[Openswan Users] Issues with OpenSWAN / Cisco 2911 IOS 15 and Digital Certificates!

Madden, Joe Joe.Madden at mottmac.com
Tue Dec 9 05:26:31 EST 2014


Hi All,
We use an X509 PKI for authentication of our IPsec VPNs. We have a number of Cisco 2911s and 2811s using this authentication method (RSASIG) successfully. We wish to interface an OpenSWAN configuration to a Cisco 2911; however, despite trying a number of configurations, none appear to work.
We have tested 2911 to 2911 successfully and then switched out a 2911 for an OpenSWAN instance with the following configuration:
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16
#   plutodebug=all
    oe=off

# Load ipsec VPNs for a different location
include /etc/ipsec.d/*.conf

/etc/ipsec.d/vpn.conf:

conn tunnelipsec
    authby=rsasig
    auto=start
    type=tunnel
    #RRT
    left=172.0.0.2
    leftid="CN = gw.test1.org.uk"
    leftsubnets=10.123.34.8/29,10.123.32.40/29,10.123.32.64/28
    leftcert=cert1.dc
    leftrsasigkey=%cert
    leftsendcert=always
    #SAA

    right=172.0.0.1
    rightid="CN = gw.test2.org.uk"
    rightsubnet=192.168.12.0/24
    keyexchange=ike
    ike=aes256-sha1;modp1536!
    #sha2_truncbug=yes
    phase2=esp
    phase2alg=aes256-sha1!

/etc/ipsec.d/vpn.secrets:

172.0.0.1 172.0.0.2: RSA cert1.dc

This configuration will not connect to the 2911 router, and /var/log/secure shows the following:
Dec  9 09:51:03 172-0-0-2 ipsec__plutorun: Starting Pluto subsystem...
Dec  9 09:51:03 172-0-0-2 pluto[17666]: nss directory plutomain: /etc/ipsec.d
Dec  9 09:51:03 172-0-0-2 pluto[17666]: NSS Initialized
Dec  9 09:51:03 172-0-0-2 pluto[17666]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Dec  9 09:51:03 172-0-0-2 pluto[17666]: Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:17666
Dec  9 09:51:03 172-0-0-2 pluto[17666]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Dec  9 09:51:03 172-0-0-2 pluto[17666]: LEAK_DETECTIVE support [disabled]
Dec  9 09:51:03 172-0-0-2 pluto[17666]: OCF support for IKE [disabled]
Dec  9 09:51:03 172-0-0-2 pluto[17666]: SAref support [disabled]: Protocol not available
Dec  9 09:51:03 172-0-0-2 pluto[17666]: SAbind support [disabled]: Protocol not available
Dec  9 09:51:03 172-0-0-2 pluto[17666]: NSS support [enabled]
Dec  9 09:51:03 172-0-0-2 pluto[17666]: HAVE_STATSD notification support not compiled in
Dec  9 09:51:03 172-0-0-2 pluto[17666]: Setting NAT-Traversal port-4500 floating to on
Dec  9 09:51:03 172-0-0-2 pluto[17666]:    port floating activation criteria nat_t=1/port_float=1
Dec  9 09:51:03 172-0-0-2 pluto[17666]:    NAT-Traversal support  [enabled]
Dec  9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Dec  9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Dec  9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Dec  9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec  9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Dec  9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Dec  9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Dec  9 09:51:03 172-0-0-2 pluto[17666]: starting up 1 cryptographic helpers
Dec  9 09:51:03 172-0-0-2 pluto[17666]: started helper (thread) pid=139636807268096 (fd:10)
Dec  9 09:51:03 172-0-0-2 pluto[17666]: Using Linux 2.6 IPsec interface code on 2.6.32-279.el6.x86_64 (experimental code)
Dec  9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Dec  9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_add(): ERROR: Algorithm already exists
Dec  9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Dec  9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_add(): ERROR: Algorithm already exists
Dec  9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Dec  9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_add(): ERROR: Algorithm already exists
Dec  9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Dec  9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_add(): ERROR: Algorithm already exists
Dec  9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Dec  9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_add(): ERROR: Algorithm already exists
Dec  9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Dec  9 09:51:03 172-0-0-2 pluto[17666]: Changed path to directory '/etc/ipsec.d/cacerts'
Dec  9 09:51:03 172-0-0-2 pluto[17666]:   loaded CA cert file 'cacert.pem' (1472 bytes)
Dec  9 09:51:03 172-0-0-2 pluto[17666]: Changed path to directory '/etc/ipsec.d/aacerts'
Dec  9 09:51:03 172-0-0-2 pluto[17666]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Dec  9 09:51:03 172-0-0-2 pluto[17666]: Changing to directory '/etc/ipsec.d/crls'
Dec  9 09:51:03 172-0-0-2 pluto[17666]:   Warning: empty directory
Dec  9 09:51:03 172-0-0-2 pluto[17666]: | selinux support is enabled.
Dec  9 09:51:03 172-0-0-2 pluto[17666]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Dec  9 09:51:03 172-0-0-2 pluto[17666]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Dec  9 09:51:03 172-0-0-2 pluto[17666]: loading certificate from gw.harcc.org.uk.dc
Dec  9 09:51:03 172-0-0-2 pluto[17666]: added connection description "tunnelipsec/1x0"
Dec  9 09:51:03 172-0-0-2 pluto[17666]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Dec  9 09:51:03 172-0-0-2 pluto[17666]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Dec  9 09:51:03 172-0-0-2 pluto[17666]: loading certificate from gw.harcc.org.uk.dc
Dec  9 09:51:03 172-0-0-2 pluto[17666]: added connection description "tunnelipsec/2x0"
Dec  9 09:51:03 172-0-0-2 pluto[17666]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Dec  9 09:51:03 172-0-0-2 pluto[17666]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Dec  9 09:51:03 172-0-0-2 pluto[17666]: loading certificate from gw.harcc.org.uk.dc
Dec  9 09:51:03 172-0-0-2 pluto[17666]: added connection description "tunnelipsec/3x0"
Dec  9 09:51:03 172-0-0-2 pluto[17666]: listening for IKE messages
Dec  9 09:51:03 172-0-0-2 pluto[17666]: adding interface eth0/eth0 172.0.0.2:500
Dec  9 09:51:03 172-0-0-2 pluto[17666]: adding interface eth0/eth0 172.0.0.2:4500
Dec  9 09:51:03 172-0-0-2 pluto[17666]: adding interface lo/lo 127.0.0.1:500
Dec  9 09:51:03 172-0-0-2 pluto[17666]: adding interface lo/lo 127.0.0.1:4500
Dec  9 09:51:03 172-0-0-2 pluto[17666]: loading secrets from "/etc/ipsec.secrets"
Dec  9 09:51:03 172-0-0-2 pluto[17666]: loading secrets from "/etc/ipsec.d/SSL.secrets"
Dec  9 09:51:03 172-0-0-2 pluto[17666]: loaded private key for keyid: PPK_RSA:AwEAAeRSy
Dec  9 09:51:03 172-0-0-2 pluto[17666]: initiating all conns with alias='tunnelipsec'
Dec  9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: initiating Main Mode
Dec  9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: received Vendor ID payload [RFC 3947] method set to=109
Dec  9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: enabling possible NAT-traversal with method 4
Dec  9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec  9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Dec  9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: received Vendor ID payload [Cisco-Unity]
Dec  9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: received Vendor ID payload [Dead Peer Detection]
Dec  9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: ignoring unknown Vendor ID payload [4f6fe869d5b9a2b9c45b7adfd1f01694]
Dec  9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: received Vendor ID payload [XAUTH]
Dec  9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Dec  9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: I am sending my cert
Dec  9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: I am sending a certificate request
Dec  9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec  9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Dec  9 09:51:39 172-0-0-2 pluto[17666]: shutting down
Dec  9 09:51:39 172-0-0-2 pluto[17666]: forgetting secrets
Dec  9 09:51:39 172-0-0-2 pluto[17666]: "tunnelipsec/3x0": deleting connection
Dec  9 09:51:39 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: deleting state (STATE_MAIN_I3)
Dec  9 09:51:39 172-0-0-2 pluto[17666]: "tunnelipsec/2x0": deleting connection
Dec  9 09:51:39 172-0-0-2 pluto[17666]: "tunnelipsec/1x0": deleting connection
2911 debug output shows:
*Dec  9 09:41:09.243: ISAKMP (0): received packet from 172.0.0.2 dport 500 sport 500 Global (N) NEW SA
*Dec  9 09:41:09.243: ISAKMP: Found a peer struct for 172.0.0.2, peer port 500
*Dec  9 09:41:09.243: ISAKMP: Locking peer struct 0x3C7E38E4, refcount 9 for crypto_isakmp_process_block
*Dec  9 09:41:09.243: ISAKMP: local port 500, remote port 500
*Dec  9 09:41:09.243: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 21D908D4
*Dec  9 09:41:09.243: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec  9 09:41:09.243: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Dec  9 09:41:09.243: ISAKMP:(0): processing SA payload. message ID = 0
*Dec  9 09:41:09.243: ISAKMP:(0): processing vendor id payload
*Dec  9 09:41:09.243: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch
*Dec  9 09:41:09.243: ISAKMP:(0): processing vendor id payload
*Dec  9 09:41:09.243: ISAKMP:(0): vendor ID is DPD
*Dec  9 09:41:09.243: ISAKMP:(0): processing vendor id payload
*Dec  9 09:41:09.243: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Dec  9 09:41:09.243: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Dec  9 09:41:09.243: ISAKMP:(0): processing vendor id payload
*Dec  9 09:41:09.243: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Dec  9 09:41:09.243: ISAKMP:(0): vendor ID is NAT-T v3
*Dec  9 09:41:09.243: ISAKMP:(0): processing vendor id payload
*Dec  9 09:41:09.243: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Dec  9 09:41:09.243: ISAKMP:(0): vendor ID is NAT-T v2
*Dec  9 09:41:09.243: ISAKMP:(0): processing vendor id payload
*Dec  9 09:41:09.243: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Dec  9 09:41:09.243: ISAKMP:(0): processing vendor id payload
*Dec  9 09:41:09.243: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
*Dec  9 09:41:09.243: ISAKMP : Scanning profiles for xauth ...
*Dec  9 09:41:09.243: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer 172.0.0.2)
*Dec  9 09:41:09.243: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer 172.0.0.2)
*Dec  9 09:41:09.243: ISAKMP:(0):Checking ISAKMP transform 0 against priority 10 policy
*Dec  9 09:41:09.243: ISAKMP:      life type in seconds
*Dec  9 09:41:09.243: ISAKMP:      life duration (basic) of 3600
*Dec  9 09:41:09.243: ISAKMP:      encryption AES-CBC
*Dec  9 09:41:09.243: ISAKMP:      hash SHA
*Dec  9 09:41:09.243: ISAKMP:      auth RSA sig
*Dec  9 09:41:09.243: ISAKMP:      default group 5
*Dec  9 09:41:09.243: ISAKMP:      keylength of 256
*Dec  9 09:41:09.247: ISAKMP:(0):atts are acceptable. Next payload is 0
*Dec  9 09:41:09.247: ISAKMP:(0):Acceptable atts:actual life: 0
*Dec  9 09:41:09.247: ISAKMP:(0):Acceptable atts:life: 0
*Dec  9 09:41:09.247: ISAKMP:(0):Basic life_in_seconds:3600
*Dec  9 09:41:09.247: ISAKMP:(0): IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer 172.0.0.2)
*Dec  9 09:41:09.247: ISAKMP:(0): PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer 172.0.0.2)
*Dec  9 09:41:09.247: ISAKMP:(0):Returning Actual lifetime: 3600
*Dec  9 09:41:09.247: ISAKMP:(0)::Started lifetime timer: 3600.

*Dec  9 09:41:09.247: ISAKMP:(0): processing vendor id payload
*Dec  9 09:41:09.247: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch
*Dec  9 09:41:09.247: ISAKMP:(0): processing vendor id payload
*Dec  9 09:41:09.247: ISAKMP:(0): vendor ID is DPD
*Dec  9 09:41:09.247: ISAKMP:(0): processing vendor id payload
*Dec  9 09:41:09.247: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Dec  9 09:41:09.247: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Dec  9 09:41:09.247: ISAKMP:(0): processing vendor id payload
*Dec  9 09:41:09.247: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Dec  9 09:41:09.247: ISAKMP:(0): vendor ID is NAT-T v3
*Dec  9 09:41:09.247: ISAKMP:(0): processing vendor id payload
*Dec  9 09:41:09.247: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Dec  9 09:41:09.247: ISAKMP:(0): vendor ID is NAT-T v2
*Dec  9 09:41:09.247: ISAKMP:(0): processing vendor id payload
*Dec  9 09:41:09.247: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Dec  9 09:41:09.247: ISAKMP:(0): processing vendor id payload
*Dec  9 09:41:09.247: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
*Dec  9 09:41:09.247: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec  9 09:41:09.247: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Dec  9 09:41:09.247: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Dec  9 09:41:09.247: ISAKMP:(0): sending packet to 172.0.0.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Dec  9 09:41:09.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Dec  9 09:41:09.247: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec  9 09:41:09.247: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Dec  9 09:41:09.251: ISAKMP (0): received packet from 172.0.0.2 dport 500 sport 500 Global (R) MM_SA_SETUP
*Dec  9 09:41:09.251: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec  9 09:41:09.251: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*Dec  9 09:41:09.251: ISAKMP:(0): processing KE payload. message ID = 0
*Dec  9 09:41:09.315: ISAKMP:(0): processing NONCE payload. message ID = 0
*Dec  9 09:41:09.319: ISAKMP:received payload type 20
*Dec  9 09:41:09.319: ISAKMP (1009): His hash no match - this node outside NAT
*Dec  9 09:41:09.319: ISAKMP:received payload type 20
*Dec  9 09:41:09.319: ISAKMP (1009): No NAT Found for self or peer
*Dec  9 09:41:09.319: ISAKMP:(1009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec  9 09:41:09.319: ISAKMP:(1009):Old State = IKE_R_MM3  New State = IKE_R_MM3

*Dec  9 09:41:09.319: ISAKMP:(1009): IKE->PKI Get configured TrustPoints state (R) MM_KEY_EXCH (peer 172.0.0.2)
*Dec  9 09:41:09.319: ISAKMP:(1009): PKI->IKE Got configured TrustPoints state (R) MM_KEY_EXCH (peer 172.0.0.2)
*Dec  9 09:41:09.319: ISAKMP:(1009): IKE->PKI Get IssuerNames state (R) MM_KEY_EXCH (peer 172.0.0.2)
*Dec  9 09:41:09.319: ISAKMP:(1009): PKI->IKE Got IssuerNames state (R) MM_KEY_EXCH (peer 172.0.0.2)
*Dec  9 09:41:09.319: ISAKMP (1009): constructing CERT_REQ for issuer e=helpdesk at test.com,cn=MasterCA,ou=test-ou,o=test-o,l=Glasgow,st=Scotland,c=UK
*Dec  9 09:41:09.319: ISAKMP:(1009): sending packet to 172.0.0.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Dec  9 09:41:09.319: ISAKMP:(1009):Sending an IKE IPv4 Packet.
*Dec  9 09:41:09.319: ISAKMP:(1009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec  9 09:41:09.319: ISAKMP:(1009):Old State = IKE_R_MM3  New State = IKE_R_MM4

*Dec  9 09:41:09.335: ISAKMP (1009): received packet from 172.0.0.2 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Dec  9 09:41:09.335: ISAKMP:(1009):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec  9 09:41:09.335: ISAKMP:(1009):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Dec  9 09:41:09.335: ISAKMP:(1009): processing ID payload. message ID = 0
*Dec  9 09:41:09.335: ISAKMP (1009): ID payload
    next-payload : 6
    type         : 9
    Dist. name   : cn=gw.test1.org.uk
    protocol     : 0
    port         : 0
    length       : 36
*Dec  9 09:41:09.335: ISAKMP:(0):: peer matches *none* of the profiles
*Dec  9 09:41:09.335: ISAKMP:(1009): processing CERT payload. message ID = 0
*Dec  9 09:41:09.335: ISAKMP:(1009): processing a CT_X509_SIGNATURE cert
*Dec  9 09:41:09.335: ISAKMP:(1009): IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer 172.0.0.2)
*Dec  9 09:41:09.335: ISAKMP:(1009): PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer 172.0.0.2)
*Dec  9 09:41:09.335: ISAKMP:(1009): IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer 172.0.0.2)
*Dec  9 09:41:09.335: ISAKMP:(1009): PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer 172.0.0.2)
*Dec  9 09:41:09.335: ISAKMP:(1009): peer's pubkey isn't cached
*Dec  9 09:41:09.335: ISAKMP:(0):: peer matches *none* of the profiles
*Dec  9 09:41:09.335: ISAKMP:(1009): IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer 172.0.0.2)
*Dec  9 09:41:09.343: ISAKMP:(1009): PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer 172.0.0.2)
*Dec  9 09:41:09.343: %CRYPTO-6-IKMP_NO_ID_CERT_DN_MATCH: ID of cn=gw.test1.org.uk (type 9) and certificate DN with e=gw.test1.org.uk,cn=gw.test1.org.uk,ou=test-ou,o=test-o,l=Glasgow,st=Scotland,c=UK
*Dec  9 09:41:09.343: ISAKMP:(1009): processing CERT_REQ payload. message ID = 0
*Dec  9 09:41:09.343: ISAKMP:(1009): peer wants a CT_X509_SIGNATURE cert
**** *Dec  9 09:41:09.343: ISAKMP:(1009): issuer not specified in cert request ***
*** *Dec  9 09:41:09.343: ISAKMP:(1009): No issuer name in cert request .***
*Dec  9 09:41:09.343: ISAKMP:(1009): processing SIG payload. message ID = 0
*Dec  9 09:41:09.351: ISAKMP:(1009):SA authentication status:
    authenticated
*Dec  9 09:41:09.351: ISAKMP:(1009):SA has been authenticated with 172.0.0.2
*Dec  9 09:41:09.351: ISAKMP:(1009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec  9 09:41:09.351: ISAKMP:(1009):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Dec  9 09:41:09.351: ISAKMP:(1009): IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer 172.0.0.2)
*Dec  9 09:41:09.351: ISAKMP:(1009): PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer 172.0.0.2)
*** *Dec  9 09:41:09.351: ISAKMP:(1009):Unable to get router cert or routerdoes not have a cert: needed to find DN! ***
*Dec  9 09:41:09.351: ISAKMP:(1009):SA is doing RSA signature authentication using id type ID_IPV4_ADDR
*Dec  9 09:41:09.351: ISAKMP (1009): ID payload
    next-payload : 6
    type         : 1
    address      : 172.0.0.1
    protocol     : 17
    port         : 500
    length       : 12
*Dec  9 09:41:09.351: ISAKMP:(1009):Total payload length: 12
*Dec  9 09:41:09.351: ISAKMP (1009): no cert chain to send to peer
*Dec  9 09:41:09.351: ISAKMP (1009): peer did not specify issuer and no suitable profile found
*Dec  9 09:41:09.351: ISAKMP (1009): FSM action returned error: 2
*Dec  9 09:41:09.351: ISAKMP:(1009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec  9 09:41:09.351: ISAKMP:(1009):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Dec  9 09:41:19.343: ISAKMP (1009): received packet from 172.0.0.2 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Dec  9 09:41:19.343: ISAKMP:(1009): phase 1 packet is a duplicate of a previous packet.
*Dec  9 09:41:19.343: ISAKMP:(1009): retransmitting due to retransmit phase 1
*Dec  9 09:41:19.343: ISAKMP:(1009): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
*Dec  9 09:41:39.363: ISAKMP (1009): received packet from 172.0.0.2 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Dec  9 09:41:39.363: ISAKMP:(1009): phase 1 packet is a duplicate of a previous packet.
*Dec  9 09:41:39.363: ISAKMP:(1009): retransmitting due to retransmit phase 1
*Dec  9 09:41:39.363: ISAKMP:(1009): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
According to this, it would suggest that OpenSWAN is not sending the issuer of the certificate, and therefore the router cannot send the counter certificate back. Please note that the relevant sections are marked with ***.
Any advice would be excellent.
Thanks
Joe.

From: Madden, Joe
Sent: 05 December 2014 13:42
To: 'users at lists.openswan.org'
Subject: Issues with OpenSWAN / Cisco 2911 IOS 15 and Digital Certificates!

Hi all,

Currently working on a project that requires a site-to-site VPN using. We have chosen to authenticate using Digital Certificates (rsasig on Cisco).

Please see below for an outline of the Cisco configuration:

crypto pki trustpoint ipsecvpn
 enrollment terminal
 fqdn gw.test.com
 subject-name CN=gw.test.com,OU=TestOU,O=TestCompany,C=UK
 revocation-check none
 rsakeypair testrsapair

crypto pki certificate chain testrsapair
 certificate 0A
  certificate hash here ###
 certificate ca 00E36E3DF10610AFEF
  certificate hash here ###

crypto isakmp policy 10
 encr aes 256
 group 5
 lifetime 3600

crypto ipsec transform-set IPSEC1 esp-aes 256 esp-sha-hmac
 mode tunnel

crypto map test1 10 ipsec-isakmp
 set peer 10.67.0.2
 set transform-set IPSEC1
 match address VPNTRAF1

interface GigabitEthernet0/0
 ip address 10.67.0.1 255.255.255.0
 duplex auto
 speed auto
 crypto map test1

I used the enrol terminal to generate a CSR and sign it and subsequently imported it back into the router. I believe this side of things is set up correctly.

IPsec config is as follows:

conn tunnelipsec
    authby=rsasig
    auto=start
    type=tunnel
    #
    left=10.67.0.2
    leftid="C=UK, O=testo2, OU=ou2, CN=gw.test1.org.uk"
    leftsubnets=10.123.34.8/29,10.123.32.40/29,10.123.32.64/28
    leftcert=gw.test1.org.uk
    leftrsasigkey=%cert
    leftca="/etc/ipsec.d/cacerts/masterca.pem"
    #
    right=10.67.0.1
    rightid=" OU=TestOU, O=TestCompany, C=UK, CN= gw.test.com "
    rightsubnet=192.168.12.0/24
    rightca="/etc/ipsec.d/cacerts/masterca.pem"
    keyexchange=ike
    ike=aes256-sha1;modp1536!
    #sha2_truncbug=yes
    phase2=esp
    phase2alg=aes256-sha1!

This configuration worked on Pre-Shared Keys; however, it does not work when you introduce the certificate-based authentication. OpenSWAN does authenticate with the router, but the router fails to find the correct certificates to return. The router log output looks like this:

Dec  5 11:24:47.819: ISAKMP (1044): received packet from 10.67.0.2 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Dec  5 11:24:47.819: ISAKMP:(1044):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec  5 11:24:47.819: ISAKMP:(1044):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Dec  5 11:24:47.819: ISAKMP:(1044): processing ID payload. message ID = 0
*Dec  5 11:24:47.819: ISAKMP (1044): ID payload
                next-payload : 6
                type         : 2
                FQDN name    : gw.test1.org.uk
                protocol     : 0
                port         : 0
                length       : 23
*Dec  5 11:24:47.819: ISAKMP:(0):: peer matches *none* of the profiles
*Dec  5 11:24:47.819: ISAKMP:(1044): processing CERT payload. message ID = 0
*Dec  5 11:24:47.819: ISAKMP:(1044): processing a CT_X509_SIGNATURE cert
*Dec  5 11:24:47.819: ISAKMP:(1044): IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.819: ISAKMP:(1044): PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.819: ISAKMP:(1044): IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.823: ISAKMP:(1044): PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.823: ISAKMP:(1044): peer's pubkey isn't cached
*Dec  5 11:24:47.823: ISAKMP:(0):: peer matches *none* of the profiles
*Dec  5 11:24:47.823: ISAKMP:(1044): IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.831: ISAKMP:(1044): PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.831: ISAKMP:(1044): processing CERT_REQ payload. message ID = 0
*Dec  5 11:24:47.831: ISAKMP:(1044): peer wants a CT_X509_SIGNATURE cert
*Dec  5 11:24:47.831: ISAKMP:(1044): issuer not specified in cert request
*Dec  5 11:24:47.831: ISAKMP:(1044): No issuer name in cert request.
*Dec  5 11:24:47.831: ISAKMP:(1044): processing SIG payload. message ID = 0
*Dec  5 11:24:47.839: ISAKMP:(1044):SA authentication status:
                authenticated

The router then goes on to get its own certificate, at which point it fails:

*Dec  5 11:24:47.839: ISAKMP:(1044):SA has been authenticated with 10.67.0.2
*Dec  5 11:24:47.839: ISAKMP:(1044):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec  5 11:24:47.839: ISAKMP:(1044):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Dec  5 11:24:47.839: ISAKMP:(1044): IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.839: ISAKMP:(1044): PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.839: ISAKMP:(1044):Unable to get router cert or routerdoes not have a cert: needed to find DN!
*Dec  5 11:24:47.839: ISAKMP:(1044):SA is doing RSA signature authentication using id type ID_IPV4_ADDR
*Dec  5 11:24:47.839: ISAKMP (1044): ID payload
                next-payload : 6
                type         : 1
                address      : 10.67.0.1
                protocol     : 17
                port         : 500
                length       : 12
*Dec  5 11:24:47.839: ISAKMP:(1044):Total payload length: 12
*Dec  5 11:24:47.839: ISAKMP (1044): no cert chain to send to peer
*Dec  5 11:24:47.839: ISAKMP (1044): peer did not specify issuer and no suitable profile found
*Dec  5 11:24:47.839: ISAKMP (1044): FSM action returned error: 2
*Dec  5 11:24:47.839: ISAKMP:(1044):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec  5 11:24:47.839: ISAKMP:(1044):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Dec  5 11:24:57.831: ISAKMP (1044): received packet from 10.67.0.2  dport 500 sport 500 Global (R) MM_KEY_EXCH
*Dec  5 11:24:57.831: ISAKMP:(1044): phase 1 packet is a duplicate of a previous packet.
*Dec  5 11:24:57.831: ISAKMP:(1044): retransmitting due to retransmit phase 1
*Dec  5 11:24:57.831: ISAKMP:(1044): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
*Dec  5 11:25:02.703: ISAKMP:(1041):purging node 1858511306
*Dec  5 11:25:02.703: ISAKMP:(1041):purging node -560727786
*Dec  5 11:25:02.703: ISAKMP:(1041):purging node 464479444
*Dec  5 11:25:02.707: ISAKMP: set new node 0 to QM_IDLE


Does anyone know if there is a way to force the Cisco to map the correct certificate or, better, if there is a way to tell OpenSWAN to include the issuer in the request? I can confirm that the X509 certificates have both been signed by the same CA and therefore have issuer information within them.

Thanks

Joe.
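
An added example, not part of the original post: a small triage script that reduces router ISAKMP debug output like the capture above to its Main Mode state transitions and certificate-related messages, and lists which RDNs of the certificate subject are absent from the IKE ID named in the %CRYPTO-6-IKMP_NO_ID_CERT_DN_MATCH line. The sample lines are excerpted from the post; the function names, the wording of the notes and the case- and order-insensitive RDN comparison are assumptions of this example.

```python
import re
from collections import Counter

# Lines excerpted from the router debug output in the post. The author's "***"
# highlighting is kept on one line to show that the parser tolerates it.
SAMPLE = """\
*Dec  9 09:41:09.335: ISAKMP:(1009):Old State = IKE_R_MM4  New State = IKE_R_MM5
*Dec  9 09:41:09.343: %CRYPTO-6-IKMP_NO_ID_CERT_DN_MATCH: ID of cn=gw.test1.org.uk (type 9) and certificate DN with e=gw.test1.org.uk,cn=gw.test1.org.uk,ou=test-ou,o=test-o,l=Glasgow,st=Scotland,c=UK
*Dec  9 09:41:09.343: ISAKMP:(1009): issuer not specified in cert request
*Dec  9 09:41:09.351: ISAKMP:(1009):Old State = IKE_R_MM5  New State = IKE_R_MM5
*** *Dec  9 09:41:09.351: ISAKMP:(1009):Unable to get router cert or routerdoes not have a cert: needed to find DN! ***
*Dec  9 09:41:09.351: ISAKMP:(1009):SA is doing RSA signature authentication using id type ID_IPV4_ADDR
*Dec  9 09:41:09.351: ISAKMP (1009): no cert chain to send to peer
*Dec  9 09:41:09.351: ISAKMP (1009): FSM action returned error: 2
*Dec  9 09:41:09.351: ISAKMP:(1009):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Dec  9 09:41:19.343: ISAKMP:(1009): phase 1 packet is a duplicate of a previous packet.
"""

# Log substring -> short note. The notes are this example's wording.
PKI_MARKERS = {
    "issuer not specified in cert request": "peer CERT_REQ named no issuer CA",
    "Unable to get router cert": "router could not select its own certificate",
    "using id type ID_IPV4_ADDR": "router identifies itself by IPv4 address",
    "no cert chain to send to peer": "router has no CERT payload to send",
    "FSM action returned error": "Main Mode state machine reported an error",
}
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
DN_RE = re.compile(r"IKMP_NO_ID_CERT_DN_MATCH: ID of (.+?) \(type (\d+)\) "
                   r"and certificate DN with (.+)$")


def parse_dn(dn):
    """Split 'cn=a,ou=b' into a Counter of lower-cased (attr, value) RDNs."""
    rdns = Counter()
    for part in re.split(r"(?<!\\),", dn):  # split on unescaped commas
        attr, _, value = part.strip().partition("=")
        rdns[(attr.strip().lower(), value.strip().lower())] += 1
    return rdns


def missing_rdns(id_dn, cert_dn):
    """RDNs present in the certificate subject but absent from the IKE ID."""
    diff = parse_dn(cert_dn) - parse_dn(id_dn)
    return sorted("%s=%s" % rdn for rdn in diff.elements())


def triage(debug_text):
    """Summarise states, PKI messages, DN mismatch and peer retransmits."""
    report = {"states": [], "findings": [], "dn_mismatch": None, "duplicates": 0}
    for raw in debug_text.splitlines():
        line = raw.strip("* \t")  # drop IOS '*' prefix and '***' highlighting
        m = STATE_RE.search(line)
        if m:
            if not report["states"]:
                report["states"].append(m.group(1))
            if m.group(2) != report["states"][-1]:  # skip self-transitions
                report["states"].append(m.group(2))
            continue
        m = DN_RE.search(line)
        if m:
            report["dn_mismatch"] = {
                "ike_id": m.group(1), "id_type": int(m.group(2)),
                "cert_subject": m.group(3),
                "missing_from_id": missing_rdns(m.group(1), m.group(3)),
            }
            continue
        if "phase 1 packet is a duplicate" in line:
            report["duplicates"] += 1  # peer is retransmitting its last packet
        for marker, note in PKI_MARKERS.items():
            if marker in line:
                report["findings"].append(note)
    return report


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("states:     " + " -> ".join(report["states"]))
    print("duplicates: %d" % report["duplicates"])
    for note in report["findings"]:
        print("finding:    " + note)
    if report["dn_mismatch"]:
        print("ID lacks:   " + ", ".join(report["dn_mismatch"]["missing_from_id"]))
```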