[Openswan Users] how to configure a X.509 certificate between two hosts(host-to-host)

zengyan swallowfly at gmail.com
Thu Nov 2 03:17:35 EST 2006 

I want to configure the simplest, host-to-host IPsec tunnel between two
Linux(Redhat9) machines running Openswan. And I choose X.509 certificates
for authentication.(RSA Signature Method I have tried is OK)
But the configuration can't be successful,so I turn for your help!

I choose one machine act as CA and host(192.168.0.16),and the other one is
client(192.168.0.9).The two hosts are under the same subnet(becasue I have
no more hardware equipments).The reference I used is:
http://www.natecarlson.com/linux/ipsec-x509.php

The ipsec status and conf list below:
[root at ca]# ipsec auto --status
000 interface ipsec0/eth0 192.168.0.16
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=64, keysizemin=56,
keysizemax=56
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168,
keysizemax=168
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=64, keysizemin=40,
keysizemax=128
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=65289, name=OAKLEY_SSH_PRIVATE_65289,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=6, name=OAKLEY_CAST_CBC, blocksize=8,
keydeflen=128
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,
keydeflen=128
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,9,36}
trans={0,9,96} attrs={0,9,160}
000
000 "myipsec": 192.168.0.16[@luyang]---192.168.0.1...192.168.0.9[@why]
000 "myipsec":   CAs: '%any'...'%any'
000 "myipsec":   ike_life: 720s; ipsec_life: 600s; rekey_margin: 20s;
rekey_fuzz: 50%; keyingtries: 0
000 "myipsec":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; interface:
eth0; trap erouted
000 "myipsec":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "myipsec":   IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2,
5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
000 "myipsec":   IKE algorithms found:  5_192-1_128-5, 5_192-2_160-5,
5_192-1_128-2, 5_192-2_160-2, 5_192-1_128-1, 5_192-2_160-1,
000 "myipsec":   ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "myipsec":   ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000
000 #16: "myipsec" STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT
in 17s
000 #17: "myipsec" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT
in 5s
But it seems it exists route between 192.168.0.16 and 192.168.0.9 through
typing: route -n (interface ipsec0,gateway 192.168.0.1)

# /etc/ipsec.conf
#luyang(192.168.0.16)
conn %default
 keyingtries=0
 compress=yes
 disablearrivalcheck=no
 leftrsasigkey=%cert
 rightrsasigkey=%cert
 authby=rsasig

conn myipsec
        left=%defaultroute
        leftcert=luyang.pem
        right=192.168.0.9
        pfs=yes
        auto=start

#why(192.168.0.1)
conn %default
 keyingtries=0
 compress=yes
 disablearrivalcheck=no
 leftrsasigkey=%cert
 rightrsasigkey=%cert
 authby=rsasig

conn myipsec
        left=192.168.0.16
        leftcert=luyang.pem
        leftid=@luyang
        right=%defaultroute
        rightcert=why.pem
        rightid=@why
        pfs=yes
        auto=start

-- 
Best wishes!
Yan Zeng(曾艳)
Pharmaceutical Informatics Institute
Department of Chinese Medicine Science & Engineering,Zhejiang Univ.
Email:swallowfly at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20061102/8fabd631/attachment-0001.html

More information about the Users mailing list