[strongSwan] Strongswan 5.4 issue using certificates

rajeev nohria rajnohria at gmail.com
Mon Aug 1 21:24:51 CEST 2016


I was able to establish an IKE connection using PSK, but when using pubkey I am
not able to establish the IKE connection.

When I issue sudo swanctl --initiate --child net, the receptor returns
AUTH_FAILED. Please see the attached swanctl.conf, strongswan.conf and
charon.log.

Aug  1 12:09:21 12[CFG] <rw|1> no issuer certificate found for "C=US, ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
Aug  1 12:09:21 12[IKE] <rw|1> no trusted RSA public key found for '10.13.199.185'
Aug  1 12:09:21 12[IKE] <rw|1> peer supports MOBIKE
Aug  1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
Aug  1 12:09:21 12[ENC] <rw|1> order payloads in message
Aug  1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
Aug  1 12:09:21 12[ENC] <rw|1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

I used the following commands to create the certificates.

Initiator:
-----------

sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/strongswanKey.pem

sudo chmod 600 /usr/local/etc/swanctl/rsa/strongswanKey.pem

sudo ipsec pki --self --ca --in /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US, ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem > /usr/local/etc/swanctl/x509ca/strongswanCert.pem

sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem

sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/hostKey.pem

sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem

sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type rsa | ipsec pki --issue --digest sha256 --cacert /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA, L=Lowell, O=Arris, CN=10.13.199.185" --san 10.13.199.185 --outform pem > /usr/local/etc/swanctl/x509/hostCert.pem


Receptor:
--------------

sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/strongswanKey.pem

sudo chmod 600 /usr/local/etc/swanctl/rsa/strongswanKey.pem

sudo ipsec pki --self --ca --in /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US, ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem > /usr/local/etc/swanctl/x509ca/strongswanCert.pem

sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem

sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/hostKey.pem

sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem

sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type rsa | ipsec pki --issue --digest sha256 --cacert /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA, L=Lowell, O=Arris, CN=10.13.199.130" --san 10.13.199.130 --outform pem > /usr/local/etc/swanctl/x509/hostCert.pem
Attachments (scrubbed by the list archive):

initiator_swanctl.conf (10421 bytes): <http://lists.strongswan.org/pipermail/users/attachments/20160801/3494be22/attachment-0006.obj>
receptor_charon.log (523801 bytes): <http://lists.strongswan.org/pipermail/users/attachments/20160801/3494be22/attachment-0007.obj>
receptor_strongswan.conf (1227 bytes): <http://lists.strongswan.org/pipermail/users/attachments/20160801/3494be22/attachment-0008.obj>
receptor_swanctl.conf (10380 bytes): <http://lists.strongswan.org/pipermail/users/attachments/20160801/3494be22/attachment-0009.obj>
initiator_charon.log (22227 bytes): <http://lists.strongswan.org/pipermail/users/attachments/20160801/3494be22/attachment-0010.obj>
initiator_strongswan.conf (1402 bytes): <http://lists.strongswan.org/pipermail/users/attachments/20160801/3494be22/attachment-0011.obj>
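The commands above run "ipsec pki --self --ca" separately on each host, so the initiator and the receptor each end up with their own self-signed "StrongSwan Root CA", and the receptor's charon log reports "no issuer certificate found" for the initiator's certificate. The script below is an added example (not part of the original post and not strongSwan's own code) that reproduces that condition with plain openssl instead of ipsec pki: it builds two independent CAs, issues a host certificate from one of them, and verifies the certificate against each CA. All key sizes, names, addresses and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: show why a certificate issued by
# one self-signed CA does not verify against a different self-signed CA.
# Assumes the openssl CLI is installed; RSA 2048 is used only for speed.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME : create a self-signed CA key and certificate (CA:TRUE set explicitly)
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/ST=MA/O=Example/CN=$1 Root CA" \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/$1-ca.ext"
    openssl x509 -req -sha256 -days 365 -in "$WORK/$1-ca.csr" \
        -signkey "$WORK/$1-ca.key" -extfile "$WORK/$1-ca.ext" \
        -out "$WORK/$1-ca.pem" 2>/dev/null
}

# issue_host CA NAME IP : issue an end-entity certificate with an IP SAN, signed by CA
issue_host() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/ST=MA/L=Lowell/O=Example/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=IP:%s\n' "$3" > "$WORK/$2.ext"
    openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" \
        -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
        -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

# verify_against NAME CA : print "ok" if NAME.pem chains to CA, "no-issuer" otherwise
verify_against() {
    if openssl verify -CAfile "$WORK/$2-ca.pem" "$WORK/$1.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo no-issuer
    fi
}

# Constructed scenario: two independent CAs (as in the post), one host cert
# issued by the "initiator" CA, then checked against both CAs.
demo() {
    make_ca initiator
    make_ca receptor
    issue_host initiator 10.0.0.1 10.0.0.1
    printf 'initiator cert vs initiator CA: %s\n' "$(verify_against 10.0.0.1 initiator)"
    printf 'initiator cert vs receptor CA:  %s\n' "$(verify_against 10.0.0.1 receptor)"
}

demo
```

The second line of the output is the openssl equivalent of the "no issuer certificate found" entry in the receptor's charon log: the receptor's trust store holds only its own CA, and nothing in it signed the initiator's certificate. The fix is a single CA whose certificate is installed in x509ca/ on both hosts, with each host's certificate issued by that one CA.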