R8000 - 03/19 Kong Build - IPSec Issue...

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2, 3, 4  Next
Author Message
Siggyceline
DD-WRT User


Joined: 14 Jan 2018
Posts: 65

PostPosted: Sat Mar 24, 2018 13:43    Post subject: R8000 - 03/19 Kong Build - IPSec Issue... Reply with quote
I had originally posted this over in the Atheros main thread, since that is where Kong left the notice about his Tips page and the new IPSec guide. Thought to maybe move the post over here, since it belongs in Broadcom thread.

Fundamental issue is I cannot seem to get a valid User/Key/Cert made...


<Kong> wrote:


By the way, anyone checked out:

http://tips.desipro.de/

IPSec guide is up.



Checked out the guide...thanks very much for this.

Got the CA cert installed & trusted. But User/Key cert doesn’t work, as IOS indicates it is unsigned and expired in 2002? Any assistance would be appreciated..

I setup the CA cert for a 20yr expiration, and that seems to be fine. It loaded into iOS and I was able to trust it. iOS shows it expires in 2028.

The Private Key loads, but shows not verified. When I look at it it says it expired in 2002, and is not signed. It shows in red in my iOS profiles.

I don’t know if I’m doing something wrong, or if perhaps it is a bug in the 03/19 latest Kong test build for R8000.

Firmware Version: DD-WRT v3.0-r35360M kongac (03/19/1Cool
Kernel Version: Linux 4.4.121 #540 SMP Mon Mar 19 19:23:07 CET 2018 armv7l

I’m open to any ideas...

Thanks!
Sponsor
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 4339
Location: Germany

PostPosted: Sat Mar 24, 2018 14:37    Post subject: Re: R8000 - 03/19 Kong Build - IPSec Issue... Reply with quote
Siggyceline wrote:
I had originally posted this over in the Atheros main thread, since that is where Kong left the notice about his Tips page and the new IPSec guide. Thought to maybe move the post over here, since it belongs in Broadcom thread.

Fundamental issue is I cannot seem to get a valid User/Key/Cert made...


<Kong> wrote:


By the way, anyone checked out:

http://tips.desipro.de/

IPSec guide is up.



Checked out the guide...thanks very much for this.

Got the CA cert installed & trusted. But User/Key cert doesn’t work, as IOS indicates it is unsigned and expired in 2002? Any assistance would be appreciated..

I setup the CA cert for a 20yr expiration, and that seems to be fine. It loaded into iOS and I was able to trust it. iOS shows it expires in 2028.

The Private Key loads, but shows not verified. When I look at it it says it expired in 2002, and is not signed. It shows in red in my iOS profiles.

I don’t know if I’m doing something wrong, or if perhaps it is a bug in the 03/19 latest Kong test build for R8000.

Firmware Version: DD-WRT v3.0-r35360M kongac (03/19/1Cool
Kernel Version: Linux 4.4.121 #540 SMP Mon Mar 19 19:23:07 CET 2018 armv7l

I’m open to any ideas...

Thanks!


Then your routers clock was not correct when you created the cert.
Before you create certs the routers must have the correct time.

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

PostPosted: Sat Mar 24, 2018 14:46    Post subject: Reply with quote
exactly what I was thinking as I read the OP.
Then your routers clock was not correct when you created the cert.
Before you create certs the routers must have the correct time.

_________________
Router currently owned:
Netgear R7800 - Router
Netgear R7000 - AP mode

R7000 specific Tips/Tricks.
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=264152
Siggyceline
DD-WRT User


Joined: 14 Jan 2018
Posts: 65

PostPosted: Sat Mar 24, 2018 16:27    Post subject: Reply with quote
slidermike wrote:
exactly what I was thinking as I read the OP.
Then your routers clock was not correct when you created the cert.
Before you create certs the routers must have the correct time.


Hi Guys,

Thanks, and appreciate the feedback and suggestion.

However, the clock is definitely set and reading the correct time for my time-zone (USA EDT currently).

