[strongSwan] trying to get basic pubkey strongswan connection with certificates up and running

Cindy Moore ctmoore at cs.ucsd.edu
Sat Sep 13 00:05:05 CEST 2014


Hi, I'm hoping I can get some tips or direction here, because I've
been banging my head on this for a while.

I have strongswan 5 installed on ubuntu 14.04 with all the latest updates, etc:
root at vpn:/etc# ipsec version
Linux strongSwan U5.1.2/K3.13.0-35-generic

This part seems to be functioning fine.  I've used the ipsec pki to
generate a vpn cacert, and then a couple of certs to test things with.
(For reference, I've included the steps I took to create those below,
along with my ipsec.conf)

All I want is to set up a connection between two machines, both
running 14.04.  "vpn" is a server install, client is a desktop
install.  I've installed the network-manager-strongswan (version
1.3.0-1ubuntu1) and restarted the network manager.  I've tried to
configure it as per
https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager
but there are already some differences in what's shown and what I get.

Instead of Authentication, there is now Client, with Authentication
under that (and additional options depending on what is chosen for
Authentication).  The choices for Authentication are
Certificate/private key, Certificate/ssh-agent, Smartcard, EAP.  I
have questions about the ssh-agent, but I'll tabulate those for now.
Anyway, so when I choose Certificate/private key, I get two more
options below Authentication, which are Certificate and Private key.

So for Gateway, I've got down vpn.example.com (name changed to protect
the guilty, of course :) )
and for Certificate, I have vpnHostCert.pem (see below).  For
Authentication, Certificate/private key, for Certificate, moiCert.pem
(see below) and for private key moiKey.pem (see below). I've checked
the options to request an inner IP address, and to enforce udp
encapsulation, but have left the ip compression unchecked.

Under the General and IPv4 settings, I've left the latter to the
default Automatic (VPN), for the former, I've tried both checking and
unchecking "all users may connect..."

[NB: I find that I MUST have all .pem files set to 644 and any
directory along their path to 755 or else Network Manager stalls with
asking me for a password and the client's syslog contains "charon-nm:
15[LIB] opening 'path/to/moiKey.pem' filed: Permission denied", which
strikes me as rather strange: to force a private key to be readable??
In this case client is a personal laptop so maybe not that bad, but
really?]

In following the syslog output on the vpn host, I see:

Sep 12 14:42:02 vpn charon: 04[CFG] looking for peer configs matching
xxx.xxx.xxx.xxx[C=CH, O=strongSwan, CN=vpn.example.com]...<client's
current IP addr>[C=CH, O=strongSwan, CN=moi]
Sep 12 14:42:02 vpn charon: 04[CFG] no matching peer config found

so my guess is the conn roadwarrior (see below) isn't properly configured?

I would appreciate any help... getting this configured has been a huge
headache.  Thanks.

--------------
Background info/files:

CAcert/key:

$ cd /etc/ipsec.d/
$ ipsec pki --gen --type rsa --size 4096 \
--outform pem \
> private/strongswanKey.pem
$ chmod 600 private/strongswanKey.pem
$ ipsec pki --self --ca --lifetime 3650 \
--in private/strongswanKey.pem --type rsa \
--dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \
--outform pem \
> cacerts/strongswanCert.pem

vpnHostKey/Cert:

$ cd /etc/ipsec.d/
$ ipsec pki --gen --type rsa --size 2048 \
--outform pem \
> private/vpnHostKey.pem
$ chmod 600 private/vpnHostKey.pem
$ ipsec pki --pub --in private/vpnHostKey.pem --type rsa | \
ipsec pki --issue --lifetime 730 \
--cacert cacerts/strongswanCert.pem \
--cakey private/strongswanKey.pem \
--dn "C=CH, O=strongSwan, CN=vpn.example.com" \
--san vpn.example.com \
--flag serverAuth --flag ikeIntermediate \
--outform pem > certs/vpnHostCert.pem

Client cert/key:

$ cd /etc/ipsec.d/
$ ipsec pki --gen --type rsa --size 2048 \
--outform pem \
> private/moiKey.pem
$ chmod 600 private/moiKey.pem
$ ipsec pki --pub --in private/moiKey.pem --type rsa | \
ipsec pki --issue --lifetime 730 \
--cacert cacerts/strongswanCert.pem \
--cakey private/strongswanKey.pem \
--dn "C=CH, O=strongSwan, CN=moi" \
--san moi \
--outform pem > certs/moiCert.pem

("moi" is just a standin for my personal uid)

ipsec.conf (note that this email client is munging the tabs, but ipsec
reload is perfectly happy with this conf file's syntax)

config setup
        # uniqueids=never
        charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        # note iOS, Android, xauth-pam are all ikev1!
        keyexchange=ike

conn roadwarrior
        # vpn server
        left=xxx.xxx.xxx.xxx
        # allow full tunneling
        leftsubnet=0.0.0.0/0
        right=%any
        rightauth=pubkey
        # assign ip addr from this pool
        rightsourceip=xxx.xx.xx.0/24
        auto=add
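The two charon lines quoted above show what the server could not match: the client asked for the responder identity C=CH, O=strongSwan, CN=vpn.example.com (the subject of the vpnHostCert.pem it was given), but the conn roadwarrior as posted has no leftcert or leftid, so the server's own identity defaults to its IP address and no peer config matches the request. Added example, not the poster's configuration or strongSwan project code: the same conn with the server certificate and identity set, plus the ipsec.secrets line that loads the matching private key (file names taken from the post; paths are relative to /etc/ipsec.d/certs and /etc/ipsec.d/private, the rightid line is an optional assumption).

```conf
# /etc/ipsec.conf (added example; file names as in the post above)
conn roadwarrior
        # vpn server: the local identity must match the IDr the client
        # requests, which is the subject DN of vpnHostCert.pem
        left=xxx.xxx.xxx.xxx
        leftcert=vpnHostCert.pem
        leftid="C=CH, O=strongSwan, CN=vpn.example.com"
        leftauth=pubkey
        # allow full tunneling
        leftsubnet=0.0.0.0/0
        right=%any
        rightauth=pubkey
        # any client certificate issued by the CA in /etc/ipsec.d/cacerts is
        # accepted; optionally restrict by DN pattern, e.g.
        # rightid="C=CH, O=strongSwan, CN=*"
        # assign ip addr from this pool
        rightsourceip=xxx.xx.xx.0/24
        auto=add

# /etc/ipsec.secrets: load the private key belonging to vpnHostCert.pem
# (file name is resolved relative to /etc/ipsec.d/private)
: RSA vpnHostKey.pem
```

After `ipsec reload`, `ipsec listcerts` should list vpnHostCert.pem with its private key, and the next connection attempt should log a matching peer config instead of "no matching peer config found".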