[Openswan Users] Site-to-Site IPSec Tunnel Between Astaro (ASG8) And Centos 5.5 Fails Using RSA

Slava Sporish slovarikable at gmail.com
Tue Feb 1 11:46:33 EST 2011


 Hello everyone!

*The problem:*
I stack with a problem during Site-to-Site IPSec VPN setup between Ataro 8
and Centos 5.5 box.
My problem is that I always failing signature check and so cannot reach and
pass "STATE_MAIN_I3" phase.

*What do I have:*
Assume that on the "left" side I have a Centos 5.5 with Openswan 2.6.21
using NSS database that should use only RSA authentication mechanism sitting
on the 10.170.2.150 IP with subnet mask 255.255.255.0
On the "right" side there is an Astaro ASG8 that should communicate with a
Centos from the right side using Site-to-Site IPSec VPN sitting on
10.170.2.100 IP with the same subnet mask.

*Current Setup And Debug Info:**
*This my NSS DB (all listed certificates are also present in ASG) ("certutil
-L -d /etc/ipsec.d/"):
---------------------------------------------------------------------------------------------------
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI

Local X509 Cert (regenerated) u,u,u
vpnca CTu,Cu,Cu
Centos u,u,u
---------------------------------------------------------------------------------------------------

This is CA for both machines ("certutil -L -n vpnca -d /etc/ipsec.d/")
---------------------------------------------------------------------------------------------------
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
00:93:51:47:31
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=vpnca"
Validity:
Not Before: Sun Jan 23 21:33:00 2011
Not After : Mon Jan 23 21:33:00 2012
Subject: "CN=vpnca"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
c6:69:51:2a:df:91:22:62:ad:3d:ef:c8:95:4c:e2:63:
48:05:67:e3:7e:41:b6:1a:76:6b:44:8d:1c:98:af:72:
0a:b3:6e:57:10:77:b8:04:84:de:c0:b7:d4:c9:56:c5:
50:a7:8f:00:ad:a8:97:7d:5b:37:49:ac:82:c3:84:c4:
9b:33:76:a6:b8:2d:0e:04:15:26:a3:2c:92:b9:83:71:
d1:41:ca:c4:96:87:c6:6e:1d:84:59:2a:3a:b3:b0:2e:
24:42:95:98:80:70:63:6e:8a:d5:cd:7f:76:b5:e6:09:
71:f7:cb:cd:98:8b:2c:67:ee:bb:84:fd:fc:8a:a6:ed
Exponent: 65537 (0x10001)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
50:6d:2c:fe:63:d4:39:4e:86:97:ae:5f:dc:49:cc:56:
d9:d1:63:06:f9:65:94:50:e1:25:4b:45:84:4e:af:4a:
6c:ea:24:13:73:87:29:b1:e4:f6:05:68:98:7f:00:4d:
90:23:c3:0a:99:9a:39:d2:10:95:a4:3c:02:b7:0a:4e:
6f:ba:c1:25:62:b1:7f:d1:c4:63:64:0b:4d:a9:b2:35:
45:87:67:fa:f0:92:e9:46:e0:ce:19:df:2f:c1:e2:61:
11:f2:1d:af:5c:02:03:77:ff:db:c7:c9:cc:05:fe:ec:
1c:be:bd:ca:48:c7:49:c3:50:3e:ae:91:b5:06:cd:61
Fingerprint (MD5):
AD:E2:31:01:8D:35:E5:04:D4:36:B9:94:3E:95:B1:CC
Fingerprint (SHA1):
BD:66:83:85:D5:1F:E8:FD:E6:00:CE:E9:E7:69:C1:20:07:74:E7:04

Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
User
Trusted Client CA
Email Flags:
Valid CA
Trusted CA
User
Object Signing Flags:
Valid CA
Trusted CA
User
---------------------------------------------------------------------------------------------------

