<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>Hi all,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Currently working on a project that requires a site to site VPN using. We have chosen to authentication using Digital Certificates (rsasig on cisco).<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Please see below for an outline of the cisco configuration:<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>crypto pki trustpoint ipsecvpn<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> enrollment terminal<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> fqdn gw.test.com<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> subject-name CN=gw.test.com,OU=TestOU,O=TestCompany,C=UK<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> revocation-check none<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> rsakeypair testrsapair<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>crypto pki certificate chain testrsapair<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>certificate 0A<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>certificate hash here ###<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>certificate ca 00E36E3DF10610AFEF<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>certitifcate hash here ###<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>crypto isakmp policy 10<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> encr aes 256<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> group 5<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> lifetime 3600<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>crypto ipsec transform-set IPSEC1 esp-aes 256 esp-sha-hmac<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> mode tunnel<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>crypto map test1 10 ipsec-isakmp<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> set peer 10.67.0.2<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> set transform-set IPSEC1<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> match address VPNTRAF1<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>interface GigabitEthernet0/0<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> ip address 10.67.0.1 255.255.255.0<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> duplex auto<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> speed auto<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> crypto map test1<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>I used the enrol terminal to generate a CSR and sign it and subsequently imported it back into the router. I believe this site of things is setup correctly.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>IPsec config is as follows:<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>conn tunnelipsec<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> authby= rsasig<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> auto= start<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> type= tunnel <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>#<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> left= 10.67.0.2 <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> leftid= "C=UK, O=testo2, OU=ou2, CN=gw.test1.org.uk"<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> leftsubnets= 10.123.34.8/29,10.123.32.40/29,10.123.32.64/28<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> leftcert= gw.test1.org.uk <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> leftrsasigkey= %cert<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> leftca= "/etc/ipsec.d/cacerts/masterca.pem"<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>#<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> right= 10.67.0.1<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> rightid= " OU=TestOU, O=TestCompany, C=UK, CN= gw.test.com "<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> rightsubnet= 192.168.12.0/24<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> rightca= "/etc/ipsec.d/cacerts/masterca.pem"<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> keyexchange= ike<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> ike= aes256-sha1;modp1536!<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> #sha2_truncbug= yes<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> phase2= esp<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> phase2alg= aes256-sha1!<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>This configuration worked on Pre-Shared Keys however does not work when you introduce the certificate based authentication OpenSWAN does authenticate with the router but the router fails to find the correct certificates to return. The router logs output looks like this:<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Dec 5 11:24:47.819: ISAKMP (1044): received packet from 10.67.0.2 dport 500 sport 500 Global (R) MM_KEY_EXCH<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.819: ISAKMP:(1044):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.819: ISAKMP:(1044):Old State = IKE_R_MM4 New State = IKE_R_MM5 <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.819: ISAKMP:(1044): processing ID payload. message ID = 0<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.819: ISAKMP (1044): ID payload <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> next-payload : 6<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> type : 2 <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> FQDN name : gw.test1.org.uk<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> protocol : 0 <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> port : 0 <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> length : 23<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.819: ISAKMP:(0):: peer matches *none* of the profiles<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.819: ISAKMP:(1044): processing CERT payload. message ID = 0<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.819: ISAKMP:(1044): processing a CT_X509_SIGNATURE cert<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.819: ISAKMP:(1044): IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer 10.67.0.2 )<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.819: ISAKMP:(1044): PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer 10.67.0.2 )<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.819: ISAKMP:(1044): IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer 10.67.0.2 )<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.823: ISAKMP:(1044): PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer 10.67.0.2 )<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.823: ISAKMP:(1044): peer's pubkey isn't cached<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.823: ISAKMP:(0):: peer matches *none* of the profiles<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.823: ISAKMP:(1044): IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer 10.67.0.2 )<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.831: ISAKMP:(1044): PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer 10.67.0.2 )<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.831: ISAKMP:(1044): processing CERT_REQ payload. message ID = 0<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.831: ISAKMP:(1044): peer wants a CT_X509_SIGNATURE cert<o:p></o:p></span></p><p class=MsoNormal><b><span style='color:red'>*Dec 5 11:24:47.831: ISAKMP:(1044): issuer not specified in cert request<o:p></o:p></span></b></p><p class=MsoNormal><b><span style='color:red'>*Dec 5 11:24:47.831: ISAKMP:(1044): No issuer name in cert request.<o:p></o:p></span></b></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.831: ISAKMP:(1044): processing SIG payload. message ID = 0<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP:(1044):SA authentication status:<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> authenticated<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>The router then goes on to get its owner certificate at which point it fails:<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP:(1044):SA has been authenticated with 10.67.0.2 <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP:(1044):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP:(1044):Old State = IKE_R_MM5 New State = IKE_R_MM5 <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP:(1044): IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer 10.67.0.2 )<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP:(1044): PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer 10.67.0.2 )<o:p></o:p></span></p><p class=MsoNormal><b><span style='color:red'>*Dec 5 11:24:47.839: ISAKMP:(1044):Unable to get router cert or routerdoes not have a cert: needed to find DN!<o:p></o:p></span></b></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP:(1044):SA is doing RSA signature authentication using id type ID_IPV4_ADDR<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP (1044): ID payload <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> next-payload : 6<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> type : 1 <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> address : 10.67.0.1<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> protocol : 17 <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> port : 500 <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> length : 12<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP:(1044):Total payload length: 12<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP (1044): no cert chain to send to peer<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP (1044): peer did not specify issuer and no suitable profile found<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP (1044): FSM action returned error: 2<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP:(1044):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP:(1044):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:57.831: ISAKMP (1044): received packet from 10.67.0.2 dport 500 sport 500 Global (R) MM_KEY_EXCH<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:57.831: ISAKMP:(1044): phase 1 packet is a duplicate of a previous packet.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:57.831: ISAKMP:(1044): retransmitting due to retransmit phase 1<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:57.831: ISAKMP:(1044): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:25:02.703: ISAKMP:(1041):purging node 1858511306<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:25:02.703: ISAKMP:(1041):purging node -560727786<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:25:02.703: ISAKMP:(1041):purging node 464479444<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:25:02.707: ISAKMP: set new node 0 to QM_IDLE <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Does anyone know if there a way to force the Cisco to map the correct certificate or better if there is a way to tell OpenSWAN include the issuer in the request. I can confirm that the X509 certificates have both been signed by the same CA and therefore have issuer information within them.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Thanks<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Joe.<o:p></o:p></span></p></div></body></html>