[strongSwan] Need help configuring a test environment with IKEv2 and certificate authentication

FORTMANN, TOM tf990d at att.com
Tue Jul 19 20:06:21 CEST 2016


I am trying to set up a test environment using Strongswan (strongSwan 5.4.0, Linux 3.10.0-327.13.1.el7.centos.plus.x86_64, x86_64) on a CentOS 7 server and TeraVM (an IPsec traffic generator) as the initiator.

The problem I am having is TeraVM is sending an IPv4 address in the ID_INITIATOR payload, but the self-signed certificate used for authentication does not include this address.  I've tried a number of values for the rightid but none of them work.

With rightid=%any or rightid=10.15.1.1 (or left blank) it matches the connection entry for both the IKE_SA_INIT and IKE_AUTH flows, but then fails the authentication with a "no trusted RSA public key found" error:

Jul 18 12:56:48 16[CFG] looking for an ike config for 192.168.0.9...10.15.1.1
Jul 18 12:56:48 16[CFG] ike config match: 1048 (192.168.0.9 10.15.1.1 IKEv2)
Jul 18 12:56:48 16[CFG]   candidate: 192.168.0.9...%any, prio 1048
Jul 18 12:56:48 16[CFG] found matching ike config: 192.168.0.9...%any with prio 1048
...
Jul 18 12:56:49 11[IKE] received end entity cert "CN=Shenick Test Certificate"
Jul 18 12:56:49 11[CFG] looking for peer configs matching 192.168.0.9[%any]...10.15.1.1[10.15.1.1]
Jul 18 12:56:49 11[CFG] peer config match local: 1 (ID_ANY -> )
Jul 18 12:56:49 11[CFG] peer config match remote: 1 (ID_IPV4_ADDR -> 0a:0f:01:01)
Jul 18 12:56:49 11[CFG] ike config match: 1048 (192.168.0.9 10.15.1.1 IKEv2)
Jul 18 12:56:49 11[CFG]   candidate "shenick", match: 1/1/1048 (me/other/ike)
Jul 18 12:56:49 11[CFG] selected peer config 'shenick'
...
Jul 18 12:56:49 11[IKE] no trusted RSA public key found for '10.15.1.1'

And, with rightid=%"CN=Shenick Test Certificate" it fails to match a connection for the IKE_AUTH:

Jul 19 09:20:43 07[IKE] received end entity cert "CN=Shenick Test Certificate"
Jul 19 09:20:43 07[CFG] looking for peer configs matching 192.168.0.9[%any]...10.15.1.1[10.15.1.1]
Jul 19 09:20:43 07[CFG] peer config match local: 1 (ID_ANY -> )
Jul 19 09:20:43 07[CFG] peer config match remote: 0 (ID_IPV4_ADDR -> 0a:0f:01:01)
Jul 19 09:20:43 07[CFG] ike config match: 1048 (192.168.0.9 10.15.1.1 IKEv2)
Jul 19 09:20:43 07[CFG] no matching peer config found

I tried other tests setting rightcert and rightsigkey but none of them made a difference.

I should also state that I have limited control over the TeraVM setup, and from what I am being told we cannot change the ID value sent in the IKEv2 flows.

Can anyone help with this setup?  This is for a test, not production, so if there is a simple way to tell strongswan to simply accept any certificate authentication - that would be perfect.

Here is my latest ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

config setup
        cachecrls=yes
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default
        keyexchange=ike
        rekey=no

conn shenick
        left=192.168.0.9
        leftsubnet=0.0.0.0/0
        leftid=192.168.0.9
        leftcert=clorthoHostCert.pem
        leftsendcert=always
        right=%any
        rightdns=8.8.8.8,8.8.4.4
        rightsourceip=172.16.4.0/24
        rightid=%any
#        rightid=10.15.1.1
#        rightid=%"CN=Shenick Test Certificate"
        authby=pubkey
        auto=add


Thanks in advance for any and all help,
Tom
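The two log excerpts in the post show two separate checks failing: the peer config lookup ("peer config match remote: 0") and, once a config is selected, the binding of the received identity to a certificate ("no trusted RSA public key found"). The following is an added illustration, not strongSwan's code and not part of the original post: a small Python model of those two checks, run over a constructed log line and two constructed certificate descriptions (subject DN plus subjectAltName list). It assumes the simplified rule that a received IKEv2 identity matches a certificate only if it equals the subject DN or one of the SANs, and it treats the leading `%` on `rightid` as irrelevant on the responder side. The helper names (`decode_logged_identity`, `parse_rightid`, `responder_outcome`) are the example's own.

```python
"""Model of the two identity checks visible in the post's strongSwan logs.
This is an added, simplified illustration, not strongSwan's own code."""
import ipaddress
import re

# Constructed certificate descriptions (not real certificates): the subject
# DN and the subjectAltName entries strongSwan would consider as identities.
CERT_WITHOUT_SAN = {"subject": "CN=Shenick Test Certificate", "sans": []}
CERT_WITH_IP_SAN = {"subject": "CN=Shenick Test Certificate",
                    "sans": [("ipv4", "10.15.1.1")]}

# Constructed log line in the same format as the excerpts in the post.
LOG_LINE = ("Jul 19 09:20:43 07[CFG] peer config match remote: 0 "
            "(ID_IPV4_ADDR -> 0a:0f:01:01)")
ID_LOG_RE = re.compile(
    r"peer config match remote: (\d) \((ID_\w+) -> ([0-9a-f:]*)\)")


def decode_logged_identity(line):
    """Turn the identity strongSwan prints (type plus hex bytes) on a
    'peer config match remote' line into a (kind, value) pair."""
    m = ID_LOG_RE.search(line)
    if not m:
        return None
    id_type, hexbytes = m.group(2), m.group(3)
    raw = bytes.fromhex(hexbytes.replace(":", ""))
    if id_type == "ID_IPV4_ADDR":
        return ("ipv4", str(ipaddress.IPv4Address(raw)))
    if id_type == "ID_FQDN":
        return ("fqdn", raw.decode("ascii"))
    if id_type == "ID_ANY":
        return ("any", "")
    return (id_type.lower(), hexbytes)


def parse_rightid(rightid):
    """Interpret an ipsec.conf rightid value. Assumption of this model: the
    leading '%' only changes initiator-side behaviour, so it is stripped."""
    value = rightid.strip()
    if value in ("", "%any"):
        return ("any", "")
    if value.startswith("%"):
        value = value[1:]
    value = value.strip('"')
    try:
        return ("ipv4", str(ipaddress.IPv4Address(value)))
    except ValueError:
        pass
    if "=" in value:          # looks like a distinguished name
        return ("dn", value)
    return ("fqdn", value)


def peer_config_matches(rightid, identity):
    """'peer config match remote': %any matches anything, otherwise the
    configured identity must have the same type and value as the received one."""
    configured = parse_rightid(rightid)
    return configured[0] == "any" or configured == identity


def cert_contains_identity(cert, identity):
    """The lookup behind 'no trusted RSA public key found': the received
    identity must be the subject DN or appear among the subjectAltNames."""
    kind, value = identity
    if kind == "dn":
        return cert["subject"] == value
    return (kind, value) in cert["sans"]


def responder_outcome(rightid, cert, identity):
    """Run both checks in the order the post's log excerpts show them."""
    if not peer_config_matches(rightid, identity):
        return "no matching peer config found"
    if not cert_contains_identity(cert, identity):
        return "no trusted RSA public key found for '%s'" % identity[1]
    return "authenticated"


if __name__ == "__main__":
    idi = decode_logged_identity(LOG_LINE)     # ("ipv4", "10.15.1.1")
    for rightid, cert in [("%any", CERT_WITHOUT_SAN),
                          ('%"CN=Shenick Test Certificate"', CERT_WITHOUT_SAN),
                          ("%any", CERT_WITH_IP_SAN)]:
        print("rightid=%-34s -> %s" % (rightid,
                                      responder_outcome(rightid, cert, idi)))
```

Within this model, `rightid=%any` and `rightid=10.15.1.1` both select the connection but fail on the certificate lookup, while a DN `rightid` fails one step earlier, matching the two log excerpts; the only case that authenticates is a certificate that actually carries the IP identity the initiator sends, which is why the usual defensive check in this situation is to inspect the peer certificate's subject and SAN list against the ID logged by charon before touching the `rightid` value.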
