[strongSwan] Strongswan client: no trusted RSA public key found, sometimes

joshua g grossjo2 at hotmail.com
Tue Dec 20 18:07:41 CET 2016 

Hi,


I'm running strongswan 5.5.1 on Ubuntu 12.04.

We are using IKEv1 and XAuth-Pam .  I've posted our ipsec.conf at the bottom of this message.


We are seeing an issue where after a some amount of time running,

eventually our client starts to see this error every time it tries to connect:


Dec 19 18:40:52 hostname charon: 15[IKE] signature validation failed, looking for another key

Dec 19 18:40:52 hostname charon: 15[IKE] no trusted RSA public key found for "Cert Subject Removed"


Now if I restart strongswan, or even try the stroke command 'ipsec rereadall'. Suddenly

connections start working.


I've rebuilt strongswan with extra logging around where this error occurs and I found

that it is failing inside of this method:


openssl_rsa_public_key.c method: verify_emsa_pkcs1_signature


when it tries to call "RSA_public_decrypt".


I took this even further and dumped the openssl error:


error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed


It seems that the server may be returning an invalid signature or public key.

Any ideas on how to handle this. I'm more than willing to add more logging, but I've been unable

to figure out how to get any of the inputs into this method:


    len = RSA_public_decrypt(signature.len, signature.ptr, buf, this->rsa,

                 RSA_PKCS1_PADDING);


to dump anything that is human comparable between requests.



config setup

  charondebug="dmn 1, mgr 1, ike 1, chd 1, job 1, cfg 1, knl 1, net 1, asn 1, enc 1, lib 1, esp 1, tls 1"

  #plutodebug=all

  # crlcheckinterval=600

  strictcrlpolicy=no

  # cachecrls=yes

  # charondebug=4

  nat_traversal=yes

  #charonstart=no

  #plutostart=no


ca servers

  auto=add


conn %default

  ikelifetime=60m

  keylife=20m

  rekeymargin=3m

  keyingtries=1

  keyexchange=ikev1

  auto=add


conn ikev1-xauth-pam

  keyexchange=ikev1

  rightauth=pubkey

  rightauth2=xauth-pam

  left=%defaultroute

  leftid=@example.com

  leftsubnet=0.0.0.0/0

  leftfirewall=no

  leftcert=example.pem

  leftsendcert=always

  leftupdown=up_down.sh

  right=%any

  rightsubnet=10.251.0.0/20

  rightsourceip=10.251.0.0/20

  # Require all subject fields to be matched by star

  # As well as CA's pull in

  rightid="C=*, ST=*, L=*, O=*, CN=*, E=*"

  fragmentation=yes

  auto=add



Thank you,
Joshua J. Gross
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20161220/c1d56878/attachment.html>

More information about the Users mailing list