2014年5月22日 星期四

strongSwan id (IPSec IDR) setting

4.3 Configuring the peer side using CA certificates
http://www.strongswan.org/docs/readme4.htm#section_4.3

The ID by which a peer is identifying itself during IKE main mode can by any of the ID types IPV4_ADDR, FQDN, USER_FQDN or DER_ASN1_DN. If one of the first three ID types is used, then the accompanying X.509 certificate of the peer must contain a matching subjectAltName field of the type ipAddress (IP:), dnsName (DNS:) or rfc822Name (email:), respectively. With the fourth type DER_ASN1_DN, the identifier must completely match the subject field of the peer's certificate. One of the two possible representations of a Distinguished Name (DN) is the LDAP-type format
     rightid="C=CH,O=Linux strongSwan, CN=sun.strongswan.org"
Additional whitespace can be added everywhere as desired since it will be automatically eliminated by the X.509 parser. An exception is the single whitespace between individual words , like e.g. in Linux strongSwan, which is preserved by the parser.
The Relative Distinguished Names (RDNs) can alternatively be separated by a slash ( '/')  instead of a comma (',')
rightid="/C=CH/O=Linux strongSwan/CN=sun.strongswan.org"
This is the representation extracted from the certificate by the OpenSSL command line option
openssl x509 -in sunCert.pem -noout -subject
Re: [strongSwan] rightid (Ipsec with Certificates)
https://www.mail-archive.com/users@lists.strongswan.org/msg04084.html
rightid and leftid are required to prevent an endpoint having
a valid and trusted certificate to take on the identity of another
endpoint (e.g. a client acting as the SEGW).
The leftid must exactly match either the subjectDistinguishedName or
a subjectAltName in the leftcert. rightid must match the identity
of the remote endpoint but may contain wildcards, the most general
being rightid=%any which returns a full match for any id. rightid
is sent by the initiator in the optional IDr payload in order to
assist the remote endpoint in the selection of the identity to be
used if the remote endpoint has multiple identities (e.g. multiple
certificates). If rightid contains at least one wildcard ('*' character)
then IDr is omitted but the the responder must always return its
full IDr not containing any wildcards.

In your first example where you define

  rightid="C=*, O=*, OU=*, CN=*"

the IDr payload is not sent by the initiator and the responder
returns an IDr of the form

 "O=Alcatel, CN=654...@alcatel-lucent.com"

which does not match your rightid template because the C= and OU=
RDNs are missing and the following local error is produced:

constraint check failed: identity 'C=*, O=*, OU=*, CN=*' required
selected peer config '30' inacceptable
no alternative config found

In order for your example to work you must either define

  rightid="O=*, CN=*"

or if you don't know exaclty which type of RDNs are used by the
SEGW in its certificate just

  rightid=%any

Please be aware that the use of wildcards makes your endpoints
vulnerable to kind of man-in-the-middle attacks mentioned in the
first paragraph.

In your second example you didn't specify any rightid. In that case
by default the IP address specified by right is used as rightid, i.e.

  rightid=172.21.11.181

Since this IDr is not contained in the SEGW's certificate the
remote error

parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error

is received.
Re: [strongSwan] understanding %fromcert
https://www.mail-archive.com/users@lists.strongswan.org/msg06371.html
leftid=%fromcert
is an OpenSwan option not supported by strongSwan. The strongSwan
configuration is

  leftcert=carolCert.pem
  leftid=ca...@strongswan.org

or simply

  leftcert=carolCert.pem

If leftid is missing then left, i.e. the IP address is chosen by
default for leftid but since the IP address usually is not
contained as a subjectAltName in the certificate, the fallback
is for leftid to assume the value of the subject Distinguished
Name as e.g.

  leftid="C=CH, O=strongSwan, CN=ca...@strongswan.org"
'Re: [strongSwan] FQDN based certificate authentication for ikev2' - MARC
https://www.assembla.com/spaces/wbgi-tpe
if you want to use FQDNs as IDs then you must set rightid and
leftid accordingly:

