[strongSwan] Windows 10 authenticating with certificate fails
Yudi V
yudi.tux at gmail.com
Tue Jan 24 13:59:01 CET 2017
On Tue, Jan 24, 2017 at 11:35 PM, Karl Denninger <karl at denninger.net> wrote:
> On 1/24/2017 04:12, Yudi V wrote:
>
>
>
> On Wed, Jan 18, 2017 at 1:12 AM, Karl Denninger <karl at denninger.net>
> wrote:
>
>>
>> On 1/17/2017 07:10, Yudi V wrote:
>>
>> Hi,
>>
>> Error 13806
>> Authentication from Windows 10 client fails when trying to use just
>> certificates but EAP-Mschapv2 it works fine.
>> Error 13806, "IKE failed to find valid machine certificate"
>>
>> I followed the advise about certificate needs for windows.
>> All the keys are of type ecdsa:
>>
>> server cert:
>> Ipsec pki --pub --in serverKey.der --type ecdsa | ipsec pki --issue
>> --cacert caCert.der --cakey caKey.der --dn "O=xxx, CN=home1234.ddns.com"
>> --san="home1234.ddns.com" --flag serverAuth --flag ikeIntermediate
>> > serverCert.der
>>
>> client cert:
>> ipsec pki --pub --in clientKey.der --type ecdsa | ipsec pki --issue
>> --cacert caCert.der --cakey caKey.der --dn "O=xxx, CN=client" >
>> clientCert.der
>>
>> converted der files to pem and packaged them into pkcs12 file
>>
>> openssl pkcs12 -export -in clientCert.pem -name "client" -inkey
>> clientKey.pem -certfile caCert.pem -caname "xxx CA" -out clientCert.p12
>>
>> the first time I imported caCert.pem and clientCert.p12 files into
>> windwos cert store I made a mistake and imported them into the current user
>> account.
>> Deleted them and imported them into the "computer account".
>> and checked that it looks as in the last two sreencaps at
>> https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs
>> it says you have a private key that corresponds to this certificate.
>>
>> the san and CN are same for the server.
>>
>> ipsec.conf settings are:
>>
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> # basic configuration
>>
>> config setup
>> # strictcrlpolicy=yes
>> # uniqueids = no
>>
>> conn %default
>> keyexchange=ikev2
>> dpdaction=clear
>> dpddelay=300s
>>
>> # Add connections here.
>>
>>
>> conn rw_pw # this works
>> left=%any
>> leftsubnet=0.0.0.0/0,::0
>> leftauth=pubkey
>> leftcert=serverCert.der
>> leftid=home1234.ddns.com
>> leftfirewall=yes
>> lefthostaccess=yes
>> right=%any
>> rightauth=eap-mschapv2
>> rightsourceip=%dhcp
>> rightdns=192.168.3.1
>> eap_identity=%any
>> auto=add
>>
>> conn rw_cert # this fails
>> left=%any
>> leftsubnet=0.0.0.0/0,::0
>> leftauth=pubkey
>> leftcert=serverCert.der
>> leftid=home1234.ddns.com
>> leftfirewall=yes
>> lefthostaccess=yes
>> right=%any
>> rightauth=pubkey
>> rightcert=clientCert.pem
>> rightsourceip=%dhcp
>> rightdns=192.168.3.1
>> auto=add
>>
>>
>> Any suggestion on how to fix this issue?
>>
>> regards
>> Yudi
>>
>>
>>
>> Windows 10 is hosed in the head (as are other windows versions); here's
>> what I have, and it works -- but it took a while to figure it out by
>> turning debugging up and chasing what the two sides were saying to each
>> other. You do not want eap-mschapv2 unless you're using a password; for a
>> machine certificate you want eap-tls (which may not be in your build; if
>> not you will have to add it), and the eap_identity clause is also required.
>>
>> Snip from ipsec.conf:
>>
>> conn WinUserCert
>> left=%any
>> leftsubnet=0.0.0.0/0
>> leftcert=genesis.denninger.net.crt
>> leftauth=pubkey
>> right=%any
>> rightsourceip=192.168.2.0/24
>> rightauth=eap-tls
>> eap_identity=%identity
>> auto=add
>> dpdaction=clear
>> dpddelay=300s
>>
>> And then the cert must contain:
>>
>> Certificate:
>> Data:
>> Version: 3 (0x2)
>> Serial Number: 61 (0x3d)
>> Signature Algorithm: sha256WithRSAEncryption
>> Issuer: C=US, ST=Florida, L=Niceville, O=Cuda Systems LLC,
>> CN=Cuda Syste
>> ms LLC CA/emailAddress=Cuda Systems LLC CA
>> Validity
>> Not Before: Dec 18 19:45:35 2016 GMT
>> Not After : Dec 17 19:45:35 2021 GMT
>> Subject: C=US, ST=Florida, O=Cuda Systems LLC,
>> CN=karl at denninger.net
>> Subject Public Key Info:
>> Public Key Algorithm: rsaEncryption
>> Public-Key: (4096 bit)
>> Modulus:
>> 00:cd:8d:e6:66:b1:b3:b3:64:a1:8f:60:e4:d3:31:
>> 15:69:65:d1:36:22:3b:b8:17:ac:66:53:a3:7a:b6:
>> .....
