[strongSwan] Peer identities w.r.t. PSK based authentication and Certificates based authentication

Kaur, Sumit (NSN - IN/Bangalore) sumit.kaur at nsn.com
Wed Jan 28 14:06:41 CET 2015


Hi all,

I have configured IKEv2 in strongSwan version 4.3.6 as below.


ipsec.conf on Host1


ipsec.secrets on host1




ipsec.conf on host2


ipsec.secrets on host2




The Certificates are IP addresses based.




Host1 is made to act as responder only. IPsec connections are always initiated from Host2.

With the above configuration, both connections r1~v1 and r2~v2 get established (initiated from Host2).

Logs at Host1 (responder):

10[IKE] (vr2)14.0.0.2 is initiating an IKE_SA
10[IKE] sending cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
09[IKE] received cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
09[IKE] received end entity cert "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu2, E=gianluigi.ongaro at nsn.com"
09[CFG] looking for peer configs matching (vr2)30.0.0.1[(vr*)%any]...(vr2)14.0.0.2[(vr*)14.0.0.2]
09[CFG] selected peer config 'r1~v1'
09[CFG]   using certificate "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu2, E=gianluigi.ongaro at nsn.com"
09[CFG]   using trusted ca certificate "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
09[CFG] checking certificate status of "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu2, E=gianluigi.ongaro at nsn.com"
09[CFG] certificate status is not available
09[CFG]   reached self-signed root ca with a path length of 0
09[IKE] authentication of '(vr*)14.0.0.2' with RSA signature successful
09[IKE] authentication of '(vr*)30.0.0.1' (myself) with RSA signature successful

10[IKE] 13.0.0.2 is initiating an IKE_SA
10[IKE] sending cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
12[IKE] received cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
12[IKE] received end entity cert "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu, E=gianluigi.ongaro at nsn.com"
12[CFG] looking for peer configs matching 20.0.0.1[(vr*)%any]...13.0.0.2[(vr*)13.0.0.2]
12[CFG] selected peer config 'r2~v2'
12[CFG]   using certificate "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu, E=gianluigi.ongaro at nsn.com"
12[CFG]   using trusted ca certificate "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
12[CFG] checking certificate status of "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu, E=gianluigi.ongaro at nsn.com"
12[CFG] certificate status is not available
12[CFG]   reached self-signed root ca with a path length of 0
12[IKE] authentication of '(vr*)13.0.0.2' with RSA signature successful
12[IKE] authentication of '(vr*)20.0.0.1' (myself) with RSA signature successful


But the same configuration with secrets does not go through fine.

Host1 ipsec.conf, ipsec.secrets



Host 2 ipsec.conf, ipsec.secrets





When r1~v1 and r2~v2 are initiated from Host2, Host1 fails the authentication with the error below:

09[IKE] (vr2)14.0.0.2 is initiating an IKE_SA
09[IKE] sending cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
08[IKE] received cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
08[CFG] looking for peer configs matching (vr2)30.0.0.1[(vr*)%any]...(vr2)14.0.0.2[(vr*)14.0.0.2]
08[CFG] selected peer config 'r1~v1'
08[IKE] no shared key found for '(vr*)%any' - '(vr*)14.0.0.2'


11[IKE] 13.0.0.2 is initiating an IKE_SA
11[IKE] sending cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
10[IKE] received cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com"
10[CFG] looking for peer configs matching 20.0.0.1[(vr*)%any]...13.0.0.2[(vr*)13.0.0.2]
10[CFG] selected peer config 'r2~v2'
10[IKE] no shared key found for '(vr*)%any' - '(vr*)13.0.0.2'



As far as my understanding goes, the %any identity is looked up in the ipsec.secrets file of Host1, which is not available, and hence the error.

But then for certificates too, %any is not mentioned in the ipsec.secrets file, so how does the authentication go through fine for both connections with the respective private keys at Host1?

Can someone explain this?

Thanks
Sumit
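The two lookups the responder log shows, modelled in Python as an added example (not the poster's configuration and not strongSwan's code). The matching rules are assumptions about charon's ipsec.secrets handling: a PSK line with no selectors matches every identity pair, otherwise both the local and the remote identity must match one of its selectors, a %any selector matches anything, and a looked-up identity of %any (Host1 has no leftid, so the log shows "(vr*)%any") matches only a %any selector; an RSA line is tied to the configured certificate by its public key, not by the selectors. The identities come from the log above; the secrets are constructed.

```python
from dataclasses import dataclass

ANY = "%any"

@dataclass
class PskEntry:             # "<id> <id> : PSK "secret""; no ids = matches every pair
    selectors: list
    secret: str

@dataclass
class RsaEntry:             # ": RSA keyfile"; assumed matched to leftcert's public key
    key_file: str
    public_key_id: str      # constructed stand-in for the key's public-key identifier
    selectors: tuple = ()   # assumed ignored by charon for RSA lines

def id_match(selector, ident):
    """0 = no match, 1 = match via a %any selector, 2 = exact match."""
    if selector == ANY:
        return 1
    return 2 if selector == ident else 0    # a looked-up '%any' never equals an IP

def psk_lookup(entries, my_id, other_id):
    """Best-matching PSK as (secret, score); exact matches beat %any matches."""
    best = None
    for e in entries:
        if not isinstance(e, PskEntry):
            continue
        if not e.selectors:
            score = 0                                   # catch-all line, lowest priority
        else:
            mine = max(id_match(s, my_id) for s in e.selectors)
            theirs = max(id_match(s, other_id) for s in e.selectors)
            if not mine or not theirs:
                continue                                # '%any' vs '30.0.0.1': no match
            score = mine + theirs
        if best is None or score > best[1]:
            best = (e.secret, score)
    return best

def rsa_lookup(entries, cert_public_key_id):
    """Private key for the configured leftcert, chosen by public key, never by identity."""
    for e in entries:
        if isinstance(e, RsaEntry) and e.public_key_id == cert_public_key_id:
            return e.key_file
    return None

# Constructed secrets using the identities from the log (Host1 30.0.0.1, peer 14.0.0.2).
HOST1_SECRETS = [
    PskEntry(["30.0.0.1", "14.0.0.2"], "psk-for-r1"),
    RsaEntry("host1Key.pem", "pubkey-host1"),
]
```

Under these rules `psk_lookup(HOST1_SECRETS, "%any", "14.0.0.2")` finds nothing, as in the log, while the same lookup with a concrete local identity (a leftid on Host1, or a %any selector on the PSK line) succeeds; `rsa_lookup` never consults identities, which is why the certificate setup authenticates with the same identities.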

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: host1_ipsec.conf.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150128/4e939c73/attachment-0010.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: host1_ipsec.secrets.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150128/4e939c73/attachment-0011.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: host2-ipsec.secrets.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150128/4e939c73/attachment-0012.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: host2-ipsec.conf.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150128/4e939c73/attachment-0013.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Scenario2_host1-ipsec.conf.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150128/4e939c73/attachment-0014.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Scenario2_host1-ipsec.secrets.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150128/4e939c73/attachment-0015.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Scenario2_host2-ipsec.conf.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150128/4e939c73/attachment-0016.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Scenario2-host2-ipsec.secrets.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150128/4e939c73/attachment-0017.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Host1_Cert_info.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150128/4e939c73/attachment-0018.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Host2_Cert_info.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150128/4e939c73/attachment-0019.txt>