[Openswan Users] PSK works, certificates not

Arno Lehmann al at its-lehmann.de
Tue Jul 17 05:55:00 EDT 2007


Hi,

and thanks for your hints. But...

17.07.2007 09:55, D h @ v @ l wrote:
> 
> 
> Arno Lehmann <al at its-lehmann.de> wrote:
...
> 
>  >I created a connection in ipsec.conf like this:
> 
>  >config setup
>  >interfaces="ipsec0=eth2 ipsec1=eth1 ipsec2=eth0"
>  >klipsdebug=
>  >plutodebug=
>  >manualstart=
>  >syslog=
>  >plutowait=yes
>  >nhelpers=0
>  >#
> 
> Just disable klipsdebug, plutodebug, manualstart, syslog or give the 
> options yes or no, but do not leave them blank.

Ok, I did that, though the above didn't produce any unexpected behaviour.

...
> Here you have to specify
> leftrsasigkey=%cert
> leftsubnet=192.168.0.0/24

The setup now looks like this:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration

config setup
         interfaces="ipsec0=eth2 ipsec1=eth1 ipsec2=eth0"
         # klipsdebug=
         # plutodebug=
         # manualstart=
         # syslog=
         plutowait=yes
         nhelpers=0
         # 
         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24,%v4:!192.168.37.0/24
         # nat_traversal=yes

conn intern-cert
         # was %default
         pfs=no
         authby=rsasig
         rightrsasigkey=%cert
         leftcert=ITS-VPN.pem
         left=192.168.0.22
         leftrsasigkey=%cert
         leftprotoport=17/1701
         right=%any
         rightprotoport=17/1701
         rightsubnet=vhost:%no,%priv
         rightca=%same
         auto=add

...
>I copied the server-related files to the vpn gateway
> (/etc/ipsec.d/certs, .../cacerts, .../private - certificate, CA
> certificate, private key for certificate, respectively) and restarted
> the ipsec subsystem.
> 
>  >When I keep the gateway certificate protected by a password, and have
> a line like ": RSA "password" in ipsec.secrets, I get these
> messages:
> 
> you have to specify this thing in ipsec.secrets file
> : RSA ITS-VPN.key "password"
> This ITS-VPN.key is the key file which is copied to the private folder. This 
> solves the "key not found" problem.

True... that at least worked. (Quite stupid of me... I actually left 
out the file name :-)

...
> Just to make certificate refer 
> http://www.natecarlson.com/linux/ipsec-x509.php guide. Also make crl.pem 
> file. then follow 
> http://www.jacco2.dds.nl/networking/vista-openswan.html to go ahead.

Hmm... I'd really prefer doing that through tinyCA, and I'm not sure 
that tinyCA does anything different. Except I get a more friendly user 
interface :-)

Anyway, I'm still stuck with the same messages with the modified setup.

But I set plutodebug=all and found something interesting...
A few steps into the conversation, I get the following messages:
(shortened for better readability)
> Jul 17 11:25:42 balrog pluto[20631]: | started looking for secret for C=DE, L=...->192.168.0.88 of kind PPK_PSK
> Jul 17 11:25:42 balrog pluto[20631]: | instantiating him to 0.0.0.0
> Jul 17 11:25:42 balrog pluto[20631]: | actually looking for secret for C=DE, L=...->0.0.0.0 of kind PPK_PSK
> Jul 17 11:25:42 balrog pluto[20631]: | 1: compared PSK 0.0.0.0 to C=DE, L=... / 192.168.0.88 -> 2
> Jul 17 11:25:42 balrog pluto[20631]: | 2: compared PSK 192.168.37.1 to C=DE, L=... / 192.168.0.88 -> 2
> Jul 17 11:25:42 balrog pluto[20631]: | 1: compared PSK 0.0.0.0 to C=DE, L=... / 192.168.0.88 -> 2
> Jul 17 11:25:42 balrog pluto[20631]: | 2: compared PSK 192.168.0.22 to C=DE, L=... / 192.168.0.88 -> 2
> Jul 17 11:25:42 balrog pluto[20631]: | concluding with best_match=0 best=(nil) (lineno=-1)

Do I read this correctly that pluto does *NOT* find a secret for its own 
certificate?

From the README.x509 file, I concluded that I would not need a 
leftid= line in ipsec.conf because the DNs would be used for matching. 
And these are identical, I double-checked that the lines quoted above 
have the same DN text in them.

Regards,

Arno

-- 
Arno Lehmann
IT-Service Lehmann
www.its-lehmann.de
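The following is an added example, not part of the mail above: a small Python parser for the pluto secret-lookup lines quoted in the message. It pulls out which kind of secret pluto searched for, which local and remote IDs it used, which ipsec.secrets entries it compared against, and whether anything matched, then reports the two things a defender would check first: that the lookup kind (PPK_PSK versus PPK_RSA) matches the intended authby, and that a secret was actually found. The sample log is the quoted lines with the list-quote prefix removed; the connection names and the `diagnose` helper are this example's own, not Openswan's.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the pluto debug lines quoted in the mail, without the "> " prefix.
# The DN is abbreviated "C=DE, L=..." exactly as it was quoted.
SAMPLE_LOG = """\
Jul 17 11:25:42 balrog pluto[20631]: | started looking for secret for C=DE, L=...->192.168.0.88 of kind PPK_PSK
Jul 17 11:25:42 balrog pluto[20631]: | instantiating him to 0.0.0.0
Jul 17 11:25:42 balrog pluto[20631]: | actually looking for secret for C=DE, L=...->0.0.0.0 of kind PPK_PSK
Jul 17 11:25:42 balrog pluto[20631]: | 1: compared PSK 0.0.0.0 to C=DE, L=... / 192.168.0.88 -> 2
Jul 17 11:25:42 balrog pluto[20631]: | 2: compared PSK 192.168.37.1 to C=DE, L=... / 192.168.0.88 -> 2
Jul 17 11:25:42 balrog pluto[20631]: | 1: compared PSK 0.0.0.0 to C=DE, L=... / 192.168.0.88 -> 2
Jul 17 11:25:42 balrog pluto[20631]: | 2: compared PSK 192.168.0.22 to C=DE, L=... / 192.168.0.88 -> 2
Jul 17 11:25:42 balrog pluto[20631]: | concluding with best_match=0 best=(nil) (lineno=-1)
"""

# "started looking ..." carries the real peer ID; "actually looking ..." the instantiated one.
START_RE = re.compile(
    r"\| (?P<phase>started|actually) looking for secret for "
    r"(?P<local>.+?)->(?P<remote>\S+) of kind (?P<kind>PPK_\w+)")
# One line per ipsec.secrets entry pluto compared against the IDs it is searching for.
CMP_RE = re.compile(
    r"\| \d+: compared (?P<ckind>\w+) (?P<cand>\S+) to (?P<local>.+?) / (?P<remote>\S+) -> (?P<score>\d+)")
# best=(nil) / lineno=-1 means no ipsec.secrets line was selected.
END_RE = re.compile(
    r"\| concluding with best_match=(?P<best>\d+) best=(?P<ptr>\S+) \(lineno=(?P<lineno>-?\d+)\)")


@dataclass
class SecretSearch:
    kind: str = ""                 # PPK_PSK, PPK_RSA, ...
    local_id: str = ""             # our ID (here the certificate DN)
    remote_id: str = ""            # peer ID as first searched
    instantiated_remote: str = ""  # peer ID after "instantiating him to ..."
    candidates: list = field(default_factory=list)  # (secret kind, entry ID, score)
    best_match: int = -1
    found: bool = False


def parse_secret_search(log_text: str) -> SecretSearch:
    """Collect one secret lookup from pluto debug output."""
    s = SecretSearch()
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            if m["phase"] == "started":
                s.kind, s.local_id, s.remote_id = m["kind"], m["local"], m["remote"]
            else:
                s.instantiated_remote = m["remote"]
            continue
        m = CMP_RE.search(line)
        if m:
            s.candidates.append((m["ckind"], m["cand"], int(m["score"])))
            continue
        m = END_RE.search(line)
        if m:
            s.best_match = int(m["best"])
            s.found = m["ptr"] != "(nil)" and int(m["lineno"]) >= 0
    return s


def diagnose(search: SecretSearch, authby: str) -> list:
    """Hypothetical checks (not Openswan's): does the lookup fit the intended authby, and did it succeed?"""
    findings = []
    if authby == "rsasig" and search.kind == "PPK_PSK":
        findings.append(
            "pluto searched ipsec.secrets for a preshared key (PPK_PSK), not an RSA key (PPK_RSA): "
            "this exchange is negotiating preshared-key authentication, so check the auth method "
            "configured on both ends before looking at the certificate setup")
    if not search.found:
        ids = ", ".join(c for _, c, _ in search.candidates)
        findings.append(
            f"no secret matched {search.local_id} -> {search.remote_id}; "
            f"entries tried: {ids or 'none'}")
    return findings


if __name__ == "__main__":
    result = parse_secret_search(SAMPLE_LOG)
    for finding in diagnose(result, "rsasig"):
        print("-", finding)
```

Run on the quoted lines, the parser shows that every entry pluto compared was an address-keyed PSK entry (0.0.0.0, 192.168.37.1, 192.168.0.22) and that none was selected, and the first finding makes the point that a PPK_PSK lookup is not a search for the certificate's RSA key at all.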

