Project

General

Profile

Issue #1063

Unable to establish a connection w/ECDSA Certs

Added by Aiden A almost 6 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
-
Affected version:
5.3.2
Resolution:
No feedback

Description

Hello. I've attempted to create ECDSA certs/keys with the following commands:

ipsec pki --gen --type ecdsa --size 384 \
        --outform pem \
        > private/strongswanKey.pem

chmod 600 private/strongswanKey.pem

ipsec pki --self --ca --lifetime 3650 \
        --in private/strongswanKey.pem --type ecdsa \
        --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \
        --outform pem \
        > cacerts/strongswanCert.pem

ipsec pki --gen --type ecdsa --size 256 \
        --outform pem \
        > private/vpnHostKey.pem

chmod 600 private/vpnHostKey.pem

ipsec pki --pub --in private/vpnHostKey.pem --type ecdsa | \
        ipsec pki --issue --lifetime 730 \
        --cacert cacerts/strongswanCert.pem \
        --cakey private/strongswanKey.pem \
        --dn "C=CH, O=strongSwan, CN=SERVER.IP" \
        --san SERVER.IP \
        --flag serverAuth --flag ikeIntermediate \
        --outform pem > certs/vpnHostCert.pem

ipsec pki --gen --type ecdsa --size 256 \
        --outform pem \
        > private/ClientKey.pem

chmod 600 private/ClientKey.pem

ipsec pki --pub --in private/ClientKey.pem --type ecdsa | \
        ipsec pki --issue --lifetime 730 \
        --cacert cacerts/strongswanCert.pem \
        --cakey private/strongswanKey.pem \
        --dn "C=CH, O=strongSwan, CN=Client Key" \
        --san Client_Key \
        --outform pem > certs/ClientCert.pem

openssl pkcs12 -export -inkey private/ClientKey.pem \
        -in certs/ClientCert.pem -name "Client's VPN Certificate" \
        -certfile cacerts/strongswanCert.pem \
        -caname "strongSwan Root CA" \
        -out Client.p12

However, when I attempt to use these new certs/keys, I get this in the logs:

Aug  9 03:07:05 retro charon: 03[NET] received packet: from 172.56.2.244[56289] to 10.0.0.9[500]
Aug  9 03:07:05 retro charon: 03[NET] waiting for data on sockets
Aug  9 03:07:05 retro charon: 12[NET] received packet: from 172.56.2.244[56289] to 10.0.0.9[500] (668 bytes)
Aug  9 03:07:05 retro charon: 12[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Aug  9 03:07:05 retro charon: 12[CFG] looking for an ike config for 10.0.0.9...172.56.2.244
Aug  9 03:07:05 retro charon: 12[CFG]   candidate: %any...%any, prio 28
Aug  9 03:07:05 retro charon: 12[CFG] found matching ike config: %any...%any with prio 28
Aug  9 03:07:05 retro charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
Aug  9 03:07:05 retro charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Aug  9 03:07:05 retro charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Aug  9 03:07:05 retro charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Aug  9 03:07:05 retro charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Aug  9 03:07:05 retro charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Aug  9 03:07:05 retro charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Aug  9 03:07:05 retro charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Aug  9 03:07:05 retro charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Aug  9 03:07:05 retro charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug  9 03:07:05 retro charon: 12[IKE] received XAuth vendor ID
Aug  9 03:07:05 retro charon: 12[IKE] received Cisco Unity vendor ID
Aug  9 03:07:05 retro charon: 12[IKE] received FRAGMENTATION vendor ID
Aug  9 03:07:05 retro charon: 12[IKE] received DPD vendor ID
Aug  9 03:07:05 retro charon: 12[IKE] 172.56.2.244 is initiating a Main Mode IKE_SA
Aug  9 03:07:05 retro charon: 12[IKE] IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro charon: 12[CFG] selecting proposal:
Aug  9 03:07:05 retro charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Aug  9 03:07:05 retro rsyslogd-2177: imuxsock begins to drop messages from pid 18539 due to rate-limiting
Aug  9 03:07:11 retro rsyslogd-2177: imuxsock lost 128 messages from pid 18539 due to rate-limiting
Aug  9 03:07:11 retro charon: 03[NET] received packet: from 172.56.2.244[22689] to 10.0.0.9[4500]
Aug  9 03:07:11 retro charon: 03[NET] waiting for data on sockets
Aug  9 03:07:14 retro charon: 03[NET] received packet: from 172.56.2.244[22689] to 10.0.0.9[4500]
Aug  9 03:07:14 retro charon: 03[NET] waiting for data on sockets
Aug  9 03:07:17 retro charon: 03[NET] received packet: from 172.56.2.244[22689] to 10.0.0.9[4500]
Aug  9 03:07:17 retro charon: 03[NET] waiting for data on sockets
Aug  9 03:07:30 retro charon: 03[NET] received packet: from 172.56.2.244[22689] to 10.0.0.9[4500]
Aug  9 03:07:30 retro charon: 03[NET] waiting for data on sockets

