[strongSwan] peer cert verification: X509: temporary cert import operation failed
Hello together,

I'm currently trying to set up an IKEv1 connection with strongswan 5.6.0 on Fedora 27. It uses a local nssdb in /etc/ipsec.d to handle certificates / private keys. The connection definition loads fine. When I tell the client to connect, it fails to verify the certificate from the right (=server) side:

Feb 15 17:20:11.324390: "companyserver" #1: Peer ID is ID_DER_ASN1_DN: 'CN=firewall.company.com, O=Company, OU=HQ'
Feb 15 17:20:11.324416: | checking for CERT payloads
Feb 15 17:20:11.324426: | found at last one CERT payload, calling pluto_process_certs()
Feb 15 17:20:11.324498: | nothing to decode
Feb 15 17:20:11.324509: "companyserver" #1: X509: temporary cert import operation failed
Feb 15 17:20:11.324524: "companyserver" #1: cert verify failed with internal error
Feb 15 17:20:11.324535: "companyserver" #1: X509: Certificate rejected for this connection
Feb 15 17:20:11.324547: "companyserver" #1: X509: CERT payload bogus or revoked
Feb 15 17:20:11.324558: | Peer ID failed to decode
Feb 15 17:20:11.324567: | complete v1 state transition with INVALID_ID_INFORMATION

What puzzles me is the "X509: temporary cert import operation failed" error message. The output is from "plutodebug=all" already. Maybe that happens because I imported the cert of the right side into the nssdb already?

# certutil -d sql:/etc/ipsec.d -L

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

cert.pem                             CTu,u,u
server.pem                           CT,,

The server certificate is a self-signed one, the nickname is the original filename "server.pem". Any idea what might cause the "cert verify failed with internal error" message?

Cheers,
Thomas
Re: [strongSwan] osx Sierra ikev2 connection successful but no traffic
Thanks for your response. I did fix that by changing to 0.0.0.0/0 ..

On Thu, Feb 15, 2018 at 2:50 PM, Tobias Brunner wrote:
> Hi Karthik,
>
> > CHILD_SA vpn{2} established with SPIs c13091e4_i c869298c_o and TS
> > 10.244.15.1/32 === 0.0.0.0/32
>
> This remote traffic selector (0.0.0.0/32) doesn't look right. This
> should probably be 0.0.0.0/0. Since your client config looks OK, check
> how the server is configured.
>
> Regards,
> Tobias
Re: [strongSwan] Accessing VPN client from private network
Hi Marco,

> FARP is configured on both client and gateway, and I can reach
> all the internal network from the vpn client (ubuntu linux).
> ...
> Still pinging the vpn client from the internal network does not work.

You mean you are able to e.g. ping hosts in the remote network from the client (i.e. you get a response from an IP other than 192.168.1.10, which belongs to the server)? But if you try to ping the client's IP (192.168.1.20) from a host in that network you don't get a reply?

Try debugging this with tcpdump/Wireshark on the hosts in that network, check if the ARP packets are correctly sent/received and where the ICMP requests go etc. Also check your firewall/NAT rules.

Regards,
Tobias
Re: [strongSwan] Can strongSwan support "multiple IPv6 nodes behind NAT"?
Hi,

> 1). public node can create IPsec connection with 2 or more private nodes
> behind NAT?

Sure.

> 2). IPv6 behind NAT?
> https://lists.libreswan.org/pipermail/swan/2018/002489.html shows
> that libreswan does NOT support it because "Linux does not yet have
> support for IPv6-ESP-in-UDP encapsulation".
> I am not sure whether https://wiki.strongswan.org/issues/939 is
> fixed or not. It was posted 3 years ago.

It's still open, so why would you think it's fixed? And the reason is still the same: the Linux kernel currently does not support UDP encapsulation for IPv6.

Regards,
Tobias
Re: [strongSwan] osx Sierra ikev2 connection successful but no traffic
Hi Karthik,

> CHILD_SA vpn{2} established with SPIs c13091e4_i c869298c_o and TS
> 10.244.15.1/32 === 0.0.0.0/32

This remote traffic selector (0.0.0.0/32) doesn't look right. This should probably be 0.0.0.0/0. Since your client config looks OK, check how the server is configured.

Regards,
Tobias
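The "SA established but no traffic" symptom in this thread (and Karthik's follow-up above) comes down to a remote traffic selector of 0.0.0.0/32 where 0.0.0.0/0 was intended. As an added example, not code from the thread or from the strongSwan project, the following Python script parses charon "CHILD_SA ... established" log lines of the form quoted above and flags a single-host selector on the unspecified address; the sample log lines are constructed, with the first one mirroring the selector from the thread.

```python
import ipaddress
import re

# Matches the "CHILD_SA <name> established with SPIs ... and TS <local> === <remote>"
# line format quoted in the thread (constructed regex, assumed to match charon output).
CHILD_SA_RE = re.compile(
    r"CHILD_SA (?P<name>\S+) established with SPIs \S+ \S+ and TS "
    r"(?P<local>.+?) === (?P<remote>.+?)\s*$"
)


def parse_child_sa(line):
    """Return (name, local_ts, remote_ts) for a CHILD_SA line, else None."""
    m = CHILD_SA_RE.search(line)
    if not m:
        return None
    local = [ipaddress.ip_network(ts) for ts in m.group("local").split()]
    remote = [ipaddress.ip_network(ts) for ts in m.group("remote").split()]
    return m.group("name"), local, remote


def is_mistyped_any(net):
    """True for 0.0.0.0/32 or ::/128: a single-host selector on the unspecified
    address. It never matches real traffic, which is exactly the symptom in the
    thread (SA up, nothing flows); the intended selector is almost always /0."""
    return net.network_address.is_unspecified and net.prefixlen == net.max_prefixlen


def check_log(lines):
    """Return one finding per CHILD_SA whose remote TS looks mistyped."""
    findings = []
    for line in lines:
        parsed = parse_child_sa(line)
        if parsed is None:
            continue
        name, _local, remote = parsed
        for net in remote:
            if is_mistyped_any(net):
                findings.append({"name": name, "remote": str(net),
                                 "suggested": f"{net.network_address}/0"})
    return findings


# Constructed sample log: line 1 mirrors the thread's selector, line 2 is a
# correctly configured peer for comparison.
SAMPLE_LOG = [
    "Feb 15 14:40:01 gw charon: 12[IKE] CHILD_SA vpn{2} established with SPIs "
    "c13091e4_i c869298c_o and TS 10.244.15.1/32 === 0.0.0.0/32",
    "Feb 15 14:41:07 gw charon: 13[IKE] CHILD_SA vpn{3} established with SPIs "
    "0a1b2c3d_i 4e5f6071_o and TS 10.244.15.2/32 === 0.0.0.0/0",
]

if __name__ == "__main__":
    for f in check_log(SAMPLE_LOG):
        print(f"{f['name']}: remote TS {f['remote']} is a single-host selector; "
              f"check the server's config, expected {f['suggested']}")
```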