Hi Roger,

you have a time synchronisation problem on your linux boxes. The certificate you generated starts to be valid (notBefore) on

  Aug 27 13:45:47 UTC 2009

The current time on moon is not known but on sun it is

  Aug 27 10:10:11 (Shandong local time).

Since in China you are ahead of UTC by a couple of hours it is certainly not yet 13:45:47 UTC. While writing this email my watch tells me (Aug 27 5:33:00 UTC 2009) that your certificate will not become valid for about another 8 hours from now. So either generate a new certificate [without an email RDN anyway] or just be patient ;-)

Best regards

Andreas

Zhang, Long (Roger) wrote:
> Hi,
>
> I am trying IPSec with StrongSwan on two Linux boxes. The example is
> http://www.strongswan.org/uml/testresults43/ikev2/host2host-cert/
>
> Currently I see a problem " no trusted RSA public key found". I do not know
> why it is reported. My certificate sunCert.pem looks good. And the CA is
> shared for sun and moon both sides. Anyone can help? Thanks!
>
> [r...@localhost etc]# /usr/local/sbin/ipsec up host-host
> initiating IKE_SA host-host[1] to 135.252.130.87
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 135.252.131.87[500] to 135.252.130.87[500]
> received packet: from 135.252.130.87[500] to 135.252.131.87[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ
> N(MULT_AUTH) ]
> received cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger
> Zhang, e=zha...@alcatel-lucent.com"
> sending cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger
> Zhang, e=zha...@alcatel-lucent.com"
> authentication of 'moon.strongswan.org' (myself) with RSA signature successful
> sending end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD,
> CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
> establishing CHILD_SA host-host
> generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr
> N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> sending packet: from 135.252.131.87[4500] to 135.252.130.87[4500]
> received packet: from 135.252.130.87[4500] to 135.252.131.87[4500]
> parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT)
> N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> received end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD,
> CN=sun.strongswan.org, e=...@alcatel-lucent.com"
> using certificate "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org,
> e=...@alcatel-lucent.com"
> using trusted ca certificate "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD,
> CN=Roger Zhang, e=zha...@alcatel-lucent.com"
> subject certificate invalid (valid from Aug 27 13:45:47 UTC 2009 to Aug 27
> 13:45:47 UTC 2011)
> no trusted RSA public key found for 'sun.strongswan.org'
>
>
> The daemon.log on sun side. There are some failures at the beginning, but I
> think it does not impact the problem.
>
> Aug 27 10:10:11 qdpat-xp charon: 01[DMN] Starting IKEv2 charon daemon
> (strongSwan 4.3.4)
> Aug 27 10:10:11 qdpat-xp charon: 01[LIB] plugin 'curl': failed to load
> '/usr/local/libexec/ipsec/plugins/libstrongswan-curl.so' -
> /usr/local/libexec/ipsec/plugins/libstrongswan-curl.so: cannot open shared
> object file: No such file or directory
> Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading ca certificates from
> '/usr/local/etc/ipsec.d/cacerts'
> Aug 27 10:10:11 qdpat-xp charon: 01[LIB] missing passphrase
> Aug 27 10:10:11 qdpat-xp charon: 01[LIB] failed to create a builder for
> credential type CRED_CERTIFICATE, subtype (1)
> Aug 27 10:10:11 qdpat-xp charon: 01[LIB] loaded certificate file
> '/usr/local/etc/ipsec.d/cacerts/strongswanCert.pem'
> Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading aa certificates from
> '/usr/local/etc/ipsec.d/aacerts'
> Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading ocsp signer certificates
> from '/usr/local/etc/ipsec.d/ocspcerts'
> Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading attribute certificates from
> '/usr/local/etc/ipsec.d/acerts'
> Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading crls from
> '/usr/local/etc/ipsec.d/crls'
> Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loading secrets from
> '/usr/local/etc/ipsec.secrets'
> Aug 27 10:10:11 qdpat-xp charon: 01[CFG] loaded private key file
> '/usr/local/etc/ipsec.d/reqs/hostKey.pem'
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL] listening on interfaces:
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL] eth0
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL] 135.252.130.87
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL] 172.16.25.2
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL] fe80::213:72ff:fe93:850d
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL] vmnet1
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL] 172.16.25.1
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL] fe80::250:56ff:fec0:1
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL] vmnet8
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL] 172.16.223.1
> Aug 27 10:10:11 qdpat-xp charon: 01[KNL] fe80::250:56ff:fec0:8
> Aug 27 10:10:11 qdpat-xp charon: 01[DMN] loaded plugins: aes des sha1 sha2
> md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
> Aug 27 10:10:11 qdpat-xp charon: 01[JOB] spawning 16 worker threads
> Aug 27 10:10:11 qdpat-xp charon: 03[CFG] received stroke: add connection
> 'host-host'
> Aug 27 10:10:11 qdpat-xp charon: 03[LIB] loaded certificate file
> '/usr/local/etc/ipsec.d/certs/sunCert.pem'
> Aug 27 10:10:11 qdpat-xp charon: 03[CFG] added configuration 'host-host'
> Aug 27 10:10:15 qdpat-xp charon: 10[NET] received packet: from
> 135.252.131.87[500] to 135.252.130.87[500]
> Aug 27 10:10:15 qdpat-xp charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE
> No N(NATD_S_IP) N(NATD_D_IP) ]
> Aug 27 10:10:15 qdpat-xp charon: 10[IKE] 135.252.131.87 is initiating an
> IKE_SA
> Aug 27 10:10:15 qdpat-xp charon: 10[IKE] sending cert request for "C=CN,
> ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
> Aug 27 10:10:15 qdpat-xp charon: 10[ENC] generating IKE_SA_INIT response 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Aug 27 10:10:15 qdpat-xp charon: 10[NET] sending packet: from
> 135.252.130.87[500] to 135.252.131.87[500]
> Aug 27 10:10:15 qdpat-xp charon: 11[NET] received packet: from
> 135.252.131.87[4500] to 135.252.130.87[4500]
> Aug 27 10:10:15 qdpat-xp charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT
> CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> Aug 27 10:10:15 qdpat-xp charon: 11[IKE] received cert request for "C=CN,
> ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
> Aug 27 10:10:15 qdpat-xp charon: 11[IKE] received end entity cert "C=CN,
> ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
> Aug 27 10:10:15 qdpat-xp charon: 11[CFG] looking for peer configs matching
> 135.252.130.87[sun.strongswan.org]...135.252.131.87[moon.strongswan.org]
> Aug 27 10:10:15 qdpat-xp charon: 11[CFG] selected peer config 'host-host'
> Aug 27 10:10:15 qdpat-xp charon: 11[CFG] using certificate "C=CN,
> ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
> Aug 27 10:10:15 qdpat-xp charon: 11[CFG] using trusted ca certificate
> "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang,
> e=zha...@alcatel-lucent.com"
> Aug 27 10:10:15 qdpat-xp charon: 11[CFG] checking certificate status of
> "C=CN, ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org,
> e=m...@alcatel-lucent.com"
> Aug 27 10:10:15 qdpat-xp charon: 11[CFG] certificate status is not available
> Aug 27 10:10:15 qdpat-xp charon: 11[IKE] authentication of
> 'moon.strongswan.org' with RSA signature successful
> Aug 27 10:10:15 qdpat-xp charon: 11[IKE] peer supports MOBIKE
> Aug 27 10:10:15 qdpat-xp charon: 11[IKE] authentication of
> 'sun.strongswan.org' (myself) with RSA signature successful
> Aug 27 10:10:15 qdpat-xp charon: 11[IKE] scheduling reauthentication in 3275s
> Aug 27 10:10:15 qdpat-xp charon: 11[IKE] maximum IKE_SA lifetime 3455s
> Aug 27 10:10:15 qdpat-xp charon: 11[IKE] IKE_SA host-host[1] established
> between
> 135.252.130.87[sun.strongswan.org]...135.252.131.87[moon.strongswan.org]
> Aug 27 10:10:15 qdpat-xp charon: 11[IKE] sending end entity cert "C=CN,
> ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
> Aug 27 10:10:15 qdpat-xp charon: 11[IKE] CHILD_SA host-host{1} established
> with SPIs c31f5aa7_i c8b570e8_o and TS 135.252.130.87/32 === 135.252.131.87/32
> Aug 27 10:10:15 qdpat-xp charon: 11[ENC] generating IKE_AUTH response 1 [ IDr
> CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR)
> N(ADD_4_ADDR) ]
> Aug 27 10:10:15 qdpat-xp charon: 11[NET] sending packet: from
> 135.252.130.87[4500] to 135.252.131.87[4500]
> Aug 27 10:18:58 qdpat-xp charon: 01[DMN] signal of type SIGINT received.
> Shutting down
> Aug 27 10:18:58 qdpat-xp charon: 01[IKE] deleting IKE_SA host-host[1] between
> 135.252.130.87[sun.strongswan.org]...135.252.131.87[moon.strongswan.org]
> Aug 27 10:18:58 qdpat-xp charon: 01[IKE] sending DELETE for IKE_SA
> host-host[1]
> Aug 27 10:18:58 qdpat-xp charon: 01[ENC] generating INFORMATIONAL request 0 [
> D ]
> Aug 27 10:18:58 qdpat-xp charon: 01[NET] sending packet: from
> 135.252.130.87[4500] to 135.252.131.87[4500]
>
> The sunCert.pem
>
> root:/usr/local/etc/ipsec.d/certs# openssl x509 -in sunCert.pem -noout -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 2 (0x2)
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger
> Zhang/emailaddress=zha...@alcatel-lucent.com
>         Validity
>             Not Before: Aug 25 10:02:20 2009 GMT
>             Not After : Aug 25 10:02:20 2011 GMT
>         Subject: C=CN, ST=Shandong, O=ALU, OU=RD,
> CN=sun.strongswan.org/emailaddress=...@alcatel-lucent.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Modulus (1024 bit):
>                     00:ac:88:ee:ed:cf:0e:5f:de:fd:27:79:93:12:a9:
>                     9a:8a:61:69:41:3a:a6:cc:f5:1f:15:6e:5b:f8:1f:
>                     66:34:ce:69:6f:75:80:8d:e4:35:4b:45:74:6c:38:
>                     de:59:a3:2b:f0:fc:3f:26:1b:60:a8:b2:f4:0f:43:
>                     09:54:5a:93:61:f1:d6:3f:71:5c:8a:a2:e8:f4:d5:
>                     1d:57:87:88:a9:25:a2:19:bb:e1:72:ad:7b:be:70:
>                     9c:1c:7b:30:89:4e:7f:f1:fc:c6:e8:cf:37:33:82:
>                     a4:c1:50:5c:01:44:e0:bc:6a:36:f8:b8:44:23:be:
>                     48:96:7e:e6:9f:15:3d:b7:eb
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             Netscape Comment:
>                 OpenSSL Generated Certificate
>             X509v3 Subject Key Identifier:
>                 C4:1E:CC:CF:2D:51:16:7B:A1:3C:CE:1A:FD:35:23:CA:D9:1B:1D:BE
>             X509v3 Authority Key Identifier:
>
> keyid:C4:6D:F2:07:C9:C1:2D:6C:B7:5E:E9:92:BD:97:A6:61:C2:23:E6:23
>
>     Signature Algorithm: sha1WithRSAEncryption
>         7b:98:6d:20:1b:87:33:56:9d:a3:4f:a8:9c:ae:b3:ad:b6:58:
>         31:41:5f:d4:38:1b:8c:51:ac:25:3f:cb:fc:99:0b:4b:19:9c:
>         77:92:ec:bf:67:1a:be:49:03:76:46:36:a8:88:8f:c3:ae:f0:
>         f6:b5:b2:62:4d:77:ae:16:0f:76:e3:7d:9e:33:0e:7f:fd:47:
>         7a:69:89:9c:cb:ac:3d:8a:a4:14:ae:a2:7f:96:57:66:bb:58:
>         c4:87:a2:86:c8:0d:52:f4:36:46:29:a4:1b:ac:bb:e8:2b:23:
>         3c:87:c7:07:2b:81:2d:19:f5:49:1f:9b:2f:93:3f:ba:76:40:
>         a7:2b:d4:ac:df:ac:7e:21:fc:fd:d5:5d:57:2d:94:78:d8:eb:
>         91:df:e2:00:2c:80:35:87:68:c1:3e:74:79:14:c4:3e:ab:d4:
>         64:16:83:38:20:4f:be:f5:b7:36:6f:59:f2:d6:bd:34:fb:06:
>         ec:a8:ef:05:90:ba:83:74:0b:a4:77:33:a2:93:67:5c:a4:c7:
>         c3:de:83:56:dd:ad:0c:d7:56:30:c3:bf:82:71:c6:b9:23:98:
>         45:80:93:4c:f0:8b:97:58:c2:78:eb:37:73:ea:84:f4:4f:27:
>         e4:17:f5:c0:d4:b0:7b:5e:01:7b:ee:42:46:0e:f2:d3:62:b1:
>         f3:9b:13:7b
>
>
>
> The moonCert.pem
>
> [r...@localhost certs]# openssl x509 -in moonCert.pem -noout -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 2 (0x2)
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger
> Zhang/emailaddress=zha...@alcatel-lucent.com
>         Validity
>             Not Before: Aug 26 03:35:21 2009 GMT
>             Not After : Aug 26 03:35:21 2011 GMT
>         Subject: C=CN, ST=Shandong, O=ALU, OU=RD,
> CN=moon.strongswan.org/emailaddress=m...@alcatel-lucent.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Modulus (1024 bit):
>                     00:c1:21:20:a3:88:b7:bd:87:03:6e:0b:31:8a:77:
>                     eb:93:ba:5f:75:6f:7b:83:f3:84:28:60:3b:12:e5:
>                     2c:f3:ce:c3:72:a9:4a:72:e7:03:86:bf:83:1f:73:
>                     3c:14:47:79:27:b6:1b:bf:92:5a:42:5b:8c:62:f1:
>                     c4:23:54:98:13:53:a3:e5:a9:9e:82:69:c6:3d:8e:
>                     66:10:73:46:48:50:24:93:ae:98:d7:61:93:54:01:
>                     c4:0a:19:4e:31:42:c8:68:0b:79:c4:39:00:5b:5e:
>                     63:5e:e6:8f:91:1b:0a:a8:07:4c:32:2d:a5:72:61:
>                     18:7d:94:3b:22:f1:1c:25:51
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             Netscape Comment:
>                 OpenSSL Generated Certificate
>             X509v3 Subject Key Identifier:
>                 00:A5:D7:C3:CF:B7:F0:C3:FA:E4:70:0F:F3:96:CE:99:CC:58:1A:BE
>             X509v3 Authority Key Identifier:
>
> keyid:C4:6D:F2:07:C9:C1:2D:6C:B7:5E:E9:92:BD:97:A6:61:C2:23:E6:23
>
>     Signature Algorithm: sha1WithRSAEncryption
>         97:c0:5b:45:11:7b:34:d3:09:c7:ae:83:77:e1:d8:e6:5d:aa:
>         0b:17:3d:23:d6:4f:74:71:18:33:7d:99:dd:4c:3d:c9:61:ca:
>         0c:08:f9:40:07:37:1b:9b:06:dc:f8:12:8b:34:ff:b3:06:12:
>         9a:ec:08:07:68:52:58:15:4f:6d:f6:90:40:0d:8b:b0:a0:94:
>         c9:d1:79:72:9f:c0:a6:ff:53:b1:ce:ac:7b:c3:3c:9a:dd:6b:
>         da:8a:70:df:a1:c6:a9:80:2c:9a:71:ed:d9:ff:e8:b8:61:06:
>         50:a9:a7:3c:3f:d3:89:4e:b4:d5:c0:3c:28:bd:1a:61:17:51:
>         7d:de:3e:ab:bc:85:61:d5:d2:25:18:a4:54:94:b9:c4:67:56:
>         3d:73:60:0b:14:14:0a:71:ca:ef:c1:bb:05:74:71:fd:db:3d:
>         aa:ba:eb:17:5a:10:9c:15:51:4b:2f:25:c3:e4:94:5f:b0:1a:
>         e0:8d:63:31:53:ac:2d:7e:6c:d3:bd:59:45:a9:75:15:b1:eb:
>         0b:c7:58:d6:3a:2f:8d:7b:0d:80:b6:5d:d5:3e:cd:c7:ee:73:
>         1f:2a:d3:6d:c0:53:fa:1d:ae:38:4a:f4:91:71:97:2f:6b:57:
>         9d:63:2d:90:7f:71:3e:66:f8:72:c5:2b:c4:b6:c2:ac:c6:b9:
>         9d:47:30:11
>
> Roger

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
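The diagnosis above comes down to comparing a certificate's validity window with the clock of the host doing the check, and remembering that charon prints the window in UTC while syslog timestamps are in the host's local time. The script below is an added example written for this thread; it is not code from the strongSwan project or from either poster. It parses the window from the two places it shows up here (the charon "subject certificate invalid (valid from ... to ...)" line and the Not Before/Not After lines of `openssl x509 -noout -text`), converts a syslog-style local timestamp to UTC given the host's UTC offset (UTC+8 for China Standard Time, supplied as a parameter rather than assumed), and classifies the certificate as not yet valid, valid or expired. The sample inputs are taken from the quoted log and certificate dump, with the wrapped log line rejoined; nothing beyond the Python standard library is used.

```python
"""Added example: check an X.509 validity window against a clock.

Handles the two formats seen in this thread:
  charon log:   "valid from Aug 27 13:45:47 UTC 2009 to Aug 27 13:45:47 UTC 2011"
  openssl text: "Not Before: Aug 25 10:02:20 2009 GMT"
Uses only the standard library; sample data is copied from the thread.
"""
import re
from datetime import datetime, timedelta, timezone

_OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"   # as printed by `openssl x509 -text`
_CHARON_FMT = "%b %d %H:%M:%S UTC %Y"    # as printed in charon's log line


def _utc(naive):
    """Tag a naive datetime that is already in UTC with tzinfo=UTC."""
    return naive.replace(tzinfo=timezone.utc)


def parse_openssl_validity(text):
    """Return (not_before, not_after) from `openssl x509 -noout -text` output."""
    nb = re.search(r"Not Before:\s*(\S.*?)\s*$", text, re.M)
    na = re.search(r"Not After\s*:\s*(\S.*?)\s*$", text, re.M)
    if not (nb and na):
        raise ValueError("no Validity section found")
    return (_utc(datetime.strptime(nb.group(1), _OPENSSL_FMT)),
            _utc(datetime.strptime(na.group(1), _OPENSSL_FMT)))


def parse_charon_validity(line):
    """Return (not_before, not_after) from a charon
    'subject certificate invalid (valid from X to Y)' line, else None."""
    m = re.search(r"valid from (.+?) to (.+?)\)", line)
    if not m:
        return None
    return (_utc(datetime.strptime(m.group(1), _CHARON_FMT)),
            _utc(datetime.strptime(m.group(2), _CHARON_FMT)))


def local_to_utc(local_stamp, year, utc_offset_hours):
    """Convert a syslog-style local timestamp ("Aug 27 10:10:11", no year)
    to an aware UTC datetime, given the host's UTC offset in hours."""
    naive = datetime.strptime(f"{local_stamp} {year}", "%b %d %H:%M:%S %Y")
    tz = timezone(timedelta(hours=utc_offset_hours))
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def classify(not_before, not_after, now):
    """Return (state, seconds): state is 'not_yet_valid', 'valid' or
    'expired'; seconds is the distance to the boundary that matters."""
    if now < not_before:
        return "not_yet_valid", (not_before - now).total_seconds()
    if now > not_after:
        return "expired", (now - not_after).total_seconds()
    return "valid", (not_after - now).total_seconds()


def scan_log(lines, now):
    """Run the check over charon log lines; returns one (line, state,
    seconds) tuple per 'subject certificate invalid' line found."""
    hits = []
    for line in lines:
        window = parse_charon_validity(line)
        if window:
            state, secs = classify(*window, now)
            hits.append((line, state, secs))
    return hits


if __name__ == "__main__":
    # Rejoined from the quoted `ipsec up host-host` output in the thread.
    charon_lines = [
        "using trusted ca certificate \"C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, "
        "CN=Roger Zhang, e=zha...@alcatel-lucent.com\"",
        "subject certificate invalid (valid from Aug 27 13:45:47 UTC 2009 "
        "to Aug 27 13:45:47 UTC 2011)",
        "no trusted RSA public key found for 'sun.strongswan.org'",
    ]
    # sun's daemon.log timestamp is Shandong local time (China Standard Time, UTC+8).
    sun_now = local_to_utc("Aug 27 10:10:11", 2009, 8)
    for line, state, secs in scan_log(charon_lines, sun_now):
        print(f"{state} ({secs / 3600:.1f} h from boundary) at "
              f"{sun_now:%Y-%m-%d %H:%M:%S} UTC: {line}")
```

`classify` reports the distance to the relevant boundary so that a "not yet valid" result of a few seconds (ordinary clock drift) can be told apart from the many hours seen here, which point at a wrong clock or time zone rather than at the certificate; a monitoring job would alert on the first case and fix NTP in the second.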
_______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users