On Tue, 14 Jul 2020, Balaji Thoguluva wrote:

I am trying to establish an IKEv2/IPsec tunnel using certificate based 
authentication so that both ends can exchange certificates to authenticate
themselves.

How can I configure Libreswan which initiates the connection to send a "certificate 
request" (CERTREQ) payload in IKE_AUTH request so that the other end
can send its certificate in the IKE_AUTH response back?

The two are not related. The CERTREQ is just a "hint" for the other side
to pick its own CERT if it has more than one to choose from.

For example, I have configured as follows

conn radcert
        ikev2=yes
        left=10.196.175.174
        leftsubnet=10.196.175.174/32
        leftca=%same
        leftrsasigkey=%cert
        [email protected]   <------ other end's identity
        leftprotoport=17/1812
        right=10.196.172.139
        rightsubnet=10.196.172.139/32
        rightprotoport=17/1812
        auto=ondemand
        ike=aes128-sha1;dh14
        phase2=esp
        phase2alg=aes128-sha1;modp2048
        pfs=yes
        rightcert="mycert"
        rightrsasigkey=%cert
        rightsendcert=always
        [email protected]
        rightca=%same
        type=tunnel
        esn=no
        rekey=yes
        salifetime=28800s
        ikelifetime=3600s
        dpddelay=0s
        dpdtimeout=0s
        dpdaction=hold

looks good, other than the dpd values which should never be 0, and
dpdaction hold should be restart.

I have a p12 file in /etc/ipsec.d directory which is a container of mycert 
certificate, mycert's CA certificate and private key of mycert. This p12 file is
imported.

When this connection is activated, Libreswan sends its certificate (because 
rightsendcert=always) in CERT payload however it does not send CERTREQ
payload. Is there a way to instruct Libreswan to send CERTREQ payload?

Why does it need to send a CERTREQ? Does the other end not send any CERT
otherwise?

Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #1: initiating v2 parent SA
Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #1: local IKE proposals for radcert (IKE SA initiator selecting KE):
1:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048
Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #1: local ESP/AH proposals for radcert (IKE SA initiator emitting ESP/AH proposals):
1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=sha group=MODP2048}
Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #2: IKEv2 mode peer ID is ID_USER_FQDN: '[email protected]'
Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #2: no RSA public key known for '[email protected]'  <-----------------------------------

Does the ID [email protected] appear as SAN on the certificate?
Perhaps you can run with plutodebug=all enabled so we can have a closer
look?

Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
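To make Paul's point concrete that a CERTREQ is only a hint for the responder's choice of CERT, here is an added example (not code from the thread or from Libreswan) that builds and parses an IKEv2 CERTREQ payload as laid out in RFC 7296 section 3.7: a generic payload header, the Cert Encoding byte (4 = "X.509 Certificate - Signature"), then the concatenated SHA-1 hashes of the SubjectPublicKeyInfo of each trusted CA. The `select_cert` function shows the responder side: a peer with several certificates picks the one issued by a requested CA, and a peer with one certificate sends it regardless of whether a CERTREQ arrived. The certificates are constructed DER skeletons with dummy contents (the `fake_cert_der` helper is an assumption for testing, not a valid certificate), and the minimal DER walker only handles the definite-length encoding real certificates use.

```python
"""Build and parse an IKEv2 CERTREQ payload (RFC 7296 sections 3.6 and 3.7)."""
import hashlib
import struct

CERT_ENCODING_X509_SIG = 4   # RFC 7296 3.6: "X.509 Certificate - Signature"
PAYLOAD_NONE = 0             # RFC 7296 3.2 payload type numbers
PAYLOAD_CERT = 37
PAYLOAD_CERTREQ = 38


def der_tlv(data: bytes, offset: int = 0):
    """Read one DER TLV; return (tag, value, next_offset).
    Minimal: single-byte tags and definite lengths only."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(data[offset:offset + nbytes], "big")
        offset += nbytes
    return tag, data[offset:offset + length], offset + length


def der_seq(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def spki_from_cert_der(cert_der: bytes) -> bytes:
    """Return the DER-encoded subjectPublicKeyInfo of an X.509 certificate."""
    _, cert_body, _ = der_tlv(cert_der)           # Certificate SEQUENCE
    _, tbs, _ = der_tlv(cert_body)                # tbsCertificate SEQUENCE
    tag, _, off = der_tlv(tbs, 0)
    if tag == 0xA0:                               # optional [0] version present
        _, _, off = der_tlv(tbs, off)             # then serialNumber
    for _ in range(4):                            # signature, issuer, validity, subject
        _, _, off = der_tlv(tbs, off)
    _, _, end = der_tlv(tbs, off)                 # subjectPublicKeyInfo
    return tbs[off:end]


def certreq_ca_hash(ca_cert_der: bytes) -> bytes:
    """RFC 7296 3.7: for encoding 4 the CA field holds SHA-1(SPKI) per trusted CA."""
    return hashlib.sha1(spki_from_cert_der(ca_cert_der)).digest()


def build_certreq(ca_certs_der, next_payload=PAYLOAD_NONE) -> bytes:
    """Encode a CERTREQ payload: generic header + Cert Encoding + CA hashes."""
    body = bytes([CERT_ENCODING_X509_SIG]) + b"".join(certreq_ca_hash(c) for c in ca_certs_der)
    header = struct.pack("!BBH", next_payload, 0, 4 + len(body))   # length includes header
    return header + body


def parse_certreq(payload: bytes):
    """Return (next_payload, cert_encoding, [20-byte CA SPKI hashes])."""
    next_payload, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("payload length mismatch")
    encoding, ca_field = payload[4], payload[5:]
    if encoding == CERT_ENCODING_X509_SIG and len(ca_field) % 20 != 0:
        raise ValueError("CA field is not a multiple of 20 bytes")
    return next_payload, encoding, [ca_field[i:i + 20] for i in range(0, len(ca_field), 20)]


def select_cert(certreq_hashes, candidates, default):
    """Responder's use of CERTREQ as a hint. candidates maps a cert name to the
    DER of the CA that issued it; pick the first cert whose issuing CA was
    requested, else send the default cert (a missing or unmatched CERTREQ
    never stops the responder from sending a CERT)."""
    wanted = set(certreq_hashes)
    for name, ca_der in candidates.items():
        if certreq_ca_hash(ca_der) in wanted:
            return name
    return default


def fake_cert_der(subject: bytes, spki_key: bytes) -> bytes:
    """Constructed stand-in for a real certificate: correct DER skeleton
    (version, serial, sigAlg, issuer, validity, subject, SPKI) with dummy
    contents, enough for spki_from_cert_der() to walk. Not a valid cert."""
    version = der_seq(0xA0, der_seq(0x02, b"\x02"))
    serial = der_seq(0x02, b"\x01")
    sig_alg = der_seq(0x30, der_seq(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    name = der_seq(0x30, der_seq(0x31, der_seq(0x30, der_seq(0x06, b"\x55\x04\x03") + der_seq(0x0c, subject))))
    validity = der_seq(0x30, der_seq(0x17, b"200101000000Z") + der_seq(0x17, b"300101000000Z"))
    spki = der_seq(0x30, sig_alg + der_seq(0x03, b"\x00" + spki_key))
    tbs = der_seq(0x30, version + serial + sig_alg + name + validity + name + spki)
    return der_seq(0x30, tbs + sig_alg + der_seq(0x03, b"\x00" * 5))


if __name__ == "__main__":
    ca_a, ca_b = fake_cert_der(b"CA-A", b"\x01" * 32), fake_cert_der(b"CA-B", b"\x02" * 32)
    req = build_certreq([ca_a, ca_b], next_payload=PAYLOAD_CERT)
    _, _, hashes = parse_certreq(req)
    print(len(req), "bytes,", len(hashes), "CA hashes; responder picks:",
          select_cert(hashes, {"mycert": ca_b}, "default-cert"))
```

Note what the hashes cover: the peer matches them against the SPKI of CAs in its own trust store, so a CERTREQ tells it which chain to prefer, not which identity to present. If the responder already sends a CERT (as `rightsendcert=always` does here), the absence of a CERTREQ is not what stops authentication; the `no RSA public key known for` line in the log points at ID-to-certificate matching instead.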
