[Openswan Users] OpenSwan NSS X509 authentication issue

jeffchen jeffchen at ruggedcom.com
Fri May 2 10:40:39 EDT 2014


I have almost the same configuration, except that the leftid/rightid is 
different (that is because I have a different subject for the 
certificate when I generate it).
The IPsec tunnel is established successfully. The log message in your 
case is not an error. Maybe you can paste the whole log message and 
configuration on both sides.

> Hi,
>
> I'm having troubles getting X509 certs working with Openswan. I've 
> followed the directions in README.nss, except that I am using EJBCA to 
> create keys, sign certs, etc.
> I should only need to load the [host].p12 files on each host as it 
> contains the CA also. Both ends have identical configuration.
>
> *NSS Database Setup:*
>
> [root@mgmt2 ipsec.d]$ rm -f *db
> [root@mgmt2 ipsec.d]$ pk12util -i mgmt2.p12 -d /etc/ipsec.d
> Enter a password which will be used to encrypt your keys.
> The password should be at least 8 characters long,
> and should contain at least one non-alphabetic character.
>
> Enter new password:
> Re-enter password:
> Enter password for PKCS12 file:
> pk12util: PKCS12 IMPORT SUCCESSFUL
> [root@mgmt2 ipsec.d]$ certutil -M -n RootCA -t "C,C,C" -d /etc/ipsec.d
> [root@mgmt2 ipsec.d]$ certutil -L -d /etc/ipsec.d
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> mgmt2                                                        u,u,u
> RootCA                                                       C,C,C
>
>
> *OpenSwan sees them fine:*
>
> [root@mgmt2 ipsec.d]$ ipsec auto --listall
> 000
> 000 List of Public Keys:
> 000
> 000 May 01 23:39:16 2014, 1024 RSA Key ....... (no private key), until May 31 09:58:26 2014 ok
> 000        ID_FQDN '@mgmt2'
> 000        Issuer 'CN=RootCA, O=xxxxx, C=xx'
> 000 May 01 23:39:16 2014, 1024 RSA Key ....... (no private key), until May 31 09:58:26 2014 ok
> 000        ID_DER_ASN1_DN 'CN=mgmt2'
> 000        Issuer 'CN=RootCA, O=xxxxx, C=xx'
> 000 List of Pre-shared secrets (from /etc/ipsec.secrets)
> 000
> 000 List of X.509 End Certificates:
> 000
> 000 May 01 23:39:16 2014, count: 1
> 000        subject: 'CN=mgmt2'
> 000        issuer:  'CN=RootCA, O=xxxxx, C=xx'
> 000        serial:   14:0e:c0:bf:04:34:d9:c4
> 000        pubkey:   1024 RSA Key .....
> 000        validity: not before May 01 09:58:26 2014 ok
> 000                  not after  May 31 09:58:26 2014 warning (expires in 29 days)
> 000        subjkey:  xxxxxxxxxxxxx
> 000        authkey:  xxxxxxxxxxxxx
> 000
> 000 List of X.509 CA Certificates:
> 000
> 000 May 01 23:39:16 2014, count: 1
> 000        subject: 'CN=RootCA, O=xxxxx, C=xx'
> 000        issuer:  'CN=RootCA, O=xxxxx, C=xx'
> 000        serial:   26:5f:11:73:bd:40:06:16
> 000        pubkey:   2048 RSA Key ....
> 000        validity: not before Mar 19 19:07:38 2014 ok
> 000                  not after  Mar 19 19:07:38 2034 ok
> 000        subjkey:  xxxxxxxxxxxxx
> 000        authkey:  xxxxxxxxxxxxx
>
>
> However the authentication fails and it seems as though the secret 
> mechanism isn't working properly:
>
>     May  1 09:30:11 mgmt2 pluto[6914]: | processing connection mgmt1-mgmt2
>     May  1 09:30:11 mgmt2 pluto[6914]: | started looking for secret for CN=mgmt2 ->xxx.xxx.xxx.xxx of kind PPK_PSK
>     May  1 09:30:11 mgmt2 pluto[6914]: | actually looking for secret for CN=mgmt2 ->xxx.xxx.xxx.xxx of kind PPK_PSK
>     May  1 09:30:11 mgmt2 pluto[6914]: | concluding with best_match=0 best=(nil) (lineno=-1)
>     May  1 09:30:11 mgmt2 pluto[6914]: | parent1 type: 7 group: 14 len: 2776
>     May  1 09:30:11 mgmt2 pluto[6914]: | 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
>     May  1 09:30:11 mgmt2 pluto[6914]: | asking helper 0 to do compute dh+iv op on seq: 4 (len=2776, pcw_work=1)
>     May  1 09:30:11 mgmt2 pluto[6914]: | crypto helper write of request: cnt=2776<wlen=2776.
>     May  1 09:30:11 mgmt2 pluto[6914]: | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #2
>
>
> *Secrets*
>
> [root@mgmt2 ipsec.d]$ cat ../ipsec.secrets
>  : RSA mgmt2
>
>
> *Config*
>
> [root@mgmt2 ipsec.d]$ cat ../ipsec.conf
>
> version 2.0
>
> config setup
>         plutodebug="control parsing"
>         dumpdir=/var/run/pluto
>         #nat_traversal=yes
>         virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8
>         oe=off
>         protostack=netkey
>
> conn %default
>     type=            tunnel
>     pfs=             no
>     rekey=           no
>     auto=            start
>
> conn mgmt1-mgmt2
>     authby=          rsasig
>     leftid=          "CN=mgmt1"
>     leftcert=        mgmt1
>     leftrsasigkey=   %cert
>     left=            xxx.xxx.xxx.xxx
>     leftsourceip=    192.168.1.2
>     leftsubnet=      192.168.1.0/24
>
>     rightid=         "CN=mgmt2"
>     rightcert=       mgmt2
>     rightrsasigkey=  %cert
>     right=           yyy.yyy.yyy.yyy
>     rightsourceip=   192.168.20.1
>     rightsubnet=     192.168.20.0/24
>
>
> Can anyone shed some light on what the problem might be? I'm stumped. 
> I had the same hosts running with pre-shared keys with no issues.
>
> Cheers
> Jason
>


-- 
Jeff Chen
Software Engineer

Siemens Canada Limited
300 Applewood Crescent
Concord, ON, L4K 5C7
Tel:     905-482-4580
Fax:     905-856-1995
e-mail:  jeff.chen at siemens.com
www.ruggedcom.com
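
A consistency check for the setup quoted in this thread, added here as an example (not part of the original messages and not Openswan code): it cross-checks the nicknames referenced in ipsec.secrets and by leftcert=/rightcert= against the `certutil -L` listing. The inputs are copied from the quoted post; the function names are hypothetical, and a finding is only something to verify on the host, not a diagnosis.

```python
import re

# Inputs copied from the post (mgmt2's side); nothing here queries a live NSS DB.
CERTUTIL_L = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

mgmt2                                                        u,u,u
RootCA                                                       C,C,C
"""
IPSEC_SECRETS = " : RSA mgmt2\n"
IPSEC_CONF = """\
conn mgmt1-mgmt2
    leftcert=        mgmt1
    rightcert=       mgmt2
"""

def parse_certutil(text):
    """Map nickname -> trust flags from `certutil -L` output."""
    row = re.compile(r"^(\S.*?)\s{2,}([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")
    return {m.group(1): m.group(2) for m in map(row.match, text.splitlines()) if m}

def secrets_nicknames(text):
    """Nicknames named by `: RSA <nickname>` entries in ipsec.secrets."""
    return re.findall(r'^[ \t]*:[ \t]*RSA[ \t]+"?([^"\n]+?)"?[ \t]*$', text, re.M)

def conf_certs(text):
    """Yield (conn, option, nickname) for each leftcert=/rightcert= line."""
    conn = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("conn "):
            conn = line.split()[1]
        m = re.match(r'((?:left|right)cert)\s*=\s*"?([^"]+?)"?$', line)
        if m:
            yield conn, m.group(1), m.group(2)

def check(certutil_out, secrets, conf):
    """Return findings where a referenced nickname is missing or lacks a key."""
    db, findings = parse_certutil(certutil_out), []
    for nick in secrets_nicknames(secrets):
        if nick not in db:
            findings.append(f"ipsec.secrets: RSA {nick} not in NSS DB")
        elif "u" not in db[nick].split(",")[0]:  # 'u' marks a cert with a private key
            findings.append(f"ipsec.secrets: RSA {nick} has no private key")
    for conn, opt, nick in conf_certs(conf):
        if nick not in db:
            findings.append(f"conn {conn}: {opt}={nick} not in NSS DB")
    return findings

if __name__ == "__main__":
    for finding in check(CERTUTIL_L, IPSEC_SECRETS, IPSEC_CONF):
        print(finding)
```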
