[strongSwan] Problem using asymmetric keys against Cisco IOS

John Serink john_serink at trimble.com
Wed Dec 9 07:02:30 CET 2020


Hi:

I have attempted to follow that page and have the following for my leftid values in the
connection definition:
conn Test
        leftid=@#:CORS89
Cisco response:
Dec  9 05:23:04.398: IKEv2:(SESSION ID = 94347,SA ID = 42):Searching policy based on peer's
identity '@' of type 'key ID'
Dec  9 05:23:04.400: IKEv2-ERROR:(SESSION ID = 94347,SA ID = 42):: Failed to locate an item in
the database
Dec  9 05:23:04.400: IKEv2:(SESSION ID = 94347,SA ID = 42):Verification of peer's
authentication data FAILED

conn Test
        leftid="@#:CORS89"
Cisco response:
Dec  9 05:33:51.319: IKEv2:(SESSION ID = 94360,SA ID = 42):Searching policy based on peer's
identity '@' of type 'key ID'
Dec  9 05:33:51.320: IKEv2-ERROR:(SESSION ID = 94360,SA ID = 42):: Failed to locate an item in
the database
Dec  9 05:33:51.320: IKEv2:(SESSION ID = 94360,SA ID = 42):Verification of peer's
authentication data FAILED

conn Test
        leftid="#:CORS89"

Cisco response:
Dec  9 05:38:00.740: IKEv2:(SESSION ID = 94364,SA ID = 3):Searching policy based on peer's
identity '#:CORS89' of type 'key ID'
Dec  9 05:38:00.742: IKEv2-ERROR:(SESSION ID = 94364,SA ID = 3):: Failed to locate an item in
the database
Dec  9 05:38:00.742: IKEv2:(SESSION ID = 94364,SA ID = 3):Verification of peer's
authentication data FAILED

conn Test
        leftid="=CORS89"

Cisco response:
Dec  9 05:43:28.120: IKEv2:(SESSION ID = 94376,SA ID = 3):Searching policy based on peer's
identity '=CORS89' of type 'key ID'
Dec  9 05:43:28.122: IKEv2-ERROR:(SESSION ID = 94376,SA ID = 3):: Failed to locate an item in
the database
Dec  9 05:43:28.122: IKEv2:(SESSION ID = 94376,SA ID = 3):Verification of peer's
authentication data FAILED

conn Test
        leftid="CORS89"

Cisco response:
Dec  9 05:54:56.401: IKEv2:(SESSION ID = 94394,SA ID = 3):Searching policy based on peer's
identity 'CORS89' of type 'FQDN'
Dec  9 05:54:56.401: IKEv2-ERROR:(SESSION ID = 94394,SA ID = 3):% key not found.
Dec  9 05:54:56.403: IKEv2-ERROR:(SESSION ID = 94394,SA ID = 3):: Failed to locate an item in
the database

So strongswan sees "=CORS89" as a key ID but it sees "CORS89" as a FQDN.

I want strongswan to see a key ID of CORS89.

How do I do that?

Cheers,
John



On Wed, 2020-12-09 at 11:15 +0800, John Serink wrote:
> That one's easy to fix.
> 
> Cheers Tobias.
> John
> 
> On Tue, 2020-12-08 at 15:28 +0100, Tobias Brunner wrote:
> > Hi John,
> > 
> > > It identified my strongswan client CORS89 but it thinks it's an FQDN rather than an ID.
> > > 
> > > In the ipsec.conf for leftid I used '@CORS89' and in the ipsec.secrets I also used
> > > @CORS89, so why would the Cisco think it's a FQDN rather than just a key-id?
> > 
> > Of course it's a FQDN, why would you think prefixing it with an @
> > changes that?  Please see [1].
> > 
> > Regards,
> > Tobias
> > 
> > [1] https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing
> 

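An added example, not from this thread and not strongSwan's own code: a Python model of the identity classification rules documented on the IdentityParsing page Tobias links to, run over each leftid value tried above. The `keyid:` type prefix and the simplified DN check are assumptions about the strongSwan build in use; everything else follows the documented rules and the types the Cisco log reports.

```python
import ipaddress

# Explicit type prefixes (assumed supported by the strongSwan version in use).
PREFIXES = {"ipv4:": "IPV4_ADDR", "ipv6:": "IPV6_ADDR", "fqdn:": "FQDN", "dns:": "FQDN",
            "email:": "RFC822_ADDR", "rfc822:": "RFC822_ADDR",
            "userfqdn:": "RFC822_ADDR", "keyid:": "KEY_ID"}


def classify_id(s: str):
    """Return (id_type, payload) for a leftid/rightid string, following the
    documented parsing rules: '=' -> DN, '@' -> FQDN, '@#' -> hex KEY_ID, ..."""
    for prefix, id_type in PREFIXES.items():
        if s.lower().startswith(prefix):
            return id_type, s[len(prefix):]
    if "=" in s:
        # "RDN=value" pairs become an ASN.1 DN; anything else (such as "=CORS89",
        # which has no attribute name) falls back to a raw KEY_ID. Simplified check.
        parts = [p.strip() for p in s.split(",")]
        if all("=" in p and p.split("=", 1)[0].strip() for p in parts):
            return "DER_ASN1_DN", s
        return "KEY_ID", s
    if "@" not in s:
        if s in ("", "%any", "%any6", "0.0.0.0", "*", "::"):
            return "ANY", ""
        try:
            addr = ipaddress.ip_address(s)
            return ("IPV6_ADDR" if addr.version == 6 else "IPV4_ADDR"), str(addr)
        except ValueError:
            # Not an address: a string containing ':' is kept as a raw KEY_ID
            # (what the Cisco logged for "#:CORS89"); otherwise it is an FQDN.
            return ("KEY_ID", s) if ":" in s else ("FQDN", s)
    if s.startswith("@#"):
        # Hex-encoded KEY_ID; ':' separators are ignored by the hex decoder.
        try:
            return "KEY_ID", bytes.fromhex(s[2:].replace(":", ""))
        except ValueError:
            return "KEY_ID", None  # non-hex input: resulting bytes are undefined
    if s.startswith("@@"):
        return "RFC822_ADDR", s[2:]
    if s.startswith("@"):
        return "FQDN", s[1:]      # '@' only suppresses DNS resolution, type stays FQDN
    return "RFC822_ADDR", s


# The values tried in the thread, plus the prefixed form (constructed input).
ATTEMPTS = ["@CORS89", "@#:CORS89", "#:CORS89", "=CORS89", "CORS89", "keyid:CORS89"]


def explain(attempts=ATTEMPTS):
    """Map each candidate leftid to the (type, payload) the peer will see."""
    return {s: classify_id(s) for s in attempts}


if __name__ == "__main__":
    for value, (id_type, payload) in explain().items():
        print(f"{value!r:16} -> {id_type:12} {payload!r}")
```

Comparing the type column with the Cisco "Searching policy based on peer's identity ... of type ..." lines shows which forms arrive as FQDN and which as key ID.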