[Swan-dev] how to send certificate request payload in IKE_AUTH request
Balaji Thoguluva
tbbalaji at gmail.com
Tue Jul 14 22:51:31 UTC 2020
Hi Folks,
I am trying to establish an IKEv2/IPsec tunnel using certificate based
authentication so that both ends can exchange certificates to authenticate
themselves.
How can I configure Libreswan, which initiates the connection, to send a
"certificate request" (CERTREQ) payload in the IKE_AUTH request so that the
other end can send its certificate back in the IKE_AUTH response?
For example, I have configured as follows:

conn radcert
    ikev2=yes
    left=10.196.175.174
    leftsubnet=10.196.175.174/32
    leftca=%same
    leftrsasigkey=%cert
    leftid=libswan@xyz.com <------ other end's identity
    leftprotoport=17/1812
    right=10.196.172.139
    rightsubnet=10.196.172.139/32
    rightprotoport=17/1812
    auto=ondemand
    ike=aes128-sha1;dh14
    phase2=esp
    phase2alg=aes128-sha1;modp2048
    pfs=yes
    rightcert="mycert"
    rightrsasigkey=%cert
    rightsendcert=always
    rightid=@abc.com
    rightca=%same
    type=tunnel
    esn=no
    rekey=yes
    salifetime=28800s
    ikelifetime=3600s
    dpddelay=0s
    dpdtimeout=0s
    dpdaction=hold
I have a p12 file in the /etc/ipsec.d directory, which is a container of the
mycert certificate, mycert's CA certificate and the private key of mycert.
This p12 file has been imported.
When this connection is activated, Libreswan sends its certificate (because
rightsendcert=always) in a CERT payload; however, it does not send a CERTREQ
payload. Is there a way to instruct Libreswan to send a CERTREQ payload?
Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #1: initiating v2 parent SA
Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #1: local IKE proposals for radcert (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048
Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #1: local ESP/AH proposals for radcert (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=sha group=MODP2048}
Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #2: IKEv2 mode peer ID is ID_USER_FQDN: 'libswan@xyz.com'
Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #2: no RSA public key known for 'libswan@xyz.com' <-----------------------------------
Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #2: Digital Signature authentication failed
Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #2: deleting state (STATE_PARENT_I2) and NOT sending notification
Any help is greatly appreciated. Let me know if you need any other
information.
Thanks,
Balaji
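As an added illustration of the payload the question is about (example code, not Libreswan's own), the following Python builds and parses an IKEv2 Certificate Request (CERTREQ) payload as laid out in RFC 7296 section 3.7, and shows the responder-side check that decides whether a requested CA matches one of its own. The CA public-key bytes are constructed stand-ins, not real SubjectPublicKeyInfo DER.

```python
# Added example (not Libreswan code): build and parse an IKEv2 Certificate
# Request (CERTREQ) payload as laid out in RFC 7296 section 3.7.
import hashlib
import struct

CERT_ENCODING_X509_SIG = 4  # "X.509 Certificate - Signature" (RFC 7296 s3.6)
NEXT_PAYLOAD_NONE = 0       # no payload follows this one
SHA1_LEN = 20               # each trusted CA is named by a SHA-1 hash

def ca_hash(ca_spki_der: bytes) -> bytes:
    """SHA-1 of the trust anchor's SubjectPublicKeyInfo, as CERTREQ carries it."""
    return hashlib.sha1(ca_spki_der).digest()

def build_certreq(trusted_ca_spkis, next_payload=NEXT_PAYLOAD_NONE) -> bytes:
    """Encode: generic payload header, Cert Encoding byte, one SHA-1 per CA."""
    body = bytes([CERT_ENCODING_X509_SIG])
    body += b"".join(ca_hash(s) for s in trusted_ca_spkis)
    # Header = Next Payload, Critical bit + 7 reserved bits, Payload Length.
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def parse_certreq(payload: bytes) -> dict:
    """Decode a CERTREQ, rejecting truncated or malformed CA lists."""
    if len(payload) < 5:
        raise ValueError("CERTREQ too short for header plus Cert Encoding")
    next_payload, flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("Payload Length does not match payload size")
    encoding, ca_field = payload[4], payload[5:]
    if encoding == CERT_ENCODING_X509_SIG:
        if len(ca_field) % SHA1_LEN:
            raise ValueError("CA field is not a whole number of SHA-1 hashes")
        ca_hashes = [ca_field[i:i + SHA1_LEN]
                     for i in range(0, len(ca_field), SHA1_LEN)]
    else:
        ca_hashes = [ca_field]  # other encodings are kept opaque here
    return {"next_payload": next_payload, "critical": bool(flags & 0x80),
            "encoding": encoding, "ca_hashes": ca_hashes}

def peer_requests_our_ca(certreq: bytes, our_ca_spkis) -> bool:
    """Responder-side check: one of the CAs behind our certificate is among
    the hashes the peer asked for, so a CERT payload is worth sending."""
    requested = set(parse_certreq(certreq)["ca_hashes"])
    return any(ca_hash(s) in requested for s in our_ca_spkis)

# Constructed stand-ins for CA SubjectPublicKeyInfo DER blobs (not real keys).
CA_A_SPKI = b"constructed-spki-of-CA-A"
CA_B_SPKI = b"constructed-spki-of-CA-B"
CA_C_SPKI = b"constructed-spki-of-CA-C"
```

A peer that receives such a CERTREQ and finds no match will typically answer without a CERT payload, which on the requesting side surfaces as exactly the "no RSA public key known" failure shown in the log above.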