[strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert
Modster, Anthony
Anthony.Modster at Teledyne.com
Fri Nov 16 19:22:55 CET 2018
Hello Tobias

We are using VICI (not from configuration files), so I hope we're getting everything.
For this setup our credential directory looks like this:
/media/sde1/certs/Org1:
Org1.chain Org1.crt Org1.key Org1.sca1 Org1.ta
/media/sde1/certs/Org2:
Org2.chain Org2.crt Org2.key Org2.sca2 Org2.ta
So we only load the "user cert" using VICI; we're letting charon select the correct key and SCA.
Test 1, Org1/Org1.crt (196) and Org2/Org2.crt (211): when using this setup the 196 VPN comes up and the 211 VPN does not (incorrect SCA selected).
Test 2, Org2/Org2.crt (211): when using this setup the 211 VPN does come up.
Test 3, Org1/Org1.crt (211) and Org2/Org2.crt (196): when using this setup both the 211 VPN and the 196 VPN come up.
I verified the keys are different, and the "user certs" and SCA files are correct.
The log file indicates the correct "user certs" are used for each tunnel.
What else should I check?
Below is sample code:
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <library.h>   /* strongSwan: chunk_t, chunk_free(), streq() */
#include <libvici.h>   /* VICI client API */

/* load_cert_from_file() and create_list_for_proposals() are helpers defined
 * elsewhere in this program; only their use is shown here. */
void load_cert_from_file(const char *path, chunk_t *cert);
void create_list_for_proposals(vici_req_t *req, const char *key, const char *proposals);

/* load connection
 * returns: 0 = for ok, else 1
 * Note:
 * reference doc for swanctl.conf https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf
 * reference doc for ipsec.conf: config setup https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection
 * example config file /etc/swanctl/swanctl.conf
 */
int load_conn(vici_conn_t *conn, struct s_connection_parameters *param)
{
    vici_req_t *req;
    vici_res_t *res;
    int ret = 0;
    chunk_t cert;

    //load the user cert
    load_cert_from_file( param->local_cert, &cert );
    if( cert.ptr == NULL )
    {
        printf("load connection failed : error loading local cert.\n");
        return 1;
    }

    req = vici_begin("load-conn");
    vici_begin_section(req,param->conn_name);
    //connections.<conn>.version
    vici_add_key_valuef(req,"version","%s",param->ike_version);
    //connections.<conn>.local_addrs
    vici_begin_list(req,"local_addrs");
    vici_add_list_itemf(req,"%s",param->local_addrs);
    vici_end_list(req);
    //connections.<conn>.remote_addrs
    vici_begin_list(req,"remote_addrs");
    vici_add_list_itemf(req,"%s",param->remote_addrs);
    vici_end_list(req);
    //connections.<conn>.local_port
    //connections.<conn>.remote_port
    //connections.<conn>.proposals
    create_list_for_proposals( req, "proposals", param->proposals );
    //connections.<conn>.vips
    //note: allows the assignment of "virtual IP's" for local_ts and remote_ts
    vici_begin_list(req,"vips");
    vici_add_list_itemf(req,"%s","0.0.0.0");
    vici_end_list(req);
    //connections.<conn>.aggressive
    //connections.<conn>.pull
    //connections.<conn>.encap
    //we do not want to use mobike (no searching for other interfaces)
    //note: it is enabled by default
    //connections.<conn>.mobike
    //vici_add_key_valuef(req,"mobike","%s","no");
    vici_add_key_valuef(req,"mobike","%s",param->mobike);
    //connections.<conn>.dpd_delay
    //vici_add_key_valuef(req,"dpd_delay","%s","2s");
    vici_add_key_valuef(req,"dpd_delay","%s",param->dpd_delay);
    //connections.<conn>.dpd_timeout
    //connections.<conn>.fragmentation
    //connections.<conn>.send_certreq
    //connections.<conn>.send_cert
    /* connections.<conn>.keyingtries
     * Number of retransmission sequences to perform during initial connect.
     * Instead of giving up initiation after the first retransmission sequence with the default value of 1,
     * additional sequences may be started according to the configured value.
     * A value of 0 initiates a new sequence until the connection establishes or fails with a permanent error.
     */
    //vici_add_key_valuef(req,"keyingtries","%s","0");
    vici_add_key_valuef(req,"keyingtries","%s",param->keying_tries);
    //connections.<conn>.unique
    //connections.<conn>.reauth_time
    vici_add_key_valuef(req,"reauth_time","%s",param->ike_reauth_time);
    //connections.<conn>.rekey_time
    vici_add_key_valuef(req,"rekey_time","%s",param->ike_rekey_time);
    //connections.<conn>.over_time
    //connections.<conn>.rand_time
    //connections.<conn>.pools

    //Section for a local authentication round ( local<suffix>, the <suffix> is optional )
    vici_begin_section(req,"local");
    //connections.<conn>.local.round
    //connections.<conn>.local.certs
    vici_begin_list(req,"certs");
    vici_add_list_item(req, cert.ptr, cert.len);
    chunk_free(&cert);
    vici_end_list(req);
    //connections.<conn>.local.pubkeys
    //connections.<conn>.local.auth
    //vici_add_key_valuef(req,"auth","%s","eap"); //we're only using IKEv2 EAP
    //vici_add_key_valuef(req,"auth","%s","pubkey");
    vici_add_key_valuef(req,"auth","%s",param->left_auth);
    //connections.<conn>.local.id
    vici_add_key_valuef(req,"id","%s",param->local_id);
    //connections.<conn>.local.eap_id
    if( strlen( param->eap_id ) )
    {   //eap_id is available
        vici_add_key_valuef(req,"eap_id","%s",param->eap_id);
    }
    //connections.<conn>.local.aaa_id
    //connections.<conn>.local.xauth_id
    vici_end_section(req); //section end for local

    //Section for a remote authentication round ( remote<suffix>, the <suffix> is optional )
    vici_begin_section(req,"remote");
    //connections.<conn>.remote.round
    //connections.<conn>.remote.id
    vici_add_key_valuef(req,"id","%s",param->remote_id);
    //connections.<conn>.remote.groups
    //connections.<conn>.remote.certs
    //connections.<conn>.remote.cacerts
    //connections.<conn>.remote.pubkeys
    //connections.<conn>.remote.revocation
    vici_add_key_valuef(req,"revocation","%s","relaxed");
    //connections.<conn>.remote.auth
    vici_add_key_valuef(req,"auth","%s","pubkey");
    vici_end_section(req); //section end for remote

    //CHILD_SA configuration sub-section ( <child> = <conn>, for now )
    vici_begin_section(req,"children");
    vici_begin_section(req,param->conn_name);
    //connections.<conn>.children.<child>.ah_proposals
    //connections.<conn>.children.<child>.esp_proposals
    create_list_for_proposals( req, "esp_proposals", param->esp_proposals );
    //connections.<conn>.children.<child>.local_ts
    //note: allow peer to set IP address and mask
    vici_begin_list(req,"local_ts");
    // vici_add_list_itemf(req,"%s","172.16.207.251");
    vici_add_list_itemf(req,"%s","dynamic");
    vici_end_list(req);
    //connections.<conn>.children.<child>.remote_ts
    //note: allow peer to set IP address and mask
    vici_begin_list(req,"remote_ts");
    //???tony, need to change because it could be a list (comma separated) child_remote_ts[BUF_LEN]
    if( strlen( param->child_remote_ts ) )
        vici_add_list_itemf(req,"%s",param->child_remote_ts);
    else
        vici_add_list_itemf(req,"%s","dynamic");
    // vici_add_list_itemf(req,"%s","172.16.207.150");
    // vici_add_list_itemf(req,"%s","0.0.0.0/0"); //for IPv4
    // vici_add_list_itemf(req,"%s","0.0.0.0/0,0::0"); //for IPv6
    // vici_add_list_itemf(req,"%s","dynamic");
    vici_end_list(req);
    //connections.<conn>.children.<child>.rekey_time
    vici_add_key_valuef(req,"rekey_time","%s",param->child_rekey_time);
    //connections.<conn>.children.<child>.life_time
    //connections.<conn>.children.<child>.rand_time
    //connections.<conn>.children.<child>.rekey_bytes
    //connections.<conn>.children.<child>.life_bytes
    //connections.<conn>.children.<child>.rand_bytes
    //connections.<conn>.children.<child>.rekey_packets
    //connections.<conn>.children.<child>.life_packets
    //connections.<conn>.children.<child>.rand_packets
    //connections.<conn>.children.<child>.updown
    vici_add_key_valuef(req,"updown","%s","/usr/lib32/ipsec/_updown_tdy.py");
    //connections.<conn>.children.<child>.hostaccess
    //connections.<conn>.children.<child>.mode
    vici_add_key_valuef(req,"mode","%s","tunnel");
    //connections.<conn>.children.<child>.dpd_action
    //vici_add_key_valuef(req,"dpd_action","%s","clear");
    //vici_add_key_valuef(req,"dpd_action","%s","restart");
    vici_add_key_valuef(req,"dpd_action","%s",param->child_dpd_action);
    //connections.<conn>.children.<child>.policies
    //connections.<conn>.children.<child>.ipcomp
    //connections.<conn>.children.<child>.inactivity
    //connections.<conn>.children.<child>.reqid
    //connections.<conn>.children.<child>.mark_in
    //connections.<conn>.children.<child>.mark_out
    //connections.<conn>.children.<child>.tfc_padding
    //connections.<conn>.children.<child>.replay_window
    //connections.<conn>.children.<child>.start_action
    //connections.<conn>.children.<child>.close_action
    vici_end_section(req); //section end for child (<child> = <conn>)
    vici_end_section(req); //section end for children
    vici_end_section(req); //section end for connection

    res = vici_submit(req, conn);
    if( !res )
    {
        printf("load connection failed :%s \n", strerror(errno));
        return 1;
    }
    //the daemon answers with success = yes/no and, on failure, an errmsg
    if (!streq(vici_find_str(res,"no","success"),"yes"))
    {
        printf("loading connection %s failed : %s \n", param->conn_name, vici_find_str(res,"","errmsg"));
        ret = 1;
    }
    else
    {
        printf("loaded connection %s \n", param->conn_name);
    }
    vici_free_res(res); //free the response on both paths
    return ret;
}
-----Original Message-----
From: Tobias Brunner <tobias at strongswan.org>
Sent: Friday, November 16, 2018 1:45 AM
To: Modster, Anthony <Anthony.Modster at Teledyne.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert
Hi Anthony,
> !!!Selected user cert is CN=TDY Test SCA 4
> 2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] certificate \"C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test SCA 4\" key: 2048 bit RSA
That's the server's certificate, selected to verify the authentication.
> 2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[TLS] sending TLS peer certificate \'CN=RA00017.auth, O=Teledyne Controls Engineering, OU=Systems Engineering, C=US\'
> !!! ? why did TLS send SCA 1 cert
That certificate is selected based on the identity (whatever it is you configured). If a private key is loaded for this key and identity, why shouldn't it be selected?
Did you perhaps use the same key for different identities (or use the same identity for different keys)? Also, what does your configuration actually look like?
Regards,
Tobias
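Tobias's question (same key under two identities, or one identity over two keys) can be answered mechanically from the credential tree Anthony describes. The following POSIX shell script is an added example, not code from this thread or from strongSwan: it walks a `<root>/<Org>/<Org>.crt` + `<Org>.key` layout, checks that each private key really belongs to its certificate, and flags any public key or certificate subject that appears under more than one Org, which is exactly the situation in which charon could pick a different key/certificate than the operator expects. It assumes `openssl` on PATH; the `make_sample_tree` helper builds throwaway self-signed test credentials and is constructed for the example, not Teledyne material.

```shell
#!/bin/sh
# check_creds.sh: sanity-check a strongSwan credential tree laid out as
#   <root>/<Org>/<Org>.crt   <root>/<Org>/<Org>.key   (plus .chain/.sca/.ta)
# Checks: (1) each .key matches the public key in its .crt,
#         (2) no two Orgs share a private key,
#         (3) no two Orgs share a certificate subject (identity).
# Usage: sh check_creds.sh /media/sde1/certs

# SHA-256 over the DER SubjectPublicKeyInfo carried by a certificate
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 over the DER SubjectPublicKeyInfo derived from a private key
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Returns 0 when the tree is consistent, 1 otherwise (findings on stdout)
check_creds_tree() {
    tree="$1"
    status=0
    seen_keys=""
    seen_subjects=""
    for dir in "$tree"/*/; do
        org=$(basename "$dir")
        crt="$dir$org.crt"
        key="$dir$org.key"
        if [ ! -f "$crt" ] || [ ! -f "$key" ]; then
            echo "$org: missing $org.crt or $org.key"
            status=1
            continue
        fi
        cfp=$(cert_pubkey_fp "$crt")
        kfp=$(key_pubkey_fp "$key")
        subj=$(cert_subject "$crt")
        # (1) the loaded private key must be the one the certificate certifies
        if [ "$cfp" != "$kfp" ]; then
            echo "$org: $org.key does not match the public key in $org.crt"
            status=1
        fi
        # (2) the same key under two Orgs means two identities share one key
        case " $seen_keys " in
            *" $kfp "*) echo "$org: private key is also used by another Org"; status=1 ;;
        esac
        # (3) the same subject under two Orgs means one identity maps to two keys
        case "$seen_subjects" in
            *"|$subj|"*) echo "$org: certificate subject is also used by another Org ($subj)"; status=1 ;;
        esac
        seen_keys="$seen_keys $kfp"
        seen_subjects="$seen_subjects|$subj|"
    done
    return $status
}

# Constructed test data: self-signed certs with distinct keys and subjects.
make_sample_tree() {
    sample_root="$1"
    shift
    for org in "$@"; do
        mkdir -p "$sample_root/$org"
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$org" \
            -keyout "$sample_root/$org/$org.key" \
            -out "$sample_root/$org/$org.crt" 2>/dev/null
    done
}

[ $# -eq 1 ] && check_creds_tree "$1"
```

Run it against the real tree before loading anything into charon; a clean run rules out the key/identity overlap Tobias asks about, and leaves the selection logic (identity configured for the connection versus the subject and subjectAltNames in each certificate) as the remaining place to look.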