[strongSwan] Problem authentication strongswan5.7.2-1.el7 x509
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Oct 30 14:18:33 CET 2019
Hello Fatcharly,
Please follow the instructions on the HelpRequests[1] page on the wiki.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
On 30.10.19 at 10:27, fatcharly at gmx.de wrote:
> Hi,
>
> I'm using strongswan-5.7.2-1.el7.x86_64 on CentOS 7.7.1908 (Core) to build a VPN tunnel to a partner site. We are using certificates for the authentication, but I'm running into a problem here and I think it's on my side, so I need some help from you.
>
> This is the information I get when I start the connection:
>
>>> strongswan up game_cmp_test
> initiating IKE_SA game_cmp_test[18] to 82.xxx.xxx.44
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 217.xxx.xxx.20[500] to 82.xxx.xxx.44[500] (464 bytes)
> received packet: from 82.xxx.xxx.44[500] to 217.xxx.xxx.20[500] (489 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(HTTP_CERT_LOOK) ]
> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
> received cert request for "C=de, O=Game Company, CN=GMP-Short CA 2015"
> received 4 cert requests for an unknown ca
> sending cert request for "C=de, O=Game Company, CN=GMP-Short CA 2015"
> authentication of '217.xxx.xxx.20' (myself) with RSA signature successful
> sending end entity cert "C=DE, ST=Hamburg, L=Hamburg, O=ourCompany OU=section , CN=ourhost.tld"
> establishing CHILD_SA game_cmp_test{21}
> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> sending packet: from 217.xxx.xxx.20[500] to 82.xxx.xxx.44[500] (1648 bytes)
> received packet: from 82.xxx.xxx.44[500] to 217.xxx.xxx.20[500] (1520 bytes)
> parsed IKE_AUTH response 1 [ IDr CERT AUTH N(ESP_TFC_PAD_N) SA TSi TSr ]
> received end entity cert "CN=pa-otun-xx-xx.GMP-name.tld"
> using certificate "CN=pa-otun-xx-xx.GMP-name.tld"
> using trusted ca certificate "C=de, O=Game Company, CN=GMP-Short CA 2015"
> checking certificate status of "CN=pa-otun-xx-xx.GMP-name.tld"
> certificate status is not available
> reached self-signed root ca with a path length of 0
> signature validation failed, looking for another key
> using certificate "CN=pa-otun-xx-xx.GMP-name.tld"
> using trusted ca certificate "C=de, O=Game Company, CN=GMP-Short CA 2015"
> checking certificate status of "CN=pa-otun-xx-xx.GMP-name.tld"
> certificate status is not available
> reached self-signed root ca with a path length of 0
> signature validation failed, looking for another key
> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
> sending packet: from 217.xxx.xxx.20[500] to 82.xxx.xxx.44[500] (96 bytes)
> establishing connection 'game_cmp_test' failed
>
> this is the configuration:
> conn game_cmp_test
>     # local side: public address, protected subnet, end-entity certificate
>     left=217.xxx.xxx.20
>     leftsubnet=192.168.170.0/24
>     leftcert=/etc/strongswan/ipsec.d/certs/GMP-name-cert.pem
>     # remote side: partner gateway, protected subnet, expected IDr
>     right=82.xxx.xxx.44
>     #rightsubnet=192.168.180.0/24
>     rightsubnet=192.168.14.0/24
>     rightid="pa-otun-xx-xx.GMP-name.tld"
>     # certificate (RSA signature) authentication on both sides
>     authby=pubkey
>     auto=start
>     ikelifetime=28800s
>     keylife=3600s
>     keyexchange=ikev2
>     ike=aes256-sha512-modp2048!
>     esp=aes256-sha512-modp2048!
>
> Is there something wrong with the certificate?
>
> Any suggestions are really really welcome
>
> Kind regards
>
> fatcharly
>
>
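Added worked example (editor's note; not part of the thread above and not strongSwan project code). In the pasted log, "reached self-signed root ca with a path length of 0" is strongSwan's credential manager reporting that the peer's end-entity certificate chains directly to the trusted "GMP-Short CA 2015" root, whereas the following "signature validation failed, looking for another key" comes from the IKEv2 public-key authenticator: the peer's AUTH payload does not verify under the public key carried in that certificate, so strongSwan tries any other key it can find for the peer identity and finally sends AUTH_FAILED. Those are two different checks, and the script below separates them with openssl so each side can confirm them offline: whether a certificate chains to a given CA file, and whether a private key really belongs to a certificate (the second check can only be run on the host that holds the key, so for the rightid certificate that is the partner). All file names, the function names and the throw-away PKI built by make_test_pki are constructed for this example.

```shell
#!/bin/sh
# Editor's example, not from the thread. Offline checks for the two stages
# visible in the strongSwan log, using only openssl. File names are assumptions.
#
#   chain_verify   CA.pem CERT.pem   - does CERT chain to CA? (the stage logged
#                                      as "reached self-signed root ca")
#   cert_key_match CERT.pem KEY.pem  - does KEY belong to CERT? A signature made
#                                      with a key that does not match the sent
#                                      certificate fails like the AUTH payload did.
#   show_ids       CERT.pem          - subject and issuer, as strongSwan prints them

sha256_of_stdin() {
    # Hex SHA-256 of stdin; empty string if openssl fails.
    openssl dgst -sha256 2>/dev/null | awk '{ print $NF }'
}

chain_verify() {
    ca=$1; cert=$2
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

cert_key_match() {
    # Compare the SubjectPublicKeyInfo in the certificate with the public half
    # of the private key, both in DER so the comparison is canonical.
    cert=$1; key=$2
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | sha256_of_stdin)
    k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | sha256_of_stdin)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

show_ids() {
    openssl x509 -in "$1" -noout -subject -issuer
}

make_test_pki() {
    # Constructed throw-away PKI in directory $1: a self-signed CA, a leaf it
    # signed (key peer.key) and an unrelated key other.key. The DNs mirror the
    # log only for readability; nothing here is the partner's real material.
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=de/O=Game Company/CN=GMP-Short CA 2015" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=pa-otun-xx-xx.GMP-name.tld" \
        -keyout "$dir/peer.key" -out "$dir/peer.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/peer.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/peer.pem" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -out "$dir/other.key" >/dev/null 2>&1
}

report() {
    # Run a check and print OK/FAIL with the command that was run.
    if "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi
}

demo() {
    d=$(mktemp -d)
    make_test_pki "$d"
    show_ids "$d/peer.pem"
    report chain_verify "$d/ca.pem" "$d/peer.pem"       # chain builds: OK
    report cert_key_match "$d/peer.pem" "$d/peer.key"   # matching key: OK
    report cert_key_match "$d/peer.pem" "$d/other.key"  # wrong key: FAIL
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh certcheck.sh demo` to see the three outcomes on the constructed PKI, or source it and call chain_verify and cert_key_match on real files. On the local gateway, `strongswan listcerts` and `strongswan listcacerts` show which end-entity and CA certificates the daemon actually loaded, which is the fastest way to spot a stale or duplicate CA file under /etc/strongswan/ipsec.d/cacerts/; for the peer's certificate, a passing chain_verify against the same CA file that strongSwan loaded confirms that the chain is not the problem and that the question to put to the partner is whether the key their gateway signs with is the one belonging to the certificate they send.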