[strongSwan] No trusted RSA public key

Noel Kuntze noel at familie-kuntze.de
Tue Jan 6 21:48:17 CET 2015



Hello Justin,

Set rightca to the DN of the CA certificate or to the file name or file path of the CA certificate.
As an alternative, you can get a copy of the server's certificate and do the same for rightcert.

Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 06.01.2015 at 21:23, Justin Michael Schwartzbeck wrote:
> Hello,
>
> I am trying to set up a strongswan client to connect to a VPN endpoint. Here is my configuration:
>
> # ipsec.conf - strongSwan IPsec configuration file
> config setup
>                charondebug="ike 2, knl 2, mgr 2, net 2"
> ca main
>                cacert=ca.crt
> conn client-ha
>      aaa_identity="CN=my-radius-server.company.com, O=Company"
>      keyexchange=ikev2
>      right=my-vpn-server.company.com
>      rightid=%any
>      rightsubnet=0.0.0.0/0
>      leftsourceip=%config
>      leftsubnet=0.0.0.0/0
>      leftauth=eap-tls
>      left=10.89.150.227
>      leftid="my-radius-client.company.com"
>      leftcert=server.crt
>      auto=add
>
> I have my ca.crt in /etc/ipsec.d/cacerts, my client certificate (server.crt) in /etc/ipsec.d/certs, and my client key (server.key) in /etc/ipsec.d/private. I also have the server.key listed in /etc/ipsec.secrets. My strongswan client's certificate and my vpn endpoint's certificate are both signed by the same CA. I have checked the vpn's cert against the ca.crt on my strongswan client to make sure that it was properly signed. However, for some reason my strongswan client is not verifying the VPN's certificate. Below is the complete error output starting with an "ipsec restart" and then followed by an "ipsec up" on that profile:
>
> Jan  6 11:18:11 my-vpn-client charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-431.el6.x86_64, x86_64)
> Jan  6 11:18:11 my-vpn-client charon: 00[KNL] detected Linux 2.6.32, no support for RTA_PREFSRC for IPv6 routes
> Jan  6 11:18:11 my-vpn-client charon: 00[KNL] known interfaces and IP addresses:
> Jan  6 11:18:11 my-vpn-client charon: 00[KNL]   lo
> Jan  6 11:18:11 my-vpn-client charon: 00[KNL]     127.0.0.1
> Jan  6 11:18:11 my-vpn-client charon: 00[KNL]     ::1
> Jan  6 11:18:11 my-vpn-client charon: 00[KNL]   eth0
> Jan  6 11:18:11 my-vpn-client charon: 00[KNL]     192.168.2.227
> Jan  6 11:18:11 my-vpn-client charon: 00[KNL]     192.168.2.103
> Jan  6 11:18:11 my-vpn-client charon: 00[KNL]     fe80::250:56ff:feaa:6249
> Jan  6 11:18:11 my-vpn-client charon: 00[KNL]   eth1
> Jan  6 11:18:11 my-vpn-client charon: 00[KNL]     fe80::250:56ff:feaa:b96
> Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Jan  6 11:18:11 my-vpn-client charon: 00[CFG]   loaded ca certificate "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company" from '/etc/ipsec.d/cacerts/ca.crt'
> Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Jan  6 11:18:11 my-vpn-client charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key'
> Jan  6 11:18:11 my-vpn-client charon: 00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-aka eap-md5 eap-tls xauth-generic xauth-noauth lookip
> Jan  6 11:18:11 my-vpn-client charon: 00[LIB] unable to load 6 plugin features (6 due to unmet dependencies)
> Jan  6 11:18:11 my-vpn-client charon: 00[JOB] spawning 16 worker threads
> Jan  6 11:18:11 my-vpn-client charon: 02[NET] waiting for data on sockets
> Jan  6 11:18:11 my-vpn-client charon: 04[CFG] received stroke: add connection 'client-ha'
> Jan  6 11:18:11 my-vpn-client charon: 04[KNL] 192.168.2.213 is not a local address or the interface is down
> Jan  6 11:18:11 my-vpn-client charon: 04[CFG]   loaded certificate "CN=my-vpn-client.company.com, O=Company" from 'server.crt'
> Jan  6 11:18:11 my-vpn-client charon: 04[CFG]   id 'my-vpn-client.company.com' not confirmed by certificate, defaulting to 'CN=my-vpn-client.company.com, O=Company'
> Jan  6 11:18:11 my-vpn-client charon: 04[CFG] added configuration 'client-ha'
> Jan  6 11:18:31 my-vpn-client charon: 06[CFG] received stroke: initiate 'client-ha'
> Jan  6 11:18:31 my-vpn-client charon: 08[MGR] checkout IKE_SA by config
> Jan  6 11:18:31 my-vpn-client charon: 08[MGR] created IKE_SA (unnamed)[1]
> Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_VENDOR task
> Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_INIT task
> Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_NATD task
> Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CERT_PRE task
> Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_AUTH task
> Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CERT_POST task
> Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CONFIG task
> Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_AUTH_LIFETIME task
> Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_MOBIKE task
> Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing CHILD_CREATE task
> Jan  6 11:18:31 my-vpn-client charon: 08[IKE] activating new tasks
> Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_VENDOR task
> Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_INIT task
> Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_NATD task
> Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_CERT_PRE task
> Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_AUTH task
> Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_CERT_POST task
> Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_CONFIG task
> Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating CHILD_CREATE task
> Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_AUTH_LIFETIME task
> Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_MOBIKE task
> Jan  6 11:18:31 my-vpn-client charon: 08[IKE] initiating IKE_SA client-ha[1] to 192.168.2.213
> Jan  6 11:18:31 my-vpn-client charon: 08[IKE] IKE_SA client-ha[1] state change: CREATED => CONNECTING
> Jan  6 11:18:31 my-vpn-client charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jan  6 11:18:31 my-vpn-client charon: 08[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500] (708 bytes)
> Jan  6 11:18:31 my-vpn-client charon: 08[MGR] checkin IKE_SA client-ha[1]
> Jan  6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500]
> Jan  6 11:18:31 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500]
> Jan  6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on sockets
> Jan  6 11:18:31 my-vpn-client charon: 09[MGR] checkout IKE_SA by message
> Jan  6 11:18:31 my-vpn-client charon: 09[MGR] IKE_SA client-ha[1] successfully checked out
> Jan  6 11:18:31 my-vpn-client charon: 09[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500] (38 bytes)
> Jan  6 11:18:31 my-vpn-client charon: 09[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> Jan  6 11:18:31 my-vpn-client charon: 09[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
> Jan  6 11:18:31 my-vpn-client charon: 09[IKE] IKE_SA client-ha[1] state change: CONNECTING => CREATED
> Jan  6 11:18:31 my-vpn-client charon: 09[IKE] activating new tasks
> Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_INIT task
> Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_NATD task
> Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_CERT_PRE task
> Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_AUTH task
> Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_CERT_POST task
> Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_CONFIG task
> Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating CHILD_CREATE task
> Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_AUTH_LIFETIME task
> Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_MOBIKE task
> Jan  6 11:18:31 my-vpn-client charon: 09[IKE] initiating IKE_SA client-ha[1] to 192.168.2.213
> Jan  6 11:18:31 my-vpn-client charon: 09[IKE] IKE_SA client-ha[1] state change: CREATED => CONNECTING
> Jan  6 11:18:31 my-vpn-client charon: 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jan  6 11:18:31 my-vpn-client charon: 09[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500] (580 bytes)
> Jan  6 11:18:31 my-vpn-client charon: 09[MGR] checkin IKE_SA client-ha[1]
> Jan  6 11:18:31 my-vpn-client charon: 09[MGR] check-in of IKE_SA successful.
> Jan  6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500]
> Jan  6 11:18:31 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500]
> Jan  6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on sockets
> Jan  6 11:18:31 my-vpn-client charon: 10[MGR] checkout IKE_SA by message
> Jan  6 11:18:31 my-vpn-client charon: 10[MGR] IKE_SA client-ha[1] successfully checked out
> Jan  6 11:18:31 my-vpn-client charon: 10[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500] (381 bytes)
> Jan  6 11:18:31 my-vpn-client charon: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> Jan  6 11:18:31 my-vpn-client charon: 10[IKE] received cert request for unknown ca with keyid 4e:e1:18:20:b8:6b:65:0e:f3:40:51:73:88:dd:fe:d2:91:52:11:c0
> Jan  6 11:18:31 my-vpn-client charon: 10[IKE] received cert request for "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
> Jan  6 11:18:31 my-vpn-client charon: 10[IKE] received 1 cert requests for an unknown ca
> Jan  6 11:18:31 my-vpn-client charon: 10[IKE] reinitiating already active tasks
> Jan  6 11:18:31 my-vpn-client charon: 10[IKE]   IKE_CERT_PRE task
> Jan  6 11:18:31 my-vpn-client charon: 10[IKE]   IKE_AUTH task
> Jan  6 11:18:31 my-vpn-client charon: 10[IKE] sending cert request for "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
> Jan  6 11:18:31 my-vpn-client charon: 10[IKE] building INTERNAL_IP4_DNS attribute
> Jan  6 11:18:31 my-vpn-client charon: 10[IKE] establishing CHILD_SA client-ha
> Jan  6 11:18:31 my-vpn-client charon: 10[KNL] getting SPI for reqid {1}
> Jan  6 11:18:31 my-vpn-client charon: 10[KNL] got SPI ccd30cb7 for reqid {1}
> Jan  6 11:18:31 my-vpn-client charon: 10[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
> Jan  6 11:18:31 my-vpn-client charon: 10[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500] (428 bytes)
> Jan  6 11:18:31 my-vpn-client charon: 10[MGR] checkin IKE_SA client-ha[1]
> Jan  6 11:18:31 my-vpn-client charon: 10[MGR] check-in of IKE_SA successful.
> Jan  6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500]
> Jan  6 11:18:31 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[4500] to 192.168.2.227[4500]
> Jan  6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on sockets
> Jan  6 11:18:31 my-vpn-client charon: 11[MGR] checkout IKE_SA by message
> Jan  6 11:18:31 my-vpn-client charon: 11[MGR] IKE_SA client-ha[1] successfully checked out
> Jan  6 11:18:31 my-vpn-client charon: 11[NET] received packet: from 192.168.2.213[4500] to 192.168.2.227[4500] (956 bytes)
> Jan  6 11:18:31 my-vpn-client charon: 11[ENC] parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]
> Jan  6 11:18:31 my-vpn-client charon: 11[IKE] received end entity cert "CN=my-vpn-server.company.com, O=Company"
> Jan  6 11:18:31 my-vpn-client charon: 11[IKE] no trusted RSA public key found for 'my-vpn-server.company.com'
> Jan  6 11:18:31 my-vpn-client charon: 11[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
> Jan  6 11:18:31 my-vpn-client charon: 11[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500] (76 bytes)
> Jan  6 11:18:31 my-vpn-client charon: 11[KNL] deleting SAD entry with SPI ccd30cb7  (mark 0/0x00000000)
> Jan  6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500]
> Jan  6 11:18:31 my-vpn-client charon: 11[KNL] deleted SAD entry with SPI ccd30cb7 (mark 0/0x00000000)
> Jan  6 11:18:31 my-vpn-client charon: 11[MGR] checkin and destroy IKE_SA client-ha[1]
> Jan  6 11:18:31 my-vpn-client charon: 11[IKE] IKE_SA client-ha[1] state change: CONNECTING => DESTROYING
> Jan  6 11:18:31 my-vpn-client charon: 11[MGR] check-in and destroy of IKE_SA successful
> Jan  6 11:18:35 my-vpn-client charon: 12[MGR] checkout IKE_SA
> Jan  6 11:18:35 my-vpn-client charon: 13[MGR] checkout IKE_SA
> Jan  6 11:18:35 my-vpn-client charon: 14[MGR] checkout IKE_SA
>
> The important failure message here is "no trusted RSA public key found for 'my-vpn-server.company.com'". I have also tried setting the eap identity in the vpn endpoint to the full DN in the server certificate but that didn't work either. I don't understand why this would be failing if the certificate is properly signed by the CA. Can someone tell me if I am missing something?
>
> Thanks for the help.
> -Justin

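A small triage script for logs like the one quoted above, added here as an example; it is not from the thread or from the strongSwan project. For each identity in a "no trusted ... public key found" line it reports whether the peer requested a CA that this host loaded and whether the identity is the received certificate's full subject DN or only its CN. The function names are this example's own, and the embedded sample is built from lines of the quoted log with the mail client's autolinks removed.

```python
import re

# Constructed sample: lines from the quoted log, mail-client autolinks removed.
SAMPLE_LOG = """\
Jan  6 11:18:11 my-vpn-client charon: 00[CFG]   loaded ca certificate "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company" from '/etc/ipsec.d/cacerts/ca.crt'
Jan  6 11:18:31 my-vpn-client charon: 10[IKE] received cert request for unknown ca with keyid 4e:e1:18:20:b8:6b:65:0e:f3:40:51:73:88:dd:fe:d2:91:52:11:c0
Jan  6 11:18:31 my-vpn-client charon: 10[IKE] received cert request for "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
Jan  6 11:18:31 my-vpn-client charon: 11[IKE] received end entity cert "CN=my-vpn-server.company.com, O=Company"
Jan  6 11:18:31 my-vpn-client charon: 11[IKE] no trusted RSA public key found for 'my-vpn-server.company.com'
"""

# Trust-related charon messages, as worded in the quoted log.
PATTERNS = {
    "loaded_cas": re.compile(r'loaded ca certificate "([^"]+)"'),
    "requested_cas": re.compile(r'received cert request for "([^"]+)"'),
    "peer_certs": re.compile(r'received end entity cert "([^"]+)"'),
    "untrusted_ids": re.compile(r"no trusted \w+ public key found for '([^']+)'"),
}

def collect(log_text):
    """Gather the trust-related events from a charon log, in log order."""
    events = {name: [] for name in PATTERNS}
    for line in log_text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                events[name].append(m.group(1))
    return events

def cn_of(dn):
    """Return the CN value of a DN as charon prints it, or None."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return m.group(1).strip() if m else None

def triage(log_text):
    """One finding per identity that charon could not bind to a trusted key."""
    ev = collect(log_text)
    certs = ev["peer_certs"]
    findings = []
    for ident in ev["untrusted_ids"]:
        is_dn = ident in certs
        findings.append({
            "identity": ident,
            # CAs the peer asked for that this host has loaded.
            "shared_ca": sorted(set(ev["loaded_cas"]) & set(ev["requested_cas"])),
            "peer_sent_cert": bool(certs),
            # strongSwan matches an ID against the subject DN or a
            # subjectAltName; a CN-only match does not confirm the ID.
            "id_is_subject_dn": is_dn,
            "id_is_cn_only": not is_dn and any(cn_of(dn) == ident for dn in certs),
        })
    return findings
```

On the sample, `triage(SAMPLE_LOG)` reports a shared CA and an identity that equals the certificate's CN but not its subject DN.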