"Current Time Sat, 24 Mar 2018 12:23:26 "

I'm using NTP @us.pool.ntp.org.

Also, I would wonder why the User/Key cert has this issue, but the CA certificate is correct? They were both created at the same time?

Siggy
slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

PostPosted: Sat Mar 24, 2018 16:37    Post subject: Reply with quote
Since you have verified the clock time is right, have you tried creating the cert again?
If it works this time then it would likely have been there was a clock/time stamp issue during the 1st creation.

_________________
Router currently owned:
Netgear R7800 - Router
Netgear R7000 - AP mode

R7000 specific Tips/Tricks.
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=264152
Siggyceline
DD-WRT User


Joined: 14 Jan 2018
Posts: 65

PostPosted: Sat Mar 24, 2018 20:00    Post subject: Reply with quote
slidermike wrote:
Since you have verified the clock time is right, have you tried creating the cert again?
If it works this time then it would likely have been there was a clock/time stamp issue during the 1st creation.


Thanks...no joy. I've created several times and downloaded to both an iPhone 6s Plus and iPad Pro. iOS shows the profile in red, saying it is not verified, and if I look at the cert details, iOS reports the certificate expired on Feb 11, 2002. (Also, when I first try to install the profile, iOS says it is not signed...it still lets me install, but after installing it shows in red and the details say expired Feb 11, 2002.)

I did a reboot, and the Freeradius user I created for the key generation disappeared. Created a new one, generated the cert, downloaded and installed on iOS...same thing as above.

I'm going to try downgrading to the Kong 02/19 release and see if there is any difference. Something is not right, but I'm not willing to give up that it is ME doing something wrong in trying to create the user/key cert. I've followed Kong's guide, but it is not very clear on if there is any "sequence" to creating the certs/user in the GUI. I'm wondering if there is particular sequence of "Save", "Apply Settings', "Generate" that I'm messing up. Also bothers me that the User I created went away after a reboot....
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 4339
Location: Germany

PostPosted: Sat Mar 24, 2018 20:56    Post subject: Reply with quote
Siggyceline wrote:
slidermike wrote:
Since you have verified the clock time is right, have you tried creating the cert again?
If it works this time then it would likely have been there was a clock/time stamp issue during the 1st creation.


Thanks...no joy. I've created several times and downloaded to both an iPhone 6s Plus and iPad Pro. iOS shows the profile in red, saying it is not verified, and if I look at the cert details, iOS reports the certificate expired on Feb 11, 2002. (Also, when I first try to install the profile, iOS says it is not signed...it still lets me install, but after installing it shows in red and the details say expired Feb 11, 2002.)

I did a reboot, and the Freeradius user I created for the key generation disappeared. Created a new one, generated the cert, downloaded and installed on iOS...same thing as above.

I'm going to try downgrading to the Kong 02/19 release and see if there is any difference. Something is not right, but I'm not willing to give up that it is ME doing something wrong in trying to create the user/key cert. I've followed Kong's guide, but it is not very clear on if there is any "sequence" to creating the certs/user in the GUI. I'm wondering if there is particular sequence of "Save", "Apply Settings', "Generate" that I'm messing up. Also bothers me that the User I created went away after a reboot....


Only if the Root CA is installed and trusted the user cert will be accepted. Make sure your delete the old certs or better /jffs/freeradius... they are not overwritten if they exist.

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
Dr_K
DD-WRT User


Joined: 23 Mar 2018
Posts: 442

PostPosted: Sat Mar 24, 2018 21:30    Post subject: Reply with quote
Just a thought...
Reminds me of when I made my first certs for OpenVPN
Because my time zone is before the standard, I had to wait a couple hours for them to become valid.
Don't really know if this is still the case because now I don't apply new certs till the next day out of habit

