[strongSwan] trying to get basic pubkey strongswan connection with certificates up and running
Cindy Moore
ctmoore at cs.ucsd.edu
Mon Sep 15 05:55:14 CEST 2014
I don't know why it caches old ones (I've redone some of them because
of typos and such, and I can't find anything to remove these
extra ones o.O -- maybe this is the problem?)
root at vpn:/etc# ipsec listcerts
List of X.509 End Entity Certificates:
altNames: moi
subject: "C=CH, O=strongSwan, CN=moi"
issuer: "C=CH, O=strongSwan, CN=strongSwan Root CA"
serial: 3d:70:d0:89:e8:99:b8:40
validity: not before Sep 14 20:12:14 2014, ok
not after Sep 13 20:12:14 2016, ok
pubkey: RSA 2048 bits
keyid: 48:59:8c:9e:f3:be:3f:ee:7c:c3:76:71:ed:85:c1:bb:fb:a1:9b:0e
subjkey: 3b:1d:40:6d:2d:fb:bc:3b:b6:43:8c:04:35:c2:5a:ce:ed:09:13:72
authkey: d2:2f:8c:6c:da:eb:1c:59:4e:e0:0b:46:57:0d:5e:e3:a7:2a:99:d6
altNames: vpn.example.com
subject: "C=CH, O=strongSwan, CN=vpn.example.com"
issuer: "C=CH, O=strongSwan, CN=strongSwan Root CA"
serial: 2f:c2:6e:7b:e9:2b:a0:2c
validity: not before Sep 14 20:11:41 2014, ok
not after Sep 13 20:11:41 2016, ok
pubkey: RSA 2048 bits
keyid: 15:2b:b8:df:df:03:d7:21:f5:8f:33:21:f3:82:d9:bf:a4:ba:57:65
subjkey: 3e:42:26:fc:36:24:7c:6e:7d:1b:40:f0:30:50:ae:89:84:14:09:62
authkey: d2:2f:8c:6c:da:eb:1c:59:4e:e0:0b:46:57:0d:5e:e3:a7:2a:99:d6
altNames: vpn.example.com
subject: "C=CH, O=strongSwan, CN=vpn.example.com"
issuer: "C=CH, O=strongSwan, CN=strongSwan Root CA"
serial: 96:41:c5:da:2c:a8:ad:d3
validity: not before Sep 13 22:18:37 2014, ok
not after Sep 12 22:18:37 2016, ok
pubkey: RSA 2048 bits
keyid: 15:2b:b8:df:df:03:d7:21:f5:8f:33:21:f3:82:d9:bf:a4:ba:57:65
subjkey: 3e:42:26:fc:36:24:7c:6e:7d:1b:40:f0:30:50:ae:89:84:14:09:62
authkey: d2:2f:8c:6c:da:eb:1c:59:4e:e0:0b:46:57:0d:5e:e3:a7:2a:99:d6
altNames: vpn.example.com, vpn.zeitgeist.se
subject: "C=CH, O=strongSwan, CN=vpn.example.com"
issuer: "C=CH, O=strongSwan, CN=strongSwan Root CA"
serial: 54:e3:01:d5:c9:11:24:5d
validity: not before Sep 11 01:13:34 2014, ok
not after Sep 10 01:13:34 2016, ok
pubkey: RSA 2048 bits
keyid: f5:27:1b:2c:16:c7:d2:61:cf:63:78:29:d2:cf:98:84:fc:2a:cf:a0
subjkey: 01:22:8c:82:15:ba:9c:de:d6:82:bc:67:24:dd:2c:23:04:4a:34:17
authkey: d2:2f:8c:6c:da:eb:1c:59:4e:e0:0b:46:57:0d:5e:e3:a7:2a:99:d6
Current ipsec.conf:
config setup
charondebug="cfg 2, dmn 2, ike 2, net 2"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ike
leftcert=vpnHostCert.pem
leftid="C=CH, O=strongSwan, CN=vpn.example.com"
conn roadwarrior
left=xxx.xxx.xxx.xxx
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=pubkey
rightsourceip=xxx.xx.xxx.0/24
auto=add
And then this is the relevant portion from vpn.example.com's syslog:
Sep 14 20:47:56 vpn charon: 08[CFG] selected peer config 'roadwarrior'
Sep 14 20:47:56 vpn charon: 08[CFG] using certificate "C=CH,
O=strongSwan, CN=moi"
Sep 14 20:47:56 vpn charon: 08[CFG] certificate "C=CH, O=strongSwan,
CN=moi" key: 2048 bit RSA
Sep 14 20:47:56 vpn charon: 08[CFG] using trusted ca certificate
"C=CH, O=strongSwan, CN=strongSwan Root CA"
Sep 14 20:47:56 vpn charon: 08[CFG] checking certificate status of
"C=CH, O=strongSwan, CN=moi"
Sep 14 20:47:56 vpn charon: 08[CFG] ocsp check skipped, no ocsp found
