Re: [strongSwan] Certificate-based IPsec tunnel failing to complete

2019-07-05 Thread Regel, Julian (CSS) 
Hi

[sorry - previously replied to single poster, not the list]

Thanks for the pointer. I've got it working!

The Cisco ASA appears to send the Distinguished Name as its identifier, so 
changing:

id = vpntest.example.com

to

id = "C=UK, ST=Example, O=Example, OU=Example, CN=vpntest.example.com"

Worked!

The key to solving this is understanding what the remote end is sending, and 
this appears to vary depending on device.

Hopefully this information will be useful to others too.

Thanks

Julian

You are receiving this message from Capita Software. Should you wish to see how 
we may have collected or may use your information, or view ways to exercise 
your individual rights, see our Privacy 
Notice


This email is security checked and subject to the disclaimer on web-page: 
http://www.capita.co.uk/email-disclaimer.aspx

Re: [strongSwan] Certificate-based IPsec tunnel failing to complete

2019-07-05 Thread Regel, Julian (CSS) 
Hi Andreas

Thanks for the reply.

As per my other email to the list, the problem appears to be the format of the 
"id" value in the swanctl.conf.

Given that this is fixed by specifying the DN in the id parameter, does the 
subjectAltName actually get used and is it still important? Does it only apply 
if the peer device sends FQDN instead of DN?

Many thanks

Julian




-Original Message-
From: Andreas Steffen 
Sent: 05 July 2019 10:50
To: Regel, Julian (CSS) ; users@lists.strongswan.org
Subject: Re: [strongSwan] Certificate-based IPsec tunnel failing to complete

Hi Julian,

hmmm, the connection definition:

remote {
   auth = pubkey
   id = vpntest.MY_ORG.co.uk
}

lists the subjectAltName which is apparently contained in the certificate:

   X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:vpntest.$MY_ORG.co.uk

so the identity matching is supposed to work if there is no typo or some 
strange Unicode characters in the SAN.

Does the strongSwan swanctl --list-certs command list the SAN of the received 
peer certificate?

Would it be possible to send the peer certificate to me for closer inspection?

Best regards

Andreas


You are receiving this message from Capita Software. Should you wish to see how 
we may have collected or may use your information, or view ways to exercise 
your individual rights, see our Privacy 
Notice<https://www.capitasoftware.com/PrivacyNotice>


This email is security checked and subject to the disclaimer on web-page: 
http://www.capita.co.uk/email-disclaimer.aspx

[strongSwan] Certificate-based IPsec tunnel failing to complete

2019-07-04 Thread Regel, Julian (CSS) 
Hi

I am trying to configure an IPsec tunnel between a Cisco ASA and StrongSWAN, 
using IKEv2 and certificates for authentication.

I'm running StrongSWAN version 5.6.2-1ubuntu2.4, installed on Ubuntu 18.04.2 
LTS.

I am using a self-signed certificate on the ASA end. Unfortunately, I'm getting 
the following error (full error log below, and I've obviously sanitised the 
FQDN and DN):

[CFG] constraint check failed: identity 'vpntest.$MY_ORG.co.uk' required

Based on the StrongSWAN FAQ, I assumed this was the SAN field in the 
certificate that was wrong, but on checking, it appears okay(?).

Please can you advise what I need to check to help fix this?