_________________
Location 1
R6300V2- DD-WRT v3.0-r39345M kongac (04-03-19) Gateway
WNDR3400v1 DD-WRT v3.0-r35531_mega-nv64k (03/26/18 ) Access Point
WRT160Nv3 DD-WRT ?v3?.0-r35531 mini (03/26/18 ) Access Point
WRT54GSv5 DD-WRT v24-r33555_micro_generic (10/20/17) Repeater
Location 2
R6300V2- DD-WRT v3.0-r39345M kongac (04/03/19) Gateway
R6300V2- DD-WRT v3.0-r39345M kongac (04/03/19) Access Point
WNDR3700v2 DD-WRT v3.0-r35531 std (03/26/18 ) Access Point
E1200 v2 DD-WRT v3.0-r35531 mega-nv64k (03/26/18 ) Gateway(for trivial reasons)
RBWAPG-5HACT2HND-BE RouterOS-v6.46.4 (2/21/20) Outdoor Access Point
2 devices: RBSXTG-5HPACD RouterOS-v6.46.4 (2/21/20) PTP Bridge (0.8km/0.5mi)tx/rx 866.6Mbps-1GbpsLAN
Location 3
R7000 DD-WRT v3.0-r44627 netgear-r7000 (10/22/20) Access Point
2 devices: RBWAPG-60AD RouterOS-v6.45.9 (04/30/20) PTP Bridge tx/rx 2.3Gbps-1GbpsLAN


Thank You BrainSlayer & <Kong> for ALL that you do & have done, also to "most" everyone here that shares their knowledge
Siggyceline
DD-WRT User


Joined: 14 Jan 2018
Posts: 65

PostPosted: Sat Mar 24, 2018 23:04    Post subject: Reply with quote
<Kong> wrote:
Siggyceline wrote:
slidermike wrote:
Since you have verified the clock time is right, have you tried creating the cert again?
If it works this time then it would likely have been there was a clock/time stamp issue during the 1st creation.


Thanks...no joy. I've created several times and downloaded to both an iPhone 6s Plus and iPad Pro. iOS shows the profile in red, saying it is not verified, and if I look at the cert details, iOS reports the certificate expired on Feb 11, 2002. (Also, when I first try to install the profile, iOS says it is not signed...it still lets me install, but after installing it shows in red and the details say expired Feb 11, 2002.)

I did a reboot, and the Freeradius user I created for the key generation disappeared. Created a new one, generated the cert, downloaded and installed on iOS...same thing as above.

I'm going to try downgrading to the Kong 02/19 release and see if there is any difference. Something is not right, but I'm not willing to give up that it is ME doing something wrong in trying to create the user/key cert. I've followed Kong's guide, but it is not very clear on if there is any "sequence" to creating the certs/user in the GUI. I'm wondering if there is particular sequence of "Save", "Apply Settings', "Generate" that I'm messing up. Also bothers me that the User I created went away after a reboot....


Only if the Root CA is installed and trusted the user cert will be accepted. Make sure your delete the old certs or better /jffs/freeradius... they are not overwritten if they exist.


Thanks Kong. I turned off Freeradius, cleaned jffs, turned off Jffs. Rebooted. Downgraded to 02/19 build. rebooted. Turned on jffs, cleaned jffs, turned off cleaning. rebooted. Turned on FreeRadius, remade CA root cert. That all worked. Created User, generated cert from User to get to the download pop-up. Downloaded the CA root to my iOS device. It was accepted and installed. Expiration is 2038 as expected. Went to General/About/certs on iOS and trusted the CA Root cert. All is good. Then I downloaded the Strongswan Private Key (per your tip/guide) and iOS will accept the download, but tells me the cert is not signed. iOS will install it though. iOS asks for password during installation, and I enter it, iOS installs. After installation, iOS cert details for the Strongswan Private Key show cert expired Feb 11, 2002. In the profiles page on iOS, the Private Key profile shows in Red font.

