[strongSwan] [strongswan-5.1.1] Unable to establish tunnel using two level certificate Authentication

Muralidhar Rangaiah mrangaiah at airvana.com
Thu Sep 4 13:43:25 CEST 2014


Thanks Andreas....it worked after changing the RSA key for Root CA & SubCAs.

Regards,
Murali.

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Thursday, September 04, 2014 11:01 AM
To: Muralidhar Rangaiah; users at lists.strongswan.org
Subject: Re: [strongSwan] [strongswan-5.1.1] Unable to establish tunnel using two level certificate Authentication

Hi Murali,

you shouldn't use the same RSA key for the Root CA and both SubCAs
because strongSwan's certificate lookup is based on the authKeyID.

Generate three distinct RSA keys and try again.

Best regards

Andreas

On 03.09.2014 15:47, Muralidhar Rangaiah wrote:
> Hi ,
>
> I am trying to establish the ipsec tunnel using 2 level Certificates.
>
> But I am not able to do so. I am using strongswan-5.1.1 on both client
> and server side.
>
> I got this error at the strongswan client.
>
> strongswan client logs upon failure
> ===========================================================
> # /usr/sbin/ipsec up home
> initiating IKE_SA home[1] to 10.205.20.60
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 192.168.51.103[500] to 10.205.20.60[500] (300 bytes)
> received packet: from 10.205.20.60[500] to 192.168.51.103[500] (353 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> local host is behind NAT, sending keep alives
> received cert request for "CN=OpRootCA"
> received cert request for "CN=OpRootCA"
> sending cert request for "CN=OpRootCA"
> sending cert request for "CN=OpSubCA1"
> authentication of '0005B94234FD at data.device.abc.com <mailto:0005B94234FD at data.ltefemto.abc.com>' (myself) with RSA signature successful
> sending end entity cert "CN=0005B94234FD"
> sending issuer cert "CN=OpSubCA1"
> establishing CHILD_SA home
> generating IKE_AUTH request 1 [ IDi CERT CERT CERTREQ AUTH CPRQ(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
> sending packet: from 192.168.51.103[4500] to 10.205.20.60[4500] (2292 bytes)
> received packet: from 10.205.20.60[4500] to 192.168.51.103[4500] (1332 bytes)
> parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) SA TSi TSr ]
> received end entity cert "CN=secgw"
>    using certificate "CN=secgw"
> no issuer certificate found for "CN=secgw"
> no trusted RSA public key found for 'secgw at data.device.abc.com
> <mailto:secgw at data.ltefemto.abc.com>'
> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
> sending packet: from 192.168.51.103[4500] to 10.205.20.60[4500] (68 bytes)
> establishing connection 'home' failed
>
> # /usr/sbin/ipsec listcacerts
>
> List of X.509 CA Certificates:
>
>    subject:  "CN=OpSubCA1"
>    issuer:   "CN=OpRootCA"
>    serial:    51:4a:2f:1a:b5:0b:45:2d
>    validity:  not before Aug 17 13:07:04 2014, ok
>               not after  Aug 17 13:07:04 2015, ok
>    pubkey:    RSA 2048 bits
>    keyid:     76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db
>    subjkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
>    authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
>
>    subject:  "CN=OpRootCA"
>    issuer:   "CN=OpRootCA"
>    serial:    0b:40:68:5e:f3:92:34:79
>    validity:  not before Aug 16 15:03:15 2014, ok
>               not after  Aug 13 15:03:15 2024, ok
>    pubkey:    RSA 2048 bits
>    keyid:     76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db
>    subjkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
>    authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
> # /usr/sbin/ipsec listcerts
>
> List of X.509 End Entity Certificates:
>
>    altNames: 0005B94234FD at data.device.abc.com
> <mailto:0005B94234FD at data.ltefemto.abc.com>
>    subject:  "CN=0005B94234FD"
>    issuer:   "CN=OpSubCA1"
>    serial:    7f:10:2f:b3:42:a5:27:cb
>    validity:  not before Sep 03 12:01:52 2014, ok
>               not after  Aug 17 13:07:04 2015, ok
>    pubkey:    RSA 2048 bits, has private key
>    keyid:     7f:73:b1:64:9b:cd:80:08:a3:68:42:24:9d:18:47:8f:a0:2b:e9:1d
>    subjkey:   a8:b8:dd:3c:9f:9a:0f:b0:f1:4a:55:03:67:d8:ff:a7:7a:cb:34:d3
>    authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
>
>
> strongswan server side logs upon failure
> =====================================================
> root at PowerEdge-860:/etc/data# /usr/sbin/ipsec listcacerts
>
> List of X.509 CA Certificates:
>
>    subject:  "CN=OpSubCA1"
>    issuer:   "CN=OpRootCA"
>    serial:    51:4a:2f:1a:b5:0b:45:2d
>    validity:  not before Aug 17 18:37:04 2014, ok
>               not after  Aug 17 18:37:04 2015, ok
>    pubkey:    RSA 2048 bits
>    keyid:     76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db
>    subjkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
>    authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
>
>    subject:  "CN=OpRootCA"
>    issuer:   "CN=OpRootCA"
>    serial:    0b:40:68:5e:f3:92:34:79
>    validity:  not before Aug 16 20:33:15 2014, ok
>               not after  Aug 13 20:33:15 2024, ok
>    pubkey:    RSA 2048 bits
>    keyid:     76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db
>    subjkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
>    authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
>
>    subject:  "CN=OpSubCA2"
>    issuer:   "CN=OpRootCA"
>    serial:    2d:75:61:0a:c8:ea:a0:bb
>    validity:  not before Aug 17 20:41:25 2014, ok
>               not after  Aug 17 20:41:25 2015, ok
>    pubkey:    RSA 2048 bits
>    keyid:     76:c6:78:43:a2:46:1a:54:48:c9:42:3f:61:9c:35:a9:59:17:52:db
>    subjkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
>    authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
>
> root at PowerEdge-860:/etc/data# /usr/sbin/ipsec listcerts
>
> List of X.509 End Entity Certificates:
>
>    altNames: 0005B94234FD at data.device.abc.com
> <mailto:0005B94234FD at data.ltefemto.abc.com>
>    subject:  "CN=0005B94234FD"
>    issuer:   "CN=OpSubCA1"
>    serial:    7f:10:2f:b3:42:a5:27:cb
>    validity:  not before Sep 03 17:31:52 2014, ok
>               not after  Aug 17 18:37:04 2015, ok
>    pubkey:    RSA 2048 bits
>    keyid:     7f:73:b1:64:9b:cd:80:08:a3:68:42:24:9d:18:47:8f:a0:2b:e9:1d
>    subjkey:   a8:b8:dd:3c:9f:9a:0f:b0:f1:4a:55:03:67:d8:ff:a7:7a:cb:34:d3
>    authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
>
>    altNames: secgw at data.device.abc.com <mailto:secgw at data.ltefemto.abc.com>
>    subject:  "CN=secgw"
>    issuer:   "CN=OpSubCA2"
>    serial:    67:36:7a:7a:63:77:98:2b
>    validity:  not before Aug 17 20:33:06 2014, ok
>               not after  Aug 17 20:41:25 2015, ok
>    pubkey:    RSA 2048 bits, has private key
>    keyid:     bf:fe:1e:f5:3b:3a:51:54:db:69:a4:82:9a:d3:07:14:59:7c:77:e1
>    subjkey:   2e:ac:0d:89:65:6f:40:d9:cc:ea:3b:8f:c8:2c:ef:36:0e:36:4e:3a
>    authkey:   d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29
>
> Can you please let me know from where do I start debugging?
>
> Regards,
>
> Murali.

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
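
The listings quoted in this thread show the problem Andreas points to: all three CA certificates carry the same subjkey, so a lookup keyed on authKeyID cannot tell them apart. The following check is an added example, not part of the original messages or of strongSwan itself; it parses `ipsec listcacerts` text and reports shared CA keys. The function names are hypothetical, and the sample is abridged from the server-side listing above.

```python
import re
from collections import defaultdict

FIELD = re.compile(r"^(\w+):\s+(.*)$")

# Abridged from the server-side `ipsec listcacerts` output quoted in the thread.
KEY = "d0:bf:99:f2:18:8d:b0:ad:ad:0d:6b:95:47:d3:e1:b4:10:ba:6a:29"
SAMPLE = "\n\n".join(
    f'  subject:  "CN={s}"\n  issuer:   "CN=OpRootCA"\n'
    f"  subjkey:   {KEY}\n  authkey:   {KEY}"
    for s in ("OpSubCA1", "OpRootCA", "OpSubCA2"))


def parse_certs(text):
    """Parse listcacerts/listcerts text into one dict per certificate.

    Records are separated by blank lines; a leading "> " mail-quote
    prefix is tolerated so pasted list posts can be checked directly.
    """
    certs, cur = [], {}
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last record
        line = raw.lstrip("> \t").rstrip()
        m = FIELD.match(line)
        if m:
            cur[m.group(1)] = m.group(2).strip().strip('"')
        elif not line and cur:
            if "subject" in cur:
                certs.append(cur)
            cur = {}
    return certs


def shared_ca_keys(cas):
    """Return {subjkey: [subjects]} for every key used by more than one CA."""
    by_key = defaultdict(set)
    for c in cas:
        if "subjkey" in c:
            by_key[c["subjkey"]].add(c["subject"])
    return {k: sorted(s) for k, s in by_key.items() if len(s) > 1}


def issuer_candidates(authkey, cas):
    """CA subjects whose subjkey equals a certificate's authkey."""
    return sorted(c["subject"] for c in cas if c.get("subjkey") == authkey)


if __name__ == "__main__":
    cas = parse_certs(SAMPLE)
    for key, subjects in shared_ca_keys(cas).items():
        print(f"subjkey {key} shared by: {', '.join(subjects)}")
    print("issuer candidates for CN=secgw:", issuer_candidates(KEY, cas))
```

With three distinct RSA keys, `shared_ca_keys` returns an empty dict and each authkey resolves to exactly one CA subject.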


