[strongSwan] Strongswan 5.4 issue using certificates

rajeev nohria rajnohria at gmail.com
Thu Sep 15 21:19:49 CEST 2016 

Anderas,

For the loading of private rsa keys, that has to be loaded like the
certificate?

Thanks,
Rajeev

On Thu, Aug 4, 2016 at 12:16 AM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hi Rajeev,
>
> different to the stroke protocol and ipsec.conf where the filename
> of the certificate gets transferred via the stroke socket and the
> charon daemon loads the certificate, vici transfers the certificate
> itself either as a binary DER or a base64-endocded PEM blob. Thus
> your management application has to load the certificate and transfer
> it over the vici socket using davici.
>
> Regards
>
> Andreas
>
> On 04.08.2016 05:03, rajeev nohria wrote:
> > Thanks Andreas,
> >
> > It worked, I know started to implement in Davici. I had PSK working in
> > Davici. With certificates, I am having  following issue during
> > parse_certs().
> >
> > 09[LIB]   file coded in unknown format, discarded
> > 09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
> >
> >
> >
> > Corresponding code is for Davici is
> >         davici_list_start(r,"certs");
> >
> > davici_list_itemf(r,"%s","/usr/local/etc/swanctl/x509/hostCert.pem");
> >         davici_list_end(r);
> >
> >
> > I have tried file name with and without path.
> >
> > certs = hostCert.pem worked in swanctl.conf as attached in previous
> email.
> >
> >
> > Do you know what could be issue here? Looks like software is not able to
> > recognize the pem format but again it worked when using swanctl.conf
> file.
> >
> > Thanks,
> > Rajeev
> >
> >
> > On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen
> > <andreas.steffen at strongswan.org <mailto:andreas.steffen at strongswan.org>>
> > wrote:
> >
> >     Hi,
> >
> >     according to your log, the initiator and responder create their
> >     own Root CA certificate and store it locally in
> >     /usr/local/etc/swanctl/x509ca. Therefore it is not surprising
> >     that no trust into the received host certificate can be established
> >     because it has been signed with the private key of a different
> >     root CA (although the Distinguished Name of the issuer is the same).
> >
> >     Fix: Generate only one private key and matching self-signed
> >     Root CA certificate. Use the private Root CA key to sign both
> >     initiator and responder host certificates and deploy the Root CA
> >     certificate on both hosts.
> >
> >     Best regards
> >
> >     Andreas
> >
> >     On 01.08.2016 21:24, rajeev nohria wrote:
> >     >
> >     > I was able to establish IKE connection using PSK but when using
> pubkey I
> >     > am not able to able to establish the IKE connection.
> >     >
> >     > When I issue sudo swanctl --initiate --child net
> >     >
> >     >
> >     > At receptor, it returns the Auth_failed.  Please see the
> swanctl.conf,
> >     > strongswan.conf and charon.log.
> >     >
> >     > Aug  1 12:09:21 12[CFG] <rw|1> no issuer certificate found for
> "C=US,
> >     > ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
> >     > Aug  1 12:09:21 12[IKE] <rw|1> no trusted RSA public key found for
> >     > '10.13.199.185'
> >     > Aug  1 12:09:21 12[IKE] <rw|1> peer supports MOBIKE
> >     > Aug  1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to
> message
> >     > Aug  1 12:09:21 12[ENC] <rw|1> order payloads in message
> >     > Aug  1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to
> message
> >     > Aug  1 12:09:21 12[ENC] <rw|1> generating IKE_AUTH response 1 [
> >     > N(AUTH_FAILED) ]
> >     >
> >     > I used following commands to create certificates.
> >     >
> >     > *Initiator:*
> >     > -----------
> >     >
> >     > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> >     > /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >     >
> >     >
> >     > sudo chmod 600  /usr/local/etc/swanctl/rsa/strongswanKey.pem
> >     >
> >     >
> >     > sudo ipsec pki --self --ca --in
> >     > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn
> "C=US,
> >     > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> >     > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
> >     >
> >     >
> >     > sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/
> strongswanCert.pem
> >     >
> >     >
> >     > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> >     > /usr/local/etc/swanctl/rsa/hostKey.pem
> >     >
> >     >
> >     > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
> >     >
> >     >
> >     >
> >     > sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem
> --type
> >     > rsa | ipsec pki --issue --digest sha256 --cacert
> >     > /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
> >     > /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA,
> >     > L=Lowell, O=Arris, CN=10.13.199.185" --san 10.13.199.185  pem >
> >     > /usr/local/etc/swanctl/x509/hostCert.pem
> >     >
> >     >
> >     > Receptor:
> >     > --------------
> >     > *
> >     > *
> >     > *sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> >     > /usr/local/etc/swanctl/rsa/strongswanKey.pem*
> >     > *
> >     > *
> >     > *sudo chmod 600  /usr/local/etc/swanctl/rsa/strongswanKey.pem*
> >     > *
> >     > *
> >     > *sudo ipsec pki --self --ca --in
> >     > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn
> "C=US,
> >     > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
> >     > /usr/local/etc/swanctl/x509ca/strongswanCert.pem*
> >     > *
> >     > *
> >     > *sudo ipsec pki --print --in
> >     > /usr/local/etc/swanctl/x509ca/strongswanCert.pem*
> >     > *
> >     > *
> >     > *sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
> >     > /usr/local/etc/swanctl/rsa/hostKey.pem*
> >     > *
> >     > *
> >     > *sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem*
> >     >
> >     > *sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem
> >     --type
> >     > rsa | ipsec pki --issue --digest sha256 --cacert
> >     > /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
> >     > /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA,
> >     > L=Lowell, O=Arris, CN=10.13.199.130" --san 10.13.199.130 --outform
> pem >
> >     > /usr/local/etc/swanctl/x509/hostCert.pem*
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160915/1cc8bcd9/attachment.html>

More information about the Users mailing list