[strongSwan] Problem authentication strongswan5.7.2-1.el7 x509

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Oct 30 14:18:33 CET 2019


Hello Fatcharly,

Please follow the instructions on the HelpRequests[1] page on the wiki.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 30.10.19 at 10:27, fatcharly at gmx.de wrote:
> Hi,
> 
> I'm using a strongswan-5.7.2-1.el7.x86_64 on a CentOS 7.7.1908 (Core) to build up a vpn tunnel to a partner site. We are using certificates for the authentication, but I'm running into a problem here and I think it's on my side so I need some help from you.
> 
> This is the information I get when I start the connection:
> 
>>> strongswan up game_cmp_test
> initiating IKE_SA game_cmp_test[18] to 82.xxx.xxx.44
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 217.xxx.xxx.20[500] to 82.xxx.xxx.44[500] (464 bytes)
> received packet: from 82.xxx.xxx.44[500] to 217.xxx.xxx.20[500] (489 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(HTTP_CERT_LOOK) ]
> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
> received cert request for "C=de, O=Game Company, CN=GMP-Short CA 2015"
> received 4 cert requests for an unknown ca
> sending cert request for "C=de, O=Game Company, CN=GMP-Short CA 2015"
> authentication of '217.xxx.xxx.20' (myself) with RSA signature successful
> sending end entity cert "C=DE, ST=Hamburg, L=Hamburg, O=ourCompany OU=section , CN=ourhost.tld"
> establishing CHILD_SA game_cmp_test{21}
> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> sending packet: from 217.xxx.xxx.20[500] to 82.xxx.xxx.44[500] (1648 bytes)
> received packet: from 82.xxx.xxx.44[500] to 217.xxx.xxx.20[500] (1520 bytes)
> parsed IKE_AUTH response 1 [ IDr CERT AUTH N(ESP_TFC_PAD_N) SA TSi TSr ]
> received end entity cert "CN=pa-otun-xx-xx.GMP-name.tld"
>   using certificate "CN=pa-otun-xx-xx.GMP-name.tld"
>   using trusted ca certificate "C=de, O=Game Company, CN=GMP-Short CA 2015"
> checking certificate status of "CN=pa-otun-xx-xx.GMP-name.tld"
> certificate status is not available
>   reached self-signed root ca with a path length of 0
> signature validation failed, looking for another key
>   using certificate "CN=pa-otun-xx-xx.GMP-name.tld"
>   using trusted ca certificate "C=de, O=Game Company, CN=GMP-Short CA 2015"
> checking certificate status of "CN=pa-otun-xx-xx.GMP-name.tld"
> certificate status is not available
>   reached self-signed root ca with a path length of 0
> signature validation failed, looking for another key
> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
> sending packet: from 217.xxx.xxx.20[500] to 82.xxx.xxx.44[500] (96 bytes)
> establishing connection 'game_cmp_test' failed
> 
> this is the configuration:
> conn game_cmp_test
>         left=217.xxx.xxx.20
>         leftsubnet=192.168.170.0/24
>         leftcert=/etc/strongswan/ipsec.d/certs/GMP-name-cert.pem
>         right=82.xxx.xxx.44
>         #rightsubnet=192.168.180.0/24
>         rightsubnet=192.168.14.0/24
>         rightid="pa-otun-xx-xx.GMP-name.tld"
>         authby=pubkey
>         auto=start
>         ikelifetime=28800s
>         keylife=3600s
>         keyexchange=ikev2
>         ike=aes256-sha512-modp2048!
>         esp=aes256-sha512-modp2048!
> 
> Is there something wrong with the certificate?
> 
> Any suggestions are really really welcome
> 
> Kind regards
> 
> fatcharly
> 
> 
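
Because logs like the one quoted above are what such help requests usually turn on, here is an added triage helper (my own example, not part of this thread and not strongSwan code) that runs once over charon log lines and reports whether the peer's certificate chain built to a trusted CA, whether revocation data was available, and whether the peer's AUTH signature verified. The message texts it matches are the ones charon emits, as seen in the quoted output; the embedded sample is an excerpt of that log.

```python
import re

# Constructed sample: IKE_AUTH lines excerpted from the strongSwan log quoted in
# this thread (the poster had already masked the addresses).
SAMPLE_LOG = """\
received 4 cert requests for an unknown ca
authentication of '217.xxx.xxx.20' (myself) with RSA signature successful
received end entity cert "CN=pa-otun-xx-xx.GMP-name.tld"
  using certificate "CN=pa-otun-xx-xx.GMP-name.tld"
  using trusted ca certificate "C=de, O=Game Company, CN=GMP-Short CA 2015"
certificate status is not available
  reached self-signed root ca with a path length of 0
signature validation failed, looking for another key
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""

# charon messages that decide the peer-authentication outcome.
RX = {
    "peer_cert": re.compile(r'received end entity cert "([^"]+)"'),
    "trusted_ca": re.compile(r'using trusted ca certificate "([^"]+)"'),
    "chain_ok": re.compile(r'reached self-signed root ca with a path length of (\d+)'),
    "unknown_ca": re.compile(r'received (\d+) cert requests? for an unknown ca'),
    "no_status": re.compile(r'certificate status is not available'),
    "no_key": re.compile(r'no trusted \S+ public key found'),
    "sig_failed": re.compile(r'signature validation failed'),
    "peer_ok": re.compile(r"authentication of '([^']+)' with \S+ signature successful"),
    "auth_failed": re.compile(r'N\(AUTH_FAILED\)'),
}

def triage(log):
    """One pass over charon output: chain result, revocation info, verdict."""
    r = {"peer_cert": None, "trusted_ca": None, "chain_ok": False, "path_len": None,
         "unknown_ca_requests": 0, "revocation": "checked", "sig_failures": 0,
         "verdict": "incomplete"}
    for line in log.splitlines():
        hits = {k: rx.search(line) for k, rx in RX.items()}
        if hits["peer_cert"]:  r["peer_cert"] = hits["peer_cert"].group(1)
        if hits["trusted_ca"]: r["trusted_ca"] = hits["trusted_ca"].group(1)
        if hits["chain_ok"]:   r["chain_ok"], r["path_len"] = True, int(hits["chain_ok"].group(1))
        if hits["unknown_ca"]: r["unknown_ca_requests"] += int(hits["unknown_ca"].group(1))
        if hits["no_status"]:  r["revocation"] = "not available (no CRL/OCSP data)"
        if hits["sig_failed"]: r["sig_failures"] += 1
        if hits["peer_ok"]:    r["verdict"] = "peer authenticated"
        elif hits["no_key"]:   r["verdict"] = "no trusted key: chain to a trusted CA not built"
        elif hits["auth_failed"] and r["verdict"] == "incomplete":   # final outcome, once
            r["verdict"] = ("chain trusted but AUTH signature did not verify with the peer cert's key"
                            if r["chain_ok"] and r["sig_failures"] else "authentication failed")
    return r
```

On the quoted log the verdict separates a trust-chain problem (which would log "no trusted ... public key found") from what actually happened here: the chain reached a trusted root, but the signature in the peer's AUTH payload did not verify with that certificate's key.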
