[Openswan Users] OpenSwan NSS X509 authentication issue
SEPAROVIC, Jason (Jason)** CTR **
Jason.Separovic at alcatel-lucent.com
Fri May 2 00:58:31 EDT 2014
Hi,
I'm having trouble getting X509 certs working with Openswan. I've followed the directions in README.nss, except that I am using EJBCA to create keys, sign certs, etc.
I should only need to load the [host].p12 files on each host as it contains the CA also. Both ends have identical configuration.
NSS Database Setup:
[root at mgmt2 ipsec.d]$ rm -f *db
[root at mgmt2 ipsec.d]$ pk12util -i mgmt2.p12 -d /etc/ipsec.d
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
[root at mgmt2 ipsec.d]$ certutil -M -n RootCA -t "C,C,C" -d /etc/ipsec.d
[root at mgmt2 ipsec.d]$ certutil -L -d /etc/ipsec.d
Certificate Nickname                      Trust Attributes
                                          SSL,S/MIME,JAR/XPI

mgmt2                                     u,u,u
RootCA                                    C,C,C
OpenSwan sees them fine:
[root at mgmt2 ipsec.d]$ ipsec auto --listall
000
000 List of Public Keys:
000
000 May 01 23:39:16 2014, 1024 RSA Key ....... (no private key), until May 31 09:58:26 2014 ok
000 ID_FQDN '@mgmt2'
000 Issuer 'CN=RootCA, O=xxxxx, C=xx'
000 May 01 23:39:16 2014, 1024 RSA Key ....... (no private key), until May 31 09:58:26 2014 ok
000 ID_DER_ASN1_DN 'CN=mgmt2'
000 Issuer 'CN=RootCA, O=xxxxx, C=xx'
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000
000 List of X.509 End Certificates:
000
000 May 01 23:39:16 2014, count: 1
000 subject: 'CN=mgmt2'
000 issuer: 'CN=RootCA, O=xxxxx, C=xx'
000 serial: 14:0e:c0:bf:04:34:d9:c4
000 pubkey: 1024 RSA Key .....
000 validity: not before May 01 09:58:26 2014 ok
000 not after May 31 09:58:26 2014 warning (expires in 29 days)
000 subjkey: xxxxxxxxxxxxx
000 authkey: xxxxxxxxxxxxx
000
000 List of X.509 CA Certificates:
000
000 May 01 23:39:16 2014, count: 1
000 subject: 'CN=RootCA, O=xxxxx, C=xx'
000 issuer: 'CN=RootCA, O=xxxxx, C=xx'
000 serial: 26:5f:11:73:bd:40:06:16
000 pubkey: 2048 RSA Key ....
000 validity: not before Mar 19 19:07:38 2014 ok
000 not after Mar 19 19:07:38 2034 ok
000 subjkey: xxxxxxxxxxxxx
000 authkey: xxxxxxxxxxxxx
However, the authentication fails, and it seems as though the secret mechanism isn't working properly:
May 1 09:30:11 mgmt2 pluto[6914]: | processing connection mgmt1-mgmt2
May 1 09:30:11 mgmt2 pluto[6914]: | started looking for secret for CN=mgmt2 ->xxx.xxx.xxx.xxx of kind PPK_PSK
May 1 09:30:11 mgmt2 pluto[6914]: | actually looking for secret for CN=mgmt2 ->xxx.xxx.xxx.xxx of kind PPK_PSK
May 1 09:30:11 mgmt2 pluto[6914]: | concluding with best_match=0 best=(nil) (lineno=-1)
May 1 09:30:11 mgmt2 pluto[6914]: | parent1 type: 7 group: 14 len: 2776
May 1 09:30:11 mgmt2 pluto[6914]: | 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
May 1 09:30:11 mgmt2 pluto[6914]: | asking helper 0 to do compute dh+iv op on seq: 4 (len=2776, pcw_work=1)
May 1 09:30:11 mgmt2 pluto[6914]: | crypto helper write of request: cnt=2776<wlen=2776.
May 1 09:30:11 mgmt2 pluto[6914]: | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #2
Secrets:
[root at mgmt2 ipsec.d]$ cat ../ipsec.secrets
: RSA mgmt2
Config:
[root at mgmt2 ipsec.d]$ cat ../ipsec.conf
version 2.0

config setup
    plutodebug="control parsing"
    dumpdir=/var/run/pluto
    #nat_traversal=yes
    virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8
    oe=off
    protostack=netkey

conn %default
    type=tunnel
    pfs=no
    rekey=no
    auto=start

conn mgmt1-mgmt2
    authby=rsasig
    leftid="CN=mgmt1"
    leftcert=mgmt1
    leftrsasigkey=%cert
    left=xxx.xxx.xxx.xxx
    leftsourceip=192.168.1.2
    leftsubnet=192.168.1.0/24
    rightid="CN=mgmt2"
    rightcert=mgmt2
    rightrsasigkey=%cert
    right=yyy.yyy.yyy.yyy
    rightsourceip=192.168.20.1
    rightsubnet=192.168.20.0/24
Can anyone shed some light on what the problem might be? I'm stumped. I had the same hosts running with pre-shared keys with no issues.
Cheers
Jason
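As an added consistency check for this kind of setup (not code from the post or from the Openswan project), the script below cross-checks a conn's certificate settings against what `certutil -L` reports for the NSS database: the referenced nicknames must exist, at least one must carry a private key (`u` flag), and a CA must be trusted with the `C` flag. The listing and conn embedded here are constructed from the values in the post, and the trust-flag parser assumes certutil's three-column `SSL,S/MIME,JAR/XPI` layout.

```python
import re

# Constructed sample mirroring the certutil -L listing and the conn from the post.
CERTUTIL_OUTPUT = """\
Certificate Nickname                      Trust Attributes
                                          SSL,S/MIME,JAR/XPI
mgmt2                                     u,u,u
RootCA                                    C,C,C
"""
IPSEC_CONF = """\
conn mgmt1-mgmt2
    authby=rsasig
    leftcert=mgmt1
    leftrsasigkey=%cert
    rightcert=mgmt2
    rightrsasigkey=%cert
"""

def parse_certutil_list(text):
    """Map nickname -> trust flags (e.g. 'u,u,u') from certutil -L output."""
    # Header lines have no comma-separated flag triple, so they never match.
    pat = re.compile(r'^(\S.*?)\s+([pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$')
    matches = (pat.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def parse_conn(conf_text, name):
    """Return the key=value settings of 'conn <name>', comments stripped."""
    settings, inside = {}, False
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith(('conn ', 'config ')):
            inside = line.split(None, 1)[1].strip() == name
        elif inside and '=' in line:
            key, value = line.split('=', 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings

def check_conn(certs, conn):
    """List mismatches between the conn and the NSS db; [] means none found."""
    findings = []
    if conn.get('authby') != 'rsasig':
        findings.append('authby=%s, but certificate auth needs rsasig' % conn.get('authby'))
    # The local end's cert must have its private key in this db ('u' in the SSL column).
    if not any(certs.get(conn.get(s + 'cert'), '').startswith('u') for s in ('left', 'right')):
        findings.append('no leftcert/rightcert nickname has a private key (u flag) in this NSS db')
    for side in ('left', 'right'):
        nick = conn.get(side + 'cert')
        if nick and nick not in certs:
            findings.append('%scert=%s is not in this NSS db (expected if %s is the peer)' % (side, nick, nick))
    if not any(t.startswith('C') for t in certs.values()):
        findings.append('no CA certificate has the C trust flag (certutil -M -t "C,C,C")')
    return findings
```

Run it on each host's own `certutil -L -d /etc/ipsec.d` output and ipsec.conf; an empty list means the certificate wiring is at least self-consistent on that host.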