
List:       strongswan-users
Subject:    Re: [strongSwan] Authentication failed error,
From:       Andreas Schuldei <schuldei+strongswan () spotify ! com>
Date:       2009-12-23 23:22:26
Message-ID: f5327b860912231522n4c9f78d1se5fd70b719215245 () mail ! gmail ! com

Thank you Andreas!

i am reworking my CA now.

i think it would make sense to encode the IP AND the hostname into the
ca and see if they match with the peer talking to me. do both need to
go into the subjectAltName? i did something similar in 2000 with
isakmpd on openbsd and encoded the hostname in the CN and the IP in
the subjectAltName like this:

# PKI and friends
# generate the CA first

(cat << 'EOF'
[ req ]
default_bits                = 1024
distinguished_name          = req_DN

[ req_DN ]
countryName                 = "Country Name"
countryName_value           = $ENV::CERT_COUNTRY
localityName                = "Locality Name"
localityName_value          = $ENV::CERT_LOCALITY
organizationName            = "Organisation"
organizationName_value      = $ENV::CERT_ORG
commonName                  = "Common Name"
commonName_value            = $ENV::CERT_CN

[ x509v3 ]
subjectAltName_value        = $ENV::CERT_IP
EOF
)> local_openssl.conf

# key and cert for the CA

export CERT_COUNTRY="se"
export CERT_LOCALITY="${NAME[0]}"
export CERT_ORG=Frontyard
export CERT_CN="FrontyardCA"
export CERT_IP="${IP[0]}"


would that work with strongswan, too? would you say that is a too
rigid setup (it might fail for example if there are several IPs on
the interface.)?

how would that need to look in the ipsec.conf file, then?
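
Added example, not part of the original message and not strongSwan code: a shell script that issues a host certificate carrying both the FQDN and the IP address in subjectAltName, then checks whether an ipsec.conf-style ID (`@fqdn` or an IPv4 address) is present there, which is the condition the quoted reply below gives for `leftid=@...`. The CA, hostnames, addresses and function names are constructed for illustration; the check only inspects the SAN and does not model strongSwan's full ID matching.

```shell
#!/bin/sh
# Added example: all names, addresses and file paths are constructed samples.
set -eu

# make_ca DIR: create a throwaway CA key and self-signed CA certificate.
make_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
C  = SE
O  = Example Org
CN = Example CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_host_cert DIR FQDN [SAN]: sign DIR/FQDN.crt with the CA in DIR.
# SAN is an OpenSSL subjectAltName value such as "DNS:host, IP:192.0.2.1";
# when it is omitted the certificate carries no subjectAltName at all.
issue_host_cert() {
    dir=$1; fqdn=$2; san=${3:-}
    cat > "$dir/$fqdn.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
C  = SE
O  = Example Org
CN = $fqdn
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/$fqdn.cnf" \
        -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" 2>/dev/null
    set --                      # extra arguments for the signing step
    if [ -n "$san" ]; then
        printf 'basicConstraints = CA:FALSE\nsubjectAltName = %s\n' "$san" \
            > "$dir/$fqdn.ext"
        set -- -extfile "$dir/$fqdn.ext"
    fi
    openssl x509 -req -in "$dir/$fqdn.csr" -sha256 -days 30 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        "$@" -out "$dir/$fqdn.crt" 2>/dev/null
}

# cert_san CERT: print the subjectAltName entries, one per line
# (for example "DNS:host" or "IP Address:192.0.2.1"); prints nothing if absent.
cert_san() {
    openssl x509 -in "$1" -noout -text |
        awk 'f { print; f = 0 } /X509v3 Subject Alternative Name/ { f = 1 }' |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# san_confirms_id CERT ID: return 0 if ID is present in the certificate's SAN,
# 1 if it is not, 2 if ID is neither "@fqdn" nor an IPv4 address
# (for example a subject DN, which this check does not cover).
san_confirms_id() {
    case $2 in
        @*)        want="DNS:${2#@}" ;;
        *[!0-9.]*) return 2 ;;
        *)         want="IP Address:$2" ;;
    esac
    want=$(printf '%s' "$want" | tr '[:upper:]' '[:lower:]')
    cert_san "$1" | tr '[:upper:]' '[:lower:]' | grep -Fxq -- "$want"
}

# report CERT ID: print the outcome of san_confirms_id in readable form.
report() {
    if san_confirms_id "$1" "$2"; then
        echo "$2: present in subjectAltName of $1"
    else
        echo "$2: NOT present in subjectAltName of $1"
    fi
}

# Stand-alone demo in a temporary directory.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_ca "$work"
issue_host_cert "$work" krista.example.net "DNS:krista.example.net, IP:192.0.2.93"
issue_host_cert "$work" nadia.example.net   # no SAN, like the certificates in the thread
report "$work/krista.example.net.crt" @krista.example.net
report "$work/krista.example.net.crt" 192.0.2.93
report "$work/nadia.example.net.crt"  @nadia.example.net
```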

On Tue, Dec 22, 2009 at 11:41 PM, Andreas Steffen
<andreas.steffen@strongswan.org> wrote:
> Hello Andreas,
> 
> the problem is that the Fully Qualified Domain Names
> 
> leftid=@krista.sto.spotify.net
> rightid=@nadia.lon.spotify.net
> 
> that you are using are not contained as subjectAltNames in
> the end entity certificates. Thus either add them to the corresponding
> certificates or use the subject DNs as IDs instead:
> 
> leftid="C=NA, ST=NA, L=Stockholm, O=Spotify Operations, \
> OU=Spotify CA, CN=krista.sto.spotify.net,      \
> E=hostmaster@krista.sto.spotify.net"
> 
> The problem with the 'E=..' relative DN has been fixed in
> strongswan-4.3.5 but I recommend *not* to use the ST=, L=, and E=
> RDNs anyway (just leave them empty).
> 
> Best regards
> 
> Andreas
> 
> Andreas Schuldei wrote:
> > Hi!
> > 
> > here is a dump of the configuration of my two involved hosts. as far
> > as i can see my certificates are from the same ca and i don't use
> > strongswan 4.3 which apparently had problems with some DNs or so (I
> > found that in the mailing list archive).
> > 
> > later on i want to do a full mesh of hosts, how should my ipsec.conf
> > look for that? I can easily generate an entry for all involved
> > hosts as the configuration files are machine generated. but i would
> > like to keep them as short as possible, anyway.
> > 
> > 
> > root@krista:~# ipsec restart; sleep 10
> > Stopping strongSwan IPsec...
> > Starting strongSwan 4.2.4 IPsec [starter]...
> > 
> > root@krista:~# ipsec up host-host
> > initiating IKE_SA 'host-host' to 78.31.10.108
> > IKE_SA 'host-host' state change: CREATED => CONNECTING
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from 78.31.14.93[500] to 78.31.10.108[500]
> > received packet: from 78.31.10.108[500] to 78.31.14.93[500]
> > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> > received cert request for "C=NA, ST=NA, L=Stockholm, O=Spotify
> > Operations, OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > sending cert request for "C=NA, ST=NA, L=Stockholm, O=Spotify
> > Operations, OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > authentication of 'C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=krista.sto.spotify.net,
> > E=hostmaster@krista.sto.spotify.net' (myself) with RSA signature
> > successful
> > sending end entity cert "C=NA, ST=NA, L=Stockholm, O=Spotify
> > Operations, OU=Spotify CA, CN=krista.sto.spotify.net,
> > E=hostmaster@krista.sto.spotify.net"
> > establishing CHILD_SA
> > generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH
> > N(USE_TRANSP) SA TSi TSr ]
> > sending packet: from 78.31.14.93[500] to 78.31.10.108[500]
> > received packet: from 78.31.10.108[500] to 78.31.14.93[500]
> > parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > received AUTHENTICATION_FAILED notify error
> > root@krista:~# tail -n 30 /var/log/daemon.log
> > 2009-12-22T21:12:41.000+00:00 krista.sto.spotify.net charon: 01[LIB]
> > loaded certificate file '/etc/ipsec.d/cacerts/ca.crt'
> > 2009-12-22T21:12:41.000+00:00 krista.sto.spotify.net charon: 01[CFG]
> > loading aa certificates from '/etc/ipsec.d/aacerts'
> > 2009-12-22T21:12:41.000+00:00 krista.sto.spotify.net charon: 01[CFG]
> > loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> > 2009-12-22T21:12:41.000+00:00 krista.sto.spotify.net charon: 01[CFG]
> > loading attribute certificates from '/etc/ipsec.d/acerts'
> > 2009-12-22T21:12:41.000+00:00 krista.sto.spotify.net charon: 01[CFG]
> > loading crls from '/etc/ipsec.d/crls'
> > 2009-12-22T21:12:41.000+00:00 krista.sto.spotify.net charon: 01[CFG]
> > loading secrets from '/etc/ipsec.secrets'
> > 2009-12-22T21:12:41.000+00:00 krista.sto.spotify.net charon: 01[CFG]
> > loaded private key file '/etc/ssl/private/krista.sto.spotify.net.key'
> > 2009-12-22T21:12:41.000+00:00 krista.sto.spotify.net charon: 01[JOB]
> > spawning 16 worker threads
> > 2009-12-22T21:12:41.000+00:00 krista.sto.spotify.net charon: 04[CFG]
> > received stroke: add connection 'host-host'
> > 2009-12-22T21:12:41.000+00:00 krista.sto.spotify.net charon: 04[LIB]
> > loaded certificate file '/etc/ssl/certs/krista.sto.spotify.net.crt'
> > 2009-12-22T21:12:41.000+00:00 krista.sto.spotify.net charon: 04[CFG]
> > peerid krista.sto.spotify.net not confirmed by certificate, defaulting
> > to subject DN
> > 2009-12-22T21:12:41.000+00:00 krista.sto.spotify.net charon: 04[CFG]
> > added configuration 'host-host': 78.31.14.93[C=NA, ST=NA, L=Stockholm,
> > O=Spotify Operations, OU=Spotify CA, CN=krista.sto.spotify.net,
> > E=hostmaster@krista.sto.spotify.net]...78.31.10.108[nadia.lon.spotify.net]
> > 2009-12-22T21:12:51.000+00:00 krista.sto.spotify.net charon: 07[CFG]
> > received stroke: initiate 'host-host'
> > 2009-12-22T21:12:51.000+00:00 krista.sto.spotify.net charon: 11[AUD]
> > initiating IKE_SA 'host-host' to 78.31.10.108
> > 2009-12-22T21:12:51.000+00:00 krista.sto.spotify.net charon: 11[IKE]
> > IKE_SA 'host-host' state change: CREATED => CONNECTING
> > 2009-12-22T21:12:51.000+00:00 krista.sto.spotify.net charon: 11[ENC]
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> > ]
> > 2009-12-22T21:12:51.000+00:00 krista.sto.spotify.net charon: 11[NET]
> > sending packet: from 78.31.14.93[500] to 78.31.10.108[500]
> > 2009-12-22T21:12:51.000+00:00 krista.sto.spotify.net charon: 12[NET]
> > received packet: from 78.31.10.108[500] to 78.31.14.93[500]
> > 2009-12-22T21:12:51.000+00:00 krista.sto.spotify.net charon: 12[ENC]
> > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> > CERTREQ ]
> > 2009-12-22T21:12:51.000+00:00 krista.sto.spotify.net charon: 12[IKE]
> > received cert request for "C=NA, ST=NA, L=Stockholm, O=Spotify
> > Operations, OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > 2009-12-22T21:12:51.000+00:00 krista.sto.spotify.net charon: 12[IKE]
> > sending cert request for "C=NA, ST=NA, L=Stockholm, O=Spotify
> > Operations, OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > 2009-12-22T21:12:51.000+00:00 krista.sto.spotify.net charon: 12[IKE]
> > authentication of 'C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=krista.sto.spotify.net,
> > E=hostmaster@krista.sto.spotify.net' (myself) with RSA signature
> > successful
> > 2009-12-22T21:12:51.000+00:00 krista.sto.spotify.net charon: 12[IKE]
> > sending end entity cert "C=NA, ST=NA, L=Stockholm, O=Spotify
> > Operations, OU=Spotify CA, CN=krista.sto.spotify.net,
> > E=hostmaster@krista.sto.spotify.net"
> > 2009-12-22T21:12:51.000+00:00 krista.sto.spotify.net charon: 12[AUD]
> > establishing CHILD_SA
> > 2009-12-22T21:12:51.000+00:00 krista.sto.spotify.net charon: 12[ENC]
> > generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH
> > N(USE_TRANSP) SA TSi TSr ]
> > 2009-12-22T21:12:51.000+00:00 krista.sto.spotify.net charon: 12[NET]
> > sending packet: from 78.31.14.93[500] to 78.31.10.108[500]
> > 2009-12-22T21:12:51.000+00:00 krista.sto.spotify.net charon: 13[NET]
> > received packet: from 78.31.10.108[500] to 78.31.14.93[500]
> > 2009-12-22T21:12:51.000+00:00 krista.sto.spotify.net charon: 13[ENC]
> > parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > 2009-12-22T21:12:51.000+00:00 krista.sto.spotify.net charon: 13[AUD]
> > received AUTHENTICATION_FAILED notify error
> > 2009-12-22T21:12:51.000+00:00 krista.sto.spotify.net charon: 13[AUD]
> > establishing CHILD_SA failed
> > root@krista:~# cat /etc/ipsec.conf
> > # generated by fai
> > # /etc/ipsec.conf - strongSwan IPsec configuration file
> > 
> > 
> > config setup
> > crlcheckinterval0
> > strictcrlpolicy=no
> > plutostart=no
> > 
> > conn %default
> > ikelifetime=60m
> > keylife=20m
> > rekeymargin=3m
> > keyingtries=1
> > mobike=no
> > keyexchange=ikev2
> > right=%any
> > rightca="C=NA, ST=NA, L=Stockholm, O=Spotify Operations, OU=Spotify
> > CA, CN=Spotify CA/emailAddress=operations@spotify.com"
> > leftsendcert=ifasked
> > 
> > conn host-host
> > left=78.31.14.93
> > leftcert=/etc/ssl/certs/krista.sto.spotify.net.crt
> > leftid=@krista.sto.spotify.net
> > right=78.31.10.108
> > rightid=@nadia.lon.spotify.net
> > type=transport
> > auto=add
> > root@krista:~# cat /etc/strongswan.conf
> > # /etc/strongswan.conf - strongSwan configuration file
> > 
> > charon {
> > threads = 16
> > #load = gmp random x509 hmac xcbc stroke
> > multiple_authentication = no
> > }
> > root@krista:~# ipsec listall
> > 
> > List of X.509 End Entity Certificates:
> > 
> > subject:   "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=krista.sto.spotify.net,
> > E=hostmaster@krista.sto.spotify.net"
> > issuer:    "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > serial:      0f
> > validity:   not before Dec 22 15:35:18 2009, ok
> > not after   Dec 22 15:35:18 2010, ok
> > pubkey:      RSA 2048 bits, has private key
> > keyid:       ab:be:c4:1d:d6:db:ab:52:81:70:3e:01:42:d6:b0:65:45:19:1b:79
> > subjkey:    9f:86:76:44:df:34:cb:59:0d:32:86:d0:23:35:6b:81:0b:77:b0:06
> > authkey:    22:7f:35:38:c4:6f:f9:c0:a9:7f:ed:ce:e6:12:11:08:80:53:66:ee
> > 
> > List of X.509 CA Certificates:
> > 
> > subject:   "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > issuer:    "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > serial:      00:8c:e7:8c:65:22:8f:ea:c4
> > validity:   not before Jul 09 23:42:35 2009, ok
> > not after   Jul 07 23:42:35 2019, ok
> > pubkey:      RSA 2048 bits
> > keyid:       53:c4:21:66:29:52:36:a9:9a:9b:8d:7c:d5:30:0d:f5:34:95:4c:bd
> > subjkey:    22:7f:35:38:c4:6f:f9:c0:a9:7f:ed:ce:e6:12:11:08:80:53:66:ee
> > authkey:    22:7f:35:38:c4:6f:f9:c0:a9:7f:ed:ce:e6:12:11:08:80:53:66:ee
> > root@krista:~# ipsec statusall
> > Performance:
> > uptime: 10 seconds, since Dec 22 21:12:41 2009
> > worker threads: 10 idle of 16, job queue load: 0, scheduled events: 2
> > loaded plugins: ldap gmp random x509 pubkey hmac xcbc openssl stroke
> > Listening IP addresses:
> > 78.31.14.93
> > Connections:
> > host-host:   78.31.14.93[C=NA, ST=NA, L=Stockholm, O=Spotify
> > Operations, OU=Spotify CA, CN=krista.sto.spotify.net,
> > E=hostmaster@krista.sto.spotify.net]...78.31.10.108[nadia.lon.spotify.net]
> > host-host:      dynamic/32 === dynamic/32
> > Security Associations:
> > none
> > root@krista:~# openssl x509 -text -in /etc/ipsec.d/cacerts/ca.crt
> > Certificate:
> > Data:
> > Version: 3 (0x2)
> > Serial Number:
> > 8c:e7:8c:65:22:8f:ea:c4
> > Signature Algorithm: sha1WithRSAEncryption
> > Issuer: C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=Spotify CA/emailAddress=operations@spotify.com
> > Validity
> > Not Before: Jul   9 23:42:35 2009 GMT
> > Not After : Jul   7 23:42:35 2019 GMT
> > Subject: C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=Spotify CA/emailAddress=operations@spotify.com
> > Subject Public Key Info:
> > Public Key Algorithm: rsaEncryption
> > RSA Public Key: (2048 bit)
> > Modulus (2048 bit):
> > Exponent: 65537 (0x10001)
> > X509v3 extensions:
> > X509v3 Subject Key Identifier:
> > 22:7F:35:38:C4:6F:F9:C0:A9:7F:ED:CE:E6:12:11:08:80:53:66:EE
> > X509v3 Authority Key Identifier:
> > 
> > keyid:22:7F:35:38:C4:6F:F9:C0:A9:7F:ED:CE:E6:12:11:08:80:53:66:EE
> > DirName:/C=NA/ST=NA/L=Stockholm/O=Spotify
> > Operations/OU=Spotify CA/CN=Spotify
> > CA/emailAddress=operations@spotify.com
> > serial:8C:E7:8C:65:22:8F:EA:C4
> > 
> > X509v3 Basic Constraints:
> > CA:TRUE
> > Signature Algorithm: sha1WithRSAEncryption
> > root@krista:~# openssl x509 -text -in /etc/ssl/certs/*spotify.net.crt
> > Certificate:
> > Data:
> > Version: 3 (0x2)
> > Serial Number: 15 (0xf)
> > Signature Algorithm: sha1WithRSAEncryption
> > Issuer: C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=Spotify CA/emailAddress=operations@spotify.com
> > Validity
> > Not Before: Dec 22 15:35:18 2009 GMT
> > Not After : Dec 22 15:35:18 2010 GMT
> > Subject: C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=krista.sto.spotify.net/emailAddress=hostmaster@krista.sto.spotify.net
> >  Subject Public Key Info:
> > Public Key Algorithm: rsaEncryption
> > RSA Public Key: (2048 bit)
> > Modulus (2048 bit):
> > Exponent: 65537 (0x10001)
> > X509v3 extensions:
> > X509v3 Basic Constraints:
> > CA:FALSE
> > Netscape Cert Type:
> > SSL Server
> > Netscape Comment:
> > Spotify CA cert
> > X509v3 Subject Key Identifier:
> > 9F:86:76:44:DF:34:CB:59:0D:32:86:D0:23:35:6B:81:0B:77:B0:06
> > X509v3 Authority Key Identifier:
> > 
> > keyid:22:7F:35:38:C4:6F:F9:C0:A9:7F:ED:CE:E6:12:11:08:80:53:66:EE
> > DirName:/C=NA/ST=NA/L=Stockholm/O=Spotify
> > Operations/OU=Spotify CA/CN=Spotify
> > CA/emailAddress=operations@spotify.com
> > serial:8C:E7:8C:65:22:8F:EA:C4
> > 
> > X509v3 Extended Key Usage:
> > TLS Web Server Authentication
> > X509v3 Key Usage:
> > Digital Signature, Key Encipherment
> > Signature Algorithm: sha1WithRSAEncryption
> > 
> > 
> > 
> > root@krista:~# ipsec up host-host
> > initiating IKE_SA 'host-host' to 78.31.10.108
> > IKE_SA 'host-host' state change: CREATED => CONNECTING
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from 78.31.14.93[500] to 78.31.10.108[500]
> > received packet: from 78.31.10.108[500] to 78.31.14.93[500]
> > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> > received cert request for "C=NA, ST=NA, L=Stockholm, O=Spotify
> > Operations, OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > sending cert request for "C=NA, ST=NA, L=Stockholm, O=Spotify
> > Operations, OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > authentication of 'C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=krista.sto.spotify.net,
> > E=hostmaster@krista.sto.spotify.net' (myself) with RSA signature
> > successful
> > sending end entity cert "C=NA, ST=NA, L=Stockholm, O=Spotify
> > Operations, OU=Spotify CA, CN=krista.sto.spotify.net,
> > E=hostmaster@krista.sto.spotify.net"
> > establishing CHILD_SA
> > generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH
> > N(USE_TRANSP) SA TSi TSr ]
> > sending packet: from 78.31.14.93[500] to 78.31.10.108[500]
> > received packet: from 78.31.10.108[500] to 78.31.14.93[500]
> > parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > received AUTHENTICATION_FAILED notify error
> > root@krista:~# ipsec listall
> > 
> > List of X.509 End Entity Certificates:
> > 
> > subject:   "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=krista.sto.spotify.net,
> > E=hostmaster@krista.sto.spotify.net"
> > issuer:    "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > serial:      0f
> > validity:   not before Dec 22 15:35:18 2009, ok
> > not after   Dec 22 15:35:18 2010, ok
> > pubkey:      RSA 2048 bits, has private key
> > keyid:       ab:be:c4:1d:d6:db:ab:52:81:70:3e:01:42:d6:b0:65:45:19:1b:79
> > subjkey:    9f:86:76:44:df:34:cb:59:0d:32:86:d0:23:35:6b:81:0b:77:b0:06
> > authkey:    22:7f:35:38:c4:6f:f9:c0:a9:7f:ed:ce:e6:12:11:08:80:53:66:ee
> > 
> > List of X.509 CA Certificates:
> > 
> > subject:   "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > issuer:    "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > serial:      00:8c:e7:8c:65:22:8f:ea:c4
> > validity:   not before Jul 09 23:42:35 2009, ok
> > not after   Jul 07 23:42:35 2019, ok
> > pubkey:      RSA 2048 bits
> > keyid:       53:c4:21:66:29:52:36:a9:9a:9b:8d:7c:d5:30:0d:f5:34:95:4c:bd
> > subjkey:    22:7f:35:38:c4:6f:f9:c0:a9:7f:ed:ce:e6:12:11:08:80:53:66:ee
> > authkey:    22:7f:35:38:c4:6f:f9:c0:a9:7f:ed:ce:e6:12:11:08:80:53:66:ee
> > root@krista:~# ipsec listall
> > 
> > List of X.509 End Entity Certificates:
> > 
> > subject:   "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=krista.sto.spotify.net,
> > E=hostmaster@krista.sto.spotify.net"
> > issuer:    "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > serial:      0f
> > validity:   not before Dec 22 15:35:18 2009, ok
> > not after   Dec 22 15:35:18 2010, ok
> > pubkey:      RSA 2048 bits, has private key
> > keyid:       ab:be:c4:1d:d6:db:ab:52:81:70:3e:01:42:d6:b0:65:45:19:1b:79
> > subjkey:    9f:86:76:44:df:34:cb:59:0d:32:86:d0:23:35:6b:81:0b:77:b0:06
> > authkey:    22:7f:35:38:c4:6f:f9:c0:a9:7f:ed:ce:e6:12:11:08:80:53:66:ee
> > 
> > subject:   "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=nadia.lon.spotify.net,
> > E=hostmaster@nadia.lon.spotify.net"
> > issuer:    "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > serial:      0e
> > validity:   not before Jul 10 07:55:15 2009, ok
> > not after   Jul 10 07:55:15 2010, ok
> > pubkey:      RSA 2048 bits
> > keyid:       dc:0d:85:73:2d:c3:6b:02:e9:52:bb:73:1e:a6:71:fe:34:09:0e:1d
> > subjkey:    f0:76:38:09:bc:b7:c2:f7:64:f2:dc:88:49:79:32:6a:49:28:ba:8b
> > authkey:    22:7f:35:38:c4:6f:f9:c0:a9:7f:ed:ce:e6:12:11:08:80:53:66:ee
> > 
> > List of X.509 CA Certificates:
> > 
> > subject:   "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > issuer:    "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > serial:      00:8c:e7:8c:65:22:8f:ea:c4
> > validity:   not before Jul 09 23:42:35 2009, ok
> > not after   Jul 07 23:42:35 2019, ok
> > pubkey:      RSA 2048 bits
> > keyid:       53:c4:21:66:29:52:36:a9:9a:9b:8d:7c:d5:30:0d:f5:34:95:4c:bd
> > subjkey:    22:7f:35:38:c4:6f:f9:c0:a9:7f:ed:ce:e6:12:11:08:80:53:66:ee
> > authkey:    22:7f:35:38:c4:6f:f9:c0:a9:7f:ed:ce:e6:12:11:08:80:53:66:ee
> > 
> > 
> > root@nadia:~# ipsec restart; sleep 10
> > Stopping strongSwan IPsec...
> > Starting strongSwan 4.2.4 IPsec [starter]...
> > root@nadia:~# ipsec up host-host
> > initiating IKE_SA 'host-host' to 78.31.14.93
> > IKE_SA 'host-host' state change: CREATED => CONNECTING
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from 78.31.10.108[500] to 78.31.14.93[500]
> > received packet: from 78.31.14.93[500] to 78.31.10.108[500]
> > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> > received cert request for "C=NA, ST=NA, L=Stockholm, O=Spotify
> > Operations, OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > sending cert request for "C=NA, ST=NA, L=Stockholm, O=Spotify
> > Operations, OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > authentication of 'C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=nadia.lon.spotify.net,
> > E=hostmaster@nadia.lon.spotify.net' (myself) with RSA signature
> > successful
> > sending end entity cert "C=NA, ST=NA, L=Stockholm, O=Spotify
> > Operations, OU=Spotify CA, CN=nadia.lon.spotify.net,
> > E=hostmaster@nadia.lon.spotify.net"
> > establishing CHILD_SA
> > generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH
> > N(USE_TRANSP) SA TSi TSr ]
> > sending packet: from 78.31.10.108[500] to 78.31.14.93[500]
> > received packet: from 78.31.14.93[500] to 78.31.10.108[500]
> > parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > received AUTHENTICATION_FAILED notify error
> > root@nadia:~# tail -n 30 /var/log/daemon.log
> > 2009-12-22T21:12:21.000+00:00 nadia.lon.spotify.net charon: 01[LIB]
> > loaded certificate file '/etc/ipsec.d/cacerts/spotify-ipsec-cert.crt'
> > 2009-12-22T21:12:21.000+00:00 nadia.lon.spotify.net charon: 01[CFG]
> > loading aa certificates from '/etc/ipsec.d/aacerts'
> > 2009-12-22T21:12:21.000+00:00 nadia.lon.spotify.net charon: 01[CFG]
> > loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> > 2009-12-22T21:12:21.000+00:00 nadia.lon.spotify.net charon: 01[CFG]
> > loading attribute certificates from '/etc/ipsec.d/acerts'
> > 2009-12-22T21:12:21.000+00:00 nadia.lon.spotify.net charon: 01[CFG]
> > loading crls from '/etc/ipsec.d/crls'
> > 2009-12-22T21:12:21.000+00:00 nadia.lon.spotify.net charon: 01[CFG]
> > loading secrets from '/etc/ipsec.secrets'
> > 2009-12-22T21:12:21.000+00:00 nadia.lon.spotify.net charon: 01[CFG]
> > loaded private key file '/etc/ssl/private/nadia.lon.spotify.net.key'
> > 2009-12-22T21:12:21.000+00:00 nadia.lon.spotify.net charon: 01[JOB]
> > spawning 16 worker threads
> > 2009-12-22T21:12:21.000+00:00 nadia.lon.spotify.net charon: 04[CFG]
> > received stroke: add connection 'host-host'
> > 2009-12-22T21:12:21.000+00:00 nadia.lon.spotify.net charon: 04[LIB]
> > loaded certificate file '/etc/ssl/certs/nadia.lon.spotify.net.crt'
> > 2009-12-22T21:12:21.000+00:00 nadia.lon.spotify.net charon: 04[CFG]
> > peerid nadia.lon.spotify.net not confirmed by certificate, defaulting
> > to subject DN
> > 2009-12-22T21:12:21.000+00:00 nadia.lon.spotify.net charon: 04[CFG]
> > added configuration 'host-host': 78.31.10.108[C=NA, ST=NA,
> > L=Stockholm, O=Spotify Operations, OU=Spotify CA,
> > CN=nadia.lon.spotify.net,
> > E=hostmaster@nadia.lon.spotify.net]...78.31.14.93[krista.sto.spotify.net]
> > 2009-12-22T21:12:31.000+00:00 nadia.lon.spotify.net charon: 06[CFG]
> > received stroke: initiate 'host-host'
> > 2009-12-22T21:12:31.000+00:00 nadia.lon.spotify.net charon: 10[AUD]
> > initiating IKE_SA 'host-host' to 78.31.14.93
> > 2009-12-22T21:12:31.000+00:00 nadia.lon.spotify.net charon: 10[IKE]
> > IKE_SA 'host-host' state change: CREATED => CONNECTING
> > 2009-12-22T21:12:31.000+00:00 nadia.lon.spotify.net charon: 10[ENC]
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> > ]
> > 2009-12-22T21:12:31.000+00:00 nadia.lon.spotify.net charon: 10[NET]
> > sending packet: from 78.31.10.108[500] to 78.31.14.93[500]
> > 2009-12-22T21:12:31.000+00:00 nadia.lon.spotify.net charon: 11[NET]
> > received packet: from 78.31.14.93[500] to 78.31.10.108[500]
> > 2009-12-22T21:12:31.000+00:00 nadia.lon.spotify.net charon: 11[ENC]
> > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> > CERTREQ ]
> > 2009-12-22T21:12:31.000+00:00 nadia.lon.spotify.net charon: 11[IKE]
> > received cert request for "C=NA, ST=NA, L=Stockholm, O=Spotify
> > Operations, OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > 2009-12-22T21:12:31.000+00:00 nadia.lon.spotify.net charon: 11[IKE]
> > sending cert request for "C=NA, ST=NA, L=Stockholm, O=Spotify
> > Operations, OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > 2009-12-22T21:12:31.000+00:00 nadia.lon.spotify.net charon: 11[IKE]
> > authentication of 'C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=nadia.lon.spotify.net,
> > E=hostmaster@nadia.lon.spotify.net' (myself) with RSA signature
> > successful
> > 2009-12-22T21:12:31.000+00:00 nadia.lon.spotify.net charon: 11[IKE]
> > sending end entity cert "C=NA, ST=NA, L=Stockholm, O=Spotify
> > Operations, OU=Spotify CA, CN=nadia.lon.spotify.net,
> > E=hostmaster@nadia.lon.spotify.net"
> > 2009-12-22T21:12:31.000+00:00 nadia.lon.spotify.net charon: 11[AUD]
> > establishing CHILD_SA
> > 2009-12-22T21:12:31.000+00:00 nadia.lon.spotify.net charon: 11[ENC]
> > generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH
> > N(USE_TRANSP) SA TSi TSr ]
> > 2009-12-22T21:12:31.000+00:00 nadia.lon.spotify.net charon: 11[NET]
> > sending packet: from 78.31.10.108[500] to 78.31.14.93[500]
> > 2009-12-22T21:12:31.000+00:00 nadia.lon.spotify.net charon: 12[NET]
> > received packet: from 78.31.14.93[500] to 78.31.10.108[500]
> > 2009-12-22T21:12:31.000+00:00 nadia.lon.spotify.net charon: 12[ENC]
> > parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > 2009-12-22T21:12:31.000+00:00 nadia.lon.spotify.net charon: 12[AUD]
> > received AUTHENTICATION_FAILED notify error
> > 2009-12-22T21:12:31.000+00:00 nadia.lon.spotify.net charon: 12[AUD]
> > establishing CHILD_SA failed
> > root@nadia:~# cat /etc/ipsec.conf
> > # generated by fai
> > # /etc/ipsec.conf - strongSwan IPsec configuration file
> > 
> > 
> > config setup
> > crlcheckinterval0
> > strictcrlpolicy=no
> > plutostart=no
> > 
> > conn %default
> > ikelifetime=60m
> > keylife=20m
> > rekeymargin=3m
> > keyingtries=1
> > mobike=no
> > keyexchange=ikev2
> > right=%any
> > rightca="C=NA, ST=NA, L=Stockholm, O=Spotify Operations, OU=Spotify
> > CA, CN=Spotify CA/emailAddress=operations@spotify.com"
> > leftsendcert=ifasked
> > 
> > conn host-host
> > left=78.31.10.108
> > leftcert=/etc/ssl/certs/nadia.lon.spotify.net.crt
> > leftid=@nadia.lon.spotify.net
> > right=78.31.14.93
> > rightid=@krista.sto.spotify.net
> > type=transport
> > auto=add
> > root@nadia:~# cat /etc/strongswan.conf
> > # /etc/strongswan.conf - strongSwan configuration file
> > 
> > charon {
> > threads = 16
> > #load = gmp random x509 hmac xcbc stroke
> > multiple_authentication = no
> > }
> > root@nadia:~# ipsec listall
> > 
> > List of X.509 End Entity Certificates:
> > 
> > subject:   "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=nadia.lon.spotify.net,
> > E=hostmaster@nadia.lon.spotify.net"
> > issuer:    "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > serial:      0e
> > validity:   not before Jul 10 07:55:15 2009, ok
> > not after   Jul 10 07:55:15 2010, ok
> > pubkey:      RSA 2048 bits, has private key
> > keyid:       dc:0d:85:73:2d:c3:6b:02:e9:52:bb:73:1e:a6:71:fe:34:09:0e:1d
> > subjkey:    f0:76:38:09:bc:b7:c2:f7:64:f2:dc:88:49:79:32:6a:49:28:ba:8b
> > authkey:    22:7f:35:38:c4:6f:f9:c0:a9:7f:ed:ce:e6:12:11:08:80:53:66:ee
> > 
> > List of X.509 CA Certificates:
> > 
> > subject:   "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > issuer:    "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > serial:      00:8c:e7:8c:65:22:8f:ea:c4
> > validity:   not before Jul 09 23:42:35 2009, ok
> > not after   Jul 07 23:42:35 2019, ok
> > pubkey:      RSA 2048 bits
> > keyid:       53:c4:21:66:29:52:36:a9:9a:9b:8d:7c:d5:30:0d:f5:34:95:4c:bd
> > subjkey:    22:7f:35:38:c4:6f:f9:c0:a9:7f:ed:ce:e6:12:11:08:80:53:66:ee
> > authkey:    22:7f:35:38:c4:6f:f9:c0:a9:7f:ed:ce:e6:12:11:08:80:53:66:ee
> > root@nadia:~# ipsec statusall
> > Performance:
> > uptime: 10 seconds, since Dec 22 21:12:21 2009
> > worker threads: 10 idle of 16, job queue load: 0, scheduled events: 2
> > loaded plugins: ldap gmp random x509 pubkey hmac xcbc openssl stroke
> > Listening IP addresses:
> > 78.31.10.108
> > Connections:
> > host-host:   78.31.10.108[C=NA, ST=NA, L=Stockholm, O=Spotify
> > Operations, OU=Spotify CA, CN=nadia.lon.spotify.net,
> > E=hostmaster@nadia.lon.spotify.net]...78.31.14.93[krista.sto.spotify.net]
> > host-host:      dynamic/32 === dynamic/32
> > Security Associations:
> > none
> > root@nadia:~# openssl x509 -text -in /etc/ipsec.d/cacerts/ca.crt
> > Certificate:
> > Data:
> > Version: 3 (0x2)
> > Serial Number:
> > 8c:e7:8c:65:22:8f:ea:c4
> > Signature Algorithm: sha1WithRSAEncryption
> > Issuer: C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=Spotify CA/emailAddress=operations@spotify.com
> > Validity
> > Not Before: Jul   9 23:42:35 2009 GMT
> > Not After : Jul   7 23:42:35 2019 GMT
> > Subject: C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=Spotify CA/emailAddress=operations@spotify.com
> > Subject Public Key Info:
> > Public Key Algorithm: rsaEncryption
> > RSA Public Key: (2048 bit)
> > Modulus (2048 bit):
> > Exponent: 65537 (0x10001)
> > X509v3 extensions:
> > X509v3 Subject Key Identifier:
> > 22:7F:35:38:C4:6F:F9:C0:A9:7F:ED:CE:E6:12:11:08:80:53:66:EE
> > X509v3 Authority Key Identifier:
> > 
> > keyid:22:7F:35:38:C4:6F:F9:C0:A9:7F:ED:CE:E6:12:11:08:80:53:66:EE
> > DirName:/C=NA/ST=NA/L=Stockholm/O=Spotify
> > Operations/OU=Spotify CA/CN=Spotify
> > CA/emailAddress=operations@spotify.com
> > serial:8C:E7:8C:65:22:8F:EA:C4
> > 
> > X509v3 Basic Constraints:
> > CA:TRUE
> > Signature Algorithm: sha1WithRSAEncryption
> > root@nadia:~# openssl x509 -text -in /etc/ssl/certs/*spotify.net.crt
> > Certificate:
> > Data:
> > Version: 3 (0x2)
> > Serial Number: 14 (0xe)
> > Signature Algorithm: sha1WithRSAEncryption
> > Issuer: C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=Spotify CA/emailAddress=operations@spotify.com
> > Validity
> > Not Before: Jul 10 07:55:15 2009 GMT
> > Not After : Jul 10 07:55:15 2010 GMT
> > Subject: C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=nadia.lon.spotify.net/emailAddress=hostmaster@nadia.lon.spotify.net
> >  Subject Public Key Info:
> > Public Key Algorithm: rsaEncryption
> > RSA Public Key: (2048 bit)
> > Modulus (2048 bit):
> > Exponent: 65537 (0x10001)
> > X509v3 extensions:
> > X509v3 Basic Constraints:
> > CA:FALSE
> > Netscape Cert Type:
> > SSL Server
> > Netscape Comment:
> > Spotify CA cert
> > X509v3 Subject Key Identifier:
> > F0:76:38:09:BC:B7:C2:F7:64:F2:DC:88:49:79:32:6A:49:28:BA:8B
> > X509v3 Authority Key Identifier:
> > 
> > keyid:22:7F:35:38:C4:6F:F9:C0:A9:7F:ED:CE:E6:12:11:08:80:53:66:EE
> > DirName:/C=NA/ST=NA/L=Stockholm/O=Spotify
> > Operations/OU=Spotify CA/CN=Spotify
> > CA/emailAddress=operations@spotify.com
> > serial:8C:E7:8C:65:22:8F:EA:C4
> > 
> > X509v3 Extended Key Usage:
> > TLS Web Server Authentication
> > X509v3 Key Usage:
> > Digital Signature, Key Encipherment
> > Signature Algorithm: sha1WithRSAEncryption
> > root@nadia:~#
> > root@nadia:~# ipsec up host-host
> > initiating IKE_SA 'host-host' to 78.31.14.93
> > IKE_SA 'host-host' state change: CREATED => CONNECTING
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from 78.31.10.108[500] to 78.31.14.93[500]
> > received packet: from 78.31.14.93[500] to 78.31.10.108[500]
> > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> > received cert request for "C=NA, ST=NA, L=Stockholm, O=Spotify
> > Operations, OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > sending cert request for "C=NA, ST=NA, L=Stockholm, O=Spotify
> > Operations, OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > authentication of 'C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=nadia.lon.spotify.net,
> > E=hostmaster@nadia.lon.spotify.net' (myself) with RSA signature
> > successful
> > sending end entity cert "C=NA, ST=NA, L=Stockholm, O=Spotify
> > Operations, OU=Spotify CA, CN=nadia.lon.spotify.net,
> > E=hostmaster@nadia.lon.spotify.net"
> > establishing CHILD_SA
> > generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH
> > N(USE_TRANSP) SA TSi TSr ]
> > sending packet: from 78.31.10.108[500] to 78.31.14.93[500]
> > received packet: from 78.31.14.93[500] to 78.31.10.108[500]
> > parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > received AUTHENTICATION_FAILED notify error
> > root@nadia:~# ipsec statusall
> > Performance:
> > uptime: 84 seconds, since Dec 22 21:12:21 2009
> > worker threads: 10 idle of 16, job queue load: 0, scheduled events: 1
> > loaded plugins: ldap gmp random x509 pubkey hmac xcbc openssl stroke
> > Listening IP addresses:
> > 78.31.10.108
> > Connections:
> > host-host:   78.31.10.108[C=NA, ST=NA, L=Stockholm, O=Spotify
> > Operations, OU=Spotify CA, CN=nadia.lon.spotify.net,
> > E=hostmaster@nadia.lon.spotify.net]...78.31.14.93[krista.sto.spotify.net]
> > host-host:      dynamic/32 === dynamic/32
> > Security Associations:
> > none
> > root@nadia:~# ipsec listall
> > 
> > List of X.509 End Entity Certificates:
> > 
> > subject:   "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=nadia.lon.spotify.net,
> > E=hostmaster@nadia.lon.spotify.net"
> > issuer:    "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > serial:      0e
> > validity:   not before Jul 10 07:55:15 2009, ok
> > not after   Jul 10 07:55:15 2010, ok
> > pubkey:      RSA 2048 bits, has private key
> > keyid:       dc:0d:85:73:2d:c3:6b:02:e9:52:bb:73:1e:a6:71:fe:34:09:0e:1d
> > subjkey:    f0:76:38:09:bc:b7:c2:f7:64:f2:dc:88:49:79:32:6a:49:28:ba:8b
> > authkey:    22:7f:35:38:c4:6f:f9:c0:a9:7f:ed:ce:e6:12:11:08:80:53:66:ee
> > 
> > subject:   "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=krista.sto.spotify.net,
> > E=hostmaster@krista.sto.spotify.net"
> > issuer:    "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > serial:      0f
> > validity:   not before Dec 22 15:35:18 2009, ok
> > not after   Dec 22 15:35:18 2010, ok
> > pubkey:      RSA 2048 bits
> > keyid:       ab:be:c4:1d:d6:db:ab:52:81:70:3e:01:42:d6:b0:65:45:19:1b:79
> > subjkey:    9f:86:76:44:df:34:cb:59:0d:32:86:d0:23:35:6b:81:0b:77:b0:06
> > authkey:    22:7f:35:38:c4:6f:f9:c0:a9:7f:ed:ce:e6:12:11:08:80:53:66:ee
> > 
> > List of X.509 CA Certificates:
> > 
> > subject:   "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > issuer:    "C=NA, ST=NA, L=Stockholm, O=Spotify Operations,
> > OU=Spotify CA, CN=Spotify CA, E=operations@spotify.com"
> > serial:      00:8c:e7:8c:65:22:8f:ea:c4
> > validity:   not before Jul 09 23:42:35 2009, ok
> > not after   Jul 07 23:42:35 2019, ok
> > pubkey:      RSA 2048 bits
> > keyid:       53:c4:21:66:29:52:36:a9:9a:9b:8d:7c:d5:30:0d:f5:34:95:4c:bd
> > subjkey:    22:7f:35:38:c4:6f:f9:c0:a9:7f:ed:ce:e6:12:11:08:80:53:66:ee
> > authkey:    22:7f:35:38:c4:6f:f9:c0:a9:7f:ed:ce:e6:12:11:08:80:53:66:ee
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen@strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
> 
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
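
A simplified check of the rule discussed in this thread, as an added example that is not part of the original messages: an ID from ipsec.conf is backed by a certificate only if it equals the subject DN or appears in a subjectAltName of the same type. The certificate excerpts are constructed and the function names are hypothetical; this models the matching rule and is not strongSwan code.

```python
import ipaddress
import re

# Constructed excerpts laid out like `openssl x509 -text` output. The first
# mirrors the host certificate in the thread (no subjectAltName); the second
# is a hypothetical reissued certificate.
CERT_NO_SAN = """\
        Subject: C=NA, O=Spotify Operations, CN=nadia.lon.spotify.net
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""
CERT_WITH_SAN = """\
        Subject: C=NA, O=Spotify Operations, CN=nadia.lon.spotify.net
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:nadia.lon.spotify.net, IP Address:78.31.10.108
"""


def parse_cert(text):
    """Return (subject DN, {'fqdn': set, 'ip': set}) from the text dump."""
    match = re.search(r"^\s*Subject:\s*(.+)$", text, re.M)
    san = {"fqdn": set(), "ip": set()}
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if "X509v3 Subject Alternative Name" not in line:
            continue
        for entry in lines[i + 1].split(","):
            kind, _, value = entry.strip().partition(":")
            if kind == "DNS":
                san["fqdn"].add(value.lower())
            elif kind == "IP Address":
                san["ip"].add(ipaddress.ip_address(value))
    return (match.group(1) if match else ""), san


def classify_id(ident):
    """'@name' is an FQDN ID, a literal address an IP ID, 'k=v, ...' a DN."""
    if ident.startswith("@"):
        return "fqdn", ident[1:].lower()
    try:
        return "ip", ipaddress.ip_address(ident)
    except ValueError:
        return ("dn", ident) if "=" in ident else ("fqdn", ident.lower())


def normalize_dn(dn):
    """Split a DN on commas and trim each part (assumes no commas in values)."""
    return [part.strip() for part in dn.split(",")]


def id_backed_by_cert(ident, cert_text):
    """True if the ID equals the subject DN or a subjectAltName of its type.
    The CN alone is deliberately not accepted for an FQDN ID."""
    subject, san = parse_cert(cert_text)
    kind, value = classify_id(ident)
    if kind == "dn":
        return normalize_dn(value) == normalize_dn(subject)
    return value in san[kind]


if __name__ == "__main__":
    for cert in (CERT_NO_SAN, CERT_WITH_SAN):
        print(id_backed_by_cert("@nadia.lon.spotify.net", cert))
```

Running the same check against the peer's certificate with the configured rightid shows whether the remote side can satisfy the ID before an IKE_AUTH exchange is attempted.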