Project

General

Profile

Issue #785

Win7 with user certificates fails with "no trusted certificate found"

Added by Marcel Müller almost 8 years ago. Updated almost 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
interoperability
Affected version:
5.2.1
Resolution:
No change required

Description

Hello,

after successfully setting up Win7 VPN with machine certificates I followed the steps in Windows7 to setup Win7 VPN with user certificates as well. My config looks like this:

conn %default
        keyexchange=ikev1
        auto=ignore
        left=%defaultroute
        leftupdown = /root/custom_updown
        dpdaction=clear
(...)
conn win7user
        leftcert=serverCert.pem
        leftauth=pubkey
        leftsubnet=172.31.0.0/16
        right=%any
        rightauth=eap-tls
        rightsendcert=never
        rightsourceip=172.31.90.1/32
        keyexchange=ikev2
        auto=add

My Server Cert:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: ...
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: ..
        Validity
            Not Before: Mar  2 18:11:42 2012 GMT
            Not After : Mar  2 18:11:42 2015 GMT
        Subject: C=DE, O=.., CN=intern.(..).de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b8:c3:dc...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:E4:5C:

            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha1WithRSAEncryption
         ae:9f:e3:cb:...

and the client cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: ..
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: ..
        Validity
            Not Before: Dec 10 11:28:35 2014 GMT
            Not After : Dec  7 11:28:35 2024 GMT
        Subject: C=DE, O=.., CN=marcel.muellerTest@(..).de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a1:8e:0e:...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:E4:5C:..

            X509v3 Subject Alternative Name:
                email:marcel.muellerTest@(..).de
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
         7b:73:90:..

(Note: I also tried "CN=marcel.muellerTest" and removing the SAN).
The user cert is correctly installed in the user certificate store and the CA cert in the trusted CA computer store. The client is set to IKEv2 and EAP-TLS using a certificate and the correct CA is selected (setup like Win7UserConfig). VPN fails with error 860.
strongSwan log:
Dec 10 00:52:18 10[NET] <69> received packet: from 172.31.2.110[500] to 172.31.1.5[500] (528 bytes)
Dec 10 00:52:18 10[ENC] <69> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Dec 10 00:52:18 10[IKE] <69> 172.31.2.110 is initiating an IKE_SA
Dec 10 00:52:18 10[ENC] <69> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Dec 10 00:52:18 10[NET] <69> sending packet: from 172.31.1.5[500] to 172.31.2.110[500] (308 bytes)
Dec 10 00:52:18 24[NET] <69> received packet: from 172.31.2.110[4500] to 172.31.1.5[4500] (1084 bytes)
Dec 10 00:52:18 24[ENC] <69> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Dec 10 00:52:18 24[IKE] <69> received cert request for "C=DE, O=.., CN=.." 
Dec 10 00:52:18 24[IKE] <69> received 37 cert requests for an unknown ca
Dec 10 00:52:18 24[CFG] <69> looking for peer configs matching 172.31.1.5[%any]...172.31.2.110[172.31.2.110]
Dec 10 00:52:18 24[CFG] <win7user|69> selected peer config 'win7user'
Dec 10 00:52:18 24[IKE] <win7user|69> initiating EAP_TLS method (id 0x9D)
Dec 10 00:52:18 24[IKE] <win7user|69> peer supports MOBIKE
Dec 10 00:52:18 24[IKE] <win7user|69> authentication of 'C=DE, O=.., CN=intern.(..).de' (myself) with RSA signature successful
Dec 10 00:52:18 24[IKE] <win7user|69> sending end entity cert "C=DE, O=.., CN=intern.(..).de" 
Dec 10 00:52:18 24[ENC] <win7user|69> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TLS ]
Dec 10 00:52:18 24[NET] <win7user|69> sending packet: from 172.31.1.5[4500] to 172.31.2.110[4500] (1308 bytes)
Dec 10 00:52:18 13[NET] <win7user|69> received packet: from 172.31.2.110[4500] to 172.31.1.5[4500] (172 bytes)
Dec 10 00:52:18 13[ENC] <win7user|69> parsed IKE_AUTH request 2 [ EAP/RES/TLS ]
Dec 10 00:52:18 13[TLS] <win7user|69> negotiated TLS 1.0 using suite TLS_RSA_WITH_AES_128_CBC_SHA
Dec 10 00:52:18 13[TLS] <win7user|69> sending TLS server certificate 'C=DE, O=.., CN=intern.(..).de'
Dec 10 00:52:18 13[TLS] <win7user|69> sending TLS cert request for 'C=DE, O=.., CN=..'
Dec 10 00:52:18 13[ENC] <win7user|69> generating IKE_AUTH response 2 [ EAP/REQ/TLS ]
Dec 10 00:52:18 13[NET] <win7user|69> sending packet: from 172.31.1.5[4500] to 172.31.2.110[4500] (1084 bytes)
Dec 10 00:52:18 15[NET] <win7user|69> received packet: from 172.31.2.110[4500] to 172.31.1.5[4500] (68 bytes)
Dec 10 00:52:18 15[ENC] <win7user|69> parsed IKE_AUTH request 3 [ EAP/RES/TLS ]
Dec 10 00:52:18 15[ENC] <win7user|69> generating IKE_AUTH response 3 [ EAP/REQ/TLS ]
Dec 10 00:52:18 15[NET] <win7user|69> sending packet: from 172.31.1.5[4500] to 172.31.2.110[4500] (108 bytes)
Dec 10 00:52:18 26[NET] <win7user|69> received packet: from 172.31.2.110[4500] to 172.31.1.5[4500] (1460 bytes)
Dec 10 00:52:18 26[ENC] <win7user|69> parsed IKE_AUTH request 4 [ EAP/RES/TLS ]
Dec 10 00:52:18 26[ENC] <win7user|69> generating IKE_AUTH response 4 [ EAP/REQ/TLS ]
Dec 10 00:52:18 26[NET] <win7user|69> sending packet: from 172.31.1.5[4500] to 172.31.2.110[4500] (68 bytes)
Dec 10 00:52:18 23[NET] <win7user|69> received packet: from 172.31.2.110[4500] to 172.31.1.5[4500] (148 bytes)
Dec 10 00:52:18 23[ENC] <win7user|69> parsed IKE_AUTH request 5 [ EAP/RES/TLS ]
Dec 10 00:52:18 23[TLS] <win7user|69> received TLS peer certificate 'C=DE, O=.., CN=marcel.muellerTest'
Dec 10 00:52:18 23[TLS] <win7user|69> no trusted certificate found for '172.31.2.110' to verify TLS peer
Dec 10 00:52:18 23[TLS] <win7user|69> sending fatal TLS alert 'certificate unknown'
Dec 10 00:52:18 23[ENC] <win7user|69> generating IKE_AUTH response 5 [ EAP/REQ/TLS ]
Dec 10 00:52:18 23[NET] <win7user|69> sending packet: from 172.31.1.5[4500] to 172.31.2.110[4500] (76 bytes)
Dec 10 00:52:18 20[NET] <win7user|69> received packet: from 172.31.2.110[4500] to 172.31.1.5[4500] (68 bytes)
Dec 10 00:52:18 20[ENC] <win7user|69> parsed IKE_AUTH request 6 [ EAP/RES/TLS ]
Dec 10 00:52:18 20[IKE] <win7user|69> EAP method EAP_TLS failed for peer 172.31.2.110
Dec 10 00:52:18 20[ENC] <win7user|69> generating IKE_AUTH response 6 [ EAP/FAIL ]c
Dec 10 00:52:18 20[NET] <win7user|69> sending packet: from 172.31.1.5[4500] to 172.31.2.110[4500] (68 bytes)

