Hi Sriram, in order for an Intermediate CA certificate to be accepted by strongSwan, the CA basic constraint in the certificate has to be set to TRUE. So if you execute
openssl x509 -in ca-int.crt -noout -text
the CA flag should show as TRUE:
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Regards
Andreas
On 04.03.2014 14:57, Sriram wrote:
Hi Andreas,
I think it is not loaded.
On 10.206.1.11
[root@localhost ~]# ipsec listcacerts
List of X.509 CA Certificates:
subject: "CN=DaRoot"
issuer: "CN=DaRoot"
serial: c9:95:0a:00:41:c4:d8:25
validity: not before Mar 03 18:10:17 2014, ok
not after Apr 02 18:10:17 2014, ok (expires in 28 days)
pubkey: RSA 2048 bits
keyid: be:25:1a:4a:e6:f8:44:c4:fe:32:a8:d4:7c:9d:75:42:7d:51:19:0f
subjkey: c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
authkey: c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
On 10.206.1.10
[root@localhost ~]# ipsec listcacerts
List of X.509 CA Certificates:
subject: "CN=DaRoot"
issuer: "CN=DaRoot"
serial: c9:95:0a:00:41:c4:d8:25
validity: not before Mar 03 18:10:17 2014, ok
not after Apr 02 18:10:17 2014, ok (expires in 28 days)
pubkey: RSA 2048 bits
keyid: be:25:1a:4a:e6:f8:44:c4:fe:32:a8:d4:7c:9d:75:42:7d:51:19:0f
subjkey: c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
authkey: c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
Regards,
Sriram.
On Tue, Mar 4, 2014 at 6:49 PM, Andreas Steffen <[email protected]> wrote:
Hi Sriram, could you post the output of the command
ipsec listcacerts
both on 10.206.1.10 and 10.206.1.11. This shows if the intermediate CA certificates have been successfully loaded.
Regards
Andreas
On 04.03.2014 12:45, Sriram wrote:
Hi Everyone,
I have a host-to-host IPsec setup between two IPs, 10.206.1.10 and 10.206.1.11.
The tunnel is established using certificates. The tunnel is established properly when the certificates are generated using the root CA.
But when the certificates are generated using intermediate CAs, the tunnel is not getting established.
In 10.206.1.10
Under /etc/ipsec.d/cacerts/ I have copied ca.crt (root CA), *ca-int.crt (intermediate CA)*
In /etc/ipsec.d/certs/ I have copied the end entity cert issued by ca-int.crt
In 10.206.1.11
Under /etc/ipsec.d/cacerts/ I have copied ca.crt (root CA), *ca-int1.crt (intermediate CA)*
In /etc/ipsec.d/certs/ I have copied the end entity cert issued by ca-int1.crt
I am getting the errors below:
Mar 3 19:34:45 localhost charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Mar 3 19:34:45 localhost charon: 06[IKE] received cert request for "CN=DaRoot"
Mar 3 19:34:45 localhost charon: 06[IKE] received end entity cert "CN=1234abcd"
Mar 3 19:34:45 localhost charon: 06[CFG] looking for peer configs matching 10.206.1.11[CN=12345abcde]...10.206.1.10[CN=1234abcd]
Mar 3 19:34:45 localhost charon: 06[CFG] peer config match local: 20 (ID_DER_ASN1_DN -> 30:15:31:13:30:11:06:03:55:04:03:13:0a:31:32:33:34:35:61:62:63:64:65)
Mar 3 19:34:45 localhost charon: 06[CFG] peer config match remote: 20 (ID_DER_ASN1_DN -> 30:13:31:11:30:0f:06:03:55:04:03:13:08:31:32:33:34:61:62:63:64)
Mar 3 19:34:45 localhost charon: 06[CFG] ike config match: 3100 (10.206.1.11 10.206.1.10 IKEv2)
Mar 3 19:34:45 localhost charon: 06[CFG] candidate "home1", match: 20/20/3100 (me/other/ike)
Mar 3 19:34:45 localhost charon: 06[CFG] selected peer config 'home1'
Mar 3 19:34:45 localhost charon: 06[CFG] using certificate "CN=1234abcd"
Mar 3 19:34:45 localhost charon: 06[CFG] certificate "CN=1234abcd" key: 2048 bit RSA
*Mar 3 19:34:45 localhost charon: 06[CFG] no issuer certificate found for "CN=1234abcd"*
Mar 3 19:34:45 localhost charon: 06[IKE] no trusted RSA public key found for 'CN=1234abcd'
Mar 3 19:34:45 localhost charon: 06[IKE] processing INTERNAL_IP4_ADDRESS attribute
Please let me know how to resolve this issue.
The post below suggests that the intermediate certs need to be sent along with the end-entity certificates in the IKE_AUTH message.
If that can solve the issue, how can I achieve that?
https://lists.strongswan.org/pipermail/users/2013-March/008956.html
Any help in this regard is appreciated.
Regards,
Sriram.
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
--
======================================================================
Andreas Steffen [email protected]
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==