[strongSwan] trying to get basic pubkey strongswan connection with certificates up and running

Noel Kuntze noel at familie-kuntze.de
Sun Sep 14 13:15:45 CEST 2014



Hello Cindy,

The "or" in my previous message was an exclusive or.
Meaning, set either of these.
Can you show me your "ipsec listcerts"?
Also, if the key is encrypted, you need to provide the passphrase for it in /etc/ipsec.secrets.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 14.09.2014 at 07:57, Cindy Moore wrote:
> OK, I am now spotting this in the syslog, but I'm a bit at a loss... I
> have this private file (vpnHostKey.pem) set to 600.  How can I find
> out where it's looking for the private key?  I have all mine in
> /etc/ipsec.d/private (see below)...
>
> Sep 13 22:42:47 vpn charon: 15[IKE] no private key found for 'C=CH, O=strongSwan, CN=vpn.example.com'
>
> ipsec.conf is now:
>
> config setup
>   charondebug="cfg 2, dmn 2, ike 2, net 2"
>
> conn %default
>   ikelifetime=60m
>   keylife=20m
>   rekeymargin=3m
>   keyingtries=1
>   keyexchange=ike
>   leftcert=vpnHostCert.pem
>   leftid="C=CH, O=strongSwan, CN=vpn.example.com"
>
> conn roadwarrior
>   #vpn server
>   left=137.110.222.66
>   #allow full tunneling
>   leftsubnet=0.0.0.0/0
>   right=%any
>   rightid=%any
>   rightauth=pubkey
>   #rightauth2=xauth-pam
>   #assign ip addr from this pool
>   rightsourceip=xxx.xx.xxx.0/24
>   auto=add
>
> and
>
> root at vpn:/etc/ipsec.d# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-35-generic, x86_64):
>   uptime: 2 days, since Sep 11 14:16:36 2014
>   malloc: sbrk 2568192, mmap 0, used 429616, free 2138576
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: charon test-vectors ldap aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hk
> Virtual IP pools (size/online/offline):
>   xxx.xx.xxx.0/24: 254/0/0
> Listening IP addresses:
>   xxx.xxx.xxx.xxx
>   (ipv6 deleted)
> Connections:
>  roadwarrior:  xxx.xxx.xxx.xxx...%any  IKEv1/2
>  roadwarrior:   local:  [C=CH, O=strongSwan, CN=vpn.example.com] uses public key authentication
>  roadwarrior:    cert:  "C=CH, O=strongSwan, CN=vpn.example.com"
>  roadwarrior:   remote: uses public key authentication
>  roadwarrior:   child:  0.0.0.0/0 === dynamic TUNNEL
> Security Associations (0 up, 0 connecting):
>   none
>
> and...
>
> root at vpn:/etc/ipsec.d# ls -F
> aacerts/  acerts/  cacerts/  certs/  crls/  ocspcerts/  policies/
> private/  README  reqs/
> root at vpn:/etc/ipsec.d# ls -lt private/
> total 12
> -rw------- 1 root root 1679 Sep 13 22:19 moiKey.pem
> -rw------- 1 root root 1675 Sep 13 22:18 vpnHostKey.pem
> -rw------- 1 root root 3243 Sep 11 00:39 strongswanKey.pem
>
> thanks!
>
> On Sat, Sep 13, 2014 at 11:52 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>
> Hello Cindy,
>
> Please set the leftid to "C=CH, O=strongSwan, CN=vpn.example.com" or set leftcert to the file name of your server certificate.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> On 13.09.2014 at 16:17, Cindy Moore wrote:
> >>> Ah, thank you for the Network Manager explanation.  I thought that
> >>> was very strange.  I didn't realize it didn't run with root
> >>> privileges.
> >>>
> >>> As for the ipsec.conf file, it is fine.  It is the email client that
> >>> destroys how it is formatted when I send it out, so you guys can't see
> >>> how it looks but
> >>>
> >>> root at vpn:/etc# ipsec statusall
> >>> Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-35-generic, x86_64):
> >>>   uptime: 40 hours, since Sep 11 14:16:36 2014
> >>>   malloc: sbrk 2568192, mmap 0, used 416528, free 2151664
> >>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
> >>>   loaded plugins: charon test-vectors ldap aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hk
> >>> Virtual IP pools (size/online/offline):
> >>>   xxx.xx.xxx.0/24: 254/0/0
> >>> Listening IP addresses:
> >>>   xxx.xxx.xxx.xxx
> >>>  (ipv6 address deleted)
> >>> Connections:
> >>>  roadwarrior:  xxx.xxx.xxx.xxx...%any  IKEv1/2
> >>>  roadwarrior:   local:  [vpn.example.com] uses public key authentication
> >>>  roadwarrior:    cert:  "C=CH, O=strongSwan, CN=vpn.example.com"
> >>>  roadwarrior:   remote: uses public key authentication
> >>>  roadwarrior:   child:  0.0.0.0/0 === dynamic TUNNEL
> >>> Security Associations (0 up, 0 connecting):
> >>>   none
> >>>
> >>>
> >>> Thanks,
> >>>
> >>>
> >>> On Sat, Sep 13, 2014 at 3:24 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >>>>
> >>> Hello Cindy,
> >>>
> >>> As network manager doesn't run as your user, you need to give
> >>> it access to the certificate and the private key in your home directory.
> >>> You can do this by changing the group of those files to a group
> >>> the network manager user is in and giving said group read
> >>> access to the file and execute access down the path to said files.
> >>>
> >>> Yes, the error message indicates a configuration mismatch
> >>> between the server and the client.
> >>>
> >>> I think you need to indent the section parameters with a tab for strongSwan to read them correctly.
> >>> Check with "ipsec statusall", if it correctly read all the conn definitions.
> >>>
> >>> Mit freundlichen Grüßen/Regards,
> >>> Noel Kuntze
> >>>
> >>> GPG Key ID: 0x63EC6658
> >>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >>> On 13.09.2014 at 00:05, Cindy Moore wrote:
> >>>>>> Hi, I'm hoping I can get some tips or direction here, because I've
> >>>>>> been banging my head on this for a while.
> >>>>>>
> >>>>>> I have strongswan 5 installed on ubuntu 14.04 with all the latest updates, etc:
> >>>>>> root at vpn:/etc# ipsec version
> >>>>>> Linux strongSwan U5.1.2/K3.13.0-35-generic
> >>>>>>
> >>>>>> This part seems to be functioning fine.  I've used the ipsec pki to
> >>>>>> generate a vpn cacert, and then a couple of certs to test things with.
> >>>>>> (For reference, I've included the steps I took to create those below,
> >>>>>> along with my ipsec.conf)
> >>>>>>
> >>>>>> All I want is to set up a connection between two machines, both
> >>>>>> running 14.04.  "vpn" is a server install, client is a desktop
> >>>>>> install.  I've installed the network-manager-strongswan (version
> >>>>>> 1.3.0-1ubuntu1) and restarted the network manager.  I've tried to
> >>>>>> configure it as per
> >>>>>> https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager
> >>>>>> but there are already some differences in what's shown and what I get.
> >>>>>>
> >>>>>> Instead of Authentication, there is now Client, with Authentication
> >>>>>> under that (and additional options depending on what is chosen for
> >>>>>> Authentication.  The choices for Authentication are
> >>>>>> Certificate/private key, Certificate/ssh-agent, Smartcard, EAP.  I
> >>>>>> have questions about the ssh-agent, but I'll tabulate those for now.
> >>>>>> Anyway, so when I choose Certificate/private key, I get two more
> >>>>>> options below Authentication, which are Certificate and Private key.
> >>>>>>
> >>>>>> So for Gateway, I've got down vpn.example.com (name changed to protect
> >>>>>> guilty of course :) )
> >>>>>> and for Certificate, I have vpnHostCert.pem (see below).  For
> >>>>>> Authentication, Certificate/private key, for Certificate, moiCert.pem
> >>>>>> (see below) and for private key moiKey.pem (see below). I've checked
> >>>>>> the options to request an inner IP address, and to enforce udp
> >>>>>> encapsulation, but have left the ip compression unchecked.
> >>>>>>
> >>>>>> Under the General and IPv4 settings, I've left the latter to the
> >>>>>> default Automatic (VPN), for the former, I've tried both checking and
> >>>>>> unchecking "all users may connect..."
> >>>>>>
> >>>>>> [NB: I find that I MUST have all .pem files set to 644 and any
> >>>>>> directory along their path to 755 or else Network Manager stalls with
> >>>>>> asking me for a password and the client's syslog contains "charon-nm:
> >>>>>> 15[LIB] opening 'path/to/moiKey.pem' failed: Permission denied", which
> >>>>>> strikes me as rather strange: to force a private key to be readable??
> >>>>>> In this case client is a personal laptop so maybe not that bad, but
> >>>>>> really?]
> >>>>>>
> >>>>>> In following the syslog output on the vpn host, I see:
> >>>>>>
> >>>>>> Sep 12 14:42:02 vpn charon: 04[CFG] looking for peer configs matching xxx.xxx.xxx.xxx[C=CH, O=strongSwan, CN=vpn.example.com]...<client's current IP addr>[C=CH, O=strongSwan, CN=moi]
> >>>>>> Sep 12 14:42:02 vpn charon: 04[CFG] no matching peer config found
> >>>>>>
> >>>>>> so my guess is the conn roadwarrior (see below) isn't properly configured?
> >>>>>>
> >>>>>> I would appreciate any help... getting this configured has been a huge
> >>>>>> headache.  Thanks.
> >>>>>>
> >>>>>> --------------
> >>>>>> Background info/files:
> >>>>>>
> >>>>>> CAcert/key:
> >>>>>>
> >>>>>> $ cd /etc/ipsec.d/
> >>>>>> $ ipsec pki --gen --type rsa --size 4096 \
> >>>>>> --outform pem \
> >>>>>> > private/strongswanKey.pem
> >>>>>> $ chmod 600 private/strongswanKey.pem
> >>>>>> $ ipsec pki --self --ca --lifetime 3650 \
> >>>>>> --in private/strongswanKey.pem --type rsa \
> >>>>>> --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \
> >>>>>> --outform pem \
> >>>>>>> cacerts/strongswanCert.pem
> >>>>>>
> >>>>>> vpnHostKey/Cert:
> >>>>>>
> >>>>>> $ cd /etc/ipsec.d/
> >>>>>> $ ipsec pki --gen --type rsa --size 2048 \
> >>>>>> --outform pem \
> >>>>>> > private/vpnHostKey.pem
> >>>>>> $ chmod 600 private/vpnHostKey.pem
> >>>>>> $ ipsec pki --pub --in private/vpnHostKey.pem --type rsa | \
> >>>>>> ipsec pki --issue --lifetime 730 \
> >>>>>> --cacert cacerts/strongswanCert.pem \
> >>>>>> --cakey private/strongswanKey.pem \
> >>>>>> --dn "C=CH, O=strongSwan, CN=vpn.example.com" \
> >>>>>> --san vpn.example.com \
> >>>>>> --flag serverAuth --flag ikeIntermediate \
> >>>>>> --outform pem > certs/vpnHostCert.pem
> >>>>>>
> >>>>>> Client cert/key:
> >>>>>>
> >>>>>> $ cd /etc/ipsec.d/
> >>>>>> $ ipsec pki --gen --type rsa --size 2048 \
> >>>>>> --outform pem \
> >>>>>> > private/moiKey.pem
> >>>>>> $ chmod 600 private/moiKey.pem
> >>>>>> $ ipsec pki --pub --in private/moiKey.pem --type rsa | \
> >>>>>> ipsec pki --issue --lifetime 730 \
> >>>>>> --cacert cacerts/strongswanCert.pem \
> >>>>>> --cakey private/strongswanKey.pem \
> >>>>>> --dn "C=CH, O=strongSwan, CN=moi" \
> >>>>>> --san moi \
> >>>>>> --outform pem > certs/moiCert.pem
> >>>>>>
> >>>>>> ("moi" is just a standin for my personal uid)
> >>>>>>
> >>>>>> ipsec.conf (note that this email client is munging the tabs, but ipsec
> >>>>>> reload is perfectly happy with this conf file's syntax)
> >>>>>>
> >>>>>> config setup
> >>>>>>   # uniqueids=never
> >>>>>>   charondebug="cfg 2, dmn 2, ike 2, net 2"
> >>>>>>
> >>>>>> conn %default
> >>>>>>   ikelifetime=60m
> >>>>>>   keylife=20m
> >>>>>>   rekeymargin=3m
> >>>>>>   keyingtries=1
> >>>>>>   #note iOS, Android, xauth-pam are all ikev1!
> >>>>>>   keyexchange=ike
> >>>>>>
> >>>>>> conn roadwarrior
> >>>>>>   #vpn server
> >>>>>>   left=xxx.xxx.xxx.xxx
> >>>>>>   #allow full tunneling
> >>>>>>   leftsubnet=0.0.0.0/0
> >>>>>>   right=%any
> >>>>>>   rightauth=pubkey
> >>>>>>   #assign ip addr from this pool
> >>>>>>   rightsourceip=xxx.xx.xx.0/24
> >>>>>>   auto=add
> >>>>>> _______________________________________________
> >>>>>> Users mailing list
> >>>>>> Users at lists.strongswan.org
> >>>>>> https://lists.strongswan.org/mailman/listinfo/users

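Added example, not code from the thread or from the strongSwan project. The log line Cindy posted ("no private key found for 'C=CH, O=strongSwan, CN=vpn.example.com'") and Noel's hint about ipsec.secrets come down to one check: charon loads only the private keys that ipsec.secrets lists (a ": RSA <file>" line, with the passphrase after the file name if the key is encrypted), and a relative file name there is resolved against /etc/ipsec.d/private; a key that merely sits in that directory with mode 600 is never read. The script below parses an ipsec.conf the way starter does (section headers at column 0, indented parameter lines, conn %default folded into every other conn, which is what Noel's tab remark is about), parses ipsec.secrets, and reports the conns whose leftcert has no loadable key. The config text, the two ipsec.secrets variants and the directory listings are constructed from the thread; the script reads nothing from the running system, and it does not verify that the key actually matches the certificate (that needs a public-key comparison, for instance with openssl, which is outside this example).

```python
"""Added example (not from the strongSwan thread or project): check whether
charon would find a private key for each pubkey conn in an ipsec.conf.

Relies on two strongSwan facts: starter requires parameter lines to be
indented under their section header, and charon loads only the private keys
listed in ipsec.secrets (": RSA <file> [passphrase]"), resolving relative
names against /etc/ipsec.d/private.  All inputs below are constructed.
"""
import re

SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")
# ": RSA file [passphrase]" or "<selectors> : RSA file"; quotes are optional
SECRET_RE = re.compile(r'^(?P<sel>[^:]*):\s*(?P<type>RSA|ECDSA|PKCS8)\s+"?(?P<file>[^"\s]+)"?')


def parse_ipsec_conf(text):
    """Return ({conn_name: merged params}, [errors]); conn %default is folded
    into every other conn the way starter does it."""
    sections, errors, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # comments run to end of line
        if not line.strip():
            continue
        header = SECTION_RE.match(line)
        if header:
            current = (header.group(1), header.group(2))
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            errors.append(f"line {lineno}: neither a section header nor key=value")
            continue
        if not raw[0].isspace():   # starter rejects unindented parameters
            errors.append(f"line {lineno}: parameter {line.strip()!r} is not indented")
        if current is None:
            errors.append(f"line {lineno}: parameter before any section")
            continue
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip().strip('"')
    default = sections.get(("conn", "%default"), {})
    conns = {}
    for (kind, name), params in sections.items():
        if kind == "conn" and name != "%default":
            conns[name] = {**default, **params}
    return conns, errors


def parse_ipsec_secrets(text):
    """Return [(type, file)] for every private-key line in ipsec.secrets."""
    keys = []
    for raw in text.splitlines():
        m = SECRET_RE.match(raw.split("#", 1)[0].strip())
        if m:
            keys.append((m.group("type"), m.group("file")))
    return keys


def diagnose(conns, secret_keys, private_files, cert_files):
    """Return a list of findings; empty means every pubkey conn has a key to load."""
    findings = []
    for _, f in secret_keys:
        if f not in private_files:
            findings.append(f"ipsec.secrets lists {f!r} but it is not in /etc/ipsec.d/private")
    loaded = [f for _, f in secret_keys if f in private_files]
    for name, p in conns.items():
        if p.get("leftauth", "pubkey") != "pubkey":   # pubkey is the default
            continue
        cert = p.get("leftcert")
        if not cert:
            findings.append(f"conn {name}: pubkey authentication but no leftcert")
            continue
        if cert not in cert_files:
            findings.append(f"conn {name}: leftcert {cert!r} is not in /etc/ipsec.d/certs")
        if not loaded:
            ident = p.get("leftid", "<subject of " + cert + ">")  # no leftid: cert subject is used
            findings.append(f"conn {name}: ipsec.secrets lists no private key, so charon "
                            f"will log \"no private key found for '{ident}'\"")
    return findings


# --- constructed inputs, following the configuration posted in the thread ---
IPSEC_CONF = """\
config setup
  charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ike
  leftcert=vpnHostCert.pem
  leftid="C=CH, O=strongSwan, CN=vpn.example.com"

conn roadwarrior
  left=192.0.2.1   # constructed gateway address (TEST-NET-1)
  leftsubnet=0.0.0.0/0
  right=%any
  rightauth=pubkey
  rightsourceip=10.0.0.0/24   # pool address constructed for the example
  auto=add
"""
SECRETS_BEFORE = "# /etc/ipsec.secrets with no key entry at all\n"
SECRETS_AFTER = ": RSA vpnHostKey.pem\n"   # add the passphrase after the name if the key is encrypted
PRIVATE_DIR = ["moiKey.pem", "vpnHostKey.pem", "strongswanKey.pem"]   # ls /etc/ipsec.d/private
CERTS_DIR = ["vpnHostCert.pem", "moiCert.pem"]                         # ls /etc/ipsec.d/certs


def check(secrets_text):
    """Parse the constructed ipsec.conf and the given ipsec.secrets, return all findings."""
    conns, errors = parse_ipsec_conf(IPSEC_CONF)
    return errors + diagnose(conns, parse_ipsec_secrets(secrets_text), PRIVATE_DIR, CERTS_DIR)


if __name__ == "__main__":
    for label, text in (("before", SECRETS_BEFORE), ("after", SECRETS_AFTER)):
        print(label, check(text) or ["ok"])
```

Run as-is it shows both outcomes: with an ipsec.secrets that carries no key line you get the finding that reproduces the log message, and after adding ": RSA vpnHostKey.pem" the list is empty. On a real gateway, ipsec listcerts (which Noel asked for) prints each loaded certificate and marks the ones for which charon found a matching private key, so run it after editing ipsec.secrets and ipsec rereadsecrets.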




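Added example, not from the thread. Cindy's note that the key had to be 644 and every directory on its path 755 before charon-nm could open it, and Noel's reply that NetworkManager runs as a different user so the files' group should be changed to one that user is in, with read access for the group on the files and search (execute) access down the path, describe an ordinary discretionary-access-control problem. The script below emulates the owner/group/other check component by component, so it can show why a 700 home directory blocks the open, why the 644/755 workaround also lets every other local user read the private key, and why 710 on the path plus 640 on the key with the right group does not. Assumptions, labelled in the code: only the classic mode bits are evaluated (no ACLs, no CAP_DAC_READ_SEARCH), the NetworkManager user gets a constructed uid, and because chgrp needs privileges the group step is emulated by putting that user into the files' existing group; everything happens in a throw-away temporary directory.

```python
"""Added example (not from the strongSwan thread): emulate the permission
check behind "opening '.../moiKey.pem' failed: Permission denied" when
charon-nm runs as a different user than the desktop login.

Assumptions: classic owner/group/other bits only (no ACLs, no capabilities);
NM_UID is a constructed uid; the group fix is emulated by giving that uid the
files' existing group, since chgrp to another group needs privileges.
"""
import os
import stat
import tempfile

NM_UID = 424242        # constructed uid for the user charon-nm runs as (assumption)
STRANGER_UID = 424243  # constructed uid for some other local user (assumption)


def _read_and_search(st, uid, gids):
    """(read, execute/search) bits that apply to (uid, gids) on this inode."""
    m = st.st_mode
    if uid == st.st_uid:
        return bool(m & stat.S_IRUSR), bool(m & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(m & stat.S_IRGRP), bool(m & stat.S_IXGRP)
    return bool(m & stat.S_IROTH), bool(m & stat.S_IXOTH)


def explain_open(path, uid, gids, top="/"):
    """Return None if (uid, gids) can open `path` for reading, otherwise the
    first thing that blocks it: a directory below `top` without search (x)
    permission, or the file itself without read permission.  `top` must be
    an ancestor of `path` and is assumed searchable."""
    path, current = os.path.realpath(path), os.path.realpath(top)
    rel = os.path.relpath(path, current)
    for comp in rel.split(os.sep)[:-1]:
        current = os.path.join(current, comp)
        if not _read_and_search(os.stat(current), uid, gids)[1]:
            return f"no search (x) permission on directory {current}"
    if not _read_and_search(os.stat(path), uid, gids)[0]:
        return f"no read permission on {path}"
    return None


def compare_fixes():
    """Build a throw-away home directory holding a fake private key and return
    {scenario: explain_open(...)} for the NetworkManager user and a stranger."""
    results = {}
    with tempfile.TemporaryDirectory() as home:
        parent = os.path.dirname(home)
        vpn = os.path.join(home, ".vpn")
        os.mkdir(vpn)
        key = os.path.join(vpn, "moiKey.pem")
        with open(key, "w") as f:   # constructed placeholder, not a real key
            f.write("-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n")
        files_group = {os.stat(p).st_gid for p in (home, vpn, key)}

        # 1. a normal private home (700) and key (600): charon-nm is blocked
        for p, mode in ((home, 0o700), (vpn, 0o700), (key, 0o600)):
            os.chmod(p, mode)
        results["private"] = explain_open(key, NM_UID, set(), top=parent)

        # 2. the workaround from the thread: 755 on the path, 644 on the key;
        #    charon-nm can read the key, but so can every other local user
        for p, mode in ((home, 0o755), (vpn, 0o755), (key, 0o644)):
            os.chmod(p, mode)
        results["world_readable_nm"] = explain_open(key, NM_UID, set(), top=parent)
        results["world_readable_stranger"] = explain_open(key, STRANGER_UID, set(), top=parent)

        # 3. group fix: search for the group on the path, read for the group
        #    on the key, nothing for others; the NM user is in the files' group
        for p, mode in ((home, 0o710), (vpn, 0o710), (key, 0o640)):
            os.chmod(p, mode)
        results["group_fix_nm"] = explain_open(key, NM_UID, files_group, top=parent)
        results["group_fix_stranger"] = explain_open(key, STRANGER_UID, set(), top=parent)
    return results


if __name__ == "__main__":
    for scenario, outcome in compare_fixes().items():
        print(f"{scenario:25s} {outcome or 'can open'}")
```

The real-world counterpart of scenario 3 is chgrp to a group the charon-nm user belongs to, chmod 710 on each directory from the home directory down to the key, and chmod 640 on the key; namei -l /path/to/moiKey.pem shows which path component is actually denying the open.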