[strongSwan] Machine certificates from BB10 devices fail to connect (PSK works); ideas?

Ko, HsuenJu HsuenJu.Ko at stratus.com
Wed Mar 25 15:16:30 CET 2015


Thanks for confirming this.

Bettina

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Wednesday, March 25, 2015 10:17 AM
To: Ko, HsuenJu; Karl Denninger; users at lists.strongswan.org
Subject: Re: [strongSwan] Machine certificates from BB10 devices fail to connect (PSK works); ideas?

Yes, setting left|rightid to the subject DN does also work.

Regards

Andreas

On 25.03.2015 14:26, Ko, HsuenJu wrote:
> Hi Andreas,
> Is setting left|rightid to full subject DN another solution?
>
> Thanks!
> Bettina
>
> -----Original Message-----
> From: users-bounces at lists.strongswan.org [mailto:users-bounces at lists.strongswan.org] On Behalf Of Andreas Steffen
> Sent: Wednesday, March 25, 2015 8:49 AM
> To: Karl Denninger; users at lists.strongswan.org
> Subject: Re: [strongSwan] Machine certificates from BB10 devices fail to connect (PSK works); ideas?
>
> Hi Karl,
>
> in order to find a match, the IKEv2 ID 'karl at denninger.net' must be contained as a subjectAltName in the X.509 client certificate.
> strongSwan does not do any matching to the CN= or E= fields of the certificate's subjectDistinguishedName.
>
> Best regards
>
> Andreas
>
> On 03/25/2015 05:36 AM, Karl Denninger wrote:
>> I'm having a problem getting PKI-authenticated connections from BB10
>> smartphones to work.
>>
>> PSK-authentication works; I have the following stanza in ipsec.conf:
>>
>> conn BB10
>>          left=%any
>>          leftsubnet=0.0.0.0/0
>>          right=%any
>>          rightsourceip=192.168.2.0/24
>>          rightauth=psk
>>          leftcert=genesis.denninger.net.crt
>>          leftauth=pubkey
>>          auto=add
>>
>> This works fine; the proper secret is in the ipsec.secrets file.
>>
>> If I change "rightauth" to "pubkey", however, and specify a client
>> certificate to be sent on the client side I get this:
>>
>> Mar 24 23:30:19 NewFS charon: 16[NET] sending packet: from 70.169.168.7[500] to 192.168.1.21[500] (333 bytes)
>> Mar 24 23:30:19 NewFS charon: 16[NET] received packet: from 192.168.1.21[500] to 70.169.168.7[500] (2444 bytes)
>> Mar 24 23:30:19 NewFS charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH CPRQ(ADDR MASK DNS DNS NBNS NBNS VER) N(INIT_CONTACT) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>> Mar 24 23:30:19 NewFS charon: 16[IKE] received end entity cert "C=US, ST=Florida, O=Cuda Systems LLC, CN=Karl Denninger, E=karl at denninger.net"
>> Mar 24 23:30:19 NewFS charon: 16[CFG] looking for peer configs matching 70.169.168.7[%any]...192.168.1.21[karl at denninger.net]
>> Mar 24 23:30:19 NewFS charon: 16[CFG] selected peer config 'BB10'
>> Mar 24 23:30:19 NewFS charon: 16[IKE] no trusted RSA public key found for 'karl at denninger.net'
>>
>> The public key, however, IS in the ipsec.d/certs directory and IS
>> readable.  In addition "ipsec listcacerts" does show the CA that
>> issued the machine certificate.
>>
>> However, "ipsec listcerts" does not display it; all it shows is the
>> machine cert for the server:
>>
>> [root at NewFS /usr/local/etc/ipsec.d]# ipsec listcerts
>>
>> List of X.509 End Entity Certificates:
>>
>>    subject:  "C=US, ST=Florida, O=Cuda Systems LLC, CN=genesis.denninger.net, E=postmaster at genesis.denninger.net"
>>    issuer:   "C=US, ST=Florida, L=Niceville, O=Cuda Systems LLC, CN=Cuda Systems LLC CA, E=Cuda Systems LLC CA"
>>    serial:    17
>>    validity:  not before Mar 24 22:48:26 2015, ok
>>               not after  Mar 21 22:48:26 2025, ok
>>    pubkey:    RSA 4096 bits, has private key
>>    keyid:     58:e0:39:09:a8:60:69:4e:80:4e:03:c5:03:d4:62:4d:0e:f3:80:7d
>>    subjkey:   e7:7b:7c:61:2e:5e:af:06:d0:9d:ff:29:3d:12:ae:a2:61:bf:60:56
>>    authkey:   24:71:9b:9d:85:7d:fc:dd:dd:bd:b0:ca:92:94:03:a1:fa:d3:6d:35
>> [root at NewFS /usr/local/etc/ipsec.d]#
>>
>> What am I missing?
>>
>> --
>> Karl Denninger
>> karl at denninger.net <mailto:karl at denninger.net> /The Market Ticker/
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
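The rule Andreas states above (an e-mail or FQDN peer ID is looked up only in the certificate's subjectAltName, never in CN= or E= of the subject DN, while a full DN used as left|rightid is compared against the subject DN) can be checked on paper before touching ipsec.conf. The following is an added illustration written for this page, not strongSwan code: it models that matching rule on the certificate subject from Karl's log, with a constructed `Cert` record, a simplified `identity_type` classifier (`=` means DN, `@` means e-mail, IP literal, otherwise FQDN) and a hypothetical `peer_id_matches` function. The three scenarios at the bottom are the failing setup from the thread, the fix of adding an rfc822Name subjectAltName, and the alternative of setting rightid to the full subject DN.

```python
# Added example (not strongSwan's own code): a small model of the IKEv2
# identity-to-certificate matching rule described in this thread.
# An e-mail or FQDN peer ID is only looked up in subjectAltName; CN= and
# E= in the subject DN are never consulted. A DN-type ID is compared
# against the whole subject DN. Certificate data is constructed from the
# subject printed in the thread's charon log.
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Cert:
    subject: str                              # subject DN as charon prints it
    sans: list = field(default_factory=list)  # (kind, value), e.g. ("email", "a@b.c")


def parse_dn(dn: str):
    """Split 'C=US, ST=Florida, ...' into normalised (attr, value) pairs.
    Assumes no commas inside attribute values, which holds for the DNs here."""
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep:
            raise ValueError(f"not an RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), " ".join(value.split())))
    return pairs


def identity_type(ident: str) -> str:
    """Classify a left|rightid value (simplified assumption for this example):
    '=' -> DN, '@' -> e-mail, IP literal -> address, anything else -> FQDN."""
    if "=" in ident:
        return "dn"
    if "@" in ident:
        return "email"
    try:
        ipaddress.ip_address(ident)
        return "ip"
    except ValueError:
        return "fqdn"


# Which subjectAltName kind each non-DN identity type is allowed to match.
SAN_KIND_FOR = {"email": "email", "fqdn": "dns", "ip": "ip"}


def peer_id_matches(ident: str, cert: Cert):
    """Return (matched, reason) for a peer identity against an end-entity cert."""
    kind = identity_type(ident)
    if kind == "dn":
        ok = parse_dn(ident) == parse_dn(cert.subject)
        return ok, "subject DN " + ("matches" if ok else "differs")
    want = SAN_KIND_FOR[kind]
    for san_kind, value in cert.sans:
        if san_kind == want and value.lower() == ident.lower():
            return True, f"subjectAltName {san_kind}:{value} matches"
    return False, (f"no subjectAltName of type {want} equal to '{ident}' "
                   f"(CN= and E= in the subject are not consulted)")


# Constructed from the 'received end entity cert' line in the thread.
KARL_SUBJECT = ("C=US, ST=Florida, O=Cuda Systems LLC, "
                "CN=Karl Denninger, E=karl@denninger.net")
CERT_WITHOUT_SAN = Cert(KARL_SUBJECT)                                    # as issued
CERT_WITH_SAN = Cert(KARL_SUBJECT, [("email", "karl@denninger.net")])   # re-issued with SAN


def demo():
    """The three situations discussed in the thread; returns (label, matched, reason)."""
    cases = [
        ("E= only, peer ID is e-mail (original failure)", "karl@denninger.net", CERT_WITHOUT_SAN),
        ("rfc822Name SAN added, peer ID is e-mail", "karl@denninger.net", CERT_WITH_SAN),
        ("rightid set to the full subject DN", KARL_SUBJECT, CERT_WITHOUT_SAN),
    ]
    return [(label, *peer_id_matches(ident, cert)) for label, ident, cert in cases]


if __name__ == "__main__":
    for label, ok, why in demo():
        print(f"{'MATCH ' if ok else 'REJECT'} {label}: {why}")
```

The first case reproduces the "no trusted RSA public key found for 'karl at denninger.net'" outcome: the certificate was found and parsed, but nothing in it is eligible to match an e-mail identity, so no key is trusted for that ID. Either of the other two cases clears it; re-issuing the client certificate with an rfc822Name subjectAltName is the cleaner fix, since a DN-valued rightid has to be kept in sync with the exact subject of each client certificate.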


