[strongSwan] Query on client authentication using EAP-TLS
Akash Deep
everakash at gmail.com
Mon Feb 23 13:28:16 CET 2015
Hi,
I am trying to run EAP-TLS client authentication with a Diameter server.
strongSwan is failing the EAP-TLS method.
*Strongswan log:*
initiating IKE_SA init_nai_v4_v4_tls[1] to 122.122.122.120
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 157.121.121.190[500] to 122.122.122.120[500] (708 bytes)
received packet: from 122.122.122.120[500] to 157.121.121.190[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_1024
initiating IKE_SA init_nai_v4_v4_tls[1] to 122.122.122.120
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 157.121.121.190[500] to 122.122.122.120[500] (580 bytes)
received packet: from 122.122.122.120[500] to 157.121.121.190[500] (349 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
received cert request for "C=IN, ST=HARYANA, L=GURGAON, O=ARICENT, OU=ARI_CA, CN=CA"
received cert request for "CN=quarry0, O=Quarry1, L=Gurgaon, C=IN"
sending cert request for "C=IN, ST=HARYANA, L=GURGAON, O=ARICENT, OU=ARI_CA, CN=CA"
sending cert request for "CN=quarry0, O=Quarry1, L=Gurgaon, C=IN"
sending cert request for "C=IN, ST=Haryana, L=Delhi/NCR, O=Aricent, OU=Datacom, CN=Gagandeep, E=Gagan.Taneja@aricent.com"
sending end entity cert "C=IN, ST=HARYANA, O=ARICENT, OU=ARI_FAP, CN=223456789123456@nai.epc.mnc213.mcc090.3gppnetwork.org"
establishing CHILD_SA init_nai_v4_v4_tls
generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(EAP_ONLY) ]
sending packet: from 157.121.121.190[500] to 122.122.122.120[500] (1564 bytes)
received packet: from 122.122.122.120[500] to 157.121.121.190[500] (892 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TLS ]
received end entity cert "CN=quarry0, C=IN, O=Quarry3"
using certificate "CN=quarry0, C=IN, O=Quarry3"
using trusted ca certificate "CN=quarry0, O=Quarry1, L=Gurgaon, C=IN"
checking certificate status of "CN=quarry0, C=IN, O=Quarry3"
certificate status is not available
reached self-signed root ca with a path length of 0
authentication of 'rohit' with RSA signature successful
server requested EAP_TLS authentication (id 0x02)
sending end entity cert "C=IN, ST=HARYANA, O=ARICENT, OU=ARI_FAP, CN=223456789123456@nai.epc.mnc213.mcc090.3gppnetwork.org"
generating IKE_AUTH request 2 [ CERT EAP/RES/TLS ]
sending packet: from 157.121.121.190[500] to 122.122.122.120[500] (1292 bytes)
received packet: from 122.122.122.120[500] to 157.121.121.190[500] (1100 bytes)
parsed IKE_AUTH response 2 [ EAP/REQ/TLS ]
negotiated TLS 1.2 using suite TLS_RSA_WITH_AES_128_CBC_SHA
sending end entity cert "C=IN, ST=HARYANA, O=ARICENT, OU=ARI_FAP, CN=223456789123456@nai.epc.mnc213.mcc090.3gppnetwork.org"
generating IKE_AUTH request 3 [ CERT EAP/RES/TLS ]
sending packet: from 157.121.121.190[500] to 122.122.122.120[500] (1180 bytes)
received packet: from 122.122.122.120[500] to 157.121.121.190[500] (316 bytes)
parsed IKE_AUTH response 3 [ EAP/REQ/TLS ]
received TLS server certificate 'C=IN, ST=HARYANA, O=ARICENT, OU=ARICENT_AAA, CN=aaa1.nai.epc.mnc213.mcc090.3gppnetwork.org'
received TLS cert request for 'C=IN, ST=HARYANA, L=GURGAON, O=ARICENT, OU=ARI_CA, CN=CA'
no TLS peer certificate found for '223456789123456@nai.epc.mnc213.mcc090.3gppnetwork.org', skipping client authentication
using certificate "C=IN, ST=HARYANA, O=ARICENT, OU=ARICENT_AAA, CN=aaa1.nai.epc.mnc213.mcc090.3gppnetwork.org"
using trusted ca certificate "C=IN, ST=HARYANA, L=GURGAON, O=ARICENT, OU=ARI_CA, CN=CA"
checking certificate status of "C=IN, ST=HARYANA, O=ARICENT, OU=ARICENT_AAA, CN=aaa1.nai.epc.mnc213.mcc090.3gppnetwork.org"
certificate status is not available
reached self-signed root ca with a path length of 0
sending end entity cert "C=IN, ST=HARYANA, O=ARICENT, OU=ARI_FAP, CN=223456789123456@nai.epc.mnc213.mcc090.3gppnetwork.org"
generating IKE_AUTH request 4 [ CERT EAP/RES/TLS ]
sending packet: from 157.121.121.190[500] to 122.122.122.120[500] (1532 bytes)
received packet: from 122.122.122.120[500] to 157.121.121.190[500] (76 bytes)
parsed IKE_AUTH response 4 [ EAP/REQ/TLS ]
EAP_TLS method failed
*ipsec.conf*
conn init_nai_v4_v4_tls
    leftid=223456789123456@nai.epc.mnc213.mcc090.3gppnetwork.org
    leftauth=eap
    left=157.121.121.190
    leftsourceip=10.10.10.1
    #ike=3des-sha1-modp1024!
    #esp = aes-md5-modp1024!
    leftcert=fap-tls-10.crt
    leftfirewall=yes
    right=122.122.122.120
    rightsubnet=151.151.151.0/24
    rightid=rohit
    rightauth=pubkey
    auto=add
Kindly let me know if there is any configuration issue or any other issue.
Regards,
Akash
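An added example, not part of the thread or of strongSwan: a small triage script that pulls the security-relevant events out of a charon log like the one above (the DH group fallback, the negotiated TLS suite, the CA the AAA server asked the client to present a certificate from, and the "no TLS peer certificate found" line that precedes the EAP_TLS failure) and summarises the likely cause. The sample lines are copied from the posted log with the mail wrapping undone; the identity is assumed to read "@" where the list archive prints " at ".

```python
import re
from typing import Any, Dict

# Constructed sample: the decisive lines of the charon log quoted above,
# with the mail wrapping undone so that every event sits on one line.
SAMPLE_LOG = """\
peer didn't accept DH group MODP_2048, it requested MODP_1024
server requested EAP_TLS authentication (id 0x02)
negotiated TLS 1.2 using suite TLS_RSA_WITH_AES_128_CBC_SHA
received TLS cert request for 'C=IN, ST=HARYANA, L=GURGAON, O=ARICENT, OU=ARI_CA, CN=CA'
no TLS peer certificate found for '223456789123456@nai.epc.mnc213.mcc090.3gppnetwork.org', skipping client authentication
EAP_TLS method failed
"""

# One pattern per charon message of interest; the capture groups carry the detail.
PATTERNS = {
    "dh_downgrade": re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)"),
    "tls_suite": re.compile(r"negotiated TLS [\d.]+ using suite (\S+)"),
    "cert_request": re.compile(r"received TLS cert request for '([^']*)'"),
    "no_client_cert": re.compile(r"no TLS peer certificate found for '([^']+)', skipping client authentication"),
    "eap_failed": re.compile(r"(EAP_\w+) method failed"),
}


def diagnose_eap_tls(log: str) -> Dict[str, Any]:
    """Extract the EAP-TLS client-side failure chain; 'verdict' states the likely cause."""
    f: Dict[str, Any] = dict.fromkeys(PATTERNS, None)
    for line in log.splitlines():
        for key, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                # multi-group patterns (DH fallback) keep a tuple, the rest a string
                f[key] = m.groups() if len(m.groups()) > 1 else m.group(1)
                break
    if f["no_client_cert"] and f["eap_failed"]:
        f["verdict"] = (
            f"{f['eap_failed']} failed after client authentication was skipped: the TLS "
            f"client found no certificate (with its private key) for identity "
            f"'{f['no_client_cert']}', although the AAA server requested one "
            f"issued under '{f['cert_request']}'"
        )
    elif f["eap_failed"]:
        f["verdict"] = f"{f['eap_failed']} failed for a reason not in this log"
    else:
        f["verdict"] = "no EAP method failure seen"
    if f["dh_downgrade"]:
        f["verdict"] += f"; also: IKE DH group fell back from {f['dh_downgrade'][0]} to {f['dh_downgrade'][1]} at the peer's request"
    return f
```

The check to make after this verdict is whether the certificate named by leftcert (and its private key) is loaded and carries the EAP identity, since the TLS client selects its certificate by that identity.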