[Openswan Users] issue configuring openswan using x509 certificates

Sambuddho Chakravarty sc2516 at columbia.edu
Thu Jun 26 15:46:52 EDT 2008


Hello All
 I am trying to set up an IPsec connection between two Linux gateway
hosts using openswan. I created the x509 CA and CA-signed certificates
for both the hosts. On each of the hosts I copied the server_key.pem
to /etc/ipsec.d/private and server_crt.pem to /etc/ipsec.d/certs. The
cacert.pem and crl.pem for them were interchanged and copied into
the /etc/ipsec.d/cacert directories on the peers. Next I tried to start
/etc/init.d/ipsec on both the machines using the following ipsec.conf

For host 1 (ip address 20.0.0.1)
-----------------------------------
conn linux-to-linux
        authby=rsasig
        left=20.0.0.1
        leftsubnet=10.0.0.0/24
        leftnexthop=%defaultroute
        leftrsasigkey=%cert
        leftcert=server_crt.pem
        leftsourceip=20.0.0.1
        right=20.0.0.2
        rightsubnet=30.0.0.0/24
        rightnexthop=%defaultroute
        rightrsasigkey=%cert
        rightsourceip=20.0.0.2
        auto=start

For host 2 (ip address 20.0.0.2)
-------------------------------------

conn linux-to-linux
        authby=rsasig
        left=20.0.0.1
        leftsubnet=10.0.0.0/24
        leftnexthop=%defaultroute
        leftrsasigkey=%cert
        leftsourceip=20.0.0.1
        right=20.0.0.2
        rightsubnet=30.0.0.0/24
        rightnexthop=%defaultroute
        rightrsasigkey=%cert
        rightcert=server_crt.pem
        rightsourceip=20.0.0.2
        auto=start

While the daemons were starting I monitored the /var/log/auth.log
files on both the gateways. This is what I observed.

For host 1
--------------------------------
Jun 26 15:42:47 host2 pluto[11654]: loading secrets from
"/etc/ipsec.secrets"
Jun 26 15:42:47 host2 pluto[11654]:   loaded private key file
'/etc/ipsec.d/private/server_key.pem' (951 bytes)
Jun 26 15:42:47 host2 pluto[11654]: loaded private key for keyid:
PPK_RSA:AwEAAcBxe
Jun 26 15:42:47 host2 pluto[11654]: "linux-to-linux": request to add a
prospective erouted policy with netkey kernel --- experimental
Jun 26 15:42:47 host2 pluto[11654]: "linux-to-linux" #1: initiating Main
Mode
Jun 26 15:42:47 host2 pluto[11654]: "linux-to-linux" #1: received Vendor
ID payload [Openswan (this version) 2.6.14 ]
Jun 26 15:42:47 host2 pluto[11654]: "linux-to-linux" #1: received Vendor
ID payload [Dead Peer Detection]
Jun 26 15:42:47 host2 pluto[11654]: "linux-to-linux" #1: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 26 15:42:47 host2 pluto[11654]: "linux-to-linux" #1: STATE_MAIN_I2:
sent MI2, expecting MR2
Jun 26 15:42:47 host2 pluto[11654]: "linux-to-linux" #1: I am sending my
cert
Jun 26 15:42:47 host2 pluto[11654]: "linux-to-linux" #1: I am sending a
certificate request
Jun 26 15:42:47 host2 pluto[11654]: "linux-to-linux" #1: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 26 15:42:47 host2 pluto[11654]: "linux-to-linux" #1: STATE_MAIN_I3:
sent MI3, expecting MR3
Jun 26 15:42:47 host2 pluto[11654]: "linux-to-linux" #1: ignoring
informational payload, type INVALID_KEY_INFORMATION msgid=00000000
Jun 26 15:42:47 host2 pluto[11654]: "linux-to-linux" #1: received and
ignored informational message
Jun 26 15:42:52 host2 pluto[11654]: packet from 20.0.0.2:500: received
Vendor ID payload [Openswan (this version) 2.6.14 ]
Jun 26 15:42:52 host2 pluto[11654]: packet from 20.0.0.2:500: received
Vendor ID payload [Dead Peer Detection]
Jun 26 15:42:52 host2 pluto[11654]: "linux-to-linux" #2: responding to
Main Mode
Jun 26 15:42:52 host2 pluto[11654]: "linux-to-linux" #2: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 26 15:42:52 host2 pluto[11654]: "linux-to-linux" #2: STATE_MAIN_R1:
sent MR1, expecting MI2
Jun 26 15:42:52 host2 pluto[11654]: "linux-to-linux" #2: transition from
state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 26 15:42:52 host2 pluto[11654]: "linux-to-linux" #2: STATE_MAIN_R2:
sent MR2, expecting MI3
Jun 26 15:42:52 host2 pluto[11654]: "linux-to-linux" #2: Main mode peer
ID is ID_IPV4_ADDR: '20.0.0.2'
Jun 26 15:42:52 host2 pluto[11654]: "linux-to-linux" #2: no RSA public
key known for '20.0.0.2'
Jun 26 15:42:52 host2 pluto[11654]: "linux-to-linux" #2: sending
encrypted notification INVALID_KEY_INFORMATION to 20.0.0.2:500
Jun 26 15:42:57 host2 pluto[11654]: "linux-to-linux" #1: discarding
duplicate packet; already STATE_MAIN_I3
Jun 26 15:42:57 host2 pluto[11654]: "linux-to-linux" #1: ignoring
informational payload, type INVALID_KEY_INFORMATION msgid=00000000
Jun 26 15:42:57 host2 pluto[11654]: "linux-to-linux" #1: received and
ignored informational message
Jun 26 15:43:02 host2 pluto[11654]: "linux-to-linux" #2: Main mode peer
ID is ID_IPV4_ADDR: '20.0.0.2'
Jun 26 15:43:02 host2 pluto[11654]: "linux-to-linux" #2: no RSA public
key known for '20.0.0.2'

For host2
----------------------------------------------------

Jun 26 15:52:04 host3 pluto[18462]: loading secrets from
"/etc/ipsec.secrets"
Jun 26 15:52:04 host3 pluto[18462]:   loaded private key file
'/etc/ipsec.d/private/server_key.pem' (963 bytes)
Jun 26 15:52:04 host3 pluto[18462]: loaded private key for keyid:
PPK_RSA:AwEAAdwtK
Jun 26 15:52:04 host3 pluto[18462]: "linux-to-linux": request to add a
prospective erouted policy with netkey kernel --- experimental
Jun 26 15:52:04 host3 pluto[18462]: "linux-to-linux" #1: initiating Main
Mode
Jun 26 15:52:04 host3 pluto[18462]: "linux-to-linux" #1: ERROR:
asynchronous network error report on eth1 (sport=500) for message to
20.0.0.1 port 500, complainant 20.0.0.1: Connection refused [errno 111,
origin ICMP type 3 code 3 (not authenticated)]
Jun 26 15:52:09 host3 pluto[18462]: packet from 20.0.0.1:500: received
Vendor ID payload [Openswan (this version) 2.6.14 ]
Jun 26 15:52:09 host3 pluto[18462]: packet from 20.0.0.1:500: received
Vendor ID payload [Dead Peer Detection]
Jun 26 15:52:09 host3 pluto[18462]: "linux-to-linux" #2: responding to
Main Mode
Jun 26 15:52:09 host3 pluto[18462]: "linux-to-linux" #2: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 26 15:52:09 host3 pluto[18462]: "linux-to-linux" #2: STATE_MAIN_R1:
sent MR1, expecting MI2
Jun 26 15:52:09 host3 pluto[18462]: "linux-to-linux" #2: transition from
state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 26 15:52:09 host3 pluto[18462]: "linux-to-linux" #2: STATE_MAIN_R2:
sent MR2, expecting MI3
Jun 26 15:52:09 host3 pluto[18462]: "linux-to-linux" #2: Main mode peer
ID is ID_IPV4_ADDR: '20.0.0.1'
Jun 26 15:52:09 host3 pluto[18462]: "linux-to-linux" #2: no RSA public
key known for '20.0.0.1'
Jun 26 15:52:09 host3 pluto[18462]: "linux-to-linux" #2: sending
encrypted notification INVALID_KEY_INFORMATION to 20.0.0.1:500
Jun 26 15:52:14 host3 pluto[18462]: "linux-to-linux" #1: received Vendor
ID payload [Openswan (this version) 2.6.14 ]
Jun 26 15:52:14 host3 pluto[18462]: "linux-to-linux" #1: received Vendor
ID payload [Dead Peer Detection]
Jun 26 15:52:14 host3 pluto[18462]: "linux-to-linux" #1: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 26 15:52:14 host3 pluto[18462]: "linux-to-linux" #1: STATE_MAIN_I2:
sent MI2, expecting MR2
Jun 26 15:52:14 host3 pluto[18462]: "linux-to-linux" #1: I am sending my
cert
Jun 26 15:52:14 host3 pluto[18462]: "linux-to-linux" #1: I am sending a
certificate request
Jun 26 15:52:14 host3 pluto[18462]: "linux-to-linux" #1: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 26 15:52:14 host3 pluto[18462]: "linux-to-linux" #1: STATE_MAIN_I3:
sent MI3, expecting MR3
Jun 26 15:52:14 host3 pluto[18462]: "linux-to-linux" #1: ignoring
informational payload, type INVALID_KEY_INFORMATION msgid=00000000
Jun 26 15:52:14 host3 pluto[18462]: "linux-to-linux" #1: received and
ignored informational message
Jun 26 15:52:19 host3 pluto[18462]: "linux-to-linux" #2: Main mode peer
ID is ID_IPV4_ADDR: '20.0.0.1'
Jun 26 15:52:19 host3 pluto[18462]: "linux-to-linux" #2: no RSA public
key known for '20.0.0.1'
Jun 26 15:52:19 host3 pluto[18462]: "linux-to-linux" #2: sending
encrypted notification INVALID_KEY_INFORMATION to 20.0.0.1:500
Jun 26 15:52:24 host3 pluto[18462]: "linux-to-linux" #1: discarding
duplicate packet; already STATE_MAIN_I3
Jun 26 15:52:24 host3 pluto[18462]: "linux-to-linux" #1: ignoring
informational payload, type INVALID_KEY_INFORMATION msgid=00000000
Jun 26 15:52:24 host3 pluto[18462]: "linux-to-linux" #1: received and
ignored informational message
Jun 26 15:52:39 host3 pluto[18462]: "linux-to-linux" #2: Main mode peer
ID is ID_IPV4_ADDR: '20.0.0.1'
Jun 26 15:52:39 host3 pluto[18462]: "linux-to-linux" #2: no RSA public
key known for '20.0.0.1'
Jun 26 15:52:39 host3 pluto[18462]: "linux-to-linux" #2: sending
encrypted notification INVALID_KEY_INFORMATION to 20.0.0.1:500
Jun 26 15:52:44 host3 pluto[18462]: "linux-to-linux" #1: discarding
duplicate packet; already STATE_MAIN_I3
Jun 26 15:52:44 host3 pluto[18462]: "linux-to-linux" #1: ignoring
informational payload, type INVALID_KEY_INFORMATION msgid=00000000
Jun 26 15:52:44 host3 pluto[18462]: "linux-to-linux" #1: received and
ignored informational message
Jun 26 15:53:19 host3 pluto[18462]: "linux-to-linux" #2: max number of
retransmissions (2) reached STATE_MAIN_R2
Jun 26 15:53:19 host3 pluto[18462]: packet from 20.0.0.1:500: received
Vendor ID payload [Openswan (this version) 2.6.14 ]
Jun 26 15:53:19 host3 pluto[18462]: packet from 20.0.0.1:500: received
Vendor ID payload [Dead Peer Detection]
Jun 26 15:53:19 host3 pluto[18462]: "linux-to-linux" #3: responding to
Main Mode
Jun 26 15:53:19 host3 pluto[18462]: "linux-to-linux" #3: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 26 15:53:19 host3 pluto[18462]: "linux-to-linux" #3: STATE_MAIN_R1:
sent MR1, expecting MI2
Jun 26 15:53:19 host3 pluto[18462]: "linux-to-linux" #3: transition from
state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 26 15:53:19 host3 pluto[18462]: "linux-to-linux" #3: STATE_MAIN_R2:
sent MR2, expecting MI3
Jun 26 15:53:19 host3 pluto[18462]: "linux-to-linux" #3: Main mode peer
ID is ID_IPV4_ADDR: '20.0.0.1'
Jun 26 15:53:19 host3 pluto[18462]: "linux-to-linux" #3: no RSA public
key known for '20.0.0.1'
.....

NOTE: UDP port 500 is open on both peers.
ALSO NOTE: the same physical / firewalling configuration (using
iptables with no rules, so 'allow all' by default) worked when using a
simple RSA key pair and preshared keys.

Any help would be appreciated. 

Thanks
Sambuddho
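An added example, not part of the original post and not Openswan project code: a POSIX shell script that builds a throwaway CA and one certificate per gateway with the gateway IP in subjectAltName, then runs the checks worth making before copying the files under /etc/ipsec.d (Openswan reads CA certificates from /etc/ipsec.d/cacerts, CRLs from /etc/ipsec.d/crls, host certificates from certs/ and keys from private/). The peer ID in the logs above is ID_IPV4_ADDR, since no leftid/rightid is set, and an ID is only accepted if it matches the certificate's subject DN or one of its subjectAltName entries, so the script checks for the IP in subjectAltName and prints the DN for the case where IDs are set to DNs instead. The CA name (lab-ca), the host names (gw1, gw2), the working directory and the use of openssl on the gateway are assumptions.

```shell
#!/bin/sh
# Added example: build a lab CA plus two gateway certificates and verify
# them the way Openswan will. Names and paths below are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory, not /etc/ipsec.d

# Create the CA key and self-signed CA certificate (goes to cacerts/ on both peers).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=lab-ca" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# Issue one certificate per gateway. $1 = short name, $2 = gateway IP.
# The IP goes into subjectAltName so an ID_IPV4_ADDR peer ID can match it.
make_host_cert() {
    name="$1"; ip="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$name" \
        -keyout "$WORK/${name}_key.pem" -out "$WORK/${name}.csr" 2>/dev/null
    printf 'subjectAltName=IP:%s\n' "$ip" > "$WORK/${name}.ext"
    openssl x509 -req -days 3650 -in "$WORK/${name}.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/${name}.ext" -out "$WORK/${name}_crt.pem" 2>/dev/null
}

# Check 1: the host certificate chains to the CA the peer has in cacerts/.
verify_chain() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/$1_crt.pem" >/dev/null 2>&1
}

# Check 2: the key in private/ belongs to the certificate in certs/
# (compare the public keys derived from each).
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/$1_key.pem" -pubout 2>/dev/null | openssl md5)
    c=$(openssl x509 -in "$WORK/$1_crt.pem" -noout -pubkey | openssl md5)
    [ "$k" = "$c" ]
}

# Check 3: the IP the peer presents as its ID is in subjectAltName.
san_has_ip() {
    openssl x509 -in "$WORK/$1_crt.pem" -noout -text \
        | grep -q -e "IP Address:$2\$" -e "IP Address:$2,"
}

# Subject DN of a certificate, for use when leftid/rightid are set to a DN.
cert_dn() {
    openssl x509 -in "$WORK/$1_crt.pem" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}

# Stand-alone run: build everything and report each check.
if [ "${1:-}" = "run" ]; then
    make_ca
    make_host_cert gw1 20.0.0.1
    make_host_cert gw2 20.0.0.2
    for h in gw1 gw2; do
        verify_chain "$h"      && echo "$h: chain OK"     || echo "$h: chain FAIL"
        key_matches_cert "$h"  && echo "$h: key OK"       || echo "$h: key FAIL"
        echo "$h: DN $(cert_dn "$h")"
    done
    san_has_ip gw1 20.0.0.1 && echo "gw1: SAN has 20.0.0.1"
    san_has_ip gw2 20.0.0.2 && echo "gw2: SAN has 20.0.0.2"
fi
```

Run it as `sh script.sh run`; a certificate that fails verify_chain will not be trusted by the peer no matter what ipsec.conf says, and a certificate whose subjectAltName lacks the peer's address will not be matched to an ID_IPV4_ADDR peer ID, so either the IP must be in the certificate or leftid/rightid must name the DN that cert_dn prints.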