My config file

config setup
  uniqueids=never
  charondebug="cfg 2, dmn 2, ike 2, net 2" 

conn %default
  keyexchange=ikev2
  ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
  esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
  dpdaction=clear
  dpddelay=300s
  dpdtimeout = 5s ## very important for iOS; reconnection issues without this!
  fragmentation=yes
  rekey=no
  left=%any
  leftid=SERVER.IP
  leftsubnet=0.0.0.0/0
  leftcert=vpnHostCert.pem
  leftsendcert=always
  right=%any
  rightdns=208.67.222.222,208.67.220.220
  rightsourceip=10.0.0.100/24

conn IKEv2
  keyexchange=ikev2
  auto=add
  rightauth=eap-mschapv2
  eap_identity=%any

conn IPSec
  keyexchange=ikev1
  # forceencaps=yes
  rightauth=pubkey
  rightauth2=xauth
  auto=add


Related issues

Related to Issue #3631: Unable to establish a connection w/ECDSA Certs (Follow up #1063)Closed

History

#1 Updated by Tobias Brunner almost 6 years ago

  • Status changed from New to Feedback
Aug  9 03:07:05 retro rsyslogd-2177: imuxsock begins to drop messages from pid 18539 due to rate-limiting
Aug  9 03:07:11 retro rsyslogd-2177: imuxsock lost 128 messages from pid 18539 due to rate-limiting

Your log is incomplete because your syslog daemon is dropping messages due to the rate limiting. So we don't see if there is actually any problem.

Please reduce the log level, use a file logger or change the syslog daemon's config.

#2 Updated by Aiden A almost 6 years ago

I was able to disable rate-limiting and was able to get this:

Aug 11 01:38:47 retro charon: 02[NET] received packet: from 172.56.18.4[38147] to 10.0.0.9[500]
Aug 11 01:38:47 retro charon: 02[NET] waiting for data on sockets
Aug 11 01:38:47 retro charon: 05[NET] received packet: from 172.56.18.4[38147] to 10.0.0.9[500] (668 bytes)
Aug 11 01:38:47 retro charon: 05[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Aug 11 01:38:47 retro charon: 05[CFG] looking for an ike config for 10.0.0.9...172.56.18.4
Aug 11 01:38:47 retro charon: 05[CFG]   candidate: %any...%any, prio 28
Aug 11 01:38:47 retro charon: 05[CFG] found matching ike config: %any...%any with prio 28
Aug 11 01:38:47 retro charon: 05[IKE] received NAT-T (RFC 3947) vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received XAuth vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received Cisco Unity vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received FRAGMENTATION vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] received DPD vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] 172.56.18.4 is initiating a Main Mode IKE_SA
Aug 11 01:38:47 retro charon: 05[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Aug 11 01:38:47 retro charon: 05[CFG] selecting proposal:
Aug 11 01:38:47 retro charon: 05[CFG]   no acceptable ENCRYPTION/_ALGORITHM/PSEUDO_RANDOM_FUNCTION/DIFFIE_HELLMAN_GROUP found
Aug 11 01:38:47 retro charon: 05[CFG] selecting proposal:
Aug 11 01:38:47 retro charon: 05[CFG]   proposal matches
Aug 11 01:38:47 retro charon: 05[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Aug 11 01:38:47 retro charon: 05[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 11 01:38:47 retro charon: 05[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 11 01:38:47 retro charon: 05[IKE] sending XAuth vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] sending DPD vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] sending FRAGMENTATION vendor ID
Aug 11 01:38:47 retro charon: 05[IKE] sending NAT-T (RFC 3947) vendor ID
Aug 11 01:38:47 retro charon: 05[ENC] generating ID_PROT response 0 [ SA V V V V ]
Aug 11 01:38:47 retro charon: 05[NET] sending packet: from 10.0.0.9[500] to 172.56.18.4[38147] (160 bytes)
Aug 11 01:38:47 retro charon: 03[NET] sending packet: from 10.0.0.9[500] to 172.56.18.4[38147]
Aug 11 01:38:47 retro charon: 02[NET] received packet: from 172.56.18.4[38147] to 10.0.0.9[500]
Aug 11 01:38:47 retro charon: 02[NET] waiting for data on sockets
Aug 11 01:38:47 retro charon: 08[NET] received packet: from 172.56.18.4[38147] to 10.0.0.9[500] (228 bytes)
Aug 11 01:38:47 retro charon: 08[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 11 01:38:47 retro charon: 08[IKE] local host is behind NAT, sending keep alives
Aug 11 01:38:47 retro charon: 08[IKE] remote host is behind NAT
Aug 11 01:38:47 retro charon: 08[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA" 
Aug 11 01:38:47 retro charon: 08[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Aug 11 01:38:47 retro charon: 08[NET] sending packet: from 10.0.0.9[500] to 172.56.18.4[38147] (314 bytes)
Aug 11 01:38:47 retro charon: 03[NET] sending packet: from 10.0.0.9[500] to 172.56.18.4[38147]
Aug 11 01:38:48 retro charon: 02[NET] received packet: from 172.56.18.4[29038] to 10.0.0.9[4500]
Aug 11 01:38:48 retro charon: 02[NET] waiting for data on sockets
Aug 11 01:38:48 retro charon: 07[NET] received packet: from 172.56.18.4[29038] to 10.0.0.9[4500] (668 bytes)
Aug 11 01:38:48 retro charon: 07[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Aug 11 01:38:48 retro charon: 07[IKE] ignoring certificate request without data
Aug 11 01:38:48 retro charon: 07[IKE] received end entity cert "C=CH, O=strongSwan, CN=Client Key" 
Aug 11 01:38:48 retro charon: 07[CFG] looking for XAuthInitRSA peer configs matching 10.0.0.9...172.56.18.4[C=CH, O=strongSwan, CN=Client Key]
Aug 11 01:38:48 retro charon: 07[CFG]   candidate "IPSec", match: 1/1/28 (me/other/ike)
Aug 11 01:38:48 retro charon: 07[CFG] selected peer config "IPSec" 
Aug 11 01:38:48 retro charon: 07[IKE] no trusted RSA public key found for 'C=CH, O=strongSwan, CN=Client Key'
Aug 11 01:38:48 retro charon: 07[CFG] no alternative config found
Aug 11 01:38:48 retro charon: 07[IKE] queueing INFORMATIONAL task
Aug 11 01:38:48 retro charon: 07[IKE] activating new tasks
Aug 11 01:38:48 retro charon: 07[IKE]   activating INFORMATIONAL task
Aug 11 01:38:48 retro charon: 07[ENC] generating INFORMATIONAL_V1 request 3247710638 [ HASH N(AUTH_FAILED) ]
Aug 11 01:38:48 retro charon: 07[NET] sending packet: from 10.0.0.9[4500] to 172.56.18.4[29038] (92 bytes)
Aug 11 01:38:48 retro charon: 07[IKE] IKE_SA IPSec[1] state change: CONNECTING => DESTROYING
Aug 11 01:38:48 retro charon: 03[NET] sending packet: from 10.0.0.9[4500] to 172.56.18.4[29038]
Aug 11 01:38:51 retro charon: 02[NET] received packet: from 172.56.18.4[29038] to 10.0.0.9[4500]
Aug 11 01:38:51 retro charon: 02[NET] waiting for data on sockets
Aug 11 01:38:54 retro charon: 02[NET] received packet: from 172.56.18.4[29038] to 10.0.0.9[4500]
Aug 11 01:38:54 retro charon: 02[NET] waiting for data on sockets
Aug 11 01:38:57 retro charon: 02[NET] received packet: from 172.56.18.4[29038] to 10.0.0.9[4500]
Aug 11 01:38:57 retro charon: 02[NET] waiting for data on sockets
Aug 11 01:39:09 retro charon: 02[NET] received packet: from 172.56.18.4[29038] to 10.0.0.9[4500]
Aug 11 01:39:09 retro charon: 02[NET] waiting for data on sockets