So it seems to me that R8000 is not signing the cert? I'm no cert guru and am learning here.... But like I say, I don't see any problem with the CA Root cert/profile. That seems to be installed and able to be trusted as expected and also shows it has a 20yr expiration as created on the R8000. It only seems to be with the Swanstrong Private Key (User) cert, which doesn't seem to be getting signed, and is showing expired on Feb 11, 2002.
nolimitz
DD-WRT Guru


Joined: 26 Nov 2010
Posts: 572

PostPosted: Sun Mar 25, 2018 7:40    Post subject: Reply with quote
Siggyceline wrote:
<Kong> wrote:
Siggyceline wrote:
slidermike wrote:
Since you have verified the clock time is right, have you tried creating the cert again?
If it works this time then it would likely have been there was a clock/time stamp issue during the 1st creation.


Thanks...no joy. I've created several times and downloaded to both an iPhone 6s Plus and iPad Pro. iOS shows the profile in red, saying it is not verified, and if I look at the cert details, iOS reports the certificate expired on Feb 11, 2002. (Also, when I first try to install the profile, iOS says it is not signed...it still lets me install, but after installing it shows in red and the details say expired Feb 11, 2002.)

I did a reboot, and the Freeradius user I created for the key generation disappeared. Created a new one, generated the cert, downloaded and installed on iOS...same thing as above.

I'm going to try downgrading to the Kong 02/19 release and see if there is any difference. Something is not right, but I'm not willing to give up that it is ME doing something wrong in trying to create the user/key cert. I've followed Kong's guide, but it is not very clear on if there is any "sequence" to creating the certs/user in the GUI. I'm wondering if there is particular sequence of "Save", "Apply Settings', "Generate" that I'm messing up. Also bothers me that the User I created went away after a reboot....


Only if the Root CA is installed and trusted the user cert will be accepted. Make sure your delete the old certs or better /jffs/freeradius... they are not overwritten if they exist.


Thanks Kong. I turned off Freeradius, cleaned jffs, turned off Jffs. Rebooted. Downgraded to 02/19 build. rebooted. Turned on jffs, cleaned jffs, turned off cleaning. rebooted. Turned on FreeRadius, remade CA root cert. That all worked. Created User, generated cert from User to get to the download pop-up. Downloaded the CA root to my iOS device. It was accepted and installed. Expiration is 2038 as expected. Went to General/About/certs on iOS and trusted the CA Root cert. All is good. Then I downloaded the Strongswan Private Key (per your tip/guide) and iOS will accept the download, but tells me the cert is not signed. iOS will install it though. iOS asks for password during installation, and I enter it, iOS installs. After installation, iOS cert details for the Strongswan Private Key show cert expired Feb 11, 2002. In the profiles page on iOS, the Private Key profile shows in Red font.

So it seems to me that R8000 is not signing the cert? I'm no cert guru and am learning here.... But like I say, I don't see any problem with the CA Root cert/profile. That seems to be installed and able to be trusted as expected and also shows it has a 20yr expiration as created on the R8000. It only seems to be with the Swanstrong Private Key (User) cert, which doesn't seem to be getting signed, and is showing expired on Feb 11, 2002.




I used build 35360 on R6300v2 setup as access point and i did the following like you, my client cert is also not signed but not expired:

Turned on FreeRadius,
Generated CA root cert.
Created User and generated cert from User to get to the download pop-up.
Downloaded the CA root to my iOS device. It was accepted and installed. Expiration is 2028. Went to General/About/certs on iOS and trusted the CA Root cert.

Then I downloaded the Strongswan Private Key and iOS will accept the download, but tells me the cert is not signed. iOS will install it though. iOS asks for password during installation, and I enter it, iOS installs. After installation, iOS cert details for the Strongswan Private Key expiry is same as CA Root cert (2028).

Now i cannot connect using my iOS, after turning vpn on, it spends sometime connecting then says not connected.

What ports do i need to open in my isp’s gateways firewall?
I have UDP port 500, 4500 and 1701 forwarded to my R6300v2, did i miss something?

