[Openswan Users] Issues with OpenSWAN / Cisco 2911 IOS 15 and Digital Certitifcates!

Madden, Joe Joe.Madden at mottmac.com
Fri Dec 5 08:42:06 EST 2014 

Hi all,

Currently working on a project that requires a site to site VPN using. We have chosen to authentication using Digital Certificates (rsasig on cisco).

Please see below for an outline of the cisco configuration:

crypto pki trustpoint ipsecvpn
enrollment terminal
fqdn gw.test.com
subject-name CN=gw.test.com,OU=TestOU,O=TestCompany,C=UK
revocation-check none
rsakeypair testrsapair

crypto pki certificate chain testrsapair
certificate 0A
certificate hash here ###
certificate ca 00E36E3DF10610AFEF
certitifcate hash here ###

crypto isakmp policy 10
encr aes 256
group 5
lifetime 3600

crypto ipsec transform-set IPSEC1 esp-aes 256 esp-sha-hmac
mode tunnel

crypto map test1 10 ipsec-isakmp
set peer 10.67.0.2
set transform-set IPSEC1
match address VPNTRAF1

interface GigabitEthernet0/0
ip address 10.67.0.1 255.255.255.0
duplex auto
speed auto
crypto map test1

I used the enrol terminal to generate a CSR and sign it and subsequently imported it back into the router. I believe this site of things is setup correctly.

IPsec config is as follows:

conn tunnelipsec
        authby=         rsasig
                auto=                    start
                type=                    tunnel
#
        left=              10.67.0.2
                leftid=                   "C=UK, O=testo2, OU=ou2, CN=gw.test1.org.uk"
        leftsubnets=              10.123.34.8/29,10.123.32.40/29,10.123.32.64/28
                leftcert=              gw.test1.org.uk
                leftrsasigkey=    %cert
                leftca=                  "/etc/ipsec.d/cacerts/masterca.pem"
#
                right=                    10.67.0.1
        rightid=        " OU=TestOU, O=TestCompany, C=UK, CN= gw.test.com "
        rightsubnet=    192.168.12.0/24
                rightca=                "/etc/ipsec.d/cacerts/masterca.pem"
                keyexchange=  ike
                ike=                       aes256-sha1;modp1536!
                #sha2_truncbug=            yes
                phase2=                               esp
                phase2alg=         aes256-sha1!

This configuration worked on Pre-Shared Keys however does not work when you introduce the certificate based authentication OpenSWAN does authenticate with the router but the router fails to find the correct certificates to return. The router logs output looks like this:

Dec  5 11:24:47.819: ISAKMP (1044): received packet from 10.67.0.2 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Dec  5 11:24:47.819: ISAKMP:(1044):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec  5 11:24:47.819: ISAKMP:(1044):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Dec  5 11:24:47.819: ISAKMP:(1044): processing ID payload. message ID = 0
*Dec  5 11:24:47.819: ISAKMP (1044): ID payload
                next-payload : 6
                type         : 2
                FQDN name    : gw.test1.org.uk
                protocol     : 0
                port         : 0
                length       : 23
*Dec  5 11:24:47.819: ISAKMP:(0):: peer matches *none* of the profiles
*Dec  5 11:24:47.819: ISAKMP:(1044): processing CERT payload. message ID = 0
*Dec  5 11:24:47.819: ISAKMP:(1044): processing a CT_X509_SIGNATURE cert
*Dec  5 11:24:47.819: ISAKMP:(1044): IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.819: ISAKMP:(1044): PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.819: ISAKMP:(1044): IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.823: ISAKMP:(1044): PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.823: ISAKMP:(1044): peer's pubkey isn't cached
*Dec  5 11:24:47.823: ISAKMP:(0):: peer matches *none* of the profiles
*Dec  5 11:24:47.823: ISAKMP:(1044): IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.831: ISAKMP:(1044): PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.831: ISAKMP:(1044): processing CERT_REQ payload. message ID = 0
*Dec  5 11:24:47.831: ISAKMP:(1044): peer wants a CT_X509_SIGNATURE cert
*Dec  5 11:24:47.831: ISAKMP:(1044): issuer not specified in cert request
*Dec  5 11:24:47.831: ISAKMP:(1044): No issuer name in cert request.
*Dec  5 11:24:47.831: ISAKMP:(1044): processing SIG payload. message ID = 0
*Dec  5 11:24:47.839: ISAKMP:(1044):SA authentication status:
                authenticated

The router then goes on to get its owner certificate at which point it fails:

*Dec  5 11:24:47.839: ISAKMP:(1044):SA has been authenticated with 10.67.0.2
*Dec  5 11:24:47.839: ISAKMP:(1044):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec  5 11:24:47.839: ISAKMP:(1044):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Dec  5 11:24:47.839: ISAKMP:(1044): IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.839: ISAKMP:(1044): PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.839: ISAKMP:(1044):Unable to get router cert or routerdoes not have a cert: needed to find DN!
*Dec  5 11:24:47.839: ISAKMP:(1044):SA is doing RSA signature authentication using id type ID_IPV4_ADDR
*Dec  5 11:24:47.839: ISAKMP (1044): ID payload
                next-payload : 6
                type         : 1
                address      : 10.67.0.1
                protocol     : 17
                port         : 500
                length       : 12
*Dec  5 11:24:47.839: ISAKMP:(1044):Total payload length: 12
*Dec  5 11:24:47.839: ISAKMP (1044): no cert chain to send to peer
*Dec  5 11:24:47.839: ISAKMP (1044): peer did not specify issuer and no suitable profile found
*Dec  5 11:24:47.839: ISAKMP (1044): FSM action returned error: 2
*Dec  5 11:24:47.839: ISAKMP:(1044):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec  5 11:24:47.839: ISAKMP:(1044):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Dec  5 11:24:57.831: ISAKMP (1044): received packet from 10.67.0.2  dport 500 sport 500 Global (R) MM_KEY_EXCH
*Dec  5 11:24:57.831: ISAKMP:(1044): phase 1 packet is a duplicate of a previous packet.
*Dec  5 11:24:57.831: ISAKMP:(1044): retransmitting due to retransmit phase 1
*Dec  5 11:24:57.831: ISAKMP:(1044): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
*Dec  5 11:25:02.703: ISAKMP:(1041):purging node 1858511306
*Dec  5 11:25:02.703: ISAKMP:(1041):purging node -560727786
*Dec  5 11:25:02.703: ISAKMP:(1041):purging node 464479444
*Dec  5 11:25:02.707: ISAKMP: set new node 0 to QM_IDLE


Does anyone know if there a way to force the Cisco to map the correct certificate or better if there is a way to tell OpenSWAN include the issuer in the request. I can confirm that the X509 certificates have both been signed by the same CA and therefore have issuer information within them.

Thanks

Joe.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20141205/70faae94/attachment-0001.html>

More information about the Users mailing list