Discussion:
[strongSwan-dev] What triggers StrongSwan to include CERTREQ in the SA_INIT response?
Alan Evans
2017-09-07 14:43:49 UTC
Hello Devs,

Can anyone shed some light on my problem?

I have 2 StrongSwan VPN gateways both running very similar software and
very similar configuration. (I've tried 5.0.1 and 5.5.0)

One GW includes a CERTREQ in the SA_INIT response whilst the other one
does not.
If the GW includes the CERTREQ then the client provides the CERT in the
subsequent AUTH and the client is successfully authenticated.
If the GW does not include the CERTREQ then the client does *not* provide
the CERT and the authentication fails with the error: "no trusted RSA
public key found"

Not Working:
parsed     IKE_SA_INIT request 0  [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N((16430)) N((16431)) N(REDIR_SUP) ]
generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(HASH_ALG) N(MULT_AUTH) ]
parsed     IKE_AUTH request 1  [ IDi N(INIT_CONTACT) CERTREQ AUTH
CP(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP)
N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]

Working:
parsed IKE_SA_INIT request 0  [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N((16430)) N((16431)) N(REDIR_SUP) ]
generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
*CERTREQ *N(MULT_AUTH) ]
parsed IKE_AUTH request 1 [ IDi *CERT *N(INIT_CONTACT) CERTREQ AUTH
CP(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP)
N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]

Any ideas what triggers the GW to include the CERTREQ? I've been playing
with the sendcert attributes but it doesn't seem to help.

Many thanks for reading

Alan.


---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
Tobias Brunner
2017-09-08 08:43:03 UTC
Hi Alan,
Post by Alan Evans
Any ideas what triggers the GW to include the CERTREQ? I've been playing
with the sendcert attributes but it doesn't seem to help.
Yep, that's the one.

Regards,
Tobias
Alan Evans
2017-09-08 09:16:06 UTC
Hi Tobias,
Post by Tobias Brunner
Hi Alan,
Post by Alan Evans
Any ideas what triggers the GW to include the CERTREQ? I've been playing
with the sendcert attributes but it doesn't seem to help.
Yep, that's the one.
I've fixed the problem and the solution was very surprising, for me at
least.
The problem was due to the location of the conn section in the
ipsec.conf file.

If the conn section immediately follows the default section then it
works as expected, the server includes the CERTREQ in the SA_INIT response.
If, however, there are other conn sections in between then it fails, the
server does *not* include the CERTREQ in the SA_INIT response.

All I did was move the conn section. It feels like a bug to me.

regards
Alan

Tobias Brunner
2017-09-08 09:53:34 UTC
Hi Alan,
Post by Alan Evans
If the conn section immediately follows the default section then it
works as expected, the server includes the CERTREQ in the SA_INIT response.
If, however, there are other conn sections in between then it fails, the
server does *not* include the CERTREQ in the SA_INIT response.
All I did was move the conn section. It feels like a bug to me.
When processing an IKE_SA_INIT, a preliminary config is selected based on
the IP addresses. If there are multiple configs that match equally well,
the first one is used. And if requesting certificates is disabled in
that config, no CERTREQs will be sent.

Regards,
Tobias
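The selection rule Tobias describes (pick a config by IP addresses before the peer has identified itself, take the first of any that match equally well, and let that config's certificate-request setting decide whether CERTREQ goes into the IKE_SA_INIT response) is easy to reproduce as a small model. The following is a constructed Python example, not strongSwan's own code or its real matching logic, which scores far more than addresses. It assumes that `rightsendcert=never` (alias `no`) is the ipsec.conf setting that disables certificate requests, in line with Tobias confirming sendcert as the knob; the conn names and addresses are made up.

```python
"""Constructed model (not strongSwan source) of how a gateway picks a
preliminary config for an incoming IKE_SA_INIT.

At IKE_SA_INIT time the initiator has not sent its identity yet, so only the
local and remote IP addresses can be used to choose a conn. When several conn
sections match the addresses equally well, the first one in file order wins,
and that conn's certificate-request setting decides whether the response
carries a CERTREQ payload.
"""
import ipaddress
import re

DEFAULT_SECTION = "%default"


def parse_ipsec_conf(text):
    """Parse the small subset of ipsec.conf used here: `conn NAME` headers
    followed by key=value lines, with `#` comments. Returns [(name, settings)]
    in file order, with `conn %default` values applied to every other conn."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^conn\s+(\S+)$", line)
        if header:
            current = (header.group(1), {})
            sections.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[1][key.strip()] = value.strip()
    defaults = next((s for n, s in sections if n == DEFAULT_SECTION), {})
    return [(n, {**defaults, **s}) for n, s in sections if n != DEFAULT_SECTION]


def address_match(spec, addr):
    """Score a left=/right= spec against a concrete address:
    0 = no match, 1 = wildcard (%any), 2 = exact host address."""
    if spec == "%any":
        return 1
    try:
        return 2 if ipaddress.ip_address(spec) == ipaddress.ip_address(addr) else 0
    except ValueError:
        return 0  # hostnames are not resolved in this model


def select_config(conns, local_ip, remote_ip):
    """Return the (name, settings) of the best-matching conn. The strict '>'
    keeps the first conn among those that score equally, which is the
    file-order effect described in the thread."""
    best, best_score = None, 0
    for name, settings in conns:
        l_score = address_match(settings.get("left", "%any"), local_ip)
        r_score = address_match(settings.get("right", "%any"), remote_ip)
        if l_score and r_score and l_score + r_score > best_score:
            best, best_score = (name, settings), l_score + r_score
    return best


def sends_certreq(settings):
    """Assumed mapping: rightsendcert=never (alias: no) disables certificate
    requests to the peer; ifasked/always/yes leave them enabled."""
    return settings.get("rightsendcert", "ifasked") not in ("never", "no")


def ike_sa_init_certreq(conf_text, local_ip, remote_ip):
    """For an IKE_SA_INIT from remote_ip to local_ip, return the name of the
    preliminary conn and whether the response will include a CERTREQ."""
    chosen = select_config(parse_ipsec_conf(conf_text), local_ip, remote_ip)
    if chosen is None:
        return (None, False)
    name, settings = chosen
    return (name, sends_certreq(settings))


# Constructed ipsec.conf fragments. Both client conns inherit the %default
# addresses, so an unknown initiator matches them equally well and only
# file order decides; pinned-peer has an exact right= and wins regardless.
DEFAULT = "conn %default\n    keyexchange=ikev2\n    left=203.0.113.1\n    right=%any\n"
PSK = "conn psk-clients\n    rightauth=psk\n    rightsendcert=never   # never wants the peer's cert\n"
CERT = "conn cert-clients\n    rightauth=pubkey\n    rightsendcert=ifasked\n"
PINNED = "conn pinned-peer\n    right=198.51.100.7\n    rightauth=pubkey\n    rightsendcert=ifasked\n"
CONF_BROKEN = DEFAULT + PSK + CERT + PINNED  # cert-clients sits behind psk-clients
CONF_FIXED = DEFAULT + CERT + PSK + PINNED   # cert-clients moved up to follow %default

if __name__ == "__main__":
    for label, conf in (("broken order", CONF_BROKEN), ("fixed order", CONF_FIXED)):
        for peer in ("198.51.100.8", "198.51.100.7"):
            name, certreq = ike_sa_init_certreq(conf, "203.0.113.1", peer)
            print(f"{label}: peer {peer} -> conn {name}, CERTREQ {'sent' if certreq else 'omitted'}")
```

The practical check this suggests: whenever several conn sections share the same left/right addresses, treat the first of them as the one the gateway will apply at IKE_SA_INIT and confirm it by looking for CERTREQ in the `generating IKE_SA_INIT response` log line, as in the working and non-working traces above.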
Alan Evans
2017-09-08 11:43:49 UTC
Hi Tobias,
Post by Tobias Brunner
And if requesting certificates is disabled in
that config no CERTREQs will be sent.
Many thanks for explaining this, you learn something new every day.

Alan


