Strongswan IPsec ignores empty certificate request

I am trying to set up a certificate-based VPN connection to a modem (a Digi WAN Connect 3G) in the field.

I am using `ipsec` version Linux strongSwan U5.8.2/K5.8.0-55-generic on Ubuntu 20.04.

I am pretty certain that I am setting up the certificates correctly with `pki`. After executing `ipsec up modem15` on the server I get these messages:

initiating Main Mode IKE_SA modem15[1] to ..
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from ..[500] to ..[500] (248 bytes)
received packet: from ..[500] to ..[500] (144 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received NAT-T (RFC 3947) vendor ID
received draft-ietf-ipsec-nat-t-ike-00 vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from ..[500] to ..[500] (308 bytes)
received packet: from ..[500] to ..[500] (358 bytes)
parsed ID_PROT response 0 [ KE No CERTREQ CERTREQ NAT-D NAT-D ]
received cert request for 'C=AT, O=.., CN=..'
**ignoring certificate request without data**
sending cert request for "C=AT, O=.., CN=.."
authentication of 'C=AT, O=.., CN=..' (myself) successful
sending end entity cert "C=AT, O=.., CN=.."
generating ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
sending packet: from ..[500] to ..[500] (1548 bytes)
sending retransmit 1 of request message ID 0, seq 3

Then it just keeps retransmitting.

On the modem I get these error messages:

2021-07-06 14:42:24 ipsec      Responder received MM[3] and sent MM[4]
2021-07-06 14:42:24 ipsec      peer @..: Main mode i3r3, peer certificate failed check
2021-07-06 14:42:24 ipsec      peer @..: Main mode i3r3, peer's message contains an unexpected header

My ipsec.conf is as follows:

config setup

conn %default
        ikelifetime=24h
        keylife=23h
        rekeymargin=10m
        ike=3des-sha-modp1536
        keyexchange=ikev1
        authby=rsasig
        left=%any
        leftid=$serverip
        leftcert=/etc/ipsec.d/certs/server-cert.pem
        leftsendcert=always
        leftsubnet=172.29.0.0/24
        leftfirewall=yes
        dpdaction=clear
        dpddelay=300s
        rightsendcert=always
        auto=add

conn modem15
        right=$dyndnsip
        rightsubnet=$rightsn
        rightid="C=AT, O=.., CN=modem15"

I have tried all kinds of ipsec.conf options.

My current belief is that ipsec on the server should send the certificate when the modem sends an empty cert request. I have not found options or ways to do that, however.

Can you help me out here? I'm really banging my head against the wall with this one.

The empty certificate request is not really a problem (as the log message says, it's just ignored). As you can see, the certificate is actually sent in the third MM request (`CERT` payload). But apparently, the modem doesn't like the server's certificate so it doesn't respond (no idea what the log message regarding an unexpected header means). Maybe something is missing there (like a trust anchor), or your certificates are not correct after all.
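The diagnosis above (the modem rejects the server's certificate, most likely because it lacks the trust anchor or the certificate does not match what it expects) can be checked offline before touching the tunnel again. The script below is an added example, not code from the question, from the answer or from strongSwan. It builds a constructed throwaway CA and two certificates with the openssl CLI (assumed to be installed) and then runs the two checks any IKE peer makes on a received `CERT` payload: does the certificate chain to a CA the peer trusts, and does its subject DN equal the identity configured for that peer (`leftid` on the sender, `rightid` on the receiver). The DNs, file names, the `openssl.cnf` fragment and the `peer_would_accept` helper are all constructed for this example; on a real server you would point `chain_ok` at the CA file the modem was provisioned with and `id_matches` at the DN from `ipsec.conf`.

```shell
#!/bin/sh
# Added example (not from the question or strongSwan): reproduces offline the
# two checks a peer makes on a received CERT payload, chain validation against
# its trust anchor and a subject-DN match against the configured identity.
# Everything here is constructed: throwaway CA, DNs and file names are
# placeholders. Assumes the openssl CLI is installed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the CA really carries CA:TRUE on every version.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_ee ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Build the constructed PKI: one CA, a server cert it signed, and a
# self-signed cert with the same subject that no CA vouches for.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -config "$WORK/openssl.cnf" -extensions v3_ca \
        -subj "/C=AT/O=Example/CN=Example CA" \
        -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$WORK/openssl.cnf" \
        -subj "/C=AT/O=Example/CN=server" \
        -keyout "$WORK/server-key.pem" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -days 1 \
        -CA "$WORK/ca-cert.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions v3_ee \
        -out "$WORK/server-cert.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/openssl.cnf" -extensions v3_ca \
        -subj "/C=AT/O=Example/CN=server" \
        -keyout "$WORK/rogue-key.pem" -out "$WORK/rogue-cert.pem" 2>/dev/null
}

# Check 1: does the certificate chain to the trust anchor the peer holds?
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print the subject DN in the "C=.., O=.., CN=.." form strongSwan logs.
subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_comma_plus_space,utf8 \
        | sed -e 's/^subject= *//'
}

# Check 2: does the subject DN equal the ID configured for this peer
# (leftid on the sender, rightid on the receiver)?
id_matches() {
    [ "$(subject_dn "$1")" = "$2" ]
}

# Both checks together: what a responder needs before it trusts the cert.
peer_would_accept() {
    chain_ok "$1" "$2" && id_matches "$1" "$3"
}

make_test_pki
CA="$WORK/ca-cert.pem"
peer_would_accept "$WORK/server-cert.pem" "$CA" "C=AT, O=Example, CN=server" \
    && echo "server cert: chains to CA and subject matches configured ID"
peer_would_accept "$WORK/rogue-cert.pem" "$CA" "C=AT, O=Example, CN=server" \
    || echo "rogue cert: same subject but no trust anchor, peer rejects it"
peer_would_accept "$WORK/server-cert.pem" "$CA" "C=AT, O=Example, CN=modem15" \
    || echo "server cert: trusted but subject != configured ID, peer rejects it"
```

The second and third cases are the two failure modes the answer points at: a certificate that is perfectly valid but signed by a CA the modem was never given, and a certificate the modem trusts whose subject does not match the identity it was told to expect. Either one produces a silent rejection on the responder side, with the initiator left retransmitting exactly as in the question's log.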