[Openswan Users] Authentication failure with RSA certificates configuration
Slava Sporish
slovarikable at gmail.com
Wed Feb 2 08:12:50 EST 2011
Hello everyone!
I have no trouble to configure site2site IPsec tunnel using latest stable
Openswan between two Centos 5.5 machines but can't in any way find
configuration to create site2site tunnel between Centos 5.5 and the Astaro
Security Gateway 8 using RSA authentication. It seems according to logs that
Centos using right certs from the NSS db and same certs found on the second
machine but there is no way that I can get Astaro to accept Centos' certs.
I'm stuck with this problem about a week and must solve it as soon as
possible.
Please help.
Or at last describe a theory of configuration with RSA authentication I mean
things like were should be public/private keys/certs located and how to
check if they are valid/in correct places?
Can someone tell me what I'm doing wrong?
Here are configuration files, certificates and logs:
#######################################################################################
###
###
### Configuration and certificates of the Centos 5.5 (left) machine
###
###
###
#######################################################################################
Content of the /etc/ipsec.conf
-------------->>>>>>><<<<<<<--------------
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
protostack=netkey
nat_traversal=yes
virtual_private=10.175.1.131
oe=off
# Enable this if you see "failed to find any available worker"
nhelpers=0
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and
uncomment this.
include /etc/ipsec.d/*.conf
-------------->>>>>>><<<<<<<--------------
Content of the /etc/ipsec.secrets
-------------->>>>>>><<<<<<<--------------
include /etc/ipsec.d/*.secrets
-------------->>>>>>><<<<<<<--------------
Content of the /etc/ipsec.d/my_vpn.conf
-------------->>>>>>><<<<<<<--------------
conn linux-to-linux
left=10.170.2.150
leftid="CN=vpnca"
leftrsasigkey=%cert
leftcert=vpnca
right=10.170.2.100
rightid=10.170.2.100
rightrsasigkey=%cert
rightcert=HuiNanNy
type="tunnel"
auto=start
-------------->>>>>>><<<<<<<--------------
Contentt of the /etc/ipsec.d/my_vpn.secrets
-------------->>>>>>><<<<<<<--------------
: RSA vpnca
-------------->>>>>>><<<<<<<--------------
Content of certificate "vpnca" (which is should be a primary CA for both
machines)
-------------->>>>>>><<<<<<<--------------
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
00:93:51:47:31
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=vpnca"
Validity:
Not Before: Sun Jan 23 21:33:00 2011
Not After : Mon Jan 23 21:33:00 2012
Subject: "CN=vpnca"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
c6:69:51:2a:df:91:22:62:ad:3d:ef:c8:95:4c:e2:63:
48:05:67:e3:7e:41:b6:1a:76:6b:44:8d:1c:98:af:72:
0a:b3:6e:57:10:77:b8:04:84:de:c0:b7:d4:c9:56:c5:
50:a7:8f:00:ad:a8:97:7d:5b:37:49:ac:82:c3:84:c4:
9b:33:76:a6:b8:2d:0e:04:15:26:a3:2c:92:b9:83:71:
d1:41:ca:c4:96:87:c6:6e:1d:84:59:2a:3a:b3:b0:2e:
24:42:95:98:80:70:63:6e:8a:d5:cd:7f:76:b5:e6:09:
71:f7:cb:cd:98:8b:2c:67:ee:bb:84:fd:fc:8a:a6:ed
Exponent: 65537 (0x10001)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
50:6d:2c:fe:63:d4:39:4e:86:97:ae:5f:dc:49:cc:56:
d9:d1:63:06:f9:65:94:50:e1:25:4b:45:84:4e:af:4a:
6c:ea:24:13:73:87:29:b1:e4:f6:05:68:98:7f:00:4d:
90:23:c3:0a:99:9a:39:d2:10:95:a4:3c:02:b7:0a:4e:
6f:ba:c1:25:62:b1:7f:d1:c4:63:64:0b:4d:a9:b2:35:
45:87:67:fa:f0:92:e9:46:e0:ce:19:df:2f:c1:e2:61:
11:f2:1d:af:5c:02:03:77:ff:db:c7:c9:cc:05:fe:ec:
1c:be:bd:ca:48:c7:49:c3:50:3e:ae:91:b5:06:cd:61
Fingerprint (MD5):
AD:E2:31:01:8D:35:E5:04:D4:36:B9:94:3E:95:B1:CC
Fingerprint (SHA1):
BD:66:83:85:D5:1F:E8:FD:E6:00:CE:E9:E7:69:C1:20:07:74:E7:04
Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
User
Trusted Client CA
Email Flags:
Valid CA
Trusted CA
User
Object Signing Flags:
Valid CA
Trusted CA
User
-------------->>>>>>><<<<<<<--------------
Content of certificate "HuiNanNy"
-------------->>>>>>><<<<<<<--------------
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5378 (0x1502)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=vpnca"
Validity:
Not Before: Wed Feb 02 11:55:45 2011
Not After : Mon Jan 23 21:33:23 2012
Subject: "O=Vertical Place,L=Tel-Aviv,C=il"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
ad:15:00:25:95:0c:2e:1a:b5:82:d4:18:37:3f:a8:1c:
27:3b:e6:80:27:d0:ac:be:c0:40:83:d7:8b:5b:02:8a:
df:6f:e9:b0:ed:b4:38:ba:f9:74:bf:6a:e0:8a:33:33:
08:06:99:7f:68:b1:12:f2:0b:0c:01:f0:b9:61:09:91:
a0:08:a3:e4:6e:de:77:0d:fc:c7:c3:77:53:c5:ba:e8:
4f:9f:71:8d:fb:7e:a9:ce:e5:9b:a0:2f:a2:b8:f3:79:
cc:eb:09:70:97:6f:06:50:a4:0d:30:fa:4d:a5:e9:d8:
f9:11:eb:0c:85:f9:1a:04:b8:90:3e:ad:f5:65:a2:f5
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Subject Key ID
Data:
98:eb:2c:43:38:e0:52:9f:be:1f:b8:8a:9b:7f:89:eb:
fa:9f:cc:29
Name: Certificate Authority Key Identifier
Issuer:
Directory Name: "CN=vpnca"
Serial Number:
00:93:51:47:31
Name: Certificate Subject Alt Name
IP Address: 10.170.2.150
Name: Certificate Basic Constraints
Data: Is not a CA.
Name: Certificate Key Usage
Usages: Digital Signature
Non-Repudiation
Key Encipherment
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
a1:73:c5:4a:56:d3:fe:39:78:c1:2f:bb:ed:b6:eb:77:
02:21:e0:b1:ef:9b:f2:b1:1c:b9:e0:a1:8d:90:50:dd:
e0:5c:70:d8:f2:62:73:df:70:3a:76:05:36:ba:ee:17:
f6:29:27:d7:82:9f:f8:4b:44:dd:50:41:af:c5:f7:a3:
9c:fb:d0:93:44:bf:e7:28:46:a1:94:13:75:6f:bb:59:
12:bb:9e:4a:11:a4:78:58:d0:53:87:9a:74:55:03:e2:
6c:2a:61:37:2d:0b:4f:d4:de:ca:e0:32:9c:57:6e:8c:
b7:fb:be:e8:c3:ba:f7:03:91:94:2b:54:8a:7a:71:8d
Fingerprint (MD5):
4B:77:BE:B4:A2:67:72:66:24:E5:EE:9C:FE:F7:8F:D6
Fingerprint (SHA1):
DA:02:98:D5:AB:EE:BC:54:A5:C0:F0:B4:0D:7A:E5:99:2C:62:05:4B
Certificate Trust Flags:
SSL Flags:
User
Email Flags:
User
Object Signing Flags:
User
-------------->>>>>>><<<<<<<--------------
#######################################################################################
###
###
### Configuration and certificates of the Astaro Security Gateway 8 (right)
machine ###
###
###
#######################################################################################
Content of the /etc/ipsec.conf
-------------->>>>>>><<<<<<<--------------
#/etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charonstart="no"
plutodebug="none"
uniqueids="no"
nocrsend="yes"
nat_traversal="yes"
keep_alive="60"
crlcheckinterval="0"
strictcrlpolicy="no"
probe_psk="no"
conn %default
rekeyfuzz="100%"
keyingtries="0"
