To use IKEv2 and the strongswan vpnclient deployment, you need to be made aware of the following. The client will validate the SubjectAlternativeName section of the certificate. This has cause numerous issues for users deploying the strongswan client and the dread not able to find a trusted RSA public key.
"no trusted RSA public key found for "
Do not build a x509 certificate with just a CN and Subject Alternative Name & if you want it to work across multiple client-types.
https://wiki.strongswan.org/issues/1540
http://tiebing.blogspot.com/2016/03/no-trusted-rsa-public-key-found.html
reference the above fellow blogger article & about how strongswan checks the certs.
The CN field is not as important, but the SubjectAlternativeName section is very important and you might need to ensure the IKEv2 certificate display has a IP value that matches the vpnclient server configuration
Here's the wikipedia definition of SAN and possible values
!!!!!!!! In my example , I ONLY NEED A IP ENTRY, BUT I CRAFT A CERTIFICATE WITH ALL TYPES just for demostration purpose !!!!!!!!!
When crafting the certificate for the FortiOS, we need to apply the "IP" name in the SubjectAlternativeName value. I have never figured out why the clients checks the "IP" field and not the "DNS" field in the certificate.
!!!! Do NOT use the fortiOS to generate a CSR, but build a CSR with openssl and send it for signing !!!!
openssl req -new -nodes -sha256 -config ./myaltnamesupplement.cnf -out mycsr.csr -keyout mycsrkey.key
Here's a few example for extension-file value that I will pass to my CA & my CSR for signing and the final certificate output ( trunacated ). I also add a few other not so common values that the SubjectAlternativeName can support such as URI and emailaddress.
Now the client is simple to configure, you need to install a user certificate and upload the root_SignerCA certificate into the client. The rest should be straight forward
1: define a profile name
2: define the server address/hostname that we will attempt connection to
3: select the user certficare the vpn-gateway is expecting
4: set the rootCA certificate
When you have all set, you should be able to connect in a similar fashion;
Here's an established session take note of the peerid details in the two sessions and the src_ports. This was me logging in from the same network from 2 android devices
!!!!!! Note, if strongswan complains of no trusted RSA public key and provides and a ipv4address in the log message, that ensure you have a IP value in the Alternative Name field that is correct . !!!!!!!!
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
No comments:
Post a Comment