This is Centos certificate ("certutil -L -n Centos -d /etc/ipsec.d/")
---------------------------------------------------------------------------------------------------
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
00:93:68:26:a7
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=vpnca"
Validity:
Not Before: Tue Feb 01 23:51:23 2011
Not After : Wed Feb 01 23:51:23 2012
Subject: "CN=Centos"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
da:0c:fb:8d:30:2d:ae:51:99:e0:e5:c0:a3:47:b7:72:
0b:17:bf:bc:8e:5d:84:92:08:56:2e:db:0c:6a:a1:32:
b3:ed:6b:f5:69:5c:d8:10:77:7b:8f:1f:aa:4c:44:a1:
c0:f3:3f:23:04:a3:f3:af:30:dd:f6:2a:80:cf:8a:e5:
16:4b:24:4d:2c:67:b0:fb:04:7c:21:93:38:79:32:75:
a7:03:19:88:57:ac:01:13:7c:6d:50:a6:10:a6:2f:1e:
b2:93:8a:ae:c0:1d:56:58:96:9d:ec:eb:42:e0:f7:41:
96:56:bc:9b:ec:5b:13:c8:33:65:bd:53:2f:4c:b3:5d
Exponent: 65537 (0x10001)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
17:4d:f6:4f:9e:90:36:72:da:89:83:34:1b:dc:e2:90:
2d:05:f4:67:c3:55:96:d4:e4:a3:a0:6c:b2:bb:1d:86:
55:bc:e4:36:d6:a4:aa:f5:38:55:48:e6:b1:38:eb:20:
9d:df:25:6b:dc:0e:fc:98:df:19:12:2a:07:ea:b4:e5:
f3:af:28:0f:23:12:0f:ad:7d:8e:21:8a:55:2c:d3:48:
42:9e:e3:97:f9:f6:ce:9b:8d:bc:16:1d:3d:fc:24:fb:
4c:c1:43:0f:d6:9a:e5:e6:85:77:6d:e9:1a:6d:f0:5e:
2b:8f:8f:80:47:ca:4b:f4:25:6e:08:b0:26:86:aa:43
Fingerprint (MD5):
A2:51:89:61:6D:3D:BA:82:70:11:48:E5:15:96:DF:C5
Fingerprint (SHA1):
4F:B5:7A:53:62:D6:B4:A0:34:83:E3:26:A6:A8:DB:68:82:1B:61:23

Certificate Trust Flags:
SSL Flags:
User
Email Flags:
User
Object Signing Flags:
User
---------------------------------------------------------------------------------------------------

This is ASG certificate ("certutil -L -n 'Local X509 Cert (regenerated)' -d
/etc/ipsec.d/")
---------------------------------------------------------------------------------------------------
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5376 (0x1500)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=vpnca"
Validity:
Not Before: Tue Feb 01 15:01:24 2011
Not After : Mon Jan 23 21:33:23 2012
Subject: "E=censored at censored.com,CN=astaro"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
b4:ad:ec:66:ed:54:df:29:90:19:59:92:c9:18:cb:87:
df:44:e6:f5:93:cc:a0:62:70:26:92:83:3b:49:e3:5c:
46:ee:d6:77:58:82:60:e2:99:98:00:35:51:aa:7d:d2:
21:8d:92:5b:fe:71:ec:ad:99:43:52:c2:af:7d:2c:9b:
a9:30:33:23:f8:90:4c:e8:20:36:b8:eb:95:4b:db:c8:
b0:6b:52:e5:e4:85:06:5a:08:cb:f2:10:88:c3:0e:f1:
de:f4:cd:72:14:cc:c0:15:04:54:b1:5c:9e:86:1d:e8:
c1:f9:f7:24:11:94:93:5b:f2:48:67:41:f4:c0:57:0d
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Subject Key ID
Data:
11:1e:4a:b8:1b:29:d3:95:3b:70:e0:66:55:55:4a:9e:
2a:d8:db:51

Name: Certificate Authority Key Identifier
Issuer:
Directory Name: "CN=vpnca"
Serial Number:
00:93:51:47:31

Name: Certificate Subject Alt Name
DNS name: "astaro"

Name: Certificate Basic Constraints
Data: Is not a CA.

