[strongSwan] Strongswan 5.4 issue using certificates

Andreas Steffen andreas.steffen at strongswan.org
Tue Aug 2 11:41:47 CEST 2016


Hi,

according to your log, the initiator and responder each create their
own Root CA certificate and store it locally in
/usr/local/etc/swanctl/x509ca. Therefore it is not surprising
that no trust in the received host certificate can be established,
because it has been signed with the private key of a different
root CA (although the Distinguished Name of the issuer is the same).

Fix: Generate only one private key and matching self-signed
Root CA certificate. Use the private Root CA key to sign both
initiator and responder host certificates and deploy the Root CA
certificate on both hosts.

Best regards

Andreas

On 01.08.2016 21:24, rajeev nohria wrote:
> 
> I was able to establish an IKE connection using PSK, but when using pubkey I
> am not able to establish the IKE connection.
> 
> When I issue sudo swanctl --initiate --child net
> 
> 
> At the receptor, it returns Auth_failed.  Please see the swanctl.conf,
> strongswan.conf and charon.log.
> 
> Aug  1 12:09:21 12[CFG] <rw|1> no issuer certificate found for "C=US,
> ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
> Aug  1 12:09:21 12[IKE] <rw|1> no trusted RSA public key found for
> '10.13.199.185'
> Aug  1 12:09:21 12[IKE] <rw|1> peer supports MOBIKE
> Aug  1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
> Aug  1 12:09:21 12[ENC] <rw|1> order payloads in message
> Aug  1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
> Aug  1 12:09:21 12[ENC] <rw|1> generating IKE_AUTH response 1 [
> N(AUTH_FAILED) ]
> 
> I used following commands to create certificates.
> 
> Initiator:
> -----------
> 
> sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> /usr/local/etc/swanctl/rsa/strongswanKey.pem
> 
> 
> sudo chmod 600  /usr/local/etc/swanctl/rsa/strongswanKey.pem
> 
> 
> sudo ipsec pki --self --ca --in
> /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
> ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> 
> 
> sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> 
> 
> sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> /usr/local/etc/swanctl/rsa/hostKey.pem
> 
> 
> sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
> 
> 
> 
> sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type
> rsa | ipsec pki --issue --digest sha256 --cacert
> /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
> /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA,
> L=Lowell, O=Arris, CN=10.13.199.185" --san 10.13.199.185 --outform pem >
> /usr/local/etc/swanctl/x509/hostCert.pem
> 
> 
> Receptor:
> --------------
> 
> sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> /usr/local/etc/swanctl/rsa/strongswanKey.pem
> 
> 
> sudo chmod 600  /usr/local/etc/swanctl/rsa/strongswanKey.pem
> 
> 
> sudo ipsec pki --self --ca --in
> /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
> ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> 
> 
> sudo ipsec pki --print --in
> /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> 
> 
> sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> /usr/local/etc/swanctl/rsa/hostKey.pem
> 
> 
> sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
> 
> sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type
> rsa | ipsec pki --issue --digest sha256 --cacert
> /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
> /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA,
> L=Lowell, O=Arris, CN=10.13.199.130" --san 10.13.199.130 --outform pem >
> /usr/local/etc/swanctl/x509/hostCert.pem
> 

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
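The failure in this thread, and the fix Andreas describes, can be reproduced in a few lines of plain X.509 chain validation. The following program is an added example written for this archive page; it is not code from the thread, from strongSwan or from charon. It uses Go's standard library instead of `ipsec pki`, generates 2048-bit RSA keys instead of the 4096-bit ones in the thread so that it runs quickly, and reuses the Distinguished Names and IP addresses the original post shows. The `trusted` function stands in for charon's lookup of an issuer in the swanctl `x509ca` directory; that mapping is an assumption of the example, not a description of charon internals.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Result records what chain validation yields in the broken and the fixed setup.
type Result struct {
	BrokenResponderTrustsInitiator bool // responder checks the initiator cert against its own, unrelated CA
	FixedResponderTrustsInitiator  bool // both host certs issued by one shared CA
	FixedInitiatorTrustsResponder  bool
}

// newKey generates an RSA key (2048 bits keeps the example fast; the thread used 4096).
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCreate signs a template with the signer key and parses the resulting DER.
func mustCreate(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// selfSignedCA plays the role of `ipsec pki --self --ca`, with the DN both hosts used.
func selfSignedCA(key *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Country: []string{"US"}, Province: []string{"MA"}, Organization: []string{"Arris"}, CommonName: "StrongSwan Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return mustCreate(tmpl, tmpl, &key.PublicKey, key)
}

// issueHostCert plays the role of `ipsec pki --issue`: the host public key signed
// by the CA private key, with the host IP as CN and as subjectAltName.
func issueHostCert(ca *x509.Certificate, caKey *rsa.PrivateKey, hostPub *rsa.PublicKey, ip string, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Country: []string{"US"}, Province: []string{"MA"}, Locality: []string{"Lowell"}, Organization: []string{"Arris"}, CommonName: ip},
		IPAddresses:  []net.IP{net.ParseIP(ip)},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return mustCreate(tmpl, ca, hostPub, caKey)
}

// trusted models the responder's check: is there a CA in the local store whose
// key actually signed the peer certificate? A matching issuer DN alone is not enough.
func trusted(peerCert, caInStore *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(caInStore)
	_, err := peerCert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// RunScenario builds the setup from the thread and the corrected one, and returns both outcomes.
func RunScenario() Result {
	var r Result
	// Broken setup: each host generates its own root key and self-signed CA with the same DN.
	initCAKey, respCAKey := newKey(), newKey()
	initCA, respCA := selfSignedCA(initCAKey), selfSignedCA(respCAKey)
	initHostKey := newKey()
	initHost := issueHostCert(initCA, initCAKey, &initHostKey.PublicKey, "10.13.199.185", 2)
	// The responder's x509ca directory only holds respCA, which never signed initHost.
	r.BrokenResponderTrustsInitiator = trusted(initHost, respCA)

	// Fixed setup: one root key and CA certificate issue both host certificates,
	// and that one CA certificate is deployed on both hosts.
	respHostKey := newKey()
	initHost2 := issueHostCert(initCA, initCAKey, &initHostKey.PublicKey, "10.13.199.185", 3)
	respHost := issueHostCert(initCA, initCAKey, &respHostKey.PublicKey, "10.13.199.130", 4)
	r.FixedResponderTrustsInitiator = trusted(initHost2, initCA)
	r.FixedInitiatorTrustsResponder = trusted(respHost, initCA)
	return r
}

func main() {
	r := RunScenario()
	fmt.Printf("separate CAs with the same DN: responder trusts initiator = %v\n", r.BrokenResponderTrustsInitiator)
	fmt.Printf("one shared CA: responder trusts initiator = %v, initiator trusts responder = %v\n",
		r.FixedResponderTrustsInitiator, r.FixedInitiatorTrustsResponder)
}
```

The broken branch is exactly what the log line "no issuer certificate found for ..." reports: the store does contain a certificate whose subject equals the issuer DN of the received certificate, but the signature does not verify under that certificate's key, so it is not an issuer at all. The same check passes once both host certificates descend from a single root key, which is why only one Root CA key and certificate should exist across the two hosts.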
