
I am trying to create an X.509-based tunnel using a self-signed CA certificate.

I am building the solution on AWS. The VPN gateways are Debian Stretch machines (Linux ip-10-0-0-208 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u3 (2018-08-19) x86_64 GNU/Linux), and the strongSwan version is Linux strongSwan U5.5.1/K4.9.0-8-amd64.

First I created just the raw RSA key tunnel, using for the east gateway:

openssl genrsa -out us-east-a1.key 4096
openssl rsa -in us-east-a1.key -pubout > us-east-a1.pub

and I created the same kind of keys for the west gateway. Then I copied the public keys to both gateways and created the ipsec.conf and ipsec.secrets config files.

This configuration is working without any problem.

Now I am trying to make a configuration which uses CA certificates, and that one does not establish the connection.

I purged the certificates and IKE SAs using

ipsec purgecerts
ipsec purgeike

so there are no leftovers in the IPsec cache; I also stopped both ipsec and strongswan.

Then I created the CA master key, then the root CA certificate, then RSA certificates (private/public) for both the west gateway and the east gateway.

After that, I created new ipsec.conf and ipsec.secrets files on both gateways.

After starting the tunnel on both sides with

systemctl restart networking
systemctl start ipsec
systemctl start strongswan

I ran the command

ipsec statusall

and this is the output:

Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-9-amd64, x86_64):

uptime: 45 minutes, since Aug 11 13:41:48 2019
malloc: sbrk 1486848, mmap 0, used 415232, free 1071616
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
10.1.2.250
Connections:
tunnel-east: 54.88.xxx.yyy...13.57.zz.dd IKEv2, dpddelay=30s
tunnel-east: local: [C=DE, O=Orgname, CN=east-ssw-gateway] uses public key authentication
tunnel-east: remote: [C=DE, O=Orgname, CN=west-ssw-gateway] uses public key authentication
tunnel-east: child: 10.1.0.0/16 === 10.0.0.0/16 TUNNEL, dpdaction=restart
Security Associations (0 up, 1 connecting):
tunnel-east[1]: CONNECTING, 54.88.xxx.yyy[%any]...13.57.zz.dd[%any]
tunnel-east[1]: IKEv2 SPIs: a157af3c58009cd8_i* 0000000000000000_r
tunnel-east[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE

My ipsec.conf on "west" looks like this:

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn %default

conn tunnel-west
    left=13.57.zz.dd
    leftsubnet=10.0.0.0/16
    right=54.88.xxx.yyy
    rightsubnet=10.1.0.0/16
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    authby=pubkey
    auto=start
    keyexchange=ikev2
    type=tunnel
    leftrsasigkey=vpn-west-public-certificate.pem
    rightrsasigkey=vpn-east-public-certificate.pem
    leftid="C=DE, O=Orgname, CN=west-ssw-gateway"
    rightid="C=DE, O=Orgname, CN=east-ssw-gateway"

include /var/lib/strongswan/ipsec.conf.inc

The ipsec.secrets on "west" looks like this:

include /var/lib/strongswan/ipsec.secrets.inc

: RSA vpn-west-private-key.pem

My ipsec.conf on "east" looks like this:

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn %default

conn tunnel-east
    left=54.88.xxx.yyy
    leftsubnet=10.1.0.0/16
    right=13.57.zz.dd
    rightsubnet=10.0.0.0/16
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    authby=pubkey
    auto=start
    keyexchange=ikev2
    type=tunnel
    leftrsasigkey=vpn-east-public-certificate.pem
    rightrsasigkey=vpn-west-public-certificate.pem
    leftid="C=DE, O=Orgname, CN=east-ssw-gateway"
    rightid="C=DE, O=Orgname, CN=west-ssw-gateway"

include /var/lib/strongswan/ipsec.conf.inc

The ipsec.secrets on "east" looks like this:

include /var/lib/strongswan/ipsec.secrets.inc

: RSA vpn-east-private-key.pem

On both sides I get:

Security Associations (0 up, 1 connecting):

Any idea what I am making wrong?

As A.B suggested, I added leftca=, without any change.

Here is the charon.log:

2019-08-11T17:34:27+0000 04[NET] error writing to socket: Invalid argument
2019-08-11T17:34:27+0000 01[JOB] next event in 3s 999ms, waiting
2019-08-11T17:34:27+0000 10[MGR] checkin IKE_SA tunnel-east[1]
2019-08-11T17:34:27+0000 10[MGR] checkin of IKE_SA successful
2019-08-11T17:34:31+0000 01[JOB] got event, queuing job for execution
2019-08-11T17:34:31+0000 01[JOB] next event in 999ms, waiting
2019-08-11T17:34:31+0000 12[MGR] checkout IKEv2 SA with SPIs 3dbe135f4a4d8d96_i 0000000000000000_r
2019-08-11T17:34:31+0000 12[MGR] IKE_SA tunnel-east[1] successfully checked out
2019-08-11T17:34:31+0000 12[IKE] retransmit 1 of request with message ID 0
2019-08-11T17:34:31+0000 12[NET] sending packet: from 54.88.xxx.yyy[500] to 13.57.zz.dd[500] (336 bytes)
2019-08-11T17:34:31+0000 12[MGR] checkin IKE_SA tunnel-east[1]
2019-08-11T17:34:31+0000 12[MGR] checkin of IKE_SA successful
2019-08-11T17:34:31+0000 04[NET] sending packet: from 54.88.xxx.yyy[500] to 13.57.zz.dd[500]
2019-08-11T17:34:31+0000 04[NET] error writing to socket: Invalid argument
2019-08-11T17:34:31+0000 01[JOB] next event in 998ms, waiting
2019-08-11T17:34:32+0000 01[JOB] got event, queuing job for execution
2019-08-11T17:34:32+0000 01[JOB] next event in 6s 200ms, waiting
2019-08-11T17:34:32+0000 13[MGR] checkout IKEv2 SA with SPIs 3dbe135f4a4d8d96_i 0000000000000000_r
2019-08-11T17:34:32+0000 13[MGR] IKE_SA tunnel-east[1] successfully checked out
2019-08-11T17:34:32+0000 13[IKE] retransmit 2 of request with message ID 0
2019-08-11T17:34:32+0000 13[NET] sending packet: from 54.88.xxx.yyy[500] to 13.57.zz.dd[500] (336 bytes)
2019-08-11T17:34:32+0000 13[MGR] checkin IKE_SA tunnel-east[1]
2019-08-11T17:34:32+0000 13[MGR] checkin of IKE_SA successful
2019-08-11T17:34:32+0000 04[NET] sending packet: from 54.88.xxx.yyy[500] to 13.57.zz.dd[500]
2019-08-11T17:34:32+0000 04[NET] error writing to socket: Invalid argument

So it looks like writing to the socket is not working.

That could mean that the packet is not able to leave the server!

Here is the interface listing:

root@ip-10-1-2-250:/var/log# ip a

1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 12:09:c3:5b:9c:78 brd ff:ff:ff:ff:ff:ff
    inet 10.1.2.250/24 brd 10.1.2.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::1009:c3ff:fe5b:9c78/64 scope link
       valid_lft forever preferred_lft forever

It is clear that the AWS public IP (EIP) is not configured directly on the interface; that could be the reason.

So, how can I solve that situation?

klaus
  • I don't see any leftca= etc. directive. Look at https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection and look for `left|rightca`. Increasing charon's log level would probably help too – A.B Aug 11 '19 at 16:12
  • I added leftca; should I add rightca as well? There is no difference with just leftca. – klaus Aug 11 '19 at 16:40
  • I tried the solution from https://serverfault.com/questions/699741/strongswan-vpn-tunnel-between-two-aws-instances-wont-connect, but since I am using CA authentication it is not working. – klaus Aug 11 '19 at 18:26
  • I managed to make it work by playing with the parameters; since I changed a few of them, I need to check which one really made it work. – klaus Aug 14 '19 at 11:36

0 Answers
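Since the question has no answer, here is an added example, written for this page and not code from the poster or from the strongSwan project, of the certificate-based setup the question is trying to reach. It builds a private CA and one certificate per gateway with openssl, checks with `openssl verify` that each gateway certificate chains to the CA and that a certificate with the identical DN issued by a different CA does not (that is the trust decision charon makes against /etc/ipsec.d/cacerts; a matching leftid/rightid by itself proves nothing), copies the files into strongSwan's directory layout, and prints an ipsec.conf that uses leftcert= and rightca= instead of leftrsasigkey/rightrsasigkey, which are for raw public keys rather than certificates. It also sets left= to the address that is actually on eth0 (10.1.2.250 in the `ip a` output), keeping the EIP only in the peer's right=: charon sends from the address configured as left=, and the repeated "error writing to socket: Invalid argument" in the log is what it reports when that address is not present on any interface, the same situation as in the serverfault thread linked in the comments. The scratch directory, the CA name, the 2048-bit keys used for the quick check, the modp2048 DH group and the config file layout are assumptions; the gateway CNs and subnets are the question's.

```shell
#!/bin/sh
# Added example (not from the post): private CA, per-gateway certificates,
# chain check, and strongSwan file layout for certificate authentication.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)
KEYBITS="${KEYBITS:-4096}"     # the post uses 4096-bit RSA

# Minimal openssl.cnf so "openssl req" does not depend on the system config.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME CN: self-signed root CA. Keep this key off the gateways.
make_ca() {
  openssl genrsa -out "$WORK/$1.key" "$KEYBITS" 2>/dev/null
  openssl req -x509 -new -config "$WORK/req.cnf" -key "$WORK/$1.key" -sha256 \
    -days 3650 -subj "/C=DE/O=Orgname/CN=$2" -out "$WORK/$1.crt"
}

# make_gw_cert NAME CN CA: end-entity certificate whose DN becomes leftid/rightid.
make_gw_cert() {
  openssl genrsa -out "$WORK/$1.key" "$KEYBITS" 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/$1.key" \
    -subj "/C=DE/O=Orgname/CN=$2" -out "$WORK/$1.csr"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:%s\n' "$2" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 730 -sha256 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# verify_chain CA NAME: exit 0 only if NAME.crt was issued by CA.crt. This is the
# check charon performs with the CA in ipsec.d/cacerts; the DN alone is not trust.
verify_chain() { openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; }

# install_gateway NAME CA ROOT: strongSwan's on-disk layout under ROOT (use / on
# the real gateway). leftcert= resolves relative to ipsec.d/certs and the
# ": RSA" entry in ipsec.secrets relative to ipsec.d/private.
install_gateway() {
  mkdir -p "$3/etc/ipsec.d/cacerts" "$3/etc/ipsec.d/certs" "$3/etc/ipsec.d/private"
  cp "$WORK/$2.crt" "$3/etc/ipsec.d/cacerts/$2.crt"
  cp "$WORK/$1.crt" "$3/etc/ipsec.d/certs/$1.crt"
  cp "$WORK/$1.key" "$3/etc/ipsec.d/private/$1.key"
  chmod 600 "$3/etc/ipsec.d/private/$1.key"
  printf ': RSA %s.key\n' "$1" > "$3/etc/ipsec.secrets"
}

# render_conf NAME LOCAL_IP LOCAL_NET PEER_EIP PEER_NET LOCAL_CN PEER_CN CA_CN
# Prints an ipsec.conf for certificate auth. left= is the address really on
# eth0 (AWS maps the EIP to it with 1:1 NAT), leftid= is the certificate DN,
# and no leftrsasigkey/rightrsasigkey lines appear at all.
render_conf() {
  cat <<EOF
config setup
    uniqueids=yes
    strictcrlpolicy=no

conn tunnel-$1
    keyexchange=ikev2
    type=tunnel
    left=$2
    leftsubnet=$3
    leftid="C=DE, O=Orgname, CN=$6"
    leftcert=$1.crt
    right=$4
    rightsubnet=$5
    rightid="C=DE, O=Orgname, CN=$7"
    rightca="C=DE, O=Orgname, CN=$8"
    authby=pubkey
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    keyingtries=0
    auto=start
EOF
}
```

Typical use on the east side is `make_ca ca "Orgname Root CA"`, `make_gw_cert east east-ssw-gateway ca`, `install_gateway east ca /` and `render_conf east 10.1.2.250 10.1.0.0/16 13.57.zz.dd 10.0.0.0/16 east-ssw-gateway west-ssw-gateway "Orgname Root CA" > /etc/ipsec.conf`, with the west side mirrored. With the CA certificate in /etc/ipsec.d/cacerts, charon derives leftca= from the installed certificate on its own; rightca= pins which issuer the peer's certificate must chain to. Because both instances sit behind AWS NAT, IKE will switch to NAT-T, so the security groups need UDP 500 and UDP 4500 open in both directions.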