leftsendcert="always"
dpddelay="30"
dpdtimeout="120"
dpdaction="restart"
# Centos-VPN
conn S_REF_eSpQByGRud_0
authby="rsasig"
auto="start"
compress="no"
esp="aes256-md5"
ike="aes256-md5-modp1536"
ikelifetime="7800"
keyexchange="ike"
keylife="3600"
left="10.170.2.100"
leftcert="/etc/ipsec.d/certs/REF_WcWZBkCkUA.pem"
leftid="10.170.2.150"
leftrsasigkey="%cert"
leftsourceip="10.170.2.100"
leftsubnet="10.170.2.100/32"
leftupdown="/usr/libexec/ipsec/updown strict"
pfs="no"
rekeymargin="540"
right="10.170.2.150"
rightcert="/etc/ipsec.d/certs/REF_eGfDyXnwdH_2392a33d.pem"
rightid="CN=vpnca"
rightrsasigkey="%cert"
rightsubnet="10.170.2.0/24"
type="tunnel"
conn X_REF_eSpQByGRud_0
authby="never"
auto="route"
left="10.170.2.100"
leftsubnet="10.170.2.100/32"
leftupdown="/bin/sh -c true"
right="255.255.255.255"
rightsubnet="10.170.2.100/32"
type="passthrough"
-------------->>>>>>><<<<<<<--------------
Content of the /etc/ipsec.secrets
-------------->>>>>>><<<<<<<--------------
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA REF_WcWZBkCkUA.pem
-------------->>>>>>><<<<<<<--------------
Content of the /etc/ipsec.d/certs/REF_WcWZBkCkUA.pem
-------------->>>>>>><<<<<<<--------------
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5378 (0x1502)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=vpnca
Validity
Not Before: Feb 2 11:55:45 2011 GMT
Not After : Jan 23 21:33:23 2012 GMT
Subject: C=il, L=Tel-Aviv, O=Vertical Place
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ad:15:00:25:95:0c:2e:1a:b5:82:d4:18:37:3f:
a8:1c:27:3b:e6:80:27:d0:ac:be:c0:40:83:d7:8b:
5b:02:8a:df:6f:e9:b0:ed:b4:38:ba:f9:74:bf:6a:
e0:8a:33:33:08:06:99:7f:68:b1:12:f2:0b:0c:01:
f0:b9:61:09:91:a0:08:a3:e4:6e:de:77:0d:fc:c7:
c3:77:53:c5:ba:e8:4f:9f:71:8d:fb:7e:a9:ce:e5:
9b:a0:2f:a2:b8:f3:79:cc:eb:09:70:97:6f:06:50:
a4:0d:30:fa:4d:a5:e9:d8:f9:11:eb:0c:85:f9:1a:
04:b8:90:3e:ad:f5:65:a2:f5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
98:EB:2C:43:38:E0:52:9F:BE:1F:B8:8A:9B:7F:89:EB:FA:9F:CC:29
X509v3 Authority Key Identifier:
DirName:/CN=vpnca
serial:93:51:47:31
X509v3 Subject Alternative Name:
IP Address:10.170.2.150
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Signature Algorithm: sha1WithRSAEncryption
a1:73:c5:4a:56:d3:fe:39:78:c1:2f:bb:ed:b6:eb:77:02:21:
e0:b1:ef:9b:f2:b1:1c:b9:e0:a1:8d:90:50:dd:e0:5c:70:d8:
f2:62:73:df:70:3a:76:05:36:ba:ee:17:f6:29:27:d7:82:9f:
f8:4b:44:dd:50:41:af:c5:f7:a3:9c:fb:d0:93:44:bf:e7:28:
46:a1:94:13:75:6f:bb:59:12:bb:9e:4a:11:a4:78:58:d0:53:
87:9a:74:55:03:e2:6c:2a:61:37:2d:0b:4f:d4:de:ca:e0:32:
9c:57:6e:8c:b7:fb:be:e8:c3:ba:f7:03:91:94:2b:54:8a:7a:
71:8d
-----BEGIN CERTIFICATE-----
MIICMjCCAZugAwIBAgICFQIwDQYJKoZIhvcNAQEFBQAwEDEOMAwGA1UEAxMFdnBu
Y2EwHhcNMTEwMjAyMTE1NTQ1WhcNMTIwMTIzMjEzMzIzWjA5MQswCQYDVQQGEwJp
bDERMA8GA1UEBxMIVGVsLUF2aXYxFzAVBgNVBAoTDlZlcnRpY2FsIFBsYWNlMIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCtFQAllQwuGrWC1Bg3P6gcJzvmgCfQ
rL7AQIPXi1sCit9v6bDttDi6+XS/auCKMzMIBpl/aLES8gsMAfC5YQmRoAij5G7e
dw38x8N3U8W66E+fcY37fqnO5ZugL6K483nM6wlwl28GUKQNMPpNpenY+RHrDIX5
GgS4kD6t9WWi9QIDAQABo3IwcDAdBgNVHQ4EFgQUmOssQzjgUp++H7iKm3+J6/qf
zCkwJgYDVR0jBB8wHaEUpBIwEDEOMAwGA1UEAxMFdnBuY2GCBQCTUUcxMA8GA1Ud
EQQIMAaHBAqqApYwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwDQYJKoZIhvcNAQEF
BQADgYEAoXPFSlbT/jl4wS+77bbrdwIh4LHvm/KxHLngoY2QUN3gXHDY8mJz33A6
dgU2uu4X9ikn14Kf+EtE3VBBr8X3o5z70JNEv+coRqGUE3Vvu1kSu55KEaR4WNBT
h5p0VQPibCphNy0LT9TeyuAynFdujLf7vujDuvcDkZQrVIp6cY0=
-----END CERTIFICATE-----
-------------->>>>>>><<<<<<<--------------
Content of the /etc/ipsec.d/certs/REF_eGfDyXnwdH_2392a33d.pem
-------------->>>>>>><<<<<<<--------------
Bag Attributes
friendlyName: vpnca
localKeyID: BD 66 83 85 D5 1F E8 FD E6 00 CE E9 E7 69 C1 20 07 74 E7 04
subject=/CN=vpnca
issuer=/CN=vpnca
-----BEGIN CERTIFICATE-----
MIIBmDCCAQGgAwIBAgIFAJNRRzEwDQYJKoZIhvcNAQEFBQAwEDEOMAwGA1UEAxMF
dnBuY2EwHhcNMTEwMTIzMjEzMzAwWhcNMTIwMTIzMjEzMzAwWjAQMQ4wDAYDVQQD
EwV2cG5jYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxmlRKt+RImKtPe/I
lUziY0gFZ+N+QbYadmtEjRyYr3IKs25XEHe4BITewLfUyVbFUKePAK2ol31bN0ms
gsOExJszdqa4LQ4EFSajLJK5g3HRQcrElofGbh2EWSo6s7AuJEKVmIBwY26K1c1/
drXmCXH3y82Yiyxn7ruE/fyKpu0CAwEAATANBgkqhkiG9w0BAQUFAAOBgQBQbSz+
Y9Q5ToaXrl/cScxW2dFjBvlllFDhJUtFhE6vSmzqJBNzhymx5PYFaJh/AE2QI8MK
mZo50hCVpDwCtwpOb7rBJWKxf9HEY2QLTamyNUWHZ/rwkulG4M4Z3y/B4mER8h2v
XAIDd//bx8nMBf7sHL69ykjHScNQPq6RtQbNYQ==
-----END CERTIFICATE-----
-------------->>>>>>><<<<<<<--------------
#######################################################################################
###
###
### Logs during connection from both machines
###
###
###
#######################################################################################
IPsec Log on the Centos (left) side
-------------->>>>>>><<<<<<<--------------
Feb 2 22:08:37 SERVER-ONE ipsec_setup: Stopping Openswan IPsec...
Feb 2 22:08:38 SERVER-ONE ipsec_setup: ...Openswan IPsec stopped
Feb 2 22:08:44 SERVER-ONE ipsec_setup: Starting Openswan IPsec
U2.6.21/K2.6.18-194.32.1.el5...
Feb 2 22:08:44 SERVER-ONE ipsec_setup: Using NETKEY(XFRM) stack
Feb 2 22:08:44 SERVER-ONE ipsec_setup: Command line is not complete. Try
option "help"
Feb 2 22:08:44 SERVER-ONE ipsec_setup: ...Openswan IPsec started
Feb 2 22:08:44 SERVER-ONE pluto: adjusting ipsec.d to /etc/ipsec.d
Feb 2 22:08:44 SERVER-ONE ipsec__plutorun: adjusting ipsec.d to
/etc/ipsec.d
Feb 2 22:08:44 SERVER-ONE ipsec__plutorun: 002 loading certificate from
vpnca
Feb 2 22:08:44 SERVER-ONE ipsec__plutorun: 002 loading certificate from
HuiNanNy
Feb 2 22:08:44 SERVER-ONE ipsec__plutorun: 002 added connection description
"linux-to-linux"
Feb 2 22:08:44 SERVER-ONE ipsec__plutorun: 104 "linux-to-linux" #1:
STATE_MAIN_I1: initiate
-------------->>>>>>><<<<<<<--------------
IPsec Log on the Astaro (right) side
-------------->>>>>>><<<<<<<--------------
2011:02:02-16:06:20 astaro pluto[28743]: loaded private key from
'HuiNanNy.pem'
2011:02:02-16:06:20 astaro pluto[28743]: loaded host certificate from
'/etc/ipsec.d/certs/HuiNanNy.pem'
2011:02:02-16:06:20 astaro pluto[28743]: loaded host certificate from
'/etc/ipsec.d/certs/REF_eGfDyXnwdH.pem'
2011:02:02-16:06:20 astaro pluto[28743]: added connection description
"S_Centos-VPN"
2011:02:02-16:06:20 astaro pluto[28743]: "S_Centos-VPN" #1: initiating Main
Mode
2011:02:02-16:06:20 astaro pluto[28743]: added connection description
"X_Centos-VPN"
2011:02:02-16:06:20 astaro pluto[28743]: "S_Centos-VPN" #1: ignoring Vendor
