[Openswan Users] Openswan 2.6.32-37.el6.x86_64 + CentOS 6.5
Valentin
zyggix@gmail.com
Fri Dec 5 04:44:01 EST 2014
Hello everyone,
Sorry for my bad English, but I have a problem:
I would like to have a VPN tunnel (transport mode) using X.509 certs and a
roadwarrior connection.
I've tested with PSK and it works! But not with X.509.
1. Create the directory
[root@nStest pki]# cd /etc/pki/CA
[root@nStest CA]# ll
total 40
drwxr-xr-x. 2 root root 4096  6 Nov 13:36 certs
drwxr-xr-x. 2 root root 4096  6 Nov 13:36 crl
-rw-r--r--. 1 root root  242  4 Dec 17:15 index.txt
-rw-r--r--. 1 root root   21  4 Dec 17:15 index.txt.attr
-rw-r--r--. 1 root root   21  4 Dec 17:00 index.txt.attr.old
-rw-r--r--. 1 root root  112  4 Dec 17:10 index.txt.old
drwxr-xr-x. 2 root root 4096  4 Dec 17:15 newcerts
drwx------. 2 root root 4096  6 Nov 13:36 private
-rw-r--r--. 1 root root    3  4 Dec 17:15 serial
-rw-r--r--. 1 root root    3  4 Dec 17:11 serial.old
nano index.txt
V	151204160041Z		02	unknown	/C=BE/ST=HA/O=xxx/OU=microelectronics/CN=test/emailAddress=test@xxx.com
V	151204161456Z		04	unknown	/C=BE/ST=HA/O=xxx/OU=microelectronics/CN=test_valentin/emailAddress=test_valentin@xxx.com
2. I generated my files following Openswan by Paul Wouters / Ken Bantoft:
# openssl req -x509 -days 3650 -newkey rsa:1024 -keyout caKey.pem -out caCert.pem
# openssl req -newkey rsa:1024 -keyout server.key -out serverReq.pem
# openssl ca -in serverReq.pem -days 365 -out serverCert.pem -notext -cert caCert.pem -keyfile caKey.pem
and I repeated:
# openssl req -newkey rsa:1024 -keyout roadwarrior.key -out roadwarriorReq.pem
# openssl ca -in roadwarriorReq.pem -days 365 -out roadwarriorCert.pem -notext -cert caCert.pem -keyfile caKey.pem
------------
I placed my files correctly:
[root@nStest CA]# cd /etc/ipsec.d/
[root@nStest ipsec.d]# ll
total 188
drwxr-xr-x. 2 root root  4096  4 Dec 17:01 cacerts
-rw-r--r--. 1 root root  1834  4 Dec 16:58 caKey.pem
-rw-------. 1 root root 65536  5 Dec 09:25 cert8.db
-rw-------. 1 root root 65536 20 Nov 18:23 cert8.db_old
-rw-------. 1 root root 11264  5 Dec 09:25 cert9.db
drwxr-xr-x. 2 root root  4096  4 Dec 17:43 certs
-rw-------. 1 root root    39  5 Dec 09:31 ipsec.secrets
-rw-------. 1 root root 16384  5 Dec 09:25 key3.db
-rw-------. 1 root root 17408  5 Dec 09:33 key4.db
-rw-------. 1 root root   434  4 Dec 18:03 pkcs11.txt
drwx------. 2 root root  4096 20 Nov 18:38 policies
drwx------. 2 root root  4096  4 Dec 17:43 private
-rw-------. 1 root root 16384 20 Nov 16:57 secmod.db
-rw-r--r--. 1 root root  1131  4 Dec 16:59 serverReq.pem
-rw-r--r--. 1 root root  1155  4 Dec 17:14 valentinReq.pem
-rw-r--r--. 1 root root  3814  4 Dec 17:18 winCert.p12
[root@nStest ipsec.d]# cd cacerts
[root@nStest cacerts]# ll
total 4
-rw-r--r--. 1 root root 1415  4 Dec 16:58 caCert.pem
[root@nStest ipsec.d]# cd certs
[root@nStest certs]# ll
total 8
-rw-r--r--. 1 root root 1444  4 Dec 17:00 serverCert.pem
-rw-r--r--. 1 root root 1468  4 Dec 17:15 valentinCert.pem
[root@nStest ipsec.d]# cd private
[root@nStest private]# ll
total 8
-rw-r--r--. 1 root root 1834  4 Dec 16:59 server.key
-rw-r--r--. 1 root root 1834  4 Dec 17:14 valentin.key
and my ipsec.conf is (nano /etc/ipsec.conf):
config setup
	# Debug-logging controls: "none" for (almost) none, "all" for lots.
	# klipsdebug=none
	# plutodebug="control parsing"
	# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
	protostack=netkey
	nat_traversal=yes
	virtual_private=%v4:172.17.1.0/22
	oe=off
	# Enable this if you see "failed to find any available worker"
	# nhelpers=0
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf

conn %default
	keyingtries=3
	#failureshunt=drop
	#keylife=1h
	#ikelifetime=8h

conn RoadWarrior_x509
	authby=rsasig
	leftrsasigkey=%cert
	rightrsasigkey=%cert
	leftcert=serverCert.pem
	auto=add
	pfs=no
	type=transport
	left=193.190.210.88
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/%any
	rightca="C=*, ST=*, O=*, OU=*, CN=*, E=*"
nano /ipsec.d/ipsec.secrets
---------------------------
include /etc/ipsec.d/*.secrets
#PSK TEST 25-11-2014
193.100.100.100 %any: PSK "MyPassForPSK" #for PSK tunnel
: RSA serverKey.pem # for ... X509 ??
After that:
I used the command on page 124 to convert to PKCS#12, and I imported the CA and
my valentin.p12 in the Windows 7 MMC:
the personal cert, and the CA into the trusted root certification authorities.
BUT ... when I enter my username and my password from chap-secrets, I get
an error ... (already in ipsec)
[root@nStest private]# ipsec setup restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: ERROR: Module xfrm4_mode_transport is in use
ipsec_setup: ERROR: Module esp4 is in use
ipsec_setup: Starting Openswan IPsec U2.6.38dr2/K2.6.32-431.el6.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
In /var/log/secure:
-----------------------
Dec 5 10:34:11 nStest pluto[18622]: shutting down
Dec 5 10:34:11 nStest pluto[18622]: forgetting secrets
Dec 5 10:34:11 nStest pluto[18622]: "RoadWarrior_x509": deleting connection
Dec 5 10:34:11 nStest pluto[18622]: shutting down interface lo/lo ::1:500
Dec 5 10:34:11 nStest pluto[18622]: shutting down interface lo/lo 127.0.0.1:4500
Dec 5 10:34:11 nStest pluto[18622]: shutting down interface lo/lo 127.0.0.1:500
Dec 5 10:34:11 nStest pluto[18622]: shutting down interface eth0/eth0 172.17.6.254:4500
Dec 5 10:34:11 nStest pluto[18622]: shutting down interface eth0/eth0 172.17.6.254:500
Dec 5 10:34:11 nStest pluto[18622]: shutting down interface eth1/eth1 193.190.210.88:4500
Dec 5 10:34:11 nStest pluto[18622]: shutting down interface eth1/eth1 193.190.210.88:500
Dec 5 10:34:13 nStest ipsec__plutorun: Starting Pluto subsystem...
Dec 5 10:34:13 nStest pluto[18891]: nss directory plutomain: /etc/ipsec.d
Dec 5 10:34:13 nStest pluto[18891]: NSS Initialized
Dec 5 10:34:13 nStest pluto[18891]: Starting Pluto (Openswan Version 2.6.38dr2; Vendor ID OEKpRpA\177v[kY) pid:18891
Dec 5 10:34:13 nStest pluto[18891]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Dec 5 10:34:13 nStest pluto[18891]: LEAK_DETECTIVE support [disabled]
Dec 5 10:34:13 nStest pluto[18891]: OCF support for IKE [disabled]
Dec 5 10:34:13 nStest pluto[18891]: SAref support [disabled]: Protocol not available
Dec 5 10:34:13 nStest pluto[18891]: SAbind support [disabled]: Protocol not available
Dec 5 10:34:13 nStest pluto[18891]: NSS support [enabled]
Dec 5 10:34:13 nStest pluto[18891]: HAVE_STATSD notification support not compiled in
Dec 5 10:34:13 nStest pluto[18891]: Setting NAT-Traversal port-4500 floating to on
Dec 5 10:34:13 nStest pluto[18891]: port floating activation criteria nat_t=1/port_float=1
Dec 5 10:34:13 nStest pluto[18891]: NAT-Traversal support [enabled]
Dec 5 10:34:13 nStest pluto[18891]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 5 10:34:13 nStest pluto[18891]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Dec 5 10:34:13 nStest pluto[18891]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Dec 5 10:34:13 nStest pluto[18891]: starting up 3 cryptographic helpers
Dec 5 10:34:13 nStest pluto[18891]: started helper (thread) pid=140297936140032 (fd:7)
Dec 5 10:34:13 nStest pluto[18891]: started helper (thread) pid=140297858184960 (fd:9)
Dec 5 10:34:13 nStest pluto[18891]: started helper (thread) pid=140297847695104 (fd:11)
Dec 5 10:34:13 nStest pluto[18891]: Using Linux 2.6 IPsec interface code on 2.6.32-431.el6.x86_64 (experimental code)
Dec 5 10:34:13 nStest pluto[18891]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Dec 5 10:34:13 nStest pluto[18891]: ike_alg_add(): ERROR: Algorithm already exists
Dec 5 10:34:13 nStest pluto[18891]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Dec 5 10:34:13 nStest pluto[18891]: ike_alg_add(): ERROR: Algorithm already exists
Dec 5 10:34:13 nStest pluto[18891]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Dec 5 10:34:13 nStest pluto[18891]: Changed path to directory '/etc/ipsec.d/cacerts'
Dec 5 10:34:13 nStest pluto[18891]: loaded CA cert file 'caCert.pem' (1415 bytes)
Dec 5 10:34:13 nStest pluto[18891]: Could not change to directory '/etc/ipsec.d/aacerts': /
Dec 5 10:34:13 nStest pluto[18891]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Dec 5 10:34:13 nStest pluto[18891]: Could not change to directory '/etc/ipsec.d/crls'
Dec 5 10:34:13 nStest pluto[18891]: loading certificate from serverCert.pem
Dec 5 10:34:13 nStest pluto[18891]: could not open host cert with nick name 'serverCert.pem' in NSS DB
Dec 5 10:34:13 nStest pluto[18891]: added connection description "RoadWarrior_x509"
Dec 5 10:34:13 nStest pluto[18891]: listening for IKE messages
Dec 5 10:34:13 nStest pluto[18891]: adding interface eth1/eth1 193.190.210.88:500
Dec 5 10:34:13 nStest pluto[18891]: adding interface eth1/eth1 193.190.210.88:4500
Dec 5 10:34:13 nStest pluto[18891]: adding interface eth0/eth0 172.17.6.254:500
Dec 5 10:34:13 nStest pluto[18891]: adding interface eth0/eth0 172.17.6.254:4500
Dec 5 10:34:13 nStest pluto[18891]: adding interface lo/lo 127.0.0.1:500
Dec 5 10:34:13 nStest pluto[18891]: adding interface lo/lo 127.0.0.1:4500
Dec 5 10:34:13 nStest pluto[18891]: adding interface lo/lo ::1:500
Dec 5 10:34:13 nStest pluto[18891]: loading secrets from "/etc/ipsec.secrets"
Dec 5 10:34:13 nStest pluto[18891]: loading secrets from "/etc/ipsec.d/ipsec.secrets"
Dec 5 10:34:13 nStest pluto[18891]: could not open host cert with nick name '/etc/ipsec.d/private/server.key' in NSS DB
Dec 5 10:34:13 nStest pluto[18891]: "/etc/ipsec.d/ipsec.secrets" line 2: NSS certficate not found
Dec 5 10:34:13 nStest pluto[18891]: could not open host cert with nick name 'serverKey.pem' in NSS DB
Dec 5 10:34:13 nStest pluto[18891]: "/etc/ipsec.secrets" line 5: NSS certficate not found
When I connect my Windows:
Dec 5 10:36:09 nStest pluto[18891]: packet from 193.100.100.100:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Dec 5 10:36:09 nStest pluto[18891]: packet from 193.100.100.100:500: received Vendor ID payload [RFC 3947] method set to=109
Dec 5 10:36:09 nStest pluto[18891]: packet from 193.100.100.100:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Dec 5 10:36:09 nStest pluto[18891]: packet from 193.100.100.100:500: ignoring Vendor ID payload [FRAGMENTATION]
Dec 5 10:36:09 nStest pluto[18891]: packet from 193.100.100.100:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Dec 5 10:36:09 nStest pluto[18891]: packet from 193.100.100.100:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Dec 5 10:36:09 nStest pluto[18891]: packet from 193.100.100.100:500: ignoring Vendor ID payload [IKE CGA version 1]
Dec 5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: responding to Main Mode from unknown peer 193.100.100.100
Dec 5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Dec 5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Dec 5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Dec 5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Dec 5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=BE, ST=HA, O=xxx, OU=microelectronics, CN=test_valentin, E=test_valentin@xxx.com'
Dec 5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: no crl from issuer "C=BE, ST=HA, L=Mons, O=xxx, OU=microelectronics, CN=test, E=test@xxx.com" found (strict=no)
Dec 5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: no suitable connection for peer 'C=BE, ST=HA, O=xxx, OU=microelectronics, CN=test_valentin, E=test_valentin@xxx.com'
Dec 5 10:36:09 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: sending encrypted notification INVALID_ID_INFORMATION to 193.100.100.100:500
Dec 5 10:36:11 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=BE, ST=HA, O=xxx, OU=microelectronics, CN=test_valentin, E=test_valentin@xxx.com'
Dec 5 10:36:11 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: no crl from issuer "C=BE, ST=HA, L=Mons, O=xxx, OU=microelectronics, CN=test, E=test@xxx.com" found (strict=no)
Dec 5 10:36:11 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: no suitable connection for peer 'C=BE, ST=HA, O=xxx, OU=microelectronics, CN=test_valentin, E=test_valentin@xxx.com'
Dec 5 10:36:11 nStest pluto[18891]: "RoadWarrior_x509"[1] 193.100.100.100 #1: sending encrypted notification INVALID_ID_INFORMATION to 193.100.100.100:500
Where is the problem?
I think it is in the NSS db (I have been on a Unix system for more or less just one week...).
Thank you very much
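The following is an added example, not code from the post above and not from the Openswan project. It addresses what the two "could not open host cert with nick name ... in NSS DB" / "NSS certficate not found" lines in the log are reporting: on an NSS-built Openswan such as the CentOS 6 package, `leftcert=` and the `: RSA` line in ipsec.secrets are NSS nicknames looked up in the database under /etc/ipsec.d, not file names under /etc/ipsec.d/certs or /etc/ipsec.d/private. The script pulls the missing nicknames out of a pluto log, checks that ipsec.conf and ipsec.secrets name the same nickname, and does a throwaway import of a cert and key into an NSS database with `pk12util` and `certutil` so the nickname shows up in `certutil -L`. The nickname "serverCert", the passwords, the temporary directories and the sample log and config text are all constructed for the example; on a real host the database directory would be /etc/ipsec.d.

```shell
#!/bin/sh
# Added example (not from the original post or the Openswan project): the
# NSS-side certificate workflow that an NSS-built Openswan expects.
# Assumptions, all constructed here: nickname "serverCert", passwords
# "dbpass"/"p12pass", temp directories, and the sample log/config text.
set -u

# Pluto lines constructed to mirror the post (wrapped lines joined).
sample_log() {
    cat <<'EOF'
Dec  5 10:34:13 host pluto[1]: loading certificate from serverCert.pem
Dec  5 10:34:13 host pluto[1]: could not open host cert with nick name 'serverCert.pem' in NSS DB
Dec  5 10:34:13 host pluto[1]: could not open host cert with nick name '/etc/ipsec.d/private/server.key' in NSS DB
Dec  5 10:34:13 host pluto[1]: "/etc/ipsec.d/ipsec.secrets" line 2: NSS certficate not found
EOF
}

# Read a pluto log on stdin; print each nickname pluto could not find in the
# NSS database, one per line. Exit status 1 when nothing was missing.
missing_nss_nicks() {
    sed -n "s/.*could not open host cert with nick name '\([^']*\)' in NSS DB.*/\1/p" \
        | LC_ALL=C sort -u | grep .
}

# Nickname named by leftcert= in an ipsec.conf ($1), or by ": RSA" in a secrets file ($1).
leftcert_nick() { sed -n 's/^[[:space:]]*leftcert=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | head -n 1; }
secrets_nick()  { sed -n 's/^[[:space:]]*:[[:space:]]*RSA[[:space:]]*"\{0,1\}\([^"#[:space:]]*\).*/\1/p' "$1" | head -n 1; }

# pluto looks both names up in the NSS db, so they must be the same nickname.
# Prints it and returns 0 on agreement, 1 otherwise; warns when the name
# looks like a file name, which is the mistake in the post.
nicks_agree() {
    a=$(leftcert_nick "$1"); b=$(secrets_nick "$2")
    [ -n "$a" ] && [ "$a" = "$b" ] || return 1
    case $a in *.pem|*.key|*/*) echo "warning: '$a' looks like a file name, not an NSS nickname" >&2 ;; esac
    printf '%s\n' "$a"
}

# Writes the post's broken pair and a corrected pair into directory $1.
write_samples() {
    printf 'conn RoadWarrior_x509\n\tauthby=rsasig\n\tleftcert=serverCert.pem\n' > "$1/bad.conf"
    printf ': RSA serverKey.pem # for ... X509 ??\n' > "$1/bad.secrets"
    printf 'conn RoadWarrior_x509\n\tauthby=rsasig\n\tleftcert=serverCert\n' > "$1/good.conf"
    printf ': RSA "serverCert"\n' > "$1/good.secrets"
}

# Trust a CA and import a PEM certificate + key into an NSS database under a
# nickname. $1 db dir, $2 nickname, $3 cert PEM, $4 key PEM, $5 CA PEM,
# $6 file holding the db password.
nss_import_hostcert() {
    db=$1 nick=$2 cert=$3 key=$4 ca=$5 pwfile=$6
    certutil -A -d "$db" -f "$pwfile" -n "$nick-CA" -t "CT,," -i "$ca" || return 1
    p12=$(mktemp) || return 1
    # -name sets the PKCS#12 friendlyName, which pk12util uses as the nickname.
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$nick" \
        -passout pass:p12pass -out "$p12" || return 1
    pk12util -i "$p12" -d "$db" -k "$pwfile" -W p12pass >/dev/null || return 1
    rm -f "$p12"
}

# True when `certutil -L` lists nickname $2 in database $1.
nss_has_nick() { certutil -L -d "$1" | awk -v n="$2" '$1 == n { f = 1 } END { exit !f }'; }

# End-to-end check in a throwaway directory: make a CA and host cert with
# openssl, import them, confirm the nickname is visible. Returns 2 (skipped)
# when openssl, certutil or pk12util is not installed.
nss_roundtrip() {
    for t in openssl certutil pk12util; do
        command -v "$t" >/dev/null 2>&1 || { echo "skip: $t not installed" >&2; return 2; }
    done
    w=$(mktemp -d) || return 1
    printf 'dbpass\n' > "$w/pw"
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj '/CN=Test CA' \
        -keyout "$w/ca.key" -out "$w/ca.pem" 2>/dev/null || return 1
    openssl req -nodes -newkey rsa:2048 -subj '/CN=test-server' \
        -keyout "$w/server.key" -out "$w/server.csr" 2>/dev/null || return 1
    openssl x509 -req -days 365 -in "$w/server.csr" -CA "$w/ca.pem" -CAkey "$w/ca.key" \
        -CAcreateserial -out "$w/server.pem" 2>/dev/null || return 1
    certutil -N -d "$w" -f "$w/pw" || return 1
    nss_import_hostcert "$w" serverCert "$w/server.pem" "$w/server.key" "$w/ca.pem" "$w/pw" || return 1
    rc=0; nss_has_nick "$w" serverCert || rc=1
    rm -rf "$w"; return $rc
}

# Stand-alone demo:  sh this_file.sh demo
if [ "${1:-}" = demo ]; then
    sample_log | missing_nss_nicks
    d=$(mktemp -d); write_samples "$d"
    nicks_agree "$d/bad.conf" "$d/bad.secrets" || echo "bad pair: nicknames disagree"
    nicks_agree "$d/good.conf" "$d/good.secrets"
    rm -rf "$d"
    nss_roundtrip && echo "NSS import round trip OK"
fi
```

Once the import has been done against the real database (`-d /etc/ipsec.d`), the nickname that `certutil -L -d /etc/ipsec.d` prints is what goes into `leftcert=` and into the `: RSA "nickname"` line; the PEM copies under /etc/ipsec.d/certs and /etc/ipsec.d/private are not consulted by an NSS build. Note that the trust flags given to `certutil -A` and the PKCS#12 password handling are this example's choices, not something the post specifies.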