On 3/25/2015 07:49, Andreas Steffen wrote:
> Hi Karl,
>
> in order to find a match, the IKEv2 ID 'k...@denninger.net' must be contained as a subjectAltName in the X.509 client certificate. strongSwan does not do any matching to the CN= or E= fields of the certificate's subjectDistinguishedName.
>
> Best regards
>
> Andreas
>
> On 03/25/2015 05:36 AM, Karl Denninger wrote:
>> I'm having a problem getting PKI-authenticated connections from BB10 smartphones to work.
>>
>> PSK-authentication works; I have the following stanza in ipsec.conf:
>>
>>     conn BB10
>>         left=%any
>>         leftsubnet=0.0.0.0/0
>>         right=%any
>>         rightsourceip=192.168.2.0/24
>>         rightauth=psk
>>         leftcert=genesis.denninger.net.crt
>>         leftauth=pubkey
>>         auto=add
>>
>> This works fine; the proper secret is in the ipsec.secrets file.
>>
>> If I change "rightauth" to "pubkey", however, and specify a client certificate to be sent on the client side I get this:
>>
>> Mar 24 23:30:19 NewFS charon: 16[NET] sending packet: from 70.169.168.7[500] to 192.168.1.21[500] (333 bytes)
>> Mar 24 23:30:19 NewFS charon: 16[NET] received packet: from 192.168.1.21[500] to 70.169.168.7[500] (2444 bytes)
>> Mar 24 23:30:19 NewFS charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH CPRQ(ADDR MASK DNS DNS NBNS NBNS VER) N(INIT_CONTACT) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>> Mar 24 23:30:19 NewFS charon: 16[IKE] received end entity cert "C=US, ST=Florida, O=Cuda Systems LLC, CN=Karl Denninger, E=k...@denninger.net"
>> Mar 24 23:30:19 NewFS charon: 16[CFG] looking for peer configs matching 70.169.168.7[%any]...192.168.1.21[k...@denninger.net]
>> Mar 24 23:30:19 NewFS charon: 16[CFG] selected peer config 'BB10'
>> Mar 24 23:30:19 NewFS charon: 16[IKE] no trusted RSA public key found for 'k...@denninger.net'
>>
>> The public key, however, IS in the ipsec.d/certs directory and IS readable. In addition "ipsec listcacerts" does show the CA that issued the machine certificate.
>>
>> However, "ipsec listcerts" does not display it; all it shows is the machine cert for the server:
>>
>> [root@NewFS /usr/local/etc/ipsec.d]# ipsec listcerts
>>
>> List of X.509 End Entity Certificates:
>>
>>   subject:  "C=US, ST=Florida, O=Cuda Systems LLC, CN=genesis.denninger.net, E=postmas...@genesis.denninger.net"
>>   issuer:   "C=US, ST=Florida, L=Niceville, O=Cuda Systems LLC, CN=Cuda Systems LLC CA, E=Cuda Systems LLC CA"
>>   serial:    17
>>   validity:  not before Mar 24 22:48:26 2015, ok
>>              not after  Mar 21 22:48:26 2025, ok
>>   pubkey:    RSA 4096 bits, has private key
>>   keyid:     58:e0:39:09:a8:60:69:4e:80:4e:03:c5:03:d4:62:4d:0e:f3:80:7d
>>   subjkey:   e7:7b:7c:61:2e:5e:af:06:d0:9d:ff:29:3d:12:ae:a2:61:bf:60:56
>>   authkey:   24:71:9b:9d:85:7d:fc:dd:dd:bd:b0:ca:92:94:03:a1:fa:d3:6d:35
>> [root@NewFS /usr/local/etc/ipsec.d]#
>>
>> What am I missing?
>>
>> --
>> Karl Denninger
>> k...@denninger.net <mailto:k...@denninger.net>
>> /The Market Ticker/
>
> ======================================================================
> Andreas Steffen                         andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
--
Karl Denninger
k...@denninger.net <mailto:k...@denninger.net>
/The Market Ticker/
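The matching rule Andreas describes, as an added Go example that is not strongSwan's code and not part of the thread: it builds two constructed self-signed client certificates, one carrying the e-mail identity as an rfc822Name in subjectAltName and one carrying it only in the subject DN's E= attribute, then applies a matcher that, like strongSwan's identity matching, consults only the subjectAltName. The identities `user@example.com` and `Test User`, the organization name and the serial number are constructed placeholders, not values from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidEmailAddress is the PKCS#9 emailAddress attribute, shown as "E=" in a DN.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// makeClientCert builds a self-signed test certificate (constructed data).
// cn and email always go into the subject DN as CN= and E=; when inSAN is true
// the email is additionally placed into subjectAltName as an rfc822Name.
func makeClientCert(cn, email string, inSAN bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(17), // placeholder serial
		Subject: pkix.Name{
			Country:      []string{"US"},
			Organization: []string{"Example Org"}, // placeholder
			CommonName:   cn,
			ExtraNames: []pkix.AttributeTypeAndValue{
				{Type: oidEmailAddress, Value: email},
			},
		},
		NotBefore: time.Now().Add(-time.Hour),
		NotAfter:  time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
	}
	if inSAN {
		tmpl.EmailAddresses = []string{email} // becomes SAN rfc822Name
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ikeIDMatches applies the rule from the thread: an IKEv2 identity of e-mail
// or FQDN form is accepted only if it appears in subjectAltName. The CN= and
// E= attributes of the subject DN are deliberately not consulted.
func ikeIDMatches(ikeID string, cert *x509.Certificate) bool {
	for _, e := range cert.EmailAddresses {
		if e == ikeID {
			return true
		}
	}
	for _, d := range cert.DNSNames {
		if d == ikeID {
			return true
		}
	}
	return false
}

// dnEmail returns the E= attribute from the subject DN, or "" if absent.
// It exists only to show that the address is present in the DN and still
// does not count for matching.
func dnEmail(cert *x509.Certificate) string {
	for _, atv := range cert.Subject.Names {
		if atv.Type.Equal(oidEmailAddress) {
			if s, ok := atv.Value.(string); ok {
				return s
			}
		}
	}
	return ""
}

func main() {
	const id = "user@example.com" // constructed IKEv2 ID_RFC822_ADDR
	withSAN, err := makeClientCert("Test User", id, true)
	if err != nil {
		panic(err)
	}
	dnOnly, err := makeClientCert("Test User", id, false)
	if err != nil {
		panic(err)
	}
	fmt.Printf("email in SAN:      match=%v\n", ikeIDMatches(id, withSAN))
	fmt.Printf("email only in E=:  match=%v (E=%s)\n", ikeIDMatches(id, dnOnly), dnEmail(dnOnly))
}
```

When checking a real client certificate, the relevant line in `openssl x509 -in client.crt -noout -text` is "X509v3 Subject Alternative Name"; an address that appears only on the "Subject:" line is in the DN, not the SAN, and is the situation the thread's log line "no trusted RSA public key found for ..." reflects.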
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users