[strongSwan] Strongswan 5.4 issue using certificates

rajeev nohria rajnohria at gmail.com
Thu Aug 4 05:03:49 CEST 2016


Thanks Andreas,

It worked. I now started to implement it in Davici. I had PSK working in
Davici. With certificates, I am having the following issue during
parse_certs().

09[LIB]   file coded in unknown format, discarded
09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders



The corresponding code for Davici is:

        davici_list_start(r, "certs");
        davici_list_itemf(r, "%s", "/usr/local/etc/swanctl/x509/hostCert.pem");
        davici_list_end(r);


I have tried file name with and without path.

certs = hostCert.pem worked in swanctl.conf as attached in previous email.


Do you know what the issue could be here? It looks like the software is not
able to recognize the PEM format, but again it worked when using the
swanctl.conf file.

Thanks,
Rajeev


On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hi,
>
> according to your log, the initiator and responder create their
> own Root CA certificate and store it locally in
> /usr/local/etc/swanctl/x509ca. Therefore it is not surprising
> that no trust into the received host certificate can be established
> because it has been signed with the private key of a different
> root CA (although the Distinguished Name of the issuer is the same).
>
> Fix: Generate only one private key and matching self-signed
> Root CA certificate. Use the private Root CA key to sign both
> initiator and responder host certificates and deploy the Root CA
> certificate on both hosts.
>
> Best regards
>
> Andreas
>
> On 01.08.2016 21:24, rajeev nohria wrote:
> >
> > I was able to establish IKE connection using PSK but when using pubkey I
> > am not able to establish the IKE connection.
> >
> > When I issue sudo swanctl --initiate --child net
> >
> >
> > At the receptor, it returns the Auth_failed.  Please see the swanctl.conf,
> > strongswan.conf and charon.log.
> >
> > Aug  1 12:09:21 12[CFG] <rw|1> no issuer certificate found for "C=US,
> > ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
> > Aug  1 12:09:21 12[IKE] <rw|1> no trusted RSA public key found for
> > '10.13.199.185'
> > Aug  1 12:09:21 12[IKE] <rw|1> peer supports MOBIKE
> > Aug  1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
> > Aug  1 12:09:21 12[ENC] <rw|1> order payloads in message
> > Aug  1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
> > Aug  1 12:09:21 12[ENC] <rw|1> generating IKE_AUTH response 1 [
> > N(AUTH_FAILED) ]
> >
> > I used the following commands to create certificates.
> >
> > Initiator:
> > -----------
> >
> > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> >
> > sudo chmod 600  /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> >
> > sudo ipsec pki --self --ca --in
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
> > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >
> >
> > sudo ipsec pki --print --in
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >
> >
> > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > /usr/local/etc/swanctl/rsa/hostKey.pem
> >
> >
> > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
> >
> >
> >
> > sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type
> > rsa | ipsec pki --issue --digest sha256 --cacert
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA,
> > L=Lowell, O=Arris, CN=10.13.199.185" --san 10.13.199.185 --outform pem >
> > /usr/local/etc/swanctl/x509/hostCert.pem
> >
> >
> > Receptor:
> > --------------
> >
> > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> > sudo chmod 600  /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >
> > sudo ipsec pki --self --ca --in
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
> > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >
> > sudo ipsec pki --print --in
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >
> > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> > /usr/local/etc/swanctl/rsa/hostKey.pem
> >
> > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
> >
> > sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type
> > rsa | ipsec pki --issue --digest sha256 --cacert
> > /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
> > /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA,
> > L=Lowell, O=Arris, CN=10.13.199.130" --san 10.13.199.130 --outform pem >
> > /usr/local/etc/swanctl/x509/hostCert.pem
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
> >
>
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
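The trust failure Andreas describes in the quoted reply, reproduced as an added shell example that is not part of the thread or of strongSwan: it uses openssl in place of `ipsec pki`, builds two self-signed roots that share the DN from the thread but not a private key, and shows that the responder's certificate does not verify against the initiator's root even though the issuer names are identical, while a certificate issued by the single shared root does. The scratch directory, file names and 2048-bit keys are assumptions for the demo; the DNs and addresses come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: the CA mix-up Andreas describes,
# reproduced with openssl rather than `ipsec pki`.
set -eu
WORK="${WORK:-$(mktemp -d)}"          # scratch dir for keys and certs (assumed)
CA_DN="/C=US/ST=MA/O=Arris/CN=StrongSwan Root CA"

# make_ca NAME: self-signed root; each call generates a *new* private key,
# which is exactly what happened on both peers in the thread.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "$CA_DN" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_host CA HOST ADDR: host key + CSR, then a certificate signed by CA's key.
issue_host() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/ST=MA/L=Lowell/O=Arris/CN=$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# issuer_of HOST: the issuer DN as printed by openssl (identical on both peers).
issuer_of() { openssl x509 -noout -issuer -in "$WORK/$1.crt"; }

# chains_to CA HOST: succeeds only if HOST's signature verifies with CA's key.
chains_to() { openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; }

# Broken setup from the thread: each peer created its own root with the same DN.
make_ca initiatorRoot
make_ca responderRoot
issue_host initiatorRoot initiator 10.13.199.185
issue_host responderRoot responder 10.13.199.130

# Fix: one root key signs both host certificates; deploy initiatorRoot.crt on both.
issue_host initiatorRoot responder_fixed 10.13.199.130

# Stand-alone run: report what the initiator's trust store would conclude.
for host in initiator responder responder_fixed; do
    if chains_to initiatorRoot "$host"; then
        echo "$host: trusted (issued by initiatorRoot)"
    else
        echo "$host: NOT trusted; issuer is '$(issuer_of "$host")' but the key differs"
    fi
done
```

Running it prints one trusted line each for `initiator` and `responder_fixed`, and the untrusted line for `responder`, which is the charon "no issuer certificate found" situation in the quoted log.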