#3 Updated by Tobias Brunner almost 6 years ago

Aug 11 01:38:48 retro charon: 07[IKE] no trusted RSA public key found for 'C=CH, O=strongSwan, CN=Client Key'

Looks like the client's certificate can't be verified. Is the CA certificate installed and loaded? Check with ipsec listcacerts.

#4 Updated by Aiden A almost 6 years ago

List of X.509 CA Certificates:

  subject:  "C=CH, O=strongSwan, CN=strongSwan Root CA" 
  issuer:   "C=CH, O=strongSwan, CN=strongSwan Root CA" 
  serial:    6c:8d:51:3e:89:c1:19:40
  validity:  not before Aug 10 12:21:58 2015, ok
             not after  Aug 07 12:21:58 2025, ok 
  pubkey:    ECDSA 384 bits
  keyid:     70:c3:5b:e7:48:d8:3e:e8:56:04:9b:cb:35:0a:67:30:ab:a2:ad:28
  subjkey:   67:a6:c5:c9:14:a1:0f:c6:ad:27:11:c0:54:0a:33:09:ce:66:e2:ba

#5 Updated by Tobias Brunner almost 6 years ago

OK, and the client certificate definitely was issued by that CA (check the authkeyId in the output of pki --print)? And is that the certificate actually installed on the client? Increasing the log level for the cfg subsystem to 3 will also show what type of identity the client sends (in case that might be an issue).

