Hi Julian,

hmmm, the connection definition:

    remote {
        auth = pubkey
        id = vpntest.MY_ORG.co.uk
    }

lists the subjectAltName which is apparently contained in the certificate:

    X509v3 extensions:
        X509v3 Subject Alternative Name:
            DNS:vpntest.$MY_ORG.co.uk

so the identity matching is supposed to work if there is no typo or some
strange Unicode characters in the SAN.

Does the strongSwan swanctl --list-certs command list the SAN of the
received peer certificate?

Would it be possible to send the peer certificate to me for closer
inspection?

Best regards

Andreas

On 04.07.19 14:16, Regel, Julian (CSS) wrote:
> Hi
>
> I am trying to configure an IPsec tunnel between a Cisco ASA and strongSwan,
> using IKEv2 and certificates for authentication.
>
> I'm running strongSwan version 5.6.2-1ubuntu2.4, installed on Ubuntu 18.04.2
> LTS.
>
> I am using a self-signed certificate on the ASA end. Unfortunately, I'm
> getting the following error (full error log below, and I've obviously
> sanitised the FQDN and DN):
>
> [CFG] constraint check failed: identity 'vpntest.$MY_ORG.co.uk' required
>
> Based on the strongSwan FAQ, I assumed this was the SAN field in the
> certificate that was wrong, but on checking, it appears okay(?).
>
> Please can you advise what I need to check to help fix this?
>
> Many thanks
>
> Julian
>
>
> ########## ASA certificate
>
> $ openssl x509 -in asa.crt -text -noout
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 2 (0x2)
>         Signature Algorithm: ecdsa-with-SHA256
>         Issuer: C = UK, ST = $MY_STATE, L = $MY_CITY, O = $MY_ORG, OU = $MY_OU, CN = CA Root (ECDSA)
>         Validity
>             Not Before: Jul  4 10:43:17 2019 GMT
>             Not After : Jul  3 10:43:17 2020 GMT
>         Subject: C = UK, ST = $MY_STATE, O = $MY_ORG, OU = $MY_OU, CN = vpntest.$MY_ORG.co.uk
>         Subject Public Key Info:
>             Public Key Algorithm: id-ecPublicKey
>                 Public-Key: (256 bit)
>                 pub:
>                     04:0b:73:8e:6e:7f:41:99:18:3b:70:27:3c:97:4e:
>                     c2:84:8a:19:fa:37:fd:51:eb:cd:64:a1:27:ac:68:
>                     36:30:c5:64:eb:75:85:99:e3:ff:3e:d5:2f:f8:6b:
>                     4c:b0:ee:45:00:59:dd:06:06:b5:5e:d5:d8:b1:8f:
>                     a6:10:33:a5:e6
>                 ASN1 OID: prime256v1
>                 NIST CURVE: P-256
>         X509v3 extensions:
>             X509v3 Subject Alternative Name:
>                 DNS:vpntest.$MY_ORG.co.uk
>     Signature Algorithm: ecdsa-with-SHA256
>          30:46:02:21:00:c3:0b:fc:15:e9:f2:19:86:8d:51:3c:12:0c:
>          f7:4f:22:12:07:a7:1f:ff:73:b3:52:3a:ac:c8:6b:ee:e8:5c:
>          36:02:21:00:ed:51:ca:79:8a:13:d0:45:80:ee:bf:18:4f:59:
>          54:94:72:41:c0:88:52:56:d1:9f:c5:17:8d:c0:88:7d:20:3d
>
> ########## /etc/swanctl.conf:
>
> connections {
>     onprem-to-azure {
>         local_addrs = 172.26.0.85
>         remote_addrs = ON_PREM_EXT_IP
>         local {
>             auth = pubkey
>             certs = occert.pem
>             id = vpn.production.$MY_ORG.cloud
>         }
>         remote {
>             auth = pubkey
>             id = vpntest.MY_ORG.co.uk
>         }
>         children {
>             net1-net1 {
>                 local_ts = 172.26.0.85
>                 remote_ts = 10.1.0.0/16
>                 #updown = /usr/local/libexec/ipsec/_updown iptables
>                 rekey_time = 5400
>                 rekey_bytes = 500000000
>                 rekey_packets = 1000000
>                 esp_proposals = aes128gcm16-ecp256 # Phase 2
>             }
>         }
>         version = 2
>         mobike = yes
>         reauth_time = 10800
>         proposals = aes128gcm16-prfsha256-ecp256 # Phase 1
>     }
> }
>
>
> ########### Trying to bring the tunnel up:
>
> root@s00C-vpn-uks-01:/etc/swanctl/x509ca# swanctl -i -c net1-net1
> [IKE] initiating IKE_SA onprem-to-azure[1] to $MY_ON_PREM_EXT_IP
> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> [NET] sending packet: from 172.26.0.85[500] to $MY_ON_PREM_EXT_IP[500] (264 bytes)
> [NET] received packet: from $MY_ON_PREM_EXT_IP[500] to 172.26.0.85[500] (659 bytes)
> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ]
> [IKE] received Cisco Delete Reason vendor ID
> [IKE] received Cisco Copyright (c) 2009 vendor ID
> [IKE] received FRAGMENTATION vendor ID
> [IKE] local host is behind NAT, sending keep alives
> [IKE] received cert request for "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, OU=$MY_OU, CN=CA Root (ECDSA)"
> [IKE] received cert request for "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, OU=$MY_OU, CN=CA Root (ECDSA)"
> [IKE] received cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
> [IKE] received cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
> [IKE] received 10 cert requests for an unknown ca
> [IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
> [IKE] sending cert request for "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, OU=$MY_OU, CN=CA Root (ECDSA)"
> [IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
> [IKE] authentication of 'vpn.production.$MY_ORG.cloud' (myself) with ECDSA-256 signature successful
> [IKE] sending end entity cert "C=GB, ST=London, L=London, O=$MY_ORG PLC, CN=vpn.production.$MY_ORG.cloud"
> [IKE] establishing CHILD_SA net1-net1{1}
> [ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> [ENC] splitting IKE message with length of 2018 bytes into 2 fragments
> [ENC] generating IKE_AUTH request 1 [ EF(1/2) ]
> [ENC] generating IKE_AUTH request 1 [ EF(2/2) ]
> [NET] sending packet: from 172.26.0.85[4500] to $MY_ON_PREM_EXT_IP[4500] (1248 bytes)
> [NET] sending packet: from 172.26.0.85[4500] to $MY_ON_PREM_EXT_IP[4500] (835 bytes)
> [NET] received packet: from $MY_ON_PREM_EXT_IP[4500] to 172.26.0.85[4500] (525 bytes)
> [ENC] parsed IKE_AUTH response 1 [ EF(1/4) ]
> [ENC] received fragment #1 of 4, waiting for complete IKE message
> [NET] received packet: from $MY_ON_PREM_EXT_IP[4500] to 172.26.0.85[4500] (525 bytes)
> [ENC] parsed IKE_AUTH response 1 [ EF(3/4) ]
> [ENC] received fragment #3 of 4, waiting for complete IKE message
> [NET] received packet: from $MY_ON_PREM_EXT_IP[4500] to 172.26.0.85[4500] (525 bytes)
> [ENC] parsed IKE_AUTH response 1 [ EF(2/4) ]
> [ENC] received fragment #2 of 4, waiting for complete IKE message
> [NET] received packet: from $MY_ON_PREM_EXT_IP[4500] to 172.26.0.85[4500] (76 bytes)
> [ENC] parsed IKE_AUTH response 1 [ EF(4/4) ]
> [ENC] received fragment #4 of 4, reassembling fragmented IKE message
> [ENC] parsed IKE_AUTH response 1 [ V IDr CERT CERT AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) N(MOBIKE_SUP) ]
> [IKE] received end entity cert "C=UK, ST=$MY_STATE, O=$MY_ORG, OU=$MY_OU, CN=vpntest.$MY_ORG.co.uk"
> [IKE] received issuer cert "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, OU=$MY_OU, CN=CA Root (ECDSA)"
> [CFG] using certificate "C=UK, ST=$MY_STATE, O=$MY_ORG, OU=$MY_OU, CN=vpntest.$MY_ORG.co.uk"
> [CFG] using trusted ca certificate "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, OU=$MY_OU, CN=CA Root (ECDSA)"
> [CFG] checking certificate status of "C=UK, ST=$MY_STATE, O=$MY_ORG, OU=MY_OU, CN=vpntest.$MY_ORG.co.uk"
> [CFG] certificate status is not available
> [CFG] reached self-signed root ca with a path length of 0
> [IKE] authentication of 'C=UK, ST=$MY_STATE, O=$MY_ORG, OU=MY_OU, CN=vpntest.$MY_ORG.co.uk' with ECDSA-256 signature successful
> [CFG] constraint check failed: identity 'vpntest.$MY_ORG.co.uk' required
> [CFG] selected peer config 'onprem-to-azure' inacceptable: constraint checking failed
> [CFG] no alternative config found
> [ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
> [NET] sending packet: from 172.26.0.85[4500] to $MY_ON_PREM_EXT_IP[4500] (65 bytes)
> initiate failed: establishing CHILD_SA 'net1-net1' failed
>
>
> You are receiving this message from Capita Software. Should you wish to see
> how we may have collected or may use your information, or view ways to
> exercise your individual rights, see our Privacy
> Notice<https://www.capitasoftware.com/PrivacyNotice>
>
> This email is security checked and subject to the disclaimer on web-page:
> http://www.capita.co.uk/email-disclaimer.aspx

-- 
======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
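The check Andreas describes, as an added example that is not part of the thread and not code from strongSwan or Cisco: the configured remote `id` has to equal one of the identities the peer certificate carries (its subject DN or a subjectAltName entry), and a single stray character is enough to produce "constraint check failed: identity ... required". The script below repeats that comparison on the strings `openssl x509 -text -noout` prints and, on a mismatch, reports the usual causes (wrong identity type, whitespace, case, a look-alike non-ASCII character). The subject DN and SAN are copied from the certificate dump in the post; the failing ids in the `__main__` section are constructed for illustration. The identity-type guessing and the DN comparison are simplifications of what strongSwan's identification code does, not its real logic.

```python
"""Diagnose strongSwan's "constraint check failed: identity '...' required".

Added example: compares a configured remote id against the identities a
peer certificate carries (subject DN plus subjectAltName entries) and, if
nothing matches, explains why. Type detection and DN handling are
approximations of strongSwan's identification code, not its real logic.
"""
import ipaddress
import unicodedata

# Constructed from the certificate dump in the post (placeholders kept).
SUBJECT_DN = "C=UK, ST=$MY_STATE, O=$MY_ORG, OU=$MY_OU, CN=vpntest.$MY_ORG.co.uk"
SANS = ["DNS:vpntest.$MY_ORG.co.uk"]
SAN_TYPES = {"DNS": "fqdn", "email": "email", "IP Address": "ip"}


def classify(identity):
    """Guess the identity type the way a swanctl.conf string is read:
    '=' -> DN, '@' -> e-mail, parsable address -> IP, else FQDN
    ('fqdn:' style prefixes are not handled here)."""
    if "=" in identity:
        return "dn"
    if "@" in identity:
        return "email"
    try:
        ipaddress.ip_address(identity)
        return "ip"
    except ValueError:
        return "fqdn"


def canonical(kind, value):
    """Comparison form: FQDN and e-mail case-insensitive, IPs in normalised
    notation, DNs as 'TYPE=value' RDNs without padding (simplified)."""
    if kind == "dn":
        rdns = (part.partition("=") for part in value.split(","))
        return ",".join(f"{t.strip().upper()}={v.strip()}" for t, _, v in rdns)
    if kind == "ip":
        return str(ipaddress.ip_address(value))
    return value.lower()


def cert_identities(subject_dn, sans):
    """(kind, value) pairs the peer certificate can be matched against."""
    ids = [("dn", subject_dn)]
    for entry in sans:
        san_type, _, value = entry.partition(":")
        ids.append((SAN_TYPES.get(san_type, san_type.lower()), value))
    return ids


def explain_difference(configured, in_cert):
    """Hints on why two identity strings of the same type are not equal."""
    hints = []
    for label, s in (("configured id", configured), ("certificate", in_cert)):
        for ch in s:
            if ord(ch) > 0x7F:  # look-alike characters hide here
                name = unicodedata.name(ch, "unknown")
                hints.append(f"{label}: non-ASCII {ch!r} U+{ord(ch):04X} ({name}) in {s!r}")
        if s != s.strip():
            hints.append(f"{label}: leading/trailing whitespace in {s!r}")
    a, b = configured.strip(), in_cert.strip()
    if a == b:
        return hints
    if a.lower() == b.lower():
        hints.append("values differ only in case")
    elif unicodedata.normalize("NFKC", a) == unicodedata.normalize("NFKC", b):
        hints.append("values differ only in Unicode normalisation form")
    else:
        pos = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), min(len(a), len(b)))
        hints.append(f"first difference at offset {pos}: {a[pos:pos + 8]!r} vs {b[pos:pos + 8]!r}")
    return hints


def diagnose(configured_id, subject_dn, sans):
    """Return {'match': bool, 'matched': identity or None, 'hints': [...]}."""
    kind = classify(configured_id)
    wanted = canonical(kind, configured_id)
    candidates = cert_identities(subject_dn, sans)
    for cert_kind, value in candidates:
        if cert_kind == kind and canonical(cert_kind, value) == wanted:
            return {"match": True, "matched": value, "hints": []}
    same_kind = [value for k, value in candidates if k == kind]
    hints = []
    if not same_kind:
        offered = "; ".join(f"{k}: {v}" for k, v in candidates)
        hints.append(f"id is of type {kind} but the certificate only carries {offered}")
    for value in same_kind:
        hints.extend(explain_difference(configured_id, value))
    return {"match": False, "matched": None, "hints": hints}


if __name__ == "__main__":
    for configured in (
        "vpntest.$MY_ORG.co.uk",        # exactly what the SAN says
        SUBJECT_DN,                      # the subject DN works as id as well
        "vpntest.$MY_ORG.c\u043e.uk",    # constructed: Cyrillic o (U+043E) look-alike
        "vpntest.$MY_ORG.co.uk ",        # constructed: trailing blank
    ):
        result = diagnose(configured, SUBJECT_DN, SANS)
        print(f"{configured!r}: {'OK' if result['match'] else 'MISMATCH'}")
        for hint in result["hints"]:
            print("   ", hint)
```

To use it on a real case, paste the `Subject:` line and the `DNS:` entries from the `openssl x509 -text -noout` output into SUBJECT_DN and SANS, and the `id =` value from swanctl.conf into the first candidate. A hit on a non-ASCII code point or on stray whitespace is exactly the "typo or strange Unicode character" Andreas asks about; a "type" hint means the id is being read as the wrong kind of identity (for instance an FQDN while only a DN matches).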