[strongSwan] Machine certificates from BB10 devices fail to connect (PSK works); ideas?
Ko, HsuenJu
HsuenJu.Ko at stratus.com
Wed Mar 25 14:26:37 CET 2015
Hi Andreas,
Is setting left|rightid to full subject DN another solution?
Thanks!
Bettina
-----Original Message-----
From: users-bounces at lists.strongswan.org [mailto:users-bounces at lists.strongswan.org] On Behalf Of Andreas Steffen
Sent: Wednesday, March 25, 2015 8:49 AM
To: Karl Denninger; users at lists.strongswan.org
Subject: Re: [strongSwan] Machine certificates from BB10 devices fail to connect (PSK works); ideas?
Hi Karl,
in order to find a match, the IKEv2 ID 'karl at denninger.net' must be contained as a subjectAltName in the X.509 client certificate.
strongSwan does not do any matching to the CN= or E= fields of the certificate's subjectDistinguishedName.
Best regards
Andreas
On 03/25/2015 05:36 AM, Karl Denninger wrote:
> I'm having a problem getting PKI-authenticated connections from BB10
> smartphones to work.
>
> PSK-authentication works; I have the following stanza in ipsec.conf:
>
> conn BB10
> left=%any
> leftsubnet=0.0.0.0/0
> right=%any
> rightsourceip=192.168.2.0/24
> rightauth=psk
> leftcert=genesis.denninger.net.crt
> leftauth=pubkey
> auto=add
>
> This works fine; the proper secret is in the ipsec.secrets file.
>
> If I change "rightauth" to "pubkey", however, and specify a client
> certificate to be sent on the client side I get this:
>
> Mar 24 23:30:19 NewFS charon: 16[NET] sending packet: from
> 70.169.168.7[500] to 192.168.1.21[500] (333 bytes) Mar 24 23:30:19
> NewFS charon: 16[NET] received packet: from 192.168.1.21[500] to
> 70.169.168.7[500] (2444 bytes) Mar 24 23:30:19 NewFS charon: 16[ENC]
> parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH CPRQ(ADDR MASK DNS
> DNS NBNS NBNS VER) N(INIT_CONTACT)
> N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ] Mar 24 23:30:19 NewFS
> charon: 16[IKE] received end entity cert "C=US, ST=Florida, O=Cuda
> Systems LLC, CN=Karl Denninger, E=karl at denninger.net"
> Mar 24 23:30:19 NewFS charon: 16[CFG] looking for peer configs
> matching 70.169.168.7[%any]...192.168.1.21[karl at denninger.net]
> Mar 24 23:30:19 NewFS charon: 16[CFG] selected peer config 'BB10'
> Mar 24 23:30:19 NewFS charon: 16[IKE] no trusted RSA public key found
> for 'karl at denninger.net'
>
> The public key, however, IS in the ipsec.d/certs directory and IS
> readable. In addition "ipsec listcacerts" does show the CA that
> issued the machine certificate.
>
> However, "ipsec listcerts" does not display it; all it shows is the
> machine cert for the server:
>
> [root at NewFS /usr/local/etc/ipsec.d]# ipsec listcerts
>
> List of X.509 End Entity Certificates:
>
> subject: "C=US, ST=Florida, O=Cuda Systems LLC,
> CN=genesis.denninger.net, E=postmaster at genesis.denninger.net"
> issuer: "C=US, ST=Florida, L=Niceville, O=Cuda Systems LLC, CN=Cuda
> Systems LLC CA, E=Cuda Systems LLC CA"
> serial: 17
> validity: not before Mar 24 22:48:26 2015, ok
> not after Mar 21 22:48:26 2025, ok
> pubkey: RSA 4096 bits, has private key
> keyid: 58:e0:39:09:a8:60:69:4e:80:4e:03:c5:03:d4:62:4d:0e:f3:80:7d
> subjkey: e7:7b:7c:61:2e:5e:af:06:d0:9d:ff:29:3d:12:ae:a2:61:bf:60:56
> authkey: 24:71:9b:9d:85:7d:fc:dd:dd:bd:b0:ca:92:94:03:a1:fa:d3:6d:35
> [root at NewFS /usr/local/etc/ipsec.d]#
>
> What am I missing?
>
> --
> Karl Denninger
> karl at denninger.net <mailto:karl at denninger.net> /The Market Ticker/
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
More information about the Users
mailing list