StrongSwan says certificate not found but loads it when it boots up

0 votes
0 answers
75 views
I'm setting up a VPN server with strongSwan, but I’ve hit a weird issue where the licenses aren’t loading properly. Right now, I’m using a Let’s Encrypt cert to connect from my iOS and macOS devices, and everything works fine with username and password auth. Now I’m trying to switch to public key authentication, and here’s what I’ve got in my config file:
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, dmn 2"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no

    left=%any
    leftid=@redacted.com
    leftcert=/etc/ipsec.d/certs/server.crt # My LetsEncrypt fullchain.pem certificate
    leftsendcert=always
    leftsubnet=0.0.0.0/0

    right=%any
    rightid=%any
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4

    rightauth=pubkey
    leftauth=pubkey
    rightca=/etc/ipsec.d/cacerts/ca-cert.pem # My self-signed CA certificate

    ike=aes256-sha1-modp2048, aes256-sha256-modp2048, aes256gcm128-sha256-modp2048, aes256gcm16-sha256-modp2048, chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1, aes256-sha256, aes256gcm16, aes256gcm128-sha256, chacha20poly1305-sha512,aes256gcm16-ecp384,3des-sha1!
ipsec.secrets file:
: ECDSA "server.key"
My server logs:
00[DMN] Starting IKE charon daemon (strongSwan 5.9.13, Linux 6.8.0-52-generic, x86_64)
00[LIB] providers loaded by OpenSSL: legacy default
00[CFG] install DNS servers in '/etc/resolv.conf'
00[KNL] XFRM interfaces supported by kernel
00[KNL] known interfaces and IP addresses:
00[KNL]   lo
00[KNL]     127.0.0.1
00[KNL]     ::1
00[KNL]   eth0
00[KNL]     116.203.145.16
00[KNL]     2a01:4f8:c2c:adc1::1
00[KNL]     fe80::9400:4ff:fe37:cad
00[KNL]   docker0
00[KNL]     172.17.0.1
00[KNL]     fe80::42:23ff:fec8:9e46
00[KNL]   br-4c7a050e9086
00[KNL]     172.18.0.1
00[KNL]     fe80::42:cbff:feb7:b0bd
00[KNL]   veth1dd5702
00[KNL]     fe80::8445:b8ff:feb9:730
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=US, O=Let's Encrypt, CN=E6" from '/etc/ipsec.d/cacerts/chain.pem'
00[CFG]   loaded ca certificate "CN=Redacted CA" from '/etc/ipsec.d/cacerts/ca-cert.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded ECDSA private key from '/etc/ipsec.d/private/server.key'
00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf gmp agent xcbc hmac kdf gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
04[NET] waiting for data on sockets
06[CFG] received stroke: add connection 'ikev2-vpn'
06[CFG] conn ikev2-vpn
06[CFG]   left=%any
06[CFG]   leftsubnet=0.0.0.0/0
06[CFG]   leftauth=pubkey
06[CFG]   leftid=@redacted.com
06[CFG]   leftcert=/etc/ipsec.d/certs/server.crt
06[CFG]   right=%any
06[CFG]   rightsourceip=10.10.10.0/24
06[CFG]   rightdns=8.8.8.8,8.8.4.4
06[CFG]   rightauth=pubkey
06[CFG]   rightid=%any
06[CFG]   rightca=/etc/ipsec.d/cacerts/ca-cert.pem
06[CFG]   ike=aes256-sha1-modp2048, aes256-sha256-modp2048, aes256gcm128-sha256-modp2048, aes256gcm16-sha256-modp2048, chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
06[CFG]   esp=aes256-sha1, aes256-sha256, aes256gcm16, aes256gcm128-sha256, chacha20poly1305-sha512,aes256gcm16-ecp384,3des-sha1!
06[CFG]   dpddelay=300
06[CFG]   dpdtimeout=150
06[CFG]   dpdaction=1
06[CFG]   sha256_96=no
06[CFG]   mediation=no
06[CFG]   keyexchange=ikev2
06[CFG] adding virtual IP address pool 10.10.10.0/24
06[CFG]   loaded certificate "CN=redacted.com" from '/etc/ipsec.d/certs/server.crt'
06[CFG] CA certificate "/etc/ipsec.d/cacerts/ca-cert.pem" not found, discarding CA constraint
06[CFG] added configuration 'ikev2-vpn'
04[NET] received packet: from 46.99.24.33 to 116.203.145.16
04[NET] waiting for data on sockets
10[NET] received packet: from 46.99.24.33 to 116.203.145.16 (356 bytes)
10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
10[CFG] looking for an IKEv2 config for 116.203.145.16...46.99.24.33
10[CFG]   candidate: %any...%any, prio 28
10[CFG] found matching ike config: %any...%any with prio 28
10[IKE] local endpoint changed from 0.0.0.0 to 116.203.145.16
10[IKE] remote endpoint changed from 0.0.0.0 to 46.99.24.33
10[IKE] 46.99.24.33 is initiating an IKE_SA
10[IKE] IKE_SA (unnamed) state change: CREATED => CONNECTING
10[CFG] selecting proposal:
10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
10[CFG] selecting proposal:
10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
10[CFG] selecting proposal:
10[CFG]   no acceptable INTEGRITY_ALGORITHM found
10[CFG] selecting proposal:
10[CFG]   no acceptable INTEGRITY_ALGORITHM found
10[CFG] selecting proposal:
10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
10[CFG] selecting proposal:
10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
10[CFG] selecting proposal:
10[CFG]   no acceptable KEY_EXCHANGE_METHOD found
10[CFG] selecting proposal:
10[CFG]   proposal matches
10[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
10[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
10[IKE] remote host is behind NAT
10[IKE] DH group ECP_256 unacceptable, requesting MODP_2048
10[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
10[NET] sending packet: from 116.203.145.16 to 46.99.24.33 (38 bytes)
10[IKE] IKE_SA (unnamed) state change: CONNECTING => DESTROYING
05[NET] sending packet: from 116.203.145.16 to 46.99.24.33
04[NET] received packet: from 46.99.24.33 to 116.203.145.16
04[NET] waiting for data on sockets
11[NET] received packet: from 46.99.24.33 to 116.203.145.16 (548 bytes)
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
11[CFG] looking for an IKEv2 config for 116.203.145.16...46.99.24.33
11[CFG]   candidate: %any...%any, prio 28
11[CFG] found matching ike config: %any...%any with prio 28
11[IKE] local endpoint changed from 0.0.0.0 to 116.203.145.16
11[IKE] remote endpoint changed from 0.0.0.0 to 46.99.24.33
11[IKE] 46.99.24.33 is initiating an IKE_SA
11[IKE] IKE_SA (unnamed) state change: CREATED => CONNECTING
11[CFG] selecting proposal:
11[CFG]   no acceptable ENCRYPTION_ALGORITHM found
11[CFG] selecting proposal:
11[CFG]   no acceptable ENCRYPTION_ALGORITHM found
11[CFG] selecting proposal:
11[CFG]   no acceptable INTEGRITY_ALGORITHM found
11[CFG] selecting proposal:
11[CFG]   no acceptable INTEGRITY_ALGORITHM found
11[CFG] selecting proposal:
11[CFG]   no acceptable ENCRYPTION_ALGORITHM found
11[CFG] selecting proposal:
11[CFG]   no acceptable ENCRYPTION_ALGORITHM found
11[CFG] selecting proposal:
11[CFG]   no acceptable KEY_EXCHANGE_METHOD found
11[CFG] selecting proposal:
11[CFG]   proposal matches
11[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
11[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048, IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
11[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
11[IKE] remote host is behind NAT
11[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=E6"
11[IKE] sending cert request for "CN=Redacted CA"
11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
11[NET] sending packet: from 116.203.145.16 to 46.99.24.33 (501 bytes)
05[NET] sending packet: from 116.203.145.16 to 46.99.24.33
04[NET] received packet: from 46.99.24.33 to 116.203.145.16
04[NET] waiting for data on sockets
I think the certificates are loaded properly based on these logs:
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=US, O=Let's Encrypt, CN=E6" from '/etc/ipsec.d/cacerts/chain.pem'
00[CFG]   loaded ca certificate "CN=Redacted CA" from '/etc/ipsec.d/cacerts/ca-cert.pem'
The weird error that I think might be causing the issue:
06[CFG] CA certificate "/etc/ipsec.d/cacerts/ca-cert.pem" not found, discarding CA constraint
Here's how I generated the certificates:
#!/bin/bash

# Paths for the certificate files
BASE_DIR="$(pwd)"
CA_CERT="$BASE_DIR/ca-cert.pem"
CA_KEY="$BASE_DIR/ca-key.pem"
SERVER_CERT="$BASE_DIR/server.crt"
SERVER_KEY="$BASE_DIR/server-key.pem"
CLIENT_CERT="$BASE_DIR/client.crt"
CLIENT_KEY="$BASE_DIR/client-key.pem"
P12_FILE="$BASE_DIR/client.p12"
P12_PASSWORD="test"  # Password for the .p12 file

# Common Name for the CA
CA_CN="Redacted CA"

# Generate the CA private key (ECDSA, no password)
openssl ecparam -name prime256v1 -genkey -noout -out "$CA_KEY"
chmod 600 "$CA_KEY"

# Generate the CA certificate
openssl req -key "$CA_KEY" -new -x509 -out "$CA_CERT" -days 3650 -subj "/CN=$CA_CN" -nodes

# Generate server private key (ECDSA, no password)
openssl ecparam -name prime256v1 -genkey -noout -out "$SERVER_KEY"
chmod 600 "$SERVER_KEY"

# Generate server certificate signing request (CSR)
openssl req -new -key "$SERVER_KEY" -out "$BASE_DIR/server.csr" -subj "/CN=redacted.com" -nodes

# Sign the server certificate with the CA
openssl x509 -req -in "$BASE_DIR/server.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial -out "$SERVER_CERT" -days 3650

# Generate client private key (ECDSA, no password)
openssl ecparam -name prime256v1 -genkey -noout -out "$CLIENT_KEY"
chmod 600 "$CLIENT_KEY"

# Generate client certificate signing request (CSR)
openssl req -new -key "$CLIENT_KEY" -out "$BASE_DIR/client.csr" -subj "/CN=client.redacted.com" -nodes

# Sign the client certificate with the CA
openssl x509 -req -in "$BASE_DIR/client.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial -out "$CLIENT_CERT" -days 3650

# Combine the client certificate and key into a .p12 file with password "test"
openssl pkcs12 -export -in "$CLIENT_CERT" -inkey "$CLIENT_KEY" -out "$P12_FILE" -name "client" -passout pass:"$P12_PASSWORD"

# Clean up the CSR files
rm "$BASE_DIR/server.csr" "$BASE_DIR/client.csr"

echo "ECDSA certificates and .p12 file with password 'test' generated successfully!"
When the clients try to connect to the server, it disconnects them right away. The username-password one works perfectly when I configure it.

- I tried to connect to the server in iOS (using a .mobileconfig file) and MacOS but same result in both.
- I gave all system users 777 permissions for the certificates directory to test if it was a permissions thing, it still showed the same error.
- I disabled AppArmor fully, still the same issue.
- I tried to run the server as a docker container and as a normal process in the host - same issue.

Since I use a self-signed CA certificate to sign the private keys, could that cause any issues since I use a LetsEncrypt one for the server auth?

The end goal is to have a secure way to connect to the VPN server using an iOS application. I read it somewhere that username-password authentication wasn't supported if you want to have your app in AppStore.

Any tips would be very helpful! Meanwhile, I'll continue my research. Thank you in advance!

Edit #1

Here's how I configured the certificate files on the Docker version:
docker run -d --name ikev2-vpn-server \
    --privileged \
    --cap-add=NET_ADMIN \
    --net=host \
    --restart=always \
    -v $VPN_CONFIG_DIR/ipsec.conf:/etc/ipsec.conf \
    -v $VPN_CONFIG_DIR/ipsec.secrets:/etc/ipsec.secrets \
    -v $VPN_CERTIFICATES_DIR/server/chain.pem:/etc/ipsec.d/cacerts/chain.pem \
    -v $VPN_CERTIFICATES_DIR/server/fullchain.pem:/etc/ipsec.d/certs/server.crt \
    -v $VPN_CERTIFICATES_DIR/server/privkey.pem:/etc/ipsec.d/private/server.key \
    -v $VPN_CERTIFICATES_DIR/vpn-ca/ca-cert.pem:/etc/ipsec.d/cacerts/ca-cert.pem \
    -v $VPN_CERTIFICATES_DIR/vpn-client/client-key.pem:/etc/ipsec.d/private/client-key.pem \
    ermalferati/ikev2-vpn-server
Asked by Ermal Ferati (1 rep)
Apr 13, 2025, 01:01 AM
Last activity: Apr 13, 2025, 01:07 AM
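
Added example, not part of the original post and not strongSwan code: ipsec.conf documents leftca/rightca as taking the CA's distinguished name (or %same) rather than a file path, which fits the log line above where charon looks up the path string as a CA name and discards the constraint. The sketch below flags such values and suggests the DN from the matching "loaded ca certificate" log line; the function names `ca_options` and `audit` are hypothetical, and the config and log samples are constructed from the ones in the question.

```python
import re

# Constructed samples, modelled on the ipsec.conf and charon log in the question.
SAMPLE_CONF = """\
conn ikev2-vpn
    leftcert=/etc/ipsec.d/certs/server.crt # a file name is valid for leftcert
    rightauth=pubkey
    rightca=/etc/ipsec.d/cacerts/ca-cert.pem # path where a DN is expected
conn fixed
    rightca="CN=Redacted CA"
    leftca=%same
"""
SAMPLE_LOG = """\
00[CFG]   loaded ca certificate "CN=Redacted CA" from '/etc/ipsec.d/cacerts/ca-cert.pem'
06[CFG] CA certificate "/etc/ipsec.d/cacerts/ca-cert.pem" not found, discarding CA constraint
"""

LOADED = re.compile(r"""loaded ca certificate "([^"]+)" from '([^']+)'""")
DISCARDED = re.compile(r'CA certificate "([^"]+)" not found, discarding CA constraint')
RDN = re.compile(r"^\s*[A-Za-z][A-Za-z0-9.]*\s*=")  # value starts like "CN=", "C=", "O="


def ca_options(conf):
    """Yield (conn, option, value) for every leftca/rightca line in ipsec.conf text."""
    conn = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
        if line.startswith("conn "):
            conn = line.split(None, 1)[1]
        m = re.match(r'(leftca|rightca)\s*=\s*"?([^"]*)"?$', line)
        if m:
            yield conn, m.group(1), m.group(2).strip()


def audit(conf, log=""):
    """Return one finding per CA constraint whose value is not a DN or %same."""
    subject_by_path = {path: dn for dn, path in LOADED.findall(log)}
    discarded = set(DISCARDED.findall(log))
    findings = []
    for conn, option, value in ca_options(conf):
        if value == "%same" or RDN.match(value):
            continue
        findings.append({"conn": conn, "option": option, "value": value,
                         "discarded_in_log": value in discarded,
                         "suggested_dn": subject_by_path.get(value)})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_LOG):
        print(finding)
```

A discarded constraint is worth treating as a finding rather than a warning: with `rightauth=pubkey` and `rightid=%any`, the connection then accepts a client certificate issued by any CA loaded from `/etc/ipsec.d/cacerts`, which in the log above includes Let's Encrypt E6.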