[Openswan Users] Fwd: IPsec configuration

Ana kentdavies at gmail.com
Mon Nov 18 12:28:46 UTC 2013


Hello and once again, thanks for your reply.


I've then exported the certificates to the pkcs#12 format and imported them
into my nss database. I've done that on both machines.


I've edited both my secrets and conf files to reflect the nickname that the
nss database shows, but I'm still getting problems.

Using the log I've managed to solve some problems but now I'm stuck.


Here is my /var/log/secure on machine A after service ipsec start:

Nov 18 12:15:48 mainmachine ipsec__plutorun: Starting Pluto subsystem...
Nov 18 12:15:48 mainmachine pluto[10894]: nss directory plutomain:
/etc/ipsec.d
Nov 18 12:15:48 mainmachine pluto[10894]: NSS Initialized
Nov 18 12:15:48 mainmachine pluto[10894]: Non-fips mode set in
/proc/sys/crypto/fips_enabled
Nov 18 12:15:48 mainmachine pluto[10894]: Starting Pluto (Openswan Version
2.6.32; Vendor ID OEhyLdACecfa) pid:10894
Nov 18 12:15:48 mainmachine pluto[10894]: Non-fips mode set in
/proc/sys/crypto/fips_enabled
Nov 18 12:15:48 mainmachine pluto[10894]: LEAK_DETECTIVE support [disabled]
Nov 18 12:15:48 mainmachine pluto[10894]: OCF support for IKE [disabled]
Nov 18 12:15:48 mainmachine pluto[10894]: SAref support [disabled]:
Protocol not available
Nov 18 12:15:48 mainmachine pluto[10894]: SAbind support [disabled]:
Protocol not available
Nov 18 12:15:48 mainmachine pluto[10894]: NSS support [enabled]
Nov 18 12:15:48 mainmachine pluto[10894]: HAVE_STATSD notification support
not compiled in
Nov 18 12:15:48 mainmachine pluto[10894]: Setting NAT-Traversal port-4500
floating to on
Nov 18 12:15:48 mainmachine pluto[10894]:    port floating activation
criteria nat_t=1/port_float=1
Nov 18 12:15:48 mainmachine pluto[10894]:    NAT-Traversal support
 [enabled]
Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc():
Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc():
Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_hash():
Activating OAKLEY_SHA2_512: Ok (ret=0)
Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_hash():
Activating OAKLEY_SHA2_256: Ok (ret=0)
Nov 18 12:15:48 mainmachine pluto[10894]: starting up 1 cryptographic
helpers
Nov 18 12:15:48 mainmachine pluto[10894]: started helper (thread)
pid=-1217217680 (fd:10)
Nov 18 12:15:48 mainmachine pluto[10894]: Using Linux 2.6 IPsec interface
code on 2.6.32-358.23.2.el6.i686 (experimental code)
Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc():
Activating aes_ccm_8: Ok (ret=0)
Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc():
Activating aes_ccm_12: FAILED (ret=-17)
Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc():
Activating aes_ccm_16: FAILED (ret=-17)
Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc():
Activating aes_gcm_8: FAILED (ret=-17)
Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc():
Activating aes_gcm_12: FAILED (ret=-17)
Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc():
Activating aes_gcm_16: FAILED (ret=-17)
Nov 18 12:15:48 mainmachine pluto[10894]: Changed path to directory
'/etc/ipsec.d/cacerts'
Nov 18 12:15:48 mainmachine pluto[10894]:   loaded CA cert file
'cacert.crt' (843 bytes)
Nov 18 12:15:48 mainmachine pluto[10894]: Could not change to directory
'/etc/ipsec.d/aacerts': /var/run/pluto
Nov 18 12:15:48 mainmachine pluto[10894]: Could not change to directory
'/etc/ipsec.d/ocspcerts': /var/run/pluto
Nov 18 12:15:48 mainmachine pluto[10894]: Changing to directory
'/etc/ipsec.d/crls'
Nov 18 12:15:48 mainmachine pluto[10894]:   loaded crl file 'crl.pem' (516
bytes)
Nov 18 12:15:48 mainmachine pluto[10894]: | selinux support is enabled.
Nov 18 12:15:48 mainmachine pluto[10894]: loading certificate from
www.gwone.pt - ONE
Nov 18 12:15:48 mainmachine pluto[10894]: added connection description
"cert"
Nov 18 12:15:48 mainmachine pluto[10894]: listening for IKE messages
Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth3/eth3
172.16.1.1:500
Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth3/eth3
172.16.1.1:4500
Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth2/eth2
192.168.1.1:500
Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth2/eth2
192.168.1.1:4500
Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth1/eth1
10.1.1.254:500
Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth1/eth1
10.1.1.254:4500
Nov 18 12:15:48 mainmachine pluto[10894]: adding interface lo/lo
127.0.0.1:500
Nov 18 12:15:48 mainmachine pluto[10894]: adding interface lo/lo
127.0.0.1:4500
Nov 18 12:15:48 mainmachine pluto[10894]: adding interface lo/lo ::1:500
Nov 18 12:15:48 mainmachine pluto[10894]: loading secrets from
"/etc/ipsec.secrets"
Nov 18 12:15:48 mainmachine pluto[10894]: loaded private key for keyid:
PPK_RSA:AwEAAd7/L
Nov 18 12:15:48 mainmachine pluto[10894]: "cert" #1: initiating Main Mode
Nov 18 12:15:48 mainmachine pluto[10894]: ERROR: asynchronous network error
report on eth2 (sport=500) for message to 192.168.1.2 port 500, complainant
192.168.1.2: Connection refused [errno 111, origin ICMP type 3 code 3 (not
authenticated)]
Nov 18 12:15:52 mainmachine pluto[10894]: packet from 192.168.1.2:500:
received Vendor ID payload [Openswan (this version) 2.6.32 ]
Nov 18 12:15:52 mainmachine pluto[10894]: packet from 192.168.1.2:500:
received Vendor ID payload [Dead Peer Detection]
Nov 18 12:15:52 mainmachine pluto[10894]: packet from 192.168.1.2:500:
received Vendor ID payload [RFC 3947] method set to=109
Nov 18 12:15:52 mainmachine pluto[10894]: packet from 192.168.1.2:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
already using method 109
Nov 18 12:15:52 mainmachine pluto[10894]: packet from 192.168.1.2:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
already using method 109
Nov 18 12:15:52 mainmachine pluto[10894]: packet from 192.168.1.2:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
already using method 109
Nov 18 12:15:52 mainmachine pluto[10894]: packet from 192.168.1.2:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: responding to Main Mode
Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: STATE_MAIN_R1: sent
MR1, expecting MI2
Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal): no NAT detected
Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: STATE_MAIN_R2: sent
MR2, expecting MI3
Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is
ID_IPV4_ADDR: '192.168.1.2'
Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is
ID_IPV4_ADDR: '192.168.1.2'
Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: no RSA public key
known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS
for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)
Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: sending encrypted
notification INVALID_KEY_INFORMATION to 192.168.1.2:500


And after ipsec auto --up cert

Nov 18 12:15:58 mainmachine pluto[10894]: "cert" #1: received Vendor ID
payload [Openswan (this version) 2.6.32 ]
Nov 18 12:15:58 mainmachine pluto[10894]: "cert" #1: received Vendor ID
payload [Dead Peer Detection]
Nov 18 12:15:58 mainmachine pluto[10894]: "cert" #1: received Vendor ID
payload [RFC 3947] method set to=109
Nov 18 12:15:58 mainmachine pluto[10894]: "cert" #1: enabling possible
NAT-traversal with method 4
Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: STATE_MAIN_I2: sent
MI2, expecting MR2
Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal): no NAT detected
Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: I am sending my cert
Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: I am sending a
certificate request
Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: STATE_MAIN_I3: sent
MI3, expecting MR3
Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: received Vendor ID
payload [CAN-IKEv2]
Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: Main mode peer ID is
ID_IPV4_ADDR: '192.168.1.2'
Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: Main mode peer ID is
ID_IPV4_ADDR: '192.168.1.2'
Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: no RSA public key
known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS
for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)
Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: sending encrypted
notification INVALID_KEY_INFORMATION to 192.168.1.2:500
Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: received 1 malformed
payload notifies
Nov 18 12:16:03 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is
ID_IPV4_ADDR: '192.168.1.2'
Nov 18 12:16:03 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is
ID_IPV4_ADDR: '192.168.1.2'
Nov 18 12:16:03 mainmachine pluto[10894]: "cert" #2: no RSA public key
known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS
for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)
Nov 18 12:16:03 mainmachine pluto[10894]: "cert" #2: sending encrypted
notification INVALID_KEY_INFORMATION to 192.168.1.2:500
Nov 18 12:16:24 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is
ID_IPV4_ADDR: '192.168.1.2'
Nov 18 12:16:24 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is
ID_IPV4_ADDR: '192.168.1.2'
Nov 18 12:16:24 mainmachine pluto[10894]: "cert" #2: no RSA public key
known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS
for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)
Nov 18 12:16:24 mainmachine pluto[10894]: "cert" #2: sending encrypted
notification INVALID_KEY_INFORMATION to 192.168.1.2:500
Nov 18 12:17:07 mainmachine pluto[10894]: packet from 192.168.1.2:500:
received Vendor ID payload [Openswan (this version) 2.6.32 ]
Nov 18 12:17:07 mainmachine pluto[10894]: packet from 192.168.1.2:500:
received Vendor ID payload [Dead Peer Detection]
Nov 18 12:17:07 mainmachine pluto[10894]: packet from 192.168.1.2:500:
received Vendor ID payload [RFC 3947] method set to=109
Nov 18 12:17:07 mainmachine pluto[10894]: packet from 192.168.1.2:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
already using method 109
Nov 18 12:17:07 mainmachine pluto[10894]: packet from 192.168.1.2:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
already using method 109
Nov 18 12:17:07 mainmachine pluto[10894]: packet from 192.168.1.2:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
already using method 109
Nov 18 12:17:07 mainmachine pluto[10894]: packet from 192.168.1.2:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: responding to Main Mode
Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: STATE_MAIN_R1: sent
MR1, expecting MI2
Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal): no NAT detected
Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: STATE_MAIN_R2: sent
MR2, expecting MI3
Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is
ID_IPV4_ADDR: '192.168.1.2'
Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is
ID_IPV4_ADDR: '192.168.1.2'
Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: no RSA public key
known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS
for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)
Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: sending encrypted
notification INVALID_KEY_INFORMATION to 192.168.1.2:500
Nov 18 12:17:18 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is
ID_IPV4_ADDR: '192.168.1.2'
Nov 18 12:17:18 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is
ID_IPV4_ADDR: '192.168.1.2'
Nov 18 12:17:18 mainmachine pluto[10894]: "cert" #3: no RSA public key
known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS
for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)
Nov 18 12:17:18 mainmachine pluto[10894]: "cert" #3: sending encrypted
notification INVALID_KEY_INFORMATION to 192.168.1.2:500
Nov 18 12:17:39 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is
ID_IPV4_ADDR: '192.168.1.2'
Nov 18 12:17:39 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is
ID_IPV4_ADDR: '192.168.1.2'
Nov 18 12:17:39 mainmachine pluto[10894]: "cert" #3: no RSA public key
known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS
for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)
Nov 18 12:17:39 mainmachine pluto[10894]: "cert" #3: sending encrypted
notification INVALID_KEY_INFORMATION to 192.168.1.2:500



Likewise, on machine B I got this:

Nov 18 12:06:13 mainmachine ipsec__plutorun: Starting Pluto subsystem...
Nov 18 12:06:13 mainmachine pluto[4985]: nss directory plutomain:
/etc/ipsec.d
Nov 18 12:06:13 mainmachine pluto[4985]: NSS Initialized
Nov 18 12:06:13 mainmachine pluto[4985]: Non-fips mode set in
/proc/sys/crypto/fips_enabled
Nov 18 12:06:13 mainmachine pluto[4985]: Starting Pluto (Openswan Version
2.6.32; Vendor ID OEhyLdACecfa) pid:4985
Nov 18 12:06:13 mainmachine pluto[4985]: Non-fips mode set in
/proc/sys/crypto/fips_enabled
Nov 18 12:06:13 mainmachine pluto[4985]: LEAK_DETECTIVE support [disabled]
Nov 18 12:06:13 mainmachine pluto[4985]: OCF support for IKE [disabled]
Nov 18 12:06:13 mainmachine pluto[4985]: SAref support [disabled]: Protocol
not available
Nov 18 12:06:13 mainmachine pluto[4985]: SAbind support [disabled]:
Protocol not available
Nov 18 12:06:13 mainmachine pluto[4985]: NSS support [enabled]
Nov 18 12:06:13 mainmachine pluto[4985]: HAVE_STATSD notification support
not compiled in
Nov 18 12:06:13 mainmachine pluto[4985]: Setting NAT-Traversal port-4500
floating to on
Nov 18 12:06:13 mainmachine pluto[4985]:    port floating activation
criteria nat_t=1/port_float=1
Nov 18 12:06:13 mainmachine pluto[4985]:    NAT-Traversal support  [enabled]
Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC: Ok (ret=0)
Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating
OAKLEY_SERPENT_CBC: Ok (ret=0)
Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating
OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_hash():
Activating OAKLEY_SHA2_512: Ok (ret=0)
Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_hash():
Activating OAKLEY_SHA2_256: Ok (ret=0)
Nov 18 12:06:13 mainmachine pluto[4985]: starting up 1 cryptographic helpers
Nov 18 12:06:13 mainmachine pluto[4985]: started helper (thread)
pid=-1220584592 (fd:10)
Nov 18 12:06:13 mainmachine pluto[4985]: Using Linux 2.6 IPsec interface
code on 2.6.32-358.23.2.el6.i686 (experimental code)
Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating
aes_ccm_8: Ok (ret=0)
Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating
aes_ccm_12: FAILED (ret=-17)
Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating
aes_ccm_16: FAILED (ret=-17)
Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating
aes_gcm_8: FAILED (ret=-17)
Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating
aes_gcm_12: FAILED (ret=-17)
Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating
aes_gcm_16: FAILED (ret=-17)
Nov 18 12:06:13 mainmachine pluto[4985]: Changed path to directory
'/etc/ipsec.d/cacerts'
Nov 18 12:06:13 mainmachine pluto[4985]:   loaded CA cert file 'cacert.crt'
(843 bytes)
Nov 18 12:06:13 mainmachine pluto[4985]: Could not change to directory
'/etc/ipsec.d/aacerts': /var/run/pluto
Nov 18 12:06:13 mainmachine pluto[4985]: Could not change to directory
'/etc/ipsec.d/ocspcerts': /var/run/pluto
Nov 18 12:06:13 mainmachine pluto[4985]: Changing to directory
'/etc/ipsec.d/crls'
Nov 18 12:06:13 mainmachine pluto[4985]:   loaded crl file 'crl.pem' (516
bytes)
Nov 18 12:06:13 mainmachine pluto[4985]: | selinux support is enabled.
Nov 18 12:06:13 mainmachine pluto[4985]: loading certificate from
www.gwtwo.pt - ONE
Nov 18 12:06:13 mainmachine pluto[4985]: loading certificate from
www.gwone.pt - ONE
Nov 18 12:06:13 mainmachine pluto[4985]: added connection description "cert"
Nov 18 12:06:13 mainmachine pluto[4985]: listening for IKE messages
Nov 18 12:06:13 mainmachine pluto[4985]: adding interface eth6/eth6
192.168.1.2:500
Nov 18 12:06:13 mainmachine pluto[4985]: adding interface eth6/eth6
192.168.1.2:4500
Nov 18 12:06:13 mainmachine pluto[4985]: adding interface eth5/eth5
10.1.2.254:500
Nov 18 12:06:13 mainmachine pluto[4985]: adding interface eth5/eth5
10.1.2.254:4500
Nov 18 12:06:13 mainmachine pluto[4985]: adding interface lo/lo
127.0.0.1:500
Nov 18 12:06:13 mainmachine pluto[4985]: adding interface lo/lo
127.0.0.1:4500
Nov 18 12:06:13 mainmachine pluto[4985]: adding interface lo/lo ::1:500
Nov 18 12:06:13 mainmachine pluto[4985]: loading secrets from
"/etc/ipsec.secrets"
Nov 18 12:06:13 mainmachine pluto[4985]: loaded private key for keyid:
PPK_RSA:AwEAAd7/L
Nov 18 12:06:13 mainmachine pluto[4985]: loaded private key for keyid:
PPK_RSA:AwEAAcFsb
Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: initiating Main Mode
Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: received Vendor ID
payload [Openswan (this version) 2.6.32 ]
Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: received Vendor ID
payload [Dead Peer Detection]
Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: received Vendor ID
payload [RFC 3947] method set to=109
Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: enabling possible
NAT-traversal with method 4
Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: STATE_MAIN_I2: sent
MI2, expecting MR2
Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal): no NAT detected
Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: I am sending my cert
Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: I am sending a
certificate request
Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: STATE_MAIN_I3: sent
MI3, expecting MR3
Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: ignoring informational
payload, type INVALID_KEY_INFORMATION msgid=00000000
Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: received and ignored
informational message
Nov 18 12:06:19 mainmachine pluto[4985]: packet from 192.168.1.1:500:
received Vendor ID payload [Openswan (this version) 2.6.32 ]
Nov 18 12:06:19 mainmachine pluto[4985]: packet from 192.168.1.1:500:
received Vendor ID payload [Dead Peer Detection]
Nov 18 12:06:19 mainmachine pluto[4985]: packet from 192.168.1.1:500:
received Vendor ID payload [RFC 3947] method set to=109
Nov 18 12:06:19 mainmachine pluto[4985]: packet from 192.168.1.1:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
already using method 109
Nov 18 12:06:19 mainmachine pluto[4985]: packet from 192.168.1.1:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
already using method 109
Nov 18 12:06:19 mainmachine pluto[4985]: packet from 192.168.1.1:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
already using method 109
Nov 18 12:06:19 mainmachine pluto[4985]: packet from 192.168.1.1:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: responding to Main Mode
Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: STATE_MAIN_R1: sent
MR1, expecting MI2
Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal): no NAT detected
Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: STATE_MAIN_R2: sent
MR2, expecting MI3
Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: Main mode peer ID is
ID_IPV4_ADDR: '192.168.1.1'
Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: I am sending my cert
Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: STATE_MAIN_R3: sent
MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128
prf=oakley_sha group=modp2048}
Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: next payload type of
ISAKMP Hash Payload has an unknown value: 251
Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: malformed payload in
packet
Nov 18 12:06:19 mainmachine pluto[4985]: | payload malformed after IV
Nov 18 12:06:19 mainmachine pluto[4985]: |   d3 87 42 1b  2b 62 84 1e  13
0b 12 57  2d b3 4a 6c
Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: sending notification
PAYLOAD_MALFORMED to 192.168.1.1:500
Nov 18 12:06:23 mainmachine pluto[4985]: "cert" #1: ignoring informational
payload, type INVALID_KEY_INFORMATION msgid=00000000
Nov 18 12:06:23 mainmachine pluto[4985]: "cert" #1: received and ignored
informational message
Nov 18 12:06:43 mainmachine pluto[4985]: "cert" #1: ignoring informational
payload, type INVALID_KEY_INFORMATION msgid=00000000
Nov 18 12:06:43 mainmachine pluto[4985]: "cert" #1: received and ignored
informational message


and after ipsec auto --up cert

Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #1: max number of
retransmissions (2) reached STATE_MAIN_I3.  Possible authentication
failure: no acceptable response to our first encrypted message
Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #1: starting keying attempt
2 of an unlimited number
Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: initiating Main Mode to
replace #1
Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: received Vendor ID
payload [Openswan (this version) 2.6.32 ]
Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: received Vendor ID
payload [Dead Peer Detection]
Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: received Vendor ID
payload [RFC 3947] method set to=109
Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: enabling possible
NAT-traversal with method 4
Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: STATE_MAIN_I2: sent
MI2, expecting MR2
Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal): no NAT detected
Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: I am sending my cert
Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: I am sending a
certificate request
Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: STATE_MAIN_I3: sent
MI3, expecting MR3
Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: ignoring informational
payload, type INVALID_KEY_INFORMATION msgid=00000000
Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: received and ignored
informational message
Nov 18 12:07:33 mainmachine pluto[4985]: "cert" #3: ignoring informational
payload, type INVALID_KEY_INFORMATION msgid=00000000
Nov 18 12:07:33 mainmachine pluto[4985]: "cert" #3: received and ignored
informational message
Nov 18 12:07:53 mainmachine pluto[4985]: "cert" #3: ignoring informational
payload, type INVALID_KEY_INFORMATION msgid=00000000
Nov 18 12:07:53 mainmachine pluto[4985]: "cert" #3: received and ignored
informational message
Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #3: max number of
retransmissions (2) reached STATE_MAIN_I3.  Possible authentication
failure: no acceptable response to our first encrypted message
Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #3: starting keying attempt
3 of an unlimited number
Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: initiating Main Mode to
replace #3
Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: received Vendor ID
payload [Openswan (this version) 2.6.32 ]
Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: received Vendor ID
payload [Dead Peer Detection]
Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: received Vendor ID
payload [RFC 3947] method set to=109
Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: enabling possible
NAT-traversal with method 4
Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: STATE_MAIN_I2: sent
MI2, expecting MR2
Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal): no NAT detected
Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: I am sending my cert
Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: I am sending a
certificate request
Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: STATE_MAIN_I3: sent
MI3, expecting MR3
Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: ignoring informational
payload, type INVALID_KEY_INFORMATION msgid=00000000
Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: received and ignored
informational message
Nov 18 12:08:43 mainmachine pluto[4985]: "cert" #4: ignoring informational
payload, type INVALID_KEY_INFORMATION msgid=00000000
Nov 18 12:08:43 mainmachine pluto[4985]: "cert" #4: received and ignored
informational message
Nov 18 12:09:03 mainmachine pluto[4985]: "cert" #4: ignoring informational
payload, type INVALID_KEY_INFORMATION msgid=00000000
Nov 18 12:09:03 mainmachine pluto[4985]: "cert" #4: received and ignored
informational message




On both machines, the only iptables rules that exist are these:

iptables -A INPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A INPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
iptables -A FORWARD -s 10.1.1.0/24 -d 10.1.2.0/24 -j ACCEPT
iptables -A FORWARD -s 10.1.2.0/24 -d 10.1.1.0/24 -j ACCEPT


Any idea of what I'm doing wrong?

Thanks,

Kent Davies
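Added example (not from this thread or the Openswan project): a small Python triage of Pluto syslog lines in the shape of those posted above. It splits each line into its syslog prefix, connection/SA tag and message, matches the failure messages seen here (IP-address peer ID, no RSA public key known, INVALID_KEY_INFORMATION, port-unreachable, malformed payload, retransmission limit) and extracts the ISAKMP SA parameters. The sample lines are constructed from the thread's wrapped log, and the hints attached to each finding are this example's own reading of the messages.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: Pluto syslog lines in the shape of those posted above,
# reassembled onto single lines (the thread's wrapped copies are the source).
SAMPLE_LOG = """\
Nov 18 12:15:48 mainmachine pluto[10894]: "cert" #1: initiating Main Mode
Nov 18 12:15:48 mainmachine pluto[10894]: ERROR: asynchronous network error report on eth2 (sport=500) for message to 192.168.1.2 port 500, complainant 192.168.1.2: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: no RSA public key known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)
Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.1.2:500
Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: malformed payload in packet
Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
"""

# syslog prefix, optional '"conn" #n:' state tag, then the free-text message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'(?:"(?P<conn>[^"]+)" #(?P<sa>\d+): )?(?P<msg>.*)$'
)
SA_RE = re.compile(r"ISAKMP SA established \{(?P<params>[^}]*)\}")

# (finding, pattern, what to check).  The hints are this example's reading of
# the messages, not text from the Openswan project.
RULES = [
    ("peer_id_is_ip",
     re.compile(r"Main mode peer ID is ID_IPV4_ADDR: '(?P<peer>[^']+)'"),
     "peer identified itself by IP address, not by its certificate subject; "
     "a received cert is only used when the peer ID matches it"),
    ("no_pubkey_for_peer",
     re.compile(r"no RSA public key known for '(?P<peer>[^']+)'"),
     "no key for that ID from cert or config, and the DNS KEY fallback failed; "
     "check leftid/rightid against the certificate identity"),
    ("sent_invalid_key_info",
     re.compile(r"sending encrypted notification INVALID_KEY_INFORMATION to (?P<peer>\S+)"),
     "this side rejected the peer's authentication; the peer will only see "
     "retransmissions and 'ignoring informational payload'"),
    ("udp500_refused",
     re.compile(r"Connection refused \[errno 111, origin ICMP type 3 code 3"),
     "ICMP port-unreachable from the peer: nothing listened on UDP/500 there "
     "at that instant (pluto not up yet, or filtered)"),
    ("malformed_after_sa",
     re.compile(r"malformed payload in packet"),
     "an encrypted payload did not parse; the peers no longer agree on the "
     "ISAKMP SA after one side rejected authentication"),
    ("initiator_gave_up",
     re.compile(r"max number of retransmissions \(\d+\) reached (?P<state>STATE_\w+)"),
     "initiator got no acceptable reply in that state; the responder's log "
     "holds the rejection reason"),
]


@dataclass
class Triage:
    findings: dict = field(default_factory=dict)   # finding -> [(sa, detail)]
    peer_ids: set = field(default_factory=set)     # IDs the peer presented
    sa_params: dict = field(default_factory=dict)  # auth/cipher/prf/group


def parse_line(line):
    """Split one Pluto syslog line into fields; None if not a pluto line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Run every rule over every pluto line and collect what matched."""
    t = Triage()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        sa = SA_RE.search(msg)
        if sa:  # e.g. auth=OAKLEY_RSA_SIG cipher=aes_128 ...
            t.sa_params = dict(kv.split("=", 1) for kv in sa.group("params").split())
        for name, pat, _hint in RULES:
            m = pat.search(msg)
            if not m:
                continue
            detail = m.groupdict()
            if "peer" in detail:  # strip a trailing :port
                t.peer_ids.add(detail["peer"].split(":")[0])
            t.findings.setdefault(name, []).append((rec["sa"], detail))
    return t


def hints(t):
    """Hint text for each finding present, in rule order."""
    return [(name, hint) for name, _p, hint in RULES if name in t.findings]


def verdict(t):
    """One-line summary of the main-mode failure the log exhibits."""
    f = t.findings
    if "no_pubkey_for_peer" in f and "peer_id_is_ip" in f:
        return "auth failed: peer ID is an IP address with no matching key or cert"
    if "initiator_gave_up" in f:
        return "auth failed: responder never accepted our encrypted MI3"
    if "udp500_refused" in f:
        return "transport: peer not listening on UDP/500"
    return "no known failure pattern"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(verdict(result), result.sa_params)
    for name, hint in hints(result):
        print(f"- {name}: {hint}")
```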


On Mon, Nov 18, 2013 at 10:43 AM, Bart Smink <bartsmink at gmail.com> wrote:

> You could check the logs, and as you're on CentOS they're in
> /var/log/secure. There you'll find the error that Openswan gives when you try
> to start the connection.
>
>
> 2013/11/18 Ana <kentdavies at gmail.com>
>
>> Hello.
>>
>> Thanks for your answer.
>>
>> All you said is new to me.
>>
>> I've started by converting all my certs to the pkcs#12 format like this:
>>
>> openssl pkcs12 -export -clcerts -in cacert.crt -inkey cakey.key -out ca.p12
>>
>>
>> And then, I've imported them to ipsec.d like this:
>>
>> [root at mainmachine ipsec.d]# pk12util -i /etc/pki/tls/ca.p12 -d /etc/ipsec.d/
>> Enter Password or Pin for "NSS Certificate DB":
>> Enter password for PKCS12 file:
>> pk12util: no nickname for cert in PKCS12 file.
>> pk12util: using nickname: www.mysite.com - XPTO
>> pk12util: PKCS12 IMPORT SUCCESSFUL
>>
>>
>> And now I'm completely lost :(
>>
>> Sorry, but what should I do next? I can't seem to find a proper tutorial
>> explaining these steps.
>>
>> Thanks,
>>
>> Kent Davies
>>
>>
>>
>>
>> On Mon, Nov 18, 2013 at 4:47 AM, Leto <letoams at gmail.com> wrote:
>>
>>> if using the centos builds, those use nss, so you cannot put private key
>>> and certs in /etc/ipsec.d/
>>>
>>> you need to use ipsec initnss and then ipsec import on the certs in
>>> pkcs#12 format. see README.NSS
>>>
>>> sent from a tiny device
>>>
>>> On 2013-11-17, at 6:00, Ana <kentdavies at gmail.com> wrote:
>>>
>>> Hi everybody. Hello again.
>>>
>>>
>>> Following my last cry for help, here I am again with some IPsec problems.
>>>
>>>
>>> After managing to get IPsec running using secrets, I'm now trying
>>> (without success) to accomplish the same but now using X.509 certificates.
>>>
>>>
>>> Just as a reminder, I'm running two virtual machines with CentOS that
>>> simulate the network depicted in the picture below.
>>>
>>> <image.png>
>>>
>>>
>>> I want to create an IPsec tunnel between machine A and machine B. The
>>> keys should be negotiated using IKE and the tunnel should enable total
>>> connectivity between the two machines. My goal is to achieve this using
>>> x.509 certificates.
>>>
>>>
>>> My machine A will act as a gateway and as a Certificate Authority.
>>>
>>>
>>> The first step was to create my CA and two certificates, one for
>>> machine A and one for machine B. So, on machine A I've run these commands:
>>>
>>> 1) Create the CA:
>>>
>>> openssl genrsa -des3 -out cakey.key 1024
>>>
>>> openssl req -new -key cakey.key -out cacsr.csr
>>>
>>> openssl x509 -req -days 365 -in cacsr.csr -out cacert.crt -signkey cakey.key
>>>
>>>
>>> 2) For each machine, create a certificate signed using the CA created
>>> above:
>>>
>>>
>>> openssl genrsa -des3 -out gwonekey.key 1024
>>>
>>> openssl req -new -key gwonekey.key -out gwonecsr.csr
>>>
>>> openssl ca -in gwonecsr.csr -cert cacert.crt -keyfile cakey.key -out gwonecert.crt
>>>
>>>
>>> openssl genrsa -des3 -out gwtwokey.key 1024
>>>
>>> openssl req -new -key gwtwokey.key -out gwtwocsr.csr
>>>
>>> openssl ca -in gwtwocsr.csr -cert cacert.crt -keyfile cakey.key -out gwtwocert.crt
>>>
>>>
>>> 3) I've also created a Certificate Revocation List:
>>>
>>> echo 01 > /etc/pki/CA/crlnumber
>>>
>>> openssl ca -gencrl -keyfile cakey.key -cert cacert.crt -out crl.pem
>>>
>>>
>>> On machine A I've done this:
>>>
>>> mkdir /etc/ipsec.d/private
>>>
>>> mkdir /etc/ipsec.d/certs
>>>
>>> mkdir /etc/ipsec.d/cacerts
>>>
>>> mkdir /etc/ipsec.d/crls
>>>
>>> cp gwonekey.key /etc/ipsec.d/private
>>>
>>> cp gwonecert.crt /etc/ipsec.d/certs
>>>
>>> cp cacert.crt /etc/ipsec.d/cacerts
>>>
>>> cp crl.pem /etc/ipsec.d/crls
>>>
>>>
>>> And on Machine B after copying the files:
>>>
>>> mkdir /etc/ipsec.d/private
>>>
>>> mkdir /etc/ipsec.d/certs
>>>
>>> mkdir /etc/ipsec.d/cacerts
>>>
>>> mkdir /etc/ipsec.d/crls
>>>
>>> cp gwtwokey.key /etc/ipsec.d/private
>>>
>>> cp gwonecert.crt /etc/ipsec.d/certs
>>>
>>> cp gwtwocert.crt /etc/ipsec.d/certs
>>>
>>> cp cacert.crt /etc/ipsec.d/cacerts
>>>
>>>
>>> I've then edited the *ipsec.secrets* file on both machines:
>>>
>>> Machine A:
>>>
>>> %any %any : PSK "test"
>>>
>>> : RSA gwonecert.crt "test"
>>>
>>>
>>> Machine B:
>>>
>>> %any %any : PSK "test"
>>>
>>> : RSA gwonecert.crt "test"
>>>
>>> : RSA gwtwocert.crt "test"
>>>
>>>
>>> The last step was to edit the *ipsec.conf* on those machines:
>>>
>>> Machine A:
>>>
>>> config setup
>>>
>>>             protostack=netkey
>>>
>>>             dumpdir=/var/run/pluto/
>>>
>>>             nat_traversal=yes
>>>
>>>             virtual_private=%v4:0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24
>>>
>>>
>>>
>>> #conn gw-to-gw
>>>
>>> #           authby=secret
>>>
>>> #           left=192.168.1.1
>>>
>>> #           leftsubnet=10.1.1.0/24
>>>
>>> #           right=192.168.1.2
>>>
>>> #           rightsubnet=10.1.2.0/24
>>>
>>> #           auto=start
>>>
>>> #           type=tunnel
>>>
>>>
>>>
>>> conn cert
>>>
>>>             authby=rsasig
>>>
>>>             leftrsasigkey=%cert
>>>
>>>             leftcert=gwonecert.crt
>>>
>>>             left=192.168.1.1
>>>
>>>             leftsubnet=10.1.1.0/24
>>>
>>>             right=192.168.1.2
>>>
>>>             rightsubnet=10.1.2.0/24
>>>
>>>             auto=start
>>>
>>>             type=tunnel
>>>
>>>
>>> Machine B:
>>>
>>> config setup
>>>
>>>             protostack=netkey
>>>
>>>             dumpdir=/var/run/pluto/
>>>
>>>             nat_traversal=yes
>>>
>>>             virtual_private=%v4:0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24
>>>
>>>
>>>
>>> #conn gw-to-gw
>>>
>>> #           authby=secret
>>>
>>> #           left=192.168.1.1
>>>
>>> #           leftsubnet=10.1.1.0/24
>>>
>>> #           right=192.168.1.2
>>>
>>> #           rightsubnet=10.1.2.0/24
>>>
>>> #           auto=start
>>>
>>> #           type=tunnel
>>>
>>>
>>>
>>> conn cert
>>>
>>>             authby=rsasig
>>>
>>>             leftrsasigkey=%cert
>>>
>>>             rightrsasigkey=%cert
>>>
>>>             leftcert=gwtwocert.crt
>>>
>>>             rightcert=gwonecert.crt
>>>
>>>             left=192.168.1.2
>>>
>>>             leftsubnet=10.1.2.0/24
>>>
>>>             right=192.168.1.1
>>>
>>>             rightsubnet=10.1.1.0/24
>>>
>>>             auto=start
>>>
>>>             type=tunnel
>>>
>>>
>>> I've restarted ipsec on both machines using *service ipsec restart* but
>>> now, after doing *ipsec auto --up cert*, nothing happens. In the terminal
>>> I have to hit Ctrl-C.
>>>
>>>
>>> Once again, can someone tell me what I am doing wrong?
>>>
>>>
>>> Many thanks,
>>>
>>>
>>> Kent Davies
>>>
>>> _______________________________________________
>>> Users at lists.openswan.org
>>> https://lists.openswan.org/mailman/listinfo/users
>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>
>>>
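As an added example that is not part of any message in this thread: a shell script that carries out the procedure quoted above (a CA, one certificate per gateway) and then packs each gateway's key and certificate into the PKCS#12 form that the reply says the NSS-based CentOS build needs for `ipsec import`. The names (gwone, gwtwo, the CN values, the `test` password) are assumptions; it uses 2048-bit keys instead of the post's 1024-bit keys, signs with `openssl x509 -req -CA` so that no `openssl ca` configuration directory is needed, and does not reproduce the CRL step.

```shell
#!/bin/sh
# Added example, not code from the Openswan project or from the list post.
# Builds a test CA, issues one certificate per gateway, and writes one
# PKCS#12 bundle per gateway (that gateway's key + cert + the CA cert).
# Names, CNs and the password are assumptions; change them for real use.
set -eu

PASS="${PKI_PASS:-test}"   # export password for the .p12 files (assumed)
KEY_BITS=2048              # the post used 1024; 2048 is the current floor

# Issue a key and a CA-signed certificate for one gateway, then bundle it.
# $1 = working dir, $2 = short name (e.g. gwone), $3 = subject CN
issue_gateway_cert() {
    dir=$1; name=$2; cn=$3
    openssl genrsa -out "$dir/$name.key" $KEY_BITS 2>/dev/null
    openssl req -new -key "$dir/$name.key" -subj "/CN=$cn" \
        -out "$dir/$name.csr" 2>/dev/null
    # Sign with the CA; -CAcreateserial keeps a serial file next to the CA
    # cert, so no openssl ca(1) directory layout is required.
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/cacert.crt" -CAkey "$dir/cakey.key" -CAcreateserial \
        -out "$dir/$name.crt" 2>/dev/null
    # The bundle carries only THIS gateway's private key plus the CA cert,
    # so the other gateway's key never leaves its own machine.
    openssl pkcs12 -export -name "$name" \
        -inkey "$dir/$name.key" -in "$dir/$name.crt" \
        -certfile "$dir/cacert.crt" \
        -passout "pass:$PASS" -out "$dir/$name.p12"
}

# Create the self-signed CA (one step instead of genrsa + req + x509
# -signkey as in the post) and issue both gateway certificates.
build_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:$KEY_BITS -nodes -days 365 \
        -subj "/CN=Test IPsec CA" \
        -keyout "$dir/cakey.key" -out "$dir/cacert.crt" 2>/dev/null
    issue_gateway_cert "$dir" gwone gwone.example
    issue_gateway_cert "$dir" gwtwo gwtwo.example
}

# Returns 0 only when the gateway cert chains to the CA AND the .p12
# opens (MAC verifies) with the export password.
verify_bundle() {
    dir=$1; name=$2
    openssl verify -CAfile "$dir/cacert.crt" "$dir/$name.crt" \
        >/dev/null 2>&1 || return 1
    openssl pkcs12 -in "$dir/$name.p12" -passin "pass:$PASS" -noout \
        2>/dev/null || return 1
}

# Number of certificates inside a .p12 (gateway cert + CA cert = 2).
bundle_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Print the NSS import steps for a bundle; only execute them on the
# gateway itself when RUN_IMPORT=1 is set (needs root and Openswan).
import_into_nss() {
    p12=$1
    echo "ipsec initnss"
    echo "ipsec import $p12"
    if [ "${RUN_IMPORT:-0}" = 1 ]; then
        ipsec initnss
        ipsec import "$p12"
    fi
}

main() {
    work=$(mktemp -d)
    build_pki "$work"
    for gw in gwone gwtwo; do
        verify_bundle "$work" "$gw" && echo "$gw: chain OK, bundle $work/$gw.p12"
        import_into_nss "$work/$gw.p12"
    done
}
main "$@"
```

Copy only `gwtwo.p12` to machine B and import it there; the nickname passed with `-name` is what the NSS database shows afterwards and is the name to put in `leftcert=` and in the `: RSA` line of ipsec.secrets. Older NSS versions cannot read the PKCS#12 encryption that OpenSSL 3 uses by default; adding `-legacy` to the `openssl pkcs12 -export` call produces the older algorithms if `ipsec import` rejects the file.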