Thanks Andreas, Let me check that and get back to you. Regards, Sriram.
On Tue, Mar 4, 2014 at 7:38 PM, Andreas Steffen <[email protected]> wrote:
> Hi Sriram,
>
> in order for an Intermediate CA certificate to be accepted by
> strongSwan, the CA basic constraint in the certificate has
> to be set to TRUE. So if you execute
>
>   openssl x509 -in ca-int.crt -noout -text
>
> the CA flag should show as TRUE:
>
>   X509v3 extensions:
>     X509v3 Basic Constraints: critical
>       CA:TRUE
>     X509v3 Key Usage:
>       Certificate Sign, CRL Sign
>
> Regards
>
> Andreas
>
> On 04.03.2014 14:57, Sriram wrote:
>> Hi Andreas,
>>
>> I think it is not loaded.
>>
>> On 10.206.1.11
>>
>> [root@localhost ~]# ipsec listcacerts
>>
>> List of X.509 CA Certificates:
>>
>>   subject:  "CN=DaRoot"
>>   issuer:   "CN=DaRoot"
>>   serial:    c9:95:0a:00:41:c4:d8:25
>>   validity:  not before Mar 03 18:10:17 2014, ok
>>              not after  Apr 02 18:10:17 2014, ok (expires in 28 days)
>>   pubkey:    RSA 2048 bits
>>   keyid:     be:25:1a:4a:e6:f8:44:c4:fe:32:a8:d4:7c:9d:75:42:7d:51:19:0f
>>   subjkey:   c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
>>   authkey:   c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
>>
>> on 10.206.1.10
>>
>> [root@localhost ~]# ipsec listcacerts
>>
>> List of X.509 CA Certificates:
>>
>>   subject:  "CN=DaRoot"
>>   issuer:   "CN=DaRoot"
>>   serial:    c9:95:0a:00:41:c4:d8:25
>>   validity:  not before Mar 03 18:10:17 2014, ok
>>              not after  Apr 02 18:10:17 2014, ok (expires in 28 days)
>>   pubkey:    RSA 2048 bits
>>   keyid:     be:25:1a:4a:e6:f8:44:c4:fe:32:a8:d4:7c:9d:75:42:7d:51:19:0f
>>   subjkey:   c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
>>   authkey:   c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
>>
>> Regards,
>> Sriram.
>>
>> On Tue, Mar 4, 2014 at 6:49 PM, Andreas Steffen <[email protected]> wrote:
>>
>> Hi Sriram, could you post the output of the command
>>
>>   ipsec listcacerts
>>
>> both on 10.206.1.10 and 10.206.1.11. This shows if the intermediate
>> CA certificates have been successfully loaded.
>>
>> Regards
>>
>> Andreas
>>
>> On 04.03.2014 12:45, Sriram wrote:
>>
>> Hi Everyone,
>>
>> I have host-to-host ipsec setup between 2 ips 10.206.1.10 and
>> 10.206.1.11
>>
>> Tunnel is established using certificates. Tunnel is established
>> properly, when the certificates are generated using rootca.
>>
>> But when the certificates are generated using intermediate CAs,
>> tunnel is not getting established.
>>
>> In 10.206.1.10
>>
>> Under /etc/ipsec.d/cacerts/ I have copied ca.crt (root ca),
>> *ca-int.crt (Intermediate ca)*
>>
>> In /etc/ipsec.d/certs/ I have copied end entity cert issued by
>> ca-int.crt
>>
>> In 10.206.1.11
>>
>> Under /etc/ipsec.d/cacerts/ I have copied ca.crt (root ca),
>> *ca-int1.crt (Intermediate ca)*
>>
>> In /etc/ipsec.d/certs/ I have copied end entity cert issued by
>> ca-int1.crt
>>
>> I am getting below errors
>>
>> Mar  3 19:34:45 localhost charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
>> Mar  3 19:34:45 localhost charon: 06[IKE] received cert request for "CN=DaRoot"
>> Mar  3 19:34:45 localhost charon: 06[IKE] received end entity cert "CN=1234abcd"
>> Mar  3 19:34:45 localhost charon: 06[CFG] looking for peer configs matching 10.206.1.11[CN=12345abcde]...10.206.1.10[CN=1234abcd]
>> Mar  3 19:34:45 localhost charon: 06[CFG] peer config match local: 20 (ID_DER_ASN1_DN -> 30:15:31:13:30:11:06:03:55:04:03:13:0a:31:32:33:34:35:61:62:63:64:65)
>> Mar  3 19:34:45 localhost charon: 06[CFG] peer config match remote: 20 (ID_DER_ASN1_DN -> 30:13:31:11:30:0f:06:03:55:04:03:13:08:31:32:33:34:61:62:63:64)
>> Mar  3 19:34:45 localhost charon: 06[CFG] ike config match: 3100 (10.206.1.11 10.206.1.10 IKEv2)
>> Mar  3 19:34:45 localhost charon: 06[CFG] candidate "home1", match: 20/20/3100 (me/other/ike)
>> Mar  3 19:34:45 localhost charon: 06[CFG] selected peer config 'home1'
>> Mar  3 19:34:45 localhost charon: 06[IKE] IDx' => 25 bytes @ 0xb4d82fe0
>> Mar  3 19:34:45 localhost charon: 06[IKE]    0: 09 00 00 00 30 13 31 11 30 0F 06 03 55 04 03 13  ....0.1.0...U...
>> Mar  3 19:34:45 localhost charon: 06[IKE]   16: 08 31 32 33 34 61 62 63 64                       .1234abcd
>> Mar  3 19:34:45 localhost charon: 06[IKE] SK_p => 16 bytes @ 0x91c5340
>> Mar  3 19:34:45 localhost charon: 06[IKE]    0: 43 85 1F D8 CA 8B BD 27 A0 58 B8 9F 18 5C E7 C0  C......'.X...\..
>> Mar  3 19:34:45 localhost charon: 06[IKE] octets = message + nonce + prf(Sk_px, IDx') => 316 bytes @ 0x91c6d88
>> Mar  3 19:34:45 localhost charon: 06[IKE]    0: 95 B5 C1 A2 8D 13 C3 77 00 00 00 00 00 00 00 00  .......w........
>> Mar  3 19:34:45 localhost charon: 06[IKE]   16: 21 20 22 08 00 00 00 00 00 00 01 0C 22 00 00 2C  ! ".........".., 
>> Mar  3 19:34:45 localhost charon: 06[IKE]   32: 00 00 00 28 01 01 00 04 03 00 00 08 01 00 00 03  ...(............
>> Mar  3 19:34:45 localhost charon: 06[IKE]   48: 03 00 00 08 03 00 00 01 03 00 00 08 02 00 00 01  ................
>> Mar  3 19:34:45 localhost charon: 06[IKE]   64: 00 00 00 08 04 00 00 01 28 00 00 68 00 01 00 00  ........(..h....
>> Mar  3 19:34:45 localhost charon: 06[IKE]   80: 23 F4 AC E7 E8 4E 55 80 54 B7 14 C8 48 B9 98 AE  #....NU.T...H...
>> Mar  3 19:34:45 localhost charon: 06[IKE]   96: 15 DB CA F8 93 BF 31 2D 59 89 77 52 32 A8 0A 2D  ......1-Y.wR2..-
>> Mar  3 19:34:45 localhost charon: 06[IKE]  112: 78 3E 6F EB 6D 33 5A E6 A5 B7 0F 9A 3C DA 4E D8  x>o.m3Z.....<.N.
>> Mar  3 19:34:45 localhost charon: 06[IKE]  128: E6 71 B4 C4 5A D7 20 48 61 B2 34 14 99 0A F6 AF  .q..Z. Ha.4.....
>> Mar  3 19:34:45 localhost charon: 06[IKE]  144: F8 DB 6D 82 B2 55 6C 1B 84 CA 37 8E C3 7F 50 8A  ..m..Ul...7...P.
>> Mar  3 19:34:45 localhost charon: 06[IKE]  160: 5C 2A 39 E4 27 FC 8D 23 38 95 E2 B2 F3 F9 8E CA  \*9.'..#8.......
>> Mar  3 19:34:45 localhost charon: 06[IKE]  176: 29 00 00 24 03 8D 56 09 5D B1 17 D2 BA 29 D6 8B  )..$..V.]....)..
>> Mar  3 19:34:45 localhost charon: 06[IKE]  192: 7E 0B A5 2D 42 4C 1D 37 D9 EA 17 4A 0D 0C 77 67  ~..-BL.7...J..wg
>> Mar  3 19:34:45 localhost charon: 06[IKE]  208: E6 51 40 1D 29 00 00 1C 00 00 40 04 D5 2F E3 7F  .Q@.).....@../..
>> Mar  3 19:34:45 localhost charon: 06[IKE]  224: 13 80 F3 7A 91 9D F2 7A 0A 6E C0 A9 E7 B2 72 63  ...z...z.n....rc
>> Mar  3 19:34:45 localhost charon: 06[IKE]  240: 00 00 00 1C 00 00 40 05 BD B4 3E 98 F1 EB F4 10  ......@...>.....
>> Mar  3 19:34:45 localhost charon: 06[IKE]  256: 44 06 6B 25 90 C4 30 CF BB FB FE 4C 00 9B 1E AD  D.k%..0....L....
>> Mar  3 19:34:45 localhost charon: 06[IKE]  272: 19 7A F6 43 23 A9 8A C4 3C EF 98 57 13 69 07 0E  .z.C#...<..W.i..
>> Mar  3 19:34:45 localhost charon: 06[IKE]  288: 9A E4 34 F1 A6 9B 48 65 E8 06 8A 6C 6D 30 6B C1  ..4...He...lm0k.
>> Mar  3 19:34:45 localhost charon: 06[IKE]  304: F2 2C 6E 19 39 37 C1 C6 2F 48 D2 18              .,n.97../H..
>> Mar  3 19:34:45 localhost charon: 06[CFG] using certificate "CN=1234abcd"
>> Mar  3 19:34:45 localhost charon: 06[CFG] certificate "CN=1234abcd" key: 2048 bit RSA
>> *Mar  3 19:34:45 localhost charon: 06[CFG] no issuer certificate found for "CN=1234abcd"*
>> Mar  3 19:34:45 localhost charon: 06[IKE] no trusted RSA public key found for 'CN=1234abcd'
>> Mar  3 19:34:45 localhost charon: 06[IKE] processing INTERNAL_IP4_ADDRESS attribute
>>
>> Please let me know, how to resolve this issue.
>>
>> Below post suggests that the intermediate certs need to be sent along
>> with the end-entity certificates in ike_auth message.
>>
>> If that can solve the issue, how can I achieve that.
>>
>> https://lists.strongswan.org/pipermail/users/2013-March/008956.html
>>
>> Any help in this regard is appreciated.
>>
>> Regards,
>>
>> Sriram.
>
> --
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
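The check Andreas describes above (the intermediate's Basic Constraints must say CA:TRUE, and its Key Usage should allow Certificate Sign) can also be done programmatically rather than by reading `openssl x509 -text` output. The following is an added example written for this thread; it is not strongSwan code and not from either poster. It is stdlib-only Python: a minimal DER walker locates the X.509v3 extensions block of a certificate and decodes BasicConstraints and KeyUsage; it does no signature or chain validation. The function names (`ca_check`, `problems`, `build_test_cert`, `to_pem`) are my own. `build_test_cert` constructs a placeholder certificate so the script runs offline (CN=DaRoot and the validity dates are borrowed from Sriram's `listcacerts` output; key and signature bytes are zeros); on a real file run `ca_check(open("/etc/ipsec.d/cacerts/ca-int.crt").read())`.

```python
"""Check a CA certificate's Basic Constraints (CA:TRUE) and Key Usage.
Added example for this thread, not strongSwan code. Pure stdlib: a minimal
DER walker that locates the X.509v3 extensions; no signature/chain validation."""
import ssl

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")       # 2.5.29.19
OID_KEY_USAGE = bytes.fromhex("551d0f")               # 2.5.29.15
OID_CN = bytes.fromhex("550403")                      # 2.5.4.3 commonName
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption

def _tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, content, next_pos). Single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: N length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Split the content of a constructed DER value into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _tlv(content, pos)
        out.append((tag, val))
    return out

def _der(tag, content):
    """Encode one DER TLV (only used to build the constructed test fixture)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def ca_check(cert):
    """Report the CA-related fields of a cert given as PEM text or DER bytes.
    A certificate without an extensions block is reported as CA:FALSE."""
    if isinstance(cert, str):
        cert = ssl.PEM_cert_to_DER_cert(cert)
    tbs = _children(_tlv(cert)[1])[0][1]           # Certificate -> tbsCertificate
    result = {"ca": False, "critical": False, "key_usage_present": False,
              "key_cert_sign": False, "crl_sign": False}
    ext_block = [c for t, c in _children(tbs) if t == 0xA3]   # [3] EXPLICIT Extensions
    if not ext_block:
        return result
    for _, ext in _children(_tlv(ext_block[0])[1]):
        parts = _children(ext)                     # OID, [critical BOOLEAN], OCTET STRING
        oid, octets = parts[0][1], parts[-1][1]
        critical = len(parts) == 3 and parts[1][1] != b"\x00"
        if oid == OID_BASIC_CONSTRAINTS:
            # BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen INTEGER OPTIONAL }
            flags = dict(_children(_tlv(octets)[1]))
            result["ca"] = flags.get(0x01, b"\x00") != b"\x00"
            result["critical"] = critical
        elif oid == OID_KEY_USAGE:
            # KeyUsage BIT STRING: byte 0 = unused-bit count; keyCertSign = bit 5, cRLSign = bit 6
            bits = _tlv(octets)[1][1:]
            result["key_usage_present"] = True
            result["key_cert_sign"] = bool(bits and bits[0] & 0x04)
            result["crl_sign"] = bool(bits and bits[0] & 0x02)
    return result

def problems(cert):
    """Reasons the certificate cannot act as an issuing CA (empty list = fine)."""
    r = ca_check(cert)
    msgs = []
    if not r["ca"]:
        msgs.append("Basic Constraints CA flag is not TRUE")
    if r["key_usage_present"] and not r["key_cert_sign"]:
        msgs.append("Key Usage is present but lacks Certificate Sign")
    return msgs

def build_test_cert(ca, key_usage_bits=None):
    """Constructed fixture: structurally valid X.509v3 cert with placeholder key and
    signature. CN=DaRoot and the dates are copied from the thread's listcacerts output."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_CN) + _der(0x13, b"DaRoot"))))
    algid = _der(0x30, _der(0x06, OID_SHA256_RSA) + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"140303181017Z") + _der(0x17, b"140402181017Z"))
    spki = _der(0x30, algid + _der(0x03, b"\x00" * 9))            # placeholder key bits
    bc = _der(0x30, _der(0x01, b"\xff") if ca else b"")           # DER omits cA when FALSE
    exts = _der(0x30, _der(0x06, OID_BASIC_CONSTRAINTS) + _der(0x01, b"\xff") + _der(0x04, bc))
    if key_usage_bits is not None:
        ku = _der(0x03, bytes([1, key_usage_bits]))                # 1 unused bit
        exts += _der(0x30, _der(0x06, OID_KEY_USAGE) + _der(0x04, ku))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + algid
               + name + validity + name + spki + _der(0xA3, _der(0x30, exts)))
    return _der(0x30, tbs + algid + _der(0x03, b"\x00" * 9))      # placeholder signature

def to_pem(der):
    """PEM-wrap DER bytes, the form a file in /etc/ipsec.d/cacerts/ has on disk."""
    return ssl.DER_cert_to_PEM_cert(der)

if __name__ == "__main__":
    for label, bits in (("CA:TRUE", 0x06), ("CA:FALSE", 0x06)):
        cert = build_test_cert(label == "CA:TRUE", bits)
        print(label, ca_check(cert), problems(cert) or "ok")
```

Key Usage bits 0x06 correspond to what Andreas's expected output prints ("Certificate Sign, CRL Sign"); an intermediate that fails `problems()` with the CA-flag message is the case his reply describes, where charon reports "no issuer certificate found" because the certificate in cacerts/ was never accepted as a CA.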
