[Openswan Users] OpenSwan to Strongswan RSA Problem
andy
andy at andynet.net
Tue Jul 4 12:36:10 EDT 2017
Hi Matt -
can you post the Openswan output from 'ipsec auto --status' please?
Thanks
Andy
On Tue, Jul 04, 2017 at 03:51:32PM +0000, Matt Killock wrote:
> Hello,
>
> I managed to make a working connection between two Linux machines, one running
> OpenSwan and the other running StrongSwan using PSK. The config on the Openswan
> side was as follows:
>
> conn test
>     authby=secret
>     type=tunnel
>     left=192.168.100.37
>     leftsubnet=10.2.0.0/24
>     right=192.168.100.38
>     rightsubnet=10.1.0.0/24
>     auto=start
>     esp=aes128-sha1
>     ike=aes128-sha1-modp2048
>     rekey=yes
>     dpdaction=clear
>     dpddelay=15
>     dpdtimeout=50
>     compress=no
>
> However, after attempting to change this to work with RSA certs, I have run
> into a problem. The Openswan config now looks like this:
>
> conn test
>     authby=rsasig
>     type=tunnel
>     left=192.168.100.37
>     leftsubnet=10.2.0.0/24
>     right=192.168.100.38
>     rightsubnet=10.1.0.0/24
>     auto=start
>     esp=aes128-sha1
>     ike=aes128-sha1-modp2048
>     rekey=yes
>     dpdaction=clear
>     dpddelay=15
>     dpdtimeout=50
>     compress=no
>     leftcert=/etc/ipsec.d/certs/covazfw.pem
>     rightcert=/etc/ipsec.d/certs/aspfw2.pem
>     leftid="C=CH, O=strongSwan, CN=covazfw"
>     rightid="C=CH, O=strongSwan, CN=aspfw2"
>
> All the relevant public certs are in the ipsec.d subfolder hierarchy, along
> with the private key for the OpenSwan side covazfw.pem.
>
> ipsec.secrets is as follows:
>
> : RSA /etc/ipsec.d/private/covazfw.pem
>
> The auth.log shows this:
>
> Jul 4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500: received Vendor ID payload [XAUTH]
> Jul 4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500: received Vendor ID payload [Dead Peer Detection]
> Jul 4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500: received Vendor ID payload [RFC 3947] method set to=109
> Jul 4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: responding to Main Mode
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: STATE_MAIN_R1: sent MR1, expecting MI2
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: STATE_MAIN_R2: sent MR2, expecting MI3
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: no suitable connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
> Jul 4 16:37:47 covtestvpn pluto[7623]: "test" #14: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
> Jul 4 16:37:47 covtestvpn pluto[7623]: "test" #14: no suitable connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
> Jul 4 16:37:47 covtestvpn pluto[7623]: "test" #14: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
>
> It seems that it cannot / will not authenticate the certificate from the
> Strongswan side. Could someone tell me what I'm doing wrong please?
>
> Thanks
>
> Matt