[strongSwan] [strongswan-5.1.1] Unable to establish tunnel using two level certificate Authentication

Muralidhar Rangaiah mrangaiah at airvana.com
Wed Sep 3 15:47:08 CEST 2014


Hi,

I am trying to establish the ipsec tunnel using 2 level Certificates.
But I am not able to do so. I am using strongswan-5.1.1 on both client and server side.
I got this error at the strongswan client.

strongswan client logs upon failure
===========================================================
# /usr/sbin/ipsec up home
initiating IKE_SA home[1] to 10.205.20.60
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.51.103[500] to 10.205.20.60[500] (300 bytes)
received packet: from 10.205.20.60[500] to 192.168.51.103[500] (353 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
received cert request for "CN=OpRootCA"
received cert request for "CN=OpRootCA"
sending cert request for "CN=OpRootCA"
sending cert request for "CN=OpSubCA1"
authentication of '0005B94234FD at data.device.abc.com' (myself) with RSA signature successful
sending end entity cert "CN=0005B94234FD"
sending issuer cert "CN=OpSubCA1"
establishing CHILD_SA home
generating IKE_AUTH request 1 [ IDi CERT CERT CERTREQ AUTH CPRQ(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.51.103[4500] to 10.205.20.60[4500] (2292 bytes)
received packet: from 10.205.20.60[4500] to 192.168.51.103[4500] (1332 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) SA TSi TSr ]
received end entity cert "CN=secgw"
  using certificate "CN=secgw"
no issuer certificate found for "CN=secgw"
no trusted RSA public key found for 'secgw at data.device.abc.com'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 192.168.51.103[4500] to 10.205.20.60[4500] (68 bytes)
establishing connection 'home' failed

# /usr/sbin/ipsec listcacerts

List of X.509 CA Certificates:

  subject:  "CN=OpSubCA1"
  issuer:   "CN=OpRootCA"
  serial:    51:4a:2f:1a:b5:0b:45:2d
  validity:  not before Aug 17 13:07:04 2014, ok
             not after  Aug 17 13:07:04 2015, ok
  pubkey:    RSA 2048 bits
  keyid:     76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db
  subjkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
  authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29

  subject:  "CN=OpRootCA"
  issuer:   "CN=OpRootCA"
  serial:    0b:40:68:5e:f3:92:34:79
  validity:  not before Aug 16 15:03:15 2014, ok
             not after  Aug 13 15:03:15 2024, ok
  pubkey:    RSA 2048 bits
  keyid:     76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db
  subjkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
  authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
# /usr/sbin/ipsec listcerts

List of X.509 End Entity Certificates:

  altNames:  0005B94234FD at data.device.abc.com
  subject:  "CN=0005B94234FD"
  issuer:   "CN=OpSubCA1"
  serial:    7f:10:2f:b3:42:a5:27:cb
  validity:  not before Sep 03 12:01:52 2014, ok
             not after  Aug 17 13:07:04 2015, ok
  pubkey:    RSA 2048 bits, has private key
  keyid:     7f:73:b1:64:9b:cd:80:08:a3:68:42:24:9d:18:47:8f:a0:2b:e9:1d
  subjkey:   a8:b8:dd:3c:9f:9a:0f:b0:f1:4a:55:03:67:d8:ff:a7:7a:cb:34:d3
  authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29


strongswan server side logs upon failure
=====================================================
root at PowerEdge-860:/etc/data# /usr/sbin/ipsec listcacerts

List of X.509 CA Certificates:

  subject:  "CN=OpSubCA1"
  issuer:   "CN=OpRootCA"
  serial:    51:4a:2f:1a:b5:0b:45:2d
  validity:  not before Aug 17 18:37:04 2014, ok
             not after  Aug 17 18:37:04 2015, ok
  pubkey:    RSA 2048 bits
  keyid:     76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db
  subjkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
  authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29

  subject:  "CN=OpRootCA"
  issuer:   "CN=OpRootCA"
  serial:    0b:40:68:5e:f3:92:34:79
  validity:  not before Aug 16 20:33:15 2014, ok
             not after  Aug 13 20:33:15 2024, ok
  pubkey:    RSA 2048 bits
  keyid:     76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db
  subjkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
  authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29

  subject:  "CN=OpSubCA2"
  issuer:   "CN=OpRootCA"
  serial:    2d:75:61:0a:c8:ea:a0:bb
  validity:  not before Aug 17 20:41:25 2014, ok
             not after  Aug 17 20:41:25 2015, ok
  pubkey:    RSA 2048 bits
  keyid:     76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db
  subjkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
  authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
root at PowerEdge-860:/etc/data# /usr/sbin/ipsec listcerts

List of X.509 End Entity Certificates:

  altNames:  0005B94234FD at data.device.abc.com
  subject:  "CN=0005B94234FD"
  issuer:   "CN=OpSubCA1"
  serial:    7f:10:2f:b3:42:a5:27:cb
  validity:  not before Sep 03 17:31:52 2014, ok
             not after  Aug 17 18:37:04 2015, ok
  pubkey:    RSA 2048 bits
  keyid:     7f:73:b1:64:9b:cd:80:08:a3:68:42:24:9d:18:47:8f:a0:2b:e9:1d
  subjkey:   a8:b8:dd:3c:9f:9a:0f:b0:f1:4a:55:03:67:d8:ff:a7:7a:cb:34:d3
  authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29

  altNames:  secgw at data.device.abc.com
  subject:  "CN=secgw"
  issuer:   "CN=OpSubCA2"
  serial:    67:36:7a:7a:63:77:98:2b
  validity:  not before Aug 17 20:33:06 2014, ok
             not after  Aug 17 20:41:25 2015, ok
  pubkey:    RSA 2048 bits, has private key
  keyid:     bf:fe:1e:f5:3b:3a:51:54:db:69:a4:82:9a:d3:07:14:59:7c:77:e1
  subjkey:   2e:ac:0d:89:65:6f:40:d9:cc:ea:3b:8f:c8:2c:ef:36:0e:36:4e:3a
  authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29

Can you please let me know where I should start debugging?

Regards,
Murali.
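The client-side failure is a chain-building problem visible in the listings above: the client trusts only OpSubCA1 and OpRootCA, while the gateway certificate it receives ("CN=secgw") is issued by OpSubCA2, which neither the client store nor the IKE_AUTH response supplies. As an added example (not part of the original post and not strongSwan's own code), this script parses the `ipsec listcerts`/`listcacerts` output quoted above, walks the issuer DN and authkey/subjkey links to find the first missing issuer, and also flags CA entries that share a subject key identifier, which all the CA entries in the listing do.

```python
import re
# Constructed from the post: the client's "ipsec listcacerts" output and the server's "CN=secgw" entry.
CLIENT_CACERTS = """\
List of X.509 CA Certificates:

  subject:  "CN=OpSubCA1"
  issuer:   "CN=OpRootCA"
  subjkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
  authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29

  subject:  "CN=OpRootCA"
  issuer:   "CN=OpRootCA"
  subjkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
  authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
"""
PEER_CERT = """\
  subject:  "CN=secgw"
  issuer:   "CN=OpSubCA2"
  subjkey:   2e:ac:0d:89:65:6f:40:d9:cc:ea:3b:8f:c8:2c:ef:36:0e:36:4e:3a
  authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
"""
FIELD = re.compile(r"^\s+(\w+):\s+(.*?)\s*$")   # matches '  subject:  "CN=..."' style lines
def parse_listing(text):
    """One {field: value} dict per blank-line-separated entry; header lines are skipped."""
    entries = []
    for block in re.split(r"\n\s*\n", text):
        fields = {m.group(1): m.group(2).strip('"')
                  for m in map(FIELD.match, block.splitlines()) if m}
        if fields:
            entries.append(fields)
    return entries

def build_chain(leaf, cas):
    """Follow issuer DN plus authkey->subjkey links up to a self-signed CA; report the first gap."""
    chain, cert = [leaf["subject"]], leaf
    while cert["subject"] != cert["issuer"]:
        nxt = [c for c in cas if c["subject"] == cert["issuer"]
               and c["subjkey"] == cert["authkey"]]
        if not nxt:
            return chain, cert["issuer"]  # the case strongSwan logs as "no issuer certificate found"
        cert = nxt[0]
        chain.append(cert["subject"])
    return chain, None
def shared_keys(certs):
    """Subject key identifiers used by more than one subject, i.e. CAs sharing one key pair."""
    by_key = {}
    for c in certs:
        by_key.setdefault(c["subjkey"], set()).add(c["subject"])
    return {k: sorted(s) for k, s in by_key.items() if len(s) > 1}
```

Running `build_chain(parse_listing(PEER_CERT)[0], parse_listing(CLIENT_CACERTS))` stops at "CN=OpSubCA2", the issuer the client never obtains; `shared_keys` reports that OpRootCA and OpSubCA1 carry the same subject key identifier, so the intermediate is not a distinct key from the root.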

