-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Justin,

Okay, I overlooked that. I looked for the certificate in the very large message (IKE_AUTH response). Can you check if the DNS name of the server is contained in a SAN field on the server certificate? I think strongSwan requires that, but don't nail me down on that. I do that on all my installations and it works just fine.

Did you check that all CAs in the trust chain are available in /etc/ipsec.d/cacerts/? There is an error message about an unknown CA in the log.

The wiki [1] states that it's possible to skip IKEv2 server authentication if you use EAP-TLS. Does your server configuration reflect this, or did you configure it to authenticate itself using IKE and then EAP-TLS (EAP-TLS is mutual authentication)?

[1] https://wiki.strongswan.org/projects/strongswan/wiki/EapTls

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 06.01.2015 at 23:22, Justin Michael Schwartzbeck wrote:
> Hi Noel,
>
> My VPN server is an IOS router with certificates configured as part of the trustpoint. You said that the server does not send its certificate. What about the message "received end entity cert "CN=my-vpn-server.company.com, O=Company"" that appears above "no trusted RSA public key found for 'CN=my-vpn-server.company.com, O=Company'". Is this end entity cert not the server certificate being sent? Also setting rightca to the DN of the CA certificate is not working either, same error message.
>
> According to the log, the CA certificate is being loaded correctly on the client side:
>
> Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loaded ca certificate "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company" from '/etc/ipsec.d/cacerts/ca.crt'
>
> So the question remains, why is strongswan not verifying the server certificate by this CA?
>
> I could provide the log and config for my IOS router but I figured that would not be your area of expertise. There is no error message on the router side, only the client, so it seems the problem is with strongswan.
>
> On Tue, Jan 6, 2015 at 3:48 PM, Noel Kuntze <[email protected]> wrote:
>
> Hello Justin,
>
> I looked through the log and saw that the other peer never sent his certificate.
> Please show us the log and configuration of the server and check if the whole certificate chain from the root to the server certificate is available in /etc/ipsec.d/cacerts.
> I can see that the server sends certificate requests for two CAs, one of which is unknown.
>
> > Jan 6 14:50:59 my-vpn-client charon: 11[IKE] received 1 cert requests for an unknown ca
>
> You might be able to work around that by setting leftsendcert=always on the server side.
>
> Also, setting rightca to the path to the server certificate doesn't seem to have helped, as it seems strongSwan expects the CA certificate DN here.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 06.01.2015 at 22:19, Justin Michael Schwartzbeck wrote:
> > Hi Noel,
> >
> > I have tried all of those things and get the same results.
> > Here is the log file after using your method:
> >
> > Jan 6 14:50:54 my-vpn-client charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-431.el6.x86_64, x86_64)
> > Jan 6 14:50:54 my-vpn-client charon: 00[KNL] detected Linux 2.6.32, no support for RTA_PREFSRC for IPv6 routes
> > Jan 6 14:50:54 my-vpn-client charon: 00[KNL] known interfaces and IP addresses:
> > Jan 6 14:50:54 my-vpn-client charon: 00[KNL] lo
> > Jan 6 14:50:54 my-vpn-client charon: 00[KNL] 127.0.0.1
> > Jan 6 14:50:54 my-vpn-client charon: 00[KNL] ::1
> > Jan 6 14:50:54 my-vpn-client charon: 00[KNL] eth0
> > Jan 6 14:50:54 my-vpn-client charon: 00[KNL] 192.168.2.227
> > Jan 6 14:50:54 my-vpn-client charon: 00[KNL] 192.168.2.103
> > Jan 6 14:50:54 my-vpn-client charon: 00[KNL] fe80::250:56ff:feaa:6249
> > Jan 6 14:50:54 my-vpn-client charon: 00[KNL] eth1
> > Jan 6 14:50:54 my-vpn-client charon: 00[KNL] fe80::250:56ff:feaa:b96
> > Jan 6 14:50:54 my-vpn-client charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> > Jan 6 14:50:54 my-vpn-client charon: 00[CFG] loaded ca certificate "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company" from '/etc/ipsec.d/cacerts/ca.crt'
> > Jan 6 14:50:54 my-vpn-client charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> > Jan 6 14:50:54 my-vpn-client charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> > Jan 6 14:50:54 my-vpn-client charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> > Jan 6 14:50:54 my-vpn-client charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> > Jan 6 14:50:54 my-vpn-client charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> > Jan 6 14:50:54 my-vpn-client charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/server.key'
> > Jan 6 14:50:54 my-vpn-client charon: 00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-aka eap-md5 eap-tls xauth-generic xauth-noauth lookip
> > Jan 6 14:50:54 my-vpn-client charon: 00[LIB] unable to load 6 plugin features (6 due to unmet dependencies)
> > Jan 6 14:50:54 my-vpn-client charon: 00[JOB] spawning 16 worker threads
> > Jan 6 14:50:54 my-vpn-client charon: 02[NET] waiting for data on sockets
> > Jan 6 14:50:54 my-vpn-client charon: 05[CFG] received stroke: add connection 'client-ha'
> > Jan 6 14:50:59 my-vpn-client charon: 05[KNL] 192.168.2.213 is not a local address or the interface is down
> > Jan 6 14:50:59 my-vpn-client charon: 05[CFG] loaded certificate "CN=my-vpn-client.company.com, O=Company" from 'server.crt'
> > Jan 6 14:50:59 my-vpn-client charon: 05[CFG] id 'my-vpn-client.company.com' not confirmed by certificate, defaulting to 'CN=my-vpn-client.company.com, O=Company'
> > Jan 6 14:50:59 my-vpn-client charon: 05[CFG] loaded certificate "CN=my-vpn-server.company.com, O=Company" from '/etc/ipsec.d/certs/cws.crt'
> > Jan 6 14:50:59 my-vpn-client charon: 05[CFG] id '%any' not confirmed by certificate, defaulting to 'CN=my-vpn-server.company.com, O=Company'
> > Jan 6 14:50:59 my-vpn-client charon: 05[CFG] CA certificate "/etc/ipsec.d/cacerts/ca.crt" not found, discarding CA constraint
> > Jan 6 14:50:59 my-vpn-client charon: 05[CFG] added configuration 'client-ha'
> > Jan 6 14:50:59 my-vpn-client charon: 07[CFG] received stroke: initiate 'client-ha'
> > Jan 6 14:50:59 my-vpn-client charon: 09[MGR] checkout IKE_SA by config
> > Jan 6 14:50:59 my-vpn-client charon: 09[MGR] created IKE_SA (unnamed)[1]
> > Jan 6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_VENDOR task
> > Jan 6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_INIT task
> > Jan 6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_NATD task
> > Jan 6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_CERT_PRE task
> > Jan 6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_AUTH task
> > Jan 6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_CERT_POST task
> > Jan 6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_CONFIG task
> > Jan 6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_AUTH_LIFETIME task
> > Jan 6 14:50:59 my-vpn-client charon: 09[IKE] queueing IKE_MOBIKE task
> > Jan 6 14:50:59 my-vpn-client charon: 09[IKE] queueing CHILD_CREATE task
> > Jan 6 14:50:59 my-vpn-client charon: 09[IKE] activating new tasks
> > Jan 6 14:50:59 my-vpn-client charon: 09[IKE] activating IKE_VENDOR task
> > Jan 6 14:50:59 my-vpn-client charon: 09[IKE] activating IKE_INIT task
> > Jan 6 14:50:59 my-vpn-client charon: 09[IKE] activating IKE_NATD task
> > Jan 6 14:50:59 my-vpn-client charon: 09[IKE] activating IKE_CERT_PRE task
> > Jan 6 14:50:59 my-vpn-client charon: 09[IKE] activating IKE_AUTH task
> > Jan 6 14:50:59 my-vpn-client charon: 09[IKE] activating IKE_CERT_POST task
> > Jan 6 14:50:59 my-vpn-client charon: 09[IKE] activating IKE_CONFIG task
> > Jan 6 14:50:59 my-vpn-client charon: 09[IKE] activating CHILD_CREATE task
> > Jan 6 14:50:59 my-vpn-client charon: 09[IKE] activating IKE_AUTH_LIFETIME task
> > Jan 6 14:50:59 my-vpn-client charon: 09[IKE] activating IKE_MOBIKE task
> > Jan 6 14:50:59 my-vpn-client charon: 09[IKE] initiating IKE_SA client-ha[1] to 192.168.2.213
> > Jan 6 14:50:59 my-vpn-client charon: 09[IKE] IKE_SA client-ha[1] state change: CREATED => CONNECTING
> > Jan 6 14:50:59 my-vpn-client charon: 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > Jan 6 14:50:59 my-vpn-client charon: 09[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500] (708 bytes)
> > Jan 6 14:50:59 my-vpn-client charon: 09[MGR] checkin IKE_SA client-ha[1]
> > Jan 6 14:50:59 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500]
> > Jan 6 14:50:59 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500]
> > Jan 6 14:50:59 my-vpn-client charon: 02[NET] waiting for data on sockets
> > Jan 6 14:50:59 my-vpn-client charon: 10[MGR] checkout IKE_SA by message
> > Jan 6 14:50:59 my-vpn-client charon: 10[MGR] IKE_SA client-ha[1] successfully checked out
> > Jan 6 14:50:59 my-vpn-client charon: 10[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500] (38 bytes)
> > Jan 6 14:50:59 my-vpn-client charon: 10[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> > Jan 6 14:50:59 my-vpn-client charon: 10[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
> > Jan 6 14:50:59 my-vpn-client charon: 10[IKE] IKE_SA client-ha[1] state change: CONNECTING => CREATED
> > Jan 6 14:50:59 my-vpn-client charon: 10[IKE] activating new tasks
> > Jan 6 14:50:59 my-vpn-client charon: 10[IKE] activating IKE_INIT task
> > Jan 6 14:50:59 my-vpn-client charon: 10[IKE] activating IKE_NATD task
> > Jan 6 14:50:59 my-vpn-client charon: 10[IKE] activating IKE_CERT_PRE task
> > Jan 6 14:50:59 my-vpn-client charon: 10[IKE] activating IKE_AUTH task
> > Jan 6 14:50:59 my-vpn-client charon: 10[IKE] activating IKE_CERT_POST task
> > Jan 6 14:50:59 my-vpn-client charon: 10[IKE] activating IKE_CONFIG task
> > Jan 6 14:50:59 my-vpn-client charon: 10[IKE] activating CHILD_CREATE task
> > Jan 6 14:50:59 my-vpn-client charon: 10[IKE] activating IKE_AUTH_LIFETIME task
> > Jan 6 14:50:59 my-vpn-client charon: 10[IKE] activating IKE_MOBIKE task
> > Jan 6 14:50:59 my-vpn-client charon: 10[IKE] initiating IKE_SA client-ha[1] to 192.168.2.213
> > Jan 6 14:50:59 my-vpn-client charon: 10[IKE] IKE_SA client-ha[1] state change: CREATED => CONNECTING
> > Jan 6 14:50:59 my-vpn-client charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > Jan 6 14:50:59 my-vpn-client charon: 10[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500] (580 bytes)
> > Jan 6 14:50:59 my-vpn-client charon: 10[MGR] checkin IKE_SA client-ha[1]
> > Jan 6 14:50:59 my-vpn-client charon: 10[MGR] check-in of IKE_SA successful.
> > Jan 6 14:50:59 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500]
> > Jan 6 14:50:59 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500]
> > Jan 6 14:50:59 my-vpn-client charon: 02[NET] waiting for data on sockets
> > Jan 6 14:50:59 my-vpn-client charon: 11[MGR] checkout IKE_SA by message
> > Jan 6 14:50:59 my-vpn-client charon: 11[MGR] IKE_SA client-ha[1] successfully checked out
> > Jan 6 14:50:59 my-vpn-client charon: 11[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500] (381 bytes)
> > Jan 6 14:50:59 my-vpn-client charon: 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> > Jan 6 14:50:59 my-vpn-client charon: 11[IKE] received cert request for unknown ca with keyid 4e:e1:18:20:b8:6b:65:0e:f3:40:51:73:88:dd:fe:d2:91:52:11:c0
> > Jan 6 14:50:59 my-vpn-client charon: 11[IKE] received cert request for "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
> > Jan 6 14:50:59 my-vpn-client charon: 11[IKE] received 1 cert requests for an unknown ca
> > Jan 6 14:50:59 my-vpn-client charon: 11[IKE] reinitiating already active tasks
> > Jan 6 14:50:59 my-vpn-client charon: 11[IKE] IKE_CERT_PRE task
> > Jan 6 14:50:59 my-vpn-client charon: 11[IKE] IKE_AUTH task
> > Jan 6 14:50:59 my-vpn-client charon: 11[IKE] sending cert request for "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
> > Jan 6 14:50:59 my-vpn-client charon: 11[IKE] building INTERNAL_IP4_DNS attribute
> > Jan 6 14:50:59 my-vpn-client charon: 11[IKE] establishing CHILD_SA client-ha
> > Jan 6 14:50:59 my-vpn-client charon: 11[KNL] getting SPI for reqid {1}
> > Jan 6 14:50:59 my-vpn-client charon: 11[KNL] got SPI c837be50 for reqid {1}
> > Jan 6 14:50:59 my-vpn-client charon: 11[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
> > Jan 6 14:50:59 my-vpn-client charon: 11[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500] (492 bytes)
> > Jan 6 14:50:59 my-vpn-client charon: 11[MGR] checkin IKE_SA client-ha[1]
> > Jan 6 14:50:59 my-vpn-client charon: 11[MGR] check-in of IKE_SA successful.
> > Jan 6 14:50:59 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500]
> > Jan 6 14:50:59 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[4500] to 192.168.2.227[4500]
> > Jan 6 14:50:59 my-vpn-client charon: 02[NET] waiting for data on sockets
> > Jan 6 14:50:59 my-vpn-client charon: 12[MGR] checkout IKE_SA by message
> > Jan 6 14:50:59 my-vpn-client charon: 12[MGR] IKE_SA client-ha[1] successfully checked out
> > Jan 6 14:50:59 my-vpn-client charon: 12[NET] received packet: from 192.168.2.213[4500] to 192.168.2.227[4500] (972 bytes)
> > Jan 6 14:50:59 my-vpn-client charon: 12[ENC] parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]
> > Jan 6 14:50:59 my-vpn-client charon: 12[IKE] received end entity cert "CN=my-vpn-server.company.com, O=Company"
> > Jan 6 14:50:59 my-vpn-client charon: 12[IKE] no trusted RSA public key found for 'CN=my-vpn-server.company.com, O=Company'
> > Jan 6 14:50:59 my-vpn-client charon: 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
> > Jan 6 14:50:59 my-vpn-client charon: 12[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500] (76 bytes)
> > Jan 6 14:50:59 my-vpn-client charon: 12[KNL] deleting SAD entry with SPI c837be50 (mark 0/0x00000000)
> > Jan 6 14:50:59 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500]
> > Jan 6 14:50:59 my-vpn-client charon: 12[KNL] deleted SAD entry with SPI c837be50 (mark 0/0x00000000)
> > Jan 6 14:50:59 my-vpn-client charon: 12[MGR] checkin and destroy IKE_SA client-ha[1]
> > Jan 6 14:50:59 my-vpn-client charon: 12[IKE] IKE_SA client-ha[1] state change: CONNECTING => DESTROYING
> > Jan 6 14:50:59 my-vpn-client charon: 12[MGR] check-in and destroy of IKE_SA successful
> >
> > On Tue, Jan 6, 2015 at 2:48 PM, Noel Kuntze <[email protected]> wrote:
> >
> > Hello Justin,
> >
> > Set rightca to the DN of the CA certificate or to the file name or file path of the CA certificate.
> > As an alternative, you can get a copy of the server's certificate and do the same for rightcert.
> >
> > Mit freundlichen Grüßen/Regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> > On 06.01.2015 at 21:23, Justin Michael Schwartzbeck wrote:
> > > Hello,
> > >
> > > I am trying to set up a strongswan client to connect to a VPN endpoint.
> > > Here is my configuration:
> > >
> > > # ipsec.conf - strongSwan IPsec configuration file
> > > config setup
> > >     charondebug="ike 2, knl 2, mgr 2, net 2"
> > > ca main
> > >     cacert=ca.crt
> > > conn client-ha
> > >     aaa_identity="CN=my-radius-server.company.com, O=Company"
> > >     keyexchange=ikev2
> > >     right=my-vpn-server.company.com
> > >     rightid=%any
> > >     rightsubnet=0.0.0.0/0
> > >     leftsourceip=%config
> > >     leftsubnet=0.0.0.0/0
> > >     leftauth=eap-tls
> > >     left=10.89.150.227
> > >     leftid="my-radius-client.company.com"
> > >     leftcert=server.crt
> > >     auto=add
> > >
> > > I have my ca.crt in /etc/ipsec.d/cacerts, my client certificate (server.crt) in /etc/ipsec.d/certs, and my client key (server.key) in /etc/ipsec.d/private. I also have the server.key listed in /etc/ipsec.secrets. My strongswan client's certificate and my vpn endpoint's certificate are both signed by the same CA. I have checked the vpn's cert against the ca.crt on my strongswan client to make sure that it was properly signed. However for some reason my strongswan client is not verifying the VPN's certificate. Below is the complete error output starting with an "ipsec restart" and then followed by an "ipsec up" on that profile:
> > >
> > > Jan 6 11:18:11 my-vpn-client charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-431.el6.x86_64, x86_64)
> > > Jan 6 11:18:11 my-vpn-client charon: 00[KNL] detected Linux 2.6.32, no support for RTA_PREFSRC for IPv6 routes
> > > Jan 6 11:18:11 my-vpn-client charon: 00[KNL] known interfaces and IP addresses:
> > > Jan 6 11:18:11 my-vpn-client charon: 00[KNL] lo
> > > Jan 6 11:18:11 my-vpn-client charon: 00[KNL] 127.0.0.1
> > > Jan 6 11:18:11 my-vpn-client charon: 00[KNL] ::1
> > > Jan 6 11:18:11 my-vpn-client charon: 00[KNL] eth0
> > > Jan 6 11:18:11 my-vpn-client charon: 00[KNL] 192.168.2.227
> > > Jan 6 11:18:11 my-vpn-client charon: 00[KNL] 192.168.2.103
> > > Jan 6 11:18:11 my-vpn-client charon: 00[KNL] fe80::250:56ff:feaa:6249
> > > Jan 6 11:18:11 my-vpn-client charon: 00[KNL] eth1
> > > Jan 6 11:18:11 my-vpn-client charon: 00[KNL] fe80::250:56ff:feaa:b96
> > > Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> > > Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loaded ca certificate "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company" from '/etc/ipsec.d/cacerts/ca.crt'
> > > Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> > > Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> > > Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> > > Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> > > Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> > > Jan 6 11:18:11 my-vpn-client charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/server.key'
> > > Jan 6 11:18:11 my-vpn-client charon: 00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-aka eap-md5 eap-tls xauth-generic xauth-noauth lookip
> > > Jan 6 11:18:11 my-vpn-client charon: 00[LIB] unable to load 6 plugin features (6 due to unmet dependencies)
> > > Jan 6 11:18:11 my-vpn-client charon: 00[JOB] spawning 16 worker threads
> > > Jan 6 11:18:11 my-vpn-client charon: 02[NET] waiting for data on sockets
> > > Jan 6 11:18:11 my-vpn-client charon: 04[CFG] received stroke: add connection 'client-ha'
> > > Jan 6 11:18:11 my-vpn-client charon: 04[KNL] 192.168.2.213 is not a local address or the interface is down
> > > Jan 6 11:18:11 my-vpn-client charon: 04[CFG] loaded certificate "CN=my-vpn-client.company.com, O=Company" from 'server.crt'
> > > Jan 6 11:18:11 my-vpn-client charon: 04[CFG] id 'my-vpn-client.company.com' not confirmed by certificate, defaulting to 'CN=my-vpn-client.company.com, O=Company'
> > > Jan 6 11:18:11 my-vpn-client charon: 04[CFG] added configuration 'client-ha'
> > > Jan 6 11:18:31 my-vpn-client charon: 06[CFG] received stroke: initiate 'client-ha'
> > > Jan 6 11:18:31 my-vpn-client charon: 08[MGR] checkout IKE_SA by config
> > > Jan 6 11:18:31 my-vpn-client charon: 08[MGR] created IKE_SA (unnamed)[1]
> > > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_VENDOR task
> > > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_INIT task
> > > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_NATD task
> > > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CERT_PRE task
> > > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_AUTH task
> > > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CERT_POST task
> > > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_CONFIG task
> > > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_AUTH_LIFETIME task
> > > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing IKE_MOBIKE task
> > > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] queueing CHILD_CREATE task
> > > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating new tasks
> > > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_VENDOR task
> > > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_INIT task
> > > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_NATD task
> > > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_CERT_PRE task
> > > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_AUTH task
> > > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_CERT_POST task
> > > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_CONFIG task
> > > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating CHILD_CREATE task
> > > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_AUTH_LIFETIME task
> > > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] activating IKE_MOBIKE task
> > > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] initiating IKE_SA client-ha[1] to 192.168.2.213
> > > Jan 6 11:18:31 my-vpn-client charon: 08[IKE] IKE_SA client-ha[1] state change: CREATED => CONNECTING
> > > Jan 6 11:18:31 my-vpn-client charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > > Jan 6 11:18:31 my-vpn-client charon: 08[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500] (708 bytes)
> > > Jan 6 11:18:31 my-vpn-client charon: 08[MGR] checkin IKE_SA client-ha[1]
> > > Jan 6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500]
> > > Jan 6 11:18:31 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500]
> > > Jan 6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on sockets
> > > Jan 6 11:18:31 my-vpn-client charon: 09[MGR] checkout IKE_SA by message
> > > Jan 6 11:18:31 my-vpn-client charon: 09[MGR] IKE_SA client-ha[1] successfully checked out
> > > Jan 6 11:18:31 my-vpn-client charon: 09[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500] (38 bytes)
> > > Jan 6 11:18:31 my-vpn-client charon: 09[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> > > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
> > > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] IKE_SA client-ha[1] state change: CONNECTING => CREATED
> > > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating new tasks
> > > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating IKE_INIT task
> > > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating IKE_NATD task
> > > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating IKE_CERT_PRE task
> > > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating IKE_AUTH task
> > > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating IKE_CERT_POST task
> > > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating IKE_CONFIG task
> > > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating CHILD_CREATE task
> > > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating IKE_AUTH_LIFETIME task
> > > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] activating IKE_MOBIKE task
> > > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] initiating IKE_SA client-ha[1] to 192.168.2.213
> > > Jan 6 11:18:31 my-vpn-client charon: 09[IKE] IKE_SA client-ha[1] state change: CREATED => CONNECTING
> > > Jan 6 11:18:31 my-vpn-client charon: 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > > Jan 6 11:18:31 my-vpn-client charon: 09[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500] (580 bytes)
> > > Jan 6 11:18:31 my-vpn-client charon: 09[MGR] checkin IKE_SA client-ha[1]
> > > Jan 6 11:18:31 my-vpn-client charon: 09[MGR] check-in of IKE_SA successful.
> > > Jan 6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[500] to 192.168.2.213[500]
> > > Jan 6 11:18:31 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500]
> > > Jan 6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on sockets
> > > Jan 6 11:18:31 my-vpn-client charon: 10[MGR] checkout IKE_SA by message
> > > Jan 6 11:18:31 my-vpn-client charon: 10[MGR] IKE_SA client-ha[1] successfully checked out
> > > Jan 6 11:18:31 my-vpn-client charon: 10[NET] received packet: from 192.168.2.213[500] to 192.168.2.227[500] (381 bytes)
> > > Jan 6 11:18:31 my-vpn-client charon: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> > > Jan 6 11:18:31 my-vpn-client charon: 10[IKE] received cert request for unknown ca with keyid 4e:e1:18:20:b8:6b:65:0e:f3:40:51:73:88:dd:fe:d2:91:52:11:c0
> > > Jan 6 11:18:31 my-vpn-client charon: 10[IKE] received cert request for "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
> > > Jan 6 11:18:31 my-vpn-client charon: 10[IKE] received 1 cert requests for an unknown ca
> > > Jan 6 11:18:31 my-vpn-client charon: 10[IKE] reinitiating already active tasks
> > > Jan 6 11:18:31 my-vpn-client charon: 10[IKE] IKE_CERT_PRE task
> > > Jan 6 11:18:31 my-vpn-client charon: 10[IKE] IKE_AUTH task
> > > Jan 6 11:18:31 my-vpn-client charon: 10[IKE] sending cert request for "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
> > > Jan 6 11:18:31 my-vpn-client charon: 10[IKE] building INTERNAL_IP4_DNS attribute
> > > Jan 6 11:18:31 my-vpn-client charon: 10[IKE] establishing CHILD_SA client-ha
> > > Jan 6 11:18:31 my-vpn-client charon: 10[KNL] getting SPI for reqid {1}
> > > Jan 6 11:18:31 my-vpn-client charon: 10[KNL] got SPI ccd30cb7 for reqid {1}
> > > Jan 6 11:18:31 my-vpn-client charon: 10[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
> > > Jan 6 11:18:31 my-vpn-client charon: 10[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500] (428 bytes)
> > > Jan 6 11:18:31 my-vpn-client charon: 10[MGR] checkin IKE_SA client-ha[1]
> > > Jan 6 11:18:31 my-vpn-client charon: 10[MGR] check-in of IKE_SA successful.
> > > Jan 6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500]
> > > Jan 6 11:18:31 my-vpn-client charon: 02[NET] received packet: from 192.168.2.213[4500] to 192.168.2.227[4500]
> > > Jan 6 11:18:31 my-vpn-client charon: 02[NET] waiting for data on sockets
> > > Jan 6 11:18:31 my-vpn-client charon: 11[MGR] checkout IKE_SA by message
> > > Jan 6 11:18:31 my-vpn-client charon: 11[MGR] IKE_SA client-ha[1] successfully checked out
> > > Jan 6 11:18:31 my-vpn-client charon: 11[NET] received packet: from 192.168.2.213[4500] to 192.168.2.227[4500] (956 bytes)
> > > Jan 6 11:18:31 my-vpn-client charon: 11[ENC] parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]
> > > Jan 6 11:18:31 my-vpn-client charon: 11[IKE] received end entity cert "CN=my-vpn-server.company.com, O=Company"
> > > Jan 6 11:18:31 my-vpn-client charon: 11[IKE] no trusted RSA public key found for 'my-vpn-server.company.com'
> > > Jan 6 11:18:31 my-vpn-client charon: 11[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
> > > Jan 6 11:18:31 my-vpn-client charon: 11[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500] (76 bytes)
> > > Jan 6 11:18:31 my-vpn-client charon: 11[KNL] deleting SAD entry with SPI ccd30cb7 (mark 0/0x00000000)
> > > Jan 6 11:18:31 my-vpn-client charon: 03[NET] sending packet: from 192.168.2.227[4500] to 192.168.2.213[4500]
> > > Jan 6 11:18:31 my-vpn-client charon: 11[KNL] deleted SAD entry with SPI ccd30cb7 (mark 0/0x00000000)
> > > Jan 6 11:18:31 my-vpn-client charon: 11[MGR] checkin and destroy IKE_SA client-ha[1]
> > > Jan 6 11:18:31 my-vpn-client charon: 11[IKE] IKE_SA client-ha[1] state change: CONNECTING => DESTROYING
> > > Jan 6 11:18:31 my-vpn-client charon: 11[MGR] check-in and destroy of IKE_SA successful
> > > Jan 6 11:18:35 my-vpn-client charon: 12[MGR] checkout IKE_SA
> > > Jan 6 11:18:35 my-vpn-client charon: 13[MGR] checkout IKE_SA
> > > Jan 6 11:18:35 my-vpn-client charon: 14[MGR] checkout IKE_SA
> > >
> > > The important failure message here is "no trusted RSA public key found for 'my-vpn-server.company.com'". I have also tried setting the eap identity in the vpn endpoint to the full DN in the server certificate but that didn't work either. I don't understand why this would be failing if the certificate is properly signed by the CA. Can someone tell me if I am missing something?
> > >
> > > Thanks for the help.
> > > -Justin
> > >
> > > _______________________________________________
> > > Users mailing list
> > > [email protected]
> > > https://lists.strongswan.org/mailman/listinfo/users
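A log-triage helper, added here as an example and not code from the thread or from strongSwan: it scans charon lines for the symptoms the replies above turn on (a CERTREQ for an unknown CA, a rightca given as a file path and discarded, an id not confirmed by the loaded certificate, and no trusted public key for the peer) and, for the last one, tells apart "the peer sent a certificate that could not be chained" from "no peer certificate was received at all", which decides whether to look at the CA chain on the client or at leftsendcert on the server. The sample lines are constructed after the ones quoted in the thread; the rule names and hint texts are assumptions of this example.

```python
"""Triage strongSwan charon log lines for the certificate-trust symptoms
discussed in the thread. Added example, not strongSwan code."""
import re
from dataclasses import dataclass

# One rule per symptom: (name, regex over the message part, hint). The hints
# paraphrase the advice given in the thread; the rule names are made up here.
RULES = [
    ("unknown-ca-certreq",
     re.compile(r"received cert request for unknown ca with keyid (?P<value>[0-9a-f:]+)"),
     "the peer asks for a CA the client has not loaded; every CA of the chain, "
     "root to issuing CA, belongs in /etc/ipsec.d/cacerts"),
    ("rightca-path-discarded",
     re.compile(r'CA certificate "(?P<value>[^"]+)" not found, discarding CA constraint'),
     "rightca was given a file path, but strongSwan expects the CA certificate's DN"),
    ("id-not-confirmed",
     re.compile(r"id '(?P<value>[^']*)' not confirmed by certificate"),
     "the configured id is neither a SAN nor the subject DN of the certificate"),
    ("no-trusted-key",
     re.compile(r"no trusted RSA public key found for '(?P<value>[^']+)'"),
     "the peer's certificate was received but could not be chained to a loaded "
     "CA; compare its issuer with the CAs in /etc/ipsec.d/cacerts"),
]
NO_PEER_CERT_HINT = ("no peer certificate was seen before the failure; "
                     "leftsendcert=always on the server forces it to be sent")

# Syslog prefix as in the thread: "Jan  6 14:50:59 host charon: 12[IKE] msg"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Jan  6 14:50:59 my-vpn-client charon: 05[CFG] loaded certificate "CN=my-vpn-client.company.com, O=Company" from 'server.crt'
Jan  6 14:50:59 my-vpn-client charon: 05[CFG] id 'my-vpn-client.company.com' not confirmed by certificate, defaulting to 'CN=my-vpn-client.company.com, O=Company'
Jan  6 14:50:59 my-vpn-client charon: 05[CFG] CA certificate "/etc/ipsec.d/cacerts/ca.crt" not found, discarding CA constraint
Jan  6 14:50:59 my-vpn-client charon: 11[IKE] received cert request for unknown ca with keyid 4e:e1:18:20:b8:6b:65:0e:f3:40:51:73:88:dd:fe:d2:91:52:11:c0
Jan  6 14:50:59 my-vpn-client charon: 11[IKE] received cert request for "C=US, ST=Colorado, L=Denver, O=Company, OU=NET, CN=Company"
Jan  6 14:50:59 my-vpn-client charon: 12[ENC] parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]
Jan  6 14:50:59 my-vpn-client charon: 12[IKE] received end entity cert "CN=my-vpn-server.company.com, O=Company"
Jan  6 14:50:59 my-vpn-client charon: 12[IKE] no trusted RSA public key found for 'CN=my-vpn-server.company.com, O=Company'
Jan  6 14:50:59 my-vpn-client charon: 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""


@dataclass
class Finding:
    rule: str    # rule name from RULES
    value: str   # the identifier the log line complains about
    hint: str    # what to check, taken from the thread's advice
    msg: str     # the charon message that triggered the rule


def parse_line(line):
    """Split one charon syslog line into its fields; None for other lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(text):
    """Return one Finding per symptom found in the charon log text.

    Lines are read in order so that 'no-trusted-key' can be told apart
    from 'the peer never sent a certificate': only if an end entity cert
    was received earlier does the hint point at the CA chain.
    """
    findings = []
    saw_peer_cert = False
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if msg.startswith("received end entity cert"):
            saw_peer_cert = True
        for name, pattern, hint in RULES:
            m = pattern.search(msg)
            if m is None:
                continue
            if name == "no-trusted-key" and not saw_peer_cert:
                hint = NO_PEER_CERT_HINT
            findings.append(Finding(name, m.group("value"), hint, msg))
    return findings


def summarize(findings):
    """Count findings per rule name."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:24} {f.value}\n    -> {f.hint}")
```

Feed it `journalctl -u strongswan` or the syslog file the daemon writes to; lines that are not charon output are skipped.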
