[Openswan Users] testing very simple openswan architecture

david ngc1976.m42 at caramail.com
Tue May 3 16:54:44 CEST 2005


Hi all,

I would like to test a very simple openswan architecture: hostA=============hostB
using openswan and certificates on hostA and hostB.

I read the strongsec/freeswan documentation and the how-to from Nate Carlson, but I think I do not understand how to configure the ipsec.conf files for the two hosts.

HostA and hostB are directly linked.

--------------------HostA certificate files----------------------
/etc/openswan/ipsec.d/private/user01des.key
/etc/openswan/ipsec.d/certs/user01des.crt
/etc/openswan/ipsec.d/cacerts/ca.crt

-----------------------------end-----------------------------------

--------------------HostB certificate files----------------------
/etc/openswan/ipsec.d/private/user02des.key
/etc/openswan/ipsec.d/certs/user02des.crt
/etc/openswan/ipsec.d/cacerts/ca.crt

-----------------------------end-----------------------------------

user01des.crt and user02des.crt are signed by the ca.crt.
For all the keys, the length is 1024 with DES3.


-------------------host A ipsec.conf file------------------------
config setup
        klipsdebug=none
        plutodebug=all

# Add connections here
conn %default
        keyingtries=0
        authby=rsasig

# sample VPN connection
conn testvpnda
        left=195.212.109.202
        leftcert=user01des.crt
        right=195.212.109.203
        rightrsasigkey=%cert
        auto=add

------------------------------end-------------------------------------

I put the same configuration on hostA and hostB.

I know that this configuration is not good, because it does not work.


----------------terminal (same message for hostA and hostB...)--------------

[root at dhcp203 openswan]# ipsec auto --up testvpnda
104 "testvpnda" #1: STATE_MAIN_I1: initiate
106 "testvpnda" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "testvpnda" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "testvpnda" #1: ignoring informational payload, type INVALID_ID_INFORMATION
003 "testvpnda" #1: received and ignored informational message
003 "testvpnda" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "testvpnda" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
-----------------------------end----------------------------

----------------------log file on hostB------------------------------

localhost pluto[23706]: | certificate for "C=fr, ST=ile-de-france, L=paris, O=toto, CN=user01des, E=user01des at caramail.com" is valid
localhost pluto[23706]: | issuer cacert "C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024" found
localhost pluto[23706]: | signature algorithm: 'sha-1WithRSAEncryption'
localhost pluto[23706]: |   digest:  6b 4e 46 49  de 50 5b 01  48 3d 12 0f  10 3e 9d 2b 
localhost pluto[23706]: |   f4 b3 d2 87 
localhost pluto[23706]: |   decrypted signature: 
localhost pluto[23706]: |   00 00 01 ff  ff ff ff ff  ff ff ff ff  ff ff ff ff 
localhost pluto[23706]: |   ff ff ff ff  ff ff ff ff  ff ff ff ff  ff ff ff ff 
localhost last message repeated 3 times 
localhost pluto[23706]: |   ff ff ff ff  ff ff ff ff  ff ff ff ff  ff 00 30 21 
localhost pluto[23706]: |   30 09 06 05  2b 0e 03 02  1a 05 00 04  14 6b 4e 46 
localhost pluto[23706]: |   49 de 50 5b  01 48 3d 12  0f 10 3e 9d  2b f4 b3 d2 
localhost pluto[23706]: |   87 
localhost pluto[23706]: | certificate signature (C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024 -> C=fr, ST=ile-de-france, L=paris, O=toto, CN=user01des, E=user01des at caramail.com) is valid
localhost pluto[23706]: "testvpnda" #15: no crl from issuer "C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024" found (strict=no) 
localhost pluto[23706]: | subject: 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024' 
localhost pluto[23706]: | issuer:  'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024' 
localhost pluto[23706]: |   not before  : May 03 11:11:24 UTC 2005 
localhost pluto[23706]: |   current time: May 03 12:03:26 UTC 2005 
localhost pluto[23706]: |   not after   : May 03 11:11:24 UTC 2025 
localhost pluto[23706]: | certificate for "C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024" is valid 
localhost pluto[23706]: | issuer cacert "C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024" found 
localhost pluto[23706]: | signature algorithm: 'sha-1WithRSAEncryption' 
localhost pluto[23706]: |   digest:  11 02 8a 52  2f 9c 7f 3b  65 19 e6 fc  1e fd da 96 
localhost pluto[23706]: |   56 4f f2 3f 
localhost pluto[23706]: |   decrypted signature: 
localhost pluto[23706]: |   00 00 01 ff  ff ff ff ff  ff ff ff ff  ff ff ff ff 
localhost pluto[23706]: |   ff ff ff ff  ff ff ff ff  ff ff ff ff  ff ff ff ff 
localhost last message repeated 3 times 
localhost pluto[23706]: |   ff ff ff ff  ff ff ff ff  ff ff ff ff  ff 00 30 21 
localhost pluto[23706]: |   30 09 06 05  2b 0e 03 02  1a 05 00 04  14 11 02 8a 
localhost pluto[23706]: |   52 2f 9c 7f  3b 65 19 e6  fc 1e fd da  96 56 4f f2 
localhost pluto[23706]: |   3f 
localhost pluto[23706]: | certificate signature (C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024 -> C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024) is valid 
localhost pluto[23706]: | reached self-signed root ca 
localhost pluto[23706]: | Public key validated 
localhost pluto[23706]: | unreference key: 0x80e83b0 C=fr, ST=ile-de-france, L=paris, O=toto, CN=user01des, E=user01des at caramail.com cnt 1-- 
localhost pluto[23706]: | unreference key: 0x80e8230 user01des at caramail.com cnt 1-- 
localhost pluto[23706]: | CR 
localhost pluto[23706]: | requested CA: '%any' 
localhost pluto[23706]: | refine_connection: starting with testvpnda 
localhost pluto[23706]: |    match_id a=C=fr, ST=ile-de-france, L=paris, O=toto, CN=user01des, E=user01des at caramail.com b=195.212.109.202 
localhost pluto[23706]: |   match_id called with a=C=fr, ST=ile-de-france, L=paris, O=toto, CN=user01des, E=user01des at caramail.com b=195.212.109.202 
localhost pluto[23706]: |   trusted_ca called with a=C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024 b=(empty) 
localhost pluto[23706]: | refine_connection: checking testvpnda against testvpnda, best=(none) with match=0(id=0/ca=1/reqca=1) 
localhost pluto[23706]: "testvpnda" #15: no suitable connection for peer 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=user01des, E=user01des at caramail.com'
localhost pluto[23706]: "testvpnda" #15: sending encrypted notification INVALID_ID_INFORMATION to 195.212.109.202:500

----------------------------end----------------------------------------

So I tried a lot of things, but I don't know what I have to put in the ipsec.conf files to use certificates.

Can you help me?

david
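The hostB log shows where the negotiation fails: `match_id` compares the peer's certificate DN against `195.212.109.202`, because the conn has no `leftid`/`rightid` and Openswan then expects the side's address as its identity. The following is an added illustration, not Openswan code or part of the post: a small emulation of that connection lookup over the posted ipsec.conf, assuming the address-as-default-ID rule and a simplified whitespace-normalised string comparison of DNs (Pluto compares them structurally).

```python
import re

# Constructed from the ipsec.conf in the post (tabs/spaces normalised).
IPSEC_CONF = """\
config setup
    klipsdebug=none
conn %default
    keyingtries=0
    authby=rsasig
conn testvpnda
    left=195.212.109.202
    leftcert=user01des.crt
    right=195.212.109.203
    rightrsasigkey=%cert
    auto=add
"""
# Peer ID as hostB's pluto logged it (the subject DN of user01des.crt;
# the list archive renders the "@" of the E= attribute as " at ").
PEER_DN = ("C=fr, ST=ile-de-france, L=paris, O=toto, "
           "CN=user01des, E=user01des@caramail.com")
# Same conn with an explicit leftid, so hostB expects hostA's DN.
FIXED_CONF = IPSEC_CONF + '    leftid="%s"\n' % PEER_DN


def parse_conns(text):
    """Return {conn name: {key: value}} with conn %default folded in."""
    sections, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^(config|conn)\s+(\S+)\s*$", line)
        if m:  # new section header; only conn sections are kept
            cur = sections.setdefault(m[2], {}) if m[1] == "conn" else None
        elif cur is not None and line[:1].isspace() and "=" in line:
            k, v = line.strip().split("=", 1)
            cur[k] = v.strip().strip('"')
    default = sections.pop("%default", {})
    return {n: {**default, **c} for n, c in sections.items()}


def expected_peer_id(conn, peer_addr):
    """ID a conn expects from the peer at peer_addr: leftid/rightid if
    set, otherwise (Openswan default) the side's address itself."""
    side = "left" if conn.get("left") == peer_addr else "right"
    return conn.get(side + "id", conn.get(side))


def find_connection(conf_text, peer_addr, peer_id):
    """Mimic refine_connection: first conn whose expected peer ID equals
    the ID the peer presented, else None (pluto: 'no suitable connection')."""
    norm = lambda s: ",".join(p.strip() for p in s.split(","))
    for name, conn in parse_conns(conf_text).items():
        if norm(expected_peer_id(conn, peer_addr)) == norm(peer_id):
            return name
    return None
```

With the posted configuration `find_connection(IPSEC_CONF, "195.212.109.202", PEER_DN)` returns `None`, matching the `INVALID_ID_INFORMATION` in the log; with `FIXED_CONF` it returns `"testvpnda"`.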