Many thanks

Julian


## ASA certificate

$ openssl x509 -in asa.crt -text -noout

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = UK, ST = $MY_STATE, L = $MY_CITY, O = $MY_ORG, OU = $MY_OU, 
CN = CA Root (ECDSA)
Validity
Not Before: Jul  4 10:43:17 2019 GMT
Not After : Jul  3 10:43:17 2020 GMT
Subject: C = UK, ST = $MY_STATE, O = $MY_ORG, OU = $MY_OU, CN = 
vpntest.$MY_ORG.co.uk
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:0b:73:8e:6e:7f:41:99:18:3b:70:27:3c:97:4e:
c2:84:8a:19:fa:37:fd:51:eb:cd:64:a1:27:ac:68:
36:30:c5:64:eb:75:85:99:e3:ff:3e:d5:2f:f8:6b:
4c:b0:ee:45:00:59:dd:06:06:b5:5e:d5:d8:b1:8f:
a6:10:33:a5:e6
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:vpntest.$MY_ORG.co.uk
Signature Algorithm: ecdsa-with-SHA256
 30:46:02:21:00:c3:0b:fc:15:e9:f2:19:86:8d:51:3c:12:0c:
 f7:4f:22:12:07:a7:1f:ff:73:b3:52:3a:ac:c8:6b:ee:e8:5c:
 36:02:21:00:ed:51:ca:79:8a:13:d0:45:80:ee:bf:18:4f:59:
 54:94:72:41:c0:88:52:56:d1:9f:c5:17:8d:c0:88:7d:20:3d

## /etc/swanctl.conf:

connections {
onprem-to-azure {
local_addrs  = 172.26.0.85
remote_addrs = ON_PREM_EXT_IP
local {
auth = pubkey
certs = occert.pem
id = vpn.production.$MY_ORG.cloud
}
remote {
auth = pubkey
id = vpntest.MY_ORG.co.uk
}
children {
net1-net1 {
local_ts  = 172.26.0.85
remote_ts = 10.1.0.0/16
#updown = /usr/local/libexec/ipsec/_updown iptables
rekey_time = 5400
rekey_bytes = 5
rekey_packets = 100
esp_proposals = aes128gcm16-ecp256 # Phase 2
}
}
version = 2
mobike = yes
reauth_time = 10800
proposals = aes128gcm16-prfsha256-ecp256 # Phase 1
}
}


### Trying to bring the tunnel up:

root@s00C-vpn-uks-01:/etc/swanctl/x509ca# swanctl -i -c net1-net1
[IKE] initiating IKE_SA onprem-to-azure[1] to $MY_ON_PREM_EXT_IP
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 172.26.0.85[500] to $MY_ON_PREM_EXT_IP[500] (264 
bytes)
[NET] received packet: from $MY_ON_PREM_EXT_IP[500] to 172.26.0.85[500] (659 
bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) 
CERTREQ N(FRAG_SUP) V ]
[IKE] received Cisco Delete Reason vendor ID
[IKE] received Cisco Copyright (c) 2009 vendor ID
[IKE] received FRAGMENTATION vendor ID
[IKE] local host is behind NAT, sending keep alives
[IKE] received cert request for "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, 
OU=$MY_OU, CN=CA Root (ECDSA)"
[IKE] received cert request for "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, 
OU=$MY_OU, CN=CA Root (ECDSA)"
[IKE] received cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Global 
SSL ICA G3"
[IKE] received cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 
2 G3"
[IKE] received 10 cert requests for an unknown ca
[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 
G3"
[IKE] sending cert request for "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, 
OU=$MY_OU, CN=CA Root (ECDSA)"
[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Global 
SSL ICA G3"
[IKE] authentication of 'vpn.production.$MY_ORG.cloud' (myself) with ECDSA-256 
signature successful
[IKE] sending end entity cert "C=GB, ST=London, L=London, O=$MY_ORG PLC, 
CN=vpn.production.$MY_ORG.cloud"
[IKE] establishing CHILD_SA net1-net1{1}
[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH 
SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[ENC] splitting IKE message with length of 2018 bytes into 2 fragments
[ENC] generating IKE_AUTH request 1 [ EF(1/2) ]
[ENC] generating IKE_AUTH request 1 [ EF(2/2) ]
[NET] sending packet: from 172.26.0.85[4500] to $MY_ON_PREM_EXT_IP[4500] (1248 
bytes)
[NET] sending packet: from 172.26.0.85[4500] to $MY_ON_PREM_EXT_IP[4500] (835 
bytes)
[NET] received packet: from $MY_ON_PREM_EXT_IP[4500] to 172.26.0.85[4500] (525