[strongSwan] trying to get basic pubkey strongswan connection with certificates up and running

Noel Kuntze noel at familie-kuntze.de
Sat Sep 13 20:52:59 CEST 2014


Hello Cindy,

Please set the leftid to "C=CH, O=strongSwan, CN=vpn.example.com" or set leftcert to the file name of your server certificate.

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 13.09.2014 at 16:17, Cindy Moore wrote:
> Ah, thank you for the Network Manager explanation.  I thought that
> was very strange.  I didn't realize it didn't run with root
> privileges.
>
> As for the ipsec.conf file, it is fine.  It is the email client that
> destroys how it is formatted when I send it out, so you guys can't see
> how it looks but
>
> root at vpn:/etc# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-35-generic, x86_64):
>   uptime: 40 hours, since Sep 11 14:16:36 2014
>   malloc: sbrk 2568192, mmap 0, used 416528, free 2151664
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 0
>   loaded plugins: charon test-vectors ldap aes rc2 sha1 sha2 md4 md5
> random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem
> openssl xcbc cmac hk
> Virtual IP pools (size/online/offline):
>   xxx.xx.xxx.0/24: 254/0/0
> Listening IP addresses:
>   xxx.xxx.xxx.xxx
>  (ipv6 address deleted)
> Connections:
>  roadwarrior:  xxx.xxx.xxx.xxx...%any  IKEv1/2
>  roadwarrior:   local:  [vpn.example.com] uses public key authentication
>  roadwarrior:    cert:  "C=CH, O=strongSwan, CN=vpn.example.com"
>  roadwarrior:   remote: uses public key authentication
>  roadwarrior:   child:  0.0.0.0/0 === dynamic TUNNEL
> Security Associations (0 up, 0 connecting):
>   none
>
>
> Thanks,
>
>
> On Sat, Sep 13, 2014 at 3:24 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>
>> Hello Cindy,
>>
>> As network manager doesn't run as your user, you need to give
>> it access to the certificate and the private key in your home directory.
>> You can do this by changing the group of those files to a group
>> the network manager user is in and giving said group read
>> access to the file and execute access down the path to said files.
>>
>> Yes, the error message indicates a configuration mismatch
>> between the server and the client.
>>
>> I think you need to indent the section parameters with a tab for strongSwan to read them correctly.
>> Check with "ipsec statusall", if it correctly read all the conn definitions.
>>
>> Kind regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> On 13.09.2014 at 00:05, Cindy Moore wrote:
> >>> Hi, I'm hoping I can get some tips or direction here, because I've
> >>> been banging my head on this for a while.
> >>>
> >>> I have strongswan 5 installed on ubuntu 14.04 with all the latest updates, etc:
> >>> root at vpn:/etc# ipsec version
> >>> Linux strongSwan U5.1.2/K3.13.0-35-generic
> >>>
> >>> This part seems to be functioning fine.  I've used the ipsec pki to
> >>> generate a vpn cacert, and then a couple of certs to test things with.
> >>> (For reference, I've included the steps I took to create those below,
> >>> along with my ipsec.conf)
> >>>
> >>> All I want is to set up a connection between two machines, both
> >>> running 14.04.  "vpn" is a server install, client is a desktop
> >>> install.  I've installed the network-manager-strongswan (version
> >>> 1.3.0-1ubuntu1) and restarted the network manager.  I've tried to
> >>> configure it as per
> >>> https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager
> >>> but there are already some differences in what's shown and what I get.
> >>>
> >>> Instead of Authentication, there is now Client, with Authentication
> >>> under that (and additional options depending on what is chosen for
> >>> Authentication.  The choices for Authentication are
> >>> Certificate/private key, Certificate/ssh-agent, Smartcard, EAP.  I
> >>> have questions about the ssh-agent, but I'll tabulate those for now.
> >>> Anyway, so when I choose Certificate/private key, I get two more
> >>> options below Authentication, which are Certificate and Private key.
> >>>
> >>> So for Gateway, I've got down vpn.example.com (name changed to protect
> >>> guilty of course :) )
> >>> and for Certificate, I have vpnHostCert.pem (see below).  For
> >>> Authentication, Certificate/private key, for Certificate, moiCert.pem
> >>> (see below) and for private key moiKey.pem (see below). I've checked
> >>> the options to request an inner IP address, and to enforce udp
> >>> encapsulation, but have left the ip compression unchecked.
> >>>
> >>> Under the General and IPv4 settings, I've left the latter to the
> >>> default Automatic (VPN), for the former, I've tried both checking and
> >>> unchecking "all users may connect..."
> >>>
> >>> [NB: I find that I MUST have all .pem files set to 644 and any
> >>> directory along their path to 755 or else Network Manager stalls with
> >>> asking me for a password and the client's syslog contains "charon-nm:
> >>> 15[LIB] opening 'path/to/moiKey.pem' failed: Permission denied", which
> >>> strikes me as rather strange: to force a private key to be readable??
> >>> In this case client is a personal laptop so maybe not that bad, but
> >>> really?]
> >>>
> >>> In following the syslog output on the vpn host, I see:
> >>>
> >>> Sep 12 14:42:02 vpn charon: 04[CFG] looking for peer configs matching
> >>> xxx.xxx.xxx.xxx[C=CH, O=strongSwan, CN=vpn.example.com]...<client's
> >>> current IP addr>[C=CH, O=strongSwan, CN=moi]
> >>> Sep 12 14:42:02 vpn charon: 04[CFG] no matching peer config found
> >>>
> >>> so my guess is the conn roadwarrior (see below) isn't properly configured?
> >>>
> >>> I would appreciate any help... getting this configured has been a huge
> >>> headache.  Thanks.
> >>>
> >>> --------------
> >>> Background info/files:
> >>>
> >>> CAcert/key:
> >>>
> >>> $ cd /etc/ipsec.d/
> >>> $ ipsec pki --gen --type rsa --size 4096 \
> >>>     --outform pem \
> >>>     > private/strongswanKey.pem
> >>> $ chmod 600 private/strongswanKey.pem
> >>> $ ipsec pki --self --ca --lifetime 3650 \
> >>>     --in private/strongswanKey.pem --type rsa \
> >>>     --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \
> >>>     --outform pem \
> >>>     > cacerts/strongswanCert.pem
> >>>
> >>> vpnHostKey/Cert:
> >>>
> >>> $ cd /etc/ipsec.d/
> >>> $ ipsec pki --gen --type rsa --size 2048 \
> >>>     --outform pem \
> >>>     > private/vpnHostKey.pem
> >>> $ chmod 600 private/vpnHostKey.pem
> >>> $ ipsec pki --pub --in private/vpnHostKey.pem --type rsa | \
> >>>   ipsec pki --issue --lifetime 730 \
> >>>     --cacert cacerts/strongswanCert.pem \
> >>>     --cakey private/strongswanKey.pem \
> >>>     --dn "C=CH, O=strongSwan, CN=vpn.example.com" \
> >>>     --san vpn.example.com \
> >>>     --flag serverAuth --flag ikeIntermediate \
> >>>     --outform pem > certs/vpnHostCert.pem
> >>>
> >>> Client cert/key:
> >>>
> >>> $ cd /etc/ipsec.d/
> >>> $ ipsec pki --gen --type rsa --size 2048 \
> >>>     --outform pem \
> >>>     > private/moiKey.pem
> >>> $ chmod 600 private/moiKey.pem
> >>> $ ipsec pki --pub --in private/moiKey.pem --type rsa | \
> >>>   ipsec pki --issue --lifetime 730 \
> >>>     --cacert cacerts/strongswanCert.pem \
> >>>     --cakey private/strongswanKey.pem \
> >>>     --dn "C=CH, O=strongSwan, CN=moi" \
> >>>     --san moi \
> >>>     --outform pem > certs/moiCert.pem
> >>>
> >>> ("moi" is just a standin for my personal uid)
> >>>
> >>> ipsec.conf (note that this email client is munging the tabs, but ipsec
> >>> reload is perfectly happy with this conf file's syntax)
> >>>
> >>> config setup
> >>>     # uniqueids=never
> >>>     charondebug="cfg 2, dmn 2, ike 2, net 2"
> >>>
> >>> conn %default
> >>>     ikelifetime=60m
> >>>     keylife=20m
> >>>     rekeymargin=3m
> >>>     keyingtries=1
> >>>     #note iOS, Android, xauth-pam are all ikev1!
> >>>     keyexchange=ike
> >>>
> >>> conn roadwarrior
> >>>     #vpn server
> >>>     left=xxx.xxx.xxx.xxx
> >>>     #allow full tunneling
> >>>     leftsubnet=0.0.0.0/0
> >>>     right=%any
> >>>     rightauth=pubkey
> >>>     #assign ip addr from this pool
> >>>     rightsourceip=xxx.xx.xx.0/24
> >>>     auto=add
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users at lists.strongswan.org
> >>> https://lists.strongswan.org/mailman/listinfo/users
>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users

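Noel's one-line fix comes down to what charon matches on. The "looking for peer configs matching A[IDa]...B[IDb]" line lists the identity the client asked the gateway to present (here the server certificate's subject DN) and the client's own identity; a conn whose local identity defaults to `left`, an IP address, can never match a DN, so no peer config is found. The following is an added example for this thread, not code from the list or from strongSwan: it parses an ipsec.conf in strongSwan's format, applies `conn %default` inheritance, pulls both identities out of such a log line and reports for each conn whether its effective local identity could match. The configuration, the log line, the RFC 5737 addresses and the certificate subject table are constructed from the posted values; identity comparison is an exact match after whitespace normalisation, which is a simplification of charon's matching rules (no wildcards, no ID types, no matching against certificate SANs).

```python
"""Diagnose 'no matching peer config found' for a strongSwan pubkey conn.

Added example for this thread, not strongSwan code. Config, log line,
addresses (RFC 5737 ranges) and the certificate subject table below are
constructed from the values posted in the thread.
"""
import re
from typing import Dict, List, Optional, Tuple

# The posted ipsec.conf, with the anonymised addresses replaced by constructed ones.
POSTED_CONF = """\
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ike

conn roadwarrior
    left=192.0.2.1          # constructed stand-in for the gateway address
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=pubkey
    rightsourceip=10.99.0.0/24
    auto=add
"""

# Noel's fix: name the gateway certificate so charon derives the local identity from its subject.
FIXED_CONF = POSTED_CONF.replace("    right=%any\n",
                                 "    leftcert=vpnHostCert.pem\n    right=%any\n")

# Constructed charon log line carrying the identities from the thread.
LOG_LINE = ("04[CFG] looking for peer configs matching "
            "192.0.2.1[C=CH, O=strongSwan, CN=vpn.example.com]..."
            "198.51.100.7[C=CH, O=strongSwan, CN=moi]")

# Subject DN per certificate file in /etc/ipsec.d/certs (constructed; in practice read it with 'ipsec pki --print').
CERT_SUBJECTS = {"vpnHostCert.pem": "C=CH, O=strongSwan, CN=vpn.example.com"}

MATCH_RE = re.compile(
    r"looking for peer configs matching (\S+?)\[([^\]]*)\]\.\.\.(\S+?)\[([^\]]*)\]")


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse ipsec.conf: a 'conn NAME' line at column 0 opens a section, indented key=value lines fill it."""
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments and trailing blanks
        if not line.strip():
            continue
        if not raw[0].isspace():                      # section header at column 0
            words = line.split()
            current = conns.setdefault(words[1], {}) if words[0] == "conn" and len(words) > 1 else None
            continue
        if current is None or "=" not in line:        # e.g. parameters of 'config setup'
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip().strip('"')
    return conns


def effective_conns(conns: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Apply 'conn %default' to every other conn, as charon does."""
    defaults = conns.get("%default", {})
    return {name: {**defaults, **params} for name, params in conns.items() if name != "%default"}


def parse_match_line(log_line: str) -> Tuple[str, str, str, str]:
    """Return (my_addr, my_id, peer_addr, peer_id); my_id is the identity the client asked the gateway for."""
    m = MATCH_RE.search(log_line)
    if not m:
        raise ValueError("not a 'looking for peer configs matching' line")
    return m.group(1), m.group(2), m.group(3), m.group(4)


def norm_id(identity: str) -> str:
    """Normalise spacing around DN separators so 'C=CH,O=x' and 'C=CH, O=x' compare equal."""
    return re.sub(r"\s*,\s*", ", ", identity.strip())


def local_id_of(conn: Dict[str, str], cert_subjects: Dict[str, str]) -> Optional[str]:
    """The identity charon presents for a conn: leftid, else the leftcert subject, else left."""
    if "leftid" in conn:
        return conn["leftid"]
    if "leftcert" in conn:
        return cert_subjects.get(conn["leftcert"])   # None if we do not know the subject
    return conn.get("left")


def diagnose(conf_text: str, log_line: str,
             cert_subjects: Dict[str, str]) -> List[Tuple[str, bool, str]]:
    """For each conn, (name, matches, explanation) against the identity the client asked for."""
    _, wanted, _, _ = parse_match_line(log_line)
    results: List[Tuple[str, bool, str]] = []
    for name, conn in effective_conns(parse_ipsec_conf(conf_text)).items():
        mine = local_id_of(conn, cert_subjects)
        if mine is None:
            results.append((name, False, f"subject of leftcert={conn.get('leftcert')} unknown, cannot compare"))
        elif norm_id(mine) == norm_id(wanted):
            results.append((name, True, f"local identity {mine!r} matches the requested IDr"))
        else:
            results.append((name, False,
                            f"client asked the gateway to be {wanted!r} but this conn presents {mine!r}; "
                            f'set leftid="{wanted}" or leftcert to the certificate with that subject'))
    return results


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        for name, ok, why in diagnose(conf, LOG_LINE, CERT_SUBJECTS):
            print(f"[{label}] {name}: {'match' if ok else 'NO MATCH'}: {why}")
```

Running it prints NO MATCH for the posted conn (it presents `192.0.2.1`) and a match once `leftcert` names the certificate whose subject is the DN the client asked for; setting `leftid` to that DN explicitly gives the same result.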
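Noel's recipe for the NetworkManager problem (put the key and the directories leading to it in a group the NetworkManager user belongs to, give that group read on the key and execute on each directory) is the least-privilege alternative to the 644/755 the original post had to fall back to, which leaves the private key readable by every local account. The following added example, not code from the thread, NetworkManager or strongSwan, checks a key against that recipe and applies it: it reports a world-readable key, a key the NetworkManager group cannot read, and any directory on the path that group cannot traverse. The group is passed as a numeric gid; `demo_on_tempdir()` builds a constructed layout and uses the caller's primary gid as a stand-in for the NetworkManager group.

```python
"""Check and apply group-based access to a private key used by charon-nm.

Added example for this thread, not NetworkManager or strongSwan code. The
NetworkManager group is passed as a numeric gid; demo_on_tempdir() builds a
constructed layout and uses the caller's primary gid as a stand-in.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple


def _dirs_up_to(key: Path, stop: Path) -> List[Path]:
    """Directories from the key's parent up to and including stop (the home directory in the thread)."""
    dirs, d = [], key.parent
    while True:
        dirs.append(d)
        if d == stop or d == d.parent:
            break
        d = d.parent
    return dirs


def key_access_problems(key_path: str, nm_gid: int, stop_at: str) -> List[str]:
    """Report why gid nm_gid could not open the key, and whether the key is exposed to everyone."""
    key, stop = Path(key_path).resolve(), Path(stop_at).resolve()
    problems: List[str] = []
    st = key.stat()
    perm = stat.S_IMODE(st.st_mode)
    if perm & stat.S_IROTH:
        problems.append(f"{key}: world-readable (mode {perm:o}); a private key should be 0640 at most")
    if st.st_gid != nm_gid or not perm & stat.S_IRGRP:
        problems.append(f"{key}: gid {nm_gid} cannot read it (group {st.st_gid}, mode {perm:o})")
    for d in _dirs_up_to(key, stop):
        dst = d.stat()
        dperm = stat.S_IMODE(dst.st_mode)
        group_ok = dst.st_gid == nm_gid and dperm & stat.S_IXGRP
        if not (group_ok or dperm & stat.S_IXOTH):
            problems.append(f"{d}: gid {nm_gid} cannot traverse it (group {dst.st_gid}, mode {dperm:o})")
    return problems


def grant_group_access(key_path: str, nm_gid: int, stop_at: str) -> None:
    """Noel's recipe: chgrp the key and its path to nm_gid, key 0640, directories g+x, nothing for others."""
    key, stop = Path(key_path).resolve(), Path(stop_at).resolve()
    os.chown(key, -1, nm_gid)
    os.chmod(key, 0o640)
    for d in _dirs_up_to(key, stop):
        os.chown(d, -1, nm_gid)
        os.chmod(d, stat.S_IMODE(d.stat().st_mode) | stat.S_IXGRP)


def demo_on_tempdir() -> Tuple[List[str], List[str], int]:
    """Constructed layout home/certs/moiKey.pem: a 0644 key as in the post, inside 0700 directories."""
    home = tempfile.mkdtemp(prefix="nm-home-")
    certs = os.path.join(home, "certs")
    os.mkdir(certs)
    os.chmod(home, 0o700)
    os.chmod(certs, 0o700)
    key = os.path.join(certs, "moiKey.pem")
    with open(key, "w") as f:
        f.write("-----BEGIN RSA PRIVATE KEY-----\nconstructed placeholder, not a key\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(key, 0o644)
    nm_gid = os.getgid()                          # stand-in for the NetworkManager group
    before = key_access_problems(key, nm_gid, home)
    grant_group_access(key, nm_gid, home)
    after = key_access_problems(key, nm_gid, home)
    return before, after, stat.S_IMODE(os.stat(key).st_mode)


if __name__ == "__main__":
    before, after, mode = demo_on_tempdir()
    print("before:", *before, sep="\n  ")
    print("after:", after, f"key mode {mode:o}")
```

Run it as the owner of the files: `chgrp` only succeeds for groups the caller is a member of unless run as root. Directories above `$HOME` (`/`, `/home`) are normally 755 already, so the home directory is the right place to stop; the check treats a directory as traversable if either the group or everyone has execute on it, so it does not complain about those.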