[strongSwan] Roadwarrior setup with IKEv2 using certs
Alex K
rightkicktech at gmail.com
Fri Apr 3 14:47:35 CEST 2020
When changing the client config as follows, the logs change as shown further
down:
conn %default
    ikelifetime=8h
    keyingtries=%forever
    ike=aes128-sha1-modp2048!
    esp=aes128-sha1-modp2048!
    dpdaction=restart
    compress=no
    fragmentation=yes
    leftfirewall=yes

conn ipsec-ikev2
    keyexchange=ikev2
    authby=pubkey
    type=tunnel
    left=%any
    leftid="C=GR, O=HUB, CN=Client"
    leftca=ca-cert.pem
    leftcert=client-cert.pem
    leftsubnet=192.168.100.0/24
    right=172.30.0.45
    rightid="C=GR, O=HUB, CN=172.30.0.45"
    rightsubnet=10.55.55.0/24
    auto=start
Client logs:
Apr 3 12:43:01 Client-VM charon: 08[IKE] sending cert request for "C=GR,
O=HUB, CN=172.30.0.45"
Apr 3 12:43:01 Client-VM charon: 08[IKE] authentication of 'C=GR, O=HUB,
CN=Client' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Apr 3 12:43:01 Client-VM charon: 08[IKE] establishing CHILD_SA ipsec-ikev2
Apr 3 12:43:01 Client-VM charon: 08[ENC] generating IKE_AUTH request 1 [
IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP)
N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Apr 3 12:43:01 Client-VM charon: 08[NET] sending packet: from
192.168.28.14[4500] to 172.30.0.45[4500] (620 bytes)
Apr 3 12:43:01 Client-VM charon: 09[NET] received packet: from
172.30.0.45[4500] to 192.168.28.14[4500] (76 bytes)
Apr 3 12:43:01 Client-VM charon: 09[ENC] parsed IKE_AUTH response 1 [
N(AUTH_FAILED) ]
Apr 3 12:43:01 Client-VM charon: 09[IKE] received AUTHENTICATION_FAILED
notify error
While the server seems unable to find a corresponding public key:
Apr 3 07:43:01 debian9 charon: 05[IKE] received cert request for "C=GR,
O=HUB, CN=172.30.0.45"
Apr 3 07:43:01 debian9 charon: 05[CFG] looking for peer configs matching
172.30.0.45[C=GR, O=HUB, CN=172.30.0.45]...172.30.0.180[C=GR, O=HUB,
CN=Client]
Apr 3 07:43:01 debian9 charon: 05[CFG] selected peer config 'ipsec-ikev2'
Apr 3 07:43:01 debian9 charon: 05[IKE] no trusted RSA public key found
for 'C=GR, O=HUB, CN=Client'
Apr 3 07:43:01 debian9 charon: 05[IKE] peer supports MOBIKE
Apr 3 07:43:01 debian9 charon: 05[ENC] generating IKE_AUTH response 1 [
N(AUTH_FAILED) ]
Apr 3 07:43:01 debian9 charon: 05[NET] sending packet: from
172.30.0.45[4500] to 172.30.0.180[4500] (76 bytes)
I'm not sure what I am missing.
Alex
On Fri, Apr 3, 2020 at 3:25 PM Alex K <rightkicktech at gmail.com> wrote:
> Hi all,
>
> I've been trying to set up an IPsec VPN between two hosts, running
> strongswan 5.5.1. I was able to set up the tunnel with pre-shared keys. What
> I am now trying to accomplish is to have the same setup with certs instead. I
> have tried searching the web and trying several parameters, though I am failing
> to find how to address the issue I am facing (the client does not connect, with
> the error: 'no private key found') and hope I could have some assistance
> or pointers.
>
> My config is as follows:
>
> Server side config:
> config setup
>
> conn %default
>     ikelifetime=8h
>     keylife=1h
>     rekeymargin=3m
>     keyingtries=%forever
>     ike=aes128-sha1-modp2048!
>     esp=aes128-sha1-modp2048!
>     fragmentation=yes
>     dpdaction=clear
>     keyexchange=ikev2
>     authby=pubkey
>     type=tunnel
>     compress=no
>
> conn ipsec-ikev2
>     left=172.30.0.45
>     leftid="C=GR, O=HUB, CN=172.30.0.45"
>     leftcert=server-cert.pem
>     leftsendcert=always
>     leftsubnet=10.55.55.0/24
>     leftfirewall=yes
>     right=%any
>     rightid="C=GR, O=HUB, CN=Client"
>     rightsubnet=192.168.100.0/24
>     rightsendcert=never
>     auto=add
>
> /etc/ipsec.secrets:
> : RSA server-key.pem
>
> The server keys/certs were generated as follows:
>
> cd /etc/ipsec.d/
> ipsec pki --gen --type rsa --size 4096 --outform pem > private/ca-key.pem
> chmod 600 private/ca-key.pem
> ipsec pki --self --in private/ca-key.pem --dn "C=GR, O=HUB, CN=172.30.0.45" \
>     --lifetime 3650 --ca --outform pem > cacerts/ca-cert.pem
> ipsec pki --gen --type rsa --size 2048 --outform pem > private/server-key.pem
> ipsec pki --pub --in private/server-key.pem | ipsec pki --issue \
>     --cacert cacerts/ca-cert.pem --cakey private/ca-key.pem --lifetime 365 \
>     --dn "C=GR, O=HUB, CN=172.30.0.45" --san="172.30.0.45" \
>     --flag serverAuth --flag ikeIntermediate --outform pem > certs/server-cert.pem
>
> The server's IP address is 172.30.0.45, while the client is behind NAT and
> has IP 192.168.28.14 which is then NATed at 172.30.0.180.
>
> Client side config:
> conn %default
>     ikelifetime=8h
>     keyingtries=%forever
>     ike=aes128-sha1-modp2048!
>     esp=aes128-sha1-modp2048!
>     dpdaction=restart
>     compress=no
>     fragmentation=yes
>     leftfirewall=yes
>
> conn ipsec-ikev2
>     keyexchange=ikev2
>     authby=pubkey
>     type=tunnel
>     left=%any
>     leftid="C=GR, O=HUB, CN=Client"
>     #leftca=ca-cert.pem
>     #leftcert=client-cert.pem
>     leftsubnet=192.168.100.0/24
>     right=172.30.0.45
>     rightid="C=GR, O=HUB, CN=172.30.0.45"
>     rightsubnet=10.55.55.0/24
>     auto=start
>
> cat /etc/ipsec.secrets
> # : P12 client-cert.p12 12345678
> : RSA client-key.pem
>
> The client keys were generated as follows:
> cd /etc/ipsec.d/
> mkdir certs/clients/
> ipsec pki --gen --type rsa --size 2048 --outform pem \
>     > /etc/ipsec.d/certs/clients/client-key.pem
> ipsec pki --pub --in /etc/ipsec.d/certs/clients/client-key.pem | ipsec pki --issue \
>     --cacert cacerts/ca-cert.pem --cakey private/ca-key.pem \
>     --lifetime 365 --dn "C=GR, O=HUB, CN=Client" --san="Client" --outform pem \
>     > /etc/ipsec.d/certs/clients/client-cert.pem
> openssl pkcs12 -export -inkey /etc/ipsec.d/certs/clients/client-key.pem \
>     -in /etc/ipsec.d/certs/clients/client-cert.pem -name "Client" \
>     -certfile cacerts/ca-cert.pem -caname "172.30.0.45" \
>     -out /etc/ipsec.d/certs/clients/client-cert.p12
>
> I had packaged the client keys with the passphrase "12345678" for
> testing. In both cases, either with P12 or RSA in the secrets file, I get the
> following logged at the client side:
>
> Apr 3 12:01:42 Client-VM charon: 00[DMN] Starting IKE charon daemon
> (strongSwan 5.5.1, Linux 4.9.0-3-amd64, x86_64)
> Apr 3 12:01:42 Client-VM charon: 00[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
> Apr 3 12:01:42 Client-VM charon: 00[CFG] loaded ca certificate "C=GR,
> O=HUB, CN=172.30.0.45" from '/etc/ipsec.d/cacerts/ca-cert.pem'
> Apr 3 12:01:42 Client-VM charon: 00[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
> Apr 3 12:01:42 Client-VM charon: 00[CFG] loading ocsp signer certificates
> from '/etc/ipsec.d/ocspcerts'
> Apr 3 12:01:42 Client-VM charon: 00[CFG] loading attribute certificates
> from '/etc/ipsec.d/acerts'
> Apr 3 12:01:42 Client-VM charon: 00[CFG] loading crls from
> '/etc/ipsec.d/crls'
> Apr 3 12:01:42 Client-VM charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> Apr 3 12:01:42 Client-VM charon: 00[CFG] loaded RSA private key from
> '/etc/ipsec.d/private/client-key.pem'
> Apr 3 12:01:42 Client-VM charon: 00[LIB] loaded plugins: charon aes rc2
> sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7
> pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm
> attr kernel-netlink resolve socket-default connmark stroke updown
> Apr 3 12:01:42 Client-VM charon: 00[LIB] dropped capabilities, running as
> uid 0, gid 0
> Apr 3 12:01:42 Client-VM charon: 00[JOB] spawning 16 worker threads
> Apr 3 12:01:42 Client-VM charon: 06[CFG] received stroke: add connection
> 'ipsec-ikev2'
> Apr 3 12:01:42 Client-VM charon: 06[CFG] added configuration 'ipsec-ikev2'
> Apr 3 12:01:42 Client-VM charon: 08[CFG] received stroke: initiate
> 'ipsec-ikev2'
> Apr 3 12:01:42 Client-VM charon: 08[IKE] initiating IKE_SA ipsec-ikev2[1]
> to 172.30.0.45
> Apr 3 12:01:42 Client-VM charon: 08[ENC] generating IKE_SA_INIT request 0
> [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Apr 3 12:01:42 Client-VM charon: 08[NET] sending packet: from
> 192.168.28.14[500] to 172.30.0.45[500] (464 bytes)
> Apr 3 12:01:42 Client-VM charon: 10[NET] received packet: from
> 172.30.0.45[500] to 192.168.28.14[500] (464 bytes)
> Apr 3 12:01:42 Client-VM charon: 10[ENC] parsed IKE_SA_INIT response 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> Apr 3 12:01:42 Client-VM charon: 10[IKE] local host is behind NAT,
> sending keep alives
> Apr 3 12:01:42 Client-VM charon: 10[IKE] sending cert request for "C=GR,
> O=HUB, CN=172.30.0.45"
> Apr 3 12:01:42 Client-VM charon: 10[IKE] no private key found for 'C=GR,
> O=HUB, CN=Client'
>
> While the server logs:
> Apr 3 07:01:34 debian9 charon: 00[DMN] Starting IKE charon daemon
> (strongSwan 5.5.1, Linux 4.9.0-12-amd64, x86_64)
> Apr 3 07:01:34 debian9 charon: 00[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
> Apr 3 07:01:34 debian9 charon: 00[CFG] loaded ca certificate "C=GR,
> O=HUB, CN=172.30.0.45" from '/etc/ipsec.d/cacerts/ca-cert.pem'
> Apr 3 07:01:34 debian9 charon: 00[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
> Apr 3 07:01:34 debian9 charon: 00[CFG] loading ocsp signer certificates
> from '/etc/ipsec.d/ocspcerts'
> Apr 3 07:01:34 debian9 charon: 00[CFG] loading attribute certificates
> from '/etc/ipsec.d/acerts'
> Apr 3 07:01:34 debian9 charon: 00[CFG] loading crls from
> '/etc/ipsec.d/crls'
> Apr 3 07:01:34 debian9 charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> Apr 3 07:01:34 debian9 charon: 00[CFG] loaded RSA private key from
> '/etc/ipsec.d/private/server-key.pem'
> Apr 3 07:01:34 debian9 charon: 00[LIB] loaded plugins: charon aesni aes
> rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1
> pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc
> hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
> Apr 3 07:01:34 debian9 charon: 00[LIB] dropped capabilities, running as
> uid 0, gid 0
> Apr 3 07:01:34 debian9 charon: 00[JOB] spawning 16 worker threads
> Apr 3 07:01:34 debian9 charon: 05[CFG] received stroke: add connection
> 'ipsec-ikev2'
> Apr 3 07:01:34 debian9 charon: 05[CFG] loaded certificate "C=GR, O=HUB,
> CN=172.30.0.45" from 'server-cert.pem'
> Apr 3 07:01:34 debian9 charon: 05[CFG] added configuration 'ipsec-ikev2'
>
> and on client connection attempt:
>
> Apr 3 07:01:42 debian9 charon: 07[NET] received packet: from
> 172.30.0.180[500] to 172.30.0.45[500] (464 bytes)
> Apr 3 07:01:42 debian9 charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Apr 3 07:01:42 debian9 charon: 07[IKE] 172.30.0.180 is initiating an
> IKE_SA
> Apr 3 07:01:42 debian9 charon: 07[IKE] remote host is behind NAT
> Apr 3 07:01:42 debian9 charon: 07[ENC] generating IKE_SA_INIT response 0
> [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> Apr 3 07:01:42 debian9 charon: 07[NET] sending packet: from
> 172.30.0.45[500] to 172.30.0.180[500] (464 bytes)
> Apr 3 07:02:12 debian9 charon: 08[JOB] deleting half open IKE_SA after
> timeout
>
> I've configured the firewall (iptables stateful) to allow all outgoing
> traffic from Client to server.
> Not sure if I could provide anything in addition to help isolate the
> issue.
> Thank you for your patience and appreciate any help.
>
> Alex
>
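To make the failure mode visible in the logs above checkable, here is an added Python example (my code, not from the original post or from strongSwan). It parses the two ipsec.conf fragments and the charon log lines from the thread, embedded below as constructed copies, and reports why the server ends up without a public key for the client. It assumes, from my reading of strongSwan's stroke backend and corroborated by the absence of any "sending cert request" line in the server log, that rightsendcert=never on the server stops it from sending a CERTREQ and that leftsendcert defaults to ifasked on the client, which then never includes a CERT payload in IKE_AUTH; the "fixed" configurations are likewise my suggestion, not something the thread states.

```python
import re

# Constructed copies of the thread's ipsec.conf fragments, trimmed to the
# settings that matter for certificate exchange.
SERVER_CONF = """
config setup

conn %default
    keyexchange=ikev2
    authby=pubkey

conn ipsec-ikev2
    left=172.30.0.45
    leftid="C=GR, O=HUB, CN=172.30.0.45"
    leftcert=server-cert.pem
    leftsendcert=always
    right=%any
    rightid="C=GR, O=HUB, CN=Client"
    rightsendcert=never
    auto=add
"""
CLIENT_CONF_FIRST = """
conn ipsec-ikev2
    keyexchange=ikev2
    authby=pubkey
    left=%any
    leftid="C=GR, O=HUB, CN=Client"
    #leftcert=client-cert.pem
    right=172.30.0.45
    rightid="C=GR, O=HUB, CN=172.30.0.45"
    auto=start
"""
CLIENT_CONF_SECOND = CLIENT_CONF_FIRST.replace("#leftcert", "leftcert")
# Assumed fix, not from the thread: let the server ask for the certificate
# (drop rightsendcert=never) and make the client send it unconditionally.
SERVER_CONF_FIXED = SERVER_CONF.replace("rightsendcert=never", "")
CLIENT_CONF_FIXED = CLIENT_CONF_SECOND.replace(
    "leftcert=client-cert.pem", "leftcert=client-cert.pem\n    leftsendcert=always")

# Constructed copies of the thread's charon lines, re-joined onto one line each.
CLIENT_LOG = [
    'Apr 3 12:43:01 Client-VM charon: 08[IKE] sending cert request for "C=GR, O=HUB, CN=172.30.0.45"',
    "Apr 3 12:43:01 Client-VM charon: 08[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) "
    "CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]",
    "Apr 3 12:43:01 Client-VM charon: 09[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]",
]
SERVER_LOG = [
    "Apr 3 07:43:01 debian9 charon: 05[CFG] selected peer config 'ipsec-ikev2'",
    "Apr 3 07:43:01 debian9 charon: 05[IKE] no trusted RSA public key found for 'C=GR, O=HUB, CN=Client'",
]


def parse_ipsec_conf(text):
    """Parse ipsec.conf text into {conn: {key: value}}. 'conn %default' settings
    are inherited by every other conn, 'config setup' is skipped, and '#'
    comments and surrounding quotes are stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            sections[current] = {}
        elif line.startswith("config "):
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    default = sections.pop("%default", {})
    return {name: {**default, **conn} for name, conn in sections.items()}


def ike_auth_payloads(log_lines):
    """Payload names listed on the first 'generating IKE_AUTH request' line."""
    for line in log_lines:
        m = re.search(r"generating IKE_AUTH request \d+ \[(.*)\]", line)
        if m:
            return m.group(1).split()
    return []


def diagnose(server, client, client_log=(), server_log=()):
    """Return a list of findings for one server conn and one client conn."""
    findings = []
    payloads = ike_auth_payloads(client_log)
    if payloads and "CERT" not in payloads:
        findings.append("client IKE_AUTH request carries no CERT payload")
    if "leftcert" not in client:
        findings.append("client has no leftcert, so charon has no certificate for leftid "
                        "and cannot pick a private key ('no private key found')")
    sends = client.get("leftsendcert", "ifasked")
    asks = server.get("rightsendcert", "ifasked") != "never"  # assumption: never = no CERTREQ
    if sends in ("never", "no") or (sends == "ifasked" and not asks):
        findings.append(f"client will not send its certificate (client leftsendcert={sends}, "
                        f"server rightsendcert={server.get('rightsendcert', 'ifasked')})")
        if "rightcert" not in server:
            findings.append("server has no rightcert either, so it can only trust a client "
                            "certificate already present in its local certificate store")
    if any("no trusted RSA public key found" in line for line in server_log):
        findings.append("server log confirms no trusted public key for the client identity")
    return findings


if __name__ == "__main__":
    srv = parse_ipsec_conf(SERVER_CONF)["ipsec-ikev2"]
    for label, conf, log in (("first", CLIENT_CONF_FIRST, ()), ("second", CLIENT_CONF_SECOND, CLIENT_LOG)):
        print(f"{label} client config:")
        for finding in diagnose(srv, parse_ipsec_conf(conf)["ipsec-ikev2"], log, SERVER_LOG):
            print("  -", finding)
    fixed = diagnose(parse_ipsec_conf(SERVER_CONF_FIXED)["ipsec-ikev2"],
                     parse_ipsec_conf(CLIENT_CONF_FIXED)["ipsec-ikev2"])
    print("fixed configs:", fixed or "no findings")
```

Run as a script it prints the findings for both client attempts and an empty list for the assumed fix; the key observation is that the second attempt's IKE_AUTH request lists CERTREQ but no CERT, which matches the server's "no trusted RSA public key found" line.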