Sep 14 20:47:56 vpn charon: 08[CFG] certificate status is not available
Sep 14 20:47:56 vpn charon: 08[CFG] certificate "C=CH, O=strongSwan,
CN=strongSwan Root CA" key: 4096 bit RSA
Sep 14 20:47:56 vpn charon: 08[CFG] reached self-signed root ca with
a path length of 0
Sep 14 20:47:56 vpn charon: 08[IKE] authentication of 'C=CH,
O=strongSwan, CN=moi' with RSA signature successful
Sep 14 20:47:56 vpn charon: 08[IKE] processing INTERNAL_IP4_ADDRESS attribute
Sep 14 20:47:56 vpn charon: 08[IKE] processing INTERNAL_IP4_DNS attribute
Sep 14 20:47:56 vpn charon: 08[IKE] processing INTERNAL_IP4_NBNS attribute
Sep 14 20:47:56 vpn charon: 08[IKE] peer supports MOBIKE
Sep 14 20:47:56 vpn charon: 08[IKE] no private key found for 'C=CH,
O=strongSwan, CN=vpn.example.com'
Sep 14 20:47:56 vpn charon: 08[ENC] generating IKE_AUTH response 1 [
N(AUTH_FAILED) ]
On Sun, Sep 14, 2014 at 4:15 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello Cindy,
>
> The "or" in my previous message was an exclusive or.
> Meaning, set either of these.
> Can you show me your "ipsec listcerts"?
> Also, if the key is encrypted, you need to provide the passphrase for it in /etc/ipsec.secrets.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> Am 14.09.2014 um 07:57 schrieb Cindy Moore:
>> OK, I am now spotting this in the syslog, but I'm a bit at a loss... I
>> have this private file (vpnHostKey.pem) set to 600. How can I find
>> out where it's lookign for the private key? I have all mine in
>> /etc/ipsec.d/private (see below)...
>>
>> Sep 13 22:42:47 vpn charon: 15[IKE] no private key found for 'C=CH,
>> O=strongSwan, CN=vpn.example.com'
>>
>> ipsec.conf is now:
>>
>> config setup
>> charondebug="cfg 2, dmn 2, ike 2, net 2"
>>
>> conn %default
>> ikelifetime=60m
>> keylife=20m
>> rekeymargin=3m
>> keyingtries=1
>> keyexchange=ike
>> leftcert=vpnHostCert.pem
>> leftid="C=CH, O=strongSwan, CN=vpn.example.com"
>>
>> conn roadwarrior
>> #vpn server
>> left=137.110.222.66
>> #allow full tunneling
>> leftsubnet=0.0.0.0/0
>> right=%any
>> rightid=%any
>> rightauth=pubkey
>> #rightauth2=xauth-pam
>> #assign ip addr from this pool
>> rightsourceip=xxx.xx.xxx.0/24
>> auto=add
>>
>> and
>>
>> root at vpn:/etc/ipsec.d# ipsec statusall
>> Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-35-generic, x86_64):
>> uptime: 2 days, since Sep 11 14:16:36 2014
>> malloc: sbrk 2568192, mmap 0, used 429616, free 2138576
>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>> scheduled: 0
>> loaded plugins: charon test-vectors ldap aes rc2 sha1 sha2 md4 md5
>> random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem
>> openssl xcbc cmac hk
>> Virtual IP pools (size/online/offline):
>> xxx.xx.xxx.0/24: 254/0/0
>> Listening IP addresses:
>> xxx.xxx.xxx.xxx
>> (ipv6 deleted)
>> Connections:
>> roadwarrior: xxx.xxx.xxx.xxx...%any IKEv1/2
>> roadwarrior: local: [C=CH, O=strongSwan, CN=vpn.example.com] uses
>> public key authentication
>> roadwarrior: cert: "C=CH, O=strongSwan, CN=vpn.example.com"
>> roadwarrior: remote: uses public key authentication
>> roadwarrior: child: 0.0.0.0/0 === dynamic TUNNEL
>> Security Associations (0 up, 0 connecting):
>> none
>>
>> and...