#6 Updated by Aiden A almost 6 years ago

cfg lvl 3

Aug 11 12:53:06 retro charon: 02[NET] received packet: from 107.188.2.76[52225] to 10.0.0.9[500]
Aug 11 12:53:06 retro charon: 02[NET] waiting for data on sockets
Aug 11 12:53:06 retro charon: 13[NET] received packet: from 107.188.2.76[52225] to 10.0.0.9[500] (668 bytes)
Aug 11 12:53:06 retro charon: 13[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Aug 11 12:53:06 retro charon: 13[CFG] looking for an ike config for 10.0.0.9...107.188.2.76
Aug 11 12:53:06 retro charon: 13[CFG] ike config match: 0 (10.0.0.9 107.188.2.76 IKEv1)
Aug 11 12:53:06 retro charon: 13[CFG] ike config match: 28 (10.0.0.9 107.188.2.76 IKEv1)
Aug 11 12:53:06 retro charon: 13[CFG]   candidate: %any...%any, prio 28
Aug 11 12:53:06 retro charon: 13[CFG] found matching ike config: %any...%any with prio 28
Aug 11 12:53:06 retro charon: 13[IKE] received NAT-T (RFC 3947) vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received XAuth vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received Cisco Unity vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received FRAGMENTATION vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] received DPD vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] 107.188.2.76 is initiating a Main Mode IKE_SA
Aug 11 12:53:06 retro charon: 13[IKE] IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
Aug 11 12:53:06 retro charon: 13[CFG] selecting proposal:
Aug 11 12:53:06 retro charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM/PSEUDO_RANDOM_FUNCTION/DIFFIE_HELLMAN_GROUP found
Aug 11 12:53:06 retro charon: 13[CFG] selecting proposal:
Aug 11 12:53:06 retro charon: 13[CFG]   proposal matches
Aug 11 12:53:06 retro charon: 13[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Aug 11 12:53:06 retro charon: 13[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 11 12:53:06 retro charon: 13[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 11 12:53:06 retro charon: 13[IKE] sending XAuth vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] sending DPD vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] sending FRAGMENTATION vendor ID
Aug 11 12:53:06 retro charon: 13[IKE] sending NAT-T (RFC 3947) vendor ID
Aug 11 12:53:06 retro charon: 13[ENC] generating ID_PROT response 0 [ SA V V V V ]
Aug 11 12:53:06 retro charon: 13[NET] sending packet: from 10.0.0.9[500] to 107.188.2.76[52225] (160 bytes)
Aug 11 12:53:06 retro charon: 03[NET] sending packet: from 10.0.0.9[500] to 107.188.2.76[52225]
Aug 11 12:53:06 retro charon: 02[NET] received packet: from 107.188.2.76[52225] to 10.0.0.9[500]
Aug 11 12:53:06 retro charon: 02[NET] waiting for data on sockets
Aug 11 12:53:06 retro charon: 06[NET] received packet: from 107.188.2.76[52225] to 10.0.0.9[500] (228 bytes)
Aug 11 12:53:06 retro charon: 06[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 11 12:53:06 retro charon: 06[IKE] local host is behind NAT, sending keep alives
Aug 11 12:53:06 retro charon: 06[IKE] remote host is behind NAT
Aug 11 12:53:06 retro charon: 06[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA" 
Aug 11 12:53:06 retro charon: 06[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Aug 11 12:53:06 retro charon: 06[NET] sending packet: from 10.0.0.9[500] to 107.188.2.76[52225] (314 bytes)
Aug 11 12:53:06 retro charon: 03[NET] sending packet: from 10.0.0.9[500] to 107.188.2.76[52225]
Aug 11 12:53:07 retro charon: 02[NET] received packet: from 107.188.2.76[52226] to 10.0.0.9[4500]
Aug 11 12:53:07 retro charon: 02[NET] waiting for data on sockets
Aug 11 12:53:07 retro charon: 05[NET] received packet: from 107.188.2.76[52226] to 10.0.0.9[4500] (668 bytes)
Aug 11 12:53:07 retro charon: 05[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Aug 11 12:53:07 retro charon: 05[IKE] ignoring certificate request without data
Aug 11 12:53:07 retro charon: 05[IKE] received end entity cert "C=CH, O=strongSwan, CN=Client Key" 
Aug 11 12:53:07 retro charon: 05[CFG] looking for XAuthInitRSA peer configs matching 10.0.0.9...107.188.2.76[C=CH, O=strongSwan, CN=Client Key]
Aug 11 12:53:07 retro charon: 05[CFG] peer config match local: 1 (ID_ANY)
Aug 11 12:53:07 retro charon: 05[CFG] peer config match remote: 1 (ID_DER_ASN1_DN -> 30:37:31:0b:30:09:06:03:55:04:06:13:02:43:48:31:13:30:11:06:03:55:04:0a:13:0a:73:74:72:6f:6e:67:53:77:61:6e:31:13:30:11:06:03:55:04:03:13:0a:43:6c:69:65:6e:74:20:4b:65:79)
Aug 11 12:53:07 retro charon: 05[CFG] ike config match: 0 (10.0.0.9 107.188.2.76 IKEv1)
Aug 11 12:53:07 retro charon: 05[CFG] peer config match local: 1 (ID_ANY)
Aug 11 12:53:07 retro charon: 05[CFG] peer config match remote: 1 (ID_DER_ASN1_DN -> 30:37:31:0b:30:09:06:03:55:04:06:13:02:43:48:31:13:30:11:06:03:55:04:0a:13:0a:73:74:72:6f:6e:67:53:77:61:6e:31:13:30:11:06:03:55:04:03:13:0a:43:6c:69:65:6e:74:20:4b:65:79)
Aug 11 12:53:07 retro charon: 05[CFG] ike config match: 28 (10.0.0.9 107.188.2.76 IKEv1)
Aug 11 12:53:07 retro charon: 05[CFG]   candidate "IPSec", match: 1/1/28 (me/other/ike)
Aug 11 12:53:07 retro charon: 05[CFG] selected peer config "IPSec" 
Aug 11 12:53:07 retro charon: 05[IKE] no trusted RSA public key found for 'C=CH, O=strongSwan, CN=Client Key'
Aug 11 12:53:07 retro charon: 05[CFG] no alternative config found
Aug 11 12:53:07 retro charon: 05[IKE] queueing INFORMATIONAL task
Aug 11 12:53:07 retro charon: 05[IKE] activating new tasks
Aug 11 12:53:07 retro charon: 05[IKE]   activating INFORMATIONAL task
Aug 11 12:53:07 retro charon: 05[ENC] generating INFORMATIONAL_V1 request 2644362964 [ HASH N(AUTH_FAILED) ]
Aug 11 12:53:07 retro charon: 05[NET] sending packet: from 10.0.0.9[4500] to 107.188.2.76[52226] (92 bytes)
Aug 11 12:53:07 retro charon: 05[IKE] IKE_SA IPSec[5] state change: CONNECTING => DESTROYING
Aug 11 12:53:07 retro charon: 03[NET] sending packet: from 10.0.0.9[4500] to 107.188.2.76[52226]
Aug 11 12:53:10 retro charon: 02[NET] received packet: from 107.188.2.76[52226] to 10.0.0.9[4500]
Aug 11 12:53:10 retro charon: 02[NET] waiting for data on sockets
Aug 11 12:53:13 retro charon: 02[NET] received packet: from 107.188.2.76[52226] to 10.0.0.9[4500]
Aug 11 12:53:13 retro charon: 02[NET] waiting for data on sockets
Aug 11 12:53:16 retro charon: 02[NET] received packet: from 107.188.2.76[52226] to 10.0.0.9[4500]
Aug 11 12:53:16 retro charon: 02[NET] waiting for data on sockets
Aug 11 12:53:28 retro charon: 02[NET] received packet: from 107.188.2.76[52226] to 10.0.0.9[4500]
Aug 11 12:53:28 retro charon: 02[NET] waiting for data on sockets

