Hi Adam,

from the output of "ipsec listall" I see that moon's private key was not found on moon and that no CA cert was found on dave. Further, both moon's and dave's certificates were signed by a CA with

  authkey: a7:db:14:22:72:76:7b:45:f9:f9:1b:57:59:c1:07:37:9a:a6:57:d2

but the CA found on moon has

  subjkey: 5a:a3:95:25:a5:02:71:cd:a0:b0:ff:2a:a3:3c:6b:ea:bf:e4:3d:68
  authkey: 5a:a3:95:25:a5:02:71:cd:a0:b0:ff:2a:a3:3c:6b:ea:bf:e4:3d:68

so the correct CA is present neither on moon nor on dave, and trust cannot be established.

Best regards

Andreas

Adam Gerosa wrote:
> Thanks Andreas for your very fast answer.
> I did what you said but I got the same error.
>
> ========================================================
> dave:/etc/ipsec.d# ipsec up home
> initiating IKE_SA 'home' to 192.168.0.216
> IKE_SA 'home' state change: CREATED => CONNECTING
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 192.168.0.238[500] to 192.168.0.216[500]
> received packet: from 192.168.0.216[500] to 192.168.0.238[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> received cert request for unknown ca with keyid 1f:13:eb:00:2e:a1:00:b3:6a:d0:8d:f7:9f:03:02:9b:41:6b:65:cc
> authentication of 'C=CH, ST=TI, L=Stabio, O=Gerosa Server Services, CN=dave' (myself) with ECDSA-256 signature successful
> sending end entity cert "C=CH, ST=TI, L=Stabio, O=Gerosa Server Services, CN=dave"
> establishing CHILD_SA
> generating IKE_AUTH request 1 [ IDi CERT IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
> sending packet: from 192.168.0.238[4500] to 192.168.0.216[4500]
> received packet: from 192.168.0.216[4500] to 192.168.0.238[4500]
> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error
> ========================================================
>
>
> For creating certificates I use the script:
>
> ========================================================
> #!/usr/bin/env sh
> # prep
> mkdir workdir
> cd workdir
> mkdir demoCA
> mkdir demoCA/certs
> mkdir demoCA/crl
> mkdir demoCA/newcerts
> mkdir demoCA/private
> touch demoCA/index.txt
> echo 01 > demoCA/serial
>
> echo
>
> #-----------------------------------------------------------------------
> # make CA private key and 10-yr cert
> # Note: prime256v1 is the same curve as secp256r1
> cd demoCA
> openssl ecparam -name prime256v1 -text -genkey -out private/cakey.pem
> # *******************************************
> # *** cert signed with ecdsa-with-SHA1 in ***
> # *** spite of request to use SHA-256 or  ***
> # *** value of default_md in openssl.cnf  ***
> # *******************************************
> openssl req -new -x509 -out cacert.pem -key private/cakey.pem \
>     -days 3652 -sha256 < ../../promptsCA.txt
> echo
> # let's see it
> openssl x509 -text -in cacert.pem
> # let's package the key and cert into a PKCS-12 keystore
> openssl pkcs12 -export -in cacert.pem -inkey private/cakey.pem \
>     -name ca-ecc256key -out ca.p12 -passout pass:pswd
> cd ..
> #-----------------------------------------------------------------------
> # generate a user ECC key pair
> # *******************************************
> # *** ecparam doesn't honor:              ***
> # ***   -aes128 -passout pass:pswd        ***
> # *******************************************
> openssl ecparam -name prime256v1 -genkey -text \
>     -out moon-key-unprotected.pem
> # to password protect the pvt key, run this next line
> openssl ec -in moon-key-unprotected.pem -out moon-key.pem \
>     -aes128 -passout pass:pswd
>
> #-----------------------------------------------------------------------
> # generate a user CSR (unsigned)
> openssl req -new -x509 -days 730 -sha256 -key moon-key.pem \
>     -out tmpmoon.pem -passin pass:pswd < ../promptsServer.txt
> # sign it
> openssl x509 -x509toreq -sha256 -in tmpmoon.pem -signkey moon-key.pem \
>     -passin pass:pswd -out moon-req.pem
>
> #-----------------------------------------------------------------------
> # CA accepts CSR and signs a cert
> # *******************************************
> # *** cert signed with ecdsa-with-SHA1 in ***
> # *** spite of request to use SHA-256 or  ***
> # *** value of default_md in openssl.cnf  ***
> # *******************************************
> openssl ca -policy policy_anything -days 720 -md sha256 \
>     -out moon-cert.pem -infiles moon-req.pem < ../promptsYY.txt
> # let's see it
> openssl x509 -text -in moon-cert.pem
>
> #-----------------------------------------------------------------------
> # generate a user ECC key pair
> # *******************************************
> # *** ecparam doesn't honor:              ***
> # ***   -aes128 -passout pass:pswd        ***
> # *******************************************
> openssl ecparam -name prime256v1 -genkey -text \
>     -out dave-key-unprotected.pem
> # to password protect the pvt key, run this next line
> openssl ec -in dave-key-unprotected.pem -out dave-key.pem \
>     -aes128 -passout pass:pswd
>
> #-----------------------------------------------------------------------
> # generate a user CSR (unsigned)
> openssl req -new -x509 -days 730 -sha256 -key dave-key.pem \
>     -out tmp.pem -passin pass:pswd < ../promptsClient.txt
> # sign it
> openssl x509 -x509toreq -sha256 -in tmp.pem -signkey dave-key.pem \
>     -passin pass:pswd -out dave-req.pem
>
> #-----------------------------------------------------------------------
> #-----------------------------------------------------------------------
> # CA accepts CSR and signs a cert
> # *******************************************
> # *** cert signed with ecdsa-with-SHA1 in ***
> # *** spite of request to use SHA-256 or  ***
> # *** value of default_md in openssl.cnf  ***
> # *******************************************
> openssl ca -policy policy_anything -days 720 -md sha256 \
>     -out dave-cert.pem -infiles dave-req.pem < ../promptsYY.txt
> # let's see it
> openssl x509 -text -in dave-cert.pem
>
> #-----------------------------------------------------------------------
> # put user's private key, cert, and CA cert in a keystore
> openssl pkcs12 -export -out dave.p12 -password pass:pswd \
>     -in dave-cert.pem -inkey dave-key.pem \
>     -passin pass:pswd -name thunderbug-key \
>     -certfile demoCA/cacert.pem -caname myCA
> ========================================================
>
> Now the result of ipsec listall is:
>
> MOON:
> ***********************
> moon:/etc/ipsec.d/CA# ipsec listall
>
> List of X.509 End Entity Certificates:
>
>   subject:  "C=CH, ST=TI, L=Stabio, O=Gerosa Server Services, CN=moon"
>   issuer:   "C=CH, ST=TI, L=Stabio, O=Gerosa CA Services, CN=moon"
>   serial:   01
>   validity: not before Jul 29 23:15:52 2009, ok
>             not after  Jul 19 23:15:52 2011, ok
>   pubkey:   ECDSA 256 bits
>   keyid:    15:29:7f:82:a3:4a:b6:6e:0b:73:bb:3c:40:67:d4:63:18:30:c3:f2
>   subjkey:  5d:74:0b:30:eb:62:aa:22:15:ec:14:34:6f:fc:da:6f:43:5d:ce:a9
>   authkey:  a7:db:14:22:72:76:7b:45:f9:f9:1b:57:59:c1:07:37:9a:a6:57:d2
>
> List of X.509 CA Certificates:
>
>   subject:  "C=CH, ST=TI, L=Stabio, O=Gerosa CA Services, CN=moon"
>   issuer:   "C=CH, ST=TI, L=Stabio, O=Gerosa CA Services, CN=moon"
>   serial:   00:92:d3:29:9d:9f:0b:be:5c
>   validity: not before Jul 28 22:27:34 2009, ok
>             not after  Jul 28 22:27:34 2019, ok
>   pubkey:   ECDSA 256 bits
>   keyid:    1f:13:eb:00:2e:a1:00:b3:6a:d0:8d:f7:9f:03:02:9b:41:6b:65:cc
>   subjkey:  5a:a3:95:25:a5:02:71:cd:a0:b0:ff:2a:a3:3c:6b:ea:bf:e4:3d:68
>   authkey:  5a:a3:95:25:a5:02:71:cd:a0:b0:ff:2a:a3:3c:6b:ea:bf:e4:3d:68
> moon:/etc/ipsec.d/CA#
>
> DAVE
> ******************************
> dave:/etc/ipsec.d# ipsec listall
>
> List of X.509 End Entity Certificates:
>
>   subject:  "C=CH, ST=TI, L=Stabio, O=Gerosa Server Services, CN=dave"
>   issuer:   "C=CH, ST=TI, L=Stabio, O=Gerosa CA Services, CN=moon"
>   serial:   02
>   validity: not before Jul 29 23:15:53 2009, ok
>             not after  Jul 19 23:15:53 2011, ok
>   pubkey:   ECDSA 256 bits, has private key
>   keyid:    66:19:f8:1d:bb:ad:df:7b:94:88:8d:78:fc:89:d8:68:37:a9:bd:96
>   subjkey:  a1:72:33:c8:d6:dc:e9:a2:50:c8:bb:25:93:33:0d:d4:4e:e0:5e:8a
>   authkey:  a7:db:14:22:72:76:7b:45:f9:f9:1b:57:59:c1:07:37:9a:a6:57:d2
> dave:/etc/ipsec.d#
>
>
> the content of /var/log/auth.log:
>
> MOON
> ****************************
> Jul 29 23:54:31 moon ipsec_starter[3035]: Starting strongSwan 4.2.4 IPsec [starter]...
> Jul 29 23:54:45 moon charon: 09[AUD] 192.168.0.238 is initiating an IKE_SA
> Jul 29 23:54:46 moon charon: 10[AUD] authentication of 'C=CH, ST=TI, L=Stabio, O=Gerosa Server Services, CN=dave' with ECDSA-256 signature failed
>
> DAVE
> ****************************
> Jul 29 23:54:46 dave charon: 09[AUD] initiating IKE_SA 'home' to 192.168.0.216
> Jul 29 23:54:48 dave charon: 10[AUD] establishing CHILD_SA
> Jul 29 23:54:48 dave charon: 11[AUD] received AUTHENTICATION_FAILED notify error
> Jul 29 23:54:48 dave charon: 11[AUD] establishing CHILD_SA failed
>
> the content of /etc/ipsec.secret is:
>
> MOON
> ******************************
> : ECDSA /etc/ipsec.d/private/moon-key.pem "pswd"
>
> DAVE
> ******************************
> : ECDSA /etc/ipsec.d/private/dave-key.pem "pswd"
>
> I did:
> 1) copy the cacert created on "moon" to "dave" /etc/ipsec.d/cacerts
> 2) copy the private key "davekey.pem" (created on "moon") to "dave" /etc/ipsec.d/private
> 3) copy the certificate "dave-cert.pem" (created on "moon") to "dave" /etc/ipsec.d/certs
>
> what is wrong?
>
> Thanks for your support.
>
> Adam

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
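The check Andreas did by hand above (does a loaded CA cert's subjkey match each end-entity cert's authkey, does the host hold a private key, and does it hold the CA named in the peer's CERTREQ) can be scripted. This is an added example, not code from the thread or from strongSwan; it parses the field layout of "ipsec listall" and uses, as constructed sample input, only the relevant fields of the two outputs quoted above, plus the CERTREQ keyid from dave's "ipsec up home" output.

```python
import re

# Constructed sample: the relevant fields of the two "ipsec listall" outputs quoted above.
MOON = """List of X.509 End Entity Certificates:
  subject:  "C=CH, ST=TI, L=Stabio, O=Gerosa Server Services, CN=moon"
  pubkey:   ECDSA 256 bits
  authkey:  a7:db:14:22:72:76:7b:45:f9:f9:1b:57:59:c1:07:37:9a:a6:57:d2
List of X.509 CA Certificates:
  subject:  "C=CH, ST=TI, L=Stabio, O=Gerosa CA Services, CN=moon"
  keyid:    1f:13:eb:00:2e:a1:00:b3:6a:d0:8d:f7:9f:03:02:9b:41:6b:65:cc
  subjkey:  5a:a3:95:25:a5:02:71:cd:a0:b0:ff:2a:a3:3c:6b:ea:bf:e4:3d:68
"""
DAVE = """List of X.509 End Entity Certificates:
  subject:  "C=CH, ST=TI, L=Stabio, O=Gerosa Server Services, CN=dave"
  pubkey:   ECDSA 256 bits, has private key
  authkey:  a7:db:14:22:72:76:7b:45:f9:f9:1b:57:59:c1:07:37:9a:a6:57:d2
"""
CERTREQ_KEYID = "1f:13:eb:00:2e:a1:00:b3:6a:d0:8d:f7:9f:03:02:9b:41:6b:65:cc"  # keyid in moon's CERTREQ

def parse_listall(text):
    """Return {'ee': [...], 'ca': [...]} of field -> value dicts; a record starts at each 'subject:' line."""
    certs, section, cur = {"ee": [], "ca": []}, None, None
    for line in text.splitlines():
        if line.startswith("List of X.509"):
            section = "ca" if "CA Certificates" in line else "ee"
            continue
        m = re.match(r"\s*(\w+):\s+(.*)$", line)
        if m and m.group(1) == "subject" and section:
            cur = {}
            certs[section].append(cur)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2).strip()
    return certs

def triage(text, certreq_keyid=None):
    """List the trust gaps in one host's output: missing private key, issuer CA not loaded, requested CA absent."""
    certs, problems = parse_listall(text), []
    ca_subjkeys = {ca.get("subjkey") for ca in certs["ca"]}
    for ee in certs["ee"]:
        if "has private key" not in ee.get("pubkey", ""):
            problems.append(f"no private key for {ee['subject']}")
        # The issuer is trusted only when a loaded CA cert's subjkey equals the EE cert's authkey.
        if ee.get("authkey") not in ca_subjkeys:
            problems.append(f"no CA cert with subjkey {ee.get('authkey')}")
    # The peer's CERTREQ names, by keyid, the CA it trusts; we need a cert chaining to that CA.
    if certreq_keyid and certreq_keyid not in {ca.get("keyid") for ca in certs["ca"]}:
        problems.append(f"no CA cert with keyid {certreq_keyid} requested by peer")
    return problems
```

Calling triage(MOON, CERTREQ_KEYID) and triage(DAVE, CERTREQ_KEYID) reports exactly the three gaps named in the reply: no private key on moon, no CA with subjkey a7:db:... on either host, and no CA with the requested keyid on dave.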
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users