After reading https://lists.strongswan.org/pipermail/users/2013-July/004969.html it looks like looking for peer configs matching 172.31.1.5[%any]...172.31.2.110[172.31.2.110] is the problem here and Win7 sends the IP instead of the certificates DN?! I tested 2 different computers with Win7 (one up to date and one freshly installed), both show the same behaviour. I also tested this from within the network and from an external source.

Any idea what I'm missing here?

Thanks in advance,
Marcel

History

#1 Updated by Martin Willi almost 8 years ago

  • Status changed from New to Feedback
  • Assignee set to Martin Willi

Hi Marcel,

In your setup, the client authenticates itself with an IP address. This probably is the IKE identity, as no EAP-Identity gets exchanged:

Dec 10 00:52:18 23[TLS] <win7user|69> no trusted certificate found for '172.31.2.110' to verify TLS peer
Dec 10 00:52:18 23[TLS] <win7user|69> sending fatal TLS alert 'certificate unknown'

That probably does not match the certificate exchanged in TLS, hence it is not considered for authentication.

To have a proper identity/username negotiated, try to set

eap_identity=%identity

and make sure to have the eap-identity module built and enabled.

This will trigger strongSwan to send an EAP-Identity request, for which the Windows 7 client usually replies with the UPN contained in your certificate. Possible that you need to generate certificates with a Microsoft UPN subjectAltName to make that work. strongSwan can then find the appropriate certificate for the given UPN.

