[strongSwan] Strongswan 5.4 issue using certificates

Andreas Steffen andreas.steffen at strongswan.org
Thu Aug 4 06:16:50 CEST 2016


Hi Rajeev,

Different from the stroke protocol and ipsec.conf, where the filename
of the certificate gets transferred via the stroke socket and the
charon daemon loads the certificate, vici transfers the certificate
itself either as a binary DER or a base64-encoded PEM blob. Thus
your management application has to load the certificate and transfer
it over the vici socket using davici.

Regards

Andreas

On 04.08.2016 05:03, rajeev nohria wrote:
> Thanks Andreas,
> 
> It worked, I now started to implement in Davici. I had PSK working in
> Davici. With certificates, I am having the following issue during
> parse_certs().
> 
> 09[LIB]   file coded in unknown format, discarded
> 09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
> 
> Corresponding code for Davici is:
> 
>     davici_list_start(r, "certs");
>     davici_list_itemf(r, "%s", "/usr/local/etc/swanctl/x509/hostCert.pem");
>     davici_list_end(r);
> 
> I have tried the file name with and without path.
> 
> certs = hostCert.pem worked in swanctl.conf as attached in previous email.
> 
> Do you know what could be the issue here? Looks like the software is not able to
> recognize the pem format but again it worked when using swanctl.conf file.
> 
> Thanks,
> Rajeev
> 
> 
> On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
> 
>     Hi,
> 
>     according to your log, the initiator and responder create their
>     own Root CA certificate and store it locally in
>     /usr/local/etc/swanctl/x509ca. Therefore it is not surprising
>     that no trust into the received host certificate can be established
>     because it has been signed with the private key of a different
>     root CA (although the Distinguished Name of the issuer is the same).
> 
>     Fix: Generate only one private key and matching self-signed
>     Root CA certificate. Use the private Root CA key to sign both
>     initiator and responder host certificates and deploy the Root CA
>     certificate on both hosts.
> 
>     Best regards
> 
>     Andreas
> 
>     On 01.08.2016 21:24, rajeev nohria wrote:
>     >
>     > I was able to establish IKE connection using PSK but when using pubkey I
>     > am not able to establish the IKE connection.
>     >
>     > When I issue sudo swanctl --initiate --child net
>     >
>     >
>     > At receptor, it returns the Auth_failed.  Please see the swanctl.conf,
>     > strongswan.conf and charon.log.
>     >
>     > Aug  1 12:09:21 12[CFG] <rw|1> no issuer certificate found for "C=US,
>     > ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
>     > Aug  1 12:09:21 12[IKE] <rw|1> no trusted RSA public key found for
>     > '10.13.199.185'
>     > Aug  1 12:09:21 12[IKE] <rw|1> peer supports MOBIKE
>     > Aug  1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
>     > Aug  1 12:09:21 12[ENC] <rw|1> order payloads in message
>     > Aug  1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
>     > Aug  1 12:09:21 12[ENC] <rw|1> generating IKE_AUTH response 1 [
>     > N(AUTH_FAILED) ]
>     >
>     > I used the following commands to create certificates.
>     >
>     > Initiator:
>     > -----------
>     >
>     > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
>     > /usr/local/etc/swanctl/rsa/strongswanKey.pem
>     >
>     > sudo chmod 600 /usr/local/etc/swanctl/rsa/strongswanKey.pem
>     >
>     > sudo ipsec pki --self --ca --in
>     > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
>     > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
>     > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>     >
>     > sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>     >
>     > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
>     > /usr/local/etc/swanctl/rsa/hostKey.pem
>     >
>     > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
>     >
>     > sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type
>     > rsa | ipsec pki --issue --digest sha256 --cacert
>     > /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
>     > /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA,
>     > L=Lowell, O=Arris, CN=10.13.199.185" --san 10.13.199.185 --outform pem >
>     > /usr/local/etc/swanctl/x509/hostCert.pem
>     >
>     > Receptor:
>     > --------------
>     >
>     > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
>     > /usr/local/etc/swanctl/rsa/strongswanKey.pem
>     >
>     > sudo chmod 600 /usr/local/etc/swanctl/rsa/strongswanKey.pem
>     >
>     > sudo ipsec pki --self --ca --in
>     > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
>     > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
>     > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>     >
>     > sudo ipsec pki --print --in
>     > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>     >
>     > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
>     > /usr/local/etc/swanctl/rsa/hostKey.pem
>     >
>     > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
>     >
>     > sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type
>     > rsa | ipsec pki --issue --digest sha256 --cacert
>     > /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
>     > /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA,
>     > L=Lowell, O=Arris, CN=10.13.199.130" --san 10.13.199.130 --outform pem >
>     > /usr/local/etc/swanctl/x509/hostCert.pem

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
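As an added example (not davici's or strongSwan's own code), the following Python does what Andreas describes: it reads the PEM file, strips the armor to DER, and frames a vici `load-conn` request whose local `certs` list carries the certificate bytes rather than a path, which is what swanctl itself does for `certs = hostCert.pem`. The vici wire format follows strongSwan's vici README; the sample PEM is constructed (a five-byte DER sequence, not a real certificate) and the connection name `rw` is assumed from the log.

```python
import base64
import struct

# vici wire-format constants, as documented in strongSwan's vici README
CMD_REQUEST = 0
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = 1, 2, 3, 4, 5, 6

# Constructed stand-in for a PEM certificate file: a five-byte DER SEQUENCE,
# not a real X.509 certificate, just enough to exercise the armor stripping.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n"
              "-----END CERTIFICATE-----\n")


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armor and return the DER bytes; vici accepts either form."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    body = [ln for ln in lines if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)

def _name(s: str) -> bytes:
    # section, list and key names carry a 1-byte length prefix
    b = s.encode()
    return bytes([len(b)]) + b

def _value(v: bytes) -> bytes:
    # values carry a 2-byte big-endian length, so a blob must stay below 64 KiB
    if len(v) > 0xFFFF:
        raise ValueError("vici value too large")
    return struct.pack(">H", len(v)) + v

def section(name: str, *body: bytes) -> bytes:
    return bytes([SECTION_START]) + _name(name) + b"".join(body) + bytes([SECTION_END])

def kv(key: str, value: str) -> bytes:
    return bytes([KEY_VALUE]) + _name(key) + _value(value.encode())

def blob_list(name: str, *blobs: bytes) -> bytes:
    items = b"".join(bytes([LIST_ITEM]) + _value(b) for b in blobs)
    return bytes([LIST_START]) + _name(name) + items + bytes([LIST_END])

def build_load_conn(conn: str, host_cert_der: bytes) -> bytes:
    """Frame a load-conn request whose local 'certs' list carries the cert blob."""
    msg = section(conn, section("local", kv("auth", "pubkey"),
                                blob_list("certs", host_cert_der)))
    packet = bytes([CMD_REQUEST]) + _name("load-conn") + msg
    return struct.pack(">I", len(packet)) + packet   # 4-byte length header
```

With davici the same framing is produced by passing the DER buffer and its length as the list item instead of the path string used in `davici_list_itemf`.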

