[strongSwan] how to use 'rightca' connection option?
John Brown
jb20141125 at gmail.com
Thu Nov 24 09:10:52 CET 2016
Thank you for your answer. Here is the log:
root at 127.0.0.1:~$ ipsec up lap1
initiating IKE_SA lap1[1] to 192.168.10.152
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 172.27.10.142[500] to 192.168.10.152[500] (588 bytes)
received packet: from 192.168.10.152[500] to 172.27.10.142[500] (517 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ
N(MULT_AUTH) ]
received cert request for "O=Firm, CN=Root_CA, C=CN, ST=Land, L=City, E=
e at mail.com, OU=Firm, OU=CA_ROOT"
received 3 cert requests for an unknown ca
sending cert request for "O=Firm, CN=Root_CA, C=CN, ST=Land, L=City, E=
e at mail.com, OU=Firm, OU=CA_ROOT"
authentication of 'CN=EndDeviceName, ST=Land, C=CN, E=e at mail.com, O=Firm,
L=City, OU=UnitName, OU=EndDevices' (myself) with RSA signature successful
sending end entity cert "CN=EndDeviceName, ST=Land, C=CN, E=e at mail.com,
O=Firm, L=City, OU=UnitName, OU=EndDevices"
establishing CHILD_SA lap1
generating IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH SA TSi TSr
N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 172.27.10.142[500] to 192.168.10.152[500] (2165 bytes)
received packet: from 192.168.10.152[500] to 172.27.10.142[500] (5295 bytes)
parsed IKE_AUTH response 1 [ IDr CERT CERT CERT AUTH SA TSi TSr N(AUTH_LFT)
]
received end entity cert "CN=GateName, ST=Land, C=CN, E=e at mail.com, O=Firm,
L=City, OU=UnitName, OU=EndDevices"
received issuer cert "CN=Master, ST=Land, C=CN, E=e at mail.com, O=Firm,
L=City, OU=UnitName, OU=Master"
received issuer cert "CN=Signing_CA, ST=Land, C=CN, E=e at mail.com, O=Firm,
L=City, OU=Firm, OU=SIGNING_CA"
using certificate "CN=GateName, ST=Land, C=CN, E=e at mail.com, O=Firm,
L=City, OU=UnitName, OU=EndDevices"
using untrusted intermediate certificate "CN=Master, ST=Land, C=CN, E=
e at mail.com, O=Firm, L=City, OU=UnitName, OU=Master"
checking certificate status of "CN=GateName, ST=Land, C=CN, E=e at mail.com,
O=Firm, L=City, OU=UnitName, OU=EndDevices"
certificate status is not available
using untrusted intermediate certificate "CN=Signing_CA, ST=Land, C=CN, E=
e at mail.com, O=Firm, L=City, OU=Firm, OU=SIGNING_CA"
checking certificate status of "CN=Master, ST=Land, C=CN, E=e at mail.com,
O=Firm, L=City, OU=UnitName, OU=Master"
certificate status is not available
using trusted ca certificate "O=Firm, CN=Root_CA, C=CN, ST=Land, L=City,
E=e at mail.com, OU=Firm, OU=CA_ROOT"
checking certificate status of "CN=Signing_CA, ST=Land, C=CN, E=e at mail.com,
O=Firm, L=City, OU=Firm, OU=SIGNING_CA"
certificate status is not available
reached self-signed root ca with a path length of 2
authentication of 'CN=GateName, ST=Land, C=CN, E=e at mail.com, O=Firm,
L=City, OU=UnitName, OU=EndDevices' with RSA signature successful
IKE_SA lap1[1] established between 172.27.10.142[CN=EndDeviceName, ST=Land,
C=CN, E=e at mail.com, O=Firm, L=City, OU=UnitName,
OU=EndDevices]...192.168.10.152[CN=GateName, ST=Land, C=CN, E=e at mail.com,
O=Firm, L=City, OU=UnitName, OU=EndDevices]
scheduling reauthentication in 6694s
maximum IKE_SA lifetime 6994s
connection 'lap1' established successfully
root at 127.0.0.1:~$
as I was doing many experiments, current log is from scenario where:
rightid="%any"
rightca="CN=aa, ST=aa, C=aa, E=aa, O=aa, L=aa, OU=aa, OU=aa"
Are these logs enough for you? Of course I've changed the data taken from
certs showed in log but I've done this consistently.
Are there any log or info accessible informing that rightca is checked
during authentication process?
Regards,
John
2016-11-23 19:50 GMT+01:00 Andreas Steffen <andreas.steffen at strongswan.org>:
> Hi John,
>
> could you send me a log file showing that a CA different from the CA
> requested by rightca is accepted?
>
> Best regards
>
> Andreas
>
> On 23.11.2016 16:41, John Brown wrote:
>
>> Hello all,
>>
>> I'm using Linux strongSwan U5.2.1/K3.4.112 and I'm trying to implement
>> rightca option in ipsec.conf file but without a success.
>>
>> As far as I understand the documentation, if rightca contains DN of a
>> certificate authority which lies in the trust path from the end device
>> cert to rootca, authentication process will pass (assuming that other
>> elements are configured fine) otherwise will fail and this is the
>> functionality I need. But in my scenario, whatever is the value of
>> rightca, the authentication process pass with success.
>>
>> I've put rightca on the initiator of IKEv2 tunnel, root ca chain path
>> lenght is 2 (root ca->sub1->sub2->end device cert). Currently only root
>> ca is installed in /etc/ipsec.d/cacerts.
>>
>> Part of the connection config:
>>
>> conn lap1
>> auto=add
>> left=%any
>> right=192.168.1.1
>> rightsubnet=10.0.0.0/24 <http://10.0.0.0/24>
>> ...
>> leftauth=pubkey
>> rightauth=pubkey
>> leftcert=cert.crt
>> rightid="CN=*, ST=Stttt, C=Cccc, E=E at eeee, O=Oooooo, L=Lllllll,
>> OU=*, OU=Ouuuuuu"
>> rightca="CN=aa, ST=aa, C=aa, E=aa, O=aa, L=aa, OU=aa, OU=aa"
>>
>> I've changed values of fields in righid, but rightca is taken from real
>> config without modification.
>>
>> I'm probably missing something obvious, or does not understand this
>> feature, but I have no idea, what this can be.
>>
>> Does anybody knows?
>>
>> Best regards,
>> John,
>>
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20161124/18c2c357/attachment-0001.html>
More information about the Users
mailing list