[strongSwan] Machine certificates from BB10 devices fail to connect (PSK works); ideas?

Andreas Steffen andreas.steffen at strongswan.org
Wed Mar 25 13:49:18 CET 2015 

Hi Karl,

in order to find a match, the IKEv2 ID 'karl at denninger.net' must be
contained as a subjectAltName in the X.509 client certificate.
strongSwan does not do any matching to the CN= or E= fields of
the certificate's subjectDistinguishedName.

Best regards

Andreas

On 03/25/2015 05:36 AM, Karl Denninger wrote:
> I'm having a problem getting PKI-authenticated connections from BB10
> smartphones to work.
> 
> PSK-authentication works; I have the following stanza in ipsec.conf:
> 
> conn BB10
>         left=%any
>         leftsubnet=0.0.0.0/0
>         right=%any
>         rightsourceip=192.168.2.0/24
>         rightauth=psk
>         leftcert=genesis.denninger.net.crt
>         leftauth=pubkey
>         auto=add
> 
> This works fine; the proper secret is in the ipsec.secrets file.
> 
> If I change "rightauth" to "pubkey", however, and specify a client
> certificate to be sent on the client side I get this:
> 
> Mar 24 23:30:19 NewFS charon: 16[NET] sending packet: from
> 70.169.168.7[500] to 192.168.1.21[500] (333 bytes)
> Mar 24 23:30:19 NewFS charon: 16[NET] received packet: from
> 192.168.1.21[500] to 70.169.168.7[500] (2444 bytes)
> Mar 24 23:30:19 NewFS charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi
> CERT CERTREQ AUTH CPRQ(ADDR MASK DNS DNS NBNS NBNS VER) N(INIT_CONTACT)
> N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> Mar 24 23:30:19 NewFS charon: 16[IKE] received end entity cert "C=US,
> ST=Florida, O=Cuda Systems LLC, CN=Karl Denninger, E=karl at denninger.net"
> Mar 24 23:30:19 NewFS charon: 16[CFG] looking for peer configs matching
> 70.169.168.7[%any]...192.168.1.21[karl at denninger.net]
> Mar 24 23:30:19 NewFS charon: 16[CFG] selected peer config 'BB10'
> Mar 24 23:30:19 NewFS charon: 16[IKE] no trusted RSA public key found
> for 'karl at denninger.net'
> 
> The public key, however, IS in the ipsec.d/certs directory and IS
> readable.  In addition "ipsec listcacerts" does show the CA that issued
> the machine certificate.
> 
> However, "ipsec listcerts" does not display it; all it shows is the
> machine cert for the server:
> 
> [root at NewFS /usr/local/etc/ipsec.d]# ipsec listcerts
> 
> List of X.509 End Entity Certificates:
> 
>   subject:  "C=US, ST=Florida, O=Cuda Systems LLC,
> CN=genesis.denninger.net, E=postmaster at genesis.denninger.net"
>   issuer:   "C=US, ST=Florida, L=Niceville, O=Cuda Systems LLC, CN=Cuda
> Systems LLC CA, E=Cuda Systems LLC CA"
>   serial:    17
>   validity:  not before Mar 24 22:48:26 2015, ok
>              not after  Mar 21 22:48:26 2025, ok
>   pubkey:    RSA 4096 bits, has private key
>   keyid:     58:e0:39:09:a8:60:69:4e:80:4e:03:c5:03:d4:62:4d:0e:f3:80:7d
>   subjkey:   e7:7b:7c:61:2e:5e:af:06:d0:9d:ff:29:3d:12:ae:a2:61:bf:60:56
>   authkey:   24:71:9b:9d:85:7d:fc:dd:dd:bd:b0:ca:92:94:03:a1:fa:d3:6d:35
> [root at NewFS /usr/local/etc/ipsec.d]#
> 
> What am I missing?
> 
> -- 
> Karl Denninger
> karl at denninger.net <mailto:karl at denninger.net>
> /The Market Ticker/

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4255 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150325/6d2e5d03/attachment.bin>

More information about the Users mailing list