[strongSwan] Roadwarrior setup with IKEv2 using certs
Alex K
rightkicktech at gmail.com
Sat Apr 4 14:57:36 CEST 2020
So the issue was "rightsendcert=never" on server side.
Setting it to "rightsendcert=yes" resolved the issue.
On Fri, Apr 3, 2020 at 3:47 PM Alex K <rightkicktech at gmail.com> wrote:
> When changing the client config as follows, the logs change as shown further
> down:
>
> conn %default
> ikelifetime=8h
> keyingtries=%forever
> ike=aes128-sha1-modp2048!
> esp=aes128-sha1-modp2048!
> dpdaction=restart
> compress=no
> fragmentation=yes
> leftfirewall=yes
>
> conn ipsec-ikev2
> keyexchange=ikev2
> authby=pubkey
> type=tunnel
> left=%any
> leftid="C=GR, O=HUB, CN=Client"
>
> leftca=ca-cert.pem
> leftcert=client-cert.pem
> leftsubnet=192.168.100.0/24
> right=172.30.0.45
> rightid="C=GR, O=HUB, CN=172.30.0.45"
> rightsubnet=10.55.55.0/24
> auto=start
>
> *Client logs:*
> Apr 3 12:43:01 Client-VM charon: 08[IKE] sending cert request for "C=GR,
> O=HUB, CN=172.30.0.45"
> Apr 3 12:43:01 Client-VM charon: 08[IKE] authentication of 'C=GR, O=HUB,
> CN=Client' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
> Apr 3 12:43:01 Client-VM charon: 08[IKE] establishing CHILD_SA ipsec-ikev2
> Apr 3 12:43:01 Client-VM charon: 08[ENC] generating IKE_AUTH request 1 [
> IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP)
> N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> Apr 3 12:43:01 Client-VM charon: 08[NET] sending packet: from
> 192.168.28.14[4500] to 172.30.0.45[4500] (620 bytes)
> Apr 3 12:43:01 Client-VM charon: 09[NET] received packet: from
> 172.30.0.45[4500] to 192.168.28.14[4500] (76 bytes)
> Apr 3 12:43:01 Client-VM charon: 09[ENC] parsed IKE_AUTH response 1 [
> N(AUTH_FAILED) ]
> Apr 3 12:43:01 Client-VM charon: 09[IKE] received AUTHENTICATION_FAILED
> notify error
>
> While the server seems to not be able to find a corresponding public key:
> Apr 3 07:43:01 debian9 charon: 05[IKE] received cert request for "C=GR,
> O=HUB, CN=172.30.0.45"
> *Apr 3 07:43:01 debian9 charon: 05[CFG] looking for peer configs matching
> 172.30.0.45[C=GR, O=HUB, CN=172.30.0.45]...172.30.0.180[C=GR, O=HUB,
> CN=Client]*
> Apr 3 07:43:01 debian9 charon: 05[CFG] selected peer config 'ipsec-ikev2'
> *Apr 3 07:43:01 debian9 charon: 05[IKE] no trusted RSA public key found
> for 'C=GR, O=HUB, CN=Client'*
> Apr 3 07:43:01 debian9 charon: 05[IKE] peer supports MOBIKE
> Apr 3 07:43:01 debian9 charon: 05[ENC] generating IKE_AUTH response 1 [
> N(AUTH_FAILED) ]
> Apr 3 07:43:01 debian9 charon: 05[NET] sending packet: from
> 172.30.0.45[4500] to 172.30.0.180[4500] (76 bytes)
>
> I'm not sure what I am missing.
>
> Alex
>
> On Fri, Apr 3, 2020 at 3:25 PM Alex K <rightkicktech at gmail.com> wrote:
>
>> Hi all,
>>
>> I've been trying to set up an IPsec VPN between two hosts, running
>> strongswan 5.5.1. I was able to set up the tunnel with pre-shared keys. What
>> I am trying to accomplish now is to have the same setup with certs instead. I
>> tried searching the web and trying several parameters, though I am failing
>> to find how to address the issue I am facing (client does not connect with
>> the error: *no private key found*) and hope I could have some assistance
>> or pointers.
>>
>> My config is as follows:
>>
>> *Server side config:*
>> config setup
>>
>> conn %default
>> ikelifetime=8h
>> keylife=1h
>> rekeymargin=3m
>> keyingtries=%forever
>> ike=aes128-sha1-modp2048!
>> esp=aes128-sha1-modp2048!
>> fragmentation=yes
>> dpdaction=clear
>> keyexchange=ikev2
>> authby=pubkey
>> type=tunnel
>> compress=no
>>
>> conn ipsec-ikev2
>> left=172.30.0.45
>> leftid="C=GR, O=HUB, CN=172.30.0.45"
>> leftcert=server-cert.pem
>> leftsendcert=always
>> leftsubnet=10.55.55.0/24
>> leftfirewall=yes
>> right=%any
>> rightid="C=GR, O=HUB, CN=Client"
>> rightsubnet=192.168.100.0/24
>> rightsendcert=never
>> auto=add
>>
>> /etc/ipsec.secrets:
>> : RSA server-key.pem
>>
>> The server keys/certs were generated as follows:
>>
>> cd /etc/ipsec.d/
>> ipsec pki --gen --type rsa --size 4096 --outform pem > private/ca-key.pem
>> chmod 600 private/ca-key.pem
>> ipsec pki --self --in private/ca-key.pem --dn "C=GR, O=HUB, CN=172.30.0.45" \
>>   --lifetime 3650 --ca --outform pem > cacerts/ca-cert.pem
>> ipsec pki --gen --type rsa --size 2048 --outform pem > private/server-key.pem
>> ipsec pki --pub --in private/server-key.pem | ipsec pki --issue \
>>   --cacert cacerts/ca-cert.pem --cakey private/ca-key.pem --lifetime 365 \
>>   --dn "C=GR, O=HUB, CN=172.30.0.45" --san="172.30.0.45" \
>>   --flag serverAuth --flag ikeIntermediate --outform pem > certs/server-cert.pem
>>
>> The server's IP address is 172.30.0.45, while the client is behind NAT
>> and has IP 192.168.28.14 which is then NATed at 172.30.0.180.
>>
>> *Client side config:*
>> conn %default
>> ikelifetime=8h
>> keyingtries=%forever
>> ike=aes128-sha1-modp2048!
>> esp=aes128-sha1-modp2048!
>> dpdaction=restart
>> compress=no
>> fragmentation=yes
>> leftfirewall=yes
>>
>> conn ipsec-ikev2
>> keyexchange=ikev2
>> authby=pubkey
>> type=tunnel
>> left=%any
>> leftid="C=GR, O=HUB, CN=Client"
>> #leftca=ca-cert.pem
>> #leftcert=client-cert.pem
>> leftsubnet=192.168.100.0/24
>> right=172.30.0.45
>> rightid="C=GR, O=HUB, CN=172.30.0.45"
>> rightsubnet=10.55.55.0/24
>> auto=start
>>
>> cat /etc/ipsec.secrets
>> # : P12 client-cert.p12 12345678
>> : RSA client-key.pem
>>
>> The client keys were generated as follows:
>> cd /etc/ipsec.d/
>> mkdir certs/clients/
>> ipsec pki --gen --type rsa --size 2048 --outform pem > /etc/ipsec.d/certs/clients/client-key.pem
>> ipsec pki --pub --in /etc/ipsec.d/certs/clients/client-key.pem | ipsec pki --issue \
>>   --cacert cacerts/ca-cert.pem --cakey private/ca-key.pem \
>>   --lifetime 365 --dn "C=GR, O=HUB, CN=Client" --san="Client" --outform pem \
>>   > /etc/ipsec.d/certs/clients/client-cert.pem
>> openssl pkcs12 -export -inkey /etc/ipsec.d/certs/clients/client-key.pem \
>>   -in /etc/ipsec.d/certs/clients/client-cert.pem -name "Client" \
>>   -certfile cacerts/ca-cert.pem -caname "172.30.0.45" \
>>   -out /etc/ipsec.d/certs/clients/client-cert.p12
>>
>> I had packaged the client keys with the passphrase "12345678" for
>> testing. In both cases, either with P12 or RSA at secrets file, I get the
>> following logged at client side:
>>
>> Apr 3 12:01:42 Client-VM charon: 00[DMN] Starting IKE charon daemon
>> (strongSwan 5.5.1, Linux 4.9.0-3-amd64, x86_64)
>> Apr 3 12:01:42 Client-VM charon: 00[CFG] loading ca certificates from
>> '/etc/ipsec.d/cacerts'
>> Apr 3 12:01:42 Client-VM charon: 00[CFG] loaded ca certificate "C=GR,
>> O=HUB, CN=172.30.0.45" from '/etc/ipsec.d/cacerts/ca-cert.pem'
>> Apr 3 12:01:42 Client-VM charon: 00[CFG] loading aa certificates from
>> '/etc/ipsec.d/aacerts'
>> Apr 3 12:01:42 Client-VM charon: 00[CFG] loading ocsp signer
>> certificates from '/etc/ipsec.d/ocspcerts'
>> Apr 3 12:01:42 Client-VM charon: 00[CFG] loading attribute certificates
>> from '/etc/ipsec.d/acerts'
>> Apr 3 12:01:42 Client-VM charon: 00[CFG] loading crls from
>> '/etc/ipsec.d/crls'
>> Apr 3 12:01:42 Client-VM charon: 00[CFG] loading secrets from
>> '/etc/ipsec.secrets'
>> Apr 3 12:01:42 Client-VM charon: 00[CFG] loaded RSA private key from
>> '/etc/ipsec.d/private/client-key.pem'
>> Apr 3 12:01:42 Client-VM charon: 00[LIB] loaded plugins: charon aes rc2
>> sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7
>> pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm
>> attr kernel-netlink resolve socket-default connmark stroke updown
>> Apr 3 12:01:42 Client-VM charon: 00[LIB] dropped capabilities, running
>> as uid 0, gid 0
>> Apr 3 12:01:42 Client-VM charon: 00[JOB] spawning 16 worker threads
>> Apr 3 12:01:42 Client-VM charon: 06[CFG] received stroke: add connection
>> 'ipsec-ikev2'
>> Apr 3 12:01:42 Client-VM charon: 06[CFG] added configuration
>> 'ipsec-ikev2'
>> Apr 3 12:01:42 Client-VM charon: 08[CFG] received stroke: initiate
>> 'ipsec-ikev2'
>> Apr 3 12:01:42 Client-VM charon: 08[IKE] initiating IKE_SA
>> ipsec-ikev2[1] to 172.30.0.45
>> Apr 3 12:01:42 Client-VM charon: 08[ENC] generating IKE_SA_INIT request
>> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP)
>> ]
>> Apr 3 12:01:42 Client-VM charon: 08[NET] sending packet: from
>> 192.168.28.14[500] to 172.30.0.45[500] (464 bytes)
>> Apr 3 12:01:42 Client-VM charon: 10[NET] received packet: from
>> 172.30.0.45[500] to 192.168.28.14[500] (464 bytes)
>> Apr 3 12:01:42 Client-VM charon: 10[ENC] parsed IKE_SA_INIT response 0 [
>> SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
>> Apr 3 12:01:42 Client-VM charon: 10[IKE] local host is behind NAT,
>> sending keep alives
>> Apr 3 12:01:42 Client-VM charon: 10[IKE] sending cert request for "C=GR,
>> O=HUB, CN=172.30.0.45"
>> *Apr 3 12:01:42 Client-VM charon: 10[IKE] no private key found for
>> 'C=GR, O=HUB, CN=Client'*
>>
>> While the server logs:
>> Apr 3 07:01:34 debian9 charon: 00[DMN] Starting IKE charon daemon
>> (strongSwan 5.5.1, Linux 4.9.0-12-amd64, x86_64)
>> Apr 3 07:01:34 debian9 charon: 00[CFG] loading ca certificates from
>> '/etc/ipsec.d/cacerts'
>> Apr 3 07:01:34 debian9 charon: 00[CFG] loaded ca certificate "C=GR,
>> O=HUB, CN=172.30.0.45" from '/etc/ipsec.d/cacerts/ca-cert.pem'
>> Apr 3 07:01:34 debian9 charon: 00[CFG] loading aa certificates from
>> '/etc/ipsec.d/aacerts'
>> Apr 3 07:01:34 debian9 charon: 00[CFG] loading ocsp signer certificates
>> from '/etc/ipsec.d/ocspcerts'
>> Apr 3 07:01:34 debian9 charon: 00[CFG] loading attribute certificates
>> from '/etc/ipsec.d/acerts'
>> Apr 3 07:01:34 debian9 charon: 00[CFG] loading crls from
>> '/etc/ipsec.d/crls'
>> Apr 3 07:01:34 debian9 charon: 00[CFG] loading secrets from
>> '/etc/ipsec.secrets'
>> Apr 3 07:01:34 debian9 charon: 00[CFG] loaded RSA private key from
>> '/etc/ipsec.d/private/server-key.pem'
>> Apr 3 07:01:34 debian9 charon: 00[LIB] loaded plugins: charon aesni aes
>> rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1
>> pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc
>> hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
>> Apr 3 07:01:34 debian9 charon: 00[LIB] dropped capabilities, running as
>> uid 0, gid 0
>> Apr 3 07:01:34 debian9 charon: 00[JOB] spawning 16 worker threads
>> Apr 3 07:01:34 debian9 charon: 05[CFG] received stroke: add connection
>> 'ipsec-ikev2'
>> Apr 3 07:01:34 debian9 charon: 05[CFG] loaded certificate "C=GR,
>> O=HUB, CN=172.30.0.45" from 'server-cert.pem'
>> Apr 3 07:01:34 debian9 charon: 05[CFG] added configuration 'ipsec-ikev2'
>>
>> and on client connection attempt:
>>
>> Apr 3 07:01:42 debian9 charon: 07[NET] received packet: from
>> 172.30.0.180[500] to 172.30.0.45[500] (464 bytes)
>> Apr 3 07:01:42 debian9 charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA
>> KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> Apr 3 07:01:42 debian9 charon: 07[IKE] 172.30.0.180 is initiating an
>> IKE_SA
>> Apr 3 07:01:42 debian9 charon: 07[IKE] remote host is behind NAT
>> Apr 3 07:01:42 debian9 charon: 07[ENC] generating IKE_SA_INIT response 0
>> [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
>> Apr 3 07:01:42 debian9 charon: 07[NET] sending packet: from
>> 172.30.0.45[500] to 172.30.0.180[500] (464 bytes)
>> Apr 3 07:02:12 debian9 charon: 08[JOB] deleting half open IKE_SA after
>> timeout
>>
>> I've configured the firewall (iptables stateful) to allow all outgoing
>> traffic from Client to server.
>> Not sure if I could provide anything in addition to help isolating the
>> issue.
>> Thank you for your patience and appreciate any help.
>>
>> Alex
>>
>
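As an added example (not code from this thread or from the strongSwan project), the script below parses the two ipsec.conf snippets quoted above, applies `conn %default` inheritance, and predicts both failures seen in the logs: with `leftcert` commented out on the client, charon has no certificate from which to pick a private key for the `leftid` ("no private key found"); with `rightsendcert=never` on the server, the server sends no CERTREQ, so a client running with the default `leftsendcert=ifasked` never includes its certificate in IKE_AUTH and the server reports "no trusted RSA public key found". The sendcert/CERTREQ semantics are the stroke-backend behaviour as assumed in the docstring, the trimmed sample configs are constructed from the thread, and the function names are the example's own.

```python
"""Predict whether a strongSwan ipsec.conf pubkey connection can exchange
certificates. Added example, not code from the thread or from strongSwan.
Assumed stroke-backend semantics: leftsendcert (never|no, ifasked [default],
always|yes) governs sending one's own certificate, 'ifasked' meaning only
after a CERTREQ; rightsendcert=never|no suppresses the CERTREQ a host sends;
authby=pubkey needs leftcert, otherwise charon logs 'no private key found'."""
import re

NEVER, ALWAYS = {"never", "no"}, {"always", "yes"}

# Constructed from the configs quoted in the thread, trimmed to the keys that
# matter for certificate handling.
SERVER_CONF = """
conn %default
    keyexchange=ikev2
    authby=pubkey

conn ipsec-ikev2
    left=172.30.0.45
    leftid="C=GR, O=HUB, CN=172.30.0.45"
    leftcert=server-cert.pem
    leftsendcert=always
    right=%any
    rightid="C=GR, O=HUB, CN=Client"
    rightsendcert=never
"""
CLIENT_CONF = """
conn %default
    keyexchange=ikev2
    authby=pubkey

conn ipsec-ikev2
    left=%any
    leftid="C=GR, O=HUB, CN=Client"
    #leftca=ca-cert.pem
    #leftcert=client-cert.pem
    right=172.30.0.45
    rightid="C=GR, O=HUB, CN=172.30.0.45"
"""


def parse_ipsec_conf(text):
    """{conn_name: params}, with 'conn %default' merged into every other conn.
    Handles 'config'/'conn' headers, key=value lines, '#' comments, quotes."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/whitespace
        header = re.match(r"^(conn|config)\s+(\S+)$", line)
        if header:
            current = (header.group(1), header.group(2))
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **params}
            for (kind, name), params in sections.items()
            if kind == "conn" and name != "%default"}


def sends_own_cert(policy, peer_sent_certreq):
    """Apply one host's leftsendcert policy."""
    if policy in ALWAYS:
        return True
    if policy in NEVER:
        return False
    return peer_sent_certreq                          # 'ifasked' (the default)


def check_pubkey_exchange(initiator, responder):
    """Return [(code, message)] for conditions that break cert authentication."""
    findings = []
    sides = {"initiator": initiator, "responder": responder}
    for role, cfg in sides.items():
        if cfg.get("authby", "pubkey") == "pubkey" and "leftcert" not in cfg:
            findings.append(("missing-leftcert",
                f"{role}: authby=pubkey without leftcert, so charon cannot select a "
                f"private key for '{cfg.get('leftid', '%any')}' "
                "(log: no private key found)"))
    for role, peer_role in (("initiator", "responder"), ("responder", "initiator")):
        own, peer = sides[role], sides[peer_role]
        own_policy = own.get("leftsendcert", "ifasked")
        peer_policy = peer.get("rightsendcert", "ifasked")
        if sends_own_cert(own_policy, peer_policy not in NEVER):
            continue
        cause = (f"{role} has leftsendcert={own_policy}" if own_policy in NEVER
                 else f"{peer_role} has rightsendcert={peer_policy} and sends no "
                      f"CERTREQ, while the {role} only sends its certificate ifasked")
        findings.append(("peer-cert-not-sent",
            f"{cause}; the {peer_role} has no public key for "
            f"'{own.get('leftid', '%any')}' (log: no trusted RSA public key "
            "found) unless it is supplied locally, e.g. via rightcert"))
    return findings
```

Calling `check_pubkey_exchange(client, server)` on the thread's original pair returns both findings; with `leftcert` uncommented on the client it returns only the CERTREQ finding, and with the server changed to `rightsendcert=yes` it returns an empty list. It is a pre-flight lint of the two conn sections, not a replacement for reading charon's IKE_SA_INIT and IKE_AUTH payload lists, which show directly whether CERTREQ and CERT payloads were exchanged.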