[Swan-dev] how to send certificate request payload in IKE_AUTH request
Paul Wouters
paul at nohats.ca
Wed Jul 15 02:18:59 UTC 2020
On Tue, 14 Jul 2020, Balaji Thoguluva wrote:
> I am trying to establish an IKEv2/IPsec tunnel using certificate based authentication so that both ends can exchange certificates to authenticate
> themselves.
>
> How can I configure Libreswan which initiates the connection to send a "certificate request" (CERTREQ) payload in IKE_AUTH request so that the other end
> can send it's certificate in the IKE_AUTH response back?
The two are not related. The CERTREQ is just a "hint" for the other side
to pick its own CERT if it has more than one to choose from.
> For example, I have configured as follows
>
> conn radcert
> ikev2=yes
> left=10.196.175.174
> leftsubnet=10.196.175.174/32
> leftca=%same
> leftrsasigkey=%cert
> leftid=libswan at xyz.com <------ other end's identity
> leftprotoport=17/1812
> right=10.196.172.139
> rightsubnet=10.196.172.139/32
> rightprotoport=17/1812
> auto=ondemand
> ike=aes128-sha1;dh14
> phase2=esp
> phase2alg=aes128-sha1;modp2048
> pfs=yes
> rightcert="mycert"
> rightrsasigkey=%cert
> rightsendcert=always
> rightid=@abc.com
> rightca=%same
> type=tunnel
> esn=no
> rekey=yes
> salifetime=28800s
> ikelifetime=3600s
> dpddelay=0s
> dpdtimeout=0s
> dpdaction=hold
looks good, other than the dpd values which should never be 0, and
dpdaction hold should be restart.
> I have p12 file in /etc/ipsec.d directory which is a container of mycert crtificate, mycert's CA certificate and private key of mycert. This p12 file is
> imported.
>
> When this connection is activated, Libreswan sends its certificate (because rightsendcert=always) in CERT payload however it does not send CERTREQ
> payload. Is there a way to instruct Libreswan to send CERTREQ payload?
Why does it need to send a CERTREQ? Does the other end not send any CERT
otherwise?
> Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #1: initiating v2 parent SA
> Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #1: local IKE proposals for radcert (IKE SA initiator selecting KE):
> 1:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048
> Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
> Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #1: local ESP/AH proposals for radcert (IKE SA initiator emitting ESP/AH proposals):
> 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
> Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=sha
> group=MODP2048}
> Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #2: IKEv2 mode peer ID is ID_USER_FQDN: 'libswan at xyz.com'
> Jul 14 22:06:51 [localhost] pluto[6672]: "radcert" #2: no RSA public key known for 'libswan at xyz.com' <-----------------------------------
Does the ID libswan at xyz.com appear as SAN on the certificate?
Perhaps you can run with plutodebug=all enabled so we can have a closer
look?
Paul
More information about the Swan-dev
mailing list