MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Wrong key size for private key in Azure P2S VPN Linux guide #50248

Closed CeciAc closed 1 year ago

CeciAc commented 4 years ago

@raidlman commented on Mon Mar 16 2020

According to https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about#certsettings client certificates should be generated with 4096 bits key length.

Issue

Both guides on https://docs.microsoft.com/de-de/azure/vpn-gateway/vpn-gateway-certificates-point-to-site-linux and https://docs.microsoft.com/de-de/azure/vpn-gateway/point-to-site-vpn-client-configuration-azure-cert#generate-certificates do not explicitly define the key length when generating the certificate.

The ipsec tool on Ubuntu 18.04 generates certificates with the default key length 2048:

# ipsec pki --gen --help
strongSwan 5.6.2 PKI tool
usage:
  pki --gen [--type rsa|ecdsa|ed25519|bliss] [--size bits] [--safe-primes]
            [--shares n] [--threshold l] [--outform der|pem]
        --help            (-h)  show usage information
        --type            (-t)  type of key, default: rsa
        --size            (-s)  keylength in bits, default: rsa 2048, ecdsa 384, bliss 1
        --safe-primes     (-p)  generate rsa safe primes
        --shares          (-n)  number of private rsa key shares
        --threshold       (-l)  minimum number of participating rsa key shares
        --outform         (-f)  encoding of generated private key, default: der
        --debug           (-v)  set debug level, default: 1
        --options         (-+)  read command line options from file

Result

Strongswan fails with

...
parsed IKE_AUTH response 8 [ EAP/REQ/TLS ]
received fatal TLS alert 'access denied'
EAP_TLS method failed
generating INFORMATIONAL request 9 [ N(AUTH_FAILED) ]
...

when doing an ipsec up azure.

Solution

Change documentation to

ipsec pki --gen --size 4096 --outform pem > caKey.pem

You can also refer to this excellent guide to improve your documentation http://wiki.ciscolinux.co.uk/index.php?title=Azure/Point-to-Site_VPN.


@srvbpigh commented on Mon Mar 16 2020

Hello, @raidlman

Thank you for your feedback.

We are actively reviewing your comments and will get back to you soon.

Kind regards, Microsoft DOCS International Team


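As an added example (not code from the issue, strongSwan, or the Azure docs), this Go program stands in for the `ipsec pki --gen` step and adds the pre-flight check the thread is missing: it writes an RSA key in the same PKCS#1 "RSA PRIVATE KEY" PEM container strongSwan emits with `--outform pem`, and rejects any key below 4096 bits before it is used to build the CA or client certificate. The 4096-bit threshold is the one the linked Azure guidance states; the function and constant names are my own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// MinP2SKeyBits is the RSA key length the Azure P2S certificate guidance calls for.
const MinP2SKeyBits = 4096

// GenerateKeyPEM creates an RSA key of the requested size and returns it as PKCS#1 PEM,
// the same "RSA PRIVATE KEY" container that `ipsec pki --gen --outform pem` produces.
func GenerateKeyPEM(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}), nil
}

// KeyBits parses a PKCS#1 PEM private key and returns the modulus size in bits.
func KeyBits(pemBytes []byte) (int, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return 0, errors.New("no PEM block found")
	}
	if block.Type != "RSA PRIVATE KEY" {
		// The thread reports only RSA client keys connecting, so anything else is flagged.
		return 0, fmt.Errorf("unsupported PEM type %q; expected an RSA private key", block.Type)
	}
	key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		return 0, err
	}
	return key.N.BitLen(), nil
}

// CheckP2SKey returns nil when the key meets the 4096-bit requirement, otherwise an error
// naming the actual size, so a 2048-bit default is caught before the gateway rejects it.
func CheckP2SKey(pemBytes []byte) error {
	bits, err := KeyBits(pemBytes)
	if err != nil {
		return err
	}
	if bits < MinP2SKeyBits {
		return fmt.Errorf("key is %d bits; Azure P2S client certificates need %d", bits, MinP2SKeyBits)
	}
	return nil
}
```

Run the same check over an existing caKey.pem or clientKey.pem by passing its contents to CheckP2SKey before generating certificates from it.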

femsulu commented 4 years ago

Thanks for your comment. We are actively investigating and will get back to you shortly. Thanks for your patience.

TravisCragg-MSFT commented 4 years ago

@CeciAc Thanks for the feedback! I have assigned the issue to the content author to evaluate and update as appropriate.

doug-fitzmaurice-rowden commented 3 years ago

I've run into a similar error message when trying to connect with ECDSA / ECDH key types. Is it a requirement of the gateway that RSA keys are used?

It would be helpful to have a list of the acceptable, valid key types and lengths.

ahamedm commented 3 years ago

I've tried two root CAs, ECDSA 256 bits and RSA 4096 bits. In both cases, only a client private key with a 4096-bit RSA key works.

ipsec --version
Linux strongSwan U5.8.2/K5.8.0-49-generic University of Applied Sciences Rapperswil, Switzerland

uname -a
Linux dlab101 5.8.0-49-generic #55~20.04.1-Ubuntu SMP Fri Mar 26 01:01:07 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

mfaerevaag commented 1 year ago

Unfortunately, it's still not working for me using the referenced documentation: http://wiki.ciscolinux.co.uk/index.php?title=Azure/Point-to-Site_VPN

I see similar issues referencing the same issue, like this one https://github.com/MicrosoftDocs/azure-docs/issues/39270.

soaand01 commented 1 year ago

Hi @mfaerevaag, did you manage to make it work? Not working here either.

mfaerevaag commented 1 year ago

Nope! Seems like this is not an area of priority for Azure. Therefore I had to go with another VPN provider, as reliability on Linux clients was a requirement for me.

soaand01 commented 1 year ago

@mfaerevaag Yes, I noticed the same, unfortunately.

asudbring commented 1 year ago

Thank you for your dedication to our documentation.

Unfortunately, we have been unable to review this issue in a timely manner. We sincerely apologize for the delayed response. We are closing this issue. If you feel that the problem persists, please respond to this issue with additional information.

Please continue to provide feedback about the documentation. We appreciate your contributions to our community.

please-close