>>
>> root at vpn:/etc/ipsec.d# ls -F
>> aacerts/ acerts/ cacerts/ certs/ crls/ ocspcerts/ policies/
>> private/ README reqs/
>> root at vpn:/etc/ipsec.d# ls -lt private/
>> total 12
>> -rw------- 1 root root 1679 Sep 13 22:19 moiKey.pem
>> -rw------- 1 root root 1675 Sep 13 22:18 vpnHostKey.pem
>> -rw------- 1 root root 3243 Sep 11 00:39 strongswanKey.pem
>>
>> thanks!
>>
>> On Sat, Sep 13, 2014 at 11:52 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>>
>> Hello Cindy,
>>
>> Please set the leftid to "C=CH, O=strongSwan, CN=vpn.example.com" or set leftcert to the file name of your server certificate.
>>
>> Mit freundlichen Grüßen/Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> Am 13.09.2014 um 16:17 schrieb Cindy Moore:
>> >>> Ah, thank you for the Network Manager explanation. I thought that
>> >>> was very strange. I didn't realize it didn't run with root
>> >>> privileges.
>> >>>
>> >>> As for the ipsec.conf file, it is fine. It is the email client that
>> >>> destroys how it is formatted when I send it out, so you guys can't see
>> >>> how it looks but
>> >>>
>> >>> root at vpn:/etc# ipsec statusall
>> >>> Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-35-generic, x86_64):
>> >>> uptime: 40 hours, since Sep 11 14:16:36 2014
>> >>> malloc: sbrk 2568192, mmap 0, used 416528, free 2151664
>> >>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>> >>> scheduled: 0
>> >>> loaded plugins: charon test-vectors ldap aes rc2 sha1 sha2 md4 md5
>> >>> random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem
>> >>> openssl xcbc cmac hk
>> >>> Virtual IP pools (size/online/offline):
>> >>> xxx.xx.xxx.0/24: 254/0/0
>> >>> Listening IP addresses:
>> >>> xxx.xxx.xxx.xxx
>> >>> (ipv6 address deleted)
>> >>> Connections:
>> >>> roadwarrior: xxx.xxx.xxx.xxx...%any IKEv1/2
>> >>> roadwarrior: local: [vpn.example.com] uses public key authentication
>> >>> roadwarrior: cert: "C=CH, O=strongSwan, CN=vpn.example.com"
>> >>> roadwarrior: remote: uses public key authentication
>> >>> roadwarrior: child: 0.0.0.0/0 === dynamic TUNNEL
>> >>> Security Associations (0 up, 0 connecting):
>> >>> none
>> >>>
>> >>>
>> >>> Thanks,
>> >>>
>> >>>
>> >>> On Sat, Sep 13, 2014 at 3:24 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>> >>>>
>> >>> Hello Cindy,
>> >>>
>> >>> As network manager doesn't run as your user, you need to give
>> >>> it access to the certificate and the private key in your home directory.
>> >>> You can do this by changing the group of those files to a group
>> >>> the network manager user is in and giving said group read
>> >>> access to the file and execute access down the path to said files.
>> >>>
>> >>> Yes, the error message indicates a configuration mismatch
>> >>> between the server and the client.
>> >>>
>> >>> I think you need to indent the section parameters with a tab for strongSwan to read them correctly.
>> >>> Check with "ipsec statusall", if it correctly read all the conn definitions.
>> >>>
>> >>> Mit freundlichen Grüßen/Regards,
>> >>> Noel Kuntze
>> >>>
>> >>> GPG Key ID: 0x63EC6658
>> >>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> >>> Am 13.09.2014 um 00:05 schrieb Cindy Moore:
>> >>>>>> Hi, I'm hoping I can get some tips or direction here, because I've
>> >>>>>> been banging my head on this for a while.
>> >>>>>>
>> >>>>>> I have strongswan 5 installed on ubuntu 14.04 with all the latest updates, etc:
>> >>>>>> root at vpn:/etc# ipsec version
>> >>>>>> Linux strongSwan U5.1.2/K3.13.0-35-generic
>> >>>>>>
>> >>>>>> This part seems to be functioning fine. I've used the ipsec pki to
>> >>>>>> generate a vpn cacert, and then a couple of certs to test things with.
>> >>>>>> (For reference, I've included the steps I took to create those below,
>> >>>>>> along with my ipsec.conf)
>> >>>>>>
>> >>>>>> All I want is to set up a connection between two machines, both
>> >>>>>> running 14.04. "vpn" is a server install, client is a desktop
>> >>>>>> install. I've installed the network-manager-strongswan (version
>> >>>>>> 1.3.0-1ubuntu1) and restarted the network manager. I've tried to
>> >>>>>> configure it as per
>> >>>>>> https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager
>> >>>>>> but there are already some differences in what's shown and what I get.
