Hello,

I am trying to configure remote access authenticated by client certificates.
This is the client-side swanctl.conf:

connections {
    home {
        local_addrs = %any
        remote_addrs = 37.120.163.19
        vips = 0.0.0.0
        local {
            auth=pubkey
            certs=udo-office.crt.pem
            id=nw049994
        }
        remote {
            auth=pubkey
            id=server.upokojski.de
        }
        children {
            home {
                remote_ts=10.8.0.0/24
                esp_proposals = aes128gcm128-x25519
            }
        }
        version=2
        proposals=aes128-sha256-x25519
    }
}

secrets {
    rsa-udo {
        file=udo-office.key.pem
        secret="Abc123"
    }
}


Any connection attempt ends with an authentication failure. The client log says that the private key cannot be loaded:

Nov 24 13:52:40 client-udo charon-systemd[24951]: dnscert plugin is disabled
Nov 24 13:52:40 client-udo charon-systemd[24951]: ipseckey plugin is disabled
Nov 24 13:52:40 client-udo charon-systemd[24951]: attr-sql plugin: database URI not set
Nov 24 13:52:40 client-udo charon-systemd[24951]: loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 24 13:52:40 client-udo charon-systemd[24951]:   loaded ca certificate "C=DE, ST=NRW, L=Oberhausen, O=Home, OU=Homenet, CN=Home PKI" from '/etc/ipsec.d/cacerts/ca-cert.pem'
Nov 24 13:52:40 client-udo charon-systemd[24951]: loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 24 13:52:40 client-udo charon-systemd[24951]: loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 24 13:52:40 client-udo charon-systemd[24951]: loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 24 13:52:40 client-udo charon-systemd[24951]: loading crls from '/etc/ipsec.d/crls'
Nov 24 13:52:40 client-udo charon-systemd[24951]: loading secrets from '/etc/ipsec.secrets'
Nov 24 13:52:40 client-udo charon-systemd[24951]:   loaded EAP secret for nw049994
Nov 24 13:52:40 client-udo charon-systemd[24951]:   loaded RSA private key from '/etc/ipsec.d/private/udo-office.plainkey.pem'
Nov 24 13:52:40 client-udo charon-systemd[24951]: sql plugin: database URI not set
Nov 24 13:52:40 client-udo charon-systemd[24951]: opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Nov 24 13:52:40 client-udo charon-systemd[24951]: eap-simaka-sql database URI missing
Nov 24 13:52:40 client-udo charon-systemd[24951]: loaded 0 RADIUS server configurations
Nov 24 13:52:40 client-udo charon-systemd[24951]: HA config misses local/remote address
Nov 24 13:52:40 client-udo charon-systemd[24951]: no threshold configured for systime-fix, disabled
Nov 24 13:52:40 client-udo charon-systemd[24951]: coupling file path unspecified
Nov 24 13:52:40 client-udo charon-systemd[24951]: loaded plugins: charon-systemd charon-systemd test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Nov 24 13:52:40 client-udo charon-systemd[24951]: dropped capabilities, running as uid 0, gid 0
Nov 24 13:52:40 client-udo charon-systemd[24951]: spawning 16 worker threads
Nov 24 13:52:40 client-udo kernel: [110583.945449] audit: type=1400 audit(1606222360.438:123): apparmor="ALLOWED" operation="sendmsg" profile="/usr/sbin/charon-systemd" name="/run/systemd/notify" pid=24951 comm="charon-systemd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Nov 24 13:52:40 client-udo kernel: [110583.945478] audit: type=1400 audit(1606222360.438:124): apparmor="ALLOWED" operation="sendmsg" profile="/usr/sbin/charon-systemd" name="/run/systemd/notify" pid=24951 comm="charon-systemd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Nov 24 13:52:40 client-udo charon-systemd[24951]: loaded certificate 'C=DE, ST=NRW, L=Oberhausen, O=Home, OU=VPN, CN=udonbwin'
Nov 24 13:52:40 client-udo charon-systemd[24951]: loaded certificate 'C=DE, ST=NRW, L=Oberhausen, O=Office, OU=VPN, CN=udo-office'
Nov 24 13:52:40 client-udo charon-systemd[24951]: loaded ANY private key
Nov 24 13:52:40 client-udo charon-systemd[24951]: building CRED_PRIVATE_KEY - ANY failed, tried 10 builders
Nov 24 13:52:40 client-udo charon-systemd[24951]: added vici connection: home
swanctl --load-creds asks for a password:
root@client-udo:/etc/strongswan.d/charon# swanctl --load-creds
loaded certificate from '/etc/swanctl/x509/udonbwin.crt.pem'
loaded certificate from '/etc/swanctl/x509/udo-office.crt.pem'
loaded rsa key from '/etc/swanctl/private/udo-office.plainkey.pem'
Password for private file 'udo-office.key.pem':
Password for private file 'udo-office.key.pem':
Password for private file 'udo-office.key.pem':
Password for private file 'udo-office.key.pem':
building CRED_PRIVATE_KEY - ANY failed, tried 9 builders
loading '/etc/swanctl/private/udo-office.key.pem' failed: parsing ANY private key failed


I checked the passphrase by trying this:

root@client-udo:/etc/swanctl/private# openssl rsa -noout -text -in udo-office.key.pem
Enter pass phrase for udo-office.key.pem:
RSA Private-Key: (4096 bit, 2 primes)
modulus:
    00:d5:e0:61:79:4a:73:ad:39:7c:e6:f0:c3:d1:57:
    6c:86:8e:2e:ba:c5:32:f6:78:77:20:46:1d:28:2f:
    fb:e2:f6:c5:f4:2f:6d:4e:95:70:80:39:9c:b4:60:
    11:47:2b:b2:3c:c1:13:67:89:12:ca:89:52:de:f7:
    e4:37:f1:27:c8:72:30:60:4b:20:43:01:24:48:4c:
    cf:38:a2:a9:11:7d:5d:7e:a2:5b:f2:a0:bf:0d:4e:
[....]

Why is the correct password denied by swanctl?


Thanks,
Udo
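A first diagnostic for a "parsing ANY private key failed" result even though openssl accepts the passphrase is to check which PEM container the key file actually uses, since a traditional "RSA PRIVATE KEY" block with DEK-Info headers and a PKCS#8 "ENCRYPTED PRIVATE KEY" block are parsed by different code paths. The inspector below is an added example, not code from the original post or from strongSwan; the two sample PEM blocks are constructed with placeholder base64 bodies, and the kind names (`traditional-encrypted`, `pkcs8-encrypted`, ...) are this script's own labels.

```python
import re
import sys

# Matches the first PEM block and captures its label and everything between the markers.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)

def classify_pem_key(text):
    """Describe the first private-key block in `text`.

    kind: traditional-encrypted, traditional, pkcs8-encrypted, pkcs8 or unknown.
    cipher: the DEK-Info cipher of a traditional encrypted key, else None.
    """
    m = PEM_RE.search(text)
    if not m:
        return {"kind": "unknown", "label": None, "cipher": None}
    label, body = m.group("label"), m.group("body")
    # Traditional (OpenSSL "BEGIN RSA PRIVATE KEY") encryption is signalled by
    # RFC 1421 style "Proc-Type"/"DEK-Info" headers in front of the base64 data;
    # base64 never contains ':' so the first header-less line ends the header block.
    headers = {}
    for line in body.splitlines():
        if ":" not in line:
            break
        key, value = line.split(":", 1)
        headers[key.strip()] = value.strip()
    if label == "ENCRYPTED PRIVATE KEY":
        kind = "pkcs8-encrypted"          # PKCS#8, encryption described inside the ASN.1
    elif label == "PRIVATE KEY":
        kind = "pkcs8"                    # PKCS#8, plaintext
    elif label.endswith(" PRIVATE KEY"):
        encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
        kind = "traditional-encrypted" if encrypted else "traditional"
    else:
        kind = "unknown"
    cipher = headers["DEK-Info"].split(",", 1)[0] if "DEK-Info" in headers else None
    return {"kind": kind, "label": label, "cipher": cipher}

# Constructed samples: placeholder bodies, not real key material.
SAMPLE_TRADITIONAL = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: AES-256-CBC,0A1B2C3D4E5F60718293A4B5C6D7E8F9\n\n"
                      "UExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PKCS8 = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n"
                "-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    # Usage: python pemkind.py /etc/swanctl/private/udo-office.key.pem
    with open(sys.argv[1]) as f:
        print(classify_pem_key(f.read()))
```

The output tells you whether the key is traditional-encrypted (and with which DEK-Info cipher) or PKCS#8, which is what to compare against the key formats the installed pem and pkcs8 plugins handle.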