[strongSwan] Certificate-based IPsec tunnel failing to complete

Andreas Steffen andreas.steffen at strongswan.org
Fri Jul 5 11:50:13 CEST 2019


Hi Julian,

hmmm, the connection definition:

remote {
   auth = pubkey
   id = vpntest.MY_ORG.co.uk
}

lists the subjectAltName which is apparently contained in
the certificate:

       X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:vpntest.$MY_ORG.co.uk

so the identity matching is supposed to work if there is no typo
or some strange Unicode characters in the SAN.

Does the strongSwan swanctl --list-certs command list the SAN of the
received peer certificate?

Would it be possible to send the peer certificate to me for closer
inspection?

Best regards

Andreas

On 04.07.19 14:16, Regel, Julian (CSS) wrote:
> Hi
> 
> I am trying to configure an IPsec tunnel between a Cisco ASA and StrongSWAN, using IKEv2 and certificates for authentication.
> 
> I'm running StrongSWAN version 5.6.2-1ubuntu2.4, installed on Ubuntu 18.04.2 LTS.
> 
> I am using a self-signed certificate on the ASA end. Unfortunately, I'm getting the following error (full error log below, and I've obviously sanitised the FQDN and DN):
> 
> [CFG] constraint check failed: identity 'vpntest.$MY_ORG.co.uk' required
> 
> Based on the StrongSWAN FAQ, I assumed this was the SAN field in the certificate that was wrong, but on checking, it appears okay(?).
> 
> Please can you advise what I need to check to help fix this?
> 
> Many thanks
> 
> Julian
> 
> 
> ########## ASA certificate
> 
> $ openssl x509 -in asa.crt -text -noout
> 
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 2 (0x2)
>         Signature Algorithm: ecdsa-with-SHA256
>         Issuer: C = UK, ST = $MY_STATE, L = $MY_CITY, O = $MY_ORG, OU = $MY_OU, CN = CA Root (ECDSA)
>         Validity
>             Not Before: Jul  4 10:43:17 2019 GMT
>             Not After : Jul  3 10:43:17 2020 GMT
>         Subject: C = UK, ST = $MY_STATE, O = $MY_ORG, OU = $MY_OU, CN = vpntest.$MY_ORG.co.uk
>         Subject Public Key Info:
>             Public Key Algorithm: id-ecPublicKey
>                 Public-Key: (256 bit)
>                 pub:
>                     04:0b:73:8e:6e:7f:41:99:18:3b:70:27:3c:97:4e:
>                     c2:84:8a:19:fa:37:fd:51:eb:cd:64:a1:27:ac:68:
>                     36:30:c5:64:eb:75:85:99:e3:ff:3e:d5:2f:f8:6b:
>                     4c:b0:ee:45:00:59:dd:06:06:b5:5e:d5:d8:b1:8f:
>                     a6:10:33:a5:e6
>                 ASN1 OID: prime256v1
>                 NIST CURVE: P-256
>         X509v3 extensions:
>             X509v3 Subject Alternative Name:
>                 DNS:vpntest.$MY_ORG.co.uk
>     Signature Algorithm: ecdsa-with-SHA256
>          30:46:02:21:00:c3:0b:fc:15:e9:f2:19:86:8d:51:3c:12:0c:
>          f7:4f:22:12:07:a7:1f:ff:73:b3:52:3a:ac:c8:6b:ee:e8:5c:
>          36:02:21:00:ed:51:ca:79:8a:13:d0:45:80:ee:bf:18:4f:59:
>          54:94:72:41:c0:88:52:56:d1:9f:c5:17:8d:c0:88:7d:20:3d
> 
> ########## /etc/swanctl.conf:
> 
> connections {
> onprem-to-azure {
> local_addrs  = 172.26.0.85
> remote_addrs = ON_PREM_EXT_IP
> local {
> auth = pubkey
> certs = occert.pem
> id = vpn.production.$MY_ORG.cloud
> }
> remote {
> auth = pubkey
> id = vpntest.MY_ORG.co.uk
> }
> children {
> net1-net1 {
> local_ts  = 172.26.0.85
> remote_ts = 10.1.0.0/16
> #updown = /usr/local/libexec/ipsec/_updown iptables
> rekey_time = 5400
> rekey_bytes = 500000000
> rekey_packets = 1000000
> esp_proposals = aes128gcm16-ecp256 # Phase 2
> }
> }
> version = 2
> mobike = yes
> reauth_time = 10800
> proposals = aes128gcm16-prfsha256-ecp256 # Phase 1
> }
> }
> 
> 
> ########### Trying to bring the tunnel up:
> 
> root at s00C-vpn-uks-01:/etc/swanctl/x509ca# swanctl -i -c net1-net1
> [IKE] initiating IKE_SA onprem-to-azure[1] to $MY_ON_PREM_EXT_IP
> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> [NET] sending packet: from 172.26.0.85[500] to $MY_ON_PREM_EXT_IP[500] (264 bytes)
> [NET] received packet: from $MY_ON_PREM_EXT_IP[500] to 172.26.0.85[500] (659 bytes)
> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ]
> [IKE] received Cisco Delete Reason vendor ID
