I resolved the issue by setting up id properly. Thanks for the direction.

On Fri, Oct 6, 2017 at 8:37 AM, rajeev nohria <[email protected]> wrote:

> Andreas,
>
> Thanks for the reply. I am using the davici interface instead of swanctl.conf. I
> do set the id as id: fc00:cada:c404:607::1001 but not the certs. Since
> I am using davici, it does not know the certificate file name and its path;
> I am reading the certificate file and passing the data. How can I resolve
> the problem in this situation?
>
> Thanks,
> Rajeev
>
> On Thu, Oct 5, 2017 at 11:56 AM, Andreas Steffen <[email protected]> wrote:
>
>> Hi,
>>
>> you must not set the IKEv2 ID to
>>
>>     id: fc00:cada:c404:607::1001
>>
>> since this ID is not contained as a subjectAltName in the client
>> certificate.
>>
>> Probably you didn't use the "certs" parameter in the local section of
>> swanctl.conf so that the client certificate just got loaded from
>> /etc/swanctl/x509. If you don't define the "id" parameter in the local
>> section then the IPv6 address of the client is assumed as the "id" by
>> default and because the IP address is not contained as a subjectAltName
>> in the certificate then neither the certificate nor the corresponding
>> private key is found.
>>
>> So the best approach is to define the following in swanctl.conf:
>>
>>     local {
>>         auth = pubkey
>>         certs = myCert.pem
>>     }
>>
>> This first causes the private key to be found automatically based
>> on the fingerprint of the public key contained in the certificate and
>> the ID to be set to the subject distinguished name contained in the
>> certificate.
>>
>> Best regards
>>
>> Andreas
>>
>> On 05.10.2017 17:33, rajeev nohria wrote:
>> > I have seen this issue before and fixed it. But this time I am not able
>> > to figure it out. Let me know if anyone sees the issue or has any suggestion.
>> > Thanks in advance.
>> >
>> > Problem:
>> > Getting an error while initiating the connection.
>> >
>> >     [IKE] no private key found for 'fc00:cada:c404:607::1001'
>> >     11[IKE] no private key found for 'fc00:cada:c404:607::1001'
>> >
>> > We are able to load the certificate and keys. Looking at the logs, the
>> > following is proof.
>> >
>> >     messages.0:Jan 1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded RSA private key
>> >     messages.0:Jan 1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority'
>> >     messages.0:Jan 1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded certificate 'C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e'
>> >     messages.0:Jan 1 09:09:23 E6kn-2016 daemon.info : 08[CFG] loaded certificate 'C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority'
>> >
>> > But when I initiate a connection, I get the following.
>> >
>> >     root@E6kn-2016:# swanctl --initiate --child gcpfc00:cada:c404::200
>> >     07[CFG] vici initiate 'gcpfc00:cada:c404::200'
>> >     09[IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002
>> >     [IKE] initiating IKE_SA rpdfc00:cada:c404::200[1] to 2017::5002
>> >     [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>> >     09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
>> >     [NET] sending packet: from fc00:cada:c404:607::1001[500] to 2017::5002[500] (264 bytes)
>> >     09[NET] sending packet: from fc00:cada:c404:607::1001[500] to 2017::5002[500] (264 bytes)
>> >     11[NET] received packet: from 2017::5002[500] to fc00:cada:c404:607::1001[500] (289 bytes)
>> >     [NET] received packet: from 2017::5002[500] to fc00:cada:c404:607::1001[500] (289 bytes)
>> >     11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
>> >     [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
>> >     [IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
>> >     11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
>> >     [IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
>> >     11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
>> >     [IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
>> >     11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
>> >     [IKE] no private key found for 'fc00:cada:c404:607::1001'
>> >     11[IKE] no private key found for 'fc00:cada:c404:607::1001'
>> >     initiate failed: establishing CHILD_SA 'gcpfc00:cada:c404::200' failed
>> >
>> >     root@E6kn-2016:# swanctl --list-conns
>> >     rpdfc00:cada:c404::200: IKEv2, no reauthentication, rekeying every 14400s
>> >       local:  fc00:cada:c404:607::1001
>> >       remote: 2017::5002
>> >       local public key authentication:
>> >         id: fc00:cada:c404:607::1001
>> >       remote public key authentication:
>> >       gcpfc00:cada:c404::200: TRANSPORT, rekeying every 3600s
>> >         local:  fc00:cada:c404:607::1001/128[tcp]
>> >         remote: 2017::5002/128[tcp]
>> >       l2tpfc00:cada:c404::200: TRANSPORT, rekeying every 3600s
>> >         local:  fc00:cada:c404:607::1001/128[l2tp]
>> >         remote: 2017::5002/128[l2tp]
>> >
>> >     root@E6kn-2016:# swanctl --list-certs
>> >
>> >     List of X.509 End Entity Certificates
>> >
>> >       subject:  "C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e"
>> >       issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
>> >       validity:  not before Sep 28 18:18:53 2017, ok
>> >                  not after  Sep 28 18:18:53 2037, ok (expires in 7300 days)
>> >       serial:    dd:dc:09:21:36:f2:e8:71
>> >       authkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
>> >       subjkeyId: 9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9
>> >       pubkey:    RSA 2048 bits, has private key
>> >       keyid:     8d:40:7d:fb:38:7b:4b:e2:fe:00:ba:72:6c:82:63:2b:6b:75:30:6e
>> >       subjkey:   9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9
>> >
>> >     List of X.509 CA Certificates
>> >
>> >       subject:  "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
>> >       issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
>> >       validity:  not before Dec 09 23:08:49 2014, ok
>> >                  not after  Dec 09 23:08:49 2049, ok (expires in 11755 days)
>> >       serial:    a0:16:bc:73:85:0e:65:37
>> >       altNames:  CN=SYMC-3072-5
>> >       flags:     CA CRLSign
>> >       pathlen:   0
>> >       authkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
>> >       subjkeyId: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
>> >       pubkey:    RSA 3072 bits
>> >       keyid:     b7:98:32:e4:ae:30:02:57:f7:ad:cb:2b:37:41:17:9c:1b:9d:79:28
>> >       subjkey:   f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b
>> >
>> >       subject:  "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
>> >       issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
>> >       validity:  not before Nov 11 17:19:44 2014, ok
>> >                  not after  Nov 11 17:19:44 2064, ok (expires in 17206 days)
>> >       serial:    b1:b0:d3:be:83:ee:bf:e3
>> >       altNames:  CN=MPKI-4096-1-206
>> >       flags:     CA CRLSign self-signed
>> >       subjkeyId: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
>> >       pubkey:    RSA 4096 bits
>> >       keyid:     bd:0e:4c:0f:21:cf:f0:49:af:19:34:3b:c2:64:c5:31:a1:2e:11:07
>> >       subjkey:   89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb
>> >
>> >     pki --print --type rsa-priv --in privKey.pem
>> >       privkey:   RSA 2048 bits
>> >       keyid:     8d:40:7d:fb:38:7b:4b:e2:fe:00:ba:72:6c:82:63:2b:6b:75:30:6e
>> >       subjkey:   9d:c7:c5:20:f7:bf:0c:fb:39:d2:5d:a2:8f:73:37:f1:f3:e0:a4:f9
>>
>> --
>> ======================================================================
>> Andreas Steffen                         [email protected]
>> strongSwan - the Open Source VPN Solution!          www.strongswan.org
>> Institute for Networked Solutions
>> HSR University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[INS-HSR]==
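The lookup Andreas describes has two steps, and the log line in the thread comes from the first one failing: charon first resolves the local "id" to an end-entity certificate (the ID must equal the subject DN or one of the subjectAltNames), and only then looks for a private key whose key identifier matches the public key in that certificate. The key and certificate in the thread do match (both show keyid 8d:40:7d:...), so the failure is purely the IPv6 address not being in the certificate. The following Python is an added illustration written for this page, not strongSwan, davici or vici code: it models that two-step lookup with the DNs and key identifiers copied from the thread's swanctl --list-certs and pki --print output, reproduces the error for the IPv6 ID, and builds the load-conn request a vici client (such as the python vici module) would send so that the certificate is passed as data rather than as a file name, which is what a davici user needs. The request layout follows my reading of the vici plugin README and is an assumption; the PEM strings are constructed placeholders.

```python
# Added illustration for this thread, not strongSwan/davici/vici code.
# Models charon's credential lookup: local "id" -> certificate (subject DN or
# SAN must match) -> private key (matched by the key identifier of the
# certificate's public key).  Also builds a vici load-conn request in which
# the certificate travels as data in local-1.certs (layout per my reading of
# the vici README; assumption).  DNs/keyids are copied from the thread,
# the PEM strings are constructed placeholders.
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Cert:
    subject: str                                # subject DN as printed by swanctl --list-certs
    keyid: str                                  # "keyid" of the public key (pki --print)
    san: list = field(default_factory=list)     # subjectAltNames; empty in the thread


@dataclass
class PrivKey:
    keyid: str                                  # "keyid" from pki --print --type rsa-priv
    pem: str


DEVICE_CERT = Cert(
    subject="C=US, O=ARRIS, OU=LOWELL, CN=00:33:5f:ab:8c:9e",
    keyid="8d:40:7d:fb:38:7b:4b:e2:fe:00:ba:72:6c:82:63:2b:6b:75:30:6e",
    san=[],                                     # no SAN, so an IP address ID can never match
)
DEVICE_KEY = PrivKey(
    keyid="8d:40:7d:fb:38:7b:4b:e2:fe:00:ba:72:6c:82:63:2b:6b:75:30:6e",
    pem="-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder)\n-----END RSA PRIVATE KEY-----\n",
)
DEVICE_CERT_PEM = "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n"


def find_cert(identity: str, certs) -> Optional[Cert]:
    """Step 1: the end-entity certificate whose subject DN or a SAN equals the local ID."""
    for cert in certs:
        if identity == cert.subject or identity in cert.san:
            return cert
    return None


def find_private_key(identity: str, certs, keys) -> Tuple[Optional[PrivKey], Optional[str]]:
    """Step 2: the private key whose keyid equals the keyid of the chosen cert's public key.

    Returns (key, None) on success, otherwise (None, message) mirroring charon's
    "no private key found for '<id>'" line, which is emitted whether step 1 or
    step 2 failed; that is why a correctly loaded key still produces it.
    """
    cert = find_cert(identity, certs)
    if cert is not None:
        for key in keys:
            if key.keyid == cert.keyid:
                return key, None
    return None, f"no private key found for '{identity}'"


def vici_load_conn_request(name: str, remote_addr: str, cert_pem: str,
                           local_id: Optional[str] = None) -> dict:
    """Build the load-conn message for a vici client (assumed layout, see lead-in).

    The certificate is attached as data in local-1.certs, which is what swanctl does
    internally with "certs = myCert.pem".  "id" is only set when the caller supplies
    one that is actually in the certificate; otherwise it is omitted so the daemon
    derives the ID from the certificate's subject DN.
    """
    local = {"auth": "pubkey", "certs": [cert_pem]}
    if local_id is not None:
        local["id"] = local_id
    return {name: {
        "version": "2",
        "remote_addrs": [remote_addr],
        "local-1": local,
        "remote-1": {"auth": "pubkey"},
        "children": {"gcp": {"mode": "transport"}},
    }}


if __name__ == "__main__":
    _, err = find_private_key("fc00:cada:c404:607::1001", [DEVICE_CERT], [DEVICE_KEY])
    print(err)                                  # the thread's error, reproduced
    key, err = find_private_key(DEVICE_CERT.subject, [DEVICE_CERT], [DEVICE_KEY])
    print("key found" if key else err)
    # With charon running and the python 'vici' package installed this request
    # would go out as: vici.Session().load_conn(vici_load_conn_request(...))
    print(vici_load_conn_request("rpd", "2017::5002", DEVICE_CERT_PEM))
```

The practical check when you see this error is therefore to compare the "keyid" printed by `pki --print --type rsa-priv` with the "keyid" of the end-entity certificate in `swanctl --list-certs` (they must be equal, and the certificate should report "has private key"), and then to confirm that the configured local id is literally the subject DN or one of the altNames of that certificate; in the thread the first condition held and the second did not.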
