[strongSwan] Peer identities w.r.t. PSK based authentication and Certificates based authentication

Kaur, Sumit (NSN - IN/Bangalore) sumit.kaur at nsn.com
Thu Jan 29 08:01:44 CET 2015 

Hi All,

Let me make my question simpler.

Actually in my testing I was trying to have more than 1 remote Access VPN (Road Warrior VPNs) at Server using different PSK secrets.

Since in road warrior, server cannot know about its peer identities, is it logical to have local identity as a selector for PSK in ipsec.secrets file?

Or should it only be the remote identity as the selector in ipsec.secrets file for PSK mode. If that's the case, then this becomes a limitation with PSKs that more than 1 road warrior configuration is not allowed because with road warriors we cannot know our peer identities.

Can someone confirm.

Thanks
Sumit


From: users-bounces at lists.strongswan.org [mailto:users-bounces at lists.strongswan.org] On Behalf Of ext Kaur, Sumit (NSN - IN/Bangalore)
Sent: Wednesday, January 28, 2015 6:37 PM
To: users at lists.strongswan.org
Subject: [strongSwan] Peer identities w.r.t. PSK based authentication and Certificates based authentication

Hi all,

I have configured Ikev2 in strongswan version 4.3.6 as below.


ipsec.conf on Host1

Ipsec.secrets on host1



Ipsec.conf on host2

Ipsec.secrets on host2



The Certificates are IP addresses based.


Host1 is made to act as responder alone. Ipsec connections are initiated from Host2 always.

With above configuration, both connections r1~v1 and r2~v2 gets established (Initiated from Host2).

Logs at Host1(Responder)

10[IKE] (vr2)14.0.0.2 is initiating an IKE_SA
10[IKE] sending cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com<mailto:E=gianluigi.ongaro at nsn.com>"
09[IKE] received cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com<mailto:E=gianluigi.ongaro at nsn.com>"
09[IKE] received end entity cert "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu2, E=gianluigi.ongaro at nsn.com<mailto:E=gianluigi.ongaro at nsn.com>"
09[CFG] looking for peer configs matching (vr2)30.0.0.1[(vr*)%any]...(vr2)14.0.0.2[(vr*)14.0.0.2]
09[CFG] selected peer config 'r1~v1'
09[CFG]   using certificate "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu2, E=gianluigi.ongaro at nsn.com<mailto:E=gianluigi.ongaro at nsn.com>"
09[CFG]   using trusted ca certificate "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com<mailto:E=gianluigi.ongaro at nsn.com>"
09[CFG] checking certificate status of "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu2, E=gianluigi.ongaro at nsn.com<mailto:E=gianluigi.ongaro at nsn.com>"
09[CFG] certificate status is not available
09[CFG]   reached self-signed root ca with a path length of 0
09[IKE] authentication of '(vr*)14.0.0.2' with RSA signature successful
09[IKE] authentication of '(vr*)30.0.0.1' (myself) with RSA signature successful

10[IKE] 13.0.0.2 is initiating an IKE_SA
10[IKE] sending cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com<mailto:E=gianluigi.ongaro at nsn.com>"
12[IKE] received cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com<mailto:E=gianluigi.ongaro at nsn.com>"
12[IKE] received end entity cert "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu, E=gianluigi.ongaro at nsn.com<mailto:E=gianluigi.ongaro at nsn.com>"
12[CFG] looking for peer configs matching 20.0.0.1[(vr*)%any]...13.0.0.2[(vr*)13.0.0.2]
12[CFG] selected peer config 'r2~v2'
12[CFG]   using certificate "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu, E=gianluigi.ongaro at nsn.com<mailto:E=gianluigi.ongaro at nsn.com>"
12[CFG]   using trusted ca certificate "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com<mailto:E=gianluigi.ongaro at nsn.com>"
12[CFG] checking certificate status of "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_eipu, E=gianluigi.ongaro at nsn.com<mailto:E=gianluigi.ongaro at nsn.com>"
12[CFG] certificate status is not available
12[CFG]   reached self-signed root ca with a path length of 0
12[IKE] authentication of '(vr*)13.0.0.2' with RSA signature successful
12[IKE] authentication of '(vr*)20.0.0.1' (myself) with RSA signature successful


But same configuration with secrets does not go through fine.

Host1 ipsec.conf, ipsec.secrets

Host 2 ipsec.conf, ipsec.secrets



When r1~v1, r2~v2 are initiated from Host2, Host1 fails the authentication with below error :-

09[IKE] (vr2)14.0.0.2 is initiating an IKE_SA
09[IKE] sending cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com<mailto:E=gianluigi.ongaro at nsn.com>"
08[IKE] received cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com<mailto:E=gianluigi.ongaro at nsn.com>"
08[CFG] looking for peer configs matching (vr2)30.0.0.1[(vr*)%any]...(vr2)14.0.0.2[(vr*)14.0.0.2]
08[CFG] selected peer config 'r1~v1'
08[IKE] no shared key found for '(vr*)%any' - '(vr*)14.0.0.2'


11[IKE] 13.0.0.2 is initiating an IKE_SA
11[IKE] sending cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com<mailto:E=gianluigi.ongaro at nsn.com>"
10[IKE] received cert request for "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=www.nokiasiemensnetworks.com, E=gianluigi.ongaro at nsn.com<mailto:E=gianluigi.ongaro at nsn.com>"
10[CFG] looking for peer configs matching 20.0.0.1[(vr*)%any]...13.0.0.2[(vr*)13.0.0.2]
10[CFG] selected peer config 'r2~v2'
10[IKE] no shared key found for '(vr*)%any' - '(vr*)13.0.0.2'



As far as my understanding goes, %any identity is looked for in ipsec.secrets file of HOST1, which is not available and hence the error.

But then for certificates too, %any is not mentioned in ipsec.secrets file, then how does the authentication goes through fine for both the connections with the respective private keys at HOST1.

Can someone explain this.

Thanks
Sumit

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150129/07389f8e/attachment-0001.html>

More information about the Users mailing list