[strongSwan] Strongswan 5.4 issue using certificates

Andreas Steffen andreas.steffen at strongswan.org
Fri Sep 16 10:33:37 CEST 2016


Hi Rajeev,

yes, you have to load the private key file in your management tool
and transfer it via the VICI interface as a binary blob.

Regards

Andreas

On 15.09.2016 21:20, rajeev nohria wrote:
> Anderas, 
> 
> When using davici- 
> For the loading of private rsa keys, that has to be loaded like the
> certificate?
> 
> Thanks,
> Rajeev
> 
> On Thu, Sep 15, 2016 at 3:19 PM, rajeev nohria <rajnohria at gmail.com> wrote:
> 
>     Anderas, 
> 
>     For the loading of private rsa keys, that has to be loaded like the
>     certificate?
> 
>     Thanks,
>     Rajeev
> 
>     On Thu, Aug 4, 2016 at 12:16 AM, Andreas Steffen
>     <andreas.steffen at strongswan.org> wrote:
> 
>         Hi Rajeev,
> 
>         different to the stroke protocol and ipsec.conf where the filename
>         of the certificate gets transferred via the stroke socket and the
>         charon daemon loads the certificate, vici transfers the certificate
>         itself either as a binary DER or a base64-encoded PEM blob. Thus
>         your management application has to load the certificate and transfer
>         it over the vici socket using davici.
> 
>         Regards
> 
>         Andreas
> 
>         On 04.08.2016 05:03, rajeev nohria wrote:
>         > Thanks Andreas,
>         >
>         > It worked, I now started to implement in Davici. I had PSK working in
>         > Davici. With certificates, I am having the following issue during
>         > parse_certs().
>         >
>         > 09[LIB]   file coded in unknown format, discarded
>         > 09[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
>         >
>         >
>         >
>         > Corresponding code for Davici is
>         >     davici_list_start(r,"certs");
>         >     davici_list_itemf(r,"%s","/usr/local/etc/swanctl/x509/hostCert.pem");
>         >     davici_list_end(r);
>         >
>         >
>         > I have tried file name with and without path.
>         >
>         > certs = hostCert.pem worked in swanctl.conf as attached in previous email.
>         >
>         >
>         > Do you know what could be the issue here? Looks like the software is not able to
>         > recognize the pem format, but again it worked when using the swanctl.conf file.
>         >
>         > Thanks,
>         > Rajeev
>         >
>         >
>         > On Tue, Aug 2, 2016 at 5:41 AM, Andreas Steffen
>         > <andreas.steffen at strongswan.org> wrote:
>         >
>         >     Hi,
>         >
>         >     according to your log, the initiator and responder create their
>         >     own Root CA certificate and store it locally in
>         >     /usr/local/etc/swanctl/x509ca. Therefore it is not surprising
>         >     that no trust into the received host certificate can be established
>         >     because it has been signed with the private key of a different
>         >     root CA (although the Distinguished Name of the issuer is the same).
>         >
>         >     Fix: Generate only one private key and matching self-signed
>         >     Root CA certificate. Use the private Root CA key to sign both
>         >     initiator and responder host certificates and deploy the Root CA
>         >     certificate on both hosts.
>         >
>         >     Best regards
>         >
>         >     Andreas
>         >
>         >     On 01.08.2016 21:24, rajeev nohria wrote:
>         >     >
>         >     > I was able to establish the IKE connection using PSK, but when using pubkey I
>         >     > am not able to establish the IKE connection.
>         >     >
>         >     > When I issue sudo swanctl --initiate --child net
>         >     >
>         >     > At the receptor, it returns Auth_failed. Please see the swanctl.conf,
>         >     > strongswan.conf and charon.log.
>         >     >
>         >     > Aug  1 12:09:21 12[CFG] <rw|1> no issuer certificate found for "C=US,
>         >     > ST=MA, L=Lowell, O=Arris, CN=10.13.199.185"
>         >     > Aug  1 12:09:21 12[IKE] <rw|1> no trusted RSA public key found for
>         >     > '10.13.199.185'
>         >     > Aug  1 12:09:21 12[IKE] <rw|1> peer supports MOBIKE
>         >     > Aug  1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
>         >     > Aug  1 12:09:21 12[ENC] <rw|1> order payloads in message
>         >     > Aug  1 12:09:21 12[ENC] <rw|1> added payload of type NOTIFY to message
>         >     > Aug  1 12:09:21 12[ENC] <rw|1> generating IKE_AUTH response 1 [
>         >     > N(AUTH_FAILED) ]
>         >     >
>         >     > I used the following commands to create certificates.
>         >     >
>         >     > Initiator:
>         >     > -----------
>         >     >
>         >     > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
>         >     > /usr/local/etc/swanctl/rsa/strongswanKey.pem
>         >     >
>         >     > sudo chmod 600 /usr/local/etc/swanctl/rsa/strongswanKey.pem
>         >     >
>         >     > sudo ipsec pki --self --ca --in
>         >     > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
>         >     > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
>         >     > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>         >     >
>         >     > sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>         >     >
>         >     > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
>         >     > /usr/local/etc/swanctl/rsa/hostKey.pem
>         >     >
>         >     > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
>         >     >
>         >     > sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type
>         >     > rsa | ipsec pki --issue --digest sha256 --cacert
>         >     > /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
>         >     > /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA,
>         >     > L=Lowell, O=Arris, CN=10.13.199.185" --san 10.13.199.185 --outform pem >
>         >     > /usr/local/etc/swanctl/x509/hostCert.pem
>         >     >
>         >     > Receptor:
>         >     > --------------
>         >     >
>         >     > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
>         >     > /usr/local/etc/swanctl/rsa/strongswanKey.pem
>         >     >
>         >     > sudo chmod 600 /usr/local/etc/swanctl/rsa/strongswanKey.pem
>         >     >
>         >     > sudo ipsec pki --self --ca --in
>         >     > /usr/local/etc/swanctl/rsa/strongswanKey.pem --digest sha256 --dn "C=US,
>         >     > ST=MA, O=Arris, CN=StrongSwan Root CA" --outform pem >
>         >     > /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>         >     >
>         >     > sudo ipsec pki --print --in /usr/local/etc/swanctl/x509ca/strongswanCert.pem
>         >     >
>         >     > sudo ipsec pki --gen --type rsa --size 4096 --outform pem >
>         >     > /usr/local/etc/swanctl/rsa/hostKey.pem
>         >     >
>         >     > sudo chmod 600 /usr/local/etc/swanctl/rsa/hostKey.pem
>         >     >
>         >     > sudo ipsec pki --pub --in /usr/local/etc/swanctl/rsa/hostKey.pem --type
>         >     > rsa | ipsec pki --issue --digest sha256 --cacert
>         >     > /usr/local/etc/swanctl/x509ca/strongswanCert.pem --cakey
>         >     > /usr/local/etc/swanctl/rsa/strongswanKey.pem --dn "C=US, ST=MA,
>         >     > L=Lowell, O=Arris, CN=10.13.199.130" --san 10.13.199.130 --outform pem >
>         >     > /usr/local/etc/swanctl/x509/hostCert.pem
> 

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
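The point of the thread (vici wants the certificate and private key as PEM/DER blobs, not file names) in runnable form. This is an added example, not code from the thread or from strongSwan; it uses strongSwan's python-vici binding instead of davici (an assumption, imported only inside push_to_charon), and the connection name, remote id and child name are made up. The format check mirrors what charon's builders reject when handed a path string.

```python
# Constructed sample input (not a real certificate): what a PEM file's bytes look like.
FAKE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIC...constructed...\n-----END CERTIFICATE-----\n"


def read_blob(path: str) -> bytes:
    """Read the whole certificate/key file; vici is given these bytes, never the path."""
    with open(path, "rb") as f:
        return f.read()


def blob_format(blob: bytes) -> str:
    """Classify a blob as 'pem', 'der' or 'unknown' (a path string is 'unknown')."""
    if blob.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    if blob[:1] == b"\x30":  # DER SEQUENCE tag opens every X.509 cert and PKCS#1 key
        return "der"
    return "unknown"


def load_conn_msg(name: str, cert_blob: bytes, remote_id: str) -> dict:
    """Build a load-conn message whose certs list carries the certificate itself."""
    if blob_format(cert_blob) == "unknown":
        raise ValueError("certs item must be PEM or DER data, not a file name")
    return {
        name: {
            "version": "2",
            "local": {"auth": "pubkey", "certs": [cert_blob]},
            "remote": {"auth": "pubkey", "id": remote_id},
            "children": {"net": {"start_action": "none"}},  # hypothetical child
        }
    }


def load_key_msg(key_blob: bytes) -> dict:
    """Build a load-key message: the RSA private key is transferred as a blob too."""
    if blob_format(key_blob) == "unknown":
        raise ValueError("key data must be PEM or DER, not a file name")
    return {"type": "RSA", "data": key_blob}


def push_to_charon(conn: dict, key: dict) -> None:
    """Send both messages over the vici socket (needs python-vici and a running charon)."""
    import vici  # assumption: strongSwan's python-vici package is installed
    s = vici.Session()
    s.load_key(key)
    s.load_conn(conn)


if __name__ == "__main__":
    cert = read_blob("/usr/local/etc/swanctl/x509/hostCert.pem")  # path from the thread
    key = read_blob("/usr/local/etc/swanctl/rsa/hostKey.pem")
    push_to_charon(load_conn_msg("net", cert, "10.13.199.185"), load_key_msg(key))
```

The `__main__` section only runs where charon and the swanctl files exist; the builder functions run stand-alone.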
