<div dir="ltr"><div class="gmail_quote"><div dir="ltr"><p class="MsoNormal"><span lang="EN-US">Hi
everybody. Hello again.</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US">Following my last cry for help, here am I again with some IPsec problems.</span></p><p class="MsoNormal">
<span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US">After managing to get IPsec running using secrets, I'm now trying (without success) to accomplish the same but now using X.509 certificates.</span></p>
<p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal">Just for remembering, I’m running
two virtual machines with CentOS that simulates the network depicted in the
bellow picture.</p><p class="MsoNormal"><span lang="EN-US"><img src="cid:ii_14260a4a0eff4c49" alt="Inline image 1"><br></span></p><p class="MsoNormal"><span lang="EN-US"><span style="margin-left:101px;margin-top:878px;width:595px;min-height:329px"></span></span></p>
<p class="MsoNormal"><span lang="EN-US"><span style="margin-left:101px;margin-top:878px;width:595px;min-height:329px"></span></span></p><p class="MsoNormal"><br></p>
<p class="MsoNormal"><span lang="EN-US">I want to
create an IPsec tunnel between machine A and machine B. The keys should be negotiated
using IKE and the tunnel should enable total connectivity between the two
machines. My goal is to achieve this using x.509 certificates.</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US">My machine A will act as a gateway and as an Certificate Authority.</span></p>
<p class="MsoNormal"><br></p><p class="MsoNormal">The first step, was to create my CA and two certificates. One for machine A and one for machine B. So, on machine A I've run this commands:</p><p class="MsoNormal"> 1) Create the CA:</p>
</div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div class="gmail_quote"><div><p class="MsoNormal"><font size="1" face="courier new, monospace">openssl genrsa -des3 -out cakey.key 1024</font></p>
</div></div><div class="gmail_quote"><div><p class="MsoNormal"><font size="1" face="courier new, monospace">openssl req -new -key cakey.key -out cacsr.csr</font></p></div></div><div class="gmail_quote"><div><p class="MsoNormal">
<font size="1" face="courier new, monospace">openssl x509 -req -days 365 -in cacsr.csr -out cacert.crt -signkey cakey.key </font></p></div></div></blockquote><div class="gmail_quote"><div dir="ltr"><p class="MsoNormal"><br>
</p><p class="MsoNormal">2) For each machine, create a certificate signed using the CA created above:</p><p class="MsoNormal"><br></p></div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div class="gmail_quote">
<div><p class="MsoNormal"><font size="1" face="courier new, monospace">openssl genrsa -des3 -out gwonekey.key 1024</font></p></div></div><div class="gmail_quote"><div><p class="MsoNormal"><font size="1" face="courier new, monospace">openssl req -new -key </font><span style="font-family:'courier new',monospace;font-size:x-small">gwonekey</span><font size="1" face="courier new, monospace">.key -out gwonecsr.csr</font></p>
</div></div><div class="gmail_quote"><div><p class="MsoNormal"><font size="1" face="courier new, monospace">openssl ca -in </font><span style="font-family:'courier new',monospace;font-size:x-small">gwonecsr</span><font size="1" face="courier new, monospace">.csr -cert cacert.crt -keyfile cakey.key -out </font><span style="font-family:'courier new',monospace;font-size:x-small">gwonecert</span><font size="1" face="courier new, monospace">.crt</font></p>
</div></div><div class="gmail_quote"><div><p class="MsoNormal"><font size="1" face="courier new, monospace"><br></font></p></div></div><div class="gmail_quote"><div><p class="MsoNormal"><font size="1" face="courier new, monospace">openssl genrsa -des3 -out gwtwokey.key 1024</font></p>
</div></div><div class="gmail_quote"><div><p class="MsoNormal"><font size="1" face="courier new, monospace">openssl req -new -key </font><span style="font-family:'courier new',monospace;font-size:x-small">gwtwokey</span><font size="1" face="courier new, monospace">.key -out </font><span style="font-family:'courier new',monospace;font-size:x-small">gwtwocsr</span><font size="1" face="courier new, monospace">.csr</font></p>
</div></div><div class="gmail_quote"><div><p class="MsoNormal"><font size="1" face="courier new, monospace">openssl ca -in </font><span style="font-family:'courier new',monospace;font-size:x-small">gwtwocsr</span><font size="1" face="courier new, monospace">.csr -cert cacert.crt -keyfile cakey.key -out gwtwocert.crt</font></p>
</div></div></blockquote><div class="gmail_quote"><div dir="ltr"><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US">3) I've also created a Certification Revocation list:</span></p>
</div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div class="gmail_quote"><div><p class="MsoNormal"><span lang="EN-US"><font face="courier new, monospace" size="1">echo 01 > /etc/pki/CA/crlnumber</font></span></p>
