Discussion:
[strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert
Modster, Anthony
2018-11-15 00:36:15 UTC
Hello

If VPN tunnel 1 is started before VPN tunnel 2, then VPN tunnel 2 does not select the correct SCA cert during TLS EAP.

It does show the correct SCA cert during configuration.

VPN tunnel 1 is ok.

If VPN tunnel 2 is started before VPN tunnel 1, then both VPN tunnels are ok.

VPN tunnel 1: "user cert 1"->SCA 1->TA
VPN tunnel 2: "user cert 2"->SCA 4->TA
Note: TA is same for both VPN tunnels

VPN tunnel 1: left auth = pubkey
VPN tunnel 2: left auth = eap

strongSwan version: 5.5.1
VICI interface

Note: VPN tunnel 1 is up and ok



!!!Selected user cert is CN=TDY Test SCA 4

2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] certificate \"C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test SCA 4\" key: 2048 bit RSA
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] using trusted ca certificate \"C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test Root CA\"
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] checking certificate status of \"C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test SCA 4\"
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] ocsp check skipped, no ocsp found
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] fetching crl from \'http://www.carillon.ca/caops/TEST-cisRCA1.crl\' ...
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[LIB] unable to fetch from http://www.carillon.ca/caops/TEST-cisRCA1.crl, no capable fetcher found
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] crl fetching failed
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] certificate status is not available
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] certificate policy 1.3.6.1.4.1.25054.3.1.113 for \'C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=ELS-VPAPP-WGL08 - ID, OU=Devices, OU=Aircraft Operator Ground Stations, OU=Teledyne Controls\' not allowed by trustchain, ignored
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] certificate \"C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test Root CA\" key: 2048 bit RSA
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] reached self-signed root ca with a path length of 1
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[TLS] sending TLS peer certificate \'CN=RA00017.auth, O=Teledyne Controls Engineering, OU=Systems Engineering, C=US\'
!!! ? why did TLS send SCA 1 cert

2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[TLS] sending TLS intermediate certificate \'C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test SCA 1\'
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[IKE] reinitiating already active tasks
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[IKE] IKE_AUTH task
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[ENC] generating IKE_AUTH request 6 [ EAP/RES/TLS ]
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[NET] sending packet: from 10.29.232.184[4500] to 76.232.248.211[4500] (1112 bytes)
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 15[NET] received packet: from 76.232.248.211[4500] to 10.29.232.184[4500] (88 bytes)
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 15[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/TLS ]
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 15[IKE] reinitiating already active tasks
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 15[IKE] IKE_AUTH task
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 15[ENC] generating IKE_AUTH request 7 [ EAP/RES/TLS ]
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 15[NET] sending packet: from 10.29.232.184[4500] to 76.232.248.211[4500] (1112 bytes)
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 08[NET] received packet: from 76.232.248.211[4500] to 10.29.232.184[4500] (88 bytes)
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 08[ENC] parsed IKE_AUTH response 7 [ EAP/REQ/TLS ]
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 08[IKE] reinitiating already active tasks
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 08[IKE] IKE_AUTH task
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 08[ENC] generating IKE_AUTH request 8 [ EAP/RES/TLS ]
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 08[NET] sending packet: from 10.29.232.184[4500] to 76.232.248.211[4500] (1112 bytes)
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[NET] received packet: from 76.232.248.211[4500] to 10.29.232.184[4500] (88 bytes)
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[ENC] parsed IKE_AUTH response 8 [ EAP/REQ/TLS ]
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[IKE] reinitiating already active tasks
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[IKE] IKE_AUTH task
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[ENC] generating IKE_AUTH request 9 [ EAP/RES/TLS ]
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[NET] sending packet: from 10.29.232.184[4500] to 76.232.248.211[4500] (536 bytes)
2018 Nov 14 00:35:39+00:00 wglng-17 charon [info] 14[NET] received packet: from 76.232.248.211[4500] to 10.29.232.184[4500] (104 bytes)
2018 Nov 14 00:35:39+00:00 wglng-17 charon [info] 14[ENC] parsed IKE_AUTH response 9 [ EAP/REQ/TLS ]
2018 Nov 14 00:35:39+00:00 wglng-17 charon [info] 14[TLS] received fatal TLS alert \'access denied\'
2018 Nov 14 00:35:39+00:00 wglng-17 charon [info] 14[IKE] EAP_TLS method failed
2018 Nov 14 00:35:39+00:00 wglng-17 charon [info] 14[ENC] generating INFORMATIONAL request 10 [ N(AUTH_FAILED) ]

Thanks
Tobias Brunner
2018-11-16 09:44:49 UTC
Hi Anthony,
Post by Modster, Anthony
!!!Selected user cert is CN=TDY Test SCA 4
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] certificate \"C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test SCA 4\" key: 2048 bit RSA
That's the server's certificate, selected to verify the authentication.
Post by Modster, Anthony
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[TLS] sending TLS peer certificate \'CN=RA00017.auth, O=Teledyne Controls Engineering, OU=Systems Engineering, C=US\'
!!! ? why did TLS send SCA 1 cert
That certificate is selected based on the identity (whatever it is you
configured). If a private key is loaded for this key and identity, why
shouldn't it be selected?

Did you perhaps use the same key for different identities (or use the
same identity for different keys)? Also, what does your configuration
actually look like?

Regards,
Tobias
Modster, Anthony
2018-11-16 18:22:55 UTC
Hello Tobias

We are using VICI (not from configuration files), so I hope we're getting everything.

For this setup our credential directory looks like this
/media/sde1/certs/Org1:
Org1.chain Org1.crt Org1.key Org1.sca1 Org1.ta
/media/sde1/certs/Org2:
Org2.chain Org2.crt Org2.key Org2.sca2 Org2.ta

So we only load the "user cert" using VICI, we're letting charon select the correct key and sca.

Test 1, Org1/Org1.crt (196) and Org2/Org2.crt (211), when using this setup 196 VPN comes up and 211 VPN does not (incorrect SCA selected)
Test 2, Org2/Org2.crt (211), when using this setup 211 VPN does come up
Test 3, Org1/Org1.crt (211) and Org2/Org2.crt (196), when using this setup both 211 VPN and 196 VPN come up

I verified the keys are different, the "user certs" and SCA files are correct.
The log file indicates the correct "user certs" are used for each tunnel.

? what else should I check

Below is sample code:

#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <libvici.h> /* vici_* client API */
/* chunk_t, chunk_free() and streq() come from the libstrongswan headers */

/* load connection
 * returns: 0 = for ok, else 1
 * Note:
 * reference doc for swanctl.conf https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf
 * reference doc for ipsec.conf: config setup https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection
 * example config file /etc/swanctl/swanctl.conf
 */
int load_conn(vici_conn_t *conn, struct s_connection_parameters *param)
{
    vici_req_t *req;
    vici_res_t *res;
    int ret = 0;
    chunk_t cert;

    //load the user cert
    load_cert_from_file( param->local_cert, &cert );
    if( cert.ptr == NULL )
    {
        printf("load connection failed : error loading local cert.\n");
        return 1;
    }

    req = vici_begin("load-conn");

    vici_begin_section(req,param->conn_name);

    //connections.<conn>.version
    vici_add_key_valuef(req,"version","%s",param->ike_version);

    //connections.<conn>.local_addrs
    vici_begin_list(req,"local_addrs");
    vici_add_list_itemf(req,"%s",param->local_addrs);
    vici_end_list(req);

    //connections.<conn>.remote_addrs
    vici_begin_list(req,"remote_addrs");
    vici_add_list_itemf(req,"%s",param->remote_addrs);
    vici_end_list(req);

    //connections.<conn>.local_port
    //connections.<conn>.remote_port

    //connections.<conn>.proposals
    create_list_for_proposals( req, "proposals", param->proposals );

    //connections.<conn>.vips
    //note: allows the assignment of "virtual IP's" for local_ts and remote_ts
    vici_begin_list(req,"vips");
    vici_add_list_itemf(req,"%s","0.0.0.0");
    vici_end_list(req);

    //connections.<conn>.aggressive
    //connections.<conn>.pull
    //connections.<conn>.encap

    //we do not want to use mobike (no searching for other interfaces)
    //note: it is enabled by default
    //connections.<conn>.mobike
    //vici_add_key_valuef(req,"mobike","%s","no");
    vici_add_key_valuef(req,"mobike","%s",param->mobike);

    //connections.<conn>.dpd_delay
    //vici_add_key_valuef(req,"dpd_delay","%s","2s");
    vici_add_key_valuef(req,"dpd_delay","%s",param->dpd_delay);

    //connections.<conn>.dpd_timeout
    //connections.<conn>.fragmentation
    //connections.<conn>.send_certreq
    //connections.<conn>.send_cert

    /* connections.<conn>.keyingtries
     * Number of retransmission sequences to perform during initial connect.
     * Instead of giving up initiation after the first retransmission sequence with the default value of 1,
     * additional sequences may be started according to the configured value.
     * A value of 0 initiates a new sequence until the connection establishes or fails with a permanent error.
     */
    //vici_add_key_valuef(req,"keyingtries","%s","0");
    vici_add_key_valuef(req,"keyingtries","%s",param->keying_tries);

    //connections.<conn>.unique

    //connections.<conn>.reauth_time
    vici_add_key_valuef(req,"reauth_time","%s",param->ike_reauth_time);

    //connections.<conn>.rekey_time
    vici_add_key_valuef(req,"rekey_time","%s",param->ike_rekey_time);

    //connections.<conn>.over_time
    //connections.<conn>.rand_time
    //connections.<conn>.pools

    //Section for a local authentication round ( local<suffix>, the <suffix> is optional )
    vici_begin_section(req,"local");

    //connections.<conn>.local.round

    //connections.<conn>.local.certs
    vici_begin_list(req,"certs");
    vici_add_list_item(req, cert.ptr, cert.len);
    chunk_free(&cert);
    vici_end_list(req);

    //connections.<conn>.local.pubkeys

    //connections.<conn>.local.auth
    //vici_add_key_valuef(req,"auth","%s","eap"); //we're only using IKEv2 EAP
    //vici_add_key_valuef(req,"auth","%s","pubkey");
    vici_add_key_valuef(req,"auth","%s",param->left_auth);

    //connections.<conn>.local.id
    vici_add_key_valuef(req,"id","%s",param->local_id);

    //connections.<conn>.local.eap_id
    if( strlen( param->eap_id ) )
    {//eap_id is available
        vici_add_key_valuef(req,"eap_id","%s",param->eap_id);
    }

    //connections.<conn>.local.aaa_id
    //connections.<conn>.local.xauth_id

    vici_end_section(req); //section end for local

    //Section for a remote authentication round ( remote<suffix>, the <suffix> is optional )
    vici_begin_section(req,"remote");

    //connections.<conn>.remote.round

    //connections.<conn>.remote.id
    vici_add_key_valuef(req,"id","%s",param->remote_id);

    //connections.<conn>.remote.groups
    //connections.<conn>.remote.certs
    //connections.<conn>.remote.cacerts
    //connections.<conn>.remote.pubkeys

    //connections.<conn>.remote.revocation
    vici_add_key_valuef(req,"revocation","%s","relaxed");

    //connections.<conn>.remote.auth
    vici_add_key_valuef(req,"auth","%s","pubkey");

    vici_end_section(req); //section end for remote

    //CHILD_SA configuration sub-section ( <child> = <conn>, for now )
    vici_begin_section(req,"children");

    vici_begin_section(req,param->conn_name);

    //connections.<conn>.children.<child>.ah_proposals

    //connections.<conn>.children.<child>.esp_proposals
    create_list_for_proposals( req, "esp_proposals", param->esp_proposals );

    //connections.<conn>.children.<child>.local_ts
    //note: allow peer to set IP address and mask
    vici_begin_list(req,"local_ts");
    // vici_add_list_itemf(req,"%s","172.16.207.251");
    vici_add_list_itemf(req,"%s","dynamic");
    vici_end_list(req);

    //connections.<conn>.children.<child>.remote_ts
    //note: allow peer to set IP address and mask
    vici_begin_list(req,"remote_ts");
    //???tony, need to change because it could be a list (comma separated) child_remote_ts[BUF_LEN]
    if( strlen( param->child_remote_ts ) )
        vici_add_list_itemf(req,"%s",param->child_remote_ts);
    else
        vici_add_list_itemf(req,"%s","dynamic");
    // vici_add_list_itemf(req,"%s","172.16.207.150");
    // vici_add_list_itemf(req,"%s","0.0.0.0/0"); //for IPv4
    // vici_add_list_itemf(req,"%s","0.0.0.0/0,0::0"); //for IPv6
    // vici_add_list_itemf(req,"%s","dynamic");
    vici_end_list(req);

    //connections.<conn>.children.<child>.rekey_time
    vici_add_key_valuef(req,"rekey_time","%s",param->child_rekey_time);

    //connections.<conn>.children.<child>.life_time
    //connections.<conn>.children.<child>.rand_time
    //connections.<conn>.children.<child>.rekey_bytes
    //connections.<conn>.children.<child>.life_bytes
    //connections.<conn>.children.<child>.rand_bytes
    //connections.<conn>.children.<child>.rekey_packets
    //connections.<conn>.children.<child>.life_packets
    //connections.<conn>.children.<child>.rand_packets

    //connections.<conn>.children.<child>.updown
    vici_add_key_valuef(req,"updown","%s","/usr/lib32/ipsec/_updown_tdy.py");

    //connections.<conn>.children.<child>.hostaccess

    //connections.<conn>.children.<child>.mode
    vici_add_key_valuef(req,"mode","%s","tunnel");

    //connections.<conn>.children.<child>.dpd_action
    //vici_add_key_valuef(req,"dpd_action","%s","clear");
    //vici_add_key_valuef(req,"dpd_action","%s","restart");
    vici_add_key_valuef(req,"dpd_action","%s",param->child_dpd_action);

    //connections.<conn>.children.<child>.policies
    //connections.<conn>.children.<child>.dpd_action
    //connections.<conn>.children.<child>.ipcomp
    //connections.<conn>.children.<child>.inactivity
    //connections.<conn>.children.<child>.reqid
    //connections.<conn>.children.<child>.mark_in
    //connections.<conn>.children.<child>.mark_out
    //connections.<conn>.children.<child>.tfc_padding
    //connections.<conn>.children.<child>.replay_window
    //connections.<conn>.children.<child>.start_action
    //connections.<conn>.children.<child>.close_action

    vici_end_section(req); //section end for child / connection

    vici_end_section(req); //section end for child

    vici_end_section(req); //section end for connection

    //vici_submit() takes ownership of req
    res = vici_submit(req, conn);
    if( !res)
    {
        printf("load connection failed :%s \n", strerror(errno));
        return 1;
    }

    if (!streq(vici_find_str(res,"no","success"),"yes"))
    {
        printf("loading connection %s failed : %s \n", param->conn_name, vici_find_str(res,"","errmsg"));
        ret = 1;
    }
    else
    {
        printf("loaded connection %s \n", param->conn_name);
    }
    vici_free_res(res); //free the response on the failure path as well

    return ret;
}


Tobias Brunner
2018-11-19 10:59:30 UTC
Hi Anthony,
Post by Modster, Anthony
For this setup our credential directory looks like this
Org1.chain Org1.crt Org1.key Org1.sca1 Org1.ta
Org2.chain Org2.crt Org2.key Org2.sca2 Org2.ta
So we only load the "user cert" using VICI, we're letting charon select the correct key and sca.
Could you please provide more information on these certificate chains
(preferably the files themselves, but output from `pki --print` might
help too) and the configured certificates/identities (the code you added
is itself configured via `struct s_connection_parameters`).

Regards,
Tobias
Modster, Anthony
2018-11-26 23:46:18 UTC
Hello Tobias
Sorry for the late reply, I was on vacation.
Let me know if you get this email and all attachments.

Attached are the credentials in both locations on the target ".tar".

Also attached are the credentials dumped using "ipsec pki --print".

Provide certificates to strongswan
• swanctl.tar ipsecd.tar
More cert information
• ipsec pki --print -i /etc/swanctl/x509/Org1.crt
• ipsec pki --print -i /etc/swanctl/x509ca/Org1.sca1
• ipsec pki --print -i /etc/swanctl/x509ca/Org1.ta
• ipsec pki --print -i /etc/swanctl/x509/Org2.crt
• ipsec pki --print -i /etc/swanctl/x509ca/Org2.sca1
• ipsec pki --print -i /etc/swanctl/x509ca/Org2.ta
• https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPkiPrint
Debug for configured certificates/identities in struct s_connection_parameters
• vici_do_connect() conn_name=sgateway1-radio2 ike_version=2 local_addrs=10.20.64.145 remote_addrs=76.232.248.196 eap_id= proposals=aes256-sha512-sha384-ecp256-sha256-modp2048-prfsha1 ike_reauth_time=240m ike_rekey_time=0 local_cert=/etc/swanctl/x509/Org1.crt local_id=***@teledyne.com remote_id=C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=WGL196 - ID, OU=Devices, OU=Aircraft Operator Ground Stations, OU=Teledyne Controls esp_proposals=aes256-sha1 child_local_ts= child_remote_ts=80.80.80.15 child_rekey_time=0 left_auth=pubkey mobike=no dpd_delay=20s child_dpd_action=restart dpd_timeout= keying_tries=0
• vici_do_connect() conn_name=sgateway2-radio2 ike_version=2 local_addrs=10.20.64.145 remote_addrs=76.232.248.211 eap_id= proposals=aes256-sha384-modp2048 ike_reauth_time=240m ike_rekey_time=0 local_cert=/etc/swanctl/x509/Org2.crt local_id=***@teledyne.com remote_id=C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=ELS-VPAPP-WGL08 - ID, OU=Devices, OU=Aircraft Operator Ground Stations, OU=Teledyne Controls esp_proposals=aes256-sha256-sha1 child_local_ts= child_remote_ts=172.16.207.140 child_rekey_time=0 left_auth=eap mobike=no dpd_delay=20s child_dpd_action=restart dpd_timeout= keying_tries=0

Thanks

Tobias Brunner
2018-11-28 10:20:54 UTC
Hi Anthony,

As I suspected, you use the same identity for the two end-entity
ipsec pki --print -i /etc/swanctl/x509/Org1.crt
subject: "CN=RA00017.auth, ..."
issuer: "..., CN=TDY Test SCA 1"
...
...
ipsec pki --print -i /etc/swanctl/x509/Org2.crt
subject: "CN=RA00017.auth, ..."
issuer: "..., CN=TDY Test SCA 4"
...
...
The configured identity is ***@teledyne.com in both configs, that
you also configure a different certificate explicitly doesn't matter
because EAP-TLS currently doesn't use that setting (the lookup is done
based on the configured identity only). Certificate requests should be
considered, but if the cert request is for the root CA that won't help
(it might even depend on the order of the certificate requests if
multiple are received).

Regards,
Tobias
Modster, Anthony
2018-11-28 18:31:30 UTC
Hello Tobias

? can VICI be configured to load a specific SCA cert per VPN (would this help)

Tobias Brunner
2018-11-29 13:12:07 UTC
Hi Anthony,
Post by Modster, Anthony
? can VICI be configured to load a specific SCA cert per VPN (would this help)
That doesn't make a difference. As mentioned, only the identity is
relevant on the client. So unless you can get the server to send a TLS
certificate request only for a specific intermediate CA you can't
control the client's certificate selection if you use the same identity
for both end-entity certificates. Similarly, on the server side, where
strongSwan sends TLS certificate requests for all available CA
certificates (i.e. like the certs option, the cacerts option is only
relevant for IKE, not for EAP-TLS).

Regards,
Tobias
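
A simplified model of the identity-only credential lookup described in the replies above, added here as an example; it is not strongSwan code and not from any poster in this thread. The struct, the function names and the placeholder identity `client@example.org` are assumptions, while the issuer and root names are taken from the log. It shows why a certificate request naming the shared root CA cannot tell the two credentials apart, and a check that flags such identity collisions before deployment.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a loaded end-entity credential; not a strongSwan type. */
struct cred {
    const char *identity; /* identity the certificate and key are found under */
    const char *issuer;   /* issuing sub-CA (SCA) */
    const char *root;     /* trust anchor (TA) at the end of the chain */
};

/* Constructed store in load order: tunnel 1's credential, then tunnel 2's.
 * Issuer and root names are from the thread; the identity is a placeholder. */
static const struct cred STORE[] = {
    { "client@example.org", "TDY Test SCA 1", "TDY Test Root CA" },
    { "client@example.org", "TDY Test SCA 4", "TDY Test Root CA" },
};
#define STORE_LEN (sizeof(STORE) / sizeof(STORE[0]))

/* A chain satisfies a certificate request if any requested CA appears in it.
 * An empty request places no constraint on the chain. */
static int chain_matches(const struct cred *c,
                         const char *const *req, size_t n_req)
{
    size_t i;

    if (n_req == 0)
        return 1;
    for (i = 0; i < n_req; i++) {
        if (strcmp(req[i], c->issuer) == 0 || strcmp(req[i], c->root) == 0)
            return 1;
    }
    return 0;
}

/* Identity-only lookup (assumed first-match in load order): the first
 * credential with this identity whose chain satisfies the request.
 * No per-connection certificate setting is consulted. */
const struct cred *select_by_identity(const struct cred *store, size_t n,
                                      const char *identity,
                                      const char *const *req, size_t n_req)
{
    size_t i;

    for (i = 0; i < n; i++) {
        if (strcmp(store[i].identity, identity) == 0 &&
            chain_matches(&store[i], req, n_req))
            return &store[i];
    }
    return NULL;
}

/* Pre-deployment check: count credentials that share an identity with an
 * earlier-loaded credential but were issued by a different sub-CA. */
size_t count_identity_collisions(const struct cred *store, size_t n)
{
    size_t i, j, collisions = 0;

    for (i = 1; i < n; i++) {
        for (j = 0; j < i; j++) {
            if (strcmp(store[i].identity, store[j].identity) == 0 &&
                strcmp(store[i].issuer, store[j].issuer) != 0) {
                collisions++;
                break;
            }
        }
    }
    return collisions;
}

int main(void)
{
    const char *const root_req[] = { "TDY Test Root CA" };
    const char *const sca4_req[] = { "TDY Test SCA 4" };
    const struct cred *c;

    /* Request for the shared root: both chains match, first loaded wins. */
    c = select_by_identity(STORE, STORE_LEN, "client@example.org", root_req, 1);
    printf("request for root CA -> chain via %s\n", c ? c->issuer : "(none)");

    /* Request for the specific sub-CA: only tunnel 2's chain matches. */
    c = select_by_identity(STORE, STORE_LEN, "client@example.org", sca4_req, 1);
    printf("request for SCA 4   -> chain via %s\n", c ? c->issuer : "(none)");

    printf("identity collisions: %zu\n",
           count_identity_collisions(STORE, STORE_LEN));
    return 0;
}
```

In this model, giving each end-entity certificate its own identity makes the collision count zero and the lookup unambiguous regardless of load order.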

Modster, Anthony
2018-11-27 22:02:29 UTC
Hello Tobias
? did you get my last email with attachments

Modster, Anthony
2018-11-16 18:29:48 UTC
Hello Tobias
I forgot

Test 1, Org1/Org1.crt LeftAuth=pubkey (196) and Org2/Org2.crt LeftAuth=eap (211), when using this setup 196 VPN comes up and 211 VPN does not (incorrect SCA selected)
Test 2, Org2/Org2.crt LeftAuth=eap (211), when using this setup 211 VPN does come up
Test 3, Org1/Org1.crt LeftAuth=pubkey (211) and Org2/Org2.crt LeftAuth=eap (196), when using this setup both 211 VPN and 196 VPN come up
Test 4, Org1/Org1.crt LeftAuth=pubkey (196) and Org2/Org2.crt LeftAuth=pubkey (220), when using this setup 196 VPN and 220 VPN come up

It seems like when using TLS the selection of SCA is a problem

-----Original Message-----
From: Modster, Anthony
Sent: Friday, November 16, 2018 10:23 AM
To: 'Tobias Brunner' <***@strongswan.org>; ***@lists.strongswan.org
Subject: RE: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

Hello Tobais

We are using VICI (not from configuration files), so I hope were getting everything.

For this setup are credential directory looks like this
/media/sde1/certs/Org1:
Org1.chain Org1.crt Org1.key Org1.sca1 Org1.ta
/media/sde1/certs/Org2:
Org2.chain Org2.crt Org2.key Org2.sca2 Org2.ta

So we only load the "user cert" using VICI, were letting charon select the correct key and sca.

Test 1, Org1/Org1.crt (196) and Org2/Org2.crt (211), when using this setup 196 VPN comes up and 211 VPN does not (incorrect SCA selected)
Test 2, Org2/Org2.crt (211), when using this setup 211 VPN does come up
Test 3, Org1/Org1.crt (211) and Org2/Org2.crt (196), when using this setup both 211 VPN and 196 VPN and comes up

I verified the keys are different, the "user certs" and SCA files are the correct.
The log file indicates the correct "user certs" are used for each tunnel.

? what else should I check

Below is sample code:

/* load connection
* returns: 0 = for ok, else 1
* Note:
* reference doc for swanctl.conf https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf
* reference doc for ipsec.conf: config setup https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection
* example config file /etc/swanctl/swanctl.conf
*/
int load_conn(vici_conn_t *conn, struct s_connection_parameters *param) { vici_req_t *req; vici_res_t *res; int ret = 0; char buf[128] = { 0 }; int idx; chunk_t cert;

//load the user cert
load_cert_from_file( param->local_cert, &cert );
if( cert.ptr == NULL )
{
printf("load connection failed : error loading local cert.\n");
return 1;
}

req = vici_begin("load-conn");

vici_begin_section(req,param->conn_name);

//connections.<conn>.version
vici_add_key_valuef(req,"version","%s",param->ike_version);

//connections.<conn>.local_addrs
vici_begin_list(req,"local_addrs");
vici_add_list_itemf(req,"%s",param->local_addrs);
vici_end_list(req);

//connections.<conn>.remote_addrs
vici_begin_list(req,"remote_addrs");
vici_add_list_itemf(req,"%s",param->remote_addrs);
vici_end_list(req);

//connections.<conn>.local_port
//connections.<conn>.remote_port

//connections.<conn>.proposals
create_list_for_proposals( req, "proposals", param->proposals );

//connections.<conn>.vips
//note: allows the assignment of "virtual IP's" for local_ts and remote_ts
vici_begin_list(req,"vips");
vici_add_list_itemf(req,"%s","0.0.0.0");
vici_end_list(req);

//connections.<conn>.aggressive
//connections.<conn>.pull
//connections.<conn>.encap

//we do not want to use mobike (no searching for other interfaces)
//note: it is enabled by default
//connections.<conn>.mobike
//vici_add_key_valuef(req,"mobike","%s","no");
vici_add_key_valuef(req,"mobike","%s",param->mobike);

//connections.<conn>.dpd_delay
//vici_add_key_valuef(req,"dpd_delay","%s","2s");
vici_add_key_valuef(req,"dpd_delay","%s",param->dpd_delay);

//connections.<conn>.dpd_timeout
//connections.<conn>.fragmentation
//connections.<conn>.send_certreq
//connections.<conn>.send_cert

/* connections.<conn>.keyingtries
* Number of retransmission sequences to perform during initial connect.
* Instead of giving up initiation after the first retransmission sequence with the default value of 1,
* additional sequences may be started according to the configured value.
* A value of 0 initiates a new sequence until the connection establishes or fails with a permanent error.
*/
//vici_add_key_valuef(req,"keyingtries","%s","0");
vici_add_key_valuef(req,"keyingtries","%s",param->keying_tries);

//connections.<conn>.unique

//connections.<conn>.reauth_time
vici_add_key_valuef(req,"reauth_time","%s",param->ike_reauth_time);

//connections.<conn>.rekey_time
vici_add_key_valuef(req,"rekey_time","%s",param->ike_rekey_time);

//connections.<conn>.over_time
//connections.<conn>.rand_time
//connections.<conn>.pools

//Section for a local authentication round ( local<suffix>, the <suffix> is optional )
vici_begin_section(req,"local");

//connections.<conn>.local.round

//connections.<conn>.local.certs
vici_begin_list(req,"certs");
vici_add_list_item(req, cert.ptr, cert.len);
chunk_free(&cert);
vici_end_list(req);

//connections.<conn>.local.pubkeys

//connections.<conn>.local.auth
//vici_add_key_valuef(req,"auth","%s","eap"); //were only using IKEv2 EAP
//vici_add_key_valuef(req,"auth","%s","pubkey");
vici_add_key_valuef(req,"auth","%s",param->left_auth);

//connections.<conn>.local.id
vici_add_key_valuef(req,"id","%s",param->local_id);

//connections.<conn>.local.eap_id
if( strlen( param->eap_id ) )
{//eap_id is available
vici_add_key_valuef(req,"eap_id","%s",param->eap_id);
}

//connections.<conn>.local.aaa_id
//connections.<conn>.local.xauth_id

vici_end_section(req); //section end for local

//Section for a remote authentication round ( remote<suffix>, the <suffix> is optional )
vici_begin_section(req,"remote");

//connections.<conn>.remote.round

//connections.<conn>.remote.id
vici_add_key_valuef(req,"id","%s",param->remote_id);

//connections.<conn>.remote.groups
//connections.<conn>.remote.certs
//connections.<conn>.remote.cacerts
//connections.<conn>.remote.pubkeys

//connections.<conn>.remote.revocation
vici_add_key_valuef(req,"revocation","%s","relaxed");

//connections.<conn>.remote.auth
vici_add_key_valuef(req,"auth","%s","pubkey");

vici_end_section(req); //section end for remote

//CHILD_SA configuration sub-section ( <child> = <conn>, for now )
vici_begin_section(req,"children");

vici_begin_section(req,param->conn_name);

//connections.<conn>.children.<child>.ah_proposals

//connections.<conn>.children.<child>.esp_proposals
create_list_for_proposals( req, "esp_proposals", param->esp_proposals );

//connections.<conn>.children.<child>.local_ts
//note: allow peer to set IP address and mask
vici_begin_list(req,"local_ts");
// vici_add_list_itemf(req,"%s","172.16.207.251");
vici_add_list_itemf(req,"%s","dynamic");
vici_end_list(req);

//connections.<conn>.children.<child>.remote_ts
//note: allow peer to set IP address and mask
vici_begin_list(req,"remote_ts"); //???tony, need to change because it could be a list (comma separated) child_remote_ts[BUF_LEN]
if( strlen( param->child_remote_ts ) )
vici_add_list_itemf(req,"%s",param->child_remote_ts);
else
vici_add_list_itemf(req,"%s","dynamic");
// vici_add_list_itemf(req,"%s","172.16.207.150");
// vici_add_list_itemf(req,"%s","0.0.0.0/0"); //for IPv4
// vici_add_list_itemf(req,"%s","0.0.0.0/0,0::0"); //for IPv6
// vici_add_list_itemf(req,"%s","dynamic");
vici_end_list(req);

//connections.<conn>.children.<child>.rekey_time
vici_add_key_valuef(req,"rekey_time","%s",param->child_rekey_time);

//connections.<conn>.children.<child>.life_time
//connections.<conn>.children.<child>.rand_time
//connections.<conn>.children.<child>.rekey_bytes
//connections.<conn>.children.<child>.life_bytes
//connections.<conn>.children.<child>.rand_bytes
//connections.<conn>.children.<child>.rekey_packets
//connections.<conn>.children.<child>.life_packets
//connections.<conn>.children.<child>.rand_packets

//connections.<conn>.children.<child>.updown
vici_add_key_valuef(req,"updown","%s","/usr/lib32/ipsec/_updown_tdy.py");

//connections.<conn>.children.<child>.hostaccess

//connections.<conn>.children.<child>.mode
vici_add_key_valuef(req,"mode","%s","tunnel");

//connections.<conn>.children.<child>.dpd_action
//vici_add_key_valuef(req,"dpd_action","%s","clear");
//vici_add_key_valuef(req,"dpd_action","%s","restart");
vici_add_key_valuef(req,"dpd_action","%s",param->child_dpd_action);

//connections.<conn>.children.<child>.policies
//connections.<conn>.children.<child>.dpd_action
//connections.<conn>.children.<child>.ipcomp
//connections.<conn>.children.<child>.inactivity
//connections.<conn>.children.<child>.reqid
//connections.<conn>.children.<child>.mark_in
//connections.<conn>.children.<child>.mark_out
//connections.<conn>.children.<child>.tfc_padding
//connections.<conn>.children.<child>.replay_window
//connections.<conn>.children.<child>.start_action
//connections.<conn>.children.<child>.close_action

vici_end_section(req); //section end for child / connection

vici_end_section(req); //section end for child

vici_end_section(req); //section end for connection

res = vici_submit(req, conn);
if( !res)
{
printf("load connection failed :%s \n", strerror(errno));
return 1;
}

if (!streq(vici_find_str(res,"no","success"),"yes"))
{
printf("loading connection %s failed : %s \n", "myserver", vici_find_str(res,"","errmsg"));
vici_free_res(res); //release the response on the failure path as well (after errmsg has been printed)
return 1;
}
else
{
printf("loaded connection %s \n","myserver");
vici_free_res(res);
}

return 0;
}


-----Original Message-----
From: Tobias Brunner <***@strongswan.org>
Sent: Friday, November 16, 2018 1:45 AM
To: Modster, Anthony <***@Teledyne.com>; ***@lists.strongswan.org
Subject: Re: [strongSwan] VPN tunnel using TLS EAP is using wrong SCA cert

Hi Anthony,
Post by Modster, Anthony
!!!Selected user cert is CN=TDY Test SCA 4
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[CFG] certificate \"C=US, O=Teledyne Controls Engineering, OU=Systems Engineering, CN=TDY Test SCA 4\" key: 2048 bit RSA
That's the server's certificate, selected to verify the authentication.
Post by Modster, Anthony
2018 Nov 14 00:35:36+00:00 wglng-17 charon [info] 06[TLS] sending TLS peer certificate \'CN=RA00017.auth, O=Teledyne Controls Engineering, OU=Systems Engineering, C=US\'
!!! ? why did TLS send SCA 1 cert
That certificate is selected based on the identity (whatever it is you configured). If a private key is loaded for this key and identity, why shouldn't it be selected?

Did you perhaps use the same key for different identities (or use the same identity for different keys)? Also, how does your configuration
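The two situations asked about in the reply above (one identity backed by different keys, or one key used under different identities) can be checked across all loaded connections before any tunnel is started. The following is an added example, not code from the thread or from strongSwan; the struct, the function names and the sample values are constructed, and it assumes identities and key identifiers can be compared as exact strings.

```c
#include <stdio.h>
#include <string.h>

/* One loaded credential; hypothetical struct, not a strongSwan type. */
struct cred {
    const char *conn;     /* connection the cert/key pair belongs to */
    const char *identity; /* identity it authenticates (local id / eap_id) */
    const char *key_id;   /* stable key identifier, e.g. a fingerprint */
};
enum clash { CLASH_NONE, SAME_ID_OTHER_KEY, SAME_KEY_OTHER_ID };

/* Classify a pair by exact string comparison (an assumption of this example). */
static enum clash classify(const struct cred *a, const struct cred *b)
{
    int same_id = strcmp(a->identity, b->identity) == 0;
    int same_key = strcmp(a->key_id, b->key_id) == 0;
    if (same_id != same_key)
        return same_id ? SAME_ID_OTHER_KEY : SAME_KEY_OTHER_ID;
    return CLASH_NONE;
}

/* Count pairs of the given kind across different connections; print them if out is set. */
static int count_clashes(const struct cred *c, size_t n, enum clash kind, FILE *out)
{
    int found = 0;
    for (size_t i = 0; kind != CLASH_NONE && i < n; i++)
        for (size_t j = i + 1; j < n; j++) {
            if (!strcmp(c[i].conn, c[j].conn) || classify(&c[i], &c[j]) != kind)
                continue;
            found++;
            if (out)
                fprintf(out, "%s / %s: %s\n", c[i].conn, c[j].conn,
                        kind == SAME_ID_OTHER_KEY ? "same identity, different keys"
                                                  : "same key, different identities");
        }
    return found;
}

/* Constructed sample: tunnel1/tunnel2 share an identity, tunnel2/tunnel3 share a key. */
static const struct cred sample[] = {
    { "tunnel1", "device-a.example.test", "key-1111" },
    { "tunnel2", "device-a.example.test", "key-4444" },
    { "tunnel3", "device-b.example.test", "key-4444" },
};

int main(void)
{
    size_t n = sizeof(sample) / sizeof(sample[0]);
    int by_id = count_clashes(sample, n, SAME_ID_OTHER_KEY, stdout);
    int by_key = count_clashes(sample, n, SAME_KEY_OTHER_ID, stdout);
    return (by_id + by_key) > 0; /* non-zero exit when any clash exists */
}
```
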