[strongSwan] No trusted RSA public key
Justin Michael Schwartzbeck
justinmschw at gmail.com
Tue Jan 6 21:23:57 CET 2015
Hello,
I am trying to set up a strongswan client to connect to a VPN endpoint.
Here is my configuration:
# ipsec.conf - strongSwan IPsec configuration file
config setup
    charondebug="ike 2, knl 2, mgr 2, net 2"

ca main
    cacert=ca.crt

conn client-ha
    aaa_identity="CN=my-radius-server.company.com, O=Company"
    keyexchange=ikev2
    right=my-vpn-server.company.com
    rightid=%any
    rightsubnet=0.0.0.0/0
    leftsourceip=%config
    leftsubnet=0.0.0.0/0
    leftauth=eap-tls
    left=10.89.150.227
    leftid="my-radius-client.company.com"
    leftcert=server.crt
    auto=add
I have my ca.crt in /etc/ipsec.d/cacerts, my client certificate
(server.crt) in /etc/ipsec.d/certs, and my client key (server.key) in
/etc/ipsec.d/private. I also have the server.key listed in
/etc/ipsec.secrets. My strongswan client's certificate and my vpn
endpoint's certificate are both signed by the same CA. I have checked the
vpn's cert against the ca.crt on my strongswan client to make sure that it
was properly signed. However, for some reason my strongswan client is not
verifying the VPN's certificate. Below is the complete error output
starting with an "ipsec restart" and then followed by an "ipsec up" on that
profile:
Jan 6 11:18:11 my-vpn-client charon: 00[DMN] Starting IKE charon daemon
(strongSwan 5.2.0, Linux 2.6.32-431.el6.x86_64, x86_64)
Jan 6 11:18:11 my-vpn-client charon: 00[KNL] detected Linux 2.6.32, no
support for RTA_PREFSRC for IPv6 routes
Jan 6 11:18:11 my-vpn-client charon: 00[KNL] known interfaces and IP
addresses:
Jan 6 11:18:11 my-vpn-client charon: 00[KNL] lo
Jan 6 11:18:11 my-vpn-client charon: 00[KNL] 127.0.0.1
Jan 6 11:18:11 my-vpn-client charon: 00[KNL] ::1
Jan 6 11:18:11 my-vpn-client charon: 00[KNL] eth0
Jan 6 11:18:11 my-vpn-client charon: 00[KNL] 192.168.2.227
Jan 6 11:18:11 my-vpn-client charon: 00[KNL] 192.168.2.103
Jan 6 11:18:11 my-vpn-client charon: 00[KNL] fe80::250:56ff:feaa:6249
Jan 6 11:18:11 my-vpn-client charon: 00[KNL] eth1
Jan 6 11:18:11 my-vpn-client charon: 00[KNL] fe80::250:56ff:feaa:b96
Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loaded ca certificate
"C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company" from
'/etc/ipsec.d/cacerts/ca.crt'
Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading ocsp signer
certificates from '/etc/ipsec.d/ocspcerts'
Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading attribute
certificates from '/etc/ipsec.d/acerts'
Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading crls from
'/etc/ipsec.d/crls'
Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loaded RSA private key from
'/etc/ipsec.d/private/server.key'
Jan 6 11:18:11 my-vpn-client charon: 00[LIB] loaded plugins: charon curl
aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey
pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac
attr kernel-netlink resolve socket-default stroke vici updown eap-identity
eap-aka eap-md5 eap-tls xauth-generic xauth-noauth lookip
Jan 6 11:18:11 my-vpn-client charon: 00[LIB] unable to load 6 plugin
features (6 due to unmet dependencies)
Jan 6 11:18:11 my-vpn-client charon: 00[JOB] spawning 16 worker threads
Jan 6 11:18:11 my-vpn-client charon: 02[NET] waiting for data on sockets
Jan 6 11:18:11 my-vpn-client charon: 04[CFG] received stroke: add
connection 'client-ha'
Jan 6 11:18:11 my-vpn-client charon: 04[KNL] 192.168.2.213 is not a local
address or the interface is down
Jan 6 11:18:11 my-vpn-client charon: 04[CFG] loaded certificate "CN=
my-vpn-client.company.com, O=Company" from 'server.crt'
Jan 6 11:18:11 my-vpn-client charon: 04[CFG] id '
my-vpn-client.company.com' not confirmed by certificate, defaulting to 'CN=
my-vpn-client.company.com, O=Company'
Jan 6 11:18:11 my-vpn-client charon: 04[CFG] added configuration
'client-ha'
Jan 6 11:18:31 my-vpn-client charon: 06[CFG] received stroke: initiate
'client-ha'
Jan 6 11:18:31 my-vpn-client charon: 08[MGR] checkout IKE_SA by config
Jan 6 11:18:31 my-vpn-client charon: 08[MGR] created IKE_SA (unnamed)[1]
Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_VENDOR task
Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_INIT task
Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_NATD task
Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CERT_PRE task
Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_AUTH task
Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CERT_POST task
Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CONFIG task
Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_AUTH_LIFETIME
task
Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_MOBIKE task
Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing CHILD_CREATE task
Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating new tasks
Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_VENDOR task
Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_INIT task
Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_NATD task
Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_CERT_PRE task
Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_AUTH task
Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_CERT_POST
task
Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_CONFIG task
Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating CHILD_CREATE task
Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating
IKE_AUTH_LIFETIME task
Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_MOBIKE task
Jan 6 11:18:31 my-vpn-client charon: 08[IKE] initiating IKE_SA
client-ha[1] to 192.168.2.213
Jan 6 11:18:31 my-vpn-client charon: 08[IKE] IKE_SA client-ha[1] state
change: CREATED => CONNECTING
Jan 6 11:18:31 my-vpn-client charon: 08[ENC] generating IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jan 6 11:18:31 my-vpn-client charon: 08[NET] sending packet: from
192.168.2.227[500] to 192.168.2.213[500] (708 bytes)
Jan 6 11:18:31 my-vpn-client charon: 08[MGR] checkin IKE_SA client-ha[1]
Jan 6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from
192.168.2.227[500] to 192.168.2.213[500]
Jan 6 11:18:31 my-vpn-client charon: 02[NET] received packet: from
192.168.2.213[500] to 192.168.2.227[500]
Jan 6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on sockets
Jan 6 11:18:31 my-vpn-client charon: 09[MGR] checkout IKE_SA by message
Jan 6 11:18:31 my-vpn-client charon: 09[MGR] IKE_SA client-ha[1]
successfully checked out
Jan 6 11:18:31 my-vpn-client charon: 09[NET] received packet: from
192.168.2.213[500] to 192.168.2.227[500] (38 bytes)
Jan 6 11:18:31 my-vpn-client charon: 09[ENC] parsed IKE_SA_INIT response 0
[ N(INVAL_KE) ]
Jan 6 11:18:31 my-vpn-client charon: 09[IKE] peer didn't accept DH group
MODP_2048, it requested MODP_1024
Jan 6 11:18:31 my-vpn-client charon: 09[IKE] IKE_SA client-ha[1] state
change: CONNECTING => CREATED
Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating new tasks
Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating IKE_INIT task
Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating IKE_NATD task
Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating IKE_CERT_PRE task
Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating IKE_AUTH task
Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating IKE_CERT_POST
task
Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating IKE_CONFIG task
Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating CHILD_CREATE task
Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating
IKE_AUTH_LIFETIME task
Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating IKE_MOBIKE task
Jan 6 11:18:31 my-vpn-client charon: 09[IKE] initiating IKE_SA
client-ha[1] to 192.168.2.213
Jan 6 11:18:31 my-vpn-client charon: 09[IKE] IKE_SA client-ha[1] state
change: CREATED => CONNECTING
Jan 6 11:18:31 my-vpn-client charon: 09[ENC] generating IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jan 6 11:18:31 my-vpn-client charon: 09[NET] sending packet: from
192.168.2.227[500] to 192.168.2.213[500] (580 bytes)
Jan 6 11:18:31 my-vpn-client charon: 09[MGR] checkin IKE_SA client-ha[1]
Jan 6 11:18:31 my-vpn-client charon: 09[MGR] check-in of IKE_SA successful.
Jan 6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from
192.168.2.227[500] to 192.168.2.213[500]
Jan 6 11:18:31 my-vpn-client charon: 02[NET] received packet: from
192.168.2.213[500] to 192.168.2.227[500]
Jan 6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on sockets
Jan 6 11:18:31 my-vpn-client charon: 10[MGR] checkout IKE_SA by message
Jan 6 11:18:31 my-vpn-client charon: 10[MGR] IKE_SA client-ha[1]
successfully checked out
Jan 6 11:18:31 my-vpn-client charon: 10[NET] received packet: from
192.168.2.213[500] to 192.168.2.227[500] (381 bytes)
Jan 6 11:18:31 my-vpn-client charon: 10[ENC] parsed IKE_SA_INIT response 0
[ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Jan 6 11:18:31 my-vpn-client charon: 10[IKE] received cert request for
unknown ca with keyid
4e:e1:18:20:b8:6b:65:0e:f3:40:51:73:88:dd:fe:d2:91:52:11:c0
Jan 6 11:18:31 my-vpn-client charon: 10[IKE] received cert request for
"C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
Jan 6 11:18:31 my-vpn-client charon: 10[IKE] received 1 cert requests for
an unknown ca
Jan 6 11:18:31 my-vpn-client charon: 10[IKE] reinitiating already active
tasks
Jan 6 11:18:31 my-vpn-client charon: 10[IKE] IKE_CERT_PRE task
Jan 6 11:18:31 my-vpn-client charon: 10[IKE] IKE_AUTH task
Jan 6 11:18:31 my-vpn-client charon: 10[IKE] sending cert request for
"C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
Jan 6 11:18:31 my-vpn-client charon: 10[IKE] building INTERNAL_IP4_DNS
attribute
Jan 6 11:18:31 my-vpn-client charon: 10[IKE] establishing CHILD_SA
client-ha
Jan 6 11:18:31 my-vpn-client charon: 10[KNL] getting SPI for reqid {1}
Jan 6 11:18:31 my-vpn-client charon: 10[KNL] got SPI ccd30cb7 for reqid {1}
Jan 6 11:18:31 my-vpn-client charon: 10[ENC] generating IKE_AUTH request 1
[ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR)
N(EAP_ONLY) ]
Jan 6 11:18:31 my-vpn-client charon: 10[NET] sending packet: from
192.168.2.227[4500] to 192.168.2.213[4500] (428 bytes)
Jan 6 11:18:31 my-vpn-client charon: 10[MGR] checkin IKE_SA client-ha[1]
Jan 6 11:18:31 my-vpn-client charon: 10[MGR] check-in of IKE_SA successful.
Jan 6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from
192.168.2.227[4500] to 192.168.2.213[4500]
Jan 6 11:18:31 my-vpn-client charon: 02[NET] received packet: from
192.168.2.213[4500] to 192.168.2.227[4500]
Jan 6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on sockets
Jan 6 11:18:31 my-vpn-client charon: 11[MGR] checkout IKE_SA by message
Jan 6 11:18:31 my-vpn-client charon: 11[MGR] IKE_SA client-ha[1]
successfully checked out
Jan 6 11:18:31 my-vpn-client charon: 11[NET] received packet: from
192.168.2.213[4500] to 192.168.2.227[4500] (956 bytes)
Jan 6 11:18:31 my-vpn-client charon: 11[ENC] parsed IKE_AUTH response 1 [
V IDr CERT AUTH EAP/REQ/ID ]
Jan 6 11:18:31 my-vpn-client charon: 11[IKE] received end entity cert "CN=
my-vpn-server.company.com, O=Company"
Jan 6 11:18:31 my-vpn-client charon: 11[IKE] no trusted RSA public key
found for 'my-vpn-server.company.com'
Jan 6 11:18:31 my-vpn-client charon: 11[ENC] generating INFORMATIONAL
request 2 [ N(AUTH_FAILED) ]
Jan 6 11:18:31 my-vpn-client charon: 11[NET] sending packet: from
192.168.2.227[4500] to 192.168.2.213[4500] (76 bytes)
Jan 6 11:18:31 my-vpn-client charon: 11[KNL] deleting SAD entry with SPI
ccd30cb7 (mark 0/0x00000000)
Jan 6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from
192.168.2.227[4500] to 192.168.2.213[4500]
Jan 6 11:18:31 my-vpn-client charon: 11[KNL] deleted SAD entry with SPI
ccd30cb7 (mark 0/0x00000000)
Jan 6 11:18:31 my-vpn-client charon: 11[MGR] checkin and destroy IKE_SA
client-ha[1]
Jan 6 11:18:31 my-vpn-client charon: 11[IKE] IKE_SA client-ha[1] state
change: CONNECTING => DESTROYING
Jan 6 11:18:31 my-vpn-client charon: 11[MGR] check-in and destroy of
IKE_SA successful
Jan 6 11:18:35 my-vpn-client charon: 12[MGR] checkout IKE_SA
Jan 6 11:18:35 my-vpn-client charon: 13[MGR] checkout IKE_SA
Jan 6 11:18:35 my-vpn-client charon: 14[MGR] checkout IKE_SA
The important failure message here is "no trusted RSA public key found for '
my-vpn-server.company.com'". I have also tried setting the eap identity in
the vpn endpoint to the full DN in the server certificate but that didn't
work either. I don't understand why this would be failing if the
certificate is properly signed by the CA. Can someone tell me if I am
missing something?
Thanks for the help.
-Justin
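As an added example, not part of Justin's post nor strongSwan's own tooling: a POSIX shell pre-flight for the "no trusted RSA public key found for '<id>'" situation. charon trusts a peer certificate only if it chains to a CA loaded from /etc/ipsec.d/cacerts and the identity the peer sends as IDr (here the FQDN my-vpn-server.company.com) is confirmed by that certificate, which for an FQDN means a matching DNS subjectAltName; the script also prints the key id a CERTREQ for a given CA carries, so it can be compared with the "received cert request for unknown ca with keyid" line. It assumes openssl is on the PATH and builds a throwaway demo PKI instead of touching real files.

```shell
# Added example, not from the post: offline pre-flight checks for the strongSwan
# "no trusted RSA public key found for '<id>'" failure. charon trusts a peer cert
# only if it chains to a loaded CA and the IDr the peer sends is confirmed by the
# cert, which for an FQDN id means a matching DNS subjectAltName. Assumes openssl.
# Exit 0 if CERT chains to CAFILE (what /etc/ipsec.d/cacerts must provide).
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# Exit 0 if CERT carries NAME as a DNS subjectAltName.
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' |
        grep -q "DNS:$2\$"
}

# Print the key id charon logs in "received cert request for ... keyid": the
# SHA-1 of the CA's DER SubjectPublicKeyInfo (RFC 7296, section 3.7).
ca_keyid() {
    openssl x509 -in "$1" -pubkey -noout |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha1 -r | cut -c1-40 | sed 's/../&:/g; s/:$//'
}

# Check one CAFILE / peer CERT / IDR triple and report; exit 0 only if all pass.
check_peer_cert() {
    rc=0
    chain_ok "$1" "$2" && echo "chain: ok" || { echo "chain: not signed by $1"; rc=1; }
    cert_has_dns_san "$2" "$3" && echo "id '$3': confirmed by SAN" ||
        { echo "id '$3': not in subjectAltName, charon will reject it"; rc=1; }
    echo "keyid a CERTREQ for this CA carries: $(ca_keyid "$1")"
    return $rc
}
# Constructed demo PKI (throwaway CA, one server cert with the SAN, one without)
# so the checks run without touching a real deployment. Prints the directory.
make_demo_pki() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Company/CN=Company" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=my-vpn-server.company.com/O=Company" \
        -keyout "$d/srv.key" -out "$d/srv.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:my-vpn-server.company.com\n' > "$d/san.ext"
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -days 1 -extfile "$d/san.ext" -out "$d/srv-san.crt" >/dev/null 2>&1
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -days 1 -out "$d/srv-nosan.crt" >/dev/null 2>&1
    echo "$d"
}

demo=$(make_demo_pki)
check_peer_cert "$demo/ca.crt" "$demo/srv-san.crt" my-vpn-server.company.com || :
check_peer_cert "$demo/ca.crt" "$demo/srv-nosan.crt" my-vpn-server.company.com || :
```

Against a real deployment, run check_peer_cert with the cacerts file, the peer's certificate and the id it sends as IDr; the second demo run shows the failure mode where the chain is fine but the id is not in the certificate.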