My ISP fiber ONT has only two protocol options for port forwarding TCP and UDP, some articles online say IP Protocol 50 and 51 are used in IKEv2, what to do about that?
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 4339
Location: Germany

PostPosted: Sun Mar 25, 2018 8:37    Post subject: Reply with quote
nolimitz wrote:
Siggyceline wrote:
<Kong> wrote:
Siggyceline wrote:
slidermike wrote:
Since you have verified the clock time is right, have you tried creating the cert again?
If it works this time then it would likely have been there was a clock/time stamp issue during the 1st creation.


Thanks...no joy. I've created several times and downloaded to both an iPhone 6s Plus and iPad Pro. iOS shows the profile in red, saying it is not verified, and if I look at the cert details, iOS reports the certificate expired on Feb 11, 2002. (Also, when I first try to install the profile, iOS says it is not signed...it still lets me install, but after installing it shows in red and the details say expired Feb 11, 2002.)

I did a reboot, and the Freeradius user I created for the key generation disappeared. Created a new one, generated the cert, downloaded and installed on iOS...same thing as above.

I'm going to try downgrading to the Kong 02/19 release and see if there is any difference. Something is not right, but I'm not willing to give up that it is ME doing something wrong in trying to create the user/key cert. I've followed Kong's guide, but it is not very clear on if there is any "sequence" to creating the certs/user in the GUI. I'm wondering if there is particular sequence of "Save", "Apply Settings', "Generate" that I'm messing up. Also bothers me that the User I created went away after a reboot....


Only if the Root CA is installed and trusted the user cert will be accepted. Make sure your delete the old certs or better /jffs/freeradius... they are not overwritten if they exist.


Thanks Kong. I turned off Freeradius, cleaned jffs, turned off Jffs. Rebooted. Downgraded to 02/19 build. rebooted. Turned on jffs, cleaned jffs, turned off cleaning. rebooted. Turned on FreeRadius, remade CA root cert. That all worked. Created User, generated cert from User to get to the download pop-up. Downloaded the CA root to my iOS device. It was accepted and installed. Expiration is 2038 as expected. Went to General/About/certs on iOS and trusted the CA Root cert. All is good. Then I downloaded the Strongswan Private Key (per your tip/guide) and iOS will accept the download, but tells me the cert is not signed. iOS will install it though. iOS asks for password during installation, and I enter it, iOS installs. After installation, iOS cert details for the Strongswan Private Key show cert expired Feb 11, 2002. In the profiles page on iOS, the Private Key profile shows in Red font.

So it seems to me that R8000 is not signing the cert? I'm no cert guru and am learning here.... But like I say, I don't see any problem with the CA Root cert/profile. That seems to be installed and able to be trusted as expected and also shows it has a 20yr expiration as created on the R8000. It only seems to be with the Swanstrong Private Key (User) cert, which doesn't seem to be getting signed, and is showing expired on Feb 11, 2002.




I used build 35360 on R6300v2 setup as access point and i did the following like you, my client cert is also not signed but not expired:

Turned on FreeRadius,
Generated CA root cert.
Created User and generated cert from User to get to the download pop-up.
Downloaded the CA root to my iOS device. It was accepted and installed. Expiration is 2028. Went to General/About/certs on iOS and trusted the CA Root cert.

Then I downloaded the Strongswan Private Key and iOS will accept the download, but tells me the cert is not signed. iOS will install it though. iOS asks for password during installation, and I enter it, iOS installs. After installation, iOS cert details for the Strongswan Private Key expiry is same as CA Root cert (2028).

Now i cannot connect using my iOS, after turning vpn on, it spends sometime connecting then says not connected.

What ports do i need to open in my isp’s gateways firewall?
I have UDP port 500, 4500 and 1701 forwarded to my R6300v2, did i miss something?

My ISP fiber ONT has only two protocol options for port forwarding TCP and UDP, some articles online say IP Protocol 50 and 51 are used in IKEv2, what to do about that?



500 and 4500 should be forwarded, did you watch /var/log/messsages when connecting, strongswan outputs nice info that makes it easy to tell where the error lies.

But most likely the error comes from the fact, that something with your cert is not correct. Both must show up as valid, not sure if there is still a timestamp issue, with other region settings, did you check start date of the cert, might be a few hours off.

