[strongSwan] Strongswan 5.4 issue using certificates

rajeev nohria rajnohria at gmail.com
Thu Sep 15 21:20:31 CEST 2016


Andreas,

When using davici, for the loading of private RSA keys, do those have to be
loaded like the certificate?

Thanks,
Rajeev

On Thu, Sep 15, 2016 at 3:19 PM, rajeev nohria <rajnohria at gmail.com> wrote:

> Andreas,
>
> For the loading of private RSA keys, do those have to be loaded like the
> certificate?
>
> Thanks,
> Rajeev
>
> On Thu, Aug 4, 2016 at 12:16 AM, Andreas Steffen <
> andreas.steffen at strongswan.org> wrote:
>
>> Hi Rajeev,
>>
>> different to the stroke protocol and ipsec.conf where the filename
>> of the certificate gets transferred via the stroke socket and the
>> charon daemon loads the certificate, vici transfers the certificate
>> itself either as a binary DER or a base64-encoded PEM blob. Thus
>> your management application has to load the certificate and transfer
>> it over the vici socket using davici.
>>
>> Regards
>>
>> Andreas
>>
>> On 04.08.2016 05:03, rajeev nohria wrote:
>> > Thanks Andreas,
>> >
>> > It worked, I now started to implement it in Davici. I had PSK working in
>> > Davici. With certificates, I am having the following issue during
>> > parse_certs().
>> >
>> > 09[LIB]   file coded in unknown format, discarded
>> > 09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
>> >
>> >
>> >
>> > The corresponding Davici code is:
>> >
>> >         davici_list_start(r, "certs");
>> >         davici_list_itemf(r, "%s", "/usr/local/etc/swanctl/x509/hostCert.pem");
>> >         davici_list_end(r);
>> >
>> >
>> > I have tried file name with and without path.
>> >
>> > certs = hostCert.pem worked in swanctl.conf as attached in previous email.
>> >
>> >
>> > Do you know what could be the issue here? Looks like the software is not able to
>> > recognize the PEM format, but again it worked when using the swanctl.conf file.
>> >
>> > Thanks,
>> > Rajeev
>> >
>> >
>> > On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen
>> > <andreas.steffen at strongswan.org> wrote:
>> >
>> >     Hi,
>> >
>> >     according to your log, the initiator and responder create their
>> >     own Root CA certificate and store it locally in
>> >     /usr/local/etc/swanctl/x509ca. Therefore it is not surprising
>> >     that no trust into the received host certificate can be established
>> >     because it has been signed with the private key of a different
>> >     root CA (although the Distinguished Name of the issuer is the same).
>> >
>> >     Fix: Generate only one private key and matching self-signed
>> >     Root CA certificate. Use the private Root CA key to sign both
>> >     initiator and responder host certificates and deploy the Root CA
>> >     certificate on both hosts.
>> >
>> >     Best regards
>> >
>> >     Andreas
>> >
>> >     On 01.08.2016 21:24, rajeev nohria wrote:
>> >     >
>> >     > I was able to establish IKE connection using PSK but when using
>> >     > pubkey I am not able to establish the IKE connection.
>> >     >
>> >     > When I issue sudo swanctl --initiate --child net
>> >     >
>> >     > At receptor, it returns the Auth_failed.  Please see the swanctl.conf,
>> >     > strongswan.conf and charon.log.
>> >     >
>> >     > Aug  1 12:09:21 12[CFG] <rw|1> no issuer certificate found for "C=US, ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
>> >     > Aug  1 12:09:21 12[IKE] <rw|1> no trusted RSA public key found for '10.13.199.185'
>> >     > Aug  1 12:09:21 12[IKE] <rw|1> peer supports MOBIKE
>> >     > Aug  1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
>> >     > Aug  1 12:09:21 12[ENC] <rw|1> order payloads in message
>> >     > Aug  1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
>> >     > Aug  1 12:09:21 12[ENC] <rw|1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> >     >
>> >     > I used the following commands to create certificates.
>> >     >
>> >     > Initiator:
>> >     > -----------
>> >     >
>> >     > sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/strongswanKey.pem
>> >     >
>> >     > sudo chmod 600 /usr/local/etc/swanctl/rsa/strongswanKey.pem
>> >     >
>> >     > sudo ipsec pki --self --ca --in /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US, ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>> >     >
>> >     > sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>> >     >
>> >     > sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/hostKey.pem
>> >     >
>> >     > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
>> >     >
>> >     > sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type rsa | ipsec pki --issue --digest sha256 --cacert /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA, L=Lowell, O=Arris, CN=10.13.199.185" --san 10.13.199.185 --outform pem > /usr/local/etc/swanctl/x509/hostCert.pem
>> >     >
>> >     >
>> >     > Receptor:
>> >     > --------------
>> >     >
>> >     > sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/strongswanKey.pem
>> >     >
>> >     > sudo chmod 600 /usr/local/etc/swanctl/rsa/strongswanKey.pem
>> >     >
>> >     > sudo ipsec pki --self --ca --in /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US, ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>> >     >
>> >     > sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>> >     >
>> >     > sudo ipsec pki --gen --type rsa --size 4096 --outform pem > /usr/local/etc/swanctl/rsa/hostKey.pem
>> >     >
>> >     > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
>> >     >
>> >     > sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type rsa | ipsec pki --issue --digest sha256 --cacert /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA, L=Lowell, O=Arris, CN=10.13.199.130" --san 10.13.199.130 --outform pem > /usr/local/etc/swanctl/x509/hostCert.pem
>>
>> ======================================================================
>> Andreas Steffen                         andreas.steffen at strongswan.org
>> strongSwan - the Open Source VPN Solution!          www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>>
>>
>
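Added example, not part of this thread and not davici's or strongSwan's own code: the point Andreas makes above is that vici carries the credential bytes, not a filename, so the management application must read the file itself. The Python below hand-encodes a vici `load-cert` request using the wire format from the strongSwan vici protocol documentation (4-byte length prefix, packet type, command name, then KEY_VALUE elements), plus a guard that rejects the mistake in the thread (a filesystem path sent where PEM/DER data belongs). The `load-key` request is built the same way and comes from the vici documentation, not from anything stated in the thread. The socket path `/var/run/charon.vici` and the `SAMPLE_PEM` blob are assumptions; the sample is constructed and is not a real certificate.

```python
import socket
import struct

# vici wire-format constants (strongSwan vici protocol documentation)
CMD_REQUEST = 0
CMD_RESPONSE = 1
KEY_VALUE = 3          # 1-byte key length, key, 2-byte value length, value

VICI_SOCKET = "/var/run/charon.vici"   # assumed default socket path


def _kv(key: str, value: bytes) -> bytes:
    """Encode one flat KEY_VALUE element."""
    k = key.encode()
    if len(k) > 255 or len(value) > 0xFFFF:
        raise ValueError("vici key or value too long for the wire format")
    return bytes([KEY_VALUE, len(k)]) + k + struct.pack(">H", len(value)) + value


def encode_request(name: str, kvs: dict) -> bytes:
    """Frame a CMD_REQUEST: 4-byte big-endian length, type byte, 1-byte name length, name, elements."""
    n = name.encode()
    body = bytes([CMD_REQUEST, len(n)]) + n + b"".join(_kv(k, v) for k, v in kvs.items())
    return struct.pack(">I", len(body)) + body


def decode_request(packet: bytes):
    """Inverse of encode_request for flat key/value requests (used to check the framing)."""
    (length,) = struct.unpack(">I", packet[:4])
    body = packet[4:4 + length]
    if len(body) != length or body[0] != CMD_REQUEST:
        raise ValueError("not a complete CMD_REQUEST packet")
    nlen = body[1]
    name = body[2:2 + nlen].decode()
    pos, kvs = 2 + nlen, {}
    while pos < len(body):
        if body[pos] != KEY_VALUE:
            raise ValueError("only flat key/value elements are handled here")
        klen = body[pos + 1]
        key = body[pos + 2:pos + 2 + klen].decode()
        pos += 2 + klen
        (vlen,) = struct.unpack(">H", body[pos:pos + 2])
        kvs[key] = body[pos + 2:pos + 2 + vlen]
        pos += 2 + vlen
    return name, kvs


def looks_like_path(blob: bytes) -> bool:
    """Guard against the mistake in the thread: a short printable value containing '/'
    with no PEM armour and no leading DER SEQUENCE tag (0x30) is a filename, not data."""
    if blob.startswith(b"-----BEGIN") or blob[:1] == b"\x30":
        return False
    try:
        text = blob.decode("ascii")
    except UnicodeDecodeError:
        return False
    return len(text) < 1024 and "/" in text and "\n" not in text


def load_cert_request(cert_bytes: bytes, flag: bytes = b"NONE") -> bytes:
    """load-cert carries the certificate itself (PEM or DER) in 'data'; charon never opens a file."""
    if looks_like_path(cert_bytes):
        raise ValueError("load-cert expects certificate bytes, not a filename")
    return encode_request("load-cert", {"type": b"X509", "flag": flag, "data": cert_bytes})


def load_key_request(key_bytes: bytes, key_type: bytes = b"RSA") -> bytes:
    """load-key takes the same shape (type + data blob); per the vici docs, not this thread."""
    if looks_like_path(key_bytes):
        raise ValueError("load-key expects key bytes, not a filename")
    return encode_request("load-key", {"type": key_type, "data": key_bytes})


def _recv_exact(s: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("vici socket closed mid-response")
        buf += chunk
    return buf


def send_request(packet: bytes, socket_path: str = VICI_SOCKET) -> bytes:
    """Write one request to the vici socket and return the raw response body."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(socket_path)
        s.sendall(packet)
        (length,) = struct.unpack(">I", _recv_exact(s, 4))
        return _recv_exact(s, length)


# Constructed sample standing in for a real PEM certificate (not a valid certificate).
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBsampleONLY\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Read the certificate in the management application, then ship the bytes over vici.
    with open("/usr/local/etc/swanctl/x509/hostCert.pem", "rb") as fh:
        print(send_request(load_cert_request(fh.read())))
```

The same file contents are what belongs in the `certs` list item of the `load-conn` request shown earlier in the thread; with davici that means reading the file and passing its bytes rather than `davici_list_itemf(r, "%s", path)`. The response body starts with a CMD_RESPONSE byte and carries `success = yes|no` and, on failure, `errmsg`.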