[Openswan Users] The example on README.nss does not work.
Booja Seong
bjseong at yahoo.com
Wed Apr 11 19:14:11 EDT 2012
Hello,
I followed the example described in README.nss to setup ipsec with certs in tunnel mode using NSS.
However, I got the following error messages, captured at machine 1. It looks like validating the peer's (i.e., machine 2's) certificate at machine 1 failed.
----------------------------------------------------------------------------------------------------------------
Apr 11 16:17:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: NSS: failure in verifying signature
Apr 11 16:17:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: invalid certificate signature from "CN=cacert1" on "CN=usercert2"
Apr 11 16:17:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: X.509 certificate rejected
Apr 11 16:17:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: no suitable connection for peer 'CN=usercert2'
----------------------------------------------------------------------------------------------------------------
I took the exact same steps shown in README.nss, which is also attached below. What is missing here in README.nss?
Can you please shed some light on how to make it work? More error messages captured at machine 1 are attached below.
Thank you in advance.
BJ
P.S. I checked the validation of certificates at machines 1 and 2. All of them are valid, as shown below:
-------------
machine1
-------------
[root at rhel-5-1-32-server-ws55 ~]# certutil -L -d /etc/ipsec.d
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
cacert1 Cu,Cu,Cu
usercert1 u,u,u
[root at rhel-5-1-32-server-ws55 ~]#
[root at rhel-5-1-32-server-ws55 ~]# certutil -K -d /etc/ipsec.d
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services "
< 0> rsa 1029af12cdb13ef4f1aebd21ee796b6c0ad4c30a NSS Certificate DB:cacert1
< 1> rsa 677dbe4d5465b7abf4b73252678916f96bf810ae NSS Certificate DB:usercert1
[root at rhel-5-1-32-server-ws55 ~]#
[root at rhel-5-1-32-server-ws55 ~]# certutil -V -n cacert1 -u CVS -e -l -d /etc/ipsec.d
certutil: certificate is valid
[root at rhel-5-1-32-server-ws55 ~]# certutil -V -n usercert1 -u CVS -e -l -d /etc/ipsec.d
certutil: certificate is valid
[root at rhel-5-1-32-server-ws55 ~]#
-------------
machine2
-------------
[root at rhel-5-1-32-server-ws55 ~]# certutil -L -d /etc/ipsec.d
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
cacert1 Cu,Cu,Cu
usercert2 u,u,u
[root at rhel-5-1-32-server-ws55 ~]# certutil -K -d /etc/ipsec.d
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services "
< 0> rsa 1029af12cdb13ef4f1aebd21ee796b6c0ad4c30a cacert1
< 1> rsa 3f9e69e1601d90db6d86d474bbba62361ccc12ee NSS Certificate DB:usercert2
[root at rhel-5-1-32-server-ws55 ~]# certutil -V -n cacert1 -u CVS -e -l -d /etc/ipsec.d
certutil: certificate is valid
[root at rhel-5-1-32-server-ws55 ~]# certutil -V -n usercert2 -u CVS -e -l -d /etc/ipsec.d
certutil: certificate is valid
[root at rhel-5-1-32-server-ws55 ~]#
==========
README.nss
==========
An example Scenario: To setup ipsec with certs in tunnel mode using NSS
------------------------------------------------------------
GW Machine 1: w1.x1.y1.z1
GW Machine 2: w2.x2.y2.z2
w1.x1.y1.z1 <---> w2.x2.y2.z2
Note: In this example setup, both machines are using NSS. If you want to use
NSS only at one machine, say machine 1, you can use the following procedure
only at machine 1, and you can use traditional ipsec setup at machine 2.
1. Create a new (if not already) nss db on both machines as follows:
certutil -N -d <path-to-ipsec.d dir>/ipsec.d
2. Creating CA certs at both machines:
On machine 1:
certutil -S -k rsa -n cacert1 -s "CN=cacert1" -v 12 -d . -t "C,C,C" -x -d \
<path-to-ipsec.d dir>/ipsec.d
As we want to use the same certificate "cacert1" at machine 2, it needs to be
exported first. To export the cacert1, do the following at machine 1:
pk12util -o cacert1.p12 -n cacert1 -d /etc/ipsec.d
Copy the file "cacert1.p12" to the machine2 in "/etc/ipsec.d" directory.
On machine 2:
Import the "cacert1" as follows:
cd /etc/ipsec.d
pk12util -i cacert1.p12 -d /etc/ipsec.d
certutil -M -n cacert1 -t "C,C,C" -d /etc/ipsec.d
Now machine 2 also has the CA certificates "cacert1" in its NSS database.
3. Creating user certs at both machines:
On machine 1:
certutil -S -k rsa -c cacert1 -n usercert1 -s "CN=usercert1" -v 12 -t "u,u,u" \
-d /etc/ipsec.d
(Note this cert is signed by "cacert1")
On machine 2:
certutil -S -k rsa -c cacert1 -n usercert2 -s "CN=usercert2" -v 12 -t "u,u,u" \
-d /etc/ipsec.d
(Note this cert is signed by "cacert1" too)
4. Preparing ipsec.conf at both machines
ipsec.conf at machine 1:
conn pluto-1-2
left=w1.x1.y1.z1
leftid="CN=usercert1"
leftsourceip=w1.x1.y1.z1
leftrsasigkey=%cert
leftcert=usercert1
leftnexthop=w2.x2.y2.z2
right=w2.x2.y2.z2
rightid="CN=usercert2"
rightsourceip=w2.x2.y2.z2
rightrsasigkey=%cert
rightnexthop=w1.x1.y1.z1
rekey=no
esp="aes-sha1"
ike="aes-sha1"
auto=add
ipsec.conf at machine 2:
conn pluto-1-2
left=w2.x2.y2.z2
leftid="CN=usercert2"
leftsourceip=w2.x2.y2.z2
leftrsasigkey=%cert
leftcert=usercert2
leftnexthop=w1.x1.y1.z1
right=w1.x1.y1.z1
rightid="CN=usercert1"
rightsourceip=w1.x1.y1.z1
rightrsasigkey=%cert
rightnexthop=w2.x2.y2.z2
rekey=no
esp="aes-sha1"
ike="aes-sha1"
auto=add
5. Preparing ipsec.secrets at both machines
ipsec.secrets at machine 1:
: RSA usercert1
ipsec.secrets at machine 2:
: RSA usercert2
=============================
Error messages captured at machine 1
=============================
Apr 11 16:17:44 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: Main mode peer ID is ID_DER_ASN1_DN: 'CN=usercert2'
Apr 11 16:17:44 rhel-5-1-32-server-ws55 pluto[28113]: | NSS : RSA Signature NOT verified
Apr 11 16:17:44 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: NSS: failure in verifying signature
Apr 11 16:17:44 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: invalid certificate signature from "CN=cacert1" on "CN=usercert2"
Apr 11 16:17:44 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: X.509 certificate rejected
Apr 11 16:17:44 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: no suitable connection for peer 'CN=usercert2'
Apr 11 16:17:44 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: sending encrypted notification INVALID_ID_INFORMATION to 10.20.114.238:500
Apr 11 16:17:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: Main mode peer ID is ID_DER_ASN1_DN: 'CN=usercert2'
Apr 11 16:17:54 rhel-5-1-32-server-ws55 pluto[28113]: | NSS : RSA Signature NOT verified
Apr 11 16:17:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: NSS: failure in verifying signature
Apr 11 16:17:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: invalid certificate signature from "CN=cacert1" on "CN=usercert2"
Apr 11 16:17:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: X.509 certificate rejected
Apr 11 16:17:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: no suitable connection for peer 'CN=usercert2'
Apr 11 16:17:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: sending encrypted notification INVALID_ID_INFORMATION to 10.20.114.238:500
Apr 11 16:18:14 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: Main mode peer ID is ID_DER_ASN1_DN: 'CN=usercert2'
Apr 11 16:18:14 rhel-5-1-32-server-ws55 pluto[28113]: | NSS : RSA Signature NOT verified
Apr 11 16:18:14 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: NSS: failure in verifying signature
Apr 11 16:18:14 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: invalid certificate signature from "CN=cacert1" on "CN=usercert2"
Apr 11 16:18:14 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: X.509 certificate rejected
Apr 11 16:18:14 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: no suitable connection for peer 'CN=usercert2'
Apr 11 16:18:14 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: sending encrypted notification INVALID_ID_INFORMATION to 10.20.114.238:500
Apr 11 16:18:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: max number of retransmissions (2) reached STATE_MAIN_R2
Apr 11 16:18:54 rhel-5-1-32-server-ws55 pluto[28113]: packet from 10.20.114.238:500: received Vendor ID payload [Openswan (this version) 2.6.21 ]
Apr 11 16:18:54 rhel-5-1-32-server-ws55 pluto[28113]: packet from 10.20.114.238:500: received Vendor ID payload [Dead Peer Detection]
Apr 11 16:18:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: responding to Main Mode
Apr 11 16:18:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 11 16:18:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 11 16:18:54 rhel-5-1-32-server-ws55 pluto[28113]: pluto_do_crypto: helper (0) is exiting
Apr 11 16:18:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 11 16:18:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 11 16:18:54 rhel-5-1-32-server-ws55 pluto[28113]: pluto_do_crypto: helper (0) is exiting
Apr 11 16:18:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: Main mode peer ID is ID_DER_ASN1_DN: 'CN=usercert2'
Apr 11 16:18:54 rhel-5-1-32-server-ws55 pluto[28113]: | NSS : RSA Signature NOT verified
Apr 11 16:18:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: NSS: failure in verifying signature
Apr 11 16:18:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: invalid certificate signature from "CN=cacert1" on "CN=usercert2"
Apr 11 16:18:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: X.509 certificate rejected
Apr 11 16:18:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: no suitable connection for peer 'CN=usercert2'
Apr 11 16:18:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: sending encrypted notification INVALID_ID_INFORMATION to 10.20.114.238:500
Apr 11 16:19:04 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: Main mode peer ID is ID_DER_ASN1_DN: 'CN=usercert2'
Apr 11 16:19:04 rhel-5-1-32-server-ws55 pluto[28113]: | NSS : RSA Signature NOT verified
Apr 11 16:19:04 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: NSS: failure in verifying signature
Apr 11 16:19:04 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: invalid certificate signature from "CN=cacert1" on "CN=usercert2"
Apr 11 16:19:04 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: X.509 certificate rejected
Apr 11 16:19:04 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: no suitable connection for peer 'CN=usercert2'
Apr 11 16:19:04 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: sending encrypted notification INVALID_ID_INFORMATION to 10.20.114.238:500
Apr 11 16:19:24 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: Main mode peer ID is ID_DER_ASN1_DN: 'CN=usercert2'
Apr 11 16:19:24 rhel-5-1-32-server-ws55 pluto[28113]: | NSS : RSA Signature NOT verified
Apr 11 16:19:24 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: NSS: failure in verifying signature
Apr 11 16:19:24 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: invalid certificate signature from "CN=cacert1" on "CN=usercert2"
Apr 11 16:19:24 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: X.509 certificate rejected
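The log above repeats the same failure chain once per Main Mode attempt, which makes it easy to misread how many distinct rejections there are and which certificate is being rejected. The following is an added example, not part of the post and not Openswan code: a small stdlib-only Python parser for pluto syslog lines that groups the X.509 rejections per connection and state number and pulls out the peer ID, the issuer/subject pair from the "invalid certificate signature" line, and the notification sent back. The sample lines are copied from the machine 1 log quoted above (trimmed to a few attempts); the field names and regexes are my own assumptions about the line layout shown on this page, not a documented pluto format. Note that the summary concerns the peer's certificate (CN=usercert2) as verified by machine 1, which is a different check from the `certutil -V` runs in the post, which only validate each machine's own certificates.

```python
import re

# Constructed sample: lines copied from the pluto log quoted in the post (machine 1),
# trimmed to two attempts in state #134 and one in state #135, plus a line without
# a connection/state prefix to show it is skipped.
SAMPLE_LOG = """\
Apr 11 16:17:44 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: Main mode peer ID is ID_DER_ASN1_DN: 'CN=usercert2'
Apr 11 16:17:44 rhel-5-1-32-server-ws55 pluto[28113]: | NSS : RSA Signature NOT verified
Apr 11 16:17:44 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: NSS: failure in verifying signature
Apr 11 16:17:44 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: invalid certificate signature from "CN=cacert1" on "CN=usercert2"
Apr 11 16:17:44 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: X.509 certificate rejected
Apr 11 16:17:44 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: no suitable connection for peer 'CN=usercert2'
Apr 11 16:17:44 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: sending encrypted notification INVALID_ID_INFORMATION to 10.20.114.238:500
Apr 11 16:17:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: Main mode peer ID is ID_DER_ASN1_DN: 'CN=usercert2'
Apr 11 16:17:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: invalid certificate signature from "CN=cacert1" on "CN=usercert2"
Apr 11 16:17:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: X.509 certificate rejected
Apr 11 16:17:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: sending encrypted notification INVALID_ID_INFORMATION to 10.20.114.238:500
Apr 11 16:18:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #134: max number of retransmissions (2) reached STATE_MAIN_R2
Apr 11 16:18:54 rhel-5-1-32-server-ws55 pluto[28113]: packet from 10.20.114.238:500: received Vendor ID payload [Dead Peer Detection]
Apr 11 16:18:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: responding to Main Mode
Apr 11 16:18:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: Main mode peer ID is ID_DER_ASN1_DN: 'CN=usercert2'
Apr 11 16:18:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: invalid certificate signature from "CN=cacert1" on "CN=usercert2"
Apr 11 16:18:54 rhel-5-1-32-server-ws55 pluto[28113]: "pluto-1-2" #135: X.509 certificate rejected
"""

# Assumed layout of a syslog line from pluto: "<timestamp> <host> pluto[<pid>]: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Messages tied to a connection and ISAKMP state: '"<conn>" #<n>: <text>'
STATE_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<text>.*)$')
PEER_RE = re.compile(r"^Main mode peer ID is (?P<idtype>\S+): '(?P<peer>[^']+)'$")
BADSIG_RE = re.compile(r'^invalid certificate signature from "(?P<issuer>[^"]+)" on "(?P<subject>[^"]+)"$')
NOTIFY_RE = re.compile(r"^sending encrypted notification (?P<notify>\S+) to (?P<addr>\S+)$")


def parse_pluto_line(line):
    """Split one pluto syslog line into fields; returns None for lines that are not pluto's.

    'conn' and 'state' are None for messages without a '"conn" #n:' prefix
    (debug lines starting with '|', 'packet from ...' lines, helper messages)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["conn"], rec["state"] = None, None
    s = STATE_RE.match(rec["msg"])
    if s:
        rec["conn"], rec["state"], rec["msg"] = s.group("conn"), int(s.group("state")), s.group("text")
    return rec


def summarize_cert_rejections(log_text):
    """Group X.509 rejections per (connection, state) and keep only states that had one.

    Each entry records the peer ID pluto printed, the issuer/subject pair whose
    signature failed to verify, how many times the certificate was rejected, and
    every notification sent to the peer while in that state."""
    states = {}
    for line in log_text.splitlines():
        rec = parse_pluto_line(line)
        if rec is None or rec["state"] is None:
            continue  # not a pluto line, or not attributable to a state
        entry = states.setdefault((rec["conn"], rec["state"]), {
            "peer": None, "issuer": None, "subject": None, "rejections": 0, "notifications": []})
        msg = rec["msg"]
        m = PEER_RE.match(msg)
        if m:
            entry["peer"] = m.group("peer")
            continue
        m = BADSIG_RE.match(msg)
        if m:
            entry["issuer"], entry["subject"] = m.group("issuer"), m.group("subject")
            continue
        if msg == "X.509 certificate rejected":
            entry["rejections"] += 1
            continue
        m = NOTIFY_RE.match(msg)
        if m:
            entry["notifications"].append(m.group("notify"))
    return {key: entry for key, entry in states.items() if entry["rejections"]}


def describe(summary):
    """One human-readable line per rejected state, e.g. for an incident note."""
    lines = []
    for (conn, state), e in sorted(summary.items()):
        lines.append('%s #%d: peer %s rejected %d time(s); signature by "%s" on "%s" did not verify; sent %s'
                     % (conn, state, e["peer"], e["rejections"], e["issuer"], e["subject"],
                        ", ".join(e["notifications"]) or "nothing"))
    return lines


if __name__ == "__main__":
    for text in describe(summarize_cert_rejections(SAMPLE_LOG)):
        print(text)
```

Run on the full log from the post, the summary shows two states (#134 and #135) with three rejections each, all with the same issuer/subject pair, so the problem is deterministic rather than intermittent: every time machine 1 sees usercert2 it fails to verify cacert1's signature on it. That narrows the check worth doing to comparing the CA certificate machine 1 holds under the nickname cacert1 with the issuer that actually signed usercert2 on machine 2.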