Hi Julian,

hmmm, the connection definition:

remote {
   auth = pubkey
   id = vpntest.MY_ORG.co.uk
}

lists the subjectAltName which is apparently contained in
the certificate:

       X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:vpntest.$MY_ORG.co.uk

so the identity matching is supposed to work if there is no typo
or some strange Unicode characters in the SAN.

Does the strongSwan swanctl --list-certs command list the SAN of the
received peer certificate?

Would it be possible to send the peer certificate to me for closer
inspection?

Best regards

Andreas

On 04.07.19 14:16, Regel, Julian (CSS) wrote:
> Hi
> 
> I am trying to configure an IPsec tunnel between a Cisco ASA and StrongSWAN, 
> using IKEv2 and certificates for authentication.
> 
> I'm running StrongSWAN version 5.6.2-1ubuntu2.4, installed on Ubuntu 18.04.2 
> LTS.
> 
> I am using a self-signed certificate on the ASA end. Unfortunately, I'm 
> getting the following error (full error log below, and I've obviously 
> sanitised the FQDN and DN):
> 
> [CFG] constraint check failed: identity 'vpntest.$MY_ORG.co.uk' required
> 
> Based on the StrongSWAN FAQ, I assumed this was the SAN field in the 
> certificate that was wrong, but on checking, it appears okay(?).
> 
> Please can you advise what I need to check to help fix this?
> 
> Many thanks
> 
> Julian
> 
> 
> ########## ASA certificate
> 
> $ openssl x509 -in asa.crt -text -noout
> 
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 2 (0x2)
>         Signature Algorithm: ecdsa-with-SHA256
>         Issuer: C = UK, ST = $MY_STATE, L = $MY_CITY, O = $MY_ORG, OU = $MY_OU, CN = CA Root (ECDSA)
>         Validity
>             Not Before: Jul  4 10:43:17 2019 GMT
>             Not After : Jul  3 10:43:17 2020 GMT
>         Subject: C = UK, ST = $MY_STATE, O = $MY_ORG, OU = $MY_OU, CN = vpntest.$MY_ORG.co.uk
>         Subject Public Key Info:
>             Public Key Algorithm: id-ecPublicKey
>                 Public-Key: (256 bit)
>                 pub:
>                     04:0b:73:8e:6e:7f:41:99:18:3b:70:27:3c:97:4e:
>                     c2:84:8a:19:fa:37:fd:51:eb:cd:64:a1:27:ac:68:
>                     36:30:c5:64:eb:75:85:99:e3:ff:3e:d5:2f:f8:6b:
>                     4c:b0:ee:45:00:59:dd:06:06:b5:5e:d5:d8:b1:8f:
>                     a6:10:33:a5:e6
>                 ASN1 OID: prime256v1
>                 NIST CURVE: P-256
>         X509v3 extensions:
>             X509v3 Subject Alternative Name:
>                 DNS:vpntest.$MY_ORG.co.uk
>     Signature Algorithm: ecdsa-with-SHA256
>          30:46:02:21:00:c3:0b:fc:15:e9:f2:19:86:8d:51:3c:12:0c:
>          f7:4f:22:12:07:a7:1f:ff:73:b3:52:3a:ac:c8:6b:ee:e8:5c:
>          36:02:21:00:ed:51:ca:79:8a:13:d0:45:80:ee:bf:18:4f:59:
>          54:94:72:41:c0:88:52:56:d1:9f:c5:17:8d:c0:88:7d:20:3d
> 
> ########## /etc/swanctl.conf:
> 
> connections {
>     onprem-to-azure {
>         local_addrs  = 172.26.0.85
>         remote_addrs = ON_PREM_EXT_IP
>         local {
>             auth = pubkey
>             certs = occert.pem
>             id = vpn.production.$MY_ORG.cloud
>         }
>         remote {
>             auth = pubkey
>             id = vpntest.MY_ORG.co.uk
>         }
>         children {
>             net1-net1 {
>                 local_ts  = 172.26.0.85
>                 remote_ts = 10.1.0.0/16
>                 #updown = /usr/local/libexec/ipsec/_updown iptables
>                 rekey_time = 5400
>                 rekey_bytes = 500000000
>                 rekey_packets = 1000000
>                 esp_proposals = aes128gcm16-ecp256 # Phase 2
>             }
>         }
>         version = 2
>         mobike = yes
>         reauth_time = 10800
>         proposals = aes128gcm16-prfsha256-ecp256 # Phase 1
>     }
> }
> 
> 
> ########### Trying to bring the tunnel up:
> 
> root@s00C-vpn-uks-01:/etc/swanctl/x509ca# swanctl -i -c net1-net1
> [IKE] initiating IKE_SA onprem-to-azure[1] to $MY_ON_PREM_EXT_IP
> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> [NET] sending packet: from 172.26.0.85[500] to $MY_ON_PREM_EXT_IP[500] (264 bytes)
> [NET] received packet: from $MY_ON_PREM_EXT_IP[500] to 172.26.0.85[500] (659 bytes)
> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ]
> [IKE] received Cisco Delete Reason vendor ID
> [IKE] received Cisco Copyright (c) 2009 vendor ID
> [IKE] received FRAGMENTATION vendor ID
> [IKE] local host is behind NAT, sending keep alives
> [IKE] received cert request for "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, OU=$MY_OU, CN=CA Root (ECDSA)"
> [IKE] received cert request for "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, OU=$MY_OU, CN=CA Root (ECDSA)"
> [IKE] received cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
> [IKE] received cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
> [IKE] received 10 cert requests for an unknown ca
> [IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
> [IKE] sending cert request for "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, OU=$MY_OU, CN=CA Root (ECDSA)"
> [IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
> [IKE] authentication of 'vpn.production.$MY_ORG.cloud' (myself) with ECDSA-256 signature successful
> [IKE] sending end entity cert "C=GB, ST=London, L=London, O=$MY_ORG PLC, CN=vpn.production.$MY_ORG.cloud"
> [IKE] establishing CHILD_SA net1-net1{1}
> [ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> [ENC] splitting IKE message with length of 2018 bytes into 2 fragments
> [ENC] generating IKE_AUTH request 1 [ EF(1/2) ]
> [ENC] generating IKE_AUTH request 1 [ EF(2/2) ]
> [NET] sending packet: from 172.26.0.85[4500] to $MY_ON_PREM_EXT_IP[4500] (1248 bytes)
> [NET] sending packet: from 172.26.0.85[4500] to $MY_ON_PREM_EXT_IP[4500] (835 bytes)
> [NET] received packet: from $MY_ON_PREM_EXT_IP[4500] to 172.26.0.85[4500] (525 bytes)
> [ENC] parsed IKE_AUTH response 1 [ EF(1/4) ]
> [ENC] received fragment #1 of 4, waiting for complete IKE message
> [NET] received packet: from $MY_ON_PREM_EXT_IP[4500] to 172.26.0.85[4500] (525 bytes)
> [ENC] parsed IKE_AUTH response 1 [ EF(3/4) ]
> [ENC] received fragment #3 of 4, waiting for complete IKE message
> [NET] received packet: from $MY_ON_PREM_EXT_IP[4500] to 172.26.0.85[4500] (525 bytes)
> [ENC] parsed IKE_AUTH response 1 [ EF(2/4) ]
> [ENC] received fragment #2 of 4, waiting for complete IKE message
> [NET] received packet: from $MY_ON_PREM_EXT_IP[4500] to 172.26.0.85[4500] (76 bytes)
> [ENC] parsed IKE_AUTH response 1 [ EF(4/4) ]
> [ENC] received fragment #4 of 4, reassembling fragmented IKE message
> [ENC] parsed IKE_AUTH response 1 [ V IDr CERT CERT AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) N(MOBIKE_SUP) ]
> [IKE] received end entity cert "C=UK, ST=$MY_STATE, O=$MY_ORG, OU=$MY_OU, CN=vpntest.$MY_ORG.co.uk"
> [IKE] received issuer cert "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, OU=$MY_OU, CN=CA Root (ECDSA)"
> [CFG]   using certificate "C=UK, ST=$MY_STATE, O=$MY_ORG, OU=$MY_OU, CN=vpntest.$MY_ORG.co.uk"
> [CFG]   using trusted ca certificate "C=UK, ST=$MY_STATE, L=$MY_CITY, O=$MY_ORG, OU=$MY_OU, CN=CA Root (ECDSA)"
> [CFG] checking certificate status of "C=UK, ST=$MY_STATE, O=$MY_ORG, OU=MY_OU, CN=vpntest.$MY_ORG.co.uk"
> [CFG] certificate status is not available
> [CFG]   reached self-signed root ca with a path length of 0
> [IKE] authentication of 'C=UK, ST=$MY_STATE, O=$MY_ORG, OU=MY_OU, CN=vpntest.$MY_ORG.co.uk' with ECDSA-256 signature successful
> [CFG] constraint check failed: identity 'vpntest.$MY_ORG.co.uk' required
> [CFG] selected peer config 'onprem-to-azure' inacceptable: constraint checking failed
> [CFG] no alternative config found
> [ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
> [NET] sending packet: from 172.26.0.85[4500] to $MY_ON_PREM_EXT_IP[4500] (65 bytes)
> initiate failed: establishing CHILD_SA 'net1-net1' failed
> 

-- 
======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
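One way to do the check Andreas asks for (does a DNS SAN of the received peer certificate match the configured remote `id` exactly, or does it hide a typo or an odd Unicode character?), as an added Python example that is not part of this thread and not strongSwan's own code: it pulls the SAN line out of `openssl x509 -text -noout` output, as in Julian's post, and compares each DNS entry with the swanctl `id`, naming any non-ASCII character it finds. The sample certificate text, the hypothetical example.co.uk names and the strict byte-for-byte comparison are assumptions; strongSwan's own identity matching rules are not reproduced here.

```python
import re
import unicodedata

# Constructed sample (not Julian's real certificate): an `openssl x509 -text -noout`
# excerpt whose first SAN entry hides a Cyrillic 'о' (U+043E) where a Latin 'o' belongs.
SAMPLE_X509_TEXT = (
    "Certificate:\n"
    "    Data:\n"
    "        Subject: C = UK, O = Example, CN = vpntest.example.co.uk\n"
    "        X509v3 extensions:\n"
    "            X509v3 Subject Alternative Name:\n"
    "                DNS:vpntest.example.c\u043e.uk, DNS:vpntest.example.co.uk\n"
    "    Signature Algorithm: ecdsa-with-SHA256\n"
)

def san_dns_names(x509_text):
    """Return the DNS: entries on the line following the SAN extension header."""
    m = re.search(r"Subject Alternative Name:[ \t]*\n[ \t]*([^\n]*)", x509_text)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",")]
    return [e[len("DNS:"):] for e in entries if e.startswith("DNS:")]

def suspicious_chars(name):
    """Flag characters easy to miss by eye: anything outside printable ASCII,
    reported with position, code point and Unicode name."""
    return [f"pos {i}: {c!r} U+{ord(c):04X} {unicodedata.name(c, '?')}"
            for i, c in enumerate(name) if not 0x21 <= ord(c) <= 0x7E]

def check_remote_id(configured_id, x509_text):
    """Compare swanctl's remote `id` with every DNS SAN in the certificate text.
    Returns (matched, report): matched is True on an exact match, report explains
    each non-matching SAN (hidden characters, case-only difference, first mismatch)."""
    matched, report = False, []
    for san in san_dns_names(x509_text):
        if san == configured_id:
            matched = True
            report.append(f"{san!r}: exact match")
            continue
        reasons = suspicious_chars(san)
        if san.lower() == configured_id.lower() and not reasons:
            reasons.append("differs only in case")
        else:
            pos = next((i for i, (a, b) in enumerate(zip(san, configured_id)) if a != b),
                       min(len(san), len(configured_id)))
            reasons.append(f"first difference at position {pos}: "
                           f"{san[pos:pos + 1]!r} vs {configured_id[pos:pos + 1]!r}")
        report.append(f"{san!r}: " + "; ".join(reasons))
    return matched, report

if __name__ == "__main__":
    ok, lines = check_remote_id("vpntest.example.co.uk", SAMPLE_X509_TEXT)
    print("match:", ok, *lines, sep="\n")
```

Feed it the real `openssl x509 -text -noout` output of the peer certificate and the `id` value from swanctl.conf; a SAN that looks right but reports a non-ASCII code point is the "strange Unicode character" case.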