At the moment, using the command sudo pki --print doesn't give me any output.

#7 Updated by Tobias Brunner almost 6 years ago

Log looks fine, the client sends a proper DN. How did you call pki --print? You have to either pass --in <path to cert> or pipe the certificate's content into it. Make sure it really is the client certificate (i.e. the one actually installed on the client).

#8 Updated by Aiden A almost 6 years ago

My bad. Was literally typing only pki --print in the command line.

ipsec pki --print --in cacerts/strongswanCert.pem

cert:      X509
subject:  "C=CH, O=strongSwan, CN=strongSwan Root CA" 
issuer:   "C=CH, O=strongSwan, CN=strongSwan Root CA" 
validity:  not before Aug 10 12:21:58 2015, ok
           not after  Aug 07 12:21:58 2025, ok (expires in 3648 days)
serial:    6c:8d:51:3e:89:c1:19:40
flags:     CA CRLSign self-signed 
subjkeyId: 67:a6:c5:c9:14:a1:0f:c6:ad:27:11:c0:54:0a:33:09:ce:66:e2:ba
pubkey:    ECDSA 384 bits
keyid:     70:c3:5b:e7:48:d8:3e:e8:56:04:9b:cb:35:0a:67:30:ab:a2:ad:28
subjkey:   67:a6:c5:c9:14:a1:0f:c6:ad:27:11:c0:54:0a:33:09:ce:66:e2:ba

The client cert is installed

#9 Updated by Tobias Brunner almost 6 years ago

That's the CA cert, how about the client's cert.

