This was caused by a mismatch between strongSwan and OpenSSL regarding FIPS. OpenSSL was operating in FIPS mode, but a non-FIPS signature algorithm was being called, so it silently failed. I rebuilt strongSwan and OpenSSL and changed the FIPS config to agree and everything worked.
On Tue, Jun 21, 2016 at 11:58 PM Stephen Wilcox <[email protected]> wrote:

> I'm attempting to use a Raspberry Pi as a StrongSwan peer with
> certificates for authentication. I have a certificate for the Pi signed by
> my own ca cert. When I try to bring the connection up, it seems it can't
> authenticate itself:
>
> authentication of 'C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=client.tyfone.com, [email protected]' (myself) failed
>
> The private key and ca cert are present in /etc/ipsec.d/private and
> cacerts respectively. Using the pki tool, I can verify that the cert is
> current and valid per the ca cert, and I can export the public keys from
> the private key and the cert and see that they match.
>
> *Here is my ipsec.conf on the Pi*
>
> config setup
>         charondebug="ike 4, knl 4"
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev1
>
> conn work
>         left=%defaultroute                #external IP address
>         leftsourceip=%config              #external IP address
>         leftid="C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=client.tyfone.com, [email protected]"
>         leftcert=clientCert.pem
>         leftfirewall=yes                  #automatically add firewall rules
>         auto=add
>         right=10.0.1.47                   #strongSwan server external IP
>         rightsubnet=0.0.0.0/0             #route all traffic to the strongSwan server
>         [email protected]          #unique id of server
>         rightcert=serverCert.der
>
> include /var/lib/strongswan/ipsec.conf.inc
>
> *Here is what is shown for the client cert when I use ipsec listcerts*
>
>   subject:   "C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=client.tyfone.com, [email protected]"
>   issuer:    "C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=ca.tyfone.com, [email protected]"
>   validity:  not before Jun 17 12:02:02 2016, ok
>              not after  Jun 17 12:02:02 2019, ok (expires in 1090 days)
>   serial:    4e:33:64:13:cb:2d:ea:65
>   altNames:  172.16.176.100
>   authkeyId: 59:fb:0e:30:6b:d0:ee:01:18:74:4c:e2:11:4e:84:a2:f6:8c:29:03
>   subjkeyId: 09:25:7a:55:22:cf:af:17:94:6f:d8:ea:81:9f:bc:fe:cd:69:e7:ec
>   pubkey:    RSA 2048 bits, has private key
>   keyid:     b3:54:9f:50:47:e4:95:fc:8e:b5:cf:a3:1f:96:e3:eb:9d:11:14:4c
>   subjkey:   09:25:7a:55:22:cf:af:17:94:6f:d8:ea:81:9f:bc:fe:cd:69:e7:ec
>
> *Here is the rest of the output from trying to bring up the work connection:*
>
> initiating Main Mode IKE_SA work[2] to 10.0.1.47
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from 10.0.1.5[500] to 10.0.1.47[500] (216 bytes)
> received packet: from 10.0.1.47[500] to 10.0.1.5[500] (136 bytes)
> parsed ID_PROT response 0 [ SA V V V ]
> received XAuth vendor ID
> received DPD vendor ID
> received NAT-T (RFC 3947) vendor ID
> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> sending packet: from 10.0.1.5[500] to 10.0.1.47[500] (524 bytes)
> received packet: from 10.0.1.47[500] to 10.0.1.5[500] (670 bytes)
> parsed ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
> received cert request for 'C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=ca.tyfone.com, [email protected]'
> remote host is behind NAT
> sending cert request for "C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=ca.tyfone.com, [email protected]"
> authentication of 'C=US, ST=OR, L=Portland, O=Tyfone, OU=Shasta, CN=client.tyfone.com, [email protected]' (myself) failed
> generating INFORMATIONAL_V1 request 1793715306 [ HASH N(AUTH_FAILED) ]
> sending packet: from 10.0.1.5[4500] to 10.0.1.47[4500] (108 bytes)
> establishing connection 'work' failed
>
> Any help is appreciated. Thanks in advance!
>
> Cheers,
> Stephen
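As an added diagnostic for the FIPS mismatch described in the reply (this is not code from the thread, from strongSwan or from OpenSSL): a stdlib-only check that reads the signatureAlgorithm OID out of a DER certificate and compares it against an assumed FIPS policy table, which is the first thing to confirm when a FIPS-mode OpenSSL rejects a signature with no clearer error than "authentication failed". The certificate blobs below are constructed for the demo, and the approved/not-approved flags are my assumptions, not OpenSSL's own list.

```python
# Assumed policy table (not from the thread or OpenSSL): SHA-2 signatures are
# FIPS-approved; MD5 and SHA-1 signature generation is treated as not approved.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", False),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
}

def _tlv(buf, pos):
    """Decode one DER TLV at pos: (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Content bytes of an OBJECT IDENTIFIER -> dotted-decimal string."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                   # base-128 arcs
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """Return the OID of Certificate.signatureAlgorithm (RFC 5280 outer layout)."""
    tag, start, _ = _tlv(der, 0)                        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _tlv(der, start)                    # skip tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)                # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)      # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])

def check_certificate(der):
    """Return (oid, name, fips_approved); unknown OIDs count as not approved."""
    oid = signature_algorithm_oid(der)
    return (oid,) + SIG_ALGS.get(oid, ("unknown", False))

def _constructed_cert(oid_hex):
    """Constructed certificate-shaped DER for the demo (empty tbsCertificate)."""
    oid = bytes.fromhex(oid_hex)
    alg = b"\x30" + bytes([len(oid) + 4]) + b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body

SHA256_RSA_CERT = _constructed_cert("2a864886f70d01010b")  # sha256WithRSAEncryption
MD5_RSA_CERT = _constructed_cert("2a864886f70d010104")     # md5WithRSAEncryption
```

To run it against a real certificate, convert the PEM file first with `openssl x509 -in clientCert.pem -outform DER -out clientCert.der` and pass the file's bytes to check_certificate().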
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
