Hi Ashish,
I had the same problem a few months ago. As I didn't get an answer on the
list I wrote a small patch that solved my problem.
The patch was for strongswan-4.3.2 so you'll probably have to adapt it
for newer strongswan versions.
If you set rightid=%frompeercert in your conn in ipsec.conf the patched
strongswan will take the subject DN from the peer's certificate in MR3 as
the peer's ID. Make sure the peer sends its certificate or you'll get
serious problems. ;-)
Keep in mind that this is not secure compared to strongswan's default
behavior as you do not care about the peer's ID.
Best Regards
Michael
ashish mahalka wrote:
Hi Andreas,
It would be really great if you could spend some time to look at this
problem. I feel really bad to trouble you guys so much, but this is
kind of urgent and I need to know if there is a way to workaround
pluto and get ikev1 working with left|rightid = %any.
Thanks for all the help!
regards,
Ashish.
On 1/20/10, ashish mahalka <[email protected]> wrote:
Hi Andreas,
I am trying to set up an ikev1 connection between two peers:
10.10.10.2 ======= 10.10.10.5
10.10.10.2 is the initiator and 10.10.10.5 is the responder.
In the initiator's ipsec.conf, I am specifying the responder's IP
address as I know it, but its identity, i.e. rightid=%any or
wildcard characters, as I have no idea about the DN of the remote peer.
As Daniel's response says, this is a limitation on the pluto side. But
charon does work fine.
Is it possible to change strongswan to overcome this limitation?
Thanks & Regards,
Ashish.
On 1/20/10, Daniel Mentz <[email protected]> wrote:
Hi Ashish,
when I carried out the test, I was thinking about an instance of
strongSwan that only *responds* to connection setup requests. I did not
have strongSwan *initiate* connections.
What you are basically saying to strongSwan is:
"Initiate a connection to 10.10.10.2. Ignore the identity of the peer
because I do not know it. But make sure that the peer has a valid
certificate that is signed by a CA I trust."
This kind of configuration is unusual in my opinion because you are
trying to initiate a connection but you do not even know what the
identity of the peer is.
However, it makes sense to *respond* to requests from unknown peers
because those requests might come from road warriors.
I'm afraid that pluto simply does not support the kind of configuration
you are thinking about. Charon apparently does support it.
I do not know whether this is a limitation of the protocol (IKEv1) or
the implementation (pluto).
I suggest addressing the strongSwan core developers and asking if there is
a way to overcome this limitation.
-Daniel
ashish mahalka wrote:
Hi Daniel,
Yes, you are correct. I know the remote IP address but don't know the
DN of the remote peer. If I remember correctly, when using DN
wildcards, I was getting an error which said
"cannot initiate connection with wildcards". I am using strongswan
4.3.4.
Can you tell me what version of strongswan you are using? Also, would it
be possible to establish the connection if we specify
rightid="/CN=*/", though the DN of the peer contains all the values (I
mean C, ST, O, ...)?
If possible, can you please test on your setup whether specifying
rightid="C=*, ST=*, O=*, OU=*, CN=*, E=*" establishes the
connection.
Thanks in advance!
regards,
Ashish.
On 1/19/10, Daniel Mentz <[email protected]> wrote:
Hi Ashish,
here are my test results:
You can't use right=1.2.3.4 and right=%any at the same time i.e. you
can't specify an IP address for the remote end and use %any for the ID.
However, DN wildcards appear to work ok. I just spotted a typo in your
original mail:
rightid="C*, ST=*, O=*, OU=*, CN=*, E=*"
You're missing a character there. It should be:
rightid="C=*, ST=*, O=*, OU=*, CN=*, E=*"
I successfully tested it with a simpler pattern:
rightid="/CN=*/"
I should mention, though, that the certificate I'm using only has a
Common Name (CN), no other RDNs.
What I can read from your config files is that you do know the remote
IP address but you do not know the DN of the peer. Is that correct?
-Daniel
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
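Daniel's observation that `/CN=*/` only matched because his certificate carries no RDN besides the CN, and the `C*` typo he spotted, both come down to how a rightid DN pattern is matched against the certificate subject. The following Python model is an added example, not code from the thread or from strongSwan; it assumes pluto's rule that pattern and subject must carry the same attribute types in the same order, with `*` matching any value of one RDN (an assumption about pluto's matching, not something the thread confirms), and the sample subjects are constructed.

```python
"""Model of pluto's DN wildcard matching for rightid (constructed example).
Assumed rule: pattern and subject must have the same attribute types in
the same order; a pattern value of '*' matches any value of that RDN."""
from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'C=CH, O=x' or '/C=CH/O=x/' into (type, value) pairs.
    An RDN without '=' (the 'C*' typo from the thread) is a parse error."""
    s = dn.strip()
    parts = s.strip("/").split("/") if s.startswith("/") else s.split(",")
    rdns = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"RDN without '=': {part!r}")
        typ, value = part.split("=", 1)
        rdns.append((typ.strip().upper(), value.strip()))
    return rdns


def match_dn(subject: str, pattern: str) -> tuple[bool, int]:
    """Return (matched, wildcards_used) for a subject DN against a rightid pattern."""
    a, b = parse_dn(subject), parse_dn(pattern)
    if len(a) != len(b):  # same number of RDNs required
        return False, 0
    wildcards = 0
    for (ta, va), (tb, vb) in zip(a, b):
        if ta != tb:  # attribute types must agree, in order
            return False, 0
        if vb == "*":
            wildcards += 1
        elif va != vb:
            return False, 0
    return True, wildcards


# Constructed sample subjects: a full DN like Ashish's peer, and a CN-only one like Daniel's.
PEER_SUBJECT = "C=CH, ST=Zurich, O=Example, OU=VPN, CN=peer.example.org, E=admin@example.org"
CN_ONLY_SUBJECT = "CN=peer.example.org"

if __name__ == "__main__":
    print(match_dn(PEER_SUBJECT, "C=*, ST=*, O=*, OU=*, CN=*, E=*"))  # (True, 6)
    print(match_dn(PEER_SUBJECT, "/CN=*/"))  # (False, 0): RDN count differs
    print(match_dn(CN_ONLY_SUBJECT, "/CN=*/"))  # (True, 1)
```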
diff -crB strongswan-4.3.2/src/pluto/connections.c strongswan/src/pluto/connections.c
*** strongswan-4.3.2/src/pluto/connections.c 2009-07-06 17:12:26.093444033 +0200
--- strongswan/src/pluto/connections.c 2009-07-07 14:06:36.645891341 +0200
***************
*** 1057,1062 ****
--- 1057,1067 ----
same_leftca = extract_end(&c->spd.this, &wm->left, "left");
same_rightca = extract_end(&c->spd.that, &wm->right, "right");
+ /* Set boolean property to get the ID from the peer's certificate, if ID is special value "%frompeercert".
+ * Must be done after extracting the peer end from the configuration. */
+ if (c->spd.that.id.kind == ID_DER_ASN1_DN && strneq(c->spd.that.id.name.ptr, "%frompeercert", c->spd.that.id.name.len))
+ c->get_id_from_peer_cert = TRUE;
+
if (same_rightca)
c->spd.that.ca = c->spd.this.ca;
else if (same_leftca)
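Review bot: `get_id_from_peer_cert` is only ever assigned TRUE here and never reset, so unless the connection is zero-filled on allocation (not visible in this hunk) the field is uninitialised for every conn that does not use `%frompeercert`; add `c->get_id_from_peer_cert = FALSE;` before the `if`, or initialise it where the connection struct is allocated. The test also depends on `id.name` still holding the literal `"%frompeercert"` bytes under `ID_DER_ASN1_DN`, so it must stay immediately after `extract_end()` as it is now; a comment saying that ordering is required would help the next person who moves it.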
diff -crB strongswan-4.3.2/src/pluto/connections.h strongswan/src/pluto/connections.h
*** strongswan-4.3.2/src/pluto/connections.h 2009-07-06 17:12:26.093444033 +0200
--- strongswan/src/pluto/connections.h 2009-07-07 11:04:51.437888305 +0200
***************
*** 224,229 ****
--- 224,230 ----
generalName_t *requested_ca; /* collected certificate requests */
bool got_certrequest;
+ bool get_id_from_peer_cert; /* Get ID from peer's certificate in MR3? */
};
#define oriented(c) ((c).interface != NULL)
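Review bot: the comment on `get_id_from_peer_cert` describes the mechanism but not the consequence; since setting it means the peer's identity becomes whatever subject DN its certificate carries, the struct comment should say so, e.g. `/* Take peer ID from its certificate subject (MR3); disables matching against the configured rightid */`, so the trade-off Michael mentions in the mail is visible where the flag is declared.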
diff -crB strongswan-4.3.2/src/pluto/id.c strongswan/src/pluto/id.c
*** strongswan-4.3.2/src/pluto/id.c 2009-06-17 11:37:13.000000000 +0200
--- strongswan/src/pluto/id.c 2009-07-07 14:06:36.129892915 +0200
***************
*** 174,179 ****
--- 174,187 ----
{
id->kind = ID_MYID;
}
+ else if (streq("%frompeercert", src))
+ {
+ /* Copy %frompeercert to ID to later set boolean property in the connection.
+ * The connection property cannot be set directly here. */
+ id->kind = ID_DER_ASN1_DN;
+ id->name.len = strlen(src);
+ id->name.ptr = (u_char *)(strndup(src, id->name.len));
+ }
else if (strchr(src, '=') != NULL)
{
/* we interpret this as an ASCII X.501 ID_DER_ASN1_DN */
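Review bot: this branch stores the ASCII string `"%frompeercert"` in `id->name` while declaring `id->kind = ID_DER_ASN1_DN`, so until the subject is swapped in later the ID is a DN-kind value whose bytes are not DER, and anything that decodes or prints the ID by its kind (status output, comparison with other connections' IDs) will see an invalid DN. A dedicated kind alongside `ID_MYID` would avoid misdescribing the encoding. Minor: `strndup()` already returns the length you pass, so `strdup(src)` suffices, the `(u_char *)` cast and extra parentheses can go, and the result should be NULL-checked or allocated with the same helper that the later `chunk_free()` pairs with.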
diff -crB strongswan-4.3.2/src/pluto/ipsec_doi.c strongswan/src/pluto/ipsec_doi.c
*** strongswan-4.3.2/src/pluto/ipsec_doi.c 2009-07-06 17:12:26.139014371 +0200
--- strongswan/src/pluto/ipsec_doi.c 2009-07-07 14:06:36.321888483 +0200
***************
*** 2123,2128 ****
--- 2123,2136 ----
DBG_log("Public key validated")
)
add_x509_public_key(&cert, valid_until, DAL_SIGNED);
+ chunk_t idFromPeerCert = chunk_clone(cert.subject);
+ if (c->spd.that.id.name.len != 0)
+ {
+ chunk_t oldName = c->spd.that.id.name;
+ chunk_free(&oldName);
+ }
+ c->spd.that.id.name = idFromPeerCert;
+ c->spd.that.id.kind = ID_DER_ASN1_DN;
}
else
{
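Review bot: the substitution is unconditional: nothing in this hunk tests `c->get_id_from_peer_cert`, the flag introduced in connections.c/h, so every connection that reaches this validated-certificate path has its configured `rightid` replaced by the certificate's subject, not only those with `rightid=%frompeercert`. Wrap the block in `if (c->get_id_from_peer_cert) { ... }`. Two smaller points: freeing through a copy (`chunk_t oldName = c->spd.that.id.name; chunk_free(&oldName);`) leaves `c->spd.that.id.name.ptr` dangling until the assignment two lines later, where a direct `chunk_free(&c->spd.that.id.name);` is clearer; and because `c->spd.that` is the connection's end rather than this negotiation's state, the learned ID persists on the connection after this exchange, which is worth either documenting or keeping on the state instead.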