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 4339
Location: Germany

PostPosted: Sun Mar 25, 2018 8:50    Post subject: Reply with quote
<Kong> wrote:
nolimitz wrote:
Siggyceline wrote:
<Kong> wrote:
Siggyceline wrote:
slidermike wrote:
Since you have verified the clock time is right, have you tried creating the cert again?
If it works this time then it would likely have been there was a clock/time stamp issue during the 1st creation.


Thanks...no joy. I've created several times and downloaded to both an iPhone 6s Plus and iPad Pro. iOS shows the profile in red, saying it is not verified, and if I look at the cert details, iOS reports the certificate expired on Feb 11, 2002. (Also, when I first try to install the profile, iOS says it is not signed...it still lets me install, but after installing it shows in red and the details say expired Feb 11, 2002.)

I did a reboot, and the Freeradius user I created for the key generation disappeared. Created a new one, generated the cert, downloaded and installed on iOS...same thing as above.

I'm going to try downgrading to the Kong 02/19 release and see if there is any difference. Something is not right, but I'm not willing to give up that it is ME doing something wrong in trying to create the user/key cert. I've followed Kong's guide, but it is not very clear on if there is any "sequence" to creating the certs/user in the GUI. I'm wondering if there is particular sequence of "Save", "Apply Settings', "Generate" that I'm messing up. Also bothers me that the User I created went away after a reboot....


Only if the Root CA is installed and trusted the user cert will be accepted. Make sure your delete the old certs or better /jffs/freeradius... they are not overwritten if they exist.


Thanks Kong. I turned off Freeradius, cleaned jffs, turned off Jffs. Rebooted. Downgraded to 02/19 build. rebooted. Turned on jffs, cleaned jffs, turned off cleaning. rebooted. Turned on FreeRadius, remade CA root cert. That all worked. Created User, generated cert from User to get to the download pop-up. Downloaded the CA root to my iOS device. It was accepted and installed. Expiration is 2038 as expected. Went to General/About/certs on iOS and trusted the CA Root cert. All is good. Then I downloaded the Strongswan Private Key (per your tip/guide) and iOS will accept the download, but tells me the cert is not signed. iOS will install it though. iOS asks for password during installation, and I enter it, iOS installs. After installation, iOS cert details for the Strongswan Private Key show cert expired Feb 11, 2002. In the profiles page on iOS, the Private Key profile shows in Red font.

So it seems to me that R8000 is not signing the cert? I'm no cert guru and am learning here.... But like I say, I don't see any problem with the CA Root cert/profile. That seems to be installed and able to be trusted as expected and also shows it has a 20yr expiration as created on the R8000. It only seems to be with the Swanstrong Private Key (User) cert, which doesn't seem to be getting signed, and is showing expired on Feb 11, 2002.




I used build 35360 on R6300v2 setup as access point and i did the following like you, my client cert is also not signed but not expired:

Turned on FreeRadius,
Generated CA root cert.
Created User and generated cert from User to get to the download pop-up.
Downloaded the CA root to my iOS device. It was accepted and installed. Expiration is 2028. Went to General/About/certs on iOS and trusted the CA Root cert.

Then I downloaded the Strongswan Private Key and iOS will accept the download, but tells me the cert is not signed. iOS will install it though. iOS asks for password during installation, and I enter it, iOS installs. After installation, iOS cert details for the Strongswan Private Key expiry is same as CA Root cert (2028).

Now i cannot connect using my iOS, after turning vpn on, it spends sometime connecting then says not connected.

What ports do i need to open in my isp’s gateways firewall?
I have UDP port 500, 4500 and 1701 forwarded to my R6300v2, did i miss something?

My ISP fiber ONT has only two protocol options for port forwarding TCP and UDP, some articles online say IP Protocol 50 and 51 are used in IKEv2, what to do about that?



500 and 4500 should be forwarded, did you watch /var/log/messsages when connecting, strongswan outputs nice info that makes it easy to tell where the error lies.

