[Openswan Users] OpenSwan to Strongswan RSA Problem
Matt Killock
matt.killock at praemium.com
Tue Jul 4 15:13:08 EDT 2017
Hi Andy,
By all means:
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.100.37
000 interface eth0/eth0 192.168.100.37
000 interface vlan2/vlan2 10.2.0.1
000 interface vlan2/vlan2 10.2.0.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,64} trans={0,1,3072} attrs={0,1,2048}
000
000 "test": 10.2.0.0/24===192.168.100.37<192.168.100.37>[0x3068310B300906035504061302434831133011060355040A130A7374726F6E675377616E3110300E06035504031307636F76617A667700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,+S=C]...192.168.100.38<192.168.100.38>[0x3066310B300906035504061302434831133011060355040A130A7374726F6E675377616E310F300D06035504031306617370667732000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,+S=C]===10.1.0.0/24; prospective erouted; eroute owner: #0
000 "test": myip=unset; hisip=unset;
000 "test": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "test": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK; prio: 24,24; interface: eth0;
000 "test": dpd: action:clear; delay:15; timeout:50;
000 "test": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "test": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP2048(14); flags=-strict
000 "test": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP2048(14)
000 "test": ESP algorithms wanted: AES(12)_128-SHA1(2)_000; flags=-strict
000 "test": ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000
000 #122: "test":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 2s; nodpd; idle; import:admin initiate
000 #122: pending Phase 2 for "test" replacing #0
000
Thanks
Matt
-----Original Message-----
From: andy [mailto:andy at andynet.net]
Sent: 04 July 2017 17:36
To: Matt Killock <matt.killock at praemium.com>
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] OpenSwan to Strongswan RSA Problem
Hi Matt -
can you post the Openswan output from 'ipsec auto --status' please?
Thanks
Andy
On Tue, Jul 04, 2017 at 03:51:32PM +0000, Matt Killock wrote:
> Hello,
>
>
>
> I managed to make a working connection between two linux machines, one running
> OpenSwan and the other running StrongSwan using PSK. The config on the Openswan
> side was as follows:
>
>
>
> conn test
>
> authby=secret
>
> type=tunnel
>
> left=192.168.100.37
>
> leftsubnet=10.2.0.0/24
>
> right=192.168.100.38
>
> rightsubnet=10.1.0.0/24
>
> auto=start
>
> esp=aes128-sha1
>
> ike=aes128-sha1-modp2048
>
> rekey=yes
>
> dpdaction=clear
>
> dpddelay=15
>
> dpdtimeout=50
>
> compress=no
>
>
>
> However, after attempting to change this to work with RSA certs, I have run
> into a problem. The Openswan config now looks like this:
>
>
>
> conn test
>
> authby=rsasig
>
> type=tunnel
>
> left=192.168.100.37
>
> leftsubnet=10.2.0.0/24
>
> right=192.168.100.38
>
> rightsubnet=10.1.0.0/24
>
> auto=start
>
> esp=aes128-sha1
>
> ike=aes128-sha1-modp2048
>
> rekey=yes
>
> dpdaction=clear
>
> dpddelay=15
>
> dpdtimeout=50
>
> compress=no
>
> leftcert=/etc/ipsec.d/certs/covazfw.pem
>
> rightcert=/etc/ipsec.d/certs/aspfw2.pem
>
> leftid="C=CH, O=strongSwan, CN=covazfw"
>
> rightid="C=CH, O=strongSwan, CN=aspfw2"
>
>
>
> All the relevant public certs are in the ipsec.d subfolder hierarchy, along
> with the private key for the OpenSwan side covazfw.pem.