>> >>>>>>
>> >>>>>> Instead of Authentication, there is now Client, with Authentication
>> >>>>>> under that (and additional options depending on what is chosen for
>> >>>>>> Authentication. The choices for Authentication are
>> >>>>>> Certificate/private key, Certificate/ssh-agent, Smartcard, EAP. I
>> >>>>>> have questions about the ssh-agent, but I'll tabulate those for now.
>> >>>>>> Anyway, so when I choose Certificate/private key, I get two more
>> >>>>>> options below Authentication, which are Certificate and Private key.
>> >>>>>>
>> >>>>>> So for Gateway, I've got down vpn.example.com (name changed to protect
>> >>>>>> guilty of course :) )
>> >>>>>> and for Certificate, I have vpnHostCert.pem (see below). For
>> >>>>>> Authentication, Certifcate/private key, for Certificate, moiCert.pem
>> >>>>>> (see below) and for private key moiKey.pem (see below). I've checked
>> >>>>>> the options to request an inner IP address, and to enforce udp
>> >>>>>> encapsulation, but have left the ip compression unchecked.
>> >>>>>>
>> >>>>>> Under the General and IPv4 settings, I've left the latter to the
>> >>>>>> deafult Automatic (VPN), for the former, I've tried both checking and
>> >>>>>> unchecking "all users may connect..."
>> >>>>>>
>> >>>>>> [NB: I find that I MUST have all .pem files set to 644 and any
>> >>>>>> directory along their path to 755 or else Network Manager stalls with
>> >>>>>> asking me for a password and the client's syslog contains "charon-nm:
>> >>>>>> 15[LIB] opening 'path/to/moiKey.pem' filed: Permission denied", which
>> >>>>>> strikes me as rather strange: to force a private key to be readable??
>> >>>>>> In this case client is a personal laptop so maybe not that bad, but
>> >>>>>> really?]
>> >>>>>>
>> >>>>>> In following the syslog output on the vpn host, I see:
>> >>>>>>
>> >>>>>> Sep 12 14:42:02 vpn charon: 04[CFG] looking for peer configs matching
>> >>>>>> xxx.xxx.xxx.xxx[C=CH, O=strongSwan, CN=vpn.example.com]...<client's
>> >>>>>> current IP addr>[C=CH, O=strongSwan, CN=moi]
>> >>>>>> Sep 12 14:42:02 vpn charon: 04[CFG] no matching peer config found
>> >>>>>>
>> >>>>>> so my guess is the conn roadwarrior (see below) isn't properly configured?
>> >>>>>>
>> >>>>>> I would appreciate any help... getting this configured has been a huge
>> >>>>>> headache. Thanks.
>> >>>>>>
>> >>>>>> --------------
>> >>>>>> Background info/files:
>> >>>>>>
>> >>>>>> CAcert/key:
>> >>>>>>
>> >>>>>> $ cd /etc/ipsec.d/
>> >>>>>> $ ipsec pki --gen --type rsa --size 4096 \
>> >>>>>> --outform pem \
>> >>>>>>> private/strongswanKey.pem
>> >>>>>> $ chmod 600 private/strongswanKey.pem
>> >>>>>> $ ipsec pki --self --ca --lifetime 3650 \
>> >>>>>> --in private/strongswanKey.pem --type rsa \
>> >>>>>> --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \
>> >>>>>> --outform pem \
>> >>>>>>> cacerts/strongswanCert.pem
>> >>>>>>
>> >>>>>> vpnHostKey/Cert:
>> >>>>>>
>> >>>>>> $ cd /etc/ipsec.d/
>> >>>>>> $ ipsec pki --gen --type rsa --size 2048 \
>> >>>>>> --outform pem \
>> >>>>>>> private/vpnHostKey.pem
>> >>>>>> $ chmod 600 private/vpnHostKey.pem
