[strongSwan] Roadwarrior setup with IKEv2 using certs
Alex K
rightkicktech at gmail.com
Fri Apr 3 14:25:15 CEST 2020
Hi all,

I've been trying to set up an IPsec VPN between two hosts running strongSwan 5.5.1. I was able to set up the tunnel with pre-shared keys. What I am trying to accomplish now is to have the same setup with certs instead. I tried searching the web and trying several parameters, though I am failing to find how to address the issue I am facing (the client does not connect, with the error *no private key found*), and hope I could have some assistance or pointers.

My config is as follows:
*Server side config:*

config setup

conn %default
    ikelifetime=8h
    keylife=1h
    rekeymargin=3m
    keyingtries=%forever
    ike=aes128-sha1-modp2048!
    esp=aes128-sha1-modp2048!
    fragmentation=yes
    dpdaction=clear
    keyexchange=ikev2
    authby=pubkey
    type=tunnel
    compress=no

conn ipsec-ikev2
    left=172.30.0.45
    leftid="C=GR, O=HUB, CN=172.30.0.45"
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=10.55.55.0/24
    leftfirewall=yes
    right=%any
    rightid="C=GR, O=HUB, CN=Client"
    rightsubnet=192.168.100.0/24
    rightsendcert=never
    auto=add

/etc/ipsec.secrets:

: RSA server-key.pem
The server keys/certs were generated as follows:

cd /etc/ipsec.d/
ipsec pki --gen --type rsa --size 4096 --outform pem > private/ca-key.pem
chmod 600 private/ca-key.pem
ipsec pki --self --in private/ca-key.pem --dn "C=GR, O=HUB, CN=172.30.0.45" --lifetime 3650 --ca \
    --outform pem > cacerts/ca-cert.pem
ipsec pki --gen --type rsa --size 2048 --outform pem > private/server-key.pem
ipsec pki --pub --in private/server-key.pem | ipsec pki --issue --cacert cacerts/ca-cert.pem \
    --cakey private/ca-key.pem --lifetime 365 --dn "C=GR, O=HUB, CN=172.30.0.45" --san="172.30.0.45" \
    --flag serverAuth --flag ikeIntermediate --outform pem > certs/server-cert.pem
The server's IP address is 172.30.0.45, while the client is behind NAT and has IP 192.168.28.14, which is then NATed to 172.30.0.180.
*Client side config:*

conn %default
    ikelifetime=8h
    keyingtries=%forever
    ike=aes128-sha1-modp2048!
    esp=aes128-sha1-modp2048!
    dpdaction=restart
    compress=no
    fragmentation=yes
    leftfirewall=yes

conn ipsec-ikev2
    keyexchange=ikev2
    authby=pubkey
    type=tunnel
    left=%any
    leftid="C=GR, O=HUB, CN=Client"
    #leftca=ca-cert.pem
    #leftcert=client-cert.pem
    leftsubnet=192.168.100.0/24
    right=172.30.0.45
    rightid="C=GR, O=HUB, CN=172.30.0.45"
    rightsubnet=10.55.55.0/24
    auto=start

cat /etc/ipsec.secrets

# : P12 client-cert.p12 12345678
: RSA client-key.pem
The client keys were generated as follows:

cd /etc/ipsec.d/
mkdir certs/clients/
ipsec pki --gen --type rsa --size 2048 --outform pem > /etc/ipsec.d/certs/clients/client-key.pem
ipsec pki --pub --in /etc/ipsec.d/certs/clients/client-key.pem | ipsec pki --issue \
    --cacert cacerts/ca-cert.pem --cakey private/ca-key.pem \
    --lifetime 365 --dn "C=GR, O=HUB, CN=Client" --san="Client" --outform pem \
    > /etc/ipsec.d/certs/clients/client-cert.pem
openssl pkcs12 -export -inkey /etc/ipsec.d/certs/clients/client-key.pem \
    -in /etc/ipsec.d/certs/clients/client-cert.pem -name "Client" -certfile cacerts/ca-cert.pem \
    -caname "172.30.0.45" -out /etc/ipsec.d/certs/clients/client-cert.p12

I had packaged the client keys with the passphrase "12345678" for testing.

In both cases, either with P12 or RSA in the secrets file, I get the following logged on the client side:
Apr 3 12:01:42 Client-VM charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-3-amd64, x86_64)
Apr 3 12:01:42 Client-VM charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr 3 12:01:42 Client-VM charon: 00[CFG] loaded ca certificate "C=GR, O=HUB, CN=172.30.0.45" from '/etc/ipsec.d/cacerts/ca-cert.pem'
Apr 3 12:01:42 Client-VM charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr 3 12:01:42 Client-VM charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr 3 12:01:42 Client-VM charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr 3 12:01:42 Client-VM charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr 3 12:01:42 Client-VM charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Apr 3 12:01:42 Client-VM charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/client-key.pem'
Apr 3 12:01:42 Client-VM charon: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Apr 3 12:01:42 Client-VM charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Apr 3 12:01:42 Client-VM charon: 00[JOB] spawning 16 worker threads
Apr 3 12:01:42 Client-VM charon: 06[CFG] received stroke: add connection 'ipsec-ikev2'
Apr 3 12:01:42 Client-VM charon: 06[CFG] added configuration 'ipsec-ikev2'
Apr 3 12:01:42 Client-VM charon: 08[CFG] received stroke: initiate 'ipsec-ikev2'
Apr 3 12:01:42 Client-VM charon: 08[IKE] initiating IKE_SA ipsec-ikev2[1] to 172.30.0.45
Apr 3 12:01:42 Client-VM charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 3 12:01:42 Client-VM charon: 08[NET] sending packet: from 192.168.28.14[500] to 172.30.0.45[500] (464 bytes)
Apr 3 12:01:42 Client-VM charon: 10[NET] received packet: from 172.30.0.45[500] to 192.168.28.14[500] (464 bytes)
Apr 3 12:01:42 Client-VM charon: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Apr 3 12:01:42 Client-VM charon: 10[IKE] local host is behind NAT, sending keep alives
Apr 3 12:01:42 Client-VM charon: 10[IKE] sending cert request for "C=GR, O=HUB, CN=172.30.0.45"
*Apr 3 12:01:42 Client-VM charon: 10[IKE] no private key found for 'C=GR, O=HUB, CN=Client'*
While the server logs:
Apr 3 07:01:34 debian9 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-12-amd64, x86_64)
Apr 3 07:01:34 debian9 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr 3 07:01:34 debian9 charon: 00[CFG] loaded ca certificate "C=GR, O=HUB, CN=172.30.0.45" from '/etc/ipsec.d/cacerts/ca-cert.pem'
Apr 3 07:01:34 debian9 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr 3 07:01:34 debian9 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr 3 07:01:34 debian9 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr 3 07:01:34 debian9 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr 3 07:01:34 debian9 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Apr 3 07:01:34 debian9 charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/server-key.pem'
Apr 3 07:01:34 debian9 charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Apr 3 07:01:34 debian9 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Apr 3 07:01:34 debian9 charon: 00[JOB] spawning 16 worker threads
Apr 3 07:01:34 debian9 charon: 05[CFG] received stroke: add connection 'ipsec-ikev2'
Apr 3 07:01:34 debian9 charon: 05[CFG] loaded certificate "C=GR, O=HUB, CN=172.30.0.45" from 'server-cert.pem'
Apr 3 07:01:34 debian9 charon: 05[CFG] added configuration 'ipsec-ikev2'
and on the client's connection attempt:

Apr 3 07:01:42 debian9 charon: 07[NET] received packet: from 172.30.0.180[500] to 172.30.0.45[500] (464 bytes)
Apr 3 07:01:42 debian9 charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 3 07:01:42 debian9 charon: 07[IKE] 172.30.0.180 is initiating an IKE_SA
Apr 3 07:01:42 debian9 charon: 07[IKE] remote host is behind NAT
Apr 3 07:01:42 debian9 charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Apr 3 07:01:42 debian9 charon: 07[NET] sending packet: from 172.30.0.45[500] to 172.30.0.180[500] (464 bytes)
Apr 3 07:02:12 debian9 charon: 08[JOB] deleting half open IKE_SA after timeout
I've configured the firewall (iptables, stateful) to allow all outgoing traffic from the client to the server.

Not sure if I could provide anything in addition to help isolate the issue.
Thank you for your patience and appreciate any help.
Alex
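Editor's note with an added example (not part of the post above, and not strongSwan code). With authby=pubkey, charon only picks up end-entity certificates that a conn references through leftcert/rightcert; at startup it auto-loads cacerts, aacerts, ocspcerts, acerts and crls (visible in both logs above) and the server log shows its server-cert.pem being loaded only when the connection is added. It then has to find, among the keys listed in ipsec.secrets, the private key whose public half matches that certificate, and "no private key found for '<id>'" is what it logs when that lookup fails. The script below checks the three conditions that lookup depends on for one side of a conn before `ipsec up`: the certificate subject equals the configured id, the key file belongs to that certificate, and the certificate chains to the CA. It deliberately uses only the openssl CLI (assumed installed) rather than `ipsec pki`, so it also runs on a host without strongSwan; the make_fixture function builds throwaway test material (a CA named "C=GR, O=HUB, CN=HUB Root CA", a client certificate issued by it and an unrelated key, all constructed here and not taken from the post).

```shell
#!/bin/sh
# Added pre-flight check for one side of a strongSwan pubkey conn.
# Not from the original post and not part of strongSwan; uses only the
# openssl CLI (assumed installed) instead of `ipsec pki`.
set -e

# Normalise a DN so "C=GR, O=HUB, CN=Client" and "C = GR, O = HUB, CN = Client"
# compare equal: strip spaces around '=' and after ','.
dn_norm() {
    printf '%s' "$1" | sed 's/ *= */=/g; s/, */,/g'
}

# Subject / issuer DN of a PEM certificate, in certificate order
# (the same order charon prints in its log).
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt oneline | sed 's/^subject= *//'
}
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt oneline | sed 's/^issuer= *//'
}

# Succeeds only if the private key's public half equals the key in the
# certificate: the pairing charon must find for the local identity.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Succeeds only if the certificate subject equals the leftid/rightid string.
id_matches_cert() {
    [ "$(dn_norm "$1")" = "$(dn_norm "$(cert_subject "$2")")" ]
}

# Succeeds only if the end-entity certificate verifies against the CA file.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Runs every check for one side of a conn; returns the number of failures.
# Usage: preflight '<leftid DN>' <key.pem> <cert.pem> <ca-cert.pem>
preflight() {
    id=$1; key=$2; cert=$3; ca=$4; failed=0
    if id_matches_cert "$id" "$cert"; then echo "ok   id matches cert subject"
    else echo "FAIL id '$id' != cert subject '$(cert_subject "$cert")'"; failed=$((failed+1)); fi
    if key_matches_cert "$key" "$cert"; then echo "ok   key belongs to cert"
    else echo "FAIL $key does not belong to $cert"; failed=$((failed+1)); fi
    if cert_chains_to_ca "$ca" "$cert"; then echo "ok   cert chains to CA"
    else echo "FAIL $cert does not verify against $ca"; failed=$((failed+1)); fi
    # Not an error, but a leaf that reuses its CA's DN makes a DN-based id
    # name two different certificates; worth knowing when reading the logs.
    if [ "$(dn_norm "$(cert_subject "$cert")")" = "$(dn_norm "$(cert_issuer "$cert")")" ]; then
        echo "warn cert subject equals its issuer DN"
    fi
    return $failed
}

# Constructed test material (assumption: names chosen for this example): a
# throwaway CA, a client cert issued by it, and an unrelated key standing in
# for "ipsec.secrets points at the wrong file". Prints the directory.
make_fixture() {
    dir=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/ca-key.pem" 2>/dev/null
    openssl req -new -x509 -key "$dir/ca-key.pem" -days 3650 \
        -subj "/C=GR/O=HUB/CN=HUB Root CA" -out "$dir/ca-cert.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/client-key.pem" 2>/dev/null
    openssl req -new -key "$dir/client-key.pem" -subj "/C=GR/O=HUB/CN=Client" \
        -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
        -CAcreateserial -days 365 -out "$dir/client-cert.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/other-key.pem" 2>/dev/null
    echo "$dir"
}
```

On a real client, call `preflight` with the id from leftid and the exact files that ipsec.secrets and leftcert point at (in the post above, secrets loads /etc/ipsec.d/private/client-key.pem while the key was generated under certs/clients/, so check the copy charon actually reads). The script cannot tell you that leftcert is unset, only whether the files you intend to use fit together; if all three checks pass and charon still reports no private key, confirm the conn really references the certificate.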