
Issue #3675

CA certificate expired and some clients failed to connect after updating the certificate

Added by Royi Cohen about 1 month ago. Updated about 1 month ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
configuration
Affected version:
5.9.1
Resolution:
No change required

Description

Hi,

The CA certificate on our strongSwan server had expired. After updating the certificate, some of our Android clients are failing to connect.
The configuration on the server is as follows:

conn android
    fragmentation=yes
    keyexchange=ikev2
    leftauth=pubkey
    left=%defaultroute
    leftsubnet=::/0,0.0.0.0/0
    #leftsubnet=0.0.0.0/0::/0
    leftfirewall=yes
    leftcert=serverCert.pem
    leftsendcert=always
    right=%any
    rightauth=eap-md5
    rightsourceip=10.2.0.0/16,fec1::0/16
    eap_identity=%identity
    auto=add
    reauth=no

And the log provides the following information:
Jan 17 12:01:01 12[ENC] <27707> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 17 12:01:01 12[IKE] <27707> 2.55.1.9 is initiating an IKE_SA
Jan 17 12:01:01 12[CFG] <27707> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
Jan 17 12:01:01 12[IKE] <27707> remote host is behind NAT
Jan 17 12:01:01 12[IKE] <27707> DH group ECP_256 unacceptable, requesting CURVE_25519
Jan 17 12:01:01 12[ENC] <27707> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 17 12:01:01 12[NET] <27707> sending packet: from 109.207.79.189[500] to 2.55.1.9[46166] (38 bytes)
Jan 17 12:01:01 09[NET] <27708> received packet: from 2.55.1.9[46166] to 109.207.79.189[500] (684 bytes)
Jan 17 12:01:01 09[ENC] <27708> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 17 12:01:01 09[IKE] <27708> 2.55.1.9 is initiating an IKE_SA
Jan 17 12:01:01 09[CFG] <27708> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
Jan 17 12:01:01 09[IKE] <27708> remote host is behind NAT
Jan 17 12:01:01 09[IKE] <27708> sending cert request for "C=CN, O=xxxxxxxxxx, CN=xxxxxxxxxx CA"
Jan 17 12:01:01 09[ENC] <27708> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jan 17 12:01:01 09[NET] <27708> sending packet: from 109.207.79.189[500] to 2.55.1.9[46166] (265 bytes)
Jan 17 12:01:01 02[NET] <27708> received packet: from 2.55.1.9[46167] to 109.207.79.189[4500] (1236 bytes)
Jan 17 12:01:01 02[ENC] <27708> parsed IKE_AUTH request 1 [ EF ]
Jan 17 12:01:01 02[ENC] <27708> received fragment #1 of 3, waiting for complete IKE message
Jan 17 12:01:01 12[NET] <27708> received packet: from 2.55.1.9[46167] to 109.207.79.189[4500] (1236 bytes)
Jan 17 12:01:01 12[ENC] <27708> parsed IKE_AUTH request 1 [ EF ]
Jan 17 12:01:01 12[ENC] <27708> received fragment #2 of 3, waiting for complete IKE message
Jan 17 12:01:01 09[NET] <27708> received packet: from 2.55.1.9[46167] to 109.207.79.189[4500] (932 bytes)
Jan 17 12:01:01 09[ENC] <27708> parsed IKE_AUTH request 1 [ EF ]
Jan 17 12:01:01 09[ENC] <27708> received fragment #3 of 3, reassembled fragmented IKE message (3264 bytes)
Jan 17 12:01:01 09[ENC] <27708> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jan 17 12:01:01 09[IKE] <27708> received 137 cert requests for an unknown ca
Jan 17 12:01:01 09[CFG] <27708> looking for peer configs matching 109.207.79.189[OU=Domain Control Validated, CN=*.xxxxxxxxxx.com]...2.55.1.9[1-224022031]
Jan 17 12:01:01 09[CFG] <android|27708> selected peer config 'android'
Jan 17 12:01:01 09[IKE] <android|27708> ===>> eap_identity_create_peer
Jan 17 12:01:01 09[IKE] <android|27708> ===>> process_server
Jan 17 12:01:01 09[IKE] <android|27708> initiating EAP_IDENTITY method (id 0x00)
Jan 17 12:01:01 09[IKE] <android|27708> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 17 12:01:01 09[IKE] <android|27708> peer supports MOBIKE
Jan 17 12:01:01 09[IKE] <android|27708> authentication of 'OU=Domain Control Validated, CN=*.xxxxxxxxxx.com' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Jan 17 12:01:01 09[IKE] <android|27708> sending end entity cert "OU=Domain Control Validated, CN=*.xxxxxxxxxx.com"
Jan 17 12:01:01 09[ENC] <android|27708> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jan 17 12:01:01 09[ENC] <android|27708> splitting IKE message (2032 bytes) into 2 fragments
Jan 17 12:01:01 09[ENC] <android|27708> generating IKE_AUTH response 1 [ EF ]
Jan 17 12:01:01 09[ENC] <android|27708> generating IKE_AUTH response 1 [ EF ]
Jan 17 12:01:01 09[NET] <android|27708> sending packet: from 109.207.79.189[4500] to 2.55.1.9[46167] (1236 bytes)
Jan 17 12:01:01 09[NET] <android|27708> sending packet: from 109.207.79.189[4500] to 2.55.1.9[46167] (868 bytes)
Jan 17 12:01:01 05[NET] <android|27708> received packet: from 2.55.1.9[46167] to 109.207.79.189[4500] (80 bytes)
Jan 17 12:01:01 05[ENC] <android|27708> parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Jan 17 12:01:01 05[ENC] <android|27708> generating INFORMATIONAL response 2 [ N(AUTH_FAILED) ]
Jan 17 12:01:01 05[NET] <android|27708> sending packet: from 109.207.79.189[4500] to 2.55.1.9[46167] (80 bytes)
Jan 17 12:01:01 05[IKE] <android|27708> ===>> destroy

Do we have an option to tell the client apk to update the connection?

History

#1 Updated by Royi Cohen about 1 month ago

Found the problem: I was missing the CA certificate of GoDaddy, the issuer of our certificate.

#2 Updated by Tobias Brunner about 1 month ago

  • Category set to configuration
  • Status changed from New to Closed
  • Resolution set to No change required