> [IKE] received Cisco Copyright (c) 2009 vendor ID
> [IKE] received FRAGMENTATION vendor ID
> [IKE] local host is behind NAT, sending keep alives
> [IKE] received cert request for "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, OU=$MY_OU, CN=CA Root (ECDSA)"
> [IKE] received cert request for "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, OU=$MY_OU, CN=CA Root (ECDSA)"
> [IKE] received cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
> [IKE] received cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
> [IKE] received 10 cert requests for an unknown ca
> [IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
> [IKE] sending cert request for "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, OU=$MY_OU, CN=CA Root (ECDSA)"
> [IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
> [IKE] authentication of 'vpn.production.$MY_ORG.cloud' (myself) with ECDSA-256 signature successful
> [IKE] sending end entity cert "C=GB, ST=London, L=London, O=$MY_ORG PLC, CN=vpn.production.$MY_ORG.cloud"
> [IKE] establishing CHILD_SA net1-net1{1}
> [ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> [ENC] splitting IKE message with length of 2018 bytes into 2 fragments
> [ENC] generating IKE_AUTH request 1 [ EF(1/2) ]
> [ENC] generating IKE_AUTH request 1 [ EF(2/2) ]
> [NET] sending packet: from 172.26.0.85[4500] to $MY_ON_PREM_EXT_IP[4500] (1248 bytes)
> [NET] sending packet: from 172.26.0.85[4500] to $MY_ON_PREM_EXT_IP[4500] (835 bytes)
> [NET] received packet: from $MY_ON_PREM_EXT_IP[4500] to 172.26.0.85[4500] (525 bytes)
> [ENC] parsed IKE_AUTH response 1 [ EF(1/4) ]
> [ENC] received fragment #1 of 4, waiting for complete IKE message
> [NET] received packet: from $MY_ON_PREM_EXT_IP[4500] to 172.26.0.85[4500] (525 bytes)
> [ENC] parsed IKE_AUTH response 1 [ EF(3/4) ]
> [ENC] received fragment #3 of 4, waiting for complete IKE message
> [NET] received packet: from $MY_ON_PREM_EXT_IP[4500] to 172.26.0.85[4500] (525 bytes)
> [ENC] parsed IKE_AUTH response 1 [ EF(2/4) ]
> [ENC] received fragment #2 of 4, waiting for complete IKE message
> [NET] received packet: from $MY_ON_PREM_EXT_IP[4500] to 172.26.0.85[4500] (76 bytes)
> [ENC] parsed IKE_AUTH response 1 [ EF(4/4) ]
> [ENC] received fragment #4 of 4, reassembling fragmented IKE message
> [ENC] parsed IKE_AUTH response 1 [ V IDr CERT CERT AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) N(MOBIKE_SUP) ]
> [IKE] received end entity cert "C=UK, ST=$MY_STATE, O=$MY_ORG, OU=$MY_OU, CN=vpntest.$MY_ORG.co.uk"
> [IKE] received issuer cert "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, OU=$MY_OU, CN=CA Root (ECDSA)"
> [CFG]   using certificate "C=UK, ST=$MY_STATE, O=$MY_ORG, OU=$MY_OU, CN=vpntest.$MY_ORG.co.uk"
> [CFG]   using trusted ca certificate "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, OU=$MY_OU, CN=CA Root (ECDSA)"
> [CFG] checking certificate status of "C=UK, ST=$MY_STATE, O=$MY_ORG, OU=MY_OU, CN=vpntest.$MY_ORG.co.uk"
> [CFG] certificate status is not available
> [CFG]   reached self-signed root ca with a path length of 0
> [IKE] authentication of 'C=UK, ST=$MY_STATE, O=$MY_ORG, OU=MY_OU, CN=vpntest.$MY_ORG.co.uk' with ECDSA-256 signature successful
> [CFG] constraint check failed: identity 'vpntest.$MY_ORG.co.uk' required
> [CFG] selected peer config 'onprem-to-azure' inacceptable: constraint checking failed
> [CFG] no alternative config found
> [ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
> [NET] sending packet: from 172.26.0.85[4500] to $MY_ON_PREM_EXT_IP[4500] (65 bytes)
> initiate failed: establishing CHILD_SA 'net1-net1' failed
> 
> 
> 
> 
> You are receiving this message from Capita Software. Should you wish to see how we may have collected or may use your information, or view ways to exercise your individual rights, see our Privacy Notice<https://www.capitasoftware.com/PrivacyNotice>
> 
> 
> This email is security checked and subject to the disclaimer on web-page: http://www.capita.co.uk/email-disclaimer.aspx
> 

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==


More information about the Users mailing list