Thanks for the tip! I added the subjectAltName to my openssl.cnf file, regenerated the certificate and now it is working!
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
subjectAltName = @alt_names

[alt_names]
IP.1 = 172.16.107.2

On Thu, Apr 29, 2010 at 12:41 AM, Andreas Steffen <[email protected]> wrote:
> Hi Jim,
>
> IPsec is not SSL! If your peer's identity is the IPv4 address
> 172.16.107.2 then it will not be checked against the CN= field
> in the certificate. Instead the certificate must contain the
> IP address as a subjectAltName extension.
>
> It also seems that the host itself is using the same certificate.
> You should use distinct certs for each VPN host.
>
> Regards
>
> Andreas
>
> Jim Tessier wrote:
>> Hello,
>> I am having no luck setting up a mutually authenticated tunnel
>> using certificates. I have tried mucking around with just about every
>> ipsec.conf parameter, but no luck. I also saw the FAQ, but could not
>> make sense of the answer. Any help is appreciated!!! Thanks.
>>
>> Here is my output:
>>
>> 04[CFG] added configuration 'home'
>> 08[CFG] received stroke: initiate 'load'
>> 08[CFG] no config named 'load'
>> 08[CFG]
>> 07[CFG] received stroke: initiate 'home'
>> 10[IKE] initiating IKE_SA home[1] to 172.16.107.2
>> 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> 10[NET] sending packet: from 2.2.2.3[500] to 172.16.107.2[500]
>> 12[NET] received packet: from 172.16.107.2[500] to 2.2.2.3[500]
>> 12[ENC] parsed IKE_SA_INIT response 0 [ N(COOKIE) ]
>> 12[IKE] initiating IKE_SA home[1] to 172.16.107.2
>> 12[ENC] generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> 12[NET] sending packet: from 2.2.2.3[500] to 172.16.107.2[500]
>> 16[NET] received packet: from 172.16.107.2[500] to 2.2.2.3[500]
>> 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
>> 16[IKE] local host is behind NAT, sending keep alives
>> 16[IKE] received cert request for "O=AcmePacket, OU=CSE, [email protected], L=Burlington, ST=MA, C=US, CN=selab.com"
>> 16[IKE] sending cert request for "O=AcmePacket, OU=CSE, [email protected], L=Burlington, ST=MA, C=US, CN=selab.com"
>> 16[IKE] authentication of 'C=US, ST=Massachusetts, O=Acme Packet, OU=Systems Engineering, CN=172.16.107.2' (myself) with RSA signature successful
>> 16[IKE] sending end entity cert "C=US, ST=Massachusetts, O=Acme Packet, OU=Systems Engineering, CN=172.16.107.2"
>> 16[IKE] establishing CHILD_SA home
>> 16[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr N(EAP_ONLY) ]
>> 16[NET] sending packet: from 2.2.2.3[4500] to 172.16.107.2[4500]
>> 13[NET] received packet: from 172.16.107.2[4500] to 2.2.2.3[4500]
>> 13[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CP SA TSi TSr ]
>> 13[IKE] received end entity cert "C=US, ST=MA, L=Burlington, O=Engineering, CN=172.16.107.2"
>> 13[IKE] no trusted RSA public key found for '172.16.107.2'
>> 00[DMN] signal of type SIGINT received. Shutting down
>> 00[KNL] received netlink error: Invalid argument (22)
>>
>> And here is my ipsec.conf file:
>>
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> # basic configuration
>>
>> config setup
>>     plutostart=no
>>     charondebug=all
>>
>> ca msg1
>>     cacert=CA-SS-acmesec1.pem
>>     auto=add
>>
>> conn %default
>>     ike=aes128-sha1-modp1024!
>>     esp=aes128-sha1!
>>     ikelifetime=23d
>>     keylife=22d
>>     rekeymargin=10m
>>     keyingtries=1
>>     keyexchange=ikev2
>>     mobike=no
>>     auto=add
>>     lefthostaccess=no
>>     dpdaction=restart
>>     dpddelay=45
>>     rekey=yes
>>     reauth=no
>>     forceencaps=yes
>>
>> conn home
>>     left=%defaultroute
>>     leftsourceip=%modeconfig
>>     leftcert=acmesec1Cert.pem
>>     leftfirewall=yes
>>     rightfirewall=yes
>>     right=172.16.107.2
>>     rightid=%172.16.107.2
>>     rightsubnet=192.168.105.0/24
>>
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> https://lists.strongswan.org/mailman/listinfo/users
>
>
> --
> ======================================================================
> Andreas Steffen                                   [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
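To make Andreas's point concrete, here is an added example (not code from the thread and not strongSwan's own matcher) that parses the `[alt_names]` section from the openssl.cnf fix at the top and mimics the IKEv2 identity check: an IPv4 peer identity is accepted only when it appears as a SAN iPAddress entry, never via CN=. The config string is the one from the fix, reproduced inline; `parse_alt_names`, `_norm_dn` and `peer_id_matches` are names chosen for this example.

```python
import ipaddress
import re

# Constructed sample: the v3_req/alt_names sections from the fix above, as a string.
OPENSSL_CNF_WITH_SAN = """
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
subjectAltName = @alt_names
[alt_names]
IP.1 = 172.16.107.2
"""

def parse_alt_names(cnf, section="alt_names"):
    """(kind, value) pairs from an openssl.cnf [alt_names] section; only the
    IP.n / DNS.n / email.n keys are recognised, anything else is ignored."""
    names, current = [], None
    for raw in cnf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            continue
        if current != section or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        kind = key.split(".", 1)[0].lower()
        if kind in ("ip", "dns", "email"):
            names.append((kind, value))
    return names

def _norm_dn(dn):
    # "C=US, CN=x" -> [("C", "US"), ("CN", "x")]; attribute types compare case-insensitively
    return [(k.strip().upper(), v.strip())
            for k, v in (rdn.split("=", 1) for rdn in dn.split(","))]

def peer_id_matches(peer_id, subject_dn, alt_names):
    """An IP identity is matched only against SAN iPAddress entries, an FQDN or
    e-mail identity against SAN dNSName/rfc822Name, and a DN identity against the
    whole subject DN. CN= on its own is never consulted for an IP identity."""
    if "=" in peer_id:                                # DN identity
        return _norm_dn(peer_id) == _norm_dn(subject_dn)
    try:
        ip = ipaddress.ip_address(peer_id)            # IP identity
    except ValueError:                                # FQDN or e-mail identity
        return any(k in ("dns", "email") and v.lower() == peer_id.lower()
                   for k, v in alt_names)
    return any(k == "ip" and ipaddress.ip_address(v) == ip for k, v in alt_names)
```

With the SAN present the IP identity 172.16.107.2 matches; with the original cert (CN=172.16.107.2 but no SAN) it does not, which is the "no trusted RSA public key found" outcome in the log.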