But most likely the error comes from the fact, that something with your cert is not correct. Both must show up as valid, not sure if there is still a timestamp issue, with other region settings, did you check start date of the cert, might be a few hours off.


Do you have a screenshot of the client cert certificate details, it should tell start and end date, an name of issuer which matches the root ca that you installed before.

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
Siggyceline
DD-WRT User


Joined: 14 Jan 2018
Posts: 65

PostPosted: Sun Mar 25, 2018 13:16    Post subject: Reply with quote
Ok...decided to start over one more time.

1.) Deleted everything on Freeradius setup page in GUI
2.) Disabled Freeradius in GUI
3.) Cleaned JFFS
4.) Rebooted
5.) Login ssh cli
5.) From ssh, deleted Certs folder from /jffs/etc/freeradius
6.) From ssh, deleted freeradius folder from /jffs/etc/
7.) From ssh, deleted ipsec.d from /jffs/etc/
8.) From GUI, set time zone to GMT
9.) reboot
10) Login GUI, confirm Clock set to GMT time.
11.) Goto GUI jffs setup page. Disable, save.
12.) Confirm jffs not mounted.
13.) Reenable jffs w/clean.
14.) confirm jffs mounted
15.) disable jffs clean, save.
16) confirm jffs mounted...note space sizes. (All good).
17.) Goto GUI freeradius setup page
18.) Configure CA Root cert.
19.) Wait for CA Root cert created.
20.) Create User, save.
21.) Wait 10 hrs (sleeping)
22.) Download Strongswan Private Key PEM to IOS

23.) Same issue, as Strongswan Private key PEM is not signed and expired Feb 11, 2002.

24.) From Freeradius setup page, deleted User, save.
25.) Create new user with new/different values, save
26.) Push “gen” button from User settings...wait for pop up (about 10 sec)
27.) From popup, download new user Strongswan Private key PEM.
28.) Confimed new values per new user config

28.) Same issue...new Strongswan Private Key PEM is unsigned, expired.

This is all from 02/19 Kong build.

I’m kind of convinced there is some kind of time stamp bug/problem in the dd-wrt firmware signing the Strongswan Private key PEM... No matter what I do, the behavior is consistent with it being expired and not signed (according to iOS).

I have a learning curve here on Linux, so once I figure HOW to do what I WANT to do from CLI, I’ll go try that and report back.
Siggyceline
DD-WRT User


Joined: 14 Jan 2018
Posts: 65

PostPosted: Sun Mar 25, 2018 13:26    Post subject: Reply with quote
<Kong> wrote:
<Kong> wrote:
nolimitz wrote:
Siggyceline wrote:
<Kong> wrote:
Siggyceline wrote:
slidermike wrote:
Since you have verified the clock time is right, have you tried creating the cert again?
If it works this time then it would likely have been there was a clock/time stamp issue during the 1st creation.


Thanks...no joy. I've created several times and downloaded to both an iPhone 6s Plus and iPad Pro. iOS shows the profile in red, saying it is not verified, and if I look at the cert details, iOS reports the certificate expired on Feb 11, 2002. (Also, when I first try to install the profile, iOS says it is not signed...it still lets me install, but after installing it shows in red and the details say expired Feb 11, 2002.)

I did a reboot, and the Freeradius user I created for the key generation disappeared. Created a new one, generated the cert, downloaded and installed on iOS...same thing as above.

I'm going to try downgrading to the Kong 02/19 release and see if there is any difference. Something is not right, but I'm not willing to give up that it is ME doing something wrong in trying to create the user/key cert. I've followed Kong's guide, but it is not very clear on if there is any "sequence" to creating the certs/user in the GUI. I'm wondering if there is particular sequence of "Save", "Apply Settings', "Generate" that I'm messing up. Also bothers me that the User I created went away after a reboot....


Only if the Root CA is installed and trusted the user cert will be accepted. Make sure your delete the old certs or better /jffs/freeradius... they are not overwritten if they exist.