Name: Certificate Key Usage
Usages: Digital Signature
Non-Repudiation
Key Encipherment

Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
2c:95:f0:fa:f6:6b:1e:c8:df:32:82:f4:33:14:9f:0f:
c9:fc:8b:94:9e:a3:82:65:dc:38:c2:19:1c:b1:10:92:
6f:16:f4:84:86:b7:aa:c5:44:c5:2b:62:08:b1:58:19:
19:e3:e7:95:d3:6d:eb:37:f2:07:28:85:d6:3d:a0:75:
93:6f:07:96:cf:46:2b:8c:37:96:6f:de:ad:96:0b:57:
a3:0e:8a:44:83:ac:62:76:24:25:3a:b6:34:23:04:cc:
0f:cc:f5:22:f6:be:10:60:9f:01:96:87:c6:f9:42:72:
56:c2:10:b1:9e:86:db:51:37:cd:a0:fb:8a:ab:ea:56
Fingerprint (MD5):
E3:F4:01:E2:E7:50:55:E8:B6:4E:C2:06:24:F8:2A:B8
Fingerprint (SHA1):
6D:54:F2:3C:36:23:3A:CA:54:07:1F:25:41:42:8D:A5:C1:81:D1:C3

Certificate Trust Flags:
SSL Flags:
User
Email Flags:
User
Object Signing Flags:
User
---------------------------------------------------------------------------------------------------


After running "ipsec auto --rereadall ; ipsec showhostkey --right ; ipsec
showhostkey --left" this is what I get
---------------------------------------------------------------------------------------------------
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
# rsakey AwEAAcZpU
rightrsasigkey=0sAwEAAcZpUSrfkSJirT3vyJVM4mNIBWfjfkG2GnZrRI0cmK9yCrNuVxB3uASE3sC31MlWxVCnjwCtqJd9WzdJrILDhMSbM3amuC0OBBUmoyySuYNx0UHKxJaHxm4dhFkqOrOwLiRClZiAcGNuitXNf3a15glx98vNmIssZ+67hP38iqbt
ipsec showhostkey nss directory showhostkey: /etc/ipsec.d
# rsakey AwEAAcZpU
leftrsasigkey=0sAwEAAcZpUSrfkSJirT3vyJVM4mNIBWfjfkG2GnZrRI0cmK9yCrNuVxB3uASE3sC31MlWxVCnjwCtqJd9WzdJrILDhMSbM3amuC0OBBUmoyySuYNx0UHKxJaHxm4dhFkqOrOwLiRClZiAcGNuitXNf3a15glx98vNmIssZ+67hP38iqbt
---------------------------------------------------------------------------------------------------

While the real ASG RSA local key is:
---------------------------------------------------------------------------------------------------
0sAQPAo14xragRJ2/DA0HJSmmeOjeFz1NtPituw3UFrKsPg2VIPKRteL1rZkmKOPkAgg5BC/3okIKZ4pW4SgA5G5TXVlgNgyG4dN5vwBD0fcMI2kzuvadcATQImMjYze3z7HP7yeOeP7eGfuxYaKMsVvheUfIYg9G5XY4fmgmP6/R8sQ==
---------------------------------------------------------------------------------------------------

This is ipsec.conf on the "left" side (Centos 5.5)
---------------------------------------------------------------------------------------------------
conn linux-to-linux
left=10.170.2.150
leftid="CN=Centos"
leftrsasigkey=%cert
leftcert=Centos
right=10.170.2.100
rightid="CN=astaro, E=censored at censored.com"
rightrsasigkey=%cert
rightcert="Local X509 Cert (regenerated)"
type="tunnel"
auto=start
---------------------------------------------------------------------------------------------------

This is ipsec.secrets on the "left" side (Centos 5.5)
---------------------------------------------------------------------------------------------------
: RSA vpnca

---------------------------------------------------------------------------------------------------

This is ipsec.conf on the "right" side (Astaro (ASG 8)) that I get after
setting up tunnel via ASG WebAdmin
---------------------------------------------------------------------------------------------------
#/etc/ipsec.conf - strongSwan IPsec configuration file

config setup
charonstart="no"
plutodebug="none"
uniqueids="no"
nocrsend="yes"
nat_traversal="yes"
keep_alive="60"
crlcheckinterval="0"
strictcrlpolicy="no"
probe_psk="no"

conn %default
rekeyfuzz="100%"
keyingtries="0"
leftsendcert="always"
dpddelay="30"
dpdtimeout="120"
dpdaction="restart"

