[Openswan Users] Fwd: IPsec configuration

users-bounces at lists.openswan.org
Mon Nov 18 07:33:24 UTC 2013


Rescued from the Spam bucket.

From: Leto <letoams at gmail.com>
Subject: Re: [Openswan Users] Fwd: IPsec configuration
Date: November 18, 2013 at 7:33:01 AM EST
To: Ana <kentdavies at gmail.com>
Cc: Bart Smink <bartsmink at gmail.com>, "users at lists.openswan.org" <users at lists.openswan.org>


You are missing the secret entries, e.g.:

: RSA "friendlyname"

You also use leftcert=friendlyname in the conn.

sent from a tiny device 

On 2013-11-18, at 7:28, Ana <kentdavies at gmail.com> wrote:

> Hello and once again, thanks for your reply.
> 
> 
> I've then exported the certificates to the PKCS#12 format and imported them into my NSS database. I've done that on both machines.
> 
> 
> I've edited both my secrets and conf files to reflect the nickname that the NSS database shows, but I'm still getting problems.
> 
> Using the log I've managed to solve some problems but now I'm stuck.
> 
> 
> Here is my /var/log/secure on machine A after service ipsec start:
> Nov 18 12:15:48 mainmachine ipsec__plutorun: Starting Pluto subsystem...
> Nov 18 12:15:48 mainmachine pluto[10894]: nss directory plutomain: /etc/ipsec.d
> Nov 18 12:15:48 mainmachine pluto[10894]: NSS Initialized
> Nov 18 12:15:48 mainmachine pluto[10894]: Non-fips mode set in /proc/sys/crypto/fips_enabled
> Nov 18 12:15:48 mainmachine pluto[10894]: Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:10894
> Nov 18 12:15:48 mainmachine pluto[10894]: Non-fips mode set in /proc/sys/crypto/fips_enabled
> Nov 18 12:15:48 mainmachine pluto[10894]: LEAK_DETECTIVE support [disabled]
> Nov 18 12:15:48 mainmachine pluto[10894]: OCF support for IKE [disabled]
> Nov 18 12:15:48 mainmachine pluto[10894]: SAref support [disabled]: Protocol not available
> Nov 18 12:15:48 mainmachine pluto[10894]: SAbind support [disabled]: Protocol not available
> Nov 18 12:15:48 mainmachine pluto[10894]: NSS support [enabled]
> Nov 18 12:15:48 mainmachine pluto[10894]: HAVE_STATSD notification support not compiled in
> Nov 18 12:15:48 mainmachine pluto[10894]: Setting NAT-Traversal port-4500 floating to on
> Nov 18 12:15:48 mainmachine pluto[10894]:    port floating activation criteria nat_t=1/port_float=1
> Nov 18 12:15:48 mainmachine pluto[10894]:    NAT-Traversal support  [enabled]
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
> Nov 18 12:15:48 mainmachine pluto[10894]: starting up 1 cryptographic helpers
> Nov 18 12:15:48 mainmachine pluto[10894]: started helper (thread) pid=-1217217680 (fd:10)
> Nov 18 12:15:48 mainmachine pluto[10894]: Using Linux 2.6 IPsec interface code on 2.6.32-358.23.2.el6.i686 (experimental code)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_add(): ERROR: Algorithm already exists
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_add(): ERROR: Algorithm already exists
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_add(): ERROR: Algorithm already exists
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_add(): ERROR: Algorithm already exists
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_add(): ERROR: Algorithm already exists
> Nov 18 12:15:48 mainmachine pluto[10894]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
> Nov 18 12:15:48 mainmachine pluto[10894]: Changed path to directory '/etc/ipsec.d/cacerts'
> Nov 18 12:15:48 mainmachine pluto[10894]:   loaded CA cert file 'cacert.crt' (843 bytes)
> Nov 18 12:15:48 mainmachine pluto[10894]: Could not change to directory '/etc/ipsec.d/aacerts': /var/run/pluto
> Nov 18 12:15:48 mainmachine pluto[10894]: Could not change to directory '/etc/ipsec.d/ocspcerts': /var/run/pluto
> Nov 18 12:15:48 mainmachine pluto[10894]: Changing to directory '/etc/ipsec.d/crls'
> Nov 18 12:15:48 mainmachine pluto[10894]:   loaded crl file 'crl.pem' (516 bytes)
> Nov 18 12:15:48 mainmachine pluto[10894]: | selinux support is enabled. 
> Nov 18 12:15:48 mainmachine pluto[10894]: loading certificate from www.gwone.pt - ONE 
> Nov 18 12:15:48 mainmachine pluto[10894]: added connection description "cert"
> Nov 18 12:15:48 mainmachine pluto[10894]: listening for IKE messages
> Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth3/eth3 172.16.1.1:500
> Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth3/eth3 172.16.1.1:4500
> Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth2/eth2 192.168.1.1:500
> Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth2/eth2 192.168.1.1:4500
> Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth1/eth1 10.1.1.254:500
> Nov 18 12:15:48 mainmachine pluto[10894]: adding interface eth1/eth1 10.1.1.254:4500
> Nov 18 12:15:48 mainmachine pluto[10894]: adding interface lo/lo 127.0.0.1:500
> Nov 18 12:15:48 mainmachine pluto[10894]: adding interface lo/lo 127.0.0.1:4500
> Nov 18 12:15:48 mainmachine pluto[10894]: adding interface lo/lo ::1:500
> Nov 18 12:15:48 mainmachine pluto[10894]: loading secrets from "/etc/ipsec.secrets"
> Nov 18 12:15:48 mainmachine pluto[10894]: loaded private key for keyid: PPK_RSA:AwEAAd7/L
> Nov 18 12:15:48 mainmachine pluto[10894]: "cert" #1: initiating Main Mode
> Nov 18 12:15:48 mainmachine pluto[10894]: ERROR: asynchronous network error report on eth2 (sport=500) for message to 192.168.1.2 port 500, complainant 192.168.1.2: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
> Nov 18 12:15:52 mainmachine pluto[10894]: packet from 192.168.1.2:500: received Vendor ID payload [Openswan (this version) 2.6.32 ]
> Nov 18 12:15:52 mainmachine pluto[10894]: packet from 192.168.1.2:500: received Vendor ID payload [Dead Peer Detection]
> Nov 18 12:15:52 mainmachine pluto[10894]: packet from 192.168.1.2:500: received Vendor ID payload [RFC 3947] method set to=109 
> Nov 18 12:15:52 mainmachine pluto[10894]: packet from 192.168.1.2:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
> Nov 18 12:15:52 mainmachine pluto[10894]: packet from 192.168.1.2:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
> Nov 18 12:15:52 mainmachine pluto[10894]: packet from 192.168.1.2:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
> Nov 18 12:15:52 mainmachine pluto[10894]: packet from 192.168.1.2:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: responding to Main Mode
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: STATE_MAIN_R1: sent MR1, expecting MI2
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: STATE_MAIN_R2: sent MR2, expecting MI3
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: no RSA public key known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)
> Nov 18 12:15:52 mainmachine pluto[10894]: "cert" #2: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.1.2:500
> 
> And after ipsec auto --up cert
> 
> Nov 18 12:15:58 mainmachine pluto[10894]: "cert" #1: received Vendor ID payload [Openswan (this version) 2.6.32 ]
> Nov 18 12:15:58 mainmachine pluto[10894]: "cert" #1: received Vendor ID payload [Dead Peer Detection]
> Nov 18 12:15:58 mainmachine pluto[10894]: "cert" #1: received Vendor ID payload [RFC 3947] method set to=109 
> Nov 18 12:15:58 mainmachine pluto[10894]: "cert" #1: enabling possible NAT-traversal with method 4
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: I am sending my cert
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: I am sending a certificate request
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: received Vendor ID payload [CAN-IKEv2]
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: no RSA public key known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.1.2:500
> Nov 18 12:15:59 mainmachine pluto[10894]: "cert" #1: received 1 malformed payload notifies
> Nov 18 12:16:03 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:16:03 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:16:03 mainmachine pluto[10894]: "cert" #2: no RSA public key known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)
> Nov 18 12:16:03 mainmachine pluto[10894]: "cert" #2: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.1.2:500
> Nov 18 12:16:24 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:16:24 mainmachine pluto[10894]: "cert" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:16:24 mainmachine pluto[10894]: "cert" #2: no RSA public key known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)
> Nov 18 12:16:24 mainmachine pluto[10894]: "cert" #2: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.1.2:500
> Nov 18 12:17:07 mainmachine pluto[10894]: packet from 192.168.1.2:500: received Vendor ID payload [Openswan (this version) 2.6.32 ]
> Nov 18 12:17:07 mainmachine pluto[10894]: packet from 192.168.1.2:500: received Vendor ID payload [Dead Peer Detection]
> Nov 18 12:17:07 mainmachine pluto[10894]: packet from 192.168.1.2:500: received Vendor ID payload [RFC 3947] method set to=109 
> Nov 18 12:17:07 mainmachine pluto[10894]: packet from 192.168.1.2:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
> Nov 18 12:17:07 mainmachine pluto[10894]: packet from 192.168.1.2:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
> Nov 18 12:17:07 mainmachine pluto[10894]: packet from 192.168.1.2:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
> Nov 18 12:17:07 mainmachine pluto[10894]: packet from 192.168.1.2:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: responding to Main Mode
> Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: STATE_MAIN_R1: sent MR1, expecting MI2
> Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
> Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: STATE_MAIN_R2: sent MR2, expecting MI3
> Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: no RSA public key known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)
> Nov 18 12:17:07 mainmachine pluto[10894]: "cert" #3: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.1.2:500
> Nov 18 12:17:18 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:17:18 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:17:18 mainmachine pluto[10894]: "cert" #3: no RSA public key known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)
> Nov 18 12:17:18 mainmachine pluto[10894]: "cert" #3: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.1.2:500
> Nov 18 12:17:39 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:17:39 mainmachine pluto[10894]: "cert" #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
> Nov 18 12:17:39 mainmachine pluto[10894]: "cert" #3: no RSA public key known for '192.168.1.2'; DNS search for KEY failed (failure querying DNS for KEY of 2.1.168.192.in-addr.arpa.: Host name lookup failure)
> Nov 18 12:17:39 mainmachine pluto[10894]: "cert" #3: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.1.2:500
> 
> 
> Likewise, on machine B I got this:
> Nov 18 12:06:13 mainmachine ipsec__plutorun: Starting Pluto subsystem...
> Nov 18 12:06:13 mainmachine pluto[4985]: nss directory plutomain: /etc/ipsec.d
> Nov 18 12:06:13 mainmachine pluto[4985]: NSS Initialized
> Nov 18 12:06:13 mainmachine pluto[4985]: Non-fips mode set in /proc/sys/crypto/fips_enabled
> Nov 18 12:06:13 mainmachine pluto[4985]: Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:4985
> Nov 18 12:06:13 mainmachine pluto[4985]: Non-fips mode set in /proc/sys/crypto/fips_enabled
> Nov 18 12:06:13 mainmachine pluto[4985]: LEAK_DETECTIVE support [disabled]
> Nov 18 12:06:13 mainmachine pluto[4985]: OCF support for IKE [disabled]
> Nov 18 12:06:13 mainmachine pluto[4985]: SAref support [disabled]: Protocol not available
> Nov 18 12:06:13 mainmachine pluto[4985]: SAbind support [disabled]: Protocol not available
> Nov 18 12:06:13 mainmachine pluto[4985]: NSS support [enabled]
> Nov 18 12:06:13 mainmachine pluto[4985]: HAVE_STATSD notification support not compiled in
> Nov 18 12:06:13 mainmachine pluto[4985]: Setting NAT-Traversal port-4500 floating to on
> Nov 18 12:06:13 mainmachine pluto[4985]:    port floating activation criteria nat_t=1/port_float=1
> Nov 18 12:06:13 mainmachine pluto[4985]:    NAT-Traversal support  [enabled]
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
> Nov 18 12:06:13 mainmachine pluto[4985]: starting up 1 cryptographic helpers
> Nov 18 12:06:13 mainmachine pluto[4985]: started helper (thread) pid=-1220584592 (fd:10)
> Nov 18 12:06:13 mainmachine pluto[4985]: Using Linux 2.6 IPsec interface code on 2.6.32-358.23.2.el6.i686 (experimental code)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_add(): ERROR: Algorithm already exists
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_add(): ERROR: Algorithm already exists
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_add(): ERROR: Algorithm already exists
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_add(): ERROR: Algorithm already exists
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_add(): ERROR: Algorithm already exists
> Nov 18 12:06:13 mainmachine pluto[4985]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
> Nov 18 12:06:13 mainmachine pluto[4985]: Changed path to directory '/etc/ipsec.d/cacerts'
> Nov 18 12:06:13 mainmachine pluto[4985]:   loaded CA cert file 'cacert.crt' (843 bytes)
> Nov 18 12:06:13 mainmachine pluto[4985]: Could not change to directory '/etc/ipsec.d/aacerts': /var/run/pluto
> Nov 18 12:06:13 mainmachine pluto[4985]: Could not change to directory '/etc/ipsec.d/ocspcerts': /var/run/pluto
> Nov 18 12:06:13 mainmachine pluto[4985]: Changing to directory '/etc/ipsec.d/crls'
> Nov 18 12:06:13 mainmachine pluto[4985]:   loaded crl file 'crl.pem' (516 bytes)
> Nov 18 12:06:13 mainmachine pluto[4985]: | selinux support is enabled. 
> Nov 18 12:06:13 mainmachine pluto[4985]: loading certificate from www.gwtwo.pt - ONE 
> Nov 18 12:06:13 mainmachine pluto[4985]: loading certificate from www.gwone.pt - ONE 
> Nov 18 12:06:13 mainmachine pluto[4985]: added connection description "cert"
> Nov 18 12:06:13 mainmachine pluto[4985]: listening for IKE messages
> Nov 18 12:06:13 mainmachine pluto[4985]: adding interface eth6/eth6 192.168.1.2:500
> Nov 18 12:06:13 mainmachine pluto[4985]: adding interface eth6/eth6 192.168.1.2:4500
> Nov 18 12:06:13 mainmachine pluto[4985]: adding interface eth5/eth5 10.1.2.254:500
> Nov 18 12:06:13 mainmachine pluto[4985]: adding interface eth5/eth5 10.1.2.254:4500
> Nov 18 12:06:13 mainmachine pluto[4985]: adding interface lo/lo 127.0.0.1:500
> Nov 18 12:06:13 mainmachine pluto[4985]: adding interface lo/lo 127.0.0.1:4500
> Nov 18 12:06:13 mainmachine pluto[4985]: adding interface lo/lo ::1:500
> Nov 18 12:06:13 mainmachine pluto[4985]: loading secrets from "/etc/ipsec.secrets"
> Nov 18 12:06:13 mainmachine pluto[4985]: loaded private key for keyid: PPK_RSA:AwEAAd7/L
> Nov 18 12:06:13 mainmachine pluto[4985]: loaded private key for keyid: PPK_RSA:AwEAAcFsb
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: initiating Main Mode
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: received Vendor ID payload [Openswan (this version) 2.6.32 ]
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: received Vendor ID payload [Dead Peer Detection]
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: received Vendor ID payload [RFC 3947] method set to=109 
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: enabling possible NAT-traversal with method 4
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: I am sending my cert
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: I am sending a certificate request
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
> Nov 18 12:06:13 mainmachine pluto[4985]: "cert" #1: received and ignored informational message
> Nov 18 12:06:19 mainmachine pluto[4985]: packet from 192.168.1.1:500: received Vendor ID payload [Openswan (this version) 2.6.32 ]
> Nov 18 12:06:19 mainmachine pluto[4985]: packet from 192.168.1.1:500: received Vendor ID payload [Dead Peer Detection]
> Nov 18 12:06:19 mainmachine pluto[4985]: packet from 192.168.1.1:500: received Vendor ID payload [RFC 3947] method set to=109 
> Nov 18 12:06:19 mainmachine pluto[4985]: packet from 192.168.1.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
> Nov 18 12:06:19 mainmachine pluto[4985]: packet from 192.168.1.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
> Nov 18 12:06:19 mainmachine pluto[4985]: packet from 192.168.1.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
> Nov 18 12:06:19 mainmachine pluto[4985]: packet from 192.168.1.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: responding to Main Mode
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: STATE_MAIN_R1: sent MR1, expecting MI2
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: STATE_MAIN_R2: sent MR2, expecting MI3
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.1'
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: I am sending my cert
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: next payload type of ISAKMP Hash Payload has an unknown value: 251
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: malformed payload in packet
> Nov 18 12:06:19 mainmachine pluto[4985]: | payload malformed after IV
> Nov 18 12:06:19 mainmachine pluto[4985]: |   d3 87 42 1b  2b 62 84 1e  13 0b 12 57  2d b3 4a 6c
> Nov 18 12:06:19 mainmachine pluto[4985]: "cert" #2: sending notification PAYLOAD_MALFORMED to 192.168.1.1:500
> Nov 18 12:06:23 mainmachine pluto[4985]: "cert" #1: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
> Nov 18 12:06:23 mainmachine pluto[4985]: "cert" #1: received and ignored informational message
> Nov 18 12:06:43 mainmachine pluto[4985]: "cert" #1: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
> Nov 18 12:06:43 mainmachine pluto[4985]: "cert" #1: received and ignored informational message
> 
> and after ipsec auto --up cert
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #1: starting keying attempt 2 of an unlimited number
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: initiating Main Mode to replace #1
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: received Vendor ID payload [Openswan (this version) 2.6.32 ]
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: received Vendor ID payload [Dead Peer Detection]
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: received Vendor ID payload [RFC 3947] method set to=109 
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: enabling possible NAT-traversal with method 4
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: STATE_MAIN_I2: sent MI2, expecting MR2
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: I am sending my cert
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: I am sending a certificate request
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: STATE_MAIN_I3: sent MI3, expecting MR3
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
> Nov 18 12:07:23 mainmachine pluto[4985]: "cert" #3: received and ignored informational message
> Nov 18 12:07:33 mainmachine pluto[4985]: "cert" #3: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
> Nov 18 12:07:33 mainmachine pluto[4985]: "cert" #3: received and ignored informational message
> Nov 18 12:07:53 mainmachine pluto[4985]: "cert" #3: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
> Nov 18 12:07:53 mainmachine pluto[4985]: "cert" #3: received and ignored informational message
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #3: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #3: starting keying attempt 3 of an unlimited number
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: initiating Main Mode to replace #3
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: received Vendor ID payload [Openswan (this version) 2.6.32 ]
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: received Vendor ID payload [Dead Peer Detection]
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: received Vendor ID payload [RFC 3947] method set to=109 
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: enabling possible NAT-traversal with method 4
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: STATE_MAIN_I2: sent MI2, expecting MR2
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: I am sending my cert
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: I am sending a certificate request
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: STATE_MAIN_I3: sent MI3, expecting MR3
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
> Nov 18 12:08:33 mainmachine pluto[4985]: "cert" #4: received and ignored informational message
> Nov 18 12:08:43 mainmachine pluto[4985]: "cert" #4: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
> Nov 18 12:08:43 mainmachine pluto[4985]: "cert" #4: received and ignored informational message
> Nov 18 12:09:03 mainmachine pluto[4985]: "cert" #4: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
> Nov 18 12:09:03 mainmachine pluto[4985]: "cert" #4: received and ignored informational message
> 
> 
> 
> On both machines, the only iptables rules that exist are these:
> 
> iptables -A INPUT -p icmp -j ACCEPT
> iptables -A FORWARD -p icmp -j ACCEPT
> iptables -A INPUT -p esp -j ACCEPT
> iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
> iptables -A INPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
> iptables -A FORWARD -s 10.1.1.0/24 -d 10.1.2.0/24 -j ACCEPT
> iptables -A FORWARD -s 10.1.2.0/24 -d 10.1.1.0/24 -j ACCEPT
> 
> Any idea of what I'm doing wrong?
> 
> Thanks,
> 
> Kent Davies
> 
> On Mon, Nov 18, 2013 at 10:43 AM, Bart Smink <bartsmink at gmail.com> wrote:
> You could check the logs, and as you're on CentOS they're in /var/log/secure . There you find the error that Openswan gives when you try to start the connection.
> 
> 
> 2013/11/18 Ana <kentdavies at gmail.com>
> Hello.
> 
> Thanks for your answer.
> 
> All you said is new to me. 
> 
> I've started by converting all my certs to the pkcs#12 format like this:
> openssl pkcs12 -export -clcerts -in cacert.crt -inkey cakey.key -out ca.p12
> 
> And then, I've imported them to ipsec.d like this:
> 
> [root at mainmachine ipsec.d]# pk12util -i /etc/pki/tls/ca.p12 -d /etc/ipsec.d/
> Enter Password or Pin for "NSS Certificate DB":
> Enter password for PKCS12 file: 
> pk12util: no nickname for cert in PKCS12 file.
> pk12util: using nickname: www.mysite.com - XPTO
> pk12util: PKCS12 IMPORT SUCCESSFUL
> 
> And now I'm completely lost :(
> 
> Sorry, but what should I do next? I can't seem to find a proper tutorial explaining these steps.
> 
> Thanks,
> 
> Kent Davies
> 
> 
> 
> 
> On Mon, Nov 18, 2013 at 4:47 AM, Leto <letoams at gmail.com> wrote:
> If using the CentOS builds, those use NSS, so you cannot put private key and certs in /etc/ipsec.d/
> 
> You need to use ipsec initnss and then ipsec import on the certs in PKCS#12 format. See README.NSS
> 
> sent from a tiny device 
> 
> On 2013-11-17, at 6:00, Ana <kentdavies at gmail.com> wrote:
> 
>> Hi everybody. Hello again.
>> 
>> Following my last cry for help, here I am again with some IPsec problems.
>> 
>> After managing to get IPsec running using secrets, I'm now trying (without success) to accomplish the same but now using X.509 certificates.
>> 
>> Just as a reminder, I'm running two virtual machines with CentOS that simulate the network depicted in the picture below.
>> 
>> <image.png>
>> 
>> I want to create an IPsec tunnel between machine A and machine B. The keys should be negotiated using IKE and the tunnel should enable total connectivity between the two machines. My goal is to achieve this using x.509 certificates.
>> 
>> 
>> 
>> My machine A will act as a gateway and as a Certificate Authority.
>> 
>> 
>> 
>> The first step was to create my CA and two certificates, one for machine A and one for machine B. So, on machine A I've run these commands:
>> 
>> 1) Create the CA:
>> 
>> openssl genrsa -des3 -out cakey.key 1024
>> openssl req -new -key cakey.key -out cacsr.csr
>> openssl x509 -req -days 365 -in cacsr.csr -out cacert.crt -signkey cakey.key
>> 
>> 
>> 2) For each machine, create a certificate signed using the CA created above:
>> 
>> openssl genrsa -des3 -out gwonekey.key 1024
>> openssl req -new -key gwonekey.key -out gwonecsr.csr
>> openssl ca -in gwonecsr.csr -cert cacert.crt -keyfile cakey.key -out gwonecert.crt
>> 
>> openssl genrsa -des3 -out gwtwokey.key 1024
>> openssl req -new -key gwtwokey.key -out gwtwocsr.csr
>> openssl ca -in gwtwocsr.csr -cert cacert.crt -keyfile cakey.key -out gwtwocert.crt
>> 
>> 
>> 
>> 3) I've also created a Certificate Revocation List:
>> 
>> echo 01 > /etc/pki/CA/crlnumber
>> openssl ca -gencrl -keyfile cakey.key -cert cacert.crt -out crl.pem
>> 
>> 
>> 
>> On machine A I've done this:
>> 
>> mkdir /etc/ipsec.d/private
>> mkdir /etc/ipsec.d/certs
>> mkdir /etc/ipsec.d/cacerts
>> mkdir /etc/ipsec.d/crls
>> cp gwonekey.key /etc/ipsec.d/private
>> cp gwonecert.crt /etc/ipsec.d/certs
>> cp cacert.crt /etc/ipsec.d/cacerts
>> cp crl.pem /etc/ipsec.d/crls
>> 
>> 
>> 
>> 
>> And on machine B, after copying the files:
>> 
>> mkdir /etc/ipsec.d/private
>> mkdir /etc/ipsec.d/certs
>> mkdir /etc/ipsec.d/cacerts
>> mkdir /etc/ipsec.d/crls
>> cp gwtwokey.key /etc/ipsec.d/private
>> cp gwonecert.crt /etc/ipsec.d/certs
>> cp gwtwocert.crt /etc/ipsec.d/certs
>> cp cacert.crt /etc/ipsec.d/cacerts
>> 
>> 
>> 
>> 
>> I've then edited the ipsec.secrets file on both machines:
>> 
>> Machine A:
>> 
>> %any %any : PSK "test"
>> : RSA gwonecert.crt "test"
>> 
>> Machine B:
>> 
>> %any %any : PSK "test"
>> : RSA gwonecert.crt "test"
>> : RSA gwtwocert.crt "test"
>> 
>> 
>> 
>> 
>> The last step was to edit the ipsec.conf on those machines:
>> 
>> Machine A:
>> 
>> config setup
>>             protostack=netkey
>>             dumpdir=/var/run/pluto/
>>             nat_traversal=yes
>>             virtual_private=%v4:0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24
>>  
>> #conn gw-to-gw
>> #           authby=secret
>> #           left=192.168.1.1
>> #           leftsubnet=10.1.1.0/24
>> #           right=192.168.1.2
>> #           rightsubnet=10.1.2.0/24
>> #           auto=start
>> #           type=tunnel
>>  
>> conn cert
>>             authby=rsasig
>>             leftrsasigkey=%cert
>>             leftcert=gwonecert.crt
>>             left=192.168.1.1
>>             leftsubnet=10.1.1.0/24
>>             right=192.168.1.2
>>             rightsubnet=10.1.2.0/24
>>             auto=start
>> 
>>             type=tunnel
>> 
>> 
>> Machine B:
>> 
>> config setup
>>             protostack=netkey
>>             dumpdir=/var/run/pluto/
>>             nat_traversal=yes
>>             virtual_private=%v4:0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24
>>  
>> #conn gw-to-gw
>> #           authby=secret
>> #           left=192.168.1.1
>> #           leftsubnet=10.1.1.0/24
>> #           right=192.168.1.2
>> #           rightsubnet=10.1.2.0/24
>> #           auto=start
>> #           type=tunnel
>>  
>> conn cert
>>             authby=rsasig
>>             leftrsasigkey=%cert
>>             rightrsasigkey=%cert
>>             leftcert=gwtwocert.crt
>>             rightcert=gwonecert.crt
>>             left=192.168.1.2
>>             leftsubnet=10.1.2.0/24
>>             right=192.168.1.1
>>             rightsubnet=10.1.1.0/24
>>             auto=start
>> 
>>             type=tunnel
>> 
>> 
>> I've restarted ipsec on both machines using service ipsec restart, but now, after doing ipsec auto --up cert, nothing happens. In the terminal I have to hit Ctrl-C.
>> 
>> 
>> 
>> Once again, can someone tell me what I am doing wrong?
>> 
>> 
>> 
>> Many thanks,
>> 
>> 
>> 
>> Kent Davies
>> 
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 
> 
> 
> 
> 
> 
> 
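The thread's advice for NSS-based Openswan builds (put the certificate and key into the NSS database in PKCS#12 form and refer to it by nickname) as one worked, end-to-end example. This is an added script, not code from the poster or from the Openswan project. The CN values, the nicknames gwone/gwtwo, the export password "test", the work directory $PKI and the NSS directory $NSSDIR (a stand-in for /etc/ipsec.d) are assumptions; the 192.168.1.x and 10.1.x.0/24 addresses are the ones from the thread. It deliberately goes a little beyond the thread: each gateway's PKCS#12 file contains only that gateway's own key (never the CA key), the export sets a friendlyName so pk12util has a nickname to use instead of inventing one, keys are 2048 bits, and the NSS import step is skipped cleanly when the NSS tools are not installed.

```sh
#!/bin/sh
# Added example, not from the thread: two-gateway PKI with openssl, one PKCS#12
# file per gateway (own cert + key + CA cert, with a friendlyName), and the
# ipsec.secrets / ipsec.conf lines that name that nickname.
# Assumptions (mine, not the poster's): CNs, nicknames, password "test",
# $PKI work dir, $NSSDIR as stand-in for /etc/ipsec.d.
set -eu

PKI="${PKI:-$(mktemp -d)}"
NSSDIR="${NSSDIR:-$PKI/nssdb}"
P12PASS="${P12PASS:-test}"          # constructed; use a real passphrase in production
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }

# Issue a self-signed CA and one leaf certificate per gateway, then verify the chain.
make_pki() {
  cd "$PKI"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -key ca.key -subj "/CN=Example IPsec CA" -out ca.csr
  openssl x509 -req -days 365 -in ca.csr -signkey ca.key -extfile ca.ext -out ca.crt 2>/dev/null
  for gw in gwone:192.168.1.1 gwtwo:192.168.1.2; do
    name=${gw%%:*}; ip=${gw#*:}
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nsubjectAltName=IP:%s\n' "$ip" > "$name.ext"
    # Key is unencrypted only while on this disk; the PKCS#12 password and then NSS protect it.
    openssl genrsa -out "$name.key" 2048 2>/dev/null
    openssl req -new -key "$name.key" -subj "/CN=$name.example.net" -out "$name.csr"
    openssl x509 -req -days 365 -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
      -extfile "$name.ext" -out "$name.crt" 2>/dev/null
    openssl verify -CAfile ca.crt "$name.crt" >/dev/null
  done
}

# Pack ONE gateway's cert + key together with the CA cert. -name sets the PKCS#12
# friendlyName, which pk12util adopts as the NSS nickname; without it you get the
# "no nickname for cert in PKCS12 file" message seen in the thread.
make_p12() {
  name=$1
  openssl pkcs12 -export -in "$PKI/$name.crt" -inkey "$PKI/$name.key" -certfile "$PKI/ca.crt" \
    -name "$name" -passout "pass:$P12PASS" -out "$PKI/$name.p12"
  # OpenSSL 3 writes AES/PBKDF2 by default; add -legacy if an old NSS rejects the file.
}

# Read the friendlyName back out of a PKCS#12 file: this is what NSS will call the cert.
p12_nickname() {
  openssl pkcs12 -in "$1" -passin "pass:$P12PASS" -nokeys -clcerts 2>/dev/null \
    | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# Import into an NSS database (skipped when the NSS tools are absent on this host).
# On the real gateway the directory is /etc/ipsec.d (created by "ipsec initnss").
import_nss() {
  name=$1
  command -v pk12util >/dev/null || { echo "pk12util not found; skipping NSS import" >&2; return 0; }
  if [ ! -d "$NSSDIR" ]; then
    mkdir -p "$NSSDIR"
    certutil -N -d "$NSSDIR" --empty-password
  fi
  pk12util -i "$PKI/$name.p12" -d "$NSSDIR" -W "$P12PASS" -K ''
  # Give the CA explicit trust flags; a CA pulled in via pk12util arrives untrusted.
  certutil -A -d "$NSSDIR" -n "Example IPsec CA" -t "CT,," -i "$PKI/ca.crt"
  certutil -L -d "$NSSDIR"          # the nickname listed here is what ipsec.conf must use
}

# With NSS the secret is named by nickname only: no file name, no passphrase
# (an NSS db password, if set, goes in /etc/ipsec.d/nsspassword instead).
secrets_entry() { printf ': RSA "%s"\n' "$1"; }

# conn stanza for one side: $1 own nickname, $2 own IP, $3 own subnet, $4 peer IP, $5 peer subnet.
# leftcert is the nickname as well; the peer's cert is learnt from IKE and checked against the CA.
conn_stanza() {
  cat <<EOF
conn cert
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        leftcert="$1"
        leftsendcert=always
        left=$2
        leftsubnet=$3
        right=$4
        rightsubnet=$5
        type=tunnel
        auto=start
EOF
}

# Drive it for machine A (gwone); machine B swaps the arguments.
make_pki
make_p12 gwone
make_p12 gwtwo
import_nss gwone
secrets_entry gwone
conn_stanza gwone 192.168.1.1 10.1.1.0/24 192.168.1.2 10.1.2.0/24
```

Only gwone.p12 goes to machine A and only gwtwo.p12 to machine B; the CA private key never leaves the CA host, which is the main difference from exporting cacert.crt together with cakey.key. After pk12util, `certutil -L -d /etc/ipsec.d` shows the nickname that both the `: RSA "..."` line and `leftcert=` must match exactly.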


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20131118/137815c9/attachment-0001.html>

