I'm attempting to use a Raspberry Pi as a StrongSwan peer with certificates for authentication. I have a certificate for the Pi signed by my own ca cert. When I try to bring the connection up, it seems it can't authenticate itself:
authentication of 'C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN= client.tyfone.com, [email protected]' (myself) failed The private key and ca cert are present in /etc/ipsec.d/private and cacerts respectively. Using the pki tool, I can verify that the cert is current and valid per the ca cert, and I can export the public keys from the private key and the cert and see that they match. *Here is my ipsec.conf on the Pi* config setup charondebug="ike 4, knl 4" conn %default ikelifetime=60m keylife=20m rekeymargin=3m keyingtries=1 keyexchange=ikev1 conn work left=%defaultroute #external IP address leftsourceip=%config #external IP address leftid="C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN= client.tyfone.com, [email protected]" leftcert=clientCert.pem leftfirewall=yes #automatically add firewall rules auto=add right=10.0.1.47 #strongSwan server external IP rightsubnet=0.0.0.0/0 #route all traffic to the strongSwan server [email protected] #unique id of server rightcert=serverCert.der include /var/lib/strongswan/ipsec.conf.inc *Here is what is shown for the client cert when I use ipsec listcerts* subject: "C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN= client.tyfone.com, [email protected]" issuer: "C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=ca.tyfone.com, [email protected]" validity: not before Jun 17 12:02:02 2016, ok not after Jun 17 12:02:02 2019, ok (expires in 1090 days) serial: 4e:33:64:13:cb:2d:ea:65 altNames: 172.16.176.100 authkeyId: 59:fb:0e:30:6b:d0:ee:01:18:74:4c:e2:11:4e:84:a2:f6:8c:29:03 subjkeyId: 09:25:7a:55:22:cf:af:17:94:6f:d8:ea:81:9f:bc:fe:cd:69:e7:ec pubkey: RSA 2048 bits, has private key keyid: b3:54:9f:50:47:e4:95:fc:8e:b5:cf:a3:1f:96:e3:eb:9d:11:14:4c subjkey: 09:25:7a:55:22:cf:af:17:94:6f:d8:ea:81:9f:bc:fe:cd:69:e7:ec *Here is the rest of the output from trying to bring up the work connection:* initiating Main Mode IKE_SA work[2] to 10.0.1.47 generating ID_PROT request 0 [ SA V V V V ] sending packet: from 10.0.1.5[500] to 10.0.1.47[500] (216 bytes) received packet: from 10.0.1.47[500] to 10.0.1.5[500] (136 bytes) parsed ID_PROT response 0 [ SA V V V ] received XAuth vendor ID received DPD vendor ID received NAT-T (RFC 3947) vendor ID generating ID_PROT request 0 [ KE No NAT-D NAT-D ] sending packet: from 10.0.1.5[500] to 10.0.1.47[500] (524 bytes) received packet: from 10.0.1.47[500] to 10.0.1.5[500] (670 bytes) parsed ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ] received cert request for 'C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN= ca.tyfone.com, [email protected]' remote host is behind NAT sending cert request for "C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN= ca.tyfone.com, [email protected]" authentication of 'C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN= client.tyfone.com, [email protected]' (myself) failed generating INFORMATIONAL_V1 request 1793715306 [ HASH N(AUTH_FAILED) ] sending packet: from 10.0.1.5[4500] to 10.0.1.47[4500] (108 bytes) establishing connection 'work' failed Any help is appreciated. Thanks in advance! Cheers, Stephen
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