# Centos-VPN
conn S_REF_eSpQByGRud_0
authby="rsasig"
auto="start"
compress="no"
esp="aes256-md5"
ike="aes256-md5-modp1536"
ikelifetime="7800"
keyexchange="ike"
keylife="3600"
left="10.170.2.100"
leftcert="/etc/ipsec.d/certs/REF_EhOPWqyoef.pem"
leftid="@astaro"
leftrsasigkey="%cert"
leftsourceip="10.170.2.100"
leftsubnet="10.170.2.100/32"
leftupdown="/usr/libexec/ipsec/updown strict"
pfs="no"
rekeymargin="540"
right="10.170.2.150"
rightid="CN=Centos"
rightrsasigkey="%cert"
rightsubnet="10.170.2.0/24"
type="tunnel"

conn X_REF_eSpQByGRud_0
authby="never"
auto="route"
left="10.170.2.100"
leftsubnet="10.170.2.100/32"
leftupdown="/bin/sh -c true"
right="255.255.255.255"
rightsubnet="10.170.2.100/32"
type="passthrough"
---------------------------------------------------------------------------------------------------

Log on the left side
---------------------------------------------------------------------------------------------------
Feb 2 02:32:53 SERVER-ONE ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Feb 2 02:32:53 SERVER-ONE ipsec__plutorun: 002 loading certificate from
Centos
Feb 2 02:32:53 SERVER-ONE ipsec__plutorun: 002 loading certificate from
Local X509 Cert (regenerated)
Feb 2 02:32:53 SERVER-ONE ipsec__plutorun: 002 added connection description
"linux-to-linux"
Feb 2 02:32:53 SERVER-ONE ipsec__plutorun: 104 "linux-to-linux" #1:
STATE_MAIN_I1: initiate
---------------------------------------------------------------------------------------------------

