[strongSwan] SSwan 5.5.3 , X.509 certs and attr-sql issue
Alex Sharaz
alex.sharaz@york.ac.uk
Thu Jun 29 15:21:51 CEST 2017
Hi,
I'm trying to establish a VPN link using X.509 certificates on an Ubuntu
client talking to an Ubuntu SSwan server. Both ends are using version 5.5.3
and are running on Ubuntu 16.04.02.
I’m also trying to use the attr-sql module to assign an ip address from a
managed ip pool and have built a MySQL db and created the appropriate
tables.
Although I've got this working, I'm having problems with (I assume) the
attr-sql module.
When configured to use eap-radius with a userid and password everything
works just fine.
Client end is using:

conn UoY-ikev2
    left=%defaultroute
    leftcert=sumvision@yorkacuk.cer
    leftid="CN=sumvision@york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB"
    leftsourceip=%config
    leftfirewall=yes
    right=144.32.128.199
    rightid="CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB"
    rightsubnet=0.0.0.0/0
    auto=add
The server end:

conn it-services-ikev2
    left=%any
    leftauth=pubkey
    leftcert=vpn10yorkacuk.pem
    leftid="CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB"
    leftsendcert=always
    leftsubnet=0.0.0.0/0,::/0
    leftupdown=/etc/strongswan.d/no_rules
    right=%any
    rightauth=eap-radius
    rightsendcert=never
    rightgroups="Cserv"
    eap_identity=%any
    keyexchange=ikev2
    rightsourceip=%itservices
    fragmentation=yes
    auto=add

where the IP address is pulled from a MySQL-managed IP address pool.
The first time I try it everything works and I'm assigned an IP address. I
can then shut down the connection.
=== Start of log on client ====
authentication of 'CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB' with RSA_EMSA_PKCS1_SHA2_256 successful
IKE_SA UoY-ikev2[3] established between 144.32.231.214[CN=sumvision@york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB]...144.32.128.199[CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB]
installing DNS server 144.32.128.243 via resolvconf
installing DNS server 144.32.128.242 via resolvconf
installing new virtual IP 172.18.64.8
CHILD_SA UoY-ikev2{4} established with SPIs cef147fe_i c43ac4c3_o and TS 172.18.64.8/32 === 0.0.0.0/0
peer supports MOBIKE
connection 'UoY-ikev2' established successfully
root@sumvision:/usr/local/etc# ipsec down UoY-ikev2
deleting IKE_SA UoY-ikev2[3] between 144.32.231.214[CN=sumvision@york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB]...144.32.128.199[CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB]
sending DELETE for IKE_SA UoY-ikev2[3]
generating INFORMATIONAL request 2 [ D ]
===== End of log on client ===
If I then try another connect, on the client I get:

==== Start of log on client ====
ocsp response correctly signed by "CN=University of York Root CA 2, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB, E=netops@york.ac.uk"
certificate from Jun 28 13:48:23 2017 is newer - existing certificate from Jun 28 13:17:07 2017 replaced
ocsp response is valid: until Jun 29 13:53:23 2017
using cached ocsp response
certificate status is good
reached self-signed root ca with a path length of 1
authentication of 'CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB' with RSA_EMSA_PKCS1_SHA2_256 successful
IKE_SA UoY-ikev2[4] established between 144.32.231.214[CN=sumvision@york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB]...144.32.128.199[CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB]
received INTERNAL_ADDRESS_FAILURE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'UoY-ikev2' failed
==== End of log on client =====
Looking at the VPN server end I can see:

===== Start of log on server ====
Jun 29 13:49:12 06[CFG] <x509-certs-ikev2|1> certificate status is good
Jun 29 13:49:12 06[CFG] <x509-certs-ikev2|1> reached self-signed root ca with a path length of 1
Jun 29 13:49:12 06[IKE] <x509-certs-ikev2|1> authentication of 'CN=sumvision@york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB' with RSA_EMSA_PKCS1_SHA2_256 successful
Jun 29 13:49:12 06[IKE] <x509-certs-ikev2|1> peer supports MOBIKE
Jun 29 13:49:12 06[IKE] <x509-certs-ikev2|1> authentication of 'CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Jun 29 13:49:12 06[IKE] <x509-certs-ikev2|1> IKE_SA x509-certs-ikev2[1] established between 144.32.128.199[CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB]...144.32.231.214[CN=sumvision@york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB]
Jun 29 13:49:12 06[IKE] <x509-certs-ikev2|1> sending end entity cert "CN=vpn10.york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB"
Jun 29 13:49:12 06[IKE] <x509-certs-ikev2|1> peer requested virtual IP %any
Jun 29 13:49:12 06[LIB] <x509-certs-ikev2|1> executing MySQL statement failed: Duplicate entry '9-0\x81\x881\x1D0\x1B\x06\x03U\x04\x03\x0C\x14sumvision@york.ac.' for key 'type'
Jun 29 13:49:12 06[IKE] <x509-certs-ikev2|1> no virtual IP found for %any requested by 'CN=sumvision@york.ac.uk, O=University of York, OU=IT Services, L=York, ST=North Yorkshire, C=GB'
==== End of log on server ======
Looking in the MySQL database I can see an entry in table "identities":
type = 9, data = ....... sumvision ......
If I delete this entry and try again, the connection still fails. If I
delete this entry and restart the server VPN I get connected and have an IP
address assigned successfully.
Is there something wrong with my config or in SSwan 5.5.3?
Rgds
Alex
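As an added diagnostic, not part of the original post and not strongSwan's own tooling: the server log shows the attr-sql plugin's INSERT into the identities table failing on the unique key over (type, data), so the first thing worth checking is what that table can hold and what it actually stores for the client's identity. The queries below assume the identities table shape from strongSwan's mysql.sql schema (columns id, type, data, with a UNIQUE index on (type, data); MySQL names such an index after its first column, which is why the log says "for key 'type'"). IKEv2 ID type 9 is ID_DER_ASN1_DN, so `data` holds the DER encoding of the whole DN, and the key prefix leaked in the log, `0\x81\x88`, is a DER SEQUENCE header declaring 0x88 = 136 content bytes (139 bytes in total). A `data` column narrower than that would be silently truncated on insert when sql_mode is not strict, and the truncated row would never match the full DN on the next lookup, which is one way to arrive at the duplicate-key error. The table and column names are taken from that assumed schema; everything else here is a check, not a statement about what is on the poster's server.

```sql
-- Added diagnostic queries for the attr-sql identities table.
-- Not part of the original post or of strongSwan; assumes the mysql.sql
-- schema: identities(id, type, data) with UNIQUE (type, data).

-- 1. How wide is the column the DN is stored in?
SELECT COLUMN_NAME, COLUMN_TYPE, CHARACTER_MAXIMUM_LENGTH
  FROM information_schema.COLUMNS
 WHERE TABLE_SCHEMA = DATABASE()
   AND TABLE_NAME   = 'identities';

-- 2. Which index is being hit by the INSERT, and over which columns?
--    Expect an index named "type" spanning (type, data) with NON_UNIQUE = 0.
SELECT INDEX_NAME, NON_UNIQUE, SEQ_IN_INDEX, COLUMN_NAME
  FROM information_schema.STATISTICS
 WHERE TABLE_SCHEMA = DATABASE()
   AND TABLE_NAME   = 'identities'
 ORDER BY INDEX_NAME, SEQ_IN_INDEX;

-- 3. What is stored for DER ASN.1 DN identities (IKEv2 ID type 9)?
--    A complete DN starts with 0x30 (SEQUENCE); for the DN in the post the
--    header 30 81 88 declares 136 content bytes, so LENGTH(data) should be 139.
SELECT id, type, LENGTH(data) AS stored_len, HEX(data) AS stored_der
  FROM identities
 WHERE type = 9;

-- 4. Flag rows whose stored DER is shorter than its own SEQUENCE header says.
--    Handles the short-form length (second byte < 0x80) and the two long
--    forms that DNs realistically use (0x81 = one length byte, 0x82 = two).
SELECT id, stored_len, declared_len
  FROM (
    SELECT id,
           LENGTH(data) AS stored_len,
           CASE
             WHEN ORD(SUBSTRING(data, 2, 1)) < 128
               THEN ORD(SUBSTRING(data, 2, 1)) + 2
             WHEN ORD(SUBSTRING(data, 2, 1)) = 129
               THEN ORD(SUBSTRING(data, 3, 1)) + 3
             WHEN ORD(SUBSTRING(data, 2, 1)) = 130
               THEN ORD(SUBSTRING(data, 3, 1)) * 256
                    + ORD(SUBSTRING(data, 4, 1)) + 4
           END AS declared_len
      FROM identities
     WHERE type = 9
  ) AS d
 WHERE stored_len < declared_len;

-- 5. Only if query 4 returns rows: the column is too narrow for the DN.
--    Remove the truncated rows, widen the column, then restart the daemon as
--    the post describes so the plugin starts from a clean table. The new width
--    (255) is an assumption; pick one that covers your longest DN.
-- DELETE FROM identities WHERE type = 9 AND LENGTH(data) < 139;
-- ALTER TABLE identities MODIFY data VARBINARY(255) NOT NULL;
```

If query 4 returns nothing and `stored_len` in query 3 already equals the declared length, the column width is not the problem and the duplicate-key error comes from somewhere else (for example, a row inserted by a previous run that the plugin's own lookup does not find). Note that with a strict sql_mode MySQL refuses an over-long value with "Data too long for column" instead of truncating it, so the same schema can behave differently on two servers.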