Hello Robert,
there are two ways to configure the gateway side in
the network-manager-strongswan plugin:
a) Import the Gateway Certificate which might be self-signed
(CA basic constraint is either FALSE or missing):
Gateway address: 192.168.0.1 or moon.strongswan.org
Gateway certificate: gateway.pem
Either the gateway IP address or the gateway hostname resolvable
via DNS can be given. This information doesn't have to be
contained in the gateway certificate. The gateway's subject
distinguished name is sent as desired IDr to the gateway.
In your case this would be:
"C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department,
CN=openssl.home.ro"
b) Import the Root CA certificate
(CA basic constraint must be TRUE)
This is what you tried unsuccessfully.
Gateway address: 192.168.0.1 or moon.strongswan.org
Gateway certificate: cacert.pem
With Windows 2000 and XP Microsoft did not put any constraints
on the name of the VPN gateway so that any user with a valid
certificate could run a man-in-the-middle attack and
successfully act as the gateway. Learning from heavy criticism
they changed this policy with Windows 7 and require the
gateway IP address or the DNS-resolvable fully qualified hostname
to be contained either in the Common Name (CN=) or as a
subjectAltName in the gateway certificate.
We have adapted a similar policy for the NetworkManager plugin.
Thus if you connect to the gateway with
Gateway address: 192.168.0.1
then you must include the following subjectAltName in the gateway
certificate
subjectAltName = IP:192.168.0.1 # in openssl.cnf notation
I'm not sure if Martin has included CN= matching in the nm plugin
code. Since IP addresses might change over time we recommend
including an FQDN instead
subjectAltName = DNS:moon.strongswan.org # in openssl.cnf notation
and connect via
Gateway address: moon.strongswan.org
If you don't have access to your DNS server then you could add the
entry
192.168.0.1 moon.strongswan.org
to your local /etc/hosts file
In your set up you defined
Gateway address: 192.168.0.1
Thus the desired IDr sent to the gateway was 192.168.0.1 which
failed to match with the default
leftid="C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department,
CN=openssl.home.ro"
resulting from specifying
leftcert=/etc/ssl/home.ro/certs/server_cert.pem
only. You have to change the leftid entry in the gateway's ipsec.conf
either to
leftcert=/etc/ssl/home.ro/certs/server_cert.pem
leftid=192.168.0.1
or
leftcert=/etc/ssl/home.ro/certs/server_cert.pem
[email protected]
depending on what you configure on the client side.
Of course the gateway accepts the leftid only if it is
contained in leftcert.
You might come to the conclusion that locally importing the gateway
certificate might be the easier solution since you won't have to
change your server side configuration.
Best regards
Andreas
Robert Markula wrote:
> Hi,
> I'm having trouble getting the network-manager-strongswan in Ubuntu
> karmic to work. The connection aborts with the error message "no
> matching config found for '192.168.0.1'...'C=DE, ST=BW, L=Stuttgart,
> O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro'".
>
> To be honest, I'm a bit lost here, since the same certificates work
> using the traditional (non-network-manager) way ("ipsec up home").
>
> Server: Ubuntu 9.04 Jaunty Jackalope, strongswan 4.2.9-1
> Client: Ubuntu 9.10 Karmic Koala, network-manager-strongswan
> 1.1.1-2ubuntu1 -or- strongswan 4.2.9-1
>
> I've got the feeling that there's just a small config glitch somewhere,
> but I can't tell where.
>
> Any hints would be greatly appreciated!
>
> Cheers,
> Robert
>
>
> *************************************************
> * Here's the server config:
> * see also http://paste.debian.net/51293/
> *************************************************
> <snip>
> config setup
> plutostart=no
>
> ca strongswan
> cacert=/etc/ssl/home.ro/cacerts/cacert.pem
> auto=add
>
> conn roadwarrior
> left=192.168.0.1
> leftsubnet=192.168.178.0/24
> leftcert=/etc/ssl/home.ro/certs/server_cert.pem
> right=%any
> keyexchange=ikev2
> auto=add
> </snip>
>
> *************************************************
> * And the client's network-manager-strongswan settings:
> *************************************************
> <snip>
> Gateway address: 192.168.0.1
> Gateway certificate: cacert.pem
> Client authentication: Certificate/private key
> Client certificate: vm-ubuntu_cert.pem
> Client private key: vm-ubuntu_key.pem
> + Request an inner IP address
> - Enforce UDP encapsulation
> - Use IP compression
> </snip>
>
> *************************************************
> * These are the client settings when using "ipsec up home":
> * see also http://paste.debian.net/51294/
> *************************************************
> <snip>
> config setup
> plutostart=no
>
> conn home
> left=%defaultroute
> leftcert=/home/loc/.ssh/vm-ubuntu_cert.pem
> right=192.168.0.1
> rightsubnet=192.168.178.0/24
> rightid="C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department,
> CN=openssl.home.ro"
> keyexchange = ikev2
> auto=add
> </snip>
>
>
> *************************************************
> * When using the network manager plugin, the server log reports:
> * see also http://paste.debian.net/51295/
> *************************************************
> <snip>
> Nov 11 16:55:45 cray charon: 17[NET] received packet: from
> 192.168.0.41[500] to 192.168.0.1[500]
> Nov 11 16:55:45 cray charon: 17[ENC] parsed IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov 11 16:55:45 cray charon: 17[IKE] 192.168.0.41 is initiating an IKE_SA
> Nov 11 16:55:45 cray charon: 17[IKE] DH group ECP_192_BIT inacceptable,
> requesting MODP_2048_BIT
> Nov 11 16:55:45 cray charon: 17[ENC] generating IKE_SA_INIT response 0 [
> N(INVAL_KE) ]
> Nov 11 16:55:45 cray charon: 17[NET] sending packet: from
> 192.168.0.1[500] to 192.168.0.41[500]
> Nov 11 16:55:45 cray charon: 08[NET] received packet: from
> 192.168.0.41[500] to 192.168.0.1[500]
> Nov 11 16:55:45 cray charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov 11 16:55:45 cray charon: 08[IKE] 192.168.0.41 is initiating an IKE_SA
> Nov 11 16:55:45 cray charon: 08[IKE] sending cert request for "C=DE,
> ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=ca.home.ro"
> Nov 11 16:55:45 cray charon: 08[ENC] generating IKE_SA_INIT response 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> Nov 11 16:55:45 cray charon: 08[NET] sending packet: from
> 192.168.0.1[500] to 192.168.0.41[500]
> Nov 11 16:55:45 cray charon: 09[NET] received packet: from
> 192.168.0.41[4500] to 192.168.0.1[4500]
> Nov 11 16:55:45 cray charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi
> CERT CERTREQ IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
> Nov 11 16:55:45 cray charon: 09[IKE] received cert request for "C=DE,
> ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=ca.home.ro"
> Nov 11 16:55:45 cray charon: 09[IKE] received end entity cert "C=DE,
> ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro"
> Nov 11 16:55:45 cray charon: 09[CFG] using certificate "C=DE, ST=BW,
> L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro"
> Nov 11 16:55:45 cray charon: 09[CFG] using trusted ca certificate
> "C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=ca.home.ro"
> Nov 11 16:55:45 cray charon: 09[CFG] checking certificate status of
> "C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro"
> Nov 11 16:55:45 cray charon: 09[CFG] certificate status is not available
> Nov 11 16:55:45 cray charon: 09[IKE] authentication of 'C=DE, ST=BW,
> L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro' with RSA
> signature successful
> Nov 11 16:55:45 cray charon: 09[IKE] peer supports MOBIKE
> Nov 11 16:55:45 cray charon: 09[IKE] no matching config found for
> '192.168.0.1'...'C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department,
> CN=vm-ubuntu.home.ro'
> Nov 11 16:55:45 cray charon: 09[ENC] generating IKE_AUTH response 1 [
> N(AUTH_FAILED) ]
> Nov 11 16:55:45 cray charon: 09[NET] sending packet: from
> 192.168.0.1[4500] to 192.168.0.41[4500]
> </snip>
>
> *************************************************
> * This is the server log when using "ipsec up home":
> * see also http://paste.debian.net/51296/
> *************************************************
> <snip>
> Nov 11 17:09:09 cray charon: 12[NET] received packet: from
> 192.168.0.41[500] to 192.168.0.1[500]
> Nov 11 17:09:09 cray charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov 11 17:09:09 cray charon: 12[IKE] 192.168.0.41 is initiating an IKE_SA
> Nov 11 17:09:09 cray charon: 12[IKE] sending cert request for "C=DE,
> ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=ca.home.ro"
> Nov 11 17:09:09 cray charon: 12[ENC] generating IKE_SA_INIT response 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> Nov 11 17:09:09 cray charon: 12[NET] sending packet: from
> 192.168.0.1[500] to 192.168.0.41[500]
> Nov 11 17:09:09 cray charon: 13[NET] received packet: from
> 192.168.0.41[4500] to 192.168.0.1[4500]
> Nov 11 17:09:09 cray charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi
> CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
> Nov 11 17:09:09 cray charon: 13[IKE] received cert request for "C=DE,
> ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=ca.home.ro"
> Nov 11 17:09:09 cray charon: 13[IKE] received end entity cert "C=DE,
> ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro"
> Nov 11 17:09:09 cray charon: 13[CFG] using certificate "C=DE, ST=BW,
> L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro"
> Nov 11 17:09:09 cray charon: 13[CFG] using trusted ca certificate
> "C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=ca.home.ro"
> Nov 11 17:09:09 cray charon: 13[CFG] checking certificate status of
> "C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro"
> Nov 11 17:09:09 cray charon: 13[CFG] certificate status is not available
> Nov 11 17:09:09 cray charon: 13[IKE] authentication of 'C=DE, ST=BW,
> L=Stuttgart, O=LeRo, OU=IT Department, CN=vm-ubuntu.home.ro' with RSA
> signature successful
> Nov 11 17:09:09 cray charon: 13[CFG] found matching peer config
> "roadwarrior": C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department,
> CN=openssl.home.ro...%any with prio 21.5
> Nov 11 17:09:09 cray charon: 13[IKE] peer supports MOBIKE
> Nov 11 17:09:09 cray charon: 13[IKE] authentication of 'C=DE, ST=BW,
> L=Stuttgart, O=LeRo, OU=IT Department, CN=openssl.home.ro' (myself) with
> RSA signature successful
> Nov 11 17:09:09 cray charon: 13[IKE] scheduling reauthentication in 9945s
> Nov 11 17:09:09 cray charon: 13[IKE] maximum IKE_SA lifetime 10485s
> Nov 11 17:09:09 cray charon: 13[IKE] IKE_SA roadwarrior[5] established
> between 192.168.0.1[C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department,
> CN=openssl.home.ro]...192.168.0.41[C=DE, ST=BW, L=Stuttgart, O=LeRo,
> OU=IT Department, CN=vm-ubuntu.home.ro]
> Nov 11 17:09:09 cray charon: 13[IKE] sending end entity cert "C=DE,
> ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=openssl.home.ro"
> Nov 11 17:09:09 cray charon: 13[IKE] CHILD_SA roadwarrior{1} established
> with SPIs ccca36e3_i c7cae4e6_o and TS 192.168.178.0/24 === 192.168.0.41/32
> Nov 11 17:09:09 cray charon: 13[ENC] generating IKE_AUTH response 1 [
> IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR)
> N(ADD_4_ADDR) ]
> Nov 11 17:09:09 cray charon: 13[NET] sending packet: from
> 192.168.0.1[4500] to 192.168.0.41[4500]
> </snip>
======================================================================
Andreas Steffen [email protected]
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
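The following is an added example illustrating the identity rules Andreas describes above; it is not code from the thread and not strongSwan or NetworkManager code. It models only the name binding (which identity a certificate carries, which IDr the client sends, and how the gateway's leftid is matched), with no keys and no signature checks. The Cert records, the CA and gateway subject names and the subjectAltName line are constructed from the values quoted in the thread; moon.strongswan.org is taken from Andreas's example; whether the NM plugin also matches the CN is left as the match_cn switch because the reply says it is unknown. The "legacy" policy stands for the Windows 2000/XP behaviour described above, the "nm" policy for the Windows 7 / NetworkManager rule.

```python
"""Constructed model of the gateway-identity rules discussed in the reply above."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

def is_ip(s: str) -> bool:
    try:
        return bool(ipaddress.ip_address(s))
    except ValueError:
        return False

def canon(identity: str) -> str:
    """Canonical form of an IKE identity: IP address, X.500 DN or FQDN."""
    if is_ip(identity):
        return str(ipaddress.ip_address(identity))
    if "=" in identity:  # a DN such as "C=DE, ST=BW, ..., CN=openssl.home.ro"
        return ",".join(p.strip() for p in identity.split(","))
    return identity.strip().lower().rstrip(".")  # hostname

@dataclass
class Cert:
    """Identity-bearing parts of an X.509 cert (constructed: no keys, no signature check)."""
    subject_dn: str
    issuer_dn: Optional[str] = None  # None: self-signed
    sans: List[Tuple[str, str]] = field(default_factory=list)  # ("IP"|"DNS", value)
    ca: bool = False  # basicConstraints CA flag

def parse_san(line: str) -> List[Tuple[str, str]]:
    """Parse 'subjectAltName = IP:192.168.0.1, DNS:host # comment' (openssl.cnf notation)."""
    _, _, rhs = line.partition("=")
    entries = []
    for item in rhs.split("#", 1)[0].split(","):
        if not item.strip():
            continue
        kind, sep, value = item.strip().partition(":")
        kind, value = kind.strip().upper(), value.strip()
        if not sep or kind not in ("IP", "DNS"):
            raise ValueError(f"unsupported SAN entry: {item.strip()!r}")
        entries.append((kind, str(ipaddress.ip_address(value)) if kind == "IP" else canon(value)))
    return entries

def cert_contains(cert: Cert, identity: str, match_cn: bool = False) -> bool:
    """Full subject DN always counts; an IP/FQDN must be a SAN (or the CN if match_cn)."""
    wanted = canon(identity)
    if wanted == canon(cert.subject_dn):
        return True
    if "=" in wanted:  # some other DN never matches
        return False
    kind = "IP" if is_ip(wanted) else "DNS"
    if any(k == kind and canon(v) == wanted for k, v in cert.sans):
        return True
    cn = dict((k.upper(), v) for k, _, v in
              (r.partition("=") for r in canon(cert.subject_dn).split(","))).get("CN", "")
    return match_cn and kind == "DNS" and canon(cn) == wanted

def client_verify(gateway_address: str, imported: Cert, presented: Cert,
                  policy: str = "nm", match_cn: bool = False) -> bool:
    """Client check of the cert the gateway sends in IKE_AUTH. 'nm': the address
    must be in the cert (Windows 7 / NM rule); 'legacy': any cert chaining to the CA."""
    if not imported.ca:  # case a): the gateway's own cert is pinned
        return not presented.ca and canon(presented.subject_dn) == canon(imported.subject_dn)
    if presented.ca or canon(presented.issuer_dn or "") != canon(imported.subject_dn):
        return False  # does not chain to the imported root CA
    if policy == "legacy":
        return True  # name never checked: any valid cert can impersonate the gateway
    return cert_contains(presented, gateway_address, match_cn)

def gateway_check(idr: str, leftcert: Cert, leftid: Optional[str] = None) -> str:
    """leftid defaults to the subject DN of leftcert, must be contained in
    leftcert, and the peer's IDr must match it (charon-style outcome string)."""
    leftid = leftid or leftcert.subject_dn
    if not cert_contains(leftcert, leftid, match_cn=True):
        return f"leftid {leftid!r} not contained in leftcert"
    return "established" if canon(idr) == canon(leftid) else f"no matching config found for {idr!r}"

def simulate(gateway_address: str, imported: Cert, leftcert: Cert,
             leftid: Optional[str] = None, policy: str = "nm") -> str:
    """One IKE_AUTH round: the NM client sends IDr = subject DN of a pinned gateway
    cert (case a) or the configured address (case b); the gateway matches its
    config; then the client verifies the cert the gateway returns."""
    idr = canon(gateway_address) if imported.ca else canon(imported.subject_dn)
    outcome = gateway_check(idr, leftcert, leftid)
    if outcome == "established" and not client_verify(gateway_address, imported, leftcert, policy):
        return "client rejected gateway certificate"
    return outcome

# Constructed sample data modelled on the thread (moon.strongswan.org is assumed).
CA_DN = "C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=ca.home.ro"
GW_DN = "C=DE, ST=BW, L=Stuttgart, O=LeRo, OU=IT Department, CN=openssl.home.ro"
CA = Cert(CA_DN, ca=True)
GW_PLAIN = Cert(GW_DN, issuer_dn=CA_DN)  # like Robert's server_cert.pem: no SAN
GW_SAN = Cert(GW_DN, issuer_dn=CA_DN,
              sans=parse_san("subjectAltName = IP:192.168.0.1, DNS:moon.strongswan.org"))
# simulate("192.168.0.1", CA, GW_PLAIN)   -> "no matching config found for '192.168.0.1'"
# simulate("192.168.0.1", GW_PLAIN, GW_PLAIN) -> "established"   (option a)
```

Running simulate() with Robert's combination (CA imported, gateway address 192.168.0.1, only leftcert on the gateway) reproduces the "no matching config found" outcome from his log; importing the gateway certificate (option a), or adding leftid=192.168.0.1 to a gateway certificate that carries IP:192.168.0.1 as subjectAltName (option b), both end in "established". Setting leftid to an address the certificate does not contain is rejected on the gateway side, and client_verify() with policy="legacy" shows why the Windows 2000/XP rule let any holder of a valid certificate act as the gateway.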
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users