>> >>>>>> $ ipsec pki --pub --in private/vpnHostKey.pem --type rsa | \
>> >>>>>> ipsec pki --issue --lifetime 730 \
>> >>>>>> --cacert cacerts/strongswanCert.pem \
>> >>>>>> --cakey private/strongswanKey.pem \
>> >>>>>> --dn "C=CH, O=strongSwan, CN=vpn.example.com" \
>> >>>>>> --san vpn.example.com \
>> >>>>>> --flag serverAuth --flag ikeIntermediate \
>> >>>>>> --outform pem > certs/vpnHostCert.pem
>> >>>>>>
>> >>>>>> Client cert/key:
>> >>>>>>
>> >>>>>> $ cd /etc/ipsec.d/
>> >>>>>> $ ipsec pki --gen --type rsa --size 2048 \
>> >>>>>> --outform pem \
>> >>>>>>> private/moiKey.pem
>> >>>>>> $ chmod 600 private/moiKey.pem
>> >>>>>> $ ipsec pki --pub --in private/moiKey.pem --type rsa | \
>> >>>>>> ipsec pki --issue --lifetime 730 \
>> >>>>>> --cacert cacerts/strongswanCert.pem \
>> >>>>>> --cakey private/strongswanKey.pem \
>> >>>>>> --dn "C=CH, O=strongSwan, CN=moi" \
>> >>>>>> --san moi \
>> >>>>>> --outform pem > certs/moiCert.pem
>> >>>>>>
>> >>>>>> ("moi" is just a standin for my personal uid)
>> >>>>>>
>> >>>>>> ipsec.conf (note that this email client is munging the tabs, but ipsec
>> >>>>>> reload is perfectly happy with this conf file's syntax)
>> >>>>>>
>> >>>>>> config setup
>> >>>>>> # uniqueids=never
>> >>>>>> charondebug="cfg 2, dmn 2, ike 2, net 2"
>> >>>>>>
>> >>>>>> conn %default
>> >>>>>> ikelifetime=60m
>> >>>>>> keylife=20m
>> >>>>>> rekeymargin=3m
>> >>>>>> keyingtries=1
>> >>>>>> #note iOS, Android, xauth-pam are all ikev1!
>> >>>>>> keyexchange=ike
>> >>>>>>
>> >>>>>> conn roadwarrior
>> >>>>>> #vpn server
>> >>>>>> left=xxx.xxx.xxx.xxx
>> >>>>>> #allow full tunneling
>> >>>>>> leftsubnet=0.0.0.0/0
>> >>>>>> right=%any
>> >>>>>> rightauth=pubkey
>> >>>>>> #assign ip addr from this pool
>> >>>>>> rightsourceip=xxx.xx.xx.0/24
>> >>>>>> auto=add
>> >>>>>> _______________________________________________
>> >>>>>> Users mailing list
>> >>>>>> Users at lists.strongswan.org
>> >>>>>> https://lists.strongswan.org/mailman/listinfo/users
>> >>>
>> >>>>
>> >>>> _______________________________________________
>> >>>> Users mailing list
>> >>>> Users at lists.strongswan.org
>> >>>> https://lists.strongswan.org/mailman/listinfo/users
>>
>>>
>>>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQIcBAEBCAAGBQJUFXjhAAoJEDg5KY9j7GZYZsQP/0ENZlcTwN3T4HUIN87AQWFT
> TtKR0GKBt0vY/UhduNLSYb642dYRI8AXwrTQJe5rwW/3Zy9U9B2z26rRmKUJxS55
> f9lFHRHSBYfJCzYW2ZfybsAVx7ESKRxqENaa7jI/KMCDE0KpAMAM3Jg0zomYCRpp
> BVD8fQKCxp0Mp15Fs1N8H283jIDZBuw3QL9EOE/rooWVKetXXVTMDurB3Woafr7v
> zNrclFEgH/a0KhFEPGL+9twttDA93DonQcAfQoIez1bsxEhCO77NgLpLL7DF72+U
> xorr4ENHycl1fhANmFfnH0sgMy/lU6t31JCi4IHVd8Sz2gz3UyV3c1FgzBPjgAfh
> CsbavAjYcYuI2jVGcw3/vRyMvCgYdgrQBemV21sp8E9K2fOuVKYip05wWzJrYxwP
> KX5FnMnDrVbMTUcoRLNpKiHwS+OI7onIDdSAJpjh0mBC2tlqcWvVt+HvXkinygIK
> +L3gGXZDVMhmySGUyZgI2zfTJVB7ULUTt8QjI9jtuKiVA7z0cmniKEMarIS8qWMS
> loCG3HkdNKYZ6kNNaWT3eG3rjMIxH/jpwb7hLK/LcbxlXc0atQ2Z0KK5HlGugO63
> z8V+GvDuTvB+wYp7Z2KbAWYyLihVKqKwdXpV4dZDvbmi7ZTQceHiJPqB32icXw/n
> mOw843hs9NAi4XYm33zs
> =Wsrr
> -----END PGP SIGNATURE-----
>
>
More information about the Users
mailing list