[strongSwan] Box configured with PSK authentication negotiated successfully with peer configured with RSA authentication.

Kaur, Sumit (Nokia - IN/Bangalore) sumit.kaur at nokia.com
Thu Oct 1 10:30:08 CEST 2015


Hi,

Can someone explain the behavior below in strongSwan version 4.4.0?

Peer1 is configured with PSK authentication and Peer2 is configured with RSA authentication.

Peer1 and Peer2 both have the common root CA certificate installed.
Peer1 has an end-entity certificate and private key installed too, but Peer2 does not have an end-entity certificate or private key installed.

Logs at Peer1

13[IKE] initiating IKE_SA r1~v1[1] to 89.0.0.2
14[IKE] received cert request for "C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=CA"
14[IKE] sending cert request for "C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=CA"
14[IKE] authentication of 'C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=Host1' (myself) with RSA signature successful
14[IKE] sending end entity cert "C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=Host1"
14[IKE] establishing CHILD_SA r1~v1{1}
15[IKE] no shared key found for 'C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=Host1' - '(vr*)89.0.0.2'
Logs at Peer2

13[IKE] 89.0.0.1 is initiating an IKE_SA
13[IKE] sending cert request for "C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=CA"
14[IKE] received cert request for "C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=CA"
14[IKE] received end entity cert "C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=Host1"
14[CFG] looking for peer configs matching 89.0.0.2[(vr*)%any]...89.0.0.1[C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=Host1]
14[CFG] selected peer config 'r1~v1'
14[CFG]   using certificate "C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=Host1"
14[CFG]   using trusted ca certificate "C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=CA"
14[CFG] checking certificate status of "C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=Host1"
14[CFG] certificate status is not available
14[CFG]   reached self-signed root ca with a path length of 0
14[IKE] authentication of 'C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=Host1' with RSA signature successful
14[IKE] authentication of '(vr*)89.0.0.2' (myself) with pre-shared key
14[IKE] IKE_SA r1~v1[1] established between 89.0.0.2[(vr*)89.0.0.2]...89.0.0.1[C=IN, ST=KAR, L=BLR, O=Nokia, OU=MBB, CN=Host1]
14[IKE] scheduling rekeying in 852s
14[IKE] maximum IKE_SA lifetime 942s
14[IKE] CHILD_SA r1~v1{2} established with SPIs cad444bf_i cdc9a1b3_o and TS 89.0.0.2/32 === 89.0.0.1/32


Peer2 successfully establishes the IKE and CHILD SAs, which get cleared only after DPD/rekey.

Why does Peer2 successfully authenticate Peer1 when Peer1 does not share the PSK of Peer2?

Thanks
Sumit


-------------- next part --------------
A non-text attachment was scrubbed...
Name: peer1.zip
Type: application/x-zip-compressed
Size: 774 bytes
Desc: peer1.zip
URL: <http://lists.strongswan.org/pipermail/users/attachments/20151001/16c85b79/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: peer2.zip
Type: application/x-zip-compressed
Size: 725 bytes
Desc: peer2.zip
URL: <http://lists.strongswan.org/pipermail/users/attachments/20151001/16c85b79/attachment-0003.bin>
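The exchange in the two logs above, modelled as an added example. This is illustration code, not strongSwan's and not from the original post; the peers' real configurations are in the scrubbed attachments, so the identities, the "remote_auth" policy field, the PSK, the toy certificate and the textbook RSA on Mersenne-prime moduli are constructed stand-ins. IKEv2 (RFC 7296, section 2.15) authenticates each direction on its own: the responder decides by itself whether the initiator's AUTH payload is acceptable, then builds its own AUTH payload with whatever method it is configured for. With the method the peer must use left unconstrained, a responder holding only a PSK accepts a CA-signed RSA AUTH from the initiator and considers the SA established, while the initiator then fails to verify the responder's PSK AUTH because it has no shared secret for that identity pair, which is the split outcome the logs show.

```python
"""Per-direction IKEv2 authentication (RFC 7296 section 2.15), modelled with textbook RSA."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

KEY_PAD = b"Key Pad for IKEv2"  # pad string taken literally from RFC 7296

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def psk_auth(psk: bytes, signed_octets: bytes) -> bytes:
    # AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)
    return prf(prf(psk, KEY_PAD), signed_octets)

def rsa_keygen(p: int, q: int, e: int = 65537):
    n, phi = p * q, (p - 1) * (q - 1)  # textbook RSA, no padding: demo only
    return (n, e), (n, pow(e, -1, phi))  # (public, private)

def rsa_sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def rsa_verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

@dataclass
class Cert:
    subject: str
    pubkey: tuple
    issuer: str
    sig: int = 0  # issuer's signature over tbs()
    def tbs(self) -> bytes:
        return f"{self.subject}|{self.pubkey[0]}|{self.pubkey[1]}".encode()

def issue_cert(ca_name: str, ca_priv, subject: str, pubkey) -> Cert:
    cert = Cert(subject, pubkey, ca_name)
    cert.sig = rsa_sign(ca_priv, cert.tbs())
    return cert

@dataclass
class Peer:
    ident: str
    trusted_cas: dict  # CA name -> CA public key
    remote_auth: str  # constructed policy: method the peer must use, "psk", "pubkey" or "any"
    psks: dict = field(default_factory=dict)  # frozenset({id_a, id_b}) -> secret
    cert: Optional[Cert] = None
    priv: Optional[tuple] = None

    def build_auth(self, signed: bytes, peer_id: str):
        """Each side picks its own method; the method the other side used is irrelevant."""
        if self.cert is not None:
            return "pubkey", rsa_sign(self.priv, signed), self.cert
        psk = self.psks.get(frozenset({self.ident, peer_id}))
        if psk is None:
            raise LookupError(f"no shared key found for '{self.ident}' - '{peer_id}'")
        return "psk", psk_auth(psk, signed), None

    def verify_auth(self, auth, signed: bytes, peer_id: str):
        method, value, cert = auth
        if self.remote_auth not in ("any", method):
            return False, f"peer used {method} but policy requires {self.remote_auth}"
        if method == "pubkey":
            ca_pub = self.trusted_cas.get(cert.issuer)
            if ca_pub is None or not rsa_verify(ca_pub, cert.tbs(), cert.sig):
                return False, "no trusted CA for end entity cert"
            if cert.subject != peer_id or not rsa_verify(cert.pubkey, signed, value):
                return False, "RSA signature verification failed"
            return True, f"authentication of '{peer_id}' with RSA signature successful"
        psk = self.psks.get(frozenset({self.ident, peer_id}))
        if psk is None:
            return False, f"no shared key found for '{self.ident}' - '{peer_id}'"
        if not hmac.compare_digest(psk_auth(psk, signed), value):
            return False, "pre-shared key AUTH mismatch"
        return True, f"authentication of '{peer_id}' with pre-shared key successful"

def ike_auth(initiator: Peer, responder: Peer) -> dict:
    """Simplified IKE_AUTH over constructed signed octets; returns each side's verdict."""
    octets_i = b"IKE_SA_INIT request|Nr|" + prf(b"SK_pi", initiator.ident.encode())
    octets_r = b"IKE_SA_INIT response|Ni|" + prf(b"SK_pr", responder.ident.encode())
    ok, log = responder.verify_auth(initiator.build_auth(octets_i, responder.ident), octets_i, initiator.ident)
    result = {"responder_established": ok, "responder_log": log}
    if not ok:  # responder answers AUTHENTICATION_FAILED; neither side keeps an SA
        result.update(initiator_established=False, initiator_log="AUTHENTICATION_FAILED")
        return result
    # Responder already counts the SA as established; now the initiator checks the responder.
    ok, log = initiator.verify_auth(responder.build_auth(octets_r, initiator.ident), octets_r, responder.ident)
    result.update(initiator_established=ok, initiator_log=log)
    return result

def scenario(responder_policy: str = "any") -> dict:
    """Peer1 holds a CA-issued cert and no PSK; Peer2 holds only a PSK (constructed data)."""
    ca_pub, ca_priv = rsa_keygen(2**521 - 1, 2**607 - 1)  # Mersenne primes M521, M607
    h1_pub, h1_priv = rsa_keygen(2**1279 - 1, 2**2203 - 1)  # M1279, M2203
    peer1 = Peer("CN=Host1", {"CN=CA": ca_pub}, "any", priv=h1_priv,
                 cert=issue_cert("CN=CA", ca_priv, "CN=Host1", h1_pub))
    peer2 = Peer("89.0.0.2", {"CN=CA": ca_pub}, responder_policy,
                 psks={frozenset({"89.0.0.2", "CN=Host1"}): b"peer2-only-secret"})
    return ike_auth(peer1, peer2)
```

scenario("any") reproduces the split outcome: the responder logs the RSA authentication of CN=Host1 as successful and reports its SA established, while the initiator ends with "no shared key found" for the responder's PSK AUTH. scenario("psk") shows the other case, a responder that constrains the peer's method rejects the RSA AUTH outright, so neither side ends up with a half-established SA that only DPD or a rekey will clear.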