On the initiator 10.0.0.2:

   left=10.0.0.2
   leftcert="/etc/ipsec/certs/ipsec.d//certs/ib-cert.pem"
   leftid=ib.atca.nsn.com
   right=10.0.0.1
   rightid=cla.atca.nsn.com

On the responder 10.0.0.1:

   left=10.0.0.1
   leftcert="/etc/ipsec/certs/ipsec.d//certs/cla-cert.pem"
   leftid=cla.atca.nsn.com
   right=%any
'Re: [strongSwan] Cannot set ID to FQDN with certificate loaded,' - MARC
http://marc.info/?l=strongswan-users&m=121804213112206
subjectAltNames don't go into the Distinguished Name (DN) itself as you
did in

[O=MyCo Ltd, OU=SW, L=Swindon, ST=Wiltshire, C=GB, CN=sgw.myco.com,
subjectAltName=sgw.myco.co]

but into an X.509v3 certificate extension. Enter the subjectAltName
in the form

subjectAltName=DNS:sgw.myco.com

in the appropriate place in your openssl.cnf file before you generate
your certificate.
QA Cafe - Knowledgebase - How do I display the contents of a SSL certificate?
https://lounge.qacafe.com/kb/articles/show/153

# openssl x509 -in acs.qacafe.com.pem -text
 
 
 
 

Certificates


Public key certificate - Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Public_key_certificate

Certificate Signing Request (CSR)

Certificate signing request - Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Certificate_signing_request

How To Generate SSL Key, CSR and Self Signed Certificate For Apache
http://www.thegeekstuff.com/2009/07/linux-apache-mod-ssl-generate-key-csr-crt-file/

# openssl req -new -key www.thegeekstuff.com.key -out www.thegeekstuff.com.csr

Setting-up a Simple CA Using the strongSwan PKI Tool - SimpleCA - strongSwan - strongSwan
http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA


The Most Common OpenSSL Commands
http://www.sslshopper.com/article-most-common-openssl-commands.html

2014年5月21日 星期三

Convertion between hex string and binary: XXD

Binary to Hex:

# echo 0123456789abcdef0123456789abcdef | xxd
0000000: 3031 3233 3435 3637 3839 6162 6364 6566  0123456789abcdef
0000010: 3031 3233 3435 3637 3839 6162 6364 6566  0123456789abcdef
0000020: 0a   

# echo 0123456789abcdef0123456789abcdef | xxd -g1
0000000: 30 31 32 33 34 35 36 37 38 39 61 62 63 64 65 66  0123456789abcdef
0000010: 30 31 32 33 34 35 36 37 38 39 61 62 63 64 65 66  0123456789abcdef
0000020: 0a                                               .

# echo 0123456789abcdef0123456789abcdef | xxd -i
  0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x61, 0x62,
  0x63, 0x64, 0x65, 0x66, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
  0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x0a

Hex string to binary:
# echo 0123456789abcdef0123456789abcdef | xxd    | xxd -r
0123456789abcdef0123456789abcdef

# echo 0123456789abcdef0123456789abcdef | xxd -g1| xxd -r
0123456789abcdef0123456789abcdef

# echo 0123456789abcdef0123456789abcdef | xxd -i | xxd -r -p
0123456789abcdef0123456789abcdef
# echo 0123456789abcdef0123456789abcdef | xxd -r -p | xxd
0000000: 0123 4567 89ab cdef 0123 4567 89ab cdef  .#Eg.....#Eg....

2014年5月20日 星期二

strongswan IPSec related route

Issue #467: What if I use 0.0.0.0/0 as leftsubnet and rightsubnet in ipsec.conf - strongSwan - strongSwan - IKEv2/IPsec VPN for Linux, Android, FreeBSD, Mac OS X
http://wiki.strongswan.org/issues/467

A route is installed in routing table 220 by default (use ip route list table 220 to view it).