The_electrik_one
New Member
February 19, 2026
Question

StrongSwan IKEv2 VPN tunnel with X509 Authentication - help


I am doing a proof of concept, trying to get a router with StrongSwan embedded in it to build a Site-to-Site IKEv2 VPN tunnel back to HQ, using certificate authentication.

The remote side (router) has a dynamic IP address.

At the HQ side, the tunnel is configured as a dynamic/dialup tunnel.

If we can make it work, there will be about 200 more just like it later.

If I use PSK, the tunnel comes up and stays up, so connectivity between the remote site and HQ appears to be good.

If I use X509, the tunnel comes up for about 10 seconds: I see phase 2 up in the IPSec monitor and the route gets installed on the Fortinet/HQ side, and then there is a failure (on the StrongSwan side), with the logs showing the error message "certificate status is not available" and something about not being able to reach the CRL or OCSP servers, with a timeout of 10000ms (which lines up with the tunnel coming up for 10 seconds). The full logs are at the bottom.

 

Now I am not an expert with certs at all, so maybe I am doing something wrong.

We are using our own "Root" and "Issuing" CAs, and the CRL is externally accessible.

At HQ, we have a cert that is signed and issued by the issuing CA. The "root" and "issuing" CA certificates are installed on the HQ firewall, and the CRL is reachable. In the cert, there is a SAN of "hq.company.com" and there is a valid DNS record for that name as well, that points to the external IP of our HQ firewall.

 

On the router (with StrongSwan embedded), the public IP is dynamic, so I can't do a DNS record for it. On the router, I first import the Root CA, creating the first trustpoint. Then I import the issuing CA, creating the second trustpoint.

In the cert for the remote end, I put a SAN of "VPN1.company.com" even though that DNS record doesn't exist, but I am not sure if that is the correct thing to do. Should I put in maybe the internal IP of the router, since that is known and static?

I import the .key file, enter the passphrase for the cert, and I finally import the cert itself. By all considerations the cert chain is complete. I create the VPN, using the "issuing" CA as the trust point (I tried it with the root and the tunnel wouldn't even come up).

 

The logs mention an untrusted cert, which I don't fully understand, as well as the CRL/OCSP error.

If I telnet over port 80 to the CA hosting the CRL, I can reach it. If I do a WGET (from another machine, since I can't from the router) for the CRL, it pulls it down. DNS resolution is working.

So I am very confused as to the nature of the issue. Not being super versed in certificate authentication, I wouldn't be surprised if I was doing something wrong or if I am missing something.

The version of StrongSwan installed on the router is 5.91.

Does anyone have any pointers for me to try?

Here are the logs from the router/strongswan side. I cleaned up the config with generic names and IP addresses.

 

Feb 12 19:31:03 GMT %IPSEC_STARTER-6: charon (9861) started after 16420 ms
Feb 12 19:31:22 GMT %IPSEC_STARTER-6: Starting strongSwan 5.9.1 IPsec [starter]...
Feb 12 19:31:22 GMT %IPSEC_STARTER-6: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
Feb 12 19:31:23 GMT %IPSEC_STARTER-6: starter is already running (/var/run/starter.charon.pid exists) -- no fork done
Feb 12 19:31:24 GMT %IPSECMGR-6: Starting up
Feb 12 19:31:25 GMT %IPSECMGR-6: 01[LIB] libcurl request failed [28]: Connection timeout after 10000 ms
Feb 12 19:31:25 GMT %IPSECMGR-6: 01[CFG] crl fetching failed
Feb 12 19:31:25 GMT %IPSECMGR-6: 01[CFG] certificate status is not available
Feb 12 19:31:25 GMT %IPSECMGR-6: 01[CFG] using untrusted intermediate certificate "Our-Internal-Root-CA"
Feb 12 19:31:25 GMT %IPSECMGR-6: 01[CFG] checking certificate status of "Our-Internal-Issuing-CA"
Feb 12 19:31:25 GMT %IPSECMGR-6: 01[CFG] fetching crl from 'http://CA-Public-name/crl/Root-CA.crl' ...
Feb 12 19:31:32 GMT %IPSECMGR-6: Exiting 0
Feb 12 19:31:32 GMT %IPSEC_STARTER-6: Starting strongSwan 5.9.1 IPsec [starter]...
Feb 12 19:31:32 GMT %IPSEC_STARTER-6: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
Feb 12 19:31:32 GMT %IPSEC_STARTER-6: starter is already running (/var/run/starter.charon.pid exists) -- no fork done
Feb 12 19:31:33 GMT %IPSECMGR-6: Starting up
Feb 12 19:31:35 GMT %IPSECMGR-6: 01[LIB] libcurl request failed [28]: Connection timeout after 10001 ms
Feb 12 19:31:35 GMT %IPSECMGR-6: 01[CFG] crl fetching failed
Feb 12 19:31:35 GMT %IPSECMGR-6: 01[CFG] certificate status is not available
Feb 12 19:31:35 GMT %IPSECMGR-6: 01[CFG] self-signed certificate "Our-Internal-Root-CA" is not trusted
Feb 12 19:31:35 GMT %IPSECMGR-6: 01[IKE] no trusted RSA public key found for 'C=US, ST=CA, L=LosAngeles, O=Company, OU=Company, CN=VPN-HQ.company.com'
Feb 12 19:31:35 GMT %IPSECMGR-6: 01[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Feb 12 19:31:35 GMT %IPSECMGR-6: 01[NET] sending packet: from 2.2.2.2 [4500] to 1.1.1.1[4500] (96 bytes)
Feb 12 19:31:35 GMT %IPSECMGR-6: 13[IKE] initiating IKE_SA peer-1.1.1.1-tunnel-1[2] to 1.1.1.1
Feb 12 19:31:35 GMT %IPSECMGR-6: 14[CFG] vici connection 4 unknown
Feb 12 19:31:35 GMT %IPSECMGR-6: 11[CFG] vici connection 3 unknown
Feb 12 19:31:35 GMT %IPSECMGR-6: 15[CFG] vici connection 7 unknown
Feb 12 19:31:35 GMT %IPSECMGR-6: 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 12 19:31:35 GMT %IPSECMGR-6: 13[NET] sending packet: from 0.0.0.0[500] to 1.1.1.1[500] (368 bytes)
Feb 12 19:31:35 GMT %IPSECMGR-6: 10[NET] received packet: from 1.1.1.1[500] to 2.2.2.2 [500] (341 bytes)
Feb 12 19:31:35 GMT %IPSECMGR-6: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) ]
Feb 12 19:31:35 GMT %IPSECMGR-6: 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521
Feb 12 19:31:35 GMT %IPSECMGR-6: 10[IKE] local host is behind NAT, sending keep alives
Feb 12 19:31:35 GMT %IPSECMGR-6: 10[IKE] received cert request for "Our-Internal-Issuing-CA"
Feb 12 19:31:35 GMT %IPSECMGR-6: 10[IKE] sending cert request for "Our-Internal-Issuing-CA"
Feb 12 19:31:36 GMT %IPSECMGR-6: 10[IKE] authentication of 'C=US, ST=CA, L=LosAngeles, O=Company, OU=Company, CN=VPN-remote-1.company.com' (myself) with RSA signature successful
Feb 12 19:31:36 GMT %IPSECMGR-6: 10[IKE] sending end entity cert "C=US, ST=CA, L=LosAngeles, O=Company, OU=Company, CN=VPN-remote-1.company.com"
Feb 12 19:31:36 GMT %IPSECMGR-6: 10[IKE] establishing CHILD_SA peer-1.1.1.1-tunnel-1{2}
Feb 12 19:31:36 GMT %IPSECMGR-6: 10[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 12 19:31:36 GMT %IPSECMGR-6: 10[ENC] splitting IKE message (2288 bytes) into 2 fragments
Feb 12 19:31:36 GMT %IPSECMGR-6: 10[ENC] generating IKE_AUTH request 1 [ EF(1/2) ]
Feb 12 19:31:36 GMT %IPSECMGR-6: 10[ENC] generating IKE_AUTH request 1 [ EF(2/2) ]
Feb 12 19:31:36 GMT %IPSECMGR-6: 10[NET] sending packet: from 2.2.2.2 [4500] to 1.1.1.1[4500] (1236 bytes)
Feb 12 19:31:36 GMT %IPSECMGR-6: 10[NET] sending packet: from 2.2.2.2 [4500] to 1.1.1.1[4500] (1140 bytes)
Feb 12 19:31:36 GMT %IPSECMGR-6: 14[NET] received packet: from 1.1.1.1[4500] to 2.2.2.2 [4500] (1124 bytes)
Feb 12 19:31:36 GMT %IPSECMGR-6: 14[ENC] received fragment #1 of 5, waiting for complete IKE message
Feb 12 19:31:36 GMT %IPSECMGR-6: 14[ENC] parsed IKE_AUTH response 1 [ EF(1/5) ]
Feb 12 19:31:36 GMT %IPSECMGR-6: 15[NET] received packet: from 1.1.1.1[4500] to 2.2.2.2 [4500] (1124 bytes)
Feb 12 19:31:36 GMT %IPSECMGR-6: 15[ENC] parsed IKE_AUTH response 1 [ EF(2/5) ]
Feb 12 19:31:36 GMT %IPSECMGR-6: 15[ENC] received fragment #2 of 5, waiting for complete IKE message
Feb 12 19:31:36 GMT %IPSECMGR-6: 16[NET] received packet: from 1.1.1.1[4500] to 2.2.2.2 [4500] (1124 bytes)
Feb 12 19:31:36 GMT %IPSECMGR-6: 16[ENC] parsed IKE_AUTH response 1 [ EF(3/5) ]
Feb 12 19:31:36 GMT %IPSECMGR-6: 16[ENC] received fragment #3 of 5, waiting for complete IKE message
Feb 12 19:31:36 GMT %IPSECMGR-6: 07[NET] received packet: from 1.1.1.1[4500] to 2.2.2.2 [4500] (1124 bytes)
Feb 12 19:31:36 GMT %IPSECMGR-6: 07[ENC] parsed IKE_AUTH response 1 [ EF(4/5) ]
Feb 12 19:31:36 GMT %IPSECMGR-6: 07[ENC] received fragment #4 of 5, waiting for complete IKE message
Feb 12 19:31:36 GMT %IPSECMGR-6: 09[NET] received packet: from 1.1.1.1[4500] to 2.2.2.2 [4500] (996 bytes)
Feb 12 19:31:36 GMT %IPSECMGR-6: 09[ENC] parsed IKE_AUTH response 1 [ EF(5/5) ]
Feb 12 19:31:36 GMT %IPSECMGR-6: 09[ENC] received fragment #5 of 5, reassembled fragmented IKE message (5136 bytes)
Feb 12 19:31:36 GMT %IPSECMGR-6: 09[ENC] parsed IKE_AUTH response 1 [ IDr CERT CERT CERT AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
Feb 12 19:31:36 GMT %IPSECMGR-6: 09[IKE] received end entity cert "C=US, ST=CA, L=LosAngeles, O=Company, OU=Company, CN=VPN-HQ.company.com"
Feb 12 19:31:36 GMT %IPSECMGR-6: 09[IKE] received issuer cert "Our-Internal-Issuing-CA"
Feb 12 19:31:36 GMT %IPSECMGR-6: 09[IKE] received issuer cert "Our-Internal-Root-CA"
Feb 12 19:31:36 GMT %IPSECMGR-6: 09[CFG] using certificate "C=US, ST=CA, L=LosAngeles, O=Company, OU=Company, CN=VPN-HQ.company.com"
Feb 12 19:31:36 GMT %IPSECMGR-6: 09[CFG] using trusted intermediate ca certificate "Our-Internal-Issuing-CA"
Feb 12 19:31:36 GMT %IPSECMGR-6: 09[CFG] checking certificate status of "C=US, ST=CA, L=LosAngeles, O=Company, OU=Company, CN=VPN-HQ.company.com"
Feb 12 19:31:36 GMT %IPSECMGR-6: 09[CFG] requesting ocsp status from 'http://CA-Public-name/ocsp' ...
Feb 12 19:31:46 GMT %IPSECMGR-6: 09[LIB] libcurl request failed [28]: Connection timeout after 10000 ms
Feb 12 19:31:46 GMT %IPSECMGR-6: 09[CFG] ocsp request to http://CA-Public-name/ocsp failed
Feb 12 19:31:46 GMT %IPSECMGR-6: 09[CFG] ocsp check failed, fallback to crl
Feb 12 19:31:46 GMT %IPSECMGR-6: 09[CFG] fetching crl from 'http://CA-Public-name/crl/ISSUING.crl' ...
Feb 12 19:31:56 GMT %IPSECMGR-6: 09[LIB] libcurl request failed [28]: Connection timeout after 10001 ms
Feb 12 19:31:56 GMT %IPSECMGR-6: 09[CFG] crl fetching failed
Feb 12 19:31:56 GMT %IPSECMGR-6: 09[CFG] certificate status is not available
Feb 12 19:31:56 GMT %IPSECMGR-6: 09[CFG] using untrusted intermediate certificate "Our-Internal-Root-CA"
Feb 12 19:31:56 GMT %IPSECMGR-6: 09[CFG] checking certificate status of "Our-Internal-Issuing-CA"
Feb 12 19:31:56 GMT %IPSECMGR-6: 09[CFG] fetching crl from 'http://CA-Public-name/crl/Root-CA.crl' ...
Feb 12 19:32:06 GMT %IPSECMGR-6: 09[LIB] libcurl request failed [28]: Connection timeout after 10001 ms
Feb 12 19:32:06 GMT %IPSECMGR-6: 09[CFG] crl fetching failed
Feb 12 19:32:06 GMT %IPSECMGR-6: 09[CFG] certificate status is not available
Feb 12 19:32:06 GMT %IPSECMGR-6: 09[CFG] self-signed certificate "Our-Internal-Root-CA" is not trusted
Feb 12 19:32:06 GMT %IPSECMGR-6: 09[IKE] no trusted RSA public key found for 'C=US, ST=CA, L=LosAngeles, O=Company, OU=Company, CN=VPN-HQ.company.com'
Feb 12 19:32:06 GMT %IPSECMGR-6: 09[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Feb 12 19:32:06 GMT %IPSECMGR-6: 09[NET] sending packet: from 2.2.2.2 [4500] to 1.1.1.1[4500] (96 bytes)
Feb 12 19:32:06 GMT %IPSECMGR-6: 07[CFG] vici connection 10 unknown
Feb 12 19:32:06 GMT %IPSECMGR-6: 14[CFG] vici connection 11 unknown
Feb 12 19:32:06 GMT %IPSECMGR-6: 01[CFG] vici connection 12 unknown
Feb 12 19:32:06 GMT %IPSECMGR-6: 16[CFG] vici connection 13 unknown

2 replies

Stephen_G
Moderator
February 23, 2026

Hello,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

If anybody else has any info or advice, please feel free to contribute!

Regards,
Stephen_G - Fortinet Community Team
xshkurti
Staff
February 23, 2026

@The_electrik_one
You mention that if you telnet over port 80 to the CA hosting the CRL, you can reach it.
From strongSwan, try to do: curl http://CA-Public-name/crl/ISSUING.crl
If you do a WGET (from another machine, since you can't from the router) for the CRL, it pulls it down. DNS resolution is working. -- DNS resolution works on another machine, but does it work in strongSwan? This is what you are troubleshooting.

Try this command in strongSwan:
curl http://CA-Public-name/crl/ISSUING.crl

If that does not work, there is your problem. You should fix connectivity to this CRL link.

A second option would be to disable the "revocation list check" in the strongSwan conf file.

In strongswan.conf, disable strict checking:
charon {
    revocation {
        strict = no
    }
}

With this, it will work, but consider security as well.
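The two checks in the reply above (reaching the CRL URL from the strongSwan host itself, and seeing what the chain looks like before loosening revocation.strict) put into one POSIX shell script. This is an added example, not from the thread or from the strongSwan project; the file names peer.pem and ca-chain.pem, and curl and openssl being available on the router, are assumptions. It also maps the curl exit code onto the libcurl error number charon logs ([28] is a timeout), so its output can be matched against the log lines posted above.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce charon's revocation fetch
# and chain check from the router's own shell, with the same 10 s timeout
# seen in the log. File names and URLs are assumptions.
TIMEOUT=10

# Map a curl exit code to the libcurl error charon logs; the thread's
# "libcurl request failed [28]" is CURLE_OPERATION_TIMEDOUT.
explain_curl_rc() {
    case "$1" in
        0)  echo "ok" ;;
        6)  echo "DNS lookup failed on this host (CURLE_COULDNT_RESOLVE_HOST)" ;;
        7)  echo "TCP connect failed (CURLE_COULDNT_CONNECT)" ;;
        28) echo "timed out after ${TIMEOUT}s (CURLE_OPERATION_TIMEDOUT)" ;;
        *)  echo "curl exit code $1" ;;
    esac
}

# First CRL distribution point URI from 'openssl x509 -ext' text on stdin.
first_uri() {
    sed -n 's/^[[:space:]]*URI:[[:space:]]*//p' | head -n 1
}

# Fetch a CRL or OCSP URL the way charon does: plain HTTP, bounded timeout.
fetch_url() {      # $1 = URL, $2 = output file
    rc=0
    curl -sS --max-time "$TIMEOUT" -o "$2" "$1" || rc=$?
    echo "$1: $(explain_curl_rc "$rc")"
    return "$rc"
}

# Take the CRL URL from the peer cert itself, fetch it, then verify the
# peer cert against the local CA bundle with CRL checking enabled.
run_checks() {     # $1 = peer cert (PEM), $2 = PEM bundle of root + issuing CA
    url=$(openssl x509 -in "$1" -noout -ext crlDistributionPoints | first_uri)
    [ -n "$url" ] || { echo "no CRL distribution point in $1"; return 1; }
    fetch_url "$url" peer.crl || return 1
    # Many CAs publish DER CRLs; openssl verify wants PEM.
    openssl crl -inform DER -in peer.crl -out peer-crl.pem 2>/dev/null \
        || cp peer.crl peer-crl.pem
    # "unable to get local issuer certificate" here means the root is not in
    # the bundle, the same situation as charon's "self-signed certificate ...
    # is not trusted" line; a revoked or stale CRL is reported separately.
    openssl verify -CAfile "$2" -CRLfile peer-crl.pem -crl_check "$1"
}

# Network checks only run when both file names are given on the command line.
if [ "$#" -eq 2 ]; then
    run_checks "$1" "$2"
fi
```

Run it on the router as `sh check-revocation.sh peer.pem ca-chain.pem`; a `28` from curl here reproduces exactly the "libcurl request failed [28]" lines in the charon log, while a `6` points at DNS on the router rather than at the CA.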