[Swan-dev] how to send certificate request payload in IKE_AUTH request

Balaji Thoguluva tbbalaji at gmail.com
Tue Jul 14 22:51:31 UTC 2020 

Hi Folks,

I am trying to establish an IKEv2/IPsec tunnel using certificate based
authentication so that both ends can exchange certificates to authenticate
themselves.

How can I configure Libreswan which initiates the connection to send a
"certificate request" (CERTREQ) payload in IKE_AUTH request so that the
other end can send it's certificate in the IKE_AUTH response back?

For example, I have configured as follows

conn radcert
        ikev2=yes
        left=10.196.175.174
        leftsubnet=10.196.175.174/32
        leftca=%same
        leftrsasigkey=%cert
        leftid=libswan at xyz.com   <------ other end's identity
        leftprotoport=17/1812
        right=10.196.172.139
        rightsubnet=10.196.172.139/32
        rightprotoport=17/1812
        auto=ondemand
        ike=aes128-sha1;dh14
        phase2=esp
        phase2alg=aes128-sha1;modp2048
        pfs=yes
        rightcert="mycert"
        rightrsasigkey=%cert
        rightsendcert=always
        rightid=@abc.com
        rightca=%same
        type=tunnel
        esn=no
        rekey=yes
        salifetime=28800s
        ikelifetime=3600s
        dpddelay=0s
        dpdtimeout=0s
        dpdaction=hold

I have p12 file in /etc/ipsec.d directory which is a container of mycert
crtificate, mycert's CA certificate and private key of mycert. This p12
file is imported.

When this connection is activated, Libreswan sends its certificate (because
rightsendcert=always) in CERT payload however it does not send CERTREQ
payload. Is there a way to instruct Libreswan to send CERTREQ payload?

Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #1: initiating v2 parent
SA
Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #1: local IKE proposals
for radcert (IKE SA initiator selecting KE):
1:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048
Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #1: STATE_PARENT_I1:
sent v2I1, expected v2R1
Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #1: local ESP/AH
proposals for radcert (IKE SA initiator emitting ESP/AH proposals):
1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #2: STATE_PARENT_I2:
sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=sha
group=MODP2048}
Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #2: IKEv2 mode peer ID
is ID_USER_FQDN: 'libswan at xyz.com'
Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #2: no RSA public key
known for 'libswan at xyz.com'  <-----------------------------------

Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #2: Digital Signature
authentication failed
Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #2: deleting state
(STATE_PARENT_I2) and NOT sending notification

Any help is greatly appreciated. Let me know if you need any other
information.

Thanks,
Balaji
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20200714/62b67335/attachment.html>

More information about the Swan-dev mailing list