>>
>> Exponent: 65537 (0x10001)
>> X509v3 extensions:
>> Authority Information Access:
>> OCSP - URI:http://cudasystems.net:8888
>>
>> X509v3 Basic Constraints:
>> CA:FALSE
>> Netscape Cert Type:
>> SSL Client, S/MIME
>> X509v3 Key Usage:
>> Digital Signature, Non Repudiation, Key Encipherment
>> Netscape Comment:
>> OpenSSL Generated Certificate
>> X509v3 Subject Key Identifier:
>> A5:F0:08:DF:2F:BB:E7:5A:69:F4:
>> 0D:30:EA:F2:47:C7:C4:68:47:F3
>> X509v3 Authority Key Identifier:
>> keyid:24:71:9B:9D:85:7D:FC:DD:
>> DD:BD:B0:CA:92:94:03:A1:FA:D3:6D:35
>>
>> X509v3 Subject Alternative Name:
>> email:karl at denninger.net
>> Signature Algorithm: sha256WithRSAEncryption
>> 62:07:a3:25:ba:0c:58:25:d7:1c:0f:c6:e8:67:fb:bc:77:c5:
>> ....
>>
>> Note that BOTH SAN and CN are set in the user certificate. SAN is there
>> because I use this cert/key pair for S/MIME as well. However, if you don't
>> set CN to the same thing (which is usually not done if SAN is set) then
>> Win10 will send the CN, whatever it may be (e.g. the user's full name), and
>> StrongSwan won't find the cert because when it looks for it in the
>> certificate store it compares against SAN and the comparison fails.
>>
>>
>> --
>> Karl Denninger
>> karl at denninger.net
>> *The Market Ticker*
>> *[S/MIME encrypted email preferred]*
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
>
> Hi Karl,
>
> Sorry about the delayed reply.
> I was finally able to use EAP-TLS, I think not having SAN same as CN on
> the client certificate caused it to fail. I cannot be 100% sure as I also
> had incorrect config to start with.
>
>
> I just got one more issue to sort out. How does the server decide which
> "conn" to use when a peer is trying to connect.
> when I try to connect from the windows client, I can connect to either
> rw_cert or rw_pw when one of them is commented out. But if both of them
> are listed, then it always tries to use rw_pw (ie, eap-mschapv2) if it is
> listed before rw_cert.
> If I swap the order of rw_pw and rw_cert (listed before rw_pw) then it
> always tries to use eap-tls.
>
> I am guessing the information sent by the client to the server has some
> bearing on which "conn" to use.
> Is there anyway to dictate which "conn" should be used?
>
> My current config looks like below:
>
> conn %default
> keyexchange=ikev2
> dpdaction=clear
> dpddelay=300s
>
> left=%any
> leftsubnet=0.0.0.0/0,::0
> leftauth=pubkey
> leftcert=serverCert.der
> leftid=home1234.ddns.com
> leftfirewall=yes
> lefthostaccess=yes
>
> right=%any
> rightsourceip=%dhcp
> rightdns=192.168.3.1
>
> conn rw_pw
> rightauth=eap-mschapv2 #using password
> eap_identity=%any
> auto=add
>
> conn rw_cert
> rightauth=eap-tls #using certificate
> rightsendcert=never
> eap_identity=%any
> auto=add
>
> thanks!
> yudi
>
> Whichever one it can match options with first. If you have multiple
> client types connecting you need to be careful what order the various
> required options are listed in within the config file.
>
> --
> Karl Denninger
> karl at denninger.net
> *The Market Ticker*
> *[S/MIME encrypted email preferred]*
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
So order dictates which "Conn" is used, that cannot be right.
I want to use the rightsourceip= setting to connect to different subnets
using separate config sections. Local firewall block access between these
subnets.
--
Kind regards,
Yudi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170124/518f14a3/attachment-0001.html>
More information about the Users
mailing list