Thanks Kong. I turned off Freeradius, cleaned jffs, turned off Jffs. Rebooted. Downgraded to 02/19 build. rebooted. Turned on jffs, cleaned jffs, turned off cleaning. rebooted. Turned on FreeRadius, remade CA root cert. That all worked. Created User, generated cert from User to get to the download pop-up. Downloaded the CA root to my iOS device. It was accepted and installed. Expiration is 2038 as expected. Went to General/About/certs on iOS and trusted the CA Root cert. All is good. Then I downloaded the Strongswan Private Key (per your tip/guide) and iOS will accept the download, but tells me the cert is not signed. iOS will install it though. iOS asks for password during installation, and I enter it, iOS installs. After installation, iOS cert details for the Strongswan Private Key show cert expired Feb 11, 2002. In the profiles page on iOS, the Private Key profile shows in Red font.

So it seems to me that R8000 is not signing the cert? I'm no cert guru and am learning here.... But like I say, I don't see any problem with the CA Root cert/profile. That seems to be installed and able to be trusted as expected and also shows it has a 20yr expiration as created on the R8000. It only seems to be with the Swanstrong Private Key (User) cert, which doesn't seem to be getting signed, and is showing expired on Feb 11, 2002.




I used build 35360 on R6300v2 setup as access point and i did the following like you, my client cert is also not signed but not expired:

Turned on FreeRadius,
Generated CA root cert.
Created User and generated cert from User to get to the download pop-up.
Downloaded the CA root to my iOS device. It was accepted and installed. Expiration is 2028. Went to General/About/certs on iOS and trusted the CA Root cert.

Then I downloaded the Strongswan Private Key and iOS will accept the download, but tells me the cert is not signed. iOS will install it though. iOS asks for password during installation, and I enter it, iOS installs. After installation, iOS cert details for the Strongswan Private Key expiry is same as CA Root cert (2028).

Now i cannot connect using my iOS, after turning vpn on, it spends sometime connecting then says not connected.

What ports do i need to open in my isp’s gateways firewall?
I have UDP port 500, 4500 and 1701 forwarded to my R6300v2, did i miss something?

My ISP fiber ONT has only two protocol options for port forwarding TCP and UDP, some articles online say IP Protocol 50 and 51 are used in IKEv2, what to do about that?



500 and 4500 should be forwarded, did you watch /var/log/messsages when connecting, strongswan outputs nice info that makes it easy to tell where the error lies.

But most likely the error comes from the fact, that something with your cert is not correct. Both must show up as valid, not sure if there is still a timestamp issue, with other region settings, did you check start date of the cert, might be a few hours off.


Do you have a screenshot of the client cert certificate details, it should tell start and end date, an name of issuer which matches the root ca that you installed before.


On mine, for Strongswan Private Key PEM, name of issuer matches CA Root. Start date is correct, but end date shows Feb 11, 2002. I.e., “Not valid before” is correct and within current time. “Not valid After” is Feb 11, 2002.

I seem to remember a similar signing issue my Software engineer at the time mentioned to me about the private key end date being expired...this was on a different, non-dd-wrt project. He fixed it, but I can’t remember more details at the moment....hopefully it will filter up from the recesses of my brain. I do remember he was proud that he caught the bug prior to release. I was Product Manager at the time, and so the conversation was just part of general progress briefing...
nolimitz
DD-WRT Guru


Joined: 26 Nov 2010
Posts: 572

PostPosted: Sun Mar 25, 2018 13:52    Post subject: Reply with quote
<Kong> wrote:

Do you have a screenshot of the client cert certificate details, it should tell start and end date, an name of issuer which matches the root ca that you installed before.


thanks for the reply <Kong>,

screenshot attached, date and time look fine on mine.



attach2.jpg
 Description:
 Filesize:  31.55 KB
 Viewed:  3537 Time(s)

attach2.jpg


Goto page 1, 2, 3, 4  Next Display posts from previous:    Page 1 of 4
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum