[strongSwan] no IDr configured, fall back on IP address - revisit

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Oct 30 14:22:16 CET 2019 

Hello L.,

Make sure you have the private key for your certificate registered in ipsec.secrets.
Your config has a couple of problems:
1) rightid="C=Shire, O=NRR, CN=*": Wildcards are not supported. Put the actual SAN or DN in the rightid field.
2) No configured leftid on the responder: Set leftid to the value that the remote peer expects. E.g. what you configured in rightid.
   It has to be authenticated by the certificate.

Kind regards

Noel

Am 29.10.19 um 19:18 schrieb lejeczek:
> hi everyone,
> 
> I've asked a long time ago, was not urgent and I did put it off.
> 
> I have a relatively simple config, on the server:
> 
> conn to_NRR
>  
> ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
> 
>  
> esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
> 
>  
>   dpdaction=clear
>   dpddelay=300s
>   rekey=no
>  
>   left=%any
>   #leftsubnet=0.0.0.0/0
>   leftsubnet=10.5.8.0/24
>   leftcert="NRR-vpn-clusterserver.cert.der"
>  
>   right=%any
>   rightdns=10.5.8.204
>   rightsourceip=10.5.8.220,10.5.8.221
>  
> conn IPSec-IKEv2
>     keyexchange=ikev2
>     auto=add
>  
> conn IPSec-IKEv2-EAP
>     also="IPSec-IKEv2"
>     #rightauth=eap-mschapv2
>     #rightauthby2=pubkey
>     rightauth=pubkey
>     #rightauthby2=eap-mschapv2
>     rightsendcert=never
>     eap_identity=%any
>  
> conn CiscoIPSec
>     keyexchange=ikev1
>     forceencaps=yes
>     authby=xauthrsasig
>     xauth=server
>     auto=add
> 
> and when roadwarrior connects then server logs shows:
> 
> ...
> 
> 2[IKE] received cert request for "C=Shire, O=NRR,
> CN=private.private.tam.cos"
> 12[IKE] received 1 cert requests for an unknown ca
> 12[IKE] received end entity cert "C=Shire, O=NRR,
> CN=sucker at private.private.tam.cos"
> 12[CFG] looking for peer configs matching
> 192.168.2.202[%any]...10.4.4.21[C=Shire, O=NRR,
> CN=sucker at private.private.tam.cos]
> 12[CFG]   candidate "IPSec-IKEv2", match: 1/1/28 (me/other/ike)
> 12[CFG]   candidate "IPSec-IKEv2-EAP", match: 1/1/28 (me/other/ike)
> 12[CFG] selected peer config 'IPSec-IKEv2'
> 12[CFG]   using certificate "C=Shire, O=NRR,
> CN=sucker at private.private.tam.cos"
> 12[CFG]   certificate "C=Shire, O=NRR,
> CN=sucker at private.private.tam.cos" key: 2048 bit RSA
> 12[CFG]   using trusted ca certificate "C=Shire, O=NRR,
> CN=private.private.tam.cos"
> 12[CFG] checking certificate status of "C=Shire, O=NRR,
> CN=sucker at private.private.tam.cos"
> 12[CFG] ocsp check skipped, no ocsp found
> 12[CFG] certificate status is not available
> 12[CFG]   certificate "C=Shire, O=NRR, CN=private.private.tam.cos" key:
> 2048 bit RSA
> 12[CFG]   reached self-signed root ca with a path length of 0
> 12[IKE] authentication of 'C=Shire, O=NRR,
> CN=sucker at private.private.tam.cos' with RSA_EMSA_PKCS1_SHA2_256 successful
> 12[IKE] processing INTERNAL_IP4_ADDRESS attribute
> 12[IKE] processing INTERNAL_IP4_DNS attribute
> 12[IKE] peer supports MOBIKE
> 12[IKE] got additional MOBIKE peer address: 10.0.16.6
> 12[IKE] got additional MOBIKE peer address: 10.5.10.49
> 12[CFG] no IDr configured, fall back on IP address
> 12[IKE] no private key found for '192.168.2.202'
> 12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 12[NET] sending packet: from 192.168.2.202[4500] to 10.4.4.21[4500] (80
> bytes)
> 12[MGR] checkin and destroy IKE_SA IPSec-IKEv2[2]
> 12[IKE] IKE_SA IPSec-IKEv2[2] state change: CONNECTING => DESTROYING
> 03[NET] sending packet: from 192.168.2.202[4500] to 10.4.4.21[4500]
> 12[MGR] checkin and destroy of IKE_SA successful
> 07[MGR] checkout IKEv2 SA with SPIs a1791cef0af46d08_i f11cc222ffacd5bf_r
> 07[MGR] IKE_SA checkout not successful
> 
> and the roadwarrior's config is:
> 
> conn to_NRR
>   leftsourceip=%config                # This will take an IP from the ip
> pool on server
>   leftcert="sucker at openstack.der"        # The user cert we copied in
>   leftfirewall=yes
>  
>   right=192.168.2.202                # The location of the host, FQDN or
> IP 
>   rightid="C=Shire, O=NRR, CN=*"              # the Altname used by the
> ipsec host
>   rightsubnet=10.5.8.0/24          # the subnet on the servers side you
> want to access. 
>  
>   auto=add
>   #type=route
>   type=passthrough
> 
> and roadwarrior says:
> 
> initiating IKE_SA to_nrr[1] to 192.168.2.202
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 10.0.0.5[500] to 192.168.2.202[500] (1064 bytes)
> received packet: from 192.168.2.202[500] to 10.0.0.5[500] (297 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> selected proposal:
> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
> local host is behind NAT, sending keep alives
> received cert request for "C=Shire, O=nrr, CN=private.private.tam.cos"
> sending cert request for "C=shire, O=strongswan, CN=vpn"
> sending cert request for "C=Shire, O=nrr, CN=private.private.tam.cos"
> authentication of 'C=Shire, O=nrr, CN=sucker at private.private.tam.cos'
> (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
> sending end entity cert "C=Shire, O=nrr, CN=sucker at private.private.tam.cos"
> establishing CHILD_SA to_nrr{1}
> generating IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH CPRQ(ADDR DNS) SA
> TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH)
> N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> splitting IKE message (1664 bytes) into 2 fragments
> generating IKE_AUTH request 1 [ EF(1/2) ]
> generating IKE_AUTH request 1 [ EF(2/2) ]
> sending packet: from 10.0.0.5[4500] to 192.168.2.202[4500] (1236 bytes)
> sending packet: from 10.0.0.5[4500] to 192.168.2.202[4500] (500 bytes)
> received packet: from 192.168.2.202[4500] to 10.0.0.5[4500] (80 bytes)
> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error
> establishing connection 'to_nrr' failed 
> 
> 
> That - 12[IKE] no private key found for '192.168.2.202' - it's the IP of
> the server thus I presume something there?
> 
> Certificates seem to load on both ends okey. Both ends are Centos 7 with
> U5.7.2/K3.10.0-514.26.2.el7.x86_64
> 
> Could this be some kind of a bug or I've gone blind(from tiredness) ?
> 
> many thanks, L.
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20191030/f5ca535c/attachment.sig>

More information about the Users mailing list