Regards
Martin

#2 Updated by Marcel Müller almost 8 years ago

Hello Martin,

thanks for your response! I'll try the eap-identitiy plugin and report back.
Do you know why this is needed in first place? According to the wiki this should work without an additional eap roundtrip, shouldn't it?
Can I include an UPN SAN via ipsec pki tool?

thanks in advance,
Marcel

#3 Updated by Marcel Müller almost 8 years ago

Hello Martin,

using eap_identity=%identity worked perfectly! This worked with the already issued certificates, so no need to add a Microsoft UPN SAN (a matching SAN is still required, though). Is this missing in the wiki or is there anything different in my setup?

One thing I noticed: strongSwan sends the wrong TLS server certificate (I have installed 2 server certificates from 2 CAs). Config:

conn win7user
        leftcert=serverCert2014.pem
        leftcert2=serverCert2014.pem
        leftauth=pubkey
        leftsubnet=172.31.0.0/16
        right=%any
        rightauth=eap-tls
        rightsendcert=never
        rightsourceip=172.31.11.0/24
        keyexchange=ikev2
        eap_identity=%identity
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!

I would assume that strongSwan now sends the serverCert2014.pem certificate to the client, but it still sends the old one (serverCert.pem which is used in other conn-sections).
Dec 11 10:55:31 17[IKE] <1833> remote host is behind NAT
Dec 11 10:55:31 24[IKE] <1833> received cert request for "C=DE, O=(...), CN=(NEW CA)" 
Dec 11 10:55:31 24[IKE] <1833> received 37 cert requests for an unknown ca
Dec 11 10:55:31 24[CFG] <1833> looking for peer configs matching 172.31.1.5[%any]...(..)[172.20.10.2]
Dec 11 10:55:31 24[CFG] <1833>   candidate "marcel.mueller", match: 1/1/28 (me/other/ike)
Dec 11 10:55:31 24[CFG] <marcel.mueller|1833> selected peer config 'marcel.mueller'
Dec 11 10:55:31 24[IKE] <marcel.mueller|1833> using configured EAP-Identity C=DE, O=(..), CN=marcel.mueller
Dec 11 10:55:31 24[IKE] <marcel.mueller|1833> initiating EAP_TLS method (id 0x82)
Dec 11 10:55:31 24[IKE] <marcel.mueller|1833> peer supports MOBIKE
Dec 11 10:55:31 24[IKE] <marcel.mueller|1833> authentication of 'C=DE, O=(..), CN=intern.(..).de' (myself) with RSA signature successful   *New ServerCert2014.pem
Dec 11 10:55:31 24[IKE] <marcel.mueller|1833> sending end entity cert "C=DE, O=(...), CN=intern.(...).de"                                  *New ServerCert2014.pem
Dec 11 10:55:31 28[TLS] <marcel.mueller|1833> negotiated TLS 1.0 using suite TLS_RSA_WITH_AES_128_CBC_SHA
Dec 11 10:55:31 28[TLS] <marcel.mueller|1833> sending TLS server certificate 'C=DE, O=(..), CN=intern.(..).de'  *Old ServerCert.pem .... Why?
Dec 11 10:55:31 28[TLS] <marcel.mueller|1833> sending TLS cert request for 'C=DE, O=(..), CN=(New CA)'          *New ServerCert2014.pem
Dec 11 10:55:31 28[TLS] <marcel.mueller|1833> sending TLS cert request for 'C=DE, O=(..), CN=(Old CA)'          *Old ServerCert.pem
Dec 11 10:55:31 07[TLS] <marcel.mueller|1833> received fatal TLS alert 'unknown ca'
Dec 11 10:55:31 07[IKE] <marcel.mueller|1833> EAP method EAP_TLS failed for peer 172.20.10.2

In sending TLS server certificate strongSwan uses the old server certificate. Shouldn't the new one (als specified by leftcert / leftcert2) be used here?

Thanks in advance,
best Regards,
Marcel

#4 Updated by Martin Willi almost 8 years ago

In sending TLS server certificate strongSwan uses the old server certificate. Shouldn't the new one (als specified by leftcert / leftcert2) be used here?

It is currently not possible to enforce a specific certificate to use in TLS, the stack just picks the first usable certificate that matches your configured identity. So it is not really defined which one is used if multiple certificates match.

The leftcert2 option does not define the certificate for EAP-TLS as responder, either. While it is a trick that allows you to load an additional certificate, it is not specifically bound to the EAP-TLS exchange (the mutual EAP-TLS server authentication is actually not an authentication round, but part of the clients authentication).

Regards
Martin

#5 Updated by Martin Willi almost 8 years ago

  • Status changed from Feedback to Closed
  • Resolution set to No change required

Closing the issue, as the EAP-Identity exchange has fixed the original issue. Directly specifying a TLS certificate is currently not supported; if required please open a separate ticket for that issue.

Regards
Martin

Also available in: Atom PDF