Friday, June 8, 2018

Strongswan DYNAMIC vpnclient fortiOS IKEv2

https://www.strongswan.org/

To use IKEv2 and the strongswan vpnclient  deployment,  you need to be  made aware of the following. The client will validate the SubjectAlternativeName  section of the  certificate. This has cause numerous issues for users deploying the   strongswan client and the dread  not able to find a trusted RSA public key.

"no trusted RSA public key found for "


Do not build a  x509 certificate with just a CN and Subject Alternative Name  & if you want it to work across multiple client-types.


https://wiki.strongswan.org/issues/1540
http://tiebing.blogspot.com/2016/03/no-trusted-rsa-public-key-found.html






reference the above fellow blogger  article & about how strongswan checks the certs. 



The  CN  field  is not as important, but the SubjectAlternativeName  section is  very important and you might need to ensure the IKEv2 certificate display has a IP value that matches the vpnclient server configuration

Here's the wikipedia  definition of SAN and possible values


!!!!!!!!   In my example ,   I ONLY NEED A IP ENTRY,   BUT I CRAFT A CERTIFICATE WITH ALL TYPES  just   for demostration purpose    !!!!!!!!!



When crafting the certificate for the FortiOS, we need to apply the "IP" name in the SubjectAlternativeName value. I have never figured out why  the  clients  checks the "IP" field and not the "DNS" field in the  certificate.

  !!!! Do NOT use the fortiOS to generate a CSR, but build a CSR with openssl and send it for signing !!!!

openssl req -new -nodes -sha256 -config ./myaltnamesupplement.cnf -out  mycsr.csr -keyout mycsrkey.key



Here's a few example for extension-file  value that I will pass to my CA & my CSR for signing and the final certificate  output (  trunacated ). I also  add a few other not so common values that the SubjectAlternativeName can support  such as  URI and emailaddress.





Now the client  is simple to configure, you need to install a user  certificate and upload the  root_SignerCA   certificate into the client. The rest should be straight forward

   1:  define a profile name
   2:  define the server address/hostname that we will attempt connection to
   3:  select the user certficare the vpn-gateway is expecting
   4:  set the rootCA certificate


When you have all set, you should be able to connect in a similar fashion;



 Here's an established session  take note of the peerid details in the two sessions and the src_ports. This was me logging in from the same network from 2 android devices



!!!!!!  Note,  if strongswan  complains of no trusted RSA public key and provides and a ipv4address in the log message, that ensure you have a IP value in the Alternative Name field  that is correct  .  !!!!!!!!








 






NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \
 

No comments:

Post a Comment