[Swan] Question with IKEv2 VPN server for road warrior setup with pubkey

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Tue Jan 4 10:17:35 EET 2022


Hi all,

I have been asking about IKEv1 that did not work, but it was the ISP 
firewall issue. Then I promised that I would test IKEv2 as a better 
option once IKEv1 was working.

However, I ran into basic problems with certs.

I have a couple of questions:

1. I have added:

     pfs=yes
     type=tunnel

to my IKEv1 configuration, as Paul asserted there are issues with the 
transport mode connection. Is that legal? I can't see much from 
Googling, as the libreswan doc site example also uses transport mode.

2. Regarding my IKEv2 connection attempt, it seems that NSS is unable to 
find the CA cert, but it appears to be in the key store:

root at domac:~# certutil -L -d sql:/var/lib/ipsec/nss

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

vpn.alu.hr                                                   u,u,u
ALU-UNIZG CA                                                 ,,
root at domac:~#

The SA proposal seems to be accepted, but NSS can't find the cert that 
is in the store:

Jan  4 08:51:28.723966: | accepted IKE proposal ikev2_proposal: 
2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048
Jan  4 08:51:28.737919: | NSS: locating CA cert 'CN=ALU-UNIZG CA, 
O=Akademija likovnih umjetnosti, L=Zagreb, C=HR' for CERTREQ using 
CERT_FindCertByName() failed: SEC_ERROR 35 (0x23): Certificate extension 
not found.
Jan  4 08:51:28.788515: | NSS: locating CA cert 'CN=ALU-UNIZG CA, 
O=Akademija likovnih umjetnosti, L=Zagreb, C=HR' for CERTREQ using 
CERT_FindCertByName() failed: error code not saved by NSS

It seems obvious that the "ALU-UNIZG CA" is in the NSS store, so I wonder 
what I am doing wrong?

I have generated the cert pair according to the instructions here:

https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2

Any idea might be welcome, as I've even read the IKEv2 RFC but I seem to 
be stuck in this NSS issue ...

Kind regards,
Mirsad

--
Mirsad Goran Todorovac
CARNet system engineer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
-- 
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
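Added example (not from Mirsad's post and not libreswan's own code): a POSIX shell check, run here against a constructed copy of the certutil listing above, that reports whether a CA nickname carries the C flag in the SSL trust column; the ",," shown for "ALU-UNIZG CA" means no trust flags are set, which is one of the first things worth verifying when NSS will not use a CA. The database path and nicknames come from the post; the function names and the sample listings are assumptions.

```shell
#!/bin/sh
# Constructed sample mirroring the poster's listing; not captured from their host.
SAMPLE_LIST='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

vpn.alu.hr                                                   u,u,u
ALU-UNIZG CA                                                 ,,'

# Same listing after `certutil -M -t "CT,,"` on the CA entry (also constructed).
SAMPLE_LIST_FIXED='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

vpn.alu.hr                                                   u,u,u
ALU-UNIZG CA                                                 CT,,'

# Reads `certutil -L` output on stdin. Returns 0 if NICK's SSL trust column
# contains C (valid CA), 1 if NICK is listed without it, 2 if NICK is absent.
ca_is_trusted() {
  nick="$1"
  found=$(awk -v nick="$nick" '
    /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || NF == 0 { next }
    {
      attrs = $NF
      name = $0
      sub(/ +[^ ]+$/, "", name)   # strip the trailing trust-attribute column
      sub(/^ +/, "", name)
      if (name == nick) { print "found:" attrs; exit }
    }')
  [ -n "$found" ] || return 2
  ssl=${found#found:}
  ssl=${ssl%%,*}                  # SSL flags are the first comma-separated field
  case "$ssl" in
    *C*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Audit a live database, e.g.: audit_nss_ca /var/lib/ipsec/nss 'ALU-UNIZG CA'
audit_nss_ca() {
  dbdir="$1"; nick="$2"; rc=0
  certutil -L -d "sql:$dbdir" | ca_is_trusted "$nick" || rc=$?
  case $rc in
    0) echo "OK: '$nick' carries the C trust flag" ;;
    1) echo "WARN: '$nick' is present but not trusted as a CA; consider:"
       echo "  certutil -M -d sql:$dbdir -n '$nick' -t 'CT,,'" ;;
    *) echo "WARN: '$nick' not found in $dbdir" ;;
  esac
}
```

The `-M -t` form only changes trust flags on an entry that is already in the database; a CA that is not listed at all has to be imported first.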