[strongSwan] strongswan is asking private key for the root CA

Noel Kuntze noel.kuntze at thermi.consulting
Fri Jul 12 19:50:06 CEST 2019


Hello,

From the FAQ[1]:

*Q:* /Can strongSwan read chain files (a leaf certificate and the CAs that are required to authenticate it)?/

*A:* No, strongswan does not support chain files. Every certificate needs to be provided in a single file, given it is not loaded by a user provided application that uses the VICI <https://wiki.strongswan.org/projects/strongswan/wiki/VICI> API.


Thus, split up the certificates into separate files. I suspect you put the root CA's certificate in first and then appended the other certificates.
Then strongSwan would find its cert first in the file and try it.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#X509-Certificate-chain-files

On 12.07.19 at 12:39, Old Kid wrote:
> Hi all,
> I basically copied/pasted DigitalOcean's strongswan configuration for Ubuntu 18.04. I run strongswan on Debian 9 myself. It's version 5.7 and still uses
> ipsec.conf:
>
> config setup
>    charondebug="ike 1, knl 1, cfg 0"
>    uniqueids=no
>
> conn ikev2-vpn
>    auto=add
>    compress=no
>    type=tunnel
>    keyexchange=ikev2
>    fragmentation=yes
>    forceencaps=yes
>    dpdaction=clear
>    dpddelay=300s
>    rekey=no
>    left=%any
>    leftid=@server_domain_or_IP
>    leftcert=server-cert.pem
>    leftsendcert=always
>    leftsubnet=0.0.0.0/0
>    right=%any
>    rightid=%any
>    rightauth=eap-mschapv2
>    rightsourceip=10.10.10.0/24
>    rightdns=8.8.8.8,8.8.4.4
>    rightsendcert=never
>    eap_identity=%identity
>
> and this is my ipsec.secrets:
> : RSA "server-key.pem"
> test : EAP "password"
>
> I have a valid certificate for my domain. I combined the certificates like
> this:
> cat root-ca.crt domain.crt > server-cert.pem
>
> and I directly copied the private key text file to /etc/ipsec.d/private/server-key.pem
>
> But when I tried connecting to the server via strongswan android client,
> there was an error in the server log:
>
> Jul 12 06:07:24 debian charon: 13[ENC] received fragment #3 of 3, reassembled fragmented IKE message (3120 bytes)
> Jul 12 06:07:24 debian charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> Jul 12 06:07:24 debian charon: 13[IKE] received 134 cert requests for an unknown ca
> Jul 12 06:07:24 debian charon: 13[IKE] initiating EAP_IDENTITY method (id 0x00)
> Jul 12 06:07:24 debian charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Jul 12 06:07:24 debian charon: 13[IKE] peer supports MOBIKE
> Jul 12 06:07:24 debian charon: 13[IKE] no private key found for 'C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA'
> Jul 12 06:07:24 debian charon: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>
> I checked my pem file with openssl verify command and it said ok. I don't
> understand why strongswan is asking for private key for the root certificate.

-- 
Noel Kuntze
IT security consultant

GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
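As an added illustration (not code from the thread or from the strongSwan project), the script below splits a concatenated PEM file such as the one built with `cat root-ca.crt domain.crt > server-cert.pem` into one certificate per file, preserving the order in which the blocks appear, so you can see which certificate strongSwan would pick up first as `leftcert`. The sample chain file and the output directory are constructed placeholders; the base64 bodies are not real certificates.

```shell
#!/bin/sh
# Split a concatenated PEM chain into one certificate per file, in file order.
# strongSwan treats the first certificate in the leftcert file as its own, so a
# root CA placed first makes it look for the root CA's private key (the error
# from the thread). Prints the number of certificate blocks found on stdout.
split_pem_chain() {
    chain="$1"
    outdir="$2"
    mkdir -p "$outdir"
    awk -v outdir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", outdir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    ' "$chain"
}

# List the split files in order; cert-01.pem is what strongSwan would use as
# its own certificate. Subjects are shown only if openssl can parse the block.
report_order() {
    for f in "$1"/cert-*.pem; do
        if command -v openssl >/dev/null 2>&1 && subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null); then
            echo "$f: $subj"
        else
            echo "$f: (certificate block, subject not parsed)"
        fi
    done
}

# Constructed sample: a "root CA" block followed by a "leaf" block, mirroring
# cat root-ca.crt domain.crt > server-cert.pem. Bodies are placeholders.
write_constructed_chain() {
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgUk9PVCBDQQ==' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgTEVBRg==' '-----END CERTIFICATE-----' \
        > "$1"
}

demo_dir=$(mktemp -d)
write_constructed_chain "$demo_dir/server-cert.pem"
count=$(split_pem_chain "$demo_dir/server-cert.pem" "$demo_dir/split")
echo "found $count certificate blocks"
report_order "$demo_dir/split"
```

After splitting, point `leftcert` at the file holding the leaf (domain) certificate and put the CA certificates under `/etc/ipsec.d/cacerts/`.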

