[Openswan Users] OpenSwan to Strongswan RSA Problem

Matt Killock matt.killock at praemium.com
Tue Jul 4 11:51:32 EDT 2017


Hello,

I managed to make a working connection between two linux machines, one running OpenSwan and the other running StrongSwan using PSK. The config on the Openswan side was as follows:

conn test
        authby=secret
        type=tunnel
        left=192.168.100.37
        leftsubnet=10.2.0.0/24
        right=192.168.100.38
        rightsubnet=10.1.0.0/24
        auto=start
        esp=aes128-sha1
        ike=aes128-sha1-modp2048
        rekey=yes
        dpdaction=clear
        dpddelay=15
        dpdtimeout=50
        compress=no

However, after attempting to change this to work with RSA certs, I have run into a problem. The Openswan config now looks like this:

conn test
        authby=rsasig
        type=tunnel
        left=192.168.100.37
        leftsubnet=10.2.0.0/24
        right=192.168.100.38
        rightsubnet=10.1.0.0/24
        auto=start
        esp=aes128-sha1
        ike=aes128-sha1-modp2048
        rekey=yes
        dpdaction=clear
        dpddelay=15
        dpdtimeout=50
        compress=no
        leftcert=/etc/ipsec.d/certs/covazfw.pem
        rightcert=/etc/ipsec.d/certs/aspfw2.pem
        leftid="C=CH, O=strongSwan, CN=covazfw"
        rightid="C=CH, O=strongSwan, CN=aspfw2"

All the relevant public certs are in the ipsec.d subfolder hierarchy, along with the private key for the OpenSwan side covazfw.pem.

Ipsec.secrets is as follows:

: RSA /etc/ipsec.d/private/covazfw.pem

The auth.log shows this:

Jul  4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500: received Vendor ID payload [XAUTH]
Jul  4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500: received Vendor ID payload [Dead Peer Detection]
Jul  4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500: received Vendor ID payload [RFC 3947] method set to=109
Jul  4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: responding to Main Mode
Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: STATE_MAIN_R1: sent MR1, expecting MI2
Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: STATE_MAIN_R2: sent MR2, expecting MI3
Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: no suitable connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
Jul  4 16:37:47 covtestvpn pluto[7623]: "test" #14: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
Jul  4 16:37:47 covtestvpn pluto[7623]: "test" #14: no suitable connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
Jul  4 16:37:47 covtestvpn pluto[7623]: "test" #14: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500

It seems that it cannot / will not authenticate the certificate from the Strongswan side. Could someone tell me what I'm doing wrong please?

Thanks

Matt
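As an added diagnostic, not part of the post or of the Openswan project, assuming only the ipsec.conf conn syntax and the pluto log format quoted above: it parses the conn block and the "Main mode peer ID" lines and reports whether the DN the peer presented actually equals the configured rightid, so an INVALID_ID_INFORMATION can be split into "ID string mismatch" versus "ID matches but the connection was still refused".

```python
import re

# Constructed sample input: the conn block and pluto lines quoted in the post
CONF = """conn test
        authby=rsasig
        leftid="C=CH, O=strongSwan, CN=covazfw"
        rightid="C=CH, O=strongSwan, CN=aspfw2"
"""
LOG = """Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: no suitable connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
"""

def parse_conns(text):
    """Map conn name -> {key: value} for an ipsec.conf fragment (surrounding quotes stripped)."""
    conns, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            cur = m.group(1)
            conns[cur] = {}
        elif cur and (m := re.match(r"^\s+(\w+)=(.*)$", line)):
            conns[cur][m.group(1)] = m.group(2).strip().strip('"')
    return conns

def norm_dn(dn):
    """Normalise whitespace around RDN separators so spacing differences do not mask a match."""
    return ",".join(p.strip() for p in dn.split(","))

PEER_ID = re.compile(r'"(?P<conn>[^"]+)" #\d+: Main mode peer ID is (?P<type>\w+): \'(?P<id>[^\']*)\'')

def diagnose(conf_text, log_text):
    """Return one (conn, finding) per peer-ID log line: does the received ID equal rightid?"""
    conns = parse_conns(conf_text)
    findings = []
    for line in log_text.splitlines():
        m = PEER_ID.search(line)
        if not m:
            continue
        want = conns.get(m["conn"], {}).get("rightid")
        if want is None:
            findings.append((m["conn"], "no rightid configured"))
        elif norm_dn(want) != norm_dn(m["id"]):
            findings.append((m["conn"], f"rightid mismatch: config {want!r} vs peer {m['id']!r}"))
        else:
            findings.append((m["conn"], "rightid matches peer ID"))
    return findings

if __name__ == "__main__":
    for conn, msg in diagnose(CONF, LOG):
        print(conn, msg)
```

On the post's own lines it reports a match, which rules out a simple rightid typo and narrows the "no suitable connection" refusal to something other than the ID string.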