#10 Updated by Aiden A almost 6 years ago

ipsec pki --print --in certs/ClientCert.pem

cert:      X509
subject:  "C=CH, O=strongSwan, CN=Client Key" 
issuer:   "C=CH, O=strongSwan, CN=strongSwan Root CA" 
validity:  not before Aug 10 12:21:59 2015, ok
           not after  Aug 09 12:21:59 2017, ok (expires in 728 days)
serial:    2c:45:ee:20:09:2e:31:40
altNames:  Client_Key
flags:     
authkeyId: 67:a6:c5:c9:14:a1:0f:c6:ad:27:11:c0:54:0a:33:09:ce:66:e2:ba
subjkeyId: 50:f1:b6:bc:87:c0:ce:cc:73:e2:8a:a7:b9:91:36:59:26:e2:b2:c5
pubkey:    ECDSA 256 bits
keyid:     15:36:c8:b4:31:67:ce:b5:79:2e:f1:41:75:bd:5a:49:05:01:e0:24
subjkey:   50:f1:b6:bc:87:c0:ce:cc:73:e2:8a:a7:b9:91:36:59:26:e2:b2:c5

#11 Updated by Tobias Brunner almost 6 years ago

Looks fine.

Aug 11 12:53:07 retro charon: 05[IKE] no trusted RSA public key found for 'C=CH, O=strongSwan, CN=Client Key'

Sorry for not noticing this before. But it looks like the daemon is actually explicitly looking for an RSA key. That's because you use IKEv1 with XAuth/RSA <---. With that scheme the daemon creates a pubkey authenticator limited to RSA (the ECDSA schemes defined in RFC 4754, on the other hand, will force the authenticator to look for ECDSA public keys). Using ECDSA with XAuth/RSA seems incorrect, however, there is currently no XAuth/ECDSA and the client explicitly sets the authentication method to XAuth/RSA. What client are you using?

I suppose we could look for any kind of key with a matching identity (at least for the XAuth schemes), but that might not always result in the right certificate getting selected either (e.g. when a server has an RSA and an ECDSA key with the same identity to use in different connections).

#12 Updated by Aiden A over 5 years ago

The client I'm using is a MacBook running Yosemite (10.10.4)

#13 Updated by Tobias Brunner over 5 years ago

The client I'm using is a MacBook running Yosemite (10.10.4)

Hm, OK. Apple often does strange stuff. You could try the attached patch, not sure if we are going to apply it upstream though, as it could lead to the wrong key getting selected if multiple keys of different types share the same identity.

#14 Updated by Aiden A over 5 years ago

Do you know how and where I should be applying the patch?

#15 Updated by Tobias Brunner over 5 years ago

Do you know how and where I should be applying the patch?

Download the patch then apply it to the strongSwan sources with patch -p1 < search-for-any-key-for-xauthrsa.patch or if you checked out the sources via Git with git apply search-for-any-key-for-xauthrsa.patch. InstallationDocumentation has more on building from sources.

#16 Updated by Aiden A over 5 years ago

I've tried to apply the patch using the following command, but I got this:

can't find file to patch at input line 5
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git a/src/libcharon/sa/authenticator.c b/src/libcharon/sa/authenticator.c
|index 6c3681a2d2d3..8f825969d08c 100644
|--- a/src/libcharon/sa/authenticator.c
|+++ b/src/libcharon/sa/authenticator.c
--------------------------
File to patch: 

#17 Updated by Tobias Brunner over 5 years ago

Did you run this in the top-level source directory (you should see a src subdirectory) and with -p1?

#18 Updated by Aiden A over 5 years ago

I tried running the patch in usr/src/ but thats where I get that output in my last post.

#19 Updated by Tobias Brunner over 5 years ago

Why in /usr/src? I was referring to the strongSwan sources, did you check InstallationDocumentation?

#20 Updated by Noel Kuntze over 3 years ago

  • Status changed from Feedback to Closed
  • Resolution set to No feedback

#21 Updated by Tobias Brunner 6 months ago

  • Related to Issue #3631: Unable to establish a connection w/ECDSA Certs (Follow up #1063) added

Also available in: Atom PDF