[strongSwan] peer cert verification: X509: temporary cert import operation failed

2018-02-15 Thread Thomas Jarosch
Hello together,

I'm currently trying to set up an IKEv1 connection with strongswan 5.6.0 on 
Fedora 27.
It uses a local nssdb in /etc/ipsec.d to handle certificates / private keys.

The connection definition loads fine. When I tell the client
to connect, it fails to verify the certificate from the right (=server) side:

Feb 15 17:20:11.324390: "companyserver" #1: Peer ID is ID_DER_ASN1_DN: 'CN=firewall.company.com, O=Company, OU=HQ'
Feb 15 17:20:11.324416: | checking for CERT payloads
Feb 15 17:20:11.324426: | found at last one CERT payload, calling pluto_process_certs()
Feb 15 17:20:11.324498: | nothing to decode
Feb 15 17:20:11.324509: "companyserver" #1: X509: temporary cert import operation failed
Feb 15 17:20:11.324524: "companyserver" #1: cert verify failed with internal error
Feb 15 17:20:11.324535: "companyserver" #1: X509: Certificate rejected for this connection
Feb 15 17:20:11.324547: "companyserver" #1: X509: CERT payload bogus or revoked
Feb 15 17:20:11.324558: | Peer ID failed to decode
Feb 15 17:20:11.324567: | complete v1 state transition with INVALID_ID_INFORMATION


What puzzles me is the "X509: temporary cert import operation failed"
error message. The output is from "plutodebug=all" already.

Maybe that happens because I imported the cert
of the right side into the nssdb already?

# certutil -d sql:/etc/ipsec.d -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cert.pem                                                     CTu,u,u
server.pem                                                   CT,,


The server certificate is a self-signed one,
the nickname is the original filename "server.pem".

Any idea what might cause the
"cert verify failed with internal error" message?

Cheers,
Thomas





Re: [strongSwan] osx Sierra ikev2 connection successful but no traffic

2018-02-15 Thread karthik kumar
Thanks for your response. I did fix that by changing to 0.0.0.0/0.

On Thu, Feb 15, 2018 at 2:50 PM, Tobias Brunner wrote:

> Hi Karthik,
>
> > CHILD_SA vpn{2} established with SPIs c13091e4_i c869298c_o and TS
> > 10.244.15.1/32 === 0.0.0.0/32
>
> This remote traffic selector (0.0.0.0/32) doesn't look right.  This
> should probably be 0.0.0.0/0.  Since your client config looks OK, check
> how the server is configured.
>
> Regards,
> Tobias
>


Re: [strongSwan] Accessing VPN client from private network

2018-02-15 Thread Tobias Brunner
Hi Marco,

> FARP is configured on both client and gateway, and I can reach
> all the internal network from the vpn client (ubuntu linux).
> ...
> Still pinging the vpn client from the internal network does not work.

You mean you are able to e.g. ping hosts in the remote network from the
client (i.e. you get a response from an IP other than 192.168.1.10,
which belongs to the server)?  But if you try to ping the client's IP
(192.168.1.20) from a host in that network you don't get a reply?  Try
debugging this with tcpdump/Wireshark on the hosts in that network,
check if the ARP packets are correctly sent/received and where the ICMP
requests go etc.  Also check your firewall/NAT rules.

Regards,
Tobias




Re: [strongSwan] Can strongSwan support "multiple IPv6 nodes behind NAT"?

2018-02-15 Thread Tobias Brunner
Hi,

> 1). public node can create IPsec connection with 2 or more private nodes
> behind NAT? 

Sure.

> 2). IPv6 behind NAT? 
>       https://lists.libreswan.org/pipermail/swan/2018/002489.html shows
> that libreswan does NOT support it because "Linux does not yet have
> support for IPv6-ESP-in-UDP encapsulation". 
>       I am not sure whether  https://wiki.strongswan.org/issues/939 is
> fixed or not. It was posted 3 years ago. 

It's still open, so why would you think it's fixed?  And the reason is
still the same:  the Linux kernel currently does not support UDP
encapsulation for IPv6.

Regards,
Tobias


Re: [strongSwan] osx Sierra ikev2 connection successful but no traffic

2018-02-15 Thread Tobias Brunner
Hi Karthik,

> CHILD_SA vpn{2} established with SPIs c13091e4_i c869298c_o and TS 
> 10.244.15.1/32 === 0.0.0.0/32

This remote traffic selector (0.0.0.0/32) doesn't look right.  This
should probably be 0.0.0.0/0.  Since your client config looks OK, check
how the server is configured.

Regards,
Tobias
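Both messages in this thread (Karthik's report and Tobias's reply) turn on one detail of the CHILD_SA log line: a remote traffic selector of 0.0.0.0/32 covers only the unspecified host address, whereas 0.0.0.0/0 covers every destination. The following added example is not from the thread or from the strongSwan project; it parses the "CHILD_SA ... TS ... === ..." line format quoted above from a constructed log snippet (the vpn{3} line, its SPIs and the destination addresses are made up) and reports which intended destinations the negotiated selectors would fail to cover, which is the check Tobias applies by eye.

```python
import ipaddress
import re

# Constructed sample log lines modelled on the charon output quoted in the
# thread. The vpn{2} line mirrors the reported selectors; vpn{3} is invented
# to show what a working default-route selector looks like.
SAMPLE_LOG = """\
charon: 10[IKE] CHILD_SA vpn{2} established with SPIs c13091e4_i c869298c_o and TS 10.244.15.1/32 === 0.0.0.0/32
charon: 11[IKE] CHILD_SA vpn{3} established with SPIs 0a1b2c3d_i 4e5f6071_o and TS 10.244.15.2/32 === 0.0.0.0/0
"""

# Local and remote selector lists are space separated and divided by "===".
CHILD_SA_RE = re.compile(
    r"CHILD_SA (?P<name>\S+) established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS "
    r"(?P<local>.+?) === (?P<remote>.+)$"
)


def parse_child_sa(line):
    """Return the SA name and its local/remote selector networks, or None."""
    m = CHILD_SA_RE.search(line.strip())
    if m is None:
        return None
    return {
        "name": m["name"],
        "local": [ipaddress.ip_network(n) for n in m["local"].split()],
        "remote": [ipaddress.ip_network(n) for n in m["remote"].split()],
    }


def uncovered_destinations(remote_ts, destinations):
    """Destinations that no remote selector matches (traffic will not enter the tunnel)."""
    return [
        d for d in destinations
        if not any(ipaddress.ip_address(d) in net for net in remote_ts)
    ]


def looks_like_bad_default_route(remote_ts):
    """True when a selector is a single-host prefix on the unspecified address,
    i.e. 0.0.0.0/32 (or ::/128), which is almost certainly a typo for /0."""
    return any(
        net.prefixlen == net.max_prefixlen and net.network_address.is_unspecified
        for net in remote_ts
    )


def audit(log, destinations):
    """Check every CHILD_SA line in `log` against the destinations we expect to reach."""
    findings = []
    for line in log.splitlines():
        sa = parse_child_sa(line)
        if sa is None:
            continue
        findings.append({
            "name": sa["name"],
            "remote": [str(n) for n in sa["remote"]],
            "unreachable": uncovered_destinations(sa["remote"], destinations),
            "bad_default": looks_like_bad_default_route(sa["remote"]),
        })
    return findings


if __name__ == "__main__":
    # Constructed destinations a road-warrior client would typically want.
    for f in audit(SAMPLE_LOG, ["8.8.8.8", "192.168.1.10"]):
        status = "SUSPICIOUS /32 on 0.0.0.0" if f["bad_default"] else "ok"
        print(f'{f["name"]}: remote TS {f["remote"]} -> {status}; '
              f'unreachable: {f["unreachable"] or "none"}')
```

Run against a real `ipsec statusall` or charon log, the same check flags any CHILD_SA whose remote selector is narrower than the server side was meant to offer, which is the server-configuration problem Tobias points to rather than anything on the client.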