[strongSwan] [strongswan-5.1.1] Unable to establish tunnel using two level certificate Authentication
Muralidhar Rangaiah
mrangaiah at airvana.com
Wed Sep 3 15:47:08 CEST 2014
Hi ,
I am trying to establish the ipsec tunnel using 2 level Certificates.
But I am not able to do so. I am using strongswan-5.1.1 on both client and server side.
I got this error at the strongswan client.
strongswan client logs upon failure
===========================================================
# /usr/sbin/ipsec up home
initiating IKE_SA home[1] to 10.205.20.60
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.51.103[500] to 10.205.20.60[500] (300 bytes)
received packet: from 10.205.20.60[500] to 192.168.51.103[500] (353 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MUL T_AUTH) ]
local host is behind NAT, sending keep alives
received cert request for "CN=OpRootCA"
received cert request for "CN=OpRootCA"
sending cert request for "CN=OpRootCA"
sending cert request for "CN=OpSubCA1"
authentication of '0005B94234FD at data.device.abc.com<mailto:0005B94234FD at data.ltefemto.abc.com>' (myself) with RSA sign ature successful
sending end entity cert "CN=0005B94234FD"
sending issuer cert "CN=OpSubCA1"
establishing CHILD_SA home
generating IKE_AUTH request 1 [ IDi CERT CERT CERTREQ AUTH CPRQ(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.51.103[4500] to 10.205.20.60[4500] (2292 bytes)
received packet: from 10.205.20.60[4500] to 192.168.51.103[4500] (1332 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) SA TSi TSr ]
received end entity cert "CN=secgw"
using certificate "CN=secgw"
no issuer certificate found for "CN=secgw"
no trusted RSA public key found for 'secgw at data.device.abc.com<mailto:secgw at data.ltefemto.abc.com>'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 192.168.51.103[4500] to 10.205.20.60[4500] (68 bytes)
establishing connection 'home' failed
# /usr/sbin/ipsec listcacerts
List of X.509 CA Certificates:
subject: "CN=OpSubCA1"
issuer: "CN=OpRootCA"
serial: 51:4a:2f:1a:b5:0b:45:2d
validity: not before Aug 17 13:07:04 2014, ok
not after Aug 17 13:07:04 2015, ok
pubkey: RSA 2048 bits
keyid: 76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db
subjkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
authkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
subject: "CN=OpRootCA"
issuer: "CN=OpRootCA"
serial: 0b:40:68:5e:f3:92:34:79
validity: not before Aug 16 15:03:15 2014, ok
not after Aug 13 15:03:15 2024, ok
pubkey: RSA 2048 bits
keyid: 76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db
subjkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
authkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
# /usr/sbin/ipsec listcerts
List of X.509 End Entity Certificates:
altNames: 0005B94234FD at data.device.abc.com<mailto:0005B94234FD at data.ltefemto.abc.com>
subject: "CN=0005B94234FD"
issuer: "CN=OpSubCA1"
serial: 7f:10:2f:b3:42:a5:27:cb
validity: not before Sep 03 12:01:52 2014, ok
not after Aug 17 13:07:04 2015, ok
pubkey: RSA 2048 bits, has private key
keyid: 7f:73:b1:64:9b:cd:80:08:a3:68:42:24:9d:18:47:8f:a0:2b:e9:1d
subjkey: a8:b8:dd:3c:9f:9a:0f:b0:f1:4a:55:03:67:d8:ff:a7:7a:cb:34:d3
authkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
strongswan server side logs upon failure
=====================================================
root at PowerEdge-860:/etc/data# /usr/sbin/ipsec listcacerts
List of X.509 CA Certificates:
subject: "CN=OpSubCA1"
issuer: "CN=OpRootCA"
serial: 51:4a:2f:1a:b5:0b:45:2d
validity: not before Aug 17 18:37:04 2014, ok
not after Aug 17 18:37:04 2015, ok
pubkey: RSA 2048 bits
keyid: 76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db
subjkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
authkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
subject: "CN=OpRootCA"
issuer: "CN=OpRootCA"
serial: 0b:40:68:5e:f3:92:34:79
validity: not before Aug 16 20:33:15 2014, ok
not after Aug 13 20:33:15 2024, ok
pubkey: RSA 2048 bits
keyid: 76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db
subjkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
authkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
subject: "CN=OpSubCA2"
issuer: "CN=OpRootCA"
serial: 2d:75:61:0a:c8:ea:a0:bb
validity: not before Aug 17 20:41:25 2014, ok
not after Aug 17 20:41:25 2015, ok
pubkey: RSA 2048 bits
keyid: 76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db
subjkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
authkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
root at PowerEdge-860:/etc/data# /usr/sbin/ipsec listcerts
List of X.509 End Entity Certificates:
altNames: 0005B94234FD at data.device.abc.com<mailto:0005B94234FD at data.ltefemto.abc.com>
subject: "CN=0005B94234FD"
issuer: "CN=OpSubCA1"
serial: 7f:10:2f:b3:42:a5:27:cb
validity: not before Sep 03 17:31:52 2014, ok
not after Aug 17 18:37:04 2015, ok
pubkey: RSA 2048 bits
keyid: 7f:73:b1:64:9b:cd:80:08:a3:68:42:24:9d:18:47:8f:a0:2b:e9:1d
subjkey: a8:b8:dd:3c:9f:9a:0f:b0:f1:4a:55:03:67:d8:ff:a7:7a:cb:34:d3
authkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
altNames: secgw at data.device.abc.com<mailto:secgw at data.ltefemto.abc.com>
subject: "CN=secgw"
issuer: "CN=OpSubCA2"
serial: 67:36:7a:7a:63:77:98:2b
validity: not before Aug 17 20:33:06 2014, ok
not after Aug 17 20:41:25 2015, ok
pubkey: RSA 2048 bits, has private key
keyid: bf:fe:1e:f5:3b:3a:51:54:db:69:a4:82:9a:d3:07:14:59:7c:77:e1
subjkey: 2e:ac:0d:89:65:6f:40:d9:cc:ea:3b:8f:c8:2c:ef:36:0e:36:4e:3a
authkey: d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
Can u please let me know from where do I start debugging ?
Regards,
Murali.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140903/9ddcd459/attachment-0001.html>
More information about the Users
mailing list