ID payload [4f457e717f6b5a4e727d576b]
2011:02:02-16:06:20 astaro pluto[28743]: "S_Centos-VPN" #1: received Vendor
ID payload [Dead Peer Detection]
2011:02:02-16:06:20 astaro pluto[28743]: "S_Centos-VPN" #1: received Vendor
ID payload [RFC 3947]
2011:02:02-16:06:20 astaro pluto[28743]: "S_Centos-VPN" #1: enabling
possible NAT-traversal with method 3
2011:02:02-16:06:20 astaro pluto[28743]: "S_Centos-VPN" #1: NAT-Traversal:
Result using RFC 3947: no NAT detected
2011:02:02-16:06:20 astaro pluto[28743]: "S_Centos-VPN" #1: we have a cert
and are sending it
2011:02:02-16:06:20 astaro pluto[28743]: "S_Centos-VPN" #1: next payload
type of ISAKMP Hash Payload has an unknown value: 24
2011:02:02-16:06:20 astaro pluto[28743]: "S_Centos-VPN" #1: malformed
payload in packet
2011:02:02-16:06:30 astaro pluto[28743]: "S_Centos-VPN" #1: discarding
duplicate packet; already STATE_MAIN_I3
2011:02:02-16:06:30 astaro pluto[28743]: "S_Centos-VPN" #1: next payload
type of ISAKMP Hash Payload has an unknown value: 53
2011:02:02-16:06:30 astaro pluto[28743]: "S_Centos-VPN" #1: malformed
payload in packet
2011:02:02-16:06:43 astaro pluto[28743]: packet from 10.170.2.150:500:
ignoring Vendor ID payload [4f457e717f6b5a4e727d576b]
2011:02:02-16:06:43 astaro pluto[28743]: packet from 10.170.2.150:500:
received Vendor ID payload [Dead Peer Detection]
2011:02:02-16:06:43 astaro pluto[28743]: packet from 10.170.2.150:500:
received Vendor ID payload [RFC 3947]
2011:02:02-16:06:43 astaro pluto[28743]: packet from 10.170.2.150:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2011:02:02-16:06:43 astaro pluto[28743]: packet from 10.170.2.150:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2011:02:02-16:06:43 astaro pluto[28743]: packet from 10.170.2.150:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2011:02:02-16:06:43 astaro pluto[28743]: packet from 10.170.2.150:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2011:02:02-16:06:43 astaro pluto[28743]: "S_Centos-VPN" #2: responding to
Main Mode
2011:02:02-16:06:43 astaro pluto[28743]: "S_Centos-VPN" #2: NAT-Traversal:
Result using RFC 3947: no NAT detected
2011:02:02-16:06:43 astaro pluto[28743]: "S_Centos-VPN" #2: Peer ID is
ID_DER_ASN1_DN: 'CN=vpnca'
2011:02:02-16:06:43 astaro pluto[28743]: "S_Centos-VPN" #2: crl not found
2011:02:02-16:06:43 astaro pluto[28743]: "S_Centos-VPN" #2: certificate
status unknown
2011:02:02-16:06:43 astaro pluto[28743]: "S_Centos-VPN" #2: signature check
for 'CN=vpnca' failed: wrong key?; tried 1
2011:02:02-16:06:43 astaro pluto[28743]: "S_Centos-VPN" #2: sending
encrypted notification INVALID_KEY_INFORMATION to 10.170.2.150:500
2011:02:02-16:06:43 astaro pluto[28743]: "S_Centos-VPN" #2: Informational
Exchange message must be encrypted
2011:02:02-16:06:50 astaro pluto[28743]: "S_Centos-VPN" #1: discarding
duplicate packet; already STATE_MAIN_I3
2011:02:02-16:06:50 astaro pluto[28743]: "S_Centos-VPN" #1: next payload
type of ISAKMP Hash Payload has an unknown value: 142
2011:02:02-16:06:50 astaro pluto[28743]: "S_Centos-VPN" #1: malformed
payload in packet
-------------->>>>>>><<<<<<<--------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20110202/56672bea/attachment-0001.html
More information about the Users
mailing list