[strongSwan] Raspberry Pi: authentication of ... (myself) failed

Stephen Wilcox stephen at tyfone.com
Fri Jul 1 18:25:20 CEST 2016


This was caused by a mismatch between strongSwan and OpenSSL regarding
FIPS.  OpenSSL was operating in FIPS mode, but a non-FIPS signature
algorithm was being called, so it silently failed.  I rebuilt strongSwan
and OpenSSL and changed the FIPS config to agree and everything worked.

On Tue, Jun 21, 2016 at 11:58 PM Stephen Wilcox <stephen at tyfone.com> wrote:

> I'm attempting to use a Raspberry Pi as a StrongSwan peer with
> certificates for authentication.  I have a certificate for the Pi signed by
> my own ca cert.  When I try to bring the connection up, it seems it can't
> authenticate itself:
>
> authentication of 'C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=client.tyfone.com, E=contact at tyfone.com' (myself) failed
> The private key and ca cert are present in /etc/ipsec.d/private and
> cacerts respectively.  Using the pki tool, I can verify that the cert is
> current and valid per the ca cert, and I can export the public keys from
> the private key and the cert and see that they match.
>
> *Here is my ipsec.conf on the Pi*
>
> config setup
>         charondebug="ike 4, knl 4"
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev1
>
> conn work
>         left=%defaultroute      #external IP address
>         leftsourceip=%config    #external IP address
>         leftid="C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=client.tyfone.com, E=contact at tyfone.com"
>         leftcert=clientCert.pem
>         leftfirewall=yes        #automatically add firewall rules
>         auto=add
>         right=10.0.1.47         #strongSwan server external IP
>         rightsubnet=0.0.0.0/0     #route all traffic to the strongSwan server
>         rightid=@vpn.tyfone.com     #unique id of server
>         rightcert=serverCert.der
>
> include /var/lib/strongswan/ipsec.conf.inc
>
>
>
> *Here is what is shown for the client cert when I use ipsec listcerts*
>
>   subject:  "C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=client.tyfone.com, E=contact at tyfone.com"
>   issuer:   "C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=ca.tyfone.com, E=contact at tyfone.com"
>   validity:  not before Jun 17 12:02:02 2016, ok
>              not after  Jun 17 12:02:02 2019, ok (expires in 1090 days)
>   serial:    4e:33:64:13:cb:2d:ea:65
>   altNames:  172.16.176.100
>   authkeyId: 59:fb:0e:30:6b:d0:ee:01:18:74:4c:e2:11:4e:84:a2:f6:8c:29:03
>   subjkeyId: 09:25:7a:55:22:cf:af:17:94:6f:d8:ea:81:9f:bc:fe:cd:69:e7:ec
>   pubkey:    RSA 2048 bits, has private key
>   keyid:     b3:54:9f:50:47:e4:95:fc:8e:b5:cf:a3:1f:96:e3:eb:9d:11:14:4c
>   subjkey:   09:25:7a:55:22:cf:af:17:94:6f:d8:ea:81:9f:bc:fe:cd:69:e7:ec
>
>
> *Here is the rest of the output from trying to bring up the work connection:*
>
> initiating Main Mode IKE_SA work[2] to 10.0.1.47
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from 10.0.1.5[500] to 10.0.1.47[500] (216 bytes)
> received packet: from 10.0.1.47[500] to 10.0.1.5[500] (136 bytes)
> parsed ID_PROT response 0 [ SA V V V ]
> received XAuth vendor ID
> received DPD vendor ID
> received NAT-T (RFC 3947) vendor ID
> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> sending packet: from 10.0.1.5[500] to 10.0.1.47[500] (524 bytes)
> received packet: from 10.0.1.47[500] to 10.0.1.5[500] (670 bytes)
> parsed ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
> received cert request for 'C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=ca.tyfone.com, E=contact at tyfone.com'
> remote host is behind NAT
> sending cert request for "C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=ca.tyfone.com, E=contact at tyfone.com"
> authentication of 'C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=client.tyfone.com, E=contact at tyfone.com' (myself) failed
> generating INFORMATIONAL_V1 request 1793715306 [ HASH N(AUTH_FAILED) ]
> sending packet: from 10.0.1.5[4500] to 10.0.1.47[4500] (108 bytes)
> establishing connection 'work' failed
>
>
> Any help is appreciated.  Thanks in advance!
>
> Cheers,
>   Stephen
>
>
>
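The useful diagnostic detail in the log above is the word "(myself)": charon gave up before it ever verified the peer, because it could not produce its own signature. The following script is an added example, not part of the thread or of strongSwan itself; it parses charon Main Mode log lines of the shape quoted above (the DNs re-joined onto single lines, as a constructed sample) and reports how far the exchange got and whether the authentication failure was local or on the peer's side. The classification rule and the `diagnose`/`explain` names are my own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample input: the charon lines quoted in the thread, with the
# e-mail line wrapping of the DNs undone so each entry occupies one line.
SAMPLE_LOG = """\
initiating Main Mode IKE_SA work[2] to 10.0.1.47
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 10.0.1.5[500] to 10.0.1.47[500] (216 bytes)
received packet: from 10.0.1.47[500] to 10.0.1.5[500] (136 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.0.1.5[500] to 10.0.1.47[500] (524 bytes)
received packet: from 10.0.1.47[500] to 10.0.1.5[500] (670 bytes)
parsed ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
received cert request for 'C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=ca.tyfone.com, E=contact at tyfone.com'
remote host is behind NAT
sending cert request for "C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=ca.tyfone.com, E=contact at tyfone.com"
authentication of 'C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=client.tyfone.com, E=contact at tyfone.com' (myself) failed
generating INFORMATIONAL_V1 request 1793715306 [ HASH N(AUTH_FAILED) ]
sending packet: from 10.0.1.5[4500] to 10.0.1.47[4500] (108 bytes)
establishing connection 'work' failed
"""

# Patterns for the log lines this example understands (based on the quoted output).
RESPONSE_RE = re.compile(r"parsed ID_PROT response \d+ \[ ([^\]]*)\]")
CERTREQ_RE = re.compile(r"received cert request for '([^']*)'")
AUTH_FAIL_RE = re.compile(r"authentication of '([^']*)'( \(myself\))? failed")
CONN_FAIL_RE = re.compile(r"establishing connection '([^']*)' failed")


@dataclass
class MainModeDiagnosis:
    sa_negotiated: bool = False              # peer answered our SA proposal
    ke_completed: bool = False               # peer answered the DH/nonce exchange
    certreq_from_peer: Optional[str] = None  # CA the peer asked us to present a cert from
    failed_id: Optional[str] = None          # identity whose authentication failed
    failure_is_local: bool = False           # "(myself)": we could not authenticate ourselves
    connection: Optional[str] = None         # connection name reported as failed

    @property
    def classification(self) -> str:
        if self.failed_id is None:
            return "no-auth-failure"
        if self.failure_is_local:
            # charon never got to verifying the peer: it could not build its own
            # signature, so the problem lies in local credentials or the crypto backend.
            return "local-signing"
        return "peer-verification"


def diagnose(lines: Iterable[str]) -> MainModeDiagnosis:
    """Walk the log once and record how far Main Mode got and where it failed."""
    d = MainModeDiagnosis()
    for line in lines:
        m = RESPONSE_RE.search(line)
        if m:
            payloads = m.group(1).split()
            d.sa_negotiated = d.sa_negotiated or "SA" in payloads
            d.ke_completed = d.ke_completed or "KE" in payloads
            continue
        m = CERTREQ_RE.search(line)
        if m:
            d.certreq_from_peer = m.group(1)
            continue
        m = AUTH_FAIL_RE.search(line)
        if m:
            d.failed_id = m.group(1)
            d.failure_is_local = m.group(2) is not None
            continue
        m = CONN_FAIL_RE.search(line)
        if m:
            d.connection = m.group(1)
    return d


def explain(d: MainModeDiagnosis) -> str:
    """Turn the diagnosis into the hint an operator would want first."""
    if d.classification == "local-signing":
        return (f"'{d.connection}': signing as '{d.failed_id}' failed after "
                f"SA={d.sa_negotiated}, KE={d.ke_completed}; peer requested a cert from "
                f"'{d.certreq_from_peer}'. Check that leftcert and its private key match "
                f"and that the crypto backend accepts the certificate's signature algorithm.")
    if d.classification == "peer-verification":
        return f"'{d.connection}': the peer's identity '{d.failed_id}' could not be verified."
    return "no authentication failure found in log"


if __name__ == "__main__":
    print(explain(diagnose(SAMPLE_LOG.splitlines())))
```

Run over the quoted log, the script reports a local signing failure after both the SA and KE exchanges completed, which is exactly the situation the reply above resolved by bringing the OpenSSL FIPS setting and strongSwan's build into agreement.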