</div></div><div class="gmail_quote"><div><p class="MsoNormal"><span lang="EN-US"><font face="courier new, monospace" size="1">openssl ca -gencrl -keyfile cakey.key -cert cacert.crt -out crl.pem</font></span></p></div></div>
</blockquote><div class="gmail_quote"><div dir="ltr"><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US">On machine A I've done this:</span></p></div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">mkdir /etc/ipsec.d/private</font></p></div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">mkdir /etc/ipsec.d/certs</font></p>
</div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">mkdir /etc/ipsec.d/cacerts</font></p></div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">mkdir /etc/ipsec.d/crls</font></p>
</div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">cp gwonekey.key /etc/ipsec.d/private</font></p></div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">cp gwonecert.crt /etc/ipsec.d/certs</font></p>
</div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">cp cacert.crt /etc/ipsec.d/cacerts</font></p></div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">cp crl.pem /etc/ipsec.d/crls</font></p>
</div></div></blockquote><div class="gmail_quote"><div dir="ltr"><p class="MsoNormal"><font face="courier new, monospace" size="1"><span lang="EN-US"></span></font></p><p class="MsoNormal"><br></p><p class="MsoNormal">And on Machine B after copying the files:</p>
</div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div class="gmail_quote"><div><p class="MsoNormal"><font size="1" face="courier new, monospace">mkdir /etc/ipsec.d/private</font></p></div></div>
<div class="gmail_quote"><div><p class="MsoNormal"><font size="1" face="courier new, monospace">mkdir /etc/ipsec.d/certs</font></p></div></div><div class="gmail_quote"><div><p class="MsoNormal"><font size="1" face="courier new, monospace">mkdir /etc/ipsec.d/cacerts</font></p>
</div></div><div class="gmail_quote"><div><p class="MsoNormal"><font size="1" face="courier new, monospace">mkdir /etc/ipsec.d/crls</font></p></div></div><div class="gmail_quote"><div><p class="MsoNormal"><font size="1" face="courier new, monospace">cp gwtwokey.key /etc/ipsec.d/private</font></p>
<p class="MsoNormal"><span style="font-family:'courier new',monospace;font-size:x-small">cp gwonecert.crt /etc/ipsec.d/certs</span><font size="1" face="courier new, monospace"><br></font></p></div></div><div class="gmail_quote">
<div><p class="MsoNormal"><font size="1" face="courier new, monospace">cp gwtwocert.crt /etc/ipsec.d/certs</font></p></div></div><div class="gmail_quote"><div><p class="MsoNormal"><font size="1" face="courier new, monospace">cp cacert.crt /etc/ipsec.d/cacerts</font></p>
</div></div></blockquote><div class="gmail_quote"><div dir="ltr"><p class="MsoNormal"><span lang="EN-US"></span></p><p class="MsoNormal"><br></p><p class="MsoNormal"><span lang="EN-US">I've then edited the <b>ipsec.secrets</b> file on both machines:</span></p>
<p class="MsoNormal"><span lang="EN-US">Machine A:</span></p></div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">%any %any : PSK "test"</font></p>
</div></div><div class="gmail_quote"><div><p class="MsoNormal"><font face="courier new, monospace" size="1">: RSA gwonecert.crt "test"</font></p></div></div></blockquote><div class="gmail_quote"><div dir="ltr"><p class="MsoNormal">
<font face="courier new, monospace" size="1"><span lang="EN-US"></span></font></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US">Machine B:</span></p></div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div class="gmail_quote"><div><p class="MsoNormal"><font size="1" face="courier new, monospace">%any %any : PSK "test"</font></p></div></div><div class="gmail_quote"><div><p class="MsoNormal"><font size="1" face="courier new, monospace">: RSA gwonecert.crt "test"</font></p>
<p class="MsoNormal"><span style="font-family:'courier new',monospace;font-size:x-small">: RSA gwtwocert.crt "test"</span><font size="1" face="courier new, monospace"><br></font></p></div></div></blockquote>
<div class="gmail_quote"><div dir="ltr"><p class="MsoNormal"><font size="1"><span lang="EN-US"></span></font></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US">The last step was to edit the <b>ipsec.conf</b> on those machines:</span></p>
<p class="MsoNormal"><span lang="EN-US">Machine A:</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black">config setup</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> protostack=netkey</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> dumpdir=/var/run/pluto/</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> nat_traversal=yes</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> virtual_private=%v4:<a href="http://0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24">0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24</a></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> </span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black">#conn gw-to-gw</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"># authby=secret</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"># left=192.168.1.1</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"># leftsubnet=<a href="http://10.1.1.0/24">10.1.1.0/24</a></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"># right=192.168.1.2</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"># rightsubnet=<a href="http://10.1.2.0/24">10.1.2.0/24</a></span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"># auto=start</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"># type=tunnel</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> </span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black">conn cert</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> authby=rsasig</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> leftrsasigkey=%cert</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> leftcert=gwonecert.crt</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> left=192.168.1.1</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> leftsubnet=<a href="http://10.1.1.0/24">10.1.1.0/24</a></span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> right=192.168.1.2</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> rightsubnet=<a href="http://10.1.2.0/24">10.1.2.0/24</a></span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> auto=start</span></p><p class="MsoNormal"><span lang="EN-US">
</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> type=tunnel</span></p><p class="MsoNormal"><span lang="EN-US"><br>
</span></p><p class="MsoNormal">Machine B:<br></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black">config setup</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> protostack=netkey</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> dumpdir=/var/run/pluto/</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> nat_traversal=yes</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> virtual_private=%v4:<a href="http://0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24">0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24</a></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> </span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black">#conn gw-to-gw</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"># authby=secret</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"># left=192.168.1.1</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"># leftsubnet=<a href="http://10.1.1.0/24">10.1.1.0/24</a></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"># right=192.168.1.2</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"># rightsubnet=<a href="http://10.1.2.0/24">10.1.2.0/24</a></span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"># auto=start</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"># type=tunnel</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> </span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black">conn cert</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> authby=rsasig</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> leftrsasigkey=%cert</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> rightrsasigkey=%cert</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> leftcert=gwtwocert.crt</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> rightcert=gwonecert.crt</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> left=192.168.1.2</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> leftsubnet=<a href="http://10.1.2.0/24">10.1.2.0/24</a></span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> right=192.168.1.1</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> rightsubnet=<a href="http://10.1.1.0/24">10.1.1.0/24</a></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> auto=start</span></p><p class="MsoNormal"><span lang="EN-US">
</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> type=tunnel</span></p><p class="MsoNormal"><span lang="EN-US"><br>
</span></p><p class="MsoNormal"><span lang="EN-US">I've restarted ipsec on both machines using <b>service ipsec restart</b> but now, after doing <b>ipsec auto --up</b> <b>cert </b>nothing happens. In terminal I have to hit ctrl C.</span></p>
<p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US">Once again, can someone tell me what I am doing wrong?</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal">
<span lang="EN-US">Many thanks,</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US">Kent Davies</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal">
<span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><br></p><p class="MsoNormal"><span lang="EN-US"> </span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p>
<p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br>
</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br>
</span></p>
<p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p>
<p class="MsoNormal">
<span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal">
<span lang="EN-US"><br>
</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br>
</span></p>
<p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p></div>
</div><br></div>