[strongSwan] Machine certificates from BB10 devices fail to connect (PSK works); ideas?

Karl Denninger karl at denninger.net
Wed Mar 25 05:36:12 CET 2015


I'm having a problem getting PKI-authenticated connections from BB10 
smartphones to work.

PSK-authentication works; I have the following stanza in ipsec.conf:

conn BB10
         left=%any
         leftsubnet=0.0.0.0/0
         right=%any
         rightsourceip=192.168.2.0/24
         rightauth=psk
         leftcert=genesis.denninger.net.crt
         leftauth=pubkey
         auto=add

This works fine; the proper secret is in the ipsec.secrets file.

If I change "rightauth" to "pubkey", however, and specify a client 
certificate to be sent on the client side, I get this:

Mar 24 23:30:19 NewFS charon: 16[NET] sending packet: from 70.169.168.7[500] to 192.168.1.21[500] (333 bytes)
Mar 24 23:30:19 NewFS charon: 16[NET] received packet: from 192.168.1.21[500] to 70.169.168.7[500] (2444 bytes)
Mar 24 23:30:19 NewFS charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH CPRQ(ADDR MASK DNS DNS NBNS NBNS VER) N(INIT_CONTACT) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Mar 24 23:30:19 NewFS charon: 16[IKE] received end entity cert "C=US, ST=Florida, O=Cuda Systems LLC, CN=Karl Denninger, E=karl at denninger.net"
Mar 24 23:30:19 NewFS charon: 16[CFG] looking for peer configs matching 70.169.168.7[%any]...192.168.1.21[karl at denninger.net]
Mar 24 23:30:19 NewFS charon: 16[CFG] selected peer config 'BB10'
Mar 24 23:30:19 NewFS charon: 16[IKE] no trusted RSA public key found for 'karl at denninger.net'

The public key, however, IS in the ipsec.d/certs directory and IS 
readable.  In addition "ipsec listcacerts" does show the CA that issued 
the machine certificate.

However, "ipsec listcerts" does not display it; all it shows is the 
machine cert for the server:

[root at NewFS /usr/local/etc/ipsec.d]# ipsec listcerts

List of X.509 End Entity Certificates:

   subject:  "C=US, ST=Florida, O=Cuda Systems LLC, CN=genesis.denninger.net, E=postmaster at genesis.denninger.net"
   issuer:   "C=US, ST=Florida, L=Niceville, O=Cuda Systems LLC, CN=Cuda Systems LLC CA, E=Cuda Systems LLC CA"
   serial:    17
   validity:  not before Mar 24 22:48:26 2015, ok
              not after  Mar 21 22:48:26 2025, ok
   pubkey:    RSA 4096 bits, has private key
   keyid: 58:e0:39:09:a8:60:69:4e:80:4e:03:c5:03:d4:62:4d:0e:f3:80:7d
   subjkey: e7:7b:7c:61:2e:5e:af:06:d0:9d:ff:29:3d:12:ae:a2:61:bf:60:56
   authkey: 24:71:9b:9d:85:7d:fc:dd:dd:bd:b0:ca:92:94:03:a1:fa:d3:6d:35
[root at NewFS /usr/local/etc/ipsec.d]#

What am I missing?

-- 
Karl Denninger
karl at denninger.net <mailto:karl at denninger.net>
/The Market Ticker/
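Two things worth checking on the server when strongSwan logs "no trusted RSA public key found for '<id>'", shown here as an added example that is not part of the original post and not strongSwan's own code: whether the certificate the client sent in its IKE_AUTH CERT payload chains to a CA the server trusts (a CA in ipsec.d/cacerts), and whether the identity the client sends as IDi is actually contained in that certificate. strongSwan compares an IKE identity with the certificate's subject DN as a whole or with its subjectAltName entries, so an e-mail identity needs an rfc822Name subjectAltName; an address that appears only in the DN's E= attribute does not match. The script builds a throwaway CA and two client certificates with openssl (constructed test data; every name, address and helper function below is made up for this example) and runs both checks on each.

```shell
#!/bin/sh
# Added example, not code from the original post or from strongSwan.
# Assumes openssl is on PATH. All names, e-mail addresses and helper
# function names here are made up for the demonstration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway CA and two client certificates (constructed test data).
# Both carry the e-mail address in the DN's E= field; only "good" also
# carries it as a subjectAltName of type rfc822Name.
make_test_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/O=Example Org/CN=Example CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  printf 'subjectAltName=email:karl@example.test\n' > "$WORK/san.cnf"
  serial=1
  for name in good bad; do
    openssl req -newkey rsa:2048 -nodes -sha256 \
      -subj "/O=Example Org/CN=Karl Example/emailAddress=karl@example.test" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    # only the "good" certificate gets the subjectAltName extension
    if [ "$name" = good ]; then ext="-extfile $WORK/san.cnf"; else ext=""; fi
    openssl x509 -req -days 2 -sha256 -set_serial "$serial" \
      -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      $ext -out "$WORK/$name.crt" >/dev/null 2>&1
    serial=$((serial + 1))
  done
}

# Check 1: does the certificate chain to a trusted CA (the equivalent of
# a CA certificate placed in ipsec.d/cacerts)?
chains_to_ca() {   # $1 = certificate, $2 = CA file; exit status 0 = trusted
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 2: is the identity the peer sends present in the certificate?
# This helper only inspects the subjectAltName extension, which is where
# an e-mail (rfc822Name), DNS or IP identity has to live; a whole-DN
# identity would instead be compared against the subject DN.
cert_has_id() {    # $1 = certificate, $2 = identity; exit status 0 = found
  san=$(openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1)
  case "$san" in
    *"email:$2"*|*"DNS:$2"*|*"IP Address:$2"*) return 0 ;;
  esac
  return 1
}

# Print which of the two checks fails for a certificate.
report() {         # $1 = certificate, $2 = identity, $3 = CA file
  chain=FAIL; ident=FAIL
  chains_to_ca "$1" "$3" && chain=ok
  cert_has_id "$1" "$2" && ident=ok
  echo "$(basename "$1"): chains-to-CA=$chain id-in-cert=$ident"
}

make_test_certs
report "$WORK/good.crt" karl@example.test "$WORK/ca.crt"
report "$WORK/bad.crt"  karl@example.test "$WORK/ca.crt"
```

Both certificates pass the chain check; only good.crt passes the identity check, which is the combination that leaves the chain-of-trust intact yet still yields no usable public key for an e-mail identity. Two related points when reading the output of the ipsec commands in the post: ipsec listcacerts lists the CAs loaded from ipsec.d/cacerts, while ipsec listcerts lists only the end-entity certificates that charon has actually loaded, which for files in ipsec.d/certs means those referenced by a leftcert or rightcert line; a certificate merely copied into that directory is not loaded and need not be, because the peer's certificate arrives in IKE_AUTH and is validated against the trusted CAs.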