[strongSwan] Problem authentication strongswan5.7.2-1.el7 x509

fatcharly at gmx.de
Wed Oct 30 10:27:22 CET 2019


Hi,

I'm using strongswan-5.7.2-1.el7.x86_64 on CentOS 7.7.1908 (Core) to build a VPN tunnel to a partner site. We are using certificates for authentication, but I'm running into a problem here, and I think it's on my side, so I need some help from you.

This is the information I get when I start the connection:

>>strongswan up game_cmp_test
initiating IKE_SA game_cmp_test[18] to 82.xxx.xxx.44
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 217.xxx.xxx.20[500] to 82.xxx.xxx.44[500] (464 bytes)
received packet: from 82.xxx.xxx.44[500] to 217.xxx.xxx.20[500] (489 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(HTTP_CERT_LOOK) ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
received cert request for "C=de, O=Game Company, CN=GMP-Short CA 2015"
received 4 cert requests for an unknown ca
sending cert request for "C=de, O=Game Company, CN=GMP-Short CA 2015"
authentication of '217.xxx.xxx.20' (myself) with RSA signature successful
sending end entity cert "C=DE, ST=Hamburg, L=Hamburg, O=ourCompany OU=section , CN=ourhost.tld"
establishing CHILD_SA game_cmp_test{21}
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 217.xxx.xxx.20[500] to 82.xxx.xxx.44[500] (1648 bytes)
received packet: from 82.xxx.xxx.44[500] to 217.xxx.xxx.20[500] (1520 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH N(ESP_TFC_PAD_N) SA TSi TSr ]
received end entity cert "CN=pa-otun-xx-xx.GMP-name.tld"
  using certificate "CN=pa-otun-xx-xx.GMP-name.tld"
  using trusted ca certificate "C=de, O=Game Company, CN=GMP-Short CA 2015"
checking certificate status of "CN=pa-otun-xx-xx.GMP-name.tld"
certificate status is not available
  reached self-signed root ca with a path length of 0
signature validation failed, looking for another key
  using certificate "CN=pa-otun-xx-xx.GMP-name.tld"
  using trusted ca certificate "C=de, O=Game Company, CN=GMP-Short CA 2015"
checking certificate status of "CN=pa-otun-xx-xx.GMP-name.tld"
certificate status is not available
  reached self-signed root ca with a path length of 0
signature validation failed, looking for another key
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 217.xxx.xxx.20[500] to 82.xxx.xxx.44[500] (96 bytes)
establishing connection 'game_cmp_test' failed

This is the configuration:
conn game_cmp_test
        left=217.xxx.xxx.20
        leftsubnet=192.168.170.0/24
        leftcert=/etc/strongswan/ipsec.d/certs/GMP-name-cert.pem
        right=82.xxx.xxx.44
        #rightsubnet=192.168.180.0/24
        rightsubnet=192.168.14.0/24
        rightid="pa-otun-xx-xx.GMP-name.tld"
        authby=pubkey
        auto=start
        ikelifetime=28800s
        keylife=3600s
        keyexchange=ikev2
        ike=aes256-sha512-modp2048!
        esp=aes256-sha512-modp2048!

Is there something wrong with the certificate?

Any suggestions are really, really welcome.

Kind regards

fatcharly
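An added check, not part of the original post and not strongSwan project code, that reproduces the pattern visible in the log above: strongSwan finds a trusted CA certificate whose subject matches the peer certificate's issuer ("using trusted ca certificate ..."), treats it as the root ("reached self-signed root ca with a path length of 0"), and still reports "signature validation failed". The script builds a throwaway CA plus end-entity certificate with openssl, then a second CA certificate with the identical DN but a freshly generated key, and shows that the name comparison passes while the signature check fails. The DNs are copied from the log; the keys, the temporary paths and the "stale CA" scenario are constructed assumptions, and the script does not claim this is the cause of the failure above, only that it produces the same symptom.

```shell
#!/bin/sh
# Constructed demo (not from the original post): a tiny PKI in a temp dir,
# used to show how a CA cert with the right DN but the wrong key fails
# exactly at the signature step. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_pki DIR CA_SUBJECT EE_SUBJECT
# Creates a self-signed CA and one end-entity cert signed by it.
make_pki() {
    dir=$1; ca_subj=$2; ee_subj=$3
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj "$ca_subj" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/ee.key" \
        -out "$dir/ee.csr" -subj "$ee_subj" >/dev/null 2>&1
    openssl x509 -req -in "$dir/ee.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/ee.pem" >/dev/null 2>&1
}

# issuer_matches CA_CERT EE_CERT -> "yes" if the EE issuer DN equals the CA
# subject DN (the name-based lookup strongSwan does first). Both DNs are
# printed in RFC2253 form so the strings compare exactly.
issuer_matches() {
    ca_subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*=//')
    ee_iss=$(openssl x509 -in "$2" -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*=//')
    [ "$ca_subj" = "$ee_iss" ] && echo yes || echo no
}

# verify_chain CA_CERT EE_CERT -> "ok" if the signature chain verifies,
# "fail" otherwise (the step that produces "signature validation failed").
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo ok || echo fail
}

# pubkey_fp CERT -> SHA-256 of the DER public key; two CA certs with the
# same DN but different fingerprints are different CAs as far as
# signature checking is concerned.
pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# The partner's PKI: CA and end-entity DNs taken from the log above.
make_pki "$WORK/partner" \
    "/C=de/O=Game Company/CN=GMP-Short CA 2015" \
    "/CN=pa-otun-xx-xx.GMP-name.tld"

# A second CA with the *same* DN but a new key: what a stale or renewed
# CA certificate sitting in the local trust store would look like
# (hypothetical scenario, constructed for the demo).
make_pki "$WORK/stale" \
    "/C=de/O=Game Company/CN=GMP-Short CA 2015" \
    "/CN=unused"

echo "issuer DN matches stale CA:        $(issuer_matches "$WORK/stale/ca.pem" "$WORK/partner/ee.pem")"   # yes
echo "chain verifies against stale CA:   $(verify_chain "$WORK/stale/ca.pem" "$WORK/partner/ee.pem")"     # fail
echo "chain verifies against partner CA: $(verify_chain "$WORK/partner/ca.pem" "$WORK/partner/ee.pem")"   # ok
echo "stale CA key:   $(pubkey_fp "$WORK/stale/ca.pem")"
echo "partner CA key: $(pubkey_fp "$WORK/partner/ca.pem")"
```

To run the same check against the real certificates, replace the generated files with the peer's end-entity certificate and the CA certificate strongSwan actually loaded (on this setup `strongswan listcacerts` lists them): `openssl verify -CAfile <installed-ca.pem> <peer-cert.pem>`, or strongSwan's own `pki --verify --cacert <installed-ca.pem> --in <peer-cert.pem>`. Comparing the public-key fingerprint of the installed CA certificate with the one the partner publishes tells you whether both sides are talking about the same CA, independent of the DN.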