start
    compress=yes
    dpdaction=clear
    dpddelay=10s
    dpdtimeout=20s
    esp=aes256-sha1
    #inactivity=600s
    forceencaps=yes
    #ike=
    type=transport
    keyexchange=ikev2
    keyingtries=3
    leftsubnet=192.168.0.10/24
    #leftfirewall=yes
    leftprotoport=47
    leftcert=devops.cer
    left=192.168.0.10
    #leftid="C=US, ST=California, L=Santa Clara, O=Company, Inc, OU=Marketing, CN=devops.company.com"
    #leftid=
    right=1.1.1.1
    # Peer not found if RightID set to DN and rightcert not specified ??
    #rightid="C=US, ST=California, L=Santa Clara, O=Company, Inc, OU=Marketing, CN=office.company.com"
    rightcert=office.cer
Any thoughts?
TIA,
Aaron
On Fri, May 30, 2014 at 12:19 PM, Aaron Edwards <aaron at ebob9.com> wrote:
> Hi All,
>
> Looking for some troubleshooting direction here.
>
> I'm setting up a strongswan to strongswan VPN, authenticating using
> DN-based IDs on certificates from a private CA.
>
> I've done this a *bunch* of times before with earlier self-compiled
> versions (5.0.1-5.1.0), however in 5.1.2 that comes with Ubuntu 14.04,
> Strongswan does not seem to like my ID:
>
> May 30 18:54:12 office-gilligan charon: 10[CFG] id 'C=US, ST=California, L=Santa Clara, O=Company, Inc, OU=Marketing, CN=office.company.com' not confirmed by certificate, defaulting to 'C=US, ST=California, L=Santa Clara, O=Company, Inc, OU=Marketing, CN=office.company.com'
>
> Later on, when the peer tries to connect, I get a "peer config not found".
> Note - I am not using SANs in my certificates (thus why I have been doing
> DN-based auth), which has worked before.
>
> Are there any changes/ known bugs from 5.1.0 to 5.1.2 that could cause
> this? If not, are there any configuration/compilation options that could
> cause this? Just looking for ideas on what to try next.
>
> Thanks,
> Aaron
>
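Editor's note, added to this archived thread and not part of the original post or of strongSwan's code: one detail worth checking in the DN above is the unescaped comma inside the organization value, "O=Company, Inc". In RFC 4514 string form a comma is the RDN separator, and a literal comma inside a value has to be written as "\,", so a parser that splits on commas sees "O=Company" followed by a bare "Inc" fragment with no "=". The post does not establish that this is what strongSwan 5.1.2 does, but it is cheap to rule out: compare the configured string against the subject the certificate actually carries (for example, `openssl x509 -in office.cer -noout -subject -nameopt RFC2253` prints it with RFC 2253 escaping). The constructed example below is a small RFC 4514-style DN parser that shows the mismatch with the unescaped string and the match once the comma is escaped; the certificate subject and both ID strings are constructed from the DN quoted in the post, and `parse_dn`, `format_dn` and `dn_matches` are names chosen for this illustration.

```python
"""Constructed example (not strongSwan code): how a comma-separated DN string
is split into RDNs, and why an unescaped comma inside a value can make a
configured DN-based ID fail to match the certificate subject."""

from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("CN", "office.company.com")

# Characters RFC 4514 requires to be backslash-escaped inside a value.
# (Leading '#' and leading/trailing spaces also need escaping; omitted here.)
SPECIALS = ',+"\\<>;'


def parse_dn(text: str) -> List[RDN]:
    """Split an RFC 4514-style DN string into (attribute, value) pairs.

    Unescaped commas separate RDNs; a backslash escapes the next character,
    so a literal comma in a value is written as '\\,'. A component with no
    '=' (the bare 'Inc' left over from 'O=Company, Inc') raises ValueError.
    """
    components, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])  # keep the escaped char literally
            i += 2
            continue
        if ch == ",":
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    components.append("".join(buf))

    rdns: List[RDN] = []
    for comp in components:
        comp = comp.strip()
        if "=" not in comp:
            raise ValueError(f"RDN without '=': {comp!r}")
        attr, value = comp.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def format_dn(rdns: List[RDN]) -> str:
    """Render RDNs back to a DN string, escaping the special characters.

    This is the form to paste into a configured ID when a value contains a comma."""
    def esc(value: str) -> str:
        return "".join("\\" + c if c in SPECIALS else c for c in value)
    return ", ".join(f"{attr}={esc(value)}" for attr, value in rdns)


def dn_matches(configured_id: str, cert_subject: List[RDN]) -> bool:
    """True if configured_id parses as a DN and equals cert_subject RDN by RDN.

    Attribute types compare case-insensitively; a configured string that does
    not even parse as a DN never matches, whatever it happens to look like."""
    try:
        return parse_dn(configured_id) == cert_subject
    except ValueError:
        return False


# Constructed certificate subject: the components a certificate with the DN
# from the post would carry. The O value genuinely contains a comma.
CERT_SUBJECT: List[RDN] = [
    ("C", "US"), ("ST", "California"), ("L", "Santa Clara"),
    ("O", "Company, Inc"), ("OU", "Marketing"), ("CN", "office.company.com"),
]

# Constructed ID strings: the one from the post, and the same DN with the
# comma inside the O value escaped as RFC 4514 requires.
UNESCAPED_ID = ("C=US, ST=California, L=Santa Clara, O=Company, Inc, "
                "OU=Marketing, CN=office.company.com")
ESCAPED_ID = ("C=US, ST=California, L=Santa Clara, O=Company\\, Inc, "
              "OU=Marketing, CN=office.company.com")


def demo() -> dict:
    """Compare both configured strings against the constructed subject."""
    return {
        "unescaped": dn_matches(UNESCAPED_ID, CERT_SUBJECT),
        "escaped": dn_matches(ESCAPED_ID, CERT_SUBJECT),
        "suggested_id": format_dn(CERT_SUBJECT),
    }


if __name__ == "__main__":
    result = demo()
    print("unescaped ID matches subject:", result["unescaped"])
    print("escaped ID matches subject:  ", result["escaped"])
    print("ID string to configure:      ", result["suggested_id"])
```

The point the example makes is that the two strings in the log line can print identically while still being different objects: the certificate subject is a structured DN, whereas a configured string that does not parse as a DN is just an opaque string, so "not confirmed by certificate" is the expected outcome. Whether that is the cause here depends on how strongSwan's own parser handles the comma, which the post does not show; checking the certificate's subject with the escaping flag above settles it either way.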