[strongSwan] Raspberry Pi: authentication of ... (myself) failed
Stephen Wilcox
stephen at tyfone.com
Wed Jun 22 07:58:16 CEST 2016
I'm attempting to use a Raspberry Pi as a strongSwan peer with certificates
for authentication. I have a certificate for the Pi signed by my own CA
cert. When I try to bring the connection up, it seems it can't
authenticate itself:
authentication of 'C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=client.tyfone.com, E=contact at tyfone.com' (myself) failed
The private key and CA cert are present in /etc/ipsec.d/private and cacerts
respectively. Using the pki tool, I can verify that the cert is current
and valid per the CA cert, and I can export the public keys from the
private key and the cert and see that they match.
*Here is my ipsec.conf on the Pi*
config setup
    charondebug="ike 4, knl 4"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1

conn work
    left=%defaultroute        # external IP address
    leftsourceip=%config      # external IP address
    leftid="C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=client.tyfone.com, E=contact at tyfone.com"
    leftcert=clientCert.pem
    leftfirewall=yes          # automatically add firewall rules
    auto=add
    right=10.0.1.47           # strongSwan server external IP
    rightsubnet=0.0.0.0/0     # route all traffic to the strongSwan server
    rightid=@vpn.tyfone.com   # unique id of server
    rightcert=serverCert.der

include /var/lib/strongswan/ipsec.conf.inc
*Here is what is shown for the client cert when I use ipsec listcerts*
  subject:   "C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=client.tyfone.com, E=contact at tyfone.com"
  issuer:    "C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=ca.tyfone.com, E=contact at tyfone.com"
  validity:  not before Jun 17 12:02:02 2016, ok
             not after  Jun 17 12:02:02 2019, ok (expires in 1090 days)
  serial:    4e:33:64:13:cb:2d:ea:65
  altNames:  172.16.176.100
  authkeyId: 59:fb:0e:30:6b:d0:ee:01:18:74:4c:e2:11:4e:84:a2:f6:8c:29:03
  subjkeyId: 09:25:7a:55:22:cf:af:17:94:6f:d8:ea:81:9f:bc:fe:cd:69:e7:ec
  pubkey:    RSA 2048 bits, has private key
  keyid:     b3:54:9f:50:47:e4:95:fc:8e:b5:cf:a3:1f:96:e3:eb:9d:11:14:4c
  subjkey:   09:25:7a:55:22:cf:af:17:94:6f:d8:ea:81:9f:bc:fe:cd:69:e7:ec
*Here is the rest of the output from trying to bring up the work connection:*
initiating Main Mode IKE_SA work[2] to 10.0.1.47
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 10.0.1.5[500] to 10.0.1.47[500] (216 bytes)
received packet: from 10.0.1.47[500] to 10.0.1.5[500] (136 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.0.1.5[500] to 10.0.1.47[500] (524 bytes)
received packet: from 10.0.1.47[500] to 10.0.1.5[500] (670 bytes)
parsed ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
received cert request for 'C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=ca.tyfone.com, E=contact at tyfone.com'
remote host is behind NAT
sending cert request for "C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=ca.tyfone.com, E=contact at tyfone.com"
authentication of 'C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=client.tyfone.com, E=contact at tyfone.com' (myself) failed
generating INFORMATIONAL_V1 request 1793715306 [ HASH N(AUTH_FAILED) ]
sending packet: from 10.0.1.5[4500] to 10.0.1.47[4500] (108 bytes)
establishing connection 'work' failed
Any help is appreciated. Thanks in advance!
Cheers,
Stephen
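The two checks Stephen says he ran with the pki tool (the cert is current and valid under the CA cert; the public key exported from the private key equals the one in the cert), as an added example that is not part of the original post or of strongSwan. It is written against openssl rather than pki so it runs on a box without strongSwan, and it generates its own throw-away CA and certs into a temp dir; the names (ca.example.test, client, other) and the caCert.pem / clientKey.pem / clientCert.pem layout are assumptions, not Tyfone's material. The second key ("other") is there to show that the key/cert check really does reject a key the cert was not issued for.

```shell
#!/bin/sh
# Added example, not code from the original post or from strongSwan. Repeats the
# two checks from the post with openssl: (1) cert valid under the CA, (2) the
# private key's public half equals the cert's public key. All keys and certs are
# constructed test data generated into a temp dir.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to check" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throw-away CA: self-signed cert plus key (assumed names, constructed data).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/caKey.pem" -out "$WORK/caCert.pem" \
    -subj "/C=US/ST=OR/O=Example/CN=ca.example.test" >/dev/null 2>&1
}

# End-entity cert signed by that CA. $1 is a basename, e.g. "client" gives
# clientKey.pem / clientCert.pem, mirroring leftcert=clientCert.pem in the post.
make_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1Key.pem" -out "$WORK/$1.csr" \
    -subj "/C=US/ST=OR/O=Example/CN=$1.example.test" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/caCert.pem" -CAkey "$WORK/caKey.pem" -CAcreateserial \
    -out "$WORK/$1Cert.pem" >/dev/null 2>&1
}

# Check 1 (what `pki --verify --cacert` answers): does $1 chain to the CA and
# is it inside its validity window? `openssl verify` covers both.
cert_valid_under_ca() {
  openssl verify -CAfile "$WORK/caCert.pem" "$WORK/$1" >/dev/null 2>&1
}

# SHA-256 over the DER SubjectPublicKeyInfo, taken either from a private key
# ($2 = key) or from a certificate ($2 = cert). Comparing digests of the same
# DER object is the key/cert match test, independent of PEM formatting.
spki_digest() {
  if [ "$2" = key ]; then
    openssl pkey -in "$WORK/$1" -pubout -outform DER 2>/dev/null
  else
    openssl x509 -in "$WORK/$1" -pubkey -noout 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null
  fi | openssl dgst -sha256 | awk '{print $NF}'
}

# Check 2: the key in ipsec.d/private must be the one the cert was issued for.
# Exit status 0 when $1 (key) and $2 (cert) carry the same public key.
key_matches_cert() {
  k=$(spki_digest "$1" key)
  c=$(spki_digest "$2" cert)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# One matching pair that must pass, and a second key that must be rejected.
main() {
  make_ca
  make_cert client
  make_cert other
  cert_valid_under_ca clientCert.pem && echo "clientCert.pem: valid under caCert.pem"
  key_matches_cert clientKey.pem clientCert.pem && echo "clientKey.pem matches clientCert.pem"
  if key_matches_cert otherKey.pem clientCert.pem; then
    echo "BUG: otherKey.pem reported as matching clientCert.pem"; exit 1
  fi
  echo "otherKey.pem correctly rejected for clientCert.pem"
}

main "$@"
```

On a real peer you would point the two check functions at /etc/ipsec.d/cacerts, /etc/ipsec.d/certs and /etc/ipsec.d/private instead of the temp dir; a cert that passes check 1 but whose key fails check 2 is the case `ipsec listcerts` would show without "has private key".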