Hi Andreas, Thanks a lot for your reply. Please find my replies inline.
On Thu, Mar 17, 2011 at 10:08 PM, Andreas Steffen <[email protected]> wrote:
> On 17.03.2011 12:33, Meera Sudhakar wrote:
> > Hi Andreas,
> >
> > This problem was solved by the solution provided in
> > http://www.mail-archive.com/[email protected]/msg02152.html. I
> > now have a new problem for which I cannot find a solution. It would be
> > great if you could help me understand the problem, and hopefully provide
> > a solution too.
> >
> > I generated the private key and certificate for my machines (the
> > initiator and the receiver) by executing the following command on each
> > of them:
> >
> > openssl req -x509 -days 1460 -newkey rsa:2048 \
> >     -keyout strongswanKey.pem -out strongswanCert.pem
>
> This generates a self-signed CA certificate which cannot be used
> as a peer certificate.
>
> > I then placed the file strongswanKey.pem in the path
> > /etc/ipsec.d/private/, and the file strongswanCert.pem in the path
> > /etc/ipsec.d/certs. So now, the line " : RSA strongswanKey.pem "xxxx" "
> > is added to the file ipsec.secrets, and the line
> > "leftcert=strongswanCert.pem" is added to the file ipsec.conf.
> >
> > After starting strongswan, the following was seen in the log file:
> >
> > Mar 17 18:35:32 cip-Latitude-D520 charon: 00[CFG] loading secrets from
> > '/etc/ipsec.secrets'
> > Mar 17 18:35:32 cip-Latitude-D520 charon: 00[CFG] loaded RSA private
> > key from '/etc/ipsec.d/private/strongswanKey.pem'
> > *Mar 17 18:35:32 cip-Latitude-D520 charon: 00[CFG] expanding file
> > expression '/var/lib/strongswan/ipsec.secrets.inc' failed
>
> do you include secrets from /var/lib/strongswan/ipsec.secrets.inc ?
>
The line "include /var/lib/strongswan/ipsec.secrets.inc" was present in
ipsec.conf. That file contains nothing though. So I now tried removing the
line from ipsec.conf, but I still see the above message in the logfile.

> > *Mar 17 18:35:32 cip-Latitude-D520 charon: 00[DMN] loaded plugins: curl
> > ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem
> > openssl fips-prf xcbc hmac agent gmp attr kernel-netlink socket-default
> > farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2
> > dhcp resolve
> >
> > Later on in the logs, I see that CHILD_SA was established, but IKE
> > authentication failed. I am not sure if this is connected to the above
> > problem. Please find a part of the logfile here:
> >
> > *Mar 17 18:35:44 cip-Latitude-D520 charon: 12[IKE] establishing CHILD_SA
> > sample-with-ca-cert
>
> This is just an announcement that a CHILD_SA is going to be established.
>
Ok.

> > *Mar 17 18:35:44 cip-Latitude-D520 charon: 12[ENC] generating IKE_AUTH
> > request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP)
> > N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> > Mar 17 18:35:44 cip-Latitude-D520 charon: 12[NET] sending packet: from
> > 10.58.114.215[4500] to 10.58.112.139[4500]
> > Mar 17 18:35:44 cip-Latitude-D520 charon: 13[NET] received packet: from
> > 10.58.112.139[4500] to 10.58.114.215[4500]
> > Mar 17 18:35:44 cip-Latitude-D520 charon: 13[ENC] parsed IKE_AUTH
> > response 1 [ N(AUTH_FAILED) ]
> > *Mar 17 18:35:44 cip-Latitude-D520 charon: 13[IKE] received
> > AUTHENTICATION_FAILED notify error
> > *
>
> The peer side has an authentication problem because you are sending
> a self-signed certificate. You must send an end entity certificate
> signed by the strongSwan CA and put strongswanCert.pem into
> /etc/ipsec.d/cacerts as a trust anchor.
>
Ok. This was something I hadn't realized.

> > Could you please help me sort this out?
>
> Consult the following link how to set up a simple PKI:
>
> http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
>
I went through the instructions in the link mentioned here. It's mentioned
in the link that it was kept "as simple as possible", but I still have a
couple of doubts here :-)

1. I have an initiator and a responder. So, I will first create a private
   key and self-signed CA certificate. This self-signed certificate will
   help me generate end-entity certificates. (I hope my understanding is
   right.) I created these on the initiator first.
2. I then created the peer key and end-entity certificate for the
   initiator, using the CA private key and CA certificate created in
   step 1.
3. Now, I copied the CA private key and the CA certificate (created in
   step 1) to the responder, and there, I created the peer key and
   end-entity certificate for the responder.
4. In each of the machines, I stored the peer key in /etc/ipsec.d/private,
   and the end-entity certificate in /etc/ipsec.d/certs. The CA cert is
   stored in /etc/ipsec.d/cacerts.
5. I hope whatever I have done is correct. Please let me know if I
   understood the instructions correctly.

Once I did this and started strongswan, I got the following messages in
the logfile:

Mar 18 19:14:33 cip-Latitude-D520 charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[IKE] received end entity cert "C=CH, O=strongSwan, CN=peer"
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] looking for peer configs matching 10.58.114.215[C=CH, O=strongSwan, CN=peer]...10.58.112.139[C=CH, O=strongSwan, CN=peer]
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] selected peer config 'sample-with-ca-cert'
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan CA"
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] checking certificate status of "C=CH, O=strongSwan, CN=peer"
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] certificate status is not available
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] reached self-signed root ca with a path length of 0
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] using trusted certificate "C=CH, O=strongSwan, CN=peer"
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[IKE] signature validation failed, looking for another key
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] using certificate "C=CH, O=strongSwan, CN=peer"
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan CA"
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] checking certificate status of "C=CH, O=strongSwan, CN=peer"
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] certificate status is not available
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] reached self-signed root ca with a path length of 0
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[IKE] authentication of 'C=CH, O=strongSwan, CN=peer' with RSA signature successful
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] constraint check failed: peer not authenticated with peer cert 'C=CH, O=strongSwan, CN=peer'.
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] selected peer config 'sample-with-ca-cert' inacceptable
Mar 18 19:14:33 cip-Latitude-D520 charon: 12[CFG] no alternative config found

I really feel I have done something wrong :-(

Also, I read in the link http://wiki.strongswan.org/issues/103 that "If
authentication is based on X.509 certificates then the identity of the
peer *must always* be contained in the peer certificate". This is
something I did not do. I just copied the commands from the link you had
mentioned. So, should I mention the peer's IP address while creating its
certificate (in the dn)?

Thanks and regards,
Meera

> > Thanks in advance,
> >
> > Meera
>
> Regards
>
> Andreas
>
> ======================================================================
> Andreas Steffen [email protected]
> strongSwan - the Linux VPN Solution!
> www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
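The PKI procedure discussed in this thread (one self-signed CA, one CA-issued end-entity certificate per peer, CA certificate as the trust anchor) as an added, runnable example. This is not code from the thread or from the strongSwan project: it uses the plain openssl CLI rather than strongSwan's own `ipsec pki` tool (whose `--issue ... --dn ... --san ...` does the same job), and the peer names moon.strongswan.org and sun.strongswan.org, the file names and the working directory are assumptions; the two IP addresses are the ones in the log above. Two points from the log are made explicit. First, the self-signed certificate that `openssl req -x509` produces is checked to show that it does not chain to the CA, which is what the first attempt ran into. Second, the later log shows both peers presenting certificates with the identical subject "C=CH, O=strongSwan, CN=peer", so charon first tried the wrong key; here each peer gets a distinct identity, placed in the subject CN and in a subjectAltName (DNS and IP), so that `leftid`/`rightid` in ipsec.conf can name the peer by DN, FQDN or IP and still be found in its certificate. The CA private key is only needed where certificates are issued and is not copied to the peers.

```shell
#!/bin/sh
# Added example (not from the thread or the strongSwan project): build a
# two-peer PKI with openssl and check what charon checked in the log: that
# each peer cert chains to the CA trust anchor and that each peer's identity
# is actually present in its own certificate. Names/IPs/paths are assumptions.
set -eu

WORK=${WORK:-$(mktemp -d)}
CA_KEY="$WORK/caKey.pem"
CA_CERT="$WORK/caCert.pem"

# Minimal openssl config: a DN for "req" and the extensions that make a
# certificate a CA certificate (what the peers must NOT have).
cat > "$WORK/pki.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
C = CH
O = strongSwan
CN = strongSwan CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed CA: the only certificate that may be self-signed. caCert.pem
# goes to /etc/ipsec.d/cacerts on every peer; caKey.pem stays where
# certificates are issued.
make_ca() {
  openssl req -x509 -config "$WORK/pki.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -days 1460 \
    -keyout "$CA_KEY" -out "$CA_CERT" 2>/dev/null
}

# End-entity certificate for one peer: $1 = FQDN used as IKE identity,
# $2 = its IP. The identity is put in the subject CN and in subjectAltName,
# so leftid/rightid may be the DN, the FQDN or the IP and still match.
make_peer() {
  name=$1; ip=$2
  openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/C=CH/O=strongSwan/CN=$name" \
    -keyout "$WORK/${name}Key.pem" -out "$WORK/${name}Req.pem" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nsubjectAltName = DNS:%s,IP:%s\n' \
    "$name" "$ip" > "$WORK/${name}.ext"
  openssl x509 -req -days 730 -in "$WORK/${name}Req.pem" \
    -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
    -extfile "$WORK/${name}.ext" -out "$WORK/${name}Cert.pem" 2>/dev/null
}

# The first attempt in the thread: a self-signed cert used as a peer cert.
# Kept only to show that it does not chain to the CA.
make_selfsigned_peer() {
  name=$1
  openssl req -x509 -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -days 1460 \
    -subj "/C=CH/O=strongSwan/CN=$name" \
    -keyout "$WORK/${name}Key.pem" -out "$WORK/${name}Cert.pem" 2>/dev/null
}

# Does $1's certificate validate against the CA trust anchor? Matching the
# "OK" line keeps this independent of openssl's exit-code behaviour.
chains_to_ca() {
  openssl verify -CAfile "$CA_CERT" "$WORK/$1Cert.pem" 2>/dev/null | grep -q ': OK$'
}

# Is FQDN $2 present in $1's certificate as a subjectAltName DNS entry?
cert_has_identity() {
  openssl x509 -in "$WORK/$1Cert.pem" -noout -text | grep -qE "DNS:$2(,|$)"
}

# Subject DN of $1's certificate (used to show the two peers are distinct).
cert_subject() {
  openssl x509 -in "$WORK/$1Cert.pem" -noout -subject
}

# ipsec.conf conn for peer $1 talking to peer $2: leftcert names the file
# in /etc/ipsec.d/certs, and both identities are ones found in the certs.
ipsec_conf_for() {
  printf 'conn %s-to-%s\n\tleftcert=%sCert.pem\n\tleftid=%s\n\trightid=%s\n\tauto=add\n' \
    "$1" "$2" "$1" "$1" "$2"
}

main() {
  make_ca
  make_peer moon.strongswan.org 10.58.114.215
  make_peer sun.strongswan.org 10.58.112.139
  make_selfsigned_peer lonely.strongswan.org
  for p in moon.strongswan.org sun.strongswan.org lonely.strongswan.org; do
    if chains_to_ca "$p"; then echo "$p: chains to CA"; else echo "$p: NOT trusted"; fi
  done
  ipsec_conf_for moon.strongswan.org sun.strongswan.org
}

main
```

Running it prints "chains to CA" for moon and sun and "NOT trusted" for the self-signed lonely certificate, then the conn block for moon. To deploy, each peer gets only its own Key.pem in /etc/ipsec.d/private (referenced from ipsec.secrets), its own Cert.pem in /etc/ipsec.d/certs, and caCert.pem in /etc/ipsec.d/cacerts.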
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