>
>
>
> Ipsec.secrets is as follows:
>
>
>
> : RSA /etc/ipsec.d/private/covazfw.pem
>
>
>
> The auth.log shows this:
>
>
>
> Jul 4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500:
> received Vendor ID payload [XAUTH]
>
> Jul 4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500:
> received Vendor ID payload [Dead Peer Detection]
>
> Jul 4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500:
> received Vendor ID payload [RFC 3947] method set to=109
>
> Jul 4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
> already using method 109
>
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: responding to Main Mode
>
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: transition from state
> STATE_MAIN_R0 to state STATE_MAIN_R1
>
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: STATE_MAIN_R1: sent MR1,
> expecting MI2
>
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: NAT-Traversal: Result using
> RFC 3947 (NAT-Traversal): no NAT detected
>
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: transition from state
> STATE_MAIN_R1 to state STATE_MAIN_R2
>
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: STATE_MAIN_R2: sent MR2,
> expecting MI3
>
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: Main mode peer ID is
> ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
>
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: no suitable connection for
> peer 'C=CH, O=strongSwan, CN=aspfw2'
>
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: sending encrypted
> notification INVALID_ID_INFORMATION to 192.168.100.38:500
>
> Jul 4 16:37:47 covtestvpn pluto[7623]: "test" #14: Main mode peer ID is
> ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
>
> Jul 4 16:37:47 covtestvpn pluto[7623]: "test" #14: no suitable connection for
> peer 'C=CH, O=strongSwan, CN=aspfw2'
>
> Jul 4 16:37:47 covtestvpn pluto[7623]: "test" #14: sending encrypted
> notification INVALID_ID_INFORMATION to 192.168.100.38:500
>
>
>
> It seems that it cannot / will not authenticate the certificate from the
> Strongswan side. Could someone tell me what I’m doing wrong please?
>
>
>
> Thanks
>
>
>
> Matt
>
>
> ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
>
> Plum Software is a fully owned subsidiary of Praemium Limited.
>
> This e-mail is confidential. It may also be legally privileged. If you are not
> the addressee, you may not copy, forward, disclose or use any part of it. If
> you have received this message in error, please delete it and all copies from
> your system and notify the sender immediately by return email. Internet
> communications cannot be guaranteed to be timely, secure, or error or virus
> free. The sender does not accept liability for any errors or omissions.
>
> In the UK the Praemium Group is: Praemium Portfolio Services Ltd (Company
> Number: 05362168), Praemium (UK) Ltd (Company Number: 05362153), Praemium
> Administration Ltd (Company Number: 06016828) and Smartfund Nominees Ltd
> (Company Number: 07153417) each having its registered office at 4th Floor,
> Suite 643-659, Salisbury House, London Wall, London, EC2M 5QQ, United Kingdom.
> Praemium Administration Ltd is authorised and regulated by the Financial
> Conduct Authority under reference 463566. See http://www.fca.org.uk/register
> for more details.
>
> In Jersey the Praemium Group is: Praemium International Ltd (Company Number:
> 107624) which has its registered office at 3rd Floor East, Salisbury House, 1-9
> Union Street, St Helier, JE2 3RF and is regulated under the Financial Service
> (Jersey) Law 1998 by the Jersey Financial Services Commission for the conduct
> of investment business in Jersey. See http://www.jerseyfsc.org for more
> details.
>
> Thank you for your cooperation. Please contact us on +44 (0)207 5622 450 if you
> require assistance.
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
________________________________
Plum Software is a fully owned subsidiary of Praemium Limited.
This e-mail is confidential. It may also be legally privileged. If you are not the addressee, you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return email. Internet communications cannot be guaranteed to be timely, secure, or error or virus free. The sender does not accept liability for any errors or omissions.
In the UK the Praemium Group is: Praemium Portfolio Services Ltd (Company Number: 05362168), Praemium (UK) Ltd (Company Number: 05362153), Praemium Administration Ltd (Company Number: 06016828) and Smartfund Nominees Ltd (Company Number: 07153417) each having its registered office at 4th Floor, Suite 643-659, Salisbury House, London Wall, London, EC2M 5QQ, United Kingdom. Praemium Administration Ltd is authorised and regulated by the Financial Conduct Authority under reference 463566. See http://www.fca.org.uk/register for more details.
In Jersey the Praemium Group is: Praemium International Ltd (Company Number: 107624) which has its registered office at 3rd Floor East, Salisbury House, 1-9 Union Street, St Helier, JE2 3RF and is regulated under the Financial Service (Jersey) Law 1998 by the Jersey Financial Services Commission for the conduct of investment business in Jersey. See http://www.jerseyfsc.org for more details.
Thank you for your cooperation. Please contact us on +44 (0)207 5622 450 if you require assistance.
More information about the Users
mailing list