
I set up an Algo VPN instance on AWS Lightsail using the official Ansible playbook. I can establish the VPN connection using Wireguard, however I cannot get it to work with strongSwan.

I configured two different Ubuntu clients according to these official instructions: https://github.com/trailofbits/algo/blob/master/docs/client-linux-ipsec.md

I always get the error 'no issuer certificate found for "CN="', even though I did provide the server public key in /etc/ipsec.d/cacerts. This certificate seems to be self-signed.

$ cat /etc/ipsec.d/cacerts/cacert.pem

-----BEGIN CERTIFICATE----- <...> -----END CERTIFICATE-----

$ ipsec listcacerts

<no output>

Here's what happens when I try to fire up the tunnel:

$ ipsec up algovpn-35.180.123.456
initiating IKE_SA algovpn-35.180.123.456[1] to 35.180.123.456
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.5.196[500] to 35.180.123.456[500] (294 bytes)
received packet: from 35.180.123.456[500] to 192.168.5.196[500] (319 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_384
local host is behind NAT, sending keep alives
remote host is behind NAT
received 1 cert requests for an unknown ca
authentication of 'CN=remote1' (myself) with ECDSA_WITH_SHA384_DER successful
sending end entity cert "CN=remote1"
establishing CHILD_SA algovpn-35.180.123.456{1}
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.5.196[4500] to 35.180.123.456[4500] (973 bytes)
received packet: from 35.180.123.456[4500] to 192.168.5.196[4500] (883 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
received end entity cert "CN=35.180.123.456"
using certificate "CN=35.180.123.456"
no issuer certificate found for "CN=35.180.123.456"
issuer is "CN=35.180.123.456"
no trusted ECDSA public key found for '35.180.123.456'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 192.168.5.196[4500] to 35.180.123.456[4500] (65 bytes)
establishing connection 'algovpn-35.180.123.456' failed

Does anybody know how I can get this working?

Best regards,

Jona

  • The certificates are read, when **charon** starts. Issue `ipsec rereadcacerts` to read them again. – Piotr P. Karwasz Mar 21 '20 at 18:10
  • That doesn't seem to change anything.
    $ sudo ls /etc/ipsec.d/cacerts/
    cacert.pem
    $ sudo ipsec rereadcacerts
    $ sudo ipsec listcacerts
    $
    – jaj Mar 22 '20 at 12:08

2 Answers


Only CA certificates are automatically loaded from /etc/ipsec.d/cacerts (certificates with a CA basic constraint set), no end-entity/server certificates (unless you force the stroke plugin to do that via ignore_missing_ca_basic_constraint option, but I wouldn't recommend doing so).

If you want to use a (self-signed) server certificate directly, put it in /etc/ipsec.d/certs and load it via rightcert option in your conn section.

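An added example, not part of the answer above nor of the Algo or strongSwan projects, that makes the answer's distinction checkable before touching ipsec.conf: it reads a PEM file with openssl and reports whether strongSwan's stroke plugin would load it from /etc/ipsec.d/cacerts (only certificates asserting CA:TRUE in the X.509 basicConstraints extension are picked up there), or whether it is a self-signed end-entity certificate that belongs in /etc/ipsec.d/certs with a rightcert= line. The function names and the short result codes are this example's own conventions; it assumes openssl is installed.

```shell
#!/bin/sh
# Added example (not from the answer or from Algo/strongSwan): classify a PEM
# certificate the way strongSwan's cacerts scan does, and say where it belongs.
# Function names and result codes are this example's own. Requires openssl.

# Print "ca" when basicConstraints carries CA:TRUE, otherwise "end-entity".
# Only the former is loaded automatically from /etc/ipsec.d/cacerts.
cert_role() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'; then
        echo ca
    else
        echo end-entity
    fi
}

# Exit 0 when subject and issuer DN are identical, i.e. the certificate is
# self-signed (the trace in the question shows issuer == subject == CN=<ip>).
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# Print one of:
#   cacerts         - put it in /etc/ipsec.d/cacerts; "ipsec listcacerts" lists it
#   certs-rightcert - put it in /etc/ipsec.d/certs and add rightcert=<file>
#                     to the conn section (the answer's recommendation)
#   need-issuer-ca  - end-entity cert issued by a separate CA; install that
#                     CA certificate in /etc/ipsec.d/cacerts instead
strongswan_placement() {
    case $(cert_role "$1") in
        ca) echo cacerts ;;
        *)  if is_self_signed "$1"; then echo certs-rightcert; else echo need-issuer-ca; fi ;;
    esac
}

# Usage: sh cert-placement.sh /etc/ipsec.d/cacerts/cacert.pem
if [ "$#" -gt 0 ]; then
    echo "$1: role=$(cert_role "$1") placement=$(strongswan_placement "$1")"
fi
```

Run against the asker's cacert.pem, a self-signed certificate whose basicConstraints does not assert CA:TRUE, this prints `placement=certs-rightcert`, which is exactly why `ipsec listcacerts` stays empty even after `ipsec rereadcacerts`: the file is not rejected, it is simply never considered a CA certificate. The `-nameopt RFC2253` flag keeps the subject/issuer comparison stable across OpenSSL 1.1.1 and 3.x, which otherwise print the DN with different spacing.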

This ultimately boils down to an incompatibility between how algo configures the CA certificate and strongswan. See https://github.com/trailofbits/algo/issues/1758 for a workaround.
