[strongSwan] trying to get basic pubkey strongswan connection with certificates up and running
Cindy Moore
ctmoore at cs.ucsd.edu
Sun Sep 14 07:57:32 CEST 2014
OK, I am now spotting this in the syslog, but I'm a bit at a loss... I
have this private file (vpnHostKey.pem) set to 600. How can I find
out where it's looking for the private key? I have all mine in
/etc/ipsec.d/private (see below)...
Sep 13 22:42:47 vpn charon: 15[IKE] no private key found for 'C=CH,
O=strongSwan, CN=vpn.example.com'
ipsec.conf is now:
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ike
    leftcert=vpnHostCert.pem
    leftid="C=CH, O=strongSwan, CN=vpn.example.com"

conn roadwarrior
    #vpn server
    left=137.110.222.66
    #allow full tunneling
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=pubkey
    #rightauth2=xauth-pam
    #assign ip addr from this pool
    rightsourceip=xxx.xx.xxx.0/24
    auto=add
and
root at vpn:/etc/ipsec.d# ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-35-generic, x86_64):
uptime: 2 days, since Sep 11 14:16:36 2014
malloc: sbrk 2568192, mmap 0, used 429616, free 2138576
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 0
loaded plugins: charon test-vectors ldap aes rc2 sha1 sha2 md4 md5
random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem
openssl xcbc cmac hk
Virtual IP pools (size/online/offline):
xxx.xx.xxx.0/24: 254/0/0
Listening IP addresses:
xxx.xxx.xxx.xxx
(ipv6 deleted)
Connections:
roadwarrior: xxx.xxx.xxx.xxx...%any IKEv1/2
roadwarrior: local: [C=CH, O=strongSwan, CN=vpn.example.com] uses
public key authentication
roadwarrior: cert: "C=CH, O=strongSwan, CN=vpn.example.com"
roadwarrior: remote: uses public key authentication
roadwarrior: child: 0.0.0.0/0 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
none
and...
root at vpn:/etc/ipsec.d# ls -F
aacerts/ acerts/ cacerts/ certs/ crls/ ocspcerts/ policies/
private/ README reqs/
root at vpn:/etc/ipsec.d# ls -lt private/
total 12
-rw------- 1 root root 1679 Sep 13 22:19 moiKey.pem
-rw------- 1 root root 1675 Sep 13 22:18 vpnHostKey.pem
-rw------- 1 root root 3243 Sep 11 00:39 strongswanKey.pem
thanks!
On Sat, Sep 13, 2014 at 11:52 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> Hello Cindy,
>
> Please set the leftid to "C=CH, O=strongSwan, CN=vpn.example.com" or set leftcert to the file name of your server certificate.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> Am 13.09.2014 um 16:17 schrieb Cindy Moore:
>> Ah, thank you for the Network Manager explanation. I thought that
>> was very strange. I didn't realize it didn't run with root
>> privileges.
>>
>> As for the ipsec.conf file, it is fine. It is the email client that
>> destroys how it is formatted when I send it out, so you guys can't see
>> how it looks but
>>
>> root at vpn:/etc# ipsec statusall
>> Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-35-generic, x86_64):
>> uptime: 40 hours, since Sep 11 14:16:36 2014
>> malloc: sbrk 2568192, mmap 0, used 416528, free 2151664
>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>> scheduled: 0
>> loaded plugins: charon test-vectors ldap aes rc2 sha1 sha2 md4 md5
>> random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem
>> openssl xcbc cmac hk
>> Virtual IP pools (size/online/offline):
>> xxx.xx.xxx.0/24: 254/0/0
>> Listening IP addresses:
>> xxx.xxx.xxx.xxx
>> (ipv6 address deleted)
>> Connections:
>> roadwarrior: xxx.xxx.xxx.xxx...%any IKEv1/2
>> roadwarrior: local: [vpn.example.com] uses public key authentication
>> roadwarrior: cert: "C=CH, O=strongSwan, CN=vpn.example.com"
>> roadwarrior: remote: uses public key authentication
>> roadwarrior: child: 0.0.0.0/0 === dynamic TUNNEL
>> Security Associations (0 up, 0 connecting):
>> none
>>
>>
>> Thanks,
>>
>>
>> On Sat, Sep 13, 2014 at 3:24 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>>
>> Hello Cindy,
>>
>> As network manager doesn't run as your user, you need to give
>> it access to the certificate and the private key in your home directory.
>> You can do this by changing the group of those files to a group
>> the network manager user is in and giving said group read
>> access to the file and execute access down the path to said files.
>>
>> Yes, the error message indicates a configuration mismatch
>> between the server and the client.
>>
>> I think you need to indent the section parameters with a tab for strongSwan to read them correctly.
>> Check with "ipsec statusall", if it correctly read all the conn definitions.
>>
>> Mit freundlichen Grüßen/Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> Am 13.09.2014 um 00:05 schrieb Cindy Moore:
>> >>> Hi, I'm hoping I can get some tips or direction here, because I've
>> >>> been banging my head on this for a while.
>> >>>
>> >>> I have strongswan 5 installed on ubuntu 14.04 with all the latest updates, etc:
>> >>> root at vpn:/etc# ipsec version
>> >>> Linux strongSwan U5.1.2/K3.13.0-35-generic
>> >>>
>> >>> This part seems to be functioning fine. I've used the ipsec pki to
>> >>> generate a vpn cacert, and then a couple of certs to test things with.
>> >>> (For reference, I've included the steps I took to create those below,
>> >>> along with my ipsec.conf)
>> >>>
>> >>> All I want is to set up a connection between two machines, both
>> >>> running 14.04. "vpn" is a server install, client is a desktop
>> >>> install. I've installed the network-manager-strongswan (version
>> >>> 1.3.0-1ubuntu1) and restarted the network manager. I've tried to
>> >>> configure it as per
>> >>> https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager
>> >>> but there are already some differences in what's shown and what I get.
>> >>>
>> >>> Instead of Authentication, there is now Client, with Authentication
>> >>> under that (and additional options depending on what is chosen for
>> >>> Authentication. The choices for Authentication are
>> >>> Certificate/private key, Certificate/ssh-agent, Smartcard, EAP. I
>> >>> have questions about the ssh-agent, but I'll tabulate those for now.
>> >>> Anyway, so when I choose Certificate/private key, I get two more
>> >>> options below Authentication, which are Certificate and Private key.
>> >>>
>> >>> So for Gateway, I've got down vpn.example.com (name changed to protect
>> >>> guilty of course :) )
>> >>> and for Certificate, I have vpnHostCert.pem (see below). For
>> >>> Authentication, Certificate/private key, for Certificate, moiCert.pem
>> >>> (see below) and for private key moiKey.pem (see below). I've checked
>> >>> the options to request an inner IP address, and to enforce udp
>> >>> encapsulation, but have left the ip compression unchecked.
>> >>>
>> >>> Under the General and IPv4 settings, I've left the latter to the
>> >>> default Automatic (VPN), for the former, I've tried both checking and
>> >>> unchecking "all users may connect..."
>> >>>
>> >>> [NB: I find that I MUST have all .pem files set to 644 and any
>> >>> directory along their path to 755 or else Network Manager stalls with
>> >>> asking me for a password and the client's syslog contains "charon-nm:
>> >>> 15[LIB] opening 'path/to/moiKey.pem' filed: Permission denied", which
>> >>> strikes me as rather strange: to force a private key to be readable??
>> >>> In this case client is a personal laptop so maybe not that bad, but
>> >>> really?]
>> >>>
>> >>> In following the syslog output on the vpn host, I see:
>> >>>
>> >>> Sep 12 14:42:02 vpn charon: 04[CFG] looking for peer configs matching
>> >>> xxx.xxx.xxx.xxx[C=CH, O=strongSwan, CN=vpn.example.com]...<client's
>> >>> current IP addr>[C=CH, O=strongSwan, CN=moi]
>> >>> Sep 12 14:42:02 vpn charon: 04[CFG] no matching peer config found
>> >>>
>> >>> so my guess is the conn roadwarrior (see below) isn't properly configured?
>> >>>
>> >>> I would appreciate any help... getting this configured has been a huge
>> >>> headache. Thanks.
>> >>>
>> >>> --------------
>> >>> Background info/files:
>> >>>
>> >>> CAcert/key:
>> >>>
>> >>> $ cd /etc/ipsec.d/
>> >>> $ ipsec pki --gen --type rsa --size 4096 \
>> >>> --outform pem \
>> >>> > private/strongswanKey.pem
>> >>> $ chmod 600 private/strongswanKey.pem
>> >>> $ ipsec pki --self --ca --lifetime 3650 \
>> >>> --in private/strongswanKey.pem --type rsa \
>> >>> --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \
>> >>> --outform pem \
>> >>> > cacerts/strongswanCert.pem
>> >>>
>> >>> vpnHostKey/Cert:
>> >>>
>> >>> $ cd /etc/ipsec.d/
>> >>> $ ipsec pki --gen --type rsa --size 2048 \
>> >>> --outform pem \
>> >>> > private/vpnHostKey.pem
>> >>> $ chmod 600 private/vpnHostKey.pem
>> >>> $ ipsec pki --pub --in private/vpnHostKey.pem --type rsa | \
>> >>> ipsec pki --issue --lifetime 730 \
>> >>> --cacert cacerts/strongswanCert.pem \
>> >>> --cakey private/strongswanKey.pem \
>> >>> --dn "C=CH, O=strongSwan, CN=vpn.example.com" \
>> >>> --san vpn.example.com \
>> >>> --flag serverAuth --flag ikeIntermediate \
>> >>> --outform pem > certs/vpnHostCert.pem
>> >>>
>> >>> Client cert/key:
>> >>>
>> >>> $ cd /etc/ipsec.d/
>> >>> $ ipsec pki --gen --type rsa --size 2048 \
>> >>> --outform pem \
>> >>> > private/moiKey.pem
>> >>> $ chmod 600 private/moiKey.pem
>> >>> $ ipsec pki --pub --in private/moiKey.pem --type rsa | \
>> >>> ipsec pki --issue --lifetime 730 \
>> >>> --cacert cacerts/strongswanCert.pem \
>> >>> --cakey private/strongswanKey.pem \
>> >>> --dn "C=CH, O=strongSwan, CN=moi" \
>> >>> --san moi \
>> >>> --outform pem > certs/moiCert.pem
>> >>>
>> >>> ("moi" is just a standin for my personal uid)
>> >>>
>> >>> ipsec.conf (note that this email client is munging the tabs, but ipsec
>> >>> reload is perfectly happy with this conf file's syntax)
>> >>>
>> >>> config setup
>> >>>     # uniqueids=never
>> >>>     charondebug="cfg 2, dmn 2, ike 2, net 2"
>> >>>
>> >>> conn %default
>> >>>     ikelifetime=60m
>> >>>     keylife=20m
>> >>>     rekeymargin=3m
>> >>>     keyingtries=1
>> >>>     #note iOS, Android, xauth-pam are all ikev1!
>> >>>     keyexchange=ike
>> >>>
>> >>> conn roadwarrior
>> >>>     #vpn server
>> >>>     left=xxx.xxx.xxx.xxx
>> >>>     #allow full tunneling
>> >>>     leftsubnet=0.0.0.0/0
>> >>>     right=%any
>> >>>     rightauth=pubkey
>> >>>     #assign ip addr from this pool
>> >>>     rightsourceip=xxx.xx.xx.0/24
>> >>>     auto=add
>> >>> _______________________________________________
>> >>> Users mailing list
>> >>> Users at lists.strongswan.org
>> >>> https://lists.strongswan.org/mailman/listinfo/users
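As an added example (not code from the thread, from strongSwan or from either poster), a small Python audit for the "no private key found" question above. In strongSwan 5.x charon loads private keys from the entries in /etc/ipsec.secrets (for instance `: RSA vpnHostKey.pem`), and a relative file name there is resolved under /etc/ipsec.d/private; the script parses such a file, resolves each key file the same way and reports a missing file or a mode other than 0600. The `base` argument and the sample secrets lines in the comments are assumptions for testing, not the poster's files.

```python
# Added example: check that the private keys named in an ipsec.secrets file are
# where charon will look for them and are readable by root only (mode 0600).
# Assumption (strongSwan 5.x convention): relative file names in ipsec.secrets
# resolve under <base>/private, with <base> = /etc/ipsec.d by default.
import os
import stat


def parse_secrets(text):
    """Return (keytype, filename) for each private-key entry such as ': RSA vpnHostKey.pem'.

    PSK lines (e.g. '%any : PSK "..."') are skipped; '#' starts a comment.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        _selectors, _, rhs = line.partition(":")   # selectors (if any) precede the colon
        parts = rhs.split()
        if len(parts) >= 2 and parts[0] in ("RSA", "ECDSA"):
            entries.append((parts[0], parts[1].strip('"')))
    return entries


def check_key_file(filename, base="/etc/ipsec.d"):
    """Resolve filename the way charon does; return (path, list_of_problems)."""
    path = filename if os.path.isabs(filename) else os.path.join(base, "private", filename)
    if not os.path.isfile(path):
        return path, ["missing"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):       # any group/other bit set
        problems.append("mode %o is group/world accessible; expected 0600" % mode)
    return path, problems


def audit(secrets_text, base="/etc/ipsec.d"):
    """Map each key file named in ipsec.secrets to (resolved path, problems)."""
    return {fn: check_key_file(fn, base) for _, fn in parse_secrets(secrets_text)}


if __name__ == "__main__":
    import sys
    secrets_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ipsec.secrets"
    with open(secrets_path) as fh:
        for fn, (path, problems) in audit(fh.read()).items():
            print(fn, "->", path, "OK" if not problems else "; ".join(problems))
```

Run it as root against the real ipsec.secrets; a key that the certificate needs but that appears in no entry, or that fails a check, is exactly what charon reports as "no private key found".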