Re: [strongSwan] Certificate-based IPsec tunnel failing to complete
Hello,

Check the type of the ID the other host sends. It might be of type KEYID, not FQDN. The logging settings on the HelpRequests page configure a logger that shows you the type as well. An ID can mismatch if the type is incorrect already.

Kind regards
Noel

On 04.07.19 at 14:16, Regel, Julian (CSS) wrote:
> Hi
>
> I am trying to configure an IPsec tunnel between a Cisco ASA and StrongSWAN,
> using IKEv2 and certificates for authentication.
>
> I'm running StrongSWAN version 5.6.2-1ubuntu2.4, installed on Ubuntu 18.04.2
> LTS.
>
> I am using a self-signed certificate on the ASA end. Unfortunately, I'm
> getting the following error (full error log below, and I've obviously
> sanitised the FQDN and DN):
>
> [CFG] constraint check failed: identity 'vpntest.$MY_ORG.co.uk' required
>
> Based on the StrongSWAN FAQ, I assumed this was the SAN field in the
> certificate that was wrong, but on checking, it appears okay(?).
>
> Please can you advise what I need to check to help fix this?
>
> Many thanks
>
> Julian
>
>
> ## ASA certificate
>
> $ openssl x509 -in asa.crt -text -noout
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 2 (0x2)
>         Signature Algorithm: ecdsa-with-SHA256
>         Issuer: C = UK, ST = $MY_STATE, L = $MY_CITY, O = $MY_ORG, OU = $MY_OU, CN = CA Root (ECDSA)
>         Validity
>             Not Before: Jul  4 10:43:17 2019 GMT
>             Not After : Jul  3 10:43:17 2020 GMT
>         Subject: C = UK, ST = $MY_STATE, O = $MY_ORG, OU = $MY_OU, CN = vpntest.$MY_ORG.co.uk
>         Subject Public Key Info:
>             Public Key Algorithm: id-ecPublicKey
>                 Public-Key: (256 bit)
>                 pub:
>                     04:0b:73:8e:6e:7f:41:99:18:3b:70:27:3c:97:4e:
>                     c2:84:8a:19:fa:37:fd:51:eb:cd:64:a1:27:ac:68:
>                     36:30:c5:64:eb:75:85:99:e3:ff:3e:d5:2f:f8:6b:
>                     4c:b0:ee:45:00:59:dd:06:06:b5:5e:d5:d8:b1:8f:
>                     a6:10:33:a5:e6
>                 ASN1 OID: prime256v1
>                 NIST CURVE: P-256
>         X509v3 extensions:
>             X509v3 Subject Alternative Name:
>                 DNS:vpntest.$MY_ORG.co.uk
>     Signature Algorithm: ecdsa-with-SHA256
>          30:46:02:21:00:c3:0b:fc:15:e9:f2:19:86:8d:51:3c:12:0c:
>          f7:4f:22:12:07:a7:1f:ff:73:b3:52:3a:ac:c8:6b:ee:e8:5c:
>          36:02:21:00:ed:51:ca:79:8a:13:d0:45:80:ee:bf:18:4f:59:
>          54:94:72:41:c0:88:52:56:d1:9f:c5:17:8d:c0:88:7d:20:3d
>
> ## /etc/swanctl.conf:
>
> connections {
>     onprem-to-azure {
>         local_addrs = 172.26.0.85
>         remote_addrs = ON_PREM_EXT_IP
>         local {
>             auth = pubkey
>             certs = occert.pem
>             id = vpn.production.$MY_ORG.cloud
>         }
>         remote {
>             auth = pubkey
>             id = vpntest.MY_ORG.co.uk
>         }
>         children {
>             net1-net1 {
>                 local_ts = 172.26.0.85
>                 remote_ts = 10.1.0.0/16
>                 #updown = /usr/local/libexec/ipsec/_updown iptables
>                 rekey_time = 5400
>                 rekey_bytes = 5
>                 rekey_packets = 100
>                 esp_proposals = aes128gcm16-ecp256 # Phase 2
>             }
>         }
>         version = 2
>         mobike = yes
>         reauth_time = 10800
>         proposals = aes128gcm16-prfsha256-ecp256 # Phase 1
>     }
> }
>
>
> ### Trying to bring the tunnel up:
>
> root@s00C-vpn-uks-01:/etc/swanctl/x509ca# swanctl -i -c net1-net1
> [IKE] initiating IKE_SA onprem-to-azure[1] to $MY_ON_PREM_EXT_IP
> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> [NET] sending packet: from 172.26.0.85[500] to $MY_ON_PREM_EXT_IP[500] (264 bytes)
> [NET] received packet: from $MY_ON_PREM_EXT_IP[500] to 172.26.0.85[500] (659 bytes)
> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ]
> [IKE] received Cisco Delete Reason vendor ID
> [IKE] received Cisco Copyright (c) 2009 vendor ID
> [IKE] received FRAGMENTATION vendor ID
> [IKE] local host is behind NAT, sending keep alives
> [IKE] received cert request for "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, OU=$MY_OU, CN=CA Root (ECDSA)"
> [IKE] received cert request for "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, OU=$MY_OU, CN=CA Root (ECDSA)"
> [IKE] received cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
> [IKE] received cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
> [IKE] received 10 cert requests for an unknown ca
> [IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
> [IKE] sending cert request for "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, OU=$MY_OU, CN=CA Root (ECDSA)"
> [IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
> [IKE] authentication of 'vpn.production.$MY_ORG.cloud' (myself) with ECDSA-256 signature successful
> [IKE] sending end entity cert "C=GB, ST=London, L=London, O=$MY_ORG PLC, CN=vpn.production.$MY_ORG.cloud"
> [IKE] establishing CHILD_SA net1-net1{1}
> [ENC]
Re: [strongSwan] Multiple IKEv2 proposals
Hi

Just to close the loop: Noel replied unicast. But to answer your Q, I did read the man page (it's clear and explicitly says to use a ',' between proposals), but I was fat-fingering the proposals and so it was failing, hence I thought that it wasn't possible.

Thanks for the help.

Cheers

On 02/07/2019, 08:31, "Tobias Brunner" wrote:

> Hi Graham,
>
>> Is it possible to send multiple IKEv2 proposals?
>
> Sure, why do you think it's not?
[strongSwan] Certificate-based IPsec tunnel failing to complete
Hi

I am trying to configure an IPsec tunnel between a Cisco ASA and StrongSWAN, using IKEv2 and certificates for authentication.

I'm running StrongSWAN version 5.6.2-1ubuntu2.4, installed on Ubuntu 18.04.2 LTS.

I am using a self-signed certificate on the ASA end. Unfortunately, I'm getting the following error (full error log below, and I've obviously sanitised the FQDN and DN):

[CFG] constraint check failed: identity 'vpntest.$MY_ORG.co.uk' required

Based on the StrongSWAN FAQ, I assumed this was the SAN field in the certificate that was wrong, but on checking, it appears okay(?).

Please can you advise what I need to check to help fix this?

Many thanks

Julian


## ASA certificate

$ openssl x509 -in asa.crt -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = UK, ST = $MY_STATE, L = $MY_CITY, O = $MY_ORG, OU = $MY_OU, CN = CA Root (ECDSA)
        Validity
            Not Before: Jul  4 10:43:17 2019 GMT
            Not After : Jul  3 10:43:17 2020 GMT
        Subject: C = UK, ST = $MY_STATE, O = $MY_ORG, OU = $MY_OU, CN = vpntest.$MY_ORG.co.uk
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:0b:73:8e:6e:7f:41:99:18:3b:70:27:3c:97:4e:
                    c2:84:8a:19:fa:37:fd:51:eb:cd:64:a1:27:ac:68:
                    36:30:c5:64:eb:75:85:99:e3:ff:3e:d5:2f:f8:6b:
                    4c:b0:ee:45:00:59:dd:06:06:b5:5e:d5:d8:b1:8f:
                    a6:10:33:a5:e6
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:vpntest.$MY_ORG.co.uk
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:c3:0b:fc:15:e9:f2:19:86:8d:51:3c:12:0c:
         f7:4f:22:12:07:a7:1f:ff:73:b3:52:3a:ac:c8:6b:ee:e8:5c:
         36:02:21:00:ed:51:ca:79:8a:13:d0:45:80:ee:bf:18:4f:59:
         54:94:72:41:c0:88:52:56:d1:9f:c5:17:8d:c0:88:7d:20:3d

## /etc/swanctl.conf:

connections {
    onprem-to-azure {
        local_addrs = 172.26.0.85
        remote_addrs = ON_PREM_EXT_IP
        local {
            auth = pubkey
            certs = occert.pem
            id = vpn.production.$MY_ORG.cloud
        }
        remote {
            auth = pubkey
            id = vpntest.MY_ORG.co.uk
        }
        children {
            net1-net1 {
                local_ts = 172.26.0.85
                remote_ts = 10.1.0.0/16
                #updown = /usr/local/libexec/ipsec/_updown iptables
                rekey_time = 5400
                rekey_bytes = 5
                rekey_packets = 100
                esp_proposals = aes128gcm16-ecp256 # Phase 2
            }
        }
        version = 2
        mobike = yes
        reauth_time = 10800
        proposals = aes128gcm16-prfsha256-ecp256 # Phase 1
    }
}


### Trying to bring the tunnel up:

root@s00C-vpn-uks-01:/etc/swanctl/x509ca# swanctl -i -c net1-net1
[IKE] initiating IKE_SA onprem-to-azure[1] to $MY_ON_PREM_EXT_IP
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 172.26.0.85[500] to $MY_ON_PREM_EXT_IP[500] (264 bytes)
[NET] received packet: from $MY_ON_PREM_EXT_IP[500] to 172.26.0.85[500] (659 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ]
[IKE] received Cisco Delete Reason vendor ID
[IKE] received Cisco Copyright (c) 2009 vendor ID
[IKE] received FRAGMENTATION vendor ID
[IKE] local host is behind NAT, sending keep alives
[IKE] received cert request for "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, OU=$MY_OU, CN=CA Root (ECDSA)"
[IKE] received cert request for "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, OU=$MY_OU, CN=CA Root (ECDSA)"
[IKE] received cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
[IKE] received cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
[IKE] received 10 cert requests for an unknown ca
[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
[IKE] sending cert request for "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, OU=$MY_OU, CN=CA Root (ECDSA)"
[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
[IKE] authentication of 'vpn.production.$MY_ORG.cloud' (myself) with ECDSA-256 signature successful
[IKE] sending end entity cert "C=GB, ST=London, L=London, O=$MY_ORG PLC, CN=vpn.production.$MY_ORG.cloud"
[IKE] establishing CHILD_SA net1-net1{1}
[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[ENC] splitting IKE message with length of 2018 bytes into 2 fragments
[ENC] generating IKE_AUTH request 1 [ EF(1/2) ]
[ENC] generating IKE_AUTH request 1 [ EF(2/2) ]
[NET] sending packet: from 172.26.0.85[4500] to $MY_ON_PREM_EXT_IP[4500] (1248 bytes)
[NET] sending packet: from 172.26.0.85[4500] to $MY_ON_PREM_EXT_IP[4500] (835 bytes)
[NET] received packet: from $MY_ON_PREM_EXT_IP[4500] to 172.26.0.85[4500] (525
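The "constraint check failed: identity ... required" message in this post, and Noel's advice in the reply above to check the *type* of the ID the peer sends, both come down to how strongSwan turns an `id =` string into a typed identity and then compares it with what the peer actually sent and what the peer's certificate contains. The script below is an added illustration written for this page, not code from the thread or from strongSwan: it restates (in simplified form, as an assumption summarised from the swanctl.conf documentation rather than copied from strongSwan's source) the string-to-type rules, scrapes the subject DN and SAN entries out of `openssl x509 -text` output, and reports whether a configured remote id would match a given received ID. The certificate text, hostnames (`example.test`) and key id are constructed sample values.

```python
"""Classify IKE identity strings and check a configured remote id against
the ID a peer sent and the identities its certificate carries.
Added example for this thread; not strongSwan code. Rules are a simplified
restatement of strongSwan's documented identity parsing (assumption)."""
import ipaddress
import re

# Identity types, named as strongSwan prints them in its logs (subset).
FQDN, RFC822, IPV4, IPV6, DN, KEY_ID, ANY = (
    "ID_FQDN", "ID_RFC822_ADDR", "ID_IPV4_ADDR", "ID_IPV6_ADDR",
    "ID_DER_ASN1_DN", "ID_KEY_ID", "ID_ANY")


def normalize_dn(dn):
    """Canonicalise 'C = UK, CN = x' and 'C=UK,CN=x' to one comparable form
    (simple DNs only: no escaped commas inside attribute values)."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join("{}={}".format(k.strip().upper(), v.strip().lower())
                    for k, v in (p.split("=", 1) for p in parts if "=" in p))


def classify_id(text):
    """Return (type, canonical value) for an identity string.
    Simplified rules (assumption): "%any"/"" -> ID_ANY; "@#<hex>" -> ID_KEY_ID;
    "@@user@host" -> ID_RFC822_ADDR (forced); "@host" -> ID_FQDN (forced);
    anything containing '=' -> ID_DER_ASN1_DN; an IP literal -> IPV4/IPV6;
    "user@host" -> ID_RFC822_ADDR; everything else -> ID_FQDN."""
    s = text.strip()
    if s in ("", "%any"):
        return ANY, ""
    if s.startswith("@#"):
        return KEY_ID, s[2:].lower()
    if s.startswith("@@"):
        return RFC822, s[2:].lower()
    if s.startswith("@"):
        return FQDN, s[1:].lower()
    if "=" in s:
        return DN, normalize_dn(s)
    try:
        addr = ipaddress.ip_address(s)
        return (IPV4 if addr.version == 4 else IPV6), str(addr)
    except ValueError:
        pass
    if "@" in s:
        return RFC822, s.lower()
    return FQDN, s.lower()


def cert_identities(openssl_text):
    """Identities a certificate can vouch for, taken from `openssl x509 -text`
    output: the subject DN plus SAN DNS / email / IP Address entries."""
    ids = []
    m = re.search(r"^\s*Subject:\s*(.+)$", openssl_text, re.M)
    if m:
        ids.append((DN, normalize_dn(m.group(1))))
    m = re.search(r"Subject Alternative Name:\s*(\S.*)", openssl_text)
    if m:
        for entry in m.group(1).split(","):
            kind, _, value = entry.strip().partition(":")
            if kind == "DNS":
                ids.append((FQDN, value.strip().lower()))
            elif kind == "email":
                ids.append((RFC822, value.strip().lower()))
            elif kind == "IP Address":
                ids.append(classify_id(value))
    return ids


def check_peer_identity(configured_id, received_id, cert_text):
    """Mirror the two checks behind 'constraint check failed: identity ...
    required': the received ID must have the same type AND value as the
    configured remote id, and the certificate must carry that identity."""
    cfg, got = classify_id(configured_id), classify_id(received_id)
    if cfg[0] == ANY:
        return {"ok": True, "reason": "remote id is %any; any sent ID accepted"}
    if got[0] != cfg[0]:
        return {"ok": False, "reason": "type mismatch: configured {} but peer "
                "sent {}".format(cfg[0], got[0])}
    if got[1] != cfg[1]:
        return {"ok": False, "reason": "value mismatch: configured {!r} but "
                "peer sent {!r}".format(cfg[1], got[1])}
    if got not in cert_identities(cert_text):
        return {"ok": False, "reason": "identity not found in peer certificate"}
    return {"ok": True, "reason": "identity matches configured id and certificate"}


# Constructed sample, shaped like the thread's sanitised output; not a real cert.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: C = UK, ST = Example State, O = Example Org, OU = Net, CN = vpntest.example.test
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:vpntest.example.test, email:vpn@example.test
"""

if __name__ == "__main__":
    for sent in ("vpntest.example.test",                          # FQDN, matches
                 "@#0123456789abcdef",                            # KEY_ID: type mismatch
                 "C=UK, O=Example Org, CN=vpntest.example.test",  # DN: type mismatch
                 "vpn.example.test"):                             # FQDN, wrong value
        print(sent, "->", check_peer_identity("vpntest.example.test", sent, SAMPLE_CERT_TEXT))
```

The KEY_ID and DN cases are the situation Noel describes: the value the peer sends may look right in a log line, yet it fails the constraint because its type is not the FQDN the `id =` line produced. Comparing the received ID's type against the configured one first, before looking at the certificate at all, is the quickest way to tell the two failure modes apart.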
Re: [strongSwan] IKEv2: how to set the DNS search attribute on the peer?
On 7/1/19 3:06 PM, Tobias Brunner wrote:
> Nobody forces you to use IPsec :-)

:-(