Log on the right side
---------------------------------------------------------------------------------------------------
2011:02:01-20:30:40 astaro pluto[5024]: "S_Centos-VPN" #1: initiating Main
Mode
2011:02:01-20:30:40 astaro pluto[5024]: added connection description
"X_Centos-VPN"
2011:02:01-20:30:40 astaro pluto[5024]: "S_Centos-VPN" #1: ignoring Vendor
ID payload [4f457e717f6b5a4e727d576b]
2011:02:01-20:30:40 astaro pluto[5024]: "S_Centos-VPN" #1: received Vendor
ID payload [Dead Peer Detection]
2011:02:01-20:30:40 astaro pluto[5024]: "S_Centos-VPN" #1: received Vendor
ID payload [RFC 3947]
2011:02:01-20:30:40 astaro pluto[5024]: "S_Centos-VPN" #1: enabling possible
NAT-traversal with method 3
2011:02:01-20:30:40 astaro pluto[5024]: "S_Centos-VPN" #1: NAT-Traversal:
Result using RFC 3947: no NAT detected
2011:02:01-20:30:40 astaro pluto[5024]: "S_Centos-VPN" #1: we have a cert
and are sending it
2011:02:01-20:30:40 astaro pluto[5024]: "S_Centos-VPN" #1: next payload type
of ISAKMP Hash Payload has an unknown value: 234
2011:02:01-20:30:40 astaro pluto[5024]: "S_Centos-VPN" #1: malformed payload
in packet
2011:02:01-20:30:50 astaro pluto[5024]: "S_Centos-VPN" #1: discarding
duplicate packet; already STATE_MAIN_I3
2011:02:01-20:30:50 astaro pluto[5024]: "S_Centos-VPN" #1: next payload type
of ISAKMP Hash Payload has an unknown value: 252
2011:02:01-20:30:50 astaro pluto[5024]: "S_Centos-VPN" #1: malformed payload
in packet
2011:02:01-20:30:55 astaro pluto[5024]: packet from 10.170.2.150:500:
ignoring Vendor ID payload [4f457e717f6b5a4e727d576b]
2011:02:01-20:30:55 astaro pluto[5024]: packet from 10.170.2.150:500:
received Vendor ID payload [Dead Peer Detection]
2011:02:01-20:30:55 astaro pluto[5024]: packet from 10.170.2.150:500:
received Vendor ID payload [RFC 3947]
2011:02:01-20:30:55 astaro pluto[5024]: packet from 10.170.2.150:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2011:02:01-20:30:55 astaro pluto[5024]: packet from 10.170.2.150:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2011:02:01-20:30:55 astaro pluto[5024]: packet from 10.170.2.150:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2011:02:01-20:30:55 astaro pluto[5024]: packet from 10.170.2.150:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2011:02:01-20:30:55 astaro pluto[5024]: "S_Centos-VPN" #2: responding to
Main Mode
2011:02:01-20:30:55 astaro pluto[5024]: "S_Centos-VPN" #2: NAT-Traversal:
Result using RFC 3947: no NAT detected
2011:02:01-20:30:55 astaro pluto[5024]: "S_Centos-VPN" #2: Informational
Exchange message must be encrypted
2011:02:01-20:31:05 astaro pluto[5024]: "S_Centos-VPN" #2: Informational
Exchange message must be encrypted
2011:02:01-20:31:10 astaro pluto[5024]: "S_Centos-VPN" #1: discarding
duplicate packet; already STATE_MAIN_I3
2011:02:01-20:31:10 astaro pluto[5024]: "S_Centos-VPN" #1: next payload type
of ISAKMP Hash Payload has an unknown value: 183
2011:02:01-20:31:10 astaro pluto[5024]: "S_Centos-VPN" #1: malformed payload
in packet
2011:02:01-20:31:25 astaro pluto[5024]: "S_Centos-VPN" #2: Informational
Exchange message must be encrypted
2011:02:01-20:31:50 astaro pluto[5024]: "S_Centos-VPN" #1: max number of
retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure:
no acceptable response to our first encrypted message
2011:02:01-20:31:50 astaro pluto[5024]: "S_Centos-VPN" #1: starting keying
attempt 2 of an unlimited number
2011:02:01-20:31:50 astaro pluto[5024]: "S_Centos-VPN" #3: initiating Main
Mode to replace #1
2011:02:01-20:31:50 astaro pluto[5024]: "S_Centos-VPN" #3: ignoring Vendor
ID payload [4f457e717f6b5a4e727d576b]
2011:02:01-20:31:50 astaro pluto[5024]: "S_Centos-VPN" #3: received Vendor
ID payload [Dead Peer Detection]
2011:02:01-20:31:50 astaro pluto[5024]: "S_Centos-VPN" #3: received Vendor
ID payload [RFC 3947]
2011:02:01-20:31:50 astaro pluto[5024]: "S_Centos-VPN" #3: enabling possible
NAT-traversal with method 3
2011:02:01-20:31:50 astaro pluto[5024]: "S_Centos-VPN" #3: NAT-Traversal:
Result using RFC 3947: no NAT detected
2011:02:01-20:31:50 astaro pluto[5024]: "S_Centos-VPN" #3: we have a cert
and are sending it
2011:02:01-20:31:50 astaro pluto[5024]: "S_Centos-VPN" #3: next payload type
of ISAKMP Hash Payload has an unknown value: 43
2011:02:01-20:31:50 astaro pluto[5024]: "S_Centos-VPN" #3: malformed payload
in packet
2011:02:01-20:32:00 astaro pluto[5024]: "S_Centos-VPN" #3: discarding
duplicate packet; already STATE_MAIN_I3
2011:02:01-20:32:00 astaro pluto[5024]: "S_Centos-VPN" #3: next payload type
of ISAKMP Hash Payload has an unknown value: 249
2011:02:01-20:32:00 astaro pluto[5024]: "S_Centos-VPN" #3: malformed payload
in packet
2011:02:01-20:32:05 astaro pluto[5024]: "S_Centos-VPN" #2: max number of
retransmissions (2) reached STATE_MAIN_R2
2011:02:01-20:32:20 astaro pluto[5024]: "S_Centos-VPN" #3: discarding
duplicate packet; already STATE_MAIN_I3
2011:02:01-20:32:20 astaro pluto[5024]: "S_Centos-VPN" #3: next payload type
of ISAKMP Hash Payload has an unknown value: 38
2011:02:01-20:32:20 astaro pluto[5024]: "S_Centos-VPN" #3: malformed payload
in packet
---------------------------------------------------------------------------------------------------
*
*
*What Do I Need:
*
Please guide me (at least in theory) how to setup RSA certificates in my
case.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20110201/5a1d965a/attachment-0001.html 


More information about the Users mailing list