[strongSwan] No trusted RSA public key

Justin Michael Schwartzbeck justinmschw at gmail.com
Tue Jan 6 23:22:09 CET 2015


Hi Noel,

My VPN server is an IOS router with certificates configured as part of the
trustpoint. You said that the server does not send its certificate. What
about the message "received end entity cert "CN=my-vpn-server.company.com,
O=Company"" that appears above "no trusted RSA public key found for 'CN=
my-vpn-server.company.com, O=Company'". Is this end entity cert not the
server certificate being sent? Also setting rightca to the DN of the CA
certificate is not working either, same error message. According to the
log, the CA certificate is being loaded correctly on the client side:

Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Jan  6 11:18:11 my-vpn-client charon: 00[CFG]   loaded ca certificate
"C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company" from
'/etc/ipsec.d/cacerts/ca.crt'

So the question remains, why is strongswan not verifying the server
certificate by this CA?

I could provide the log and config for my IOS router but I figured that
would not be your area of expertise. There is no error message on the
router side, only the client, so it seems the problem is with strongswan.

On Tue, Jan 6, 2015 at 3:48 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:

>
> Hello Justin,
>
> I looked through the log and saw that the other peer never sent his
> certificate.
> Please show us the log and configuration of the server and check if the
> whole certificate chain from the root
> to the server certificate is available in /etc/ipsec.d/cacerts.
> I can see that the server sends certificate requests for two CAs, one of
> which is unknown.
> > Jan  6 14:50:59 my-vpn-client charon: 11[IKE] received 1 cert requests
> for an unknown ca
>
> You might be able to work around that by setting leftsendcert=always on
> the server side.
>
> Also, setting rightca to the path to the server certificate doesn't seem to
> have helped, as it seems strongSwan expects
> the CA certificate DN here.
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 06.01.2015 at 22:19, Justin Michael Schwartzbeck wrote:
> > Hi Noel,
> >
> > I have tried all of those things and get the same results. Here is the
> log file after using your method:
> >
> > Jan  6 14:50:54 my-vpn-client charon: 00[DMN] Starting IKE charon daemon
> (strongSwan 5.2.0, Linux 2.6.32-431.el6.x86_64, x86_64)
> > Jan  6 14:50:54 my-vpn-client charon: 00[KNL] detected Linux 2.6.32, no
> support for RTA_PREFSRC for IPv6 routes
> > Jan  6 14:50:54 my-vpn-client charon: 00[KNL] known interfaces and IP
> addresses:
> > Jan  6 14:50:54 my-vpn-client charon: 00[KNL]   lo
> > Jan  6 14:50:54 my-vpn-client charon: 00[KNL]     127.0.0.1
> > Jan  6 14:50:54 my-vpn-client charon: 00[KNL]     ::1
> > Jan  6 14:50:54 my-vpn-client charon: 00[KNL]   eth0
> > Jan  6 14:50:54 my-vpn-client charon: 00[KNL]     192.168.2.227
> > Jan  6 14:50:54 my-vpn-client charon: 00[KNL]     192.168.2.103
> > Jan  6 14:50:54 my-vpn-client charon: 00[KNL]     fe80::250:56ff:feaa:6249
> > Jan  6 14:50:54 my-vpn-client charon: 00[KNL]   eth1
> > Jan  6 14:50:54 my-vpn-client charon: 00[KNL]     fe80::250:56ff:feaa:b96
> > Jan  6 14:50:54 my-vpn-client charon: 00[CFG] loading ca certificates
> from '/etc/ipsec.d/cacerts'
> > Jan  6 14:50:54 my-vpn-client charon: 00[CFG]   loaded ca certificate
> "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company" from
> '/etc/ipsec.d/cacerts/ca.crt'
> > Jan  6 14:50:54 my-vpn-client charon: 00[CFG] loading aa certificates
> from '/etc/ipsec.d/aacerts'
> > Jan  6 14:50:54 my-vpn-client charon: 00[CFG] loading ocsp signer
> certificates from '/etc/ipsec.d/ocspcerts'
> > Jan  6 14:50:54 my-vpn-client charon: 00[CFG] loading attribute
> certificates from '/etc/ipsec.d/acerts'
> > Jan  6 14:50:54 my-vpn-client charon: 00[CFG] loading crls from
> '/etc/ipsec.d/crls'
> > Jan  6 14:50:54 my-vpn-client charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> > Jan  6 14:50:54 my-vpn-client charon: 00[CFG]   loaded RSA private key
> from '/etc/ipsec.d/private/server.key'
> > Jan  6 14:50:54 my-vpn-client charon: 00[LIB] loaded plugins: charon
> curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints
> pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc
> cmac hmac attr kernel-netlink resolve socket-default stroke vici updown
> eap-identity eap-aka eap-md5 eap-tls xauth-generic xauth-noauth lookip
> > Jan  6 14:50:54 my-vpn-client charon: 00[LIB] unable to load 6 plugin
> features (6 due to unmet dependencies)
> > Jan  6 14:50:54 my-vpn-client charon: 00[JOB] spawning 16 worker threads
> > Jan  6 14:50:54 my-vpn-client charon: 02[NET] waiting for data on sockets
> > Jan  6 14:50:54 my-vpn-client charon: 05[CFG] received stroke: add
> connection 'client-ha'
> > Jan  6 14:50:59 my-vpn-client charon: 05[KNL] 192.168.2.213 is not a
> local address or the interface is down
> > Jan  6 14:50:59 my-vpn-client charon: 05[CFG]   loaded certificate
> "CN=my-vpn-client.company.com, O=Company" from 'server.crt'
> > Jan  6 14:50:59 my-vpn-client charon: 05[CFG]   id
> 'my-vpn-client.company.com' not confirmed by certificate, defaulting to
> 'CN=my-vpn-client.company.com, O=Company'
> > Jan  6 14:50:59 my-vpn-client charon: 05[CFG]   loaded certificate
> "CN=my-vpn-server.company.com, O=Company" from '/etc/ipsec.d/certs/cws.crt'
> > Jan  6 14:50:59 my-vpn-client charon: 05[CFG]   id '%any' not confirmed
> by certificate, defaulting to 'CN=my-vpn-server.company.com, O=Company'
> > Jan  6 14:50:59 my-vpn-client charon: 05[CFG] CA certificate
> "/etc/ipsec.d/cacerts/ca.crt" not found, discarding CA constraint
> > Jan  6 14:50:59 my-vpn-client charon: 05[CFG] added configuration
> 'client-ha'
> > Jan  6 14:50:59 my-vpn-client charon: 07[CFG] received stroke: initiate
> 'client-ha'
> > Jan  6 14:50:59 my-vpn-client charon: 09[MGR] checkout IKE_SA by config
> > Jan  6 14:50:59 my-vpn-client charon: 09[MGR] created IKE_SA (unnamed)[1]
> > Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_VENDOR task
> > Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_INIT task
> > Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_NATD task
> > Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_CERT_PRE task
> > Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_AUTH task
> > Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_CERT_POST task
> > Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_CONFIG task
> > Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_AUTH_LIFETIME
> task
> > Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_MOBIKE task
> > Jan  6 14:50:59 my-vpn-client charon: 09[IKE] queueing CHILD_CREATE task
> > Jan  6 14:50:59 my-vpn-client charon: 09[IKE] activating new tasks
> > Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_VENDOR
> task
> > Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_INIT task
> > Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_NATD task
> > Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_CERT_PRE
> task
> > Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_AUTH task
> > Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_CERT_POST
> task
> > Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_CONFIG
> task
> > Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating CHILD_CREATE
> task
> > Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating
> IKE_AUTH_LIFETIME task
> > Jan  6 14:50:59 my-vpn-client charon: 09[IKE]   activating IKE_MOBIKE
> task
> > Jan  6 14:50:59 my-vpn-client charon: 09[IKE] initiating IKE_SA
> client-ha[1] to 192.168.2.213
> > Jan  6 14:50:59 my-vpn-client charon: 09[IKE] IKE_SA client-ha[1] state
> change: CREATED => CONNECTING
> > Jan  6 14:50:59 my-vpn-client charon: 09[ENC] generating IKE_SA_INIT
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > Jan  6 14:50:59 my-vpn-client charon: 09[NET] sending packet: from
> 192.168.2.227[500] to 192.168.2.213[500] (708 bytes)
> > Jan  6 14:50:59 my-vpn-client charon: 09[MGR] checkin IKE_SA client-ha[1]
> > Jan  6 14:50:59 my-vpn-client charon: 03[NET] sending packet: from
> 192.168.2.227[500] to 192.168.2.213[500]
> > Jan  6 14:50:59 my-vpn-client charon: 02[NET] received packet: from
> 192.168.2.213[500] to 192.168.2.227[500]
> > Jan  6 14:50:59 my-vpn-client charon: 02[NET] waiting for data on sockets
> > Jan  6 14:50:59 my-vpn-client charon: 10[MGR] checkout IKE_SA by message
> > Jan  6 14:50:59 my-vpn-client charon: 10[MGR] IKE_SA client-ha[1]
> successfully checked out
> > Jan  6 14:50:59 my-vpn-client charon: 10[NET] received packet: from
> 192.168.2.213[500] to 192.168.2.227[500] (38 bytes)
> > Jan  6 14:50:59 my-vpn-client charon: 10[ENC] parsed IKE_SA_INIT
> response 0 [ N(INVAL_KE) ]
> > Jan  6 14:50:59 my-vpn-client charon: 10[IKE] peer didn't accept DH
> group MODP_2048, it requested MODP_1024
> > Jan  6 14:50:59 my-vpn-client charon: 10[IKE] IKE_SA client-ha[1] state
> change: CONNECTING => CREATED
> > Jan  6 14:50:59 my-vpn-client charon: 10[IKE] activating new tasks
> > Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating IKE_INIT task
> > Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating IKE_NATD task
> > Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating IKE_CERT_PRE
> task
> > Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating IKE_AUTH task
> > Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating IKE_CERT_POST
> task
> > Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating IKE_CONFIG
> task
> > Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating CHILD_CREATE
> task
> > Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating
> IKE_AUTH_LIFETIME task
> > Jan  6 14:50:59 my-vpn-client charon: 10[IKE]   activating IKE_MOBIKE
> task
> > Jan  6 14:50:59 my-vpn-client charon: 10[IKE] initiating IKE_SA
> client-ha[1] to 192.168.2.213
> > Jan  6 14:50:59 my-vpn-client charon: 10[IKE] IKE_SA client-ha[1] state
> change: CREATED => CONNECTING
> > Jan  6 14:50:59 my-vpn-client charon: 10[ENC] generating IKE_SA_INIT
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > Jan  6 14:50:59 my-vpn-client charon: 10[NET] sending packet: from
> 192.168.2.227[500] to 192.168.2.213[500] (580 bytes)
> > Jan  6 14:50:59 my-vpn-client charon: 10[MGR] checkin IKE_SA client-ha[1]
> > Jan  6 14:50:59 my-vpn-client charon: 10[MGR] check-in of IKE_SA
> successful.
> > Jan  6 14:50:59 my-vpn-client charon: 03[NET] sending packet: from
> 192.168.2.227[500] to 192.168.2.213[500]
> > Jan  6 14:50:59 my-vpn-client charon: 02[NET] received packet: from
> 192.168.2.213[500] to 192.168.2.227[500]
> > Jan  6 14:50:59 my-vpn-client charon: 02[NET] waiting for data on sockets
> > Jan  6 14:50:59 my-vpn-client charon: 11[MGR] checkout IKE_SA by message
> > Jan  6 14:50:59 my-vpn-client charon: 11[MGR] IKE_SA client-ha[1]
> successfully checked out
> > Jan  6 14:50:59 my-vpn-client charon: 11[NET] received packet: from
> 192.168.2.213[500] to 192.168.2.227[500] (381 bytes)
> > Jan  6 14:50:59 my-vpn-client charon: 11[ENC] parsed IKE_SA_INIT
> response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> > Jan  6 14:50:59 my-vpn-client charon: 11[IKE] received cert request for
> unknown ca with keyid
> 4e:e1:18:20:b8:6b:65:0e:f3:40:51:73:88:dd:fe:d2:91:52:11:c0
> > Jan  6 14:50:59 my-vpn-client charon: 11[IKE] received cert request for
> "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
> > Jan  6 14:50:59 my-vpn-client charon: 11[IKE] received 1 cert requests
> for an unknown ca
> > Jan  6 14:50:59 my-vpn-client charon: 11[IKE] reinitiating already
> active tasks
> > Jan  6 14:50:59 my-vpn-client charon: 11[IKE]   IKE_CERT_PRE task
> > Jan  6 14:50:59 my-vpn-client charon: 11[IKE]   IKE_AUTH task
> > Jan  6 14:50:59 my-vpn-client charon: 11[IKE] sending cert request for
> "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
> > Jan  6 14:50:59 my-vpn-client charon: 11[IKE] building INTERNAL_IP4_DNS
> attribute
> > Jan  6 14:50:59 my-vpn-client charon: 11[IKE] establishing CHILD_SA
> client-ha
> > Jan  6 14:50:59 my-vpn-client charon: 11[KNL] getting SPI for reqid {1}
> > Jan  6 14:50:59 my-vpn-client charon: 11[KNL] got SPI c837be50 for reqid
> {1}
> > Jan  6 14:50:59 my-vpn-client charon: 11[ENC] generating IKE_AUTH
> request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr
> N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
> > Jan  6 14:50:59 my-vpn-client charon: 11[NET] sending packet: from
> 192.168.2.227[4500] to 192.168.2.213[4500] (492 bytes)
> > Jan  6 14:50:59 my-vpn-client charon: 11[MGR] checkin IKE_SA client-ha[1]
> > Jan  6 14:50:59 my-vpn-client charon: 11[MGR] check-in of IKE_SA
> successful.
> > Jan  6 14:50:59 my-vpn-client charon: 03[NET] sending packet: from
> 192.168.2.227[4500] to 192.168.2.213[4500]
> > Jan  6 14:50:59 my-vpn-client charon: 02[NET] received packet: from
> 192.168.2.213[4500] to 192.168.2.227[4500]
> > Jan  6 14:50:59 my-vpn-client charon: 02[NET] waiting for data on sockets
> > Jan  6 14:50:59 my-vpn-client charon: 12[MGR] checkout IKE_SA by message
> > Jan  6 14:50:59 my-vpn-client charon: 12[MGR] IKE_SA client-ha[1]
> successfully checked out
> > Jan  6 14:50:59 my-vpn-client charon: 12[NET] received packet: from
> 192.168.2.213[4500] to 192.168.2.227[4500] (972 bytes)
> > Jan  6 14:50:59 my-vpn-client charon: 12[ENC] parsed IKE_AUTH response 1
> [ V IDr CERT AUTH EAP/REQ/ID ]
> > Jan  6 14:50:59 my-vpn-client charon: 12[IKE] received end entity cert
> "CN=my-vpn-server.company.com, O=Company"
> > Jan  6 14:50:59 my-vpn-client charon: 12[IKE] no trusted RSA public key
> found for 'CN=my-vpn-server.company.com, O=Company'
> > Jan  6 14:50:59 my-vpn-client charon: 12[ENC] generating INFORMATIONAL
> request 2 [ N(AUTH_FAILED) ]
> > Jan  6 14:50:59 my-vpn-client charon: 12[NET] sending packet: from
> 192.168.2.227[4500] to 192.168.2.213[4500] (76 bytes)
> > Jan  6 14:50:59 my-vpn-client charon: 12[KNL] deleting SAD entry with
> SPI c837be50  (mark 0/0x00000000)
> > Jan  6 14:50:59 my-vpn-client charon: 03[NET] sending packet: from
> 192.168.2.227[4500] to 192.168.2.213[4500]
> > Jan  6 14:50:59 my-vpn-client charon: 12[KNL] deleted SAD entry with SPI
> c837be50 (mark 0/0x00000000)
> > Jan  6 14:50:59 my-vpn-client charon: 12[MGR] checkin and destroy IKE_SA
> client-ha[1]
> > Jan  6 14:50:59 my-vpn-client charon: 12[IKE] IKE_SA client-ha[1] state
> change: CONNECTING => DESTROYING
> > Jan  6 14:50:59 my-vpn-client charon: 12[MGR] check-in and destroy of
> IKE_SA successful
> >
> >
> > On Tue, Jan 6, 2015 at 2:48 PM, Noel Kuntze <noel at familie-kuntze.de>
> wrote:
> >
> >
> > Hello Justin,
> >
> > Set rightca to the DN of the CA certificate or to the file name or file
> path of the CA certificate.
> > As an alternative, you can get a copy of the server's certificate and do
> the same for rightcert.
> >
> > Kind regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> > On 06.01.2015 at 21:23, Justin Michael Schwartzbeck wrote:
> > > Hello,
> >
> > > I am trying to set up a strongswan client to connect to a VPN
> endpoint. Here is my configuration:
> >
> > > # ipsec.conf - strongSwan IPsec configuration file
> > > config setup
> > >                charondebug="ike 2, knl 2, mgr 2, net 2"
> > > ca main
> > >                cacert=ca.crt
> > > conn client-ha
> > >      aaa_identity="CN=my-radius-server.company.com, O=Company"
> > >      keyexchange=ikev2
> > >      right=my-vpn-server.company.com
> > >      rightid=%any
> > >      rightsubnet=0.0.0.0/0
> > >      leftsourceip=%config
> > >      leftsubnet=0.0.0.0/0
> > >      leftauth=eap-tls
> > >      left=10.89.150.227
> > >      leftid="my-radius-client.company.com"
> > >      leftcert=server.crt
> > >      auto=add
> >
> > > I have my ca.crt in /etc/ipsec.d/cacerts, my client certificate
> (server.crt) in /etc/ipsec.d/certs, and my client key (server.key) in
> /etc/ipsec.d/private. I also have the server.key listed in
> /etc/ipsec.secrets. My strongswan client's certificate and my vpn
> endpoint's certificate are both signed by the same CA. I have checked the
> vpn's cert against the ca.crt on my strongswan client to make sure that it
> was properly signed. However for some reason my strongswan client is not
> verifying the VPN's certificate. Below is the complete error output
> starting with an "ipsec restart" and then followed by an "ipsec up" on that
> profile:
> >
> > > Jan  6 11:18:11 my-vpn-client charon: 00[DMN] Starting IKE charon
> daemon (strongSwan 5.2.0, Linux 2.6.32-431.el6.x86_64, x86_64)
> > > Jan  6 11:18:11 my-vpn-client charon: 00[KNL] detected Linux 2.6.32,
> no support for RTA_PREFSRC for IPv6 routes
> > > Jan  6 11:18:11 my-vpn-client charon: 00[KNL] known interfaces and IP
> addresses:
> > > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]   lo
> > > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]     127.0.0.1
> > > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]     ::1
> > > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]   eth0
> > > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]     192.168.2.227
> > > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]     192.168.2.103
> > > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]     fe80::250:56ff:feaa:6249
> > > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]   eth1
> > > Jan  6 11:18:11 my-vpn-client charon: 00[KNL]     fe80::250:56ff:feaa:b96
> > > Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading ca certificates
> from '/etc/ipsec.d/cacerts'
> > > Jan  6 11:18:11 my-vpn-client charon: 00[CFG]   loaded ca certificate
> "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company" from
> '/etc/ipsec.d/cacerts/ca.crt'
> > > Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading aa certificates
> from '/etc/ipsec.d/aacerts'
> > > Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading ocsp signer
> certificates from '/etc/ipsec.d/ocspcerts'
> > > Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading attribute
> certificates from '/etc/ipsec.d/acerts'
> > > Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading crls from
> '/etc/ipsec.d/crls'
> > > Jan  6 11:18:11 my-vpn-client charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> > > Jan  6 11:18:11 my-vpn-client charon: 00[CFG]   loaded RSA private key
> from '/etc/ipsec.d/private/server.key'
> > > Jan  6 11:18:11 my-vpn-client charon: 00[LIB] loaded plugins: charon
> curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints
> pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc
> cmac hmac attr kernel-netlink resolve socket-default stroke vici updown
> eap-identity eap-aka eap-md5 eap-tls xauth-generic xauth-noauth lookip
> > > Jan  6 11:18:11 my-vpn-client charon: 00[LIB] unable to load 6 plugin
> features (6 due to unmet dependencies)
> > > Jan  6 11:18:11 my-vpn-client charon: 00[JOB] spawning 16 worker
> threads
> > > Jan  6 11:18:11 my-vpn-client charon: 02[NET] waiting for data on
> sockets
> > > Jan  6 11:18:11 my-vpn-client charon: 04[CFG] received stroke: add
> connection 'client-ha'
> > > Jan  6 11:18:11 my-vpn-client charon: 04[KNL] 192.168.2.213 is not a
> local address or the interface is down
> > > Jan  6 11:18:11 my-vpn-client charon: 04[CFG]   loaded certificate
> "CN=my-vpn-client.company.com, O=Company" from 'server.crt'
> > > Jan  6 11:18:11 my-vpn-client charon: 04[CFG]   id
> 'my-vpn-client.company.com' not confirmed by certificate, defaulting to
> 'CN=my-vpn-client.company.com, O=Company'
> > > Jan  6 11:18:11 my-vpn-client charon: 04[CFG] added configuration
> 'client-ha'
> > > Jan  6 11:18:31 my-vpn-client charon: 06[CFG] received stroke:
> initiate 'client-ha'
> > > Jan  6 11:18:31 my-vpn-client charon: 08[MGR] checkout IKE_SA by config
> > > Jan  6 11:18:31 my-vpn-client charon: 08[MGR] created IKE_SA
> (unnamed)[1]
> > > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_VENDOR task
> > > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_INIT task
> > > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_NATD task
> > > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CERT_PRE
> task
> > > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_AUTH task
> > > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CERT_POST
> task
> > > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CONFIG task
> > > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing
> IKE_AUTH_LIFETIME task
> > > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_MOBIKE task
> > > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] queueing CHILD_CREATE
> task
> > > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] activating new tasks
> > > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_VENDOR
> task
> > > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_INIT
> task
> > > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_NATD
> task
> > > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating
> IKE_CERT_PRE task
> > > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_AUTH
> task
> > > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating
> IKE_CERT_POST task
> > > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_CONFIG
> task
> > > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating
> CHILD_CREATE task
> > > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating
> IKE_AUTH_LIFETIME task
> > > Jan  6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_MOBIKE
> task
> > > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] initiating IKE_SA
> client-ha[1] to 192.168.2.213
> > > Jan  6 11:18:31 my-vpn-client charon: 08[IKE] IKE_SA client-ha[1]
> state change: CREATED => CONNECTING
> > > Jan  6 11:18:31 my-vpn-client charon: 08[ENC] generating IKE_SA_INIT
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > > Jan  6 11:18:31 my-vpn-client charon: 08[NET] sending packet: from
> 192.168.2.227[500] to 192.168.2.213[500] (708 bytes)
> > > Jan  6 11:18:31 my-vpn-client charon: 08[MGR] checkin IKE_SA
> client-ha[1]
> > > Jan  6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from
> 192.168.2.227[500] to 192.168.2.213[500]
> > > Jan  6 11:18:31 my-vpn-client charon: 02[NET] received packet: from
> 192.168.2.213[500] to 192.168.2.227[500]
> > > Jan  6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on
> sockets
> > > Jan  6 11:18:31 my-vpn-client charon: 09[MGR] checkout IKE_SA by
> message
> > > Jan  6 11:18:31 my-vpn-client charon: 09[MGR] IKE_SA client-ha[1]
> successfully checked out
> > > Jan  6 11:18:31 my-vpn-client charon: 09[NET] received packet: from
> 192.168.2.213[500] to 192.168.2.227[500] (38 bytes)
> > > Jan  6 11:18:31 my-vpn-client charon: 09[ENC] parsed IKE_SA_INIT
> response 0 [ N(INVAL_KE) ]
> > > Jan  6 11:18:31 my-vpn-client charon: 09[IKE] peer didn't accept DH
> group MODP_2048, it requested MODP_1024
> > > Jan  6 11:18:31 my-vpn-client charon: 09[IKE] IKE_SA client-ha[1]
> state change: CONNECTING => CREATED
> > > Jan  6 11:18:31 my-vpn-client charon: 09[IKE] activating new tasks
> > > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_INIT
> task
> > > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_NATD
> task
> > > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating
> IKE_CERT_PRE task
> > > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_AUTH
> task
> > > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating
> IKE_CERT_POST task
> > > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_CONFIG
> task
> > > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating
> CHILD_CREATE task
> > > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating
> IKE_AUTH_LIFETIME task
> > > Jan  6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_MOBIKE
> task
> > > Jan  6 11:18:31 my-vpn-client charon: 09[IKE] initiating IKE_SA
> client-ha[1] to 192.168.2.213
> > > Jan  6 11:18:31 my-vpn-client charon: 09[IKE] IKE_SA client-ha[1]
> state change: CREATED => CONNECTING
> > > Jan  6 11:18:31 my-vpn-client charon: 09[ENC] generating IKE_SA_INIT
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > > Jan  6 11:18:31 my-vpn-client charon: 09[NET] sending packet: from
> 192.168.2.227[500] to 192.168.2.213[500] (580 bytes)
> > > Jan  6 11:18:31 my-vpn-client charon: 09[MGR] checkin IKE_SA
> client-ha[1]
> > > Jan  6 11:18:31 my-vpn-client charon: 09[MGR] check-in of IKE_SA
> successful.
> > > Jan  6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from
> 192.168.2.227[500] to 192.168.2.213[500]
> > > Jan  6 11:18:31 my-vpn-client charon: 02[NET] received packet: from
> 192.168.2.213[500] to 192.168.2.227[500]
> > > Jan  6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on
> sockets
> > > Jan  6 11:18:31 my-vpn-client charon: 10[MGR] checkout IKE_SA by
> message
> > > Jan  6 11:18:31 my-vpn-client charon: 10[MGR] IKE_SA client-ha[1]
> successfully checked out
> > > Jan  6 11:18:31 my-vpn-client charon: 10[NET] received packet: from
> 192.168.2.213[500] to 192.168.2.227[500] (381 bytes)
> > > Jan  6 11:18:31 my-vpn-client charon: 10[ENC] parsed IKE_SA_INIT
> response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> > > Jan  6 11:18:31 my-vpn-client charon: 10[IKE] received cert request
> for unknown ca with keyid
> 4e:e1:18:20:b8:6b:65:0e:f3:40:51:73:88:dd:fe:d2:91:52:11:c0
> > > Jan  6 11:18:31 my-vpn-client charon: 10[IKE] received cert request
> for "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
> > > Jan  6 11:18:31 my-vpn-client charon: 10[IKE] received 1 cert requests
> for an unknown ca
> > > Jan  6 11:18:31 my-vpn-client charon: 10[IKE] reinitiating already
> active tasks
> > > Jan  6 11:18:31 my-vpn-client charon: 10[IKE]   IKE_CERT_PRE task
> > > Jan  6 11:18:31 my-vpn-client charon: 10[IKE]   IKE_AUTH task
> > > Jan  6 11:18:31 my-vpn-client charon: 10[IKE] sending cert request for
> "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
> > > Jan  6 11:18:31 my-vpn-client charon: 10[IKE] building
> INTERNAL_IP4_DNS attribute
> > > Jan  6 11:18:31 my-vpn-client charon: 10[IKE] establishing CHILD_SA
> client-ha
> > > Jan  6 11:18:31 my-vpn-client charon: 10[KNL] getting SPI for reqid {1}
> > > Jan  6 11:18:31 my-vpn-client charon: 10[KNL] got SPI ccd30cb7 for
> reqid {1}
> > > Jan  6 11:18:31 my-vpn-client charon: 10[ENC] generating IKE_AUTH
> request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP)
> N(ADD_4_ADDR) N(EAP_ONLY) ]
> > > Jan  6 11:18:31 my-vpn-client charon: 10[NET] sending packet: from
> 192.168.2.227[4500] to 192.168.2.213[4500] (428 bytes)
> > > Jan  6 11:18:31 my-vpn-client charon: 10[MGR] checkin IKE_SA
> client-ha[1]
> > > Jan  6 11:18:31 my-vpn-client charon: 10[MGR] check-in of IKE_SA
> successful.
> > > Jan  6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from
> 192.168.2.227[4500] to 192.168.2.213[4500]
> > > Jan  6 11:18:31 my-vpn-client charon: 02[NET] received packet: from
> 192.168.2.213[4500] to 192.168.2.227[4500]
> > > Jan  6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on
> sockets
> > > Jan  6 11:18:31 my-vpn-client charon: 11[MGR] checkout IKE_SA by
> message
> > > Jan  6 11:18:31 my-vpn-client charon: 11[MGR] IKE_SA client-ha[1]
> successfully checked out
> > > Jan  6 11:18:31 my-vpn-client charon: 11[NET] received packet: from
> 192.168.2.213[4500] to 192.168.2.227[4500] (956 bytes)
> > > Jan  6 11:18:31 my-vpn-client charon: 11[ENC] parsed IKE_AUTH response
> 1 [ V IDr CERT AUTH EAP/REQ/ID ]
> > > Jan  6 11:18:31 my-vpn-client charon: 11[IKE] received end entity cert
> "CN=my-vpn-server.company.com, O=Company"
> > > Jan  6 11:18:31 my-vpn-client charon: 11[IKE] no trusted RSA public
> key found for 'my-vpn-server.company.com'
> > > Jan  6 11:18:31 my-vpn-client charon: 11[ENC] generating INFORMATIONAL
> request 2 [ N(AUTH_FAILED) ]
> > > Jan  6 11:18:31 my-vpn-client charon: 11[NET] sending packet: from
> 192.168.2.227[4500] to 192.168.2.213[4500] (76 bytes)
> > > Jan  6 11:18:31 my-vpn-client charon: 11[KNL] deleting SAD entry with
> SPI ccd30cb7  (mark 0/0x00000000)
> > > Jan  6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from
> 192.168.2.227[4500] to 192.168.2.213[4500]
> > > Jan  6 11:18:31 my-vpn-client charon: 11[KNL] deleted SAD entry with
> SPI ccd30cb7 (mark 0/0x00000000)
> > > Jan  6 11:18:31 my-vpn-client charon: 11[MGR] checkin and destroy
> IKE_SA client-ha[1]
> > > Jan  6 11:18:31 my-vpn-client charon: 11[IKE] IKE_SA client-ha[1]
> state change: CONNECTING => DESTROYING
> > > Jan  6 11:18:31 my-vpn-client charon: 11[MGR] check-in and destroy of
> IKE_SA successful
> > > Jan  6 11:18:35 my-vpn-client charon: 12[MGR] checkout IKE_SA
> > > Jan  6 11:18:35 my-vpn-client charon: 13[MGR] checkout IKE_SA
> > > Jan  6 11:18:35 my-vpn-client charon: 14[MGR] checkout IKE_SA
> >
> > > The important failure message here is "no trusted RSA public key found
> for 'my-vpn-server.company.com'". I have also tried setting the eap
> identity in the vpn endpoint to the full DN in the server certificate but
> that didn't work either. I don't understand why this would be failing if
> the certificate is properly signed by the CA. Can someone tell me if I am
> missing something?
> >
> > > Thanks for the help.
> > > -Justin
> >
> >
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.strongswan.org
> > > https://lists.strongswan.org/mailman/listinfo/users
> >
> >
> >
> >
>
>
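As an added troubleshooting aid (not part of this thread or of strongSwan), the script below pulls the trust-relevant facts out of a charon log like the ones quoted above and turns them into the checks Noel's replies point at: whether a CERT payload arrived at all, whether the rightca value matched a loaded CA subject, and which CERTREQ keyids the peer sent for CAs that are missing locally. SAMPLE_LOG is a constructed, trimmed copy of the quoted client log with the mail wrapping undone; the hint wording is this example's own.

```python
"""Triage a strongSwan charon log that ends in "no trusted RSA public key found".

Added example; it is not part of the mailing-list thread or of strongSwan.
It only reads log text, so it runs offline. SAMPLE_LOG is a constructed,
trimmed copy of the client log quoted in the thread (mail wrapping undone).
"""
import re

SAMPLE_LOG = """\
Jan  6 14:50:54 my-vpn-client charon: 00[CFG]   loaded ca certificate "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company" from '/etc/ipsec.d/cacerts/ca.crt'
Jan  6 14:50:59 my-vpn-client charon: 05[CFG]   loaded certificate "CN=my-vpn-server.company.com, O=Company" from '/etc/ipsec.d/certs/cws.crt'
Jan  6 14:50:59 my-vpn-client charon: 05[CFG] CA certificate "/etc/ipsec.d/cacerts/ca.crt" not found, discarding CA constraint
Jan  6 14:50:59 my-vpn-client charon: 11[IKE] received cert request for unknown ca with keyid 4e:e1:18:20:b8:6b:65:0e:f3:40:51:73:88:dd:fe:d2:91:52:11:c0
Jan  6 14:50:59 my-vpn-client charon: 11[IKE] received cert request for "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
Jan  6 14:50:59 my-vpn-client charon: 12[ENC] parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]
Jan  6 14:50:59 my-vpn-client charon: 12[IKE] received end entity cert "CN=my-vpn-server.company.com, O=Company"
Jan  6 14:50:59 my-vpn-client charon: 12[IKE] no trusted RSA public key found for 'CN=my-vpn-server.company.com, O=Company'
Jan  6 14:50:59 my-vpn-client charon: 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""

# Syslog prefix up to and including the "NN[GROUP]" thread/log-group tag.
PREFIX = re.compile(r"^.*charon: \d+\[[A-Z]+\]\s*")

# Message shapes taken from the thread's own log lines.
PATTERNS = {
    "loaded_ca": re.compile(r'^loaded ca certificate "([^"]+)" from \'([^\']+)\'$'),
    "loaded_cert": re.compile(r'^loaded certificate "([^"]+)" from \'([^\']+)\'$'),
    "ca_constraint_discarded": re.compile(
        r'^CA certificate "([^"]+)" not found, discarding CA constraint$'),
    "certreq_unknown": re.compile(
        r"^received cert request for unknown ca with keyid ([0-9a-f:]+)$"),
    "certreq_known": re.compile(r'^received cert request for "([^"]+)"$'),
    "ee_cert": re.compile(r'^received end entity cert "([^"]+)"$'),
    "no_trusted_key": re.compile(r"^no trusted RSA public key found for '([^']+)'$"),
    "auth_failed": re.compile(r"N\(AUTH_FAILED\)"),
}


def parse_charon_log(text):
    """Collect the facts that decide a certificate-trust failure."""
    f = {"loaded_cas": [], "loaded_certs": [], "ca_constraint_discarded": [],
         "certreq_unknown": [], "certreq_known": [], "ee_cert": None,
         "no_trusted_key": None, "auth_failed": False}
    for raw in text.splitlines():
        msg = PREFIX.sub("", raw.strip())
        for name, pat in PATTERNS.items():
            m = pat.search(msg)
            if not m:
                continue
            if name == "loaded_ca":
                f["loaded_cas"].append((m.group(1), m.group(2)))
            elif name == "loaded_cert":
                f["loaded_certs"].append((m.group(1), m.group(2)))
            elif name in ("ca_constraint_discarded", "certreq_unknown", "certreq_known"):
                f[name].append(m.group(1))
            elif name in ("ee_cert", "no_trusted_key"):
                f[name] = m.group(1)
            elif name == "auth_failed":
                f[name] = True
            break  # one message matches at most one pattern
    return f


def diagnose(f):
    """Turn the parsed facts into checks a VPN admin can act on."""
    hints = []
    if f["no_trusted_key"] is None:
        return hints  # not the failure this helper is about
    if f["ee_cert"]:
        hints.append("peer did send a certificate (%s); the failure is chain "
                     "validation, not a missing CERT payload" % f["ee_cert"])
    else:
        hints.append("no end entity cert received; peer may need "
                     "leftsendcert=always, or configure rightcert on this side")
    local = f["loaded_cas"][0][0] if f["loaded_cas"] else "<no CA loaded>"
    for value in f["ca_constraint_discarded"]:
        hints.append("rightca=%s matched no loaded CA subject; use the subject "
                     "DN from the 'loaded ca certificate' line: %s" % (value, local))
    for keyid in f["certreq_unknown"]:
        hints.append("peer also trusts a CA absent from the local store (keyid %s); "
                     "if it issued the peer's certificate, that CA and any "
                     "intermediates belong in /etc/ipsec.d/cacerts" % keyid)
    if not f["loaded_cas"]:
        hints.append("no CA certificates were loaded, so no chain can be anchored")
    return hints


def triage(text):
    """Convenience wrapper: log text in, list of hints out."""
    return diagnose(parse_charon_log(text))


if __name__ == "__main__":
    for hint in triage(SAMPLE_LOG):
        print("-", hint)
```

Feed it the output of `ipsec up` with `charondebug="ike 2, cfg 2"`; on a log that does not contain the "no trusted RSA public key" line it returns no hints.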