Hi Sriram,

the actual error now is

> authentication of 'CN=ten' (myself) with pre-shared key
> no shared key found for 'CN=ten' - 'CN=eleven'

Did you configure PSK-based authentication by either setting leftauth=psk, leftauth=secret, or authby=secret? For mutual certificate-based authentication you should set authby=pubkey, which is the default, or alternatively leftauth=pubkey and rightauth=pubkey.

Regards
Andreas

On 06.03.2014 14:31, Sriram wrote:
Hi Andreas,
Now I have added CA:TRUE for the intermediate certs.
10.206.1.10
[root@localhost private]# ipsec listcacerts
List of X.509 CA Certificates:
subject: "CN=DaRoot"
issuer: "CN=DaRoot"
serial: b6:1b:fb:f4:96:05:f7:18
validity: not before Mar 06 18:01:38 2014, ok
not after Apr 05 18:01:38 2014, ok (expires in 29 days)
pubkey: RSA 1024 bits
keyid: eb:12:9a:05:72:2b:bf:89:f0:49:91:47:f7:bf:c1:85:9b:0f:66:e8
subjkey: 55:90:f7:42:41:91:73:a1:fb:84:b8:91:8a:2e:32:44:73:97:f9:10
authkey: 55:90:f7:42:41:91:73:a1:fb:84:b8:91:8a:2e:32:44:73:97:f9:10
subject: "CN=Zintermediate"
issuer: "CN=DaRoot"
serial: 02:46:a7:72
validity: not before Mar 06 18:05:34 2014, ok
not after Mar 26 18:05:34 2014, ok (expires in 19 days)
pubkey: RSA 1024 bits
keyid: c2:ba:fb:bd:36:0b:bd:32:e7:8e:0c:b9:25:82:59:64:6a:f8:b7:46
subjkey: f0:2a:8a:a7:55:7f:1b:44:ef:c4:18:00:79:c1:d8:7b:be:98:00:cd
10.206.1.11
[root@localhost sriram_ikeauth]# ipsec listcacerts
List of X.509 CA Certificates:
subject: "CN=Zintermediate1"
issuer: "CN=DaRoot"
serial: 02:46:a7:73
validity: not before Mar 06 18:09:23 2014, ok
not after Mar 26 18:09:23 2014, ok (expires in 19 days)
pubkey: RSA 1024 bits
keyid: ea:d5:28:42:7e:74:f3:47:53:51:5e:28:be:27:ed:8f:2c:dc:05:eb
subjkey: ee:3d:fe:ab:11:d4:d9:3c:a2:3c:95:cb:42:04:d8:0e:12:35:36:76
subject: "CN=DaRoot"
issuer: "CN=DaRoot"
serial: b6:1b:fb:f4:96:05:f7:18
validity: not before Mar 06 18:01:38 2014, ok
not after Apr 05 18:01:38 2014, ok (expires in 29 days)
pubkey: RSA 1024 bits
keyid: eb:12:9a:05:72:2b:bf:89:f0:49:91:47:f7:bf:c1:85:9b:0f:66:e8
subjkey: 55:90:f7:42:41:91:73:a1:fb:84:b8:91:8a:2e:32:44:73:97:f9:10
authkey: 55:90:f7:42:41:91:73:a1:fb:84:b8:91:8a:2e:32:44:73:97:f9:10
But the IPsec tunnel is not getting established.
On 10.206.1.10 I am getting the errors below.
[root@localhost private]# ipsec up home
initiating IKE_SA home[2] to 10.206.1.11
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.206.1.10[500] to 10.206.1.11[500] (268 bytes)
received packet: from 10.206.1.11[500] to 10.206.1.10[500] (321 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "CN=DaRoot"
received 1 cert requests for an unknown ca
sending cert request for "CN=DaRoot"
sending cert request for "CN=Zintermediate"
authentication of 'CN=ten' (myself) with pre-shared key
no shared key found for 'CN=ten' - 'CN=eleven'
establishing connection 'home' failed
I have used the below set of commands to generate the certificates of the root CA, sub-CAs and end entities.
Root CA cert creation
openssl req -new -x509 -nodes -out ca.crt -keyout ca.key -subj /CN=DaRoot -newkey rsa:1024 -sha512
Intermediate CA cert creation signed by RootCA
openssl req -new -nodes -out ca-int.req -keyout ca-int.key -subj /CN=Zintermediate -newkey rsa:1024 -sha512
openssl x509 -req -in ca-int.req -CAkey ca.key -CA ca.crt -days 20 -set_serial 38184818 -sha512 -out ca-int.crt -extfile ../sriram_chaincert1/file.prm
[root@localhost sriram_chaincert2]# cat ../sriram_chaincert1/file.prm
basicConstraints=CA:TRUE
Intermediate1 CA cert creation signed by RootCA
openssl req -new -nodes -out ca-int1.req -keyout ca-int1.key -subj /CN=Zintermediate1 -newkey rsa:1024 -sha512
openssl x509 -req -in ca-int1.req -CAkey ca.key -CA ca.crt -days 20 -set_serial 38184819 -sha512 -out ca-int1.crt -extfile ../sriram_chaincert1/file.prm
[root@localhost sriram_chaincert2]# cat ../sriram_chaincert1/file.prm
basicConstraints=CA:TRUE
End entity cert creation signed by intermediate CA
openssl req -new -out ten.req -keyout ten.key -nodes -newkey rsa:1024 -subj /CN=ten
openssl x509 -req -in ten.req -CAkey ca-int.key -CA ca-int.crt -days 10 -set_serial 38184820 -sha512 -out ten.crt
End entity1 cert creation signed by Intermediate1 CA
openssl req -new -out eleven.req -keyout eleven.key -nodes -newkey rsa:1024 -subj /CN=eleven
openssl x509 -req -in eleven.req -CAkey ca-int1.key -CA ca-int1.crt -days 10 -set_serial 38184821 -sha512 -out eleven.crt
Please let me know how to resolve this issue.
Regards,
Sriram.
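The chain-building steps Sriram lists above, together with the CA:TRUE check Andreas asked for, as an added example that is not part of the thread and not strongSwan's or the list's own code. It builds the same root -> intermediate -> end-entity chain twice with openssl: once signing the intermediate with no extension file at all (the thread's first attempt) and once with basicConstraints=CA:TRUE plus keyUsage keyCertSign/cRLSign, then reports which intermediate shows CA:TRUE in "openssl x509 -text" and which chain "openssl verify" accepts. The scratch directory in $WORK, the "broken"/"fixed" directory names, 2048-bit keys and SHA-256 are my choices, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the root -> intermediate -> end-entity
# chain with openssl, once without and once with basicConstraints=CA:TRUE on the
# intermediate, and check what "openssl x509 -text" and "openssl verify" say about each.
# Assumptions: the openssl CLI is on PATH; $WORK is a scratch directory (mktemp -d).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_chain DIR CA_FLAG
#   Writes ca.crt (root), ca-int.crt (intermediate) and ten.crt (end entity) into DIR.
#   CA_FLAG=TRUE signs the intermediate with basicConstraints=CA:TRUE and keyUsage
#   keyCertSign/cRLSign; anything else signs it with no extension file, which is what
#   the thread's original "openssl x509 -req" command did.
make_chain() {
    dir="$1"; ca_flag="$2"
    mkdir -p "$dir"

    # Root CA: self-signed; "openssl req -x509" marks it CA:TRUE by default.
    openssl req -new -x509 -nodes -days 30 -sha256 -newkey rsa:2048 -subj /CN=DaRoot \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # Intermediate CA request, signed by the root below.
    openssl req -new -nodes -sha256 -newkey rsa:2048 -subj /CN=Zintermediate \
        -keyout "$dir/ca-int.key" -out "$dir/ca-int.req" 2>/dev/null
    if [ "$ca_flag" = TRUE ]; then
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
            > "$dir/ca-int.ext"
        set -- -extfile "$dir/ca-int.ext"
    else
        set --
    fi
    openssl x509 -req -in "$dir/ca-int.req" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -set_serial 38184818 -days 20 -sha256 "$@" -out "$dir/ca-int.crt" 2>/dev/null

    # End-entity cert signed by the intermediate, as for CN=ten in the thread.
    openssl req -new -nodes -sha256 -newkey rsa:2048 -subj /CN=ten \
        -keyout "$dir/ten.key" -out "$dir/ten.req" 2>/dev/null
    openssl x509 -req -in "$dir/ten.req" -CA "$dir/ca-int.crt" -CAkey "$dir/ca-int.key" \
        -set_serial 38184820 -days 10 -sha256 -out "$dir/ten.crt" 2>/dev/null
}

# ca_flag_of CERT: prints the CA flag as "openssl x509 -noout -text" shows it
# (CA:TRUE or CA:FALSE), or "none" when the certificate carries no basicConstraints.
ca_flag_of() {
    flag=$(openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' \
           | grep -o 'CA:[A-Z]*' || true)
    echo "${flag:-none}"
}

# chain_verifies LEAF INTERMEDIATE ROOT: succeeds only if openssl builds and accepts
# the chain LEAF -> INTERMEDIATE -> ROOT with ROOT as the only trust anchor. This is
# the same chain a peer has to be able to build before it trusts the end-entity cert.
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# verdict DIR: one-line summary for the chain stored in DIR
verdict() {
    if chain_verifies "$1/ten.crt" "$1/ca-int.crt" "$1/ca.crt"; then
        echo "$1: intermediate $(ca_flag_of "$1/ca-int.crt"), chain verifies"
    else
        echo "$1: intermediate $(ca_flag_of "$1/ca-int.crt"), chain rejected"
    fi
}

make_chain "$WORK/broken" FALSE
make_chain "$WORK/fixed"  TRUE
verdict "$WORK/broken"
verdict "$WORK/fixed"
```

Without basicConstraints the intermediate is just a leaf certificate that happens to have signed something, and both openssl and strongSwan refuse to treat it as an issuer; openssl reports "invalid CA certificate" at depth 1 where charon logs "no issuer certificate found". Note that the flag has to be present on every intermediate in the path, on both hosts, since each side builds the chain for the certificate it receives.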
On Tue, Mar 4, 2014 at 8:11 PM, Sriram <[email protected]> wrote:
Thanks Andreas, Let me check that and get back to you.
Regards,
Sriram.
On Tue, Mar 4, 2014 at 7:38 PM, Andreas Steffen <[email protected]> wrote:
Hi Sriram,
in order for an Intermediate CA certificate to be accepted by
strongSwan, the CA basic constraint in the certificate has
to be set to TRUE. So if you execute
openssl x509 -in ca-int.crt -noout -text
the CA flag should show as TRUE:
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Regards
Andreas
On 04.03.2014 14:57, Sriram wrote:
Hi Andreas,
I think it is not loaded.
On 10.206.1.11
[root@localhost ~]# ipsec listcacerts
List of X.509 CA Certificates:
subject: "CN=DaRoot"
issuer: "CN=DaRoot"
serial: c9:95:0a:00:41:c4:d8:25
validity: not before Mar 03 18:10:17 2014, ok
not after Apr 02 18:10:17 2014, ok (expires in 28 days)
pubkey: RSA 2048 bits
keyid: be:25:1a:4a:e6:f8:44:c4:fe:32:a8:d4:7c:9d:75:42:7d:51:19:0f
subjkey: c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
authkey: c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
on 10.206.1.10
[root@localhost ~]# ipsec listcacerts
List of X.509 CA Certificates:
subject: "CN=DaRoot"
issuer: "CN=DaRoot"
serial: c9:95:0a:00:41:c4:d8:25
validity: not before Mar 03 18:10:17 2014, ok
not after Apr 02 18:10:17 2014, ok (expires in 28 days)
pubkey: RSA 2048 bits
keyid: be:25:1a:4a:e6:f8:44:c4:fe:32:a8:d4:7c:9d:75:42:7d:51:19:0f
subjkey: c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
authkey: c3:59:68:a5:73:e8:b8:76:45:06:3b:c8:a4:62:b3:06:61:7e:9a:c0
Regards,
Sriram.
On Tue, Mar 4, 2014 at 6:49 PM, Andreas Steffen <[email protected]> wrote:
Hi Sriram, could you post the output of the command
ipsec listcacerts
both on 10.206.1.10 and 10.206.1.11. This shows if the intermediate CA certificates have been successfully loaded.
Regards
Andreas
On 04.03.2014 12:45, Sriram wrote:
Hi Everyone,
I have a host-to-host IPsec setup between 2 IPs, 10.206.1.10 and 10.206.1.11.
The tunnel is established using certificates. The tunnel is established properly when the certificates are generated using the root CA. But when the certificates are generated using intermediate CAs, the tunnel is not getting established.
In 10.206.1.10
Under /etc/ipsec.d/cacerts/ I have copied ca.crt (root CA), *ca-int.crt (intermediate CA)*
In /etc/ipsec.d/certs/ I have copied the end entity cert issued by ca-int.crt
In 10.206.1.11
Under /etc/ipsec.d/cacerts/ I have copied ca.crt (root CA), *ca-int1.crt (intermediate CA)*
In /etc/ipsec.d/certs/ I have copied the end entity cert issued by ca-int1.crt
I am getting the below errors
Mar 3 19:34:45 localhost charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Mar 3 19:34:45 localhost charon: 06[IKE] received cert request for "CN=DaRoot"
Mar 3 19:34:45 localhost charon: 06[IKE] received end entity cert "CN=1234abcd"
Mar 3 19:34:45 localhost charon: 06[CFG] looking for peer configs matching 10.206.1.11[CN=12345abcde]...10.206.1.10[CN=1234abcd]
Mar 3 19:34:45 localhost charon: 06[CFG] peer config match local: 20 (ID_DER_ASN1_DN -> 30:15:31:13:30:11:06:03:55:04:03:13:0a:31:32:33:34:35:61:62:63:64:65)
Mar 3 19:34:45 localhost charon: 06[CFG] peer config match remote: 20 (ID_DER_ASN1_DN -> 30:13:31:11:30:0f:06:03:55:04:03:13:08:31:32:33:34:61:62:63:64)
Mar 3 19:34:45 localhost charon: 06[CFG] ike config match: 3100 (10.206.1.11 10.206.1.10 IKEv2)
Mar 3 19:34:45 localhost charon: 06[CFG] candidate "home1", match: 20/20/3100 (me/other/ike)
Mar 3 19:34:45 localhost charon: 06[CFG] selected peer config 'home1'
Mar 3 19:34:45 localhost charon: 06[IKE] IDx' => 25 bytes @ 0xb4d82fe0
Mar 3 19:34:45 localhost charon: 06[IKE]    0: 09 00 00 00 30 13 31 11 30 0F 06 03 55 04 03 13  ....0.1.0...U...
Mar 3 19:34:45 localhost charon: 06[IKE]   16: 08 31 32 33 34 61 62 63 64                       .1234abcd
Mar 3 19:34:45 localhost charon: 06[IKE] SK_p => 16 bytes @ 0x91c5340
Mar 3 19:34:45 localhost charon: 06[IKE]    0: 43 85 1F D8 CA 8B BD 27 A0 58 B8 9F 18 5C E7 C0  C......'.X...\..
Mar 3 19:34:45 localhost charon: 06[IKE] octets = message + nonce + prf(Sk_px, IDx') => 316 bytes @ 0x91c6d88
Mar 3 19:34:45 localhost charon: 06[IKE]    0: 95 B5 C1 A2 8D 13 C3 77 00 00 00 00 00 00 00 00  .......w........
Mar 3 19:34:45 localhost charon: 06[IKE]   16: 21 20 22 08 00 00 00 00 00 00 01 0C 22 00 00 2C  ! "........."..,
Mar 3 19:34:45 localhost charon: 06[IKE]   32: 00 00 00 28 01 01 00 04 03 00 00 08 01 00 00 03  ...(............
Mar 3 19:34:45 localhost charon: 06[IKE]   48: 03 00 00 08 03 00 00 01 03 00 00 08 02 00 00 01  ................
Mar 3 19:34:45 localhost charon: 06[IKE]   64: 00 00 00 08 04 00 00 01 28 00 00 68 00 01 00 00  ........(..h....
Mar 3 19:34:45 localhost charon: 06[IKE]   80: 23 F4 AC E7 E8 4E 55 80 54 B7 14 C8 48 B9 98 AE  #....NU.T...H...
Mar 3 19:34:45 localhost charon: 06[IKE]   96: 15 DB CA F8 93 BF 31 2D 59 89 77 52 32 A8 0A 2D  ......1-Y.wR2..-
Mar 3 19:34:45 localhost charon: 06[IKE]  112: 78 3E 6F EB 6D 33 5A E6 A5 B7 0F 9A 3C DA 4E D8  x>o.m3Z.....<.N.
Mar 3 19:34:45 localhost charon: 06[IKE]  128: E6 71 B4 C4 5A D7 20 48 61 B2 34 14 99 0A F6 AF  .q..Z. Ha.4.....
Mar 3 19:34:45 localhost charon: 06[IKE]  144: F8 DB 6D 82 B2 55 6C 1B 84 CA 37 8E C3 7F 50 8A  ..m..Ul...7...P.
Mar 3 19:34:45 localhost charon: 06[IKE]  160: 5C 2A 39 E4 27 FC 8D 23 38 95 E2 B2 F3 F9 8E CA  \*9.'..#8.......
Mar 3 19:34:45 localhost charon: 06[IKE]  176: 29 00 00 24 03 8D 56 09 5D B1 17 D2 BA 29 D6 8B  )..$..V.]....)..
Mar 3 19:34:45 localhost charon: 06[IKE]  192: 7E 0B A5 2D 42 4C 1D 37 D9 EA 17 4A 0D 0C 77 67  ~..-BL.7...J..wg
Mar 3 19:34:45 localhost charon: 06[IKE]  208: E6 51 40 1D 29 00 00 1C 00 00 40 04 D5 2F E3 7F  .Q@.).....@../..
Mar 3 19:34:45 localhost charon: 06[IKE]  224: 13 80 F3 7A 91 9D F2 7A 0A 6E C0 A9 E7 B2 72 63  ...z...z.n....rc
Mar 3 19:34:45 localhost charon: 06[IKE]  240: 00 00 00 1C 00 00 40 05 BD B4 3E 98 F1 EB F4 10  ......@...>.....
Mar 3 19:34:45 localhost charon: 06[IKE]  256: 44 06 6B 25 90 C4 30 CF BB FB FE 4C 00 9B 1E AD  D.k%..0....L....
Mar 3 19:34:45 localhost charon: 06[IKE]  272: 19 7A F6 43 23 A9 8A C4 3C EF 98 57 13 69 07 0E  .z.C#...<..W.i..
Mar 3 19:34:45 localhost charon: 06[IKE]  288: 9A E4 34 F1 A6 9B 48 65 E8 06 8A 6C 6D 30 6B C1  ..4...He...lm0k.
Mar 3 19:34:45 localhost charon: 06[IKE]  304: F2 2C 6E 19 39 37 C1 C6 2F 48 D2 18              .,n.97../H..
Mar 3 19:34:45 localhost charon: 06[CFG] using certificate "CN=1234abcd"
Mar 3 19:34:45 localhost charon: 06[CFG] certificate "CN=1234abcd" key: 2048 bit RSA
*Mar 3 19:34:45 localhost charon: 06[CFG] no issuer certificate found for "CN=1234abcd"*
Mar 3 19:34:45 localhost charon: 06[IKE] no trusted RSA public key found for 'CN=1234abcd'
Mar 3 19:34:45 localhost charon: 06[IKE] processing INTERNAL_IP4_ADDRESS attribute
Please let me know how to resolve this issue.
The post below suggests that the intermediate certs need to be sent along with the end-entity certificates in the IKE_AUTH message. If that can solve the issue, how can I achieve that?
https://lists.strongswan.org/pipermail/users/2013-March/008956.html
Any help in this regard is appreciated.
Regards,
Sriram.
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
--
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
