Hello Justin,

Set rightca to the DN of the CA certificate or to the file name or file path of the CA certificate. As an alternative, you can get a copy of the server's certificate and do the same for rightcert.

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 06.01.2015 at 21:23, Justin Michael Schwartzbeck wrote:
> Hello,
>
> I am trying to set up a strongswan client to connect to a VPN endpoint. Here is my configuration:
>
> # ipsec.conf - strongSwan IPsec configuration file
> config setup
>     charondebug="ike 2, knl 2, mgr 2, net 2"
> ca main
>     cacert=ca.crt
> conn client-ha
>     aaa_identity="CN=my-radius-server.company.com, O=Company"
>     keyexchange=ikev2
>     right=my-vpn-server.company.com
>     rightid=%any
>     rightsubnet=0.0.0.0/0
>     leftsourceip=%config
>     leftsubnet=0.0.0.0/0
>     leftauth=eap-tls
>     left=10.89.150.227
>     leftid="my-radius-client.company.com"
>     leftcert=server.crt
>     auto=add
>
> I have my ca.crt in /etc/ipsec.d/cacerts, my client certificate (server.crt) in /etc/ipsec.d/certs, and my client key (server.key) in /etc/ipsec.d/private. I also have the server.key listed in /etc/ipsec.secrets. My strongswan client's certificate and my VPN endpoint's certificate are both signed by the same CA. I have checked the VPN's cert against the ca.crt on my strongswan client to make sure that it was properly signed. However, for some reason my strongswan client is not verifying the VPN's certificate.
>
> Below is the complete error output starting with an "ipsec restart" and then followed by an "ipsec up" on that profile:
>
> Jan 6 11:18:11 my-vpn-client charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-431.el6.x86_64, x86_64)
> Jan 6 11:18:11 my-vpn-client charon: 00[KNL] detected Linux 2.6.32, no support for RTA_PREFSRC for IPv6 routes
> Jan 6 11:18:11 my-vpn-client charon: 00[KNL] known interfaces and IP addresses:
> Jan 6 11:18:11 my-vpn-client charon: 00[KNL]   lo
> Jan 6 11:18:11 my-vpn-client charon: 00[KNL]     127.0.0.1
> Jan 6 11:18:11 my-vpn-client charon: 00[KNL]     ::1
> Jan 6 11:18:11 my-vpn-client charon: 00[KNL]   eth0
> Jan 6 11:18:11 my-vpn-client charon: 00[KNL]     192.168.2.227
> Jan 6 11:18:11 my-vpn-client charon: 00[KNL]     192.168.2.103
> Jan 6 11:18:11 my-vpn-client charon: 00[KNL]     fe80::250:56ff:feaa:6249
> Jan 6 11:18:11 my-vpn-client charon: 00[KNL]   eth1
> Jan 6 11:18:11 my-vpn-client charon: 00[KNL]     fe80::250:56ff:feaa:b96
> Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loaded ca certificate "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company" from '/etc/ipsec.d/cacerts/ca.crt'
> Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/server.key'
> Jan 6 11:18:11 my-vpn-client charon: 00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-aka eap-md5 eap-tls xauth-generic xauth-noauth lookip
> Jan 6 11:18:11 my-vpn-client charon: 00[LIB] unable to load 6 plugin features (6 due to unmet dependencies)
> Jan 6 11:18:11 my-vpn-client charon: 00[JOB] spawning 16 worker threads
> Jan 6 11:18:11 my-vpn-client charon: 02[NET] waiting for data on sockets
> Jan 6 11:18:11 my-vpn-client charon: 04[CFG] received stroke: add connection 'client-ha'
> Jan 6 11:18:11 my-vpn-client charon: 04[KNL] 192.168.2.213 is not a local address or the interface is down
> Jan 6 11:18:11 my-vpn-client charon: 04[CFG] loaded certificate "CN=my-vpn-client.company.com, O=Company" from 'server.crt'
> Jan 6 11:18:11 my-vpn-client charon: 04[CFG] id 'my-vpn-client.company.com' not confirmed by certificate, defaulting to 'CN=my-vpn-client.company.com, O=Company'
> Jan 6 11:18:11 my-vpn-client charon: 04[CFG] added configuration 'client-ha'
> Jan 6 11:18:31 my-vpn-client charon: 06[CFG] received stroke: initiate 'client-ha'
> Jan 6 11:18:31 my-vpn-client charon: 08[MGR] checkout IKE_SA by config
> Jan 6 11:18:31 my-vpn-client charon: 08[MGR] created IKE_SA (unnamed)[1]
> Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_VENDOR task
> Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_INIT task
> Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_NATD task
> Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CERT_PRE task
> Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_AUTH task
> Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CERT_POST task
> Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CONFIG task
> Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_AUTH_LIFETIME task
> Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_MOBIKE task
> Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing CHILD_CREATE task
> Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating new tasks
> Jan 6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_VENDOR task
> Jan 6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_INIT task
> Jan 6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_NATD task
> Jan 6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_CERT_PRE task
> Jan 6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_AUTH task
> Jan 6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_CERT_POST task
> Jan 6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_CONFIG task
> Jan 6 11:18:31 my-vpn-client charon: 08[IKE]   activating CHILD_CREATE task
> Jan 6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_AUTH_LIFETIME task
> Jan 6 11:18:31 my-vpn-client charon: 08[IKE]   activating IKE_MOBIKE task
> Jan 6 11:18:31 my-vpn-client charon: 08[IKE] initiating IKE_SA client-ha[1] to 192.168.2.213
> Jan 6 11:18:31 my-vpn-client charon: 08[IKE] IKE_SA client-ha[1] state change: CREATED => CONNECTING
> Jan 6 11:18:31 my-vpn-client charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jan 6 11:18:31 my-vpn-client charon: 08[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500] (708 bytes)
> Jan 6 11:18:31 my-vpn-client charon: 08[MGR] checkin IKE_SA client-ha[1]
> Jan 6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500]
> Jan 6 11:18:31 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500]
> Jan 6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on sockets
> Jan 6 11:18:31 my-vpn-client charon: 09[MGR] checkout IKE_SA by message
> Jan 6 11:18:31 my-vpn-client charon: 09[MGR] IKE_SA client-ha[1] successfully checked out
> Jan 6 11:18:31 my-vpn-client charon: 09[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500] (38 bytes)
> Jan 6 11:18:31 my-vpn-client charon: 09[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> Jan 6 11:18:31 my-vpn-client charon: 09[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
> Jan 6 11:18:31 my-vpn-client charon: 09[IKE] IKE_SA client-ha[1] state change: CONNECTING => CREATED
> Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating new tasks
> Jan 6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_INIT task
> Jan 6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_NATD task
> Jan 6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_CERT_PRE task
> Jan 6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_AUTH task
> Jan 6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_CERT_POST task
> Jan 6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_CONFIG task
> Jan 6 11:18:31 my-vpn-client charon: 09[IKE]   activating CHILD_CREATE task
> Jan 6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_AUTH_LIFETIME task
> Jan 6 11:18:31 my-vpn-client charon: 09[IKE]   activating IKE_MOBIKE task
> Jan 6 11:18:31 my-vpn-client charon: 09[IKE] initiating IKE_SA client-ha[1] to 192.168.2.213
> Jan 6 11:18:31 my-vpn-client charon: 09[IKE] IKE_SA client-ha[1] state change: CREATED => CONNECTING
> Jan 6 11:18:31 my-vpn-client charon: 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jan 6 11:18:31 my-vpn-client charon: 09[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500] (580 bytes)
> Jan 6 11:18:31 my-vpn-client charon: 09[MGR] checkin IKE_SA client-ha[1]
> Jan 6 11:18:31 my-vpn-client charon: 09[MGR] check-in of IKE_SA successful.
> Jan 6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500]
> Jan 6 11:18:31 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500]
> Jan 6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on sockets
> Jan 6 11:18:31 my-vpn-client charon: 10[MGR] checkout IKE_SA by message
> Jan 6 11:18:31 my-vpn-client charon: 10[MGR] IKE_SA client-ha[1] successfully checked out
> Jan 6 11:18:31 my-vpn-client charon: 10[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500] (381 bytes)
> Jan 6 11:18:31 my-vpn-client charon: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> Jan 6 11:18:31 my-vpn-client charon: 10[IKE] received cert request for unknown ca with keyid 4e:e1:18:20:b8:6b:65:0e:f3:40:51:73:88:dd:fe:d2:91:52:11:c0
> Jan 6 11:18:31 my-vpn-client charon: 10[IKE] received cert request for "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
> Jan 6 11:18:31 my-vpn-client charon: 10[IKE] received 1 cert requests for an unknown ca
> Jan 6 11:18:31 my-vpn-client charon: 10[IKE] reinitiating already active tasks
> Jan 6 11:18:31 my-vpn-client charon: 10[IKE]   IKE_CERT_PRE task
> Jan 6 11:18:31 my-vpn-client charon: 10[IKE]   IKE_AUTH task
> Jan 6 11:18:31 my-vpn-client charon: 10[IKE] sending cert request for "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
> Jan 6 11:18:31 my-vpn-client charon: 10[IKE] building INTERNAL_IP4_DNS attribute
> Jan 6 11:18:31 my-vpn-client charon: 10[IKE] establishing CHILD_SA client-ha
> Jan 6 11:18:31 my-vpn-client charon: 10[KNL] getting SPI for reqid {1}
> Jan 6 11:18:31 my-vpn-client charon: 10[KNL] got SPI ccd30cb7 for reqid {1}
> Jan 6 11:18:31 my-vpn-client charon: 10[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
> Jan 6 11:18:31 my-vpn-client charon: 10[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500] (428 bytes)
> Jan 6 11:18:31 my-vpn-client charon: 10[MGR] checkin IKE_SA client-ha[1]
> Jan 6 11:18:31 my-vpn-client charon: 10[MGR] check-in of IKE_SA successful.
> Jan 6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500]
> Jan 6 11:18:31 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[4500] to 192.168.2.227[4500]
> Jan 6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on sockets
> Jan 6 11:18:31 my-vpn-client charon: 11[MGR] checkout IKE_SA by message
> Jan 6 11:18:31 my-vpn-client charon: 11[MGR] IKE_SA client-ha[1] successfully checked out
> Jan 6 11:18:31 my-vpn-client charon: 11[NET] received packet: from 192.168.2.213[4500] to 192.168.2.227[4500] (956 bytes)
> Jan 6 11:18:31 my-vpn-client charon: 11[ENC] parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]
> Jan 6 11:18:31 my-vpn-client charon: 11[IKE] received end entity cert "CN=my-vpn-server.company.com, O=Company"
> Jan 6 11:18:31 my-vpn-client charon: 11[IKE] no trusted RSA public key found for 'my-vpn-server.company.com'
> Jan 6 11:18:31 my-vpn-client charon: 11[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
> Jan 6 11:18:31 my-vpn-client charon: 11[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500] (76 bytes)
> Jan 6 11:18:31 my-vpn-client charon: 11[KNL] deleting SAD entry with SPI ccd30cb7 (mark 0/0x00000000)
> Jan 6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500]
> Jan 6 11:18:31 my-vpn-client charon: 11[KNL] deleted SAD entry with SPI ccd30cb7 (mark 0/0x00000000)
> Jan 6 11:18:31 my-vpn-client charon: 11[MGR] checkin and destroy IKE_SA client-ha[1]
> Jan 6 11:18:31 my-vpn-client charon: 11[IKE] IKE_SA client-ha[1] state change: CONNECTING => DESTROYING
> Jan 6 11:18:31 my-vpn-client charon: 11[MGR] check-in and destroy of IKE_SA successful
> Jan 6 11:18:35 my-vpn-client charon: 12[MGR] checkout IKE_SA
> Jan 6 11:18:35 my-vpn-client charon: 13[MGR] checkout IKE_SA
> Jan 6 11:18:35 my-vpn-client charon: 14[MGR] checkout IKE_SA
>
> The important failure message here is "no trusted RSA public key found for 'my-vpn-server.company.com'". I have also tried setting the EAP identity in the VPN endpoint to the full DN in the server certificate, but that didn't work either. I don't understand why this would be failing if the certificate is properly signed by the CA. Can someone tell me if I am missing something?
>
> Thanks for the help.
> -Justin
>
> _______________________________________________
> Users mailing list
> https://lists.strongswan.org/mailman/listinfo/users
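The log above shows two separate things charon checks before it will use a peer certificate: whether the certificate chains to a CA loaded from /etc/ipsec.d/cacerts, and whether the identity the peer sent (here the FQDN 'my-vpn-server.company.com') is confirmed by the certificate. The client's own certificate already trips the second check at startup ("id 'my-vpn-client.company.com' not confirmed by certificate, defaulting to 'CN=..., O=Company'"): strongSwan confirms an FQDN identity against subjectAltName DNS entries, not against the subject CN. The script below is an added example, not code from the thread or from the strongSwan project, that reproduces both checks with the openssl CLI on constructed material: a CA with the DN from the log, one leaf certificate that carries the FQDN only in its CN (as the peer's certificate appears to), one that also carries it as a subjectAltName, and one issued by an unrelated CA. It assumes the openssl command is on PATH and writes everything to a scratch directory.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): reproduce with openssl the two
# checks strongSwan makes before it trusts a peer certificate for an IKE identity.
# Assumptions: openssl CLI on PATH; all key material below is constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME SUBJECT: constructed self-signed CA written to $WORK/NAME.{key,crt}
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "$2" >/dev/null 2>&1
}

# make_leaf NAME CA FQDN [san]: leaf cert with CN=FQDN signed by $WORK/CA.crt;
# with a fourth argument "san" the FQDN is also placed into subjectAltName
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$3/O=Company" >/dev/null 2>&1
    extopts=""
    if [ "${4:-}" = san ]; then
        printf 'subjectAltName=DNS:%s\n' "$3" >"$WORK/$1.ext"
        extopts="-extfile $WORK/$1.ext"
    fi
    # shellcheck disable=SC2086
    openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
        -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.crt" $extopts >/dev/null 2>&1
}

# chain_ok CERT CAFILE: succeeds iff CERT verifies against CAFILE. The output is
# grepped rather than the exit status, which old openssl releases set to 0 even
# when verification fails.
chain_ok() {
    openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
}

# id_in_cert CERT FQDN: succeeds iff FQDN is a subjectAltName DNS entry of CERT
# (a bare CN match is deliberately not accepted, mirroring strongSwan's rule)
id_in_cert() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text | grep -qE "DNS:$esc(,|$)"
}

# check_peer_cert CERT CAFILE FQDN: prints a verdict; non-zero on any failure
check_peer_cert() {
    if ! chain_ok "$1" "$2"; then
        echo untrusted-chain; return 1
    fi
    if ! id_in_cert "$1" "$3"; then
        echo id-not-in-cert; return 1
    fi
    echo ok
}

# Constructed test material: the CA DN from the log, an unrelated CA, three leaves
make_ca company "/C=US/ST=Colorado/L=Denver/O=Company/OU=NET/CN=Company"
make_ca other   "/O=Other Org/CN=Other CA"
make_leaf good   company my-vpn-server.company.com san
make_leaf cnonly company my-vpn-server.company.com
make_leaf rogue  other   my-vpn-server.company.com san

for c in good cnonly rogue; do
    printf '%-7s %s\n' "$c" \
        "$(check_peer_cert "$WORK/$c.crt" "$WORK/company.crt" my-vpn-server.company.com || true)"
done
```

Run against a real deployment, `check_peer_cert` takes the peer certificate (exported from the gateway or captured from the IKE_AUTH exchange), the file under /etc/ipsec.d/cacerts, and the identity charon reports in "no trusted RSA public key found for '...'". A verdict of untrusted-chain points at the CA file; id-not-in-cert means the chain is fine but the certificate does not carry the identity the peer asserts, which is where an explicit rightca, rightcert or a rightid matching the certificate's DN comes into play.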
