[Openswan Users] OpenSwan to Strongswan RSA Problem
Andreas Steffen
andreas.steffen at strongsec.net
Tue Jul 4 13:29:59 EDT 2017
Hi Matt,
could you post the /etc/ipsec.d/certs/aspfw2.pem certificate?
Regards
Andreas
On 04.07.2017 17:51, Matt Killock wrote:
> Hello,
>
> I managed to make a working connection between two linux machines, one
> running OpenSwan and the other running StrongSwan using PSK. The config
> on the Openswan side was as follows:
>
> conn test
>     authby=secret
>     type=tunnel
>     left=192.168.100.37
>     leftsubnet=10.2.0.0/24
>     right=192.168.100.38
>     rightsubnet=10.1.0.0/24
>     auto=start
>     esp=aes128-sha1
>     ike=aes128-sha1-modp2048
>     rekey=yes
>     dpdaction=clear
>     dpddelay=15
>     dpdtimeout=50
>     compress=no
>
>
> However, after attempting to change this to work with RSA certs, I have
> run into a problem. The Openswan config now looks like this:
>
> conn test
>     authby=rsasig
>     type=tunnel
>     left=192.168.100.37
>     leftsubnet=10.2.0.0/24
>     right=192.168.100.38
>     rightsubnet=10.1.0.0/24
>     auto=start
>     esp=aes128-sha1
>     ike=aes128-sha1-modp2048
>     rekey=yes
>     dpdaction=clear
>     dpddelay=15
>     dpdtimeout=50
>     compress=no
>     leftcert=/etc/ipsec.d/certs/covazfw.pem
>     rightcert=/etc/ipsec.d/certs/aspfw2.pem
>     leftid="C=CH, O=strongSwan, CN=covazfw"
>     rightid="C=CH, O=strongSwan, CN=aspfw2"
>
>
> All the relevant public certs are in the ipsec.d subfolder hierarchy,
> along with the private key for the OpenSwan side covazfw.pem.
>
> Ipsec.secrets is as follows:
>
> : RSA /etc/ipsec.d/private/covazfw.pem
>
> The auth.log shows this:
>
> Jul 4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500: received Vendor ID payload [XAUTH]
> Jul 4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500: received Vendor ID payload [Dead Peer Detection]
> Jul 4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500: received Vendor ID payload [RFC 3947] method set to=109
> Jul 4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: responding to Main Mode
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: STATE_MAIN_R1: sent MR1, expecting MI2
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: STATE_MAIN_R2: sent MR2, expecting MI3
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: no suitable connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
> Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
> Jul 4 16:37:47 covtestvpn pluto[7623]: "test" #14: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
> Jul 4 16:37:47 covtestvpn pluto[7623]: "test" #14: no suitable connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
> Jul 4 16:37:47 covtestvpn pluto[7623]: "test" #14: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
>
>
> It seems that it cannot / will not authenticate the certificate from the
> Strongswan side. Could someone tell me what I’m doing wrong please?
>
> Thanks
>
> Matt
>
--
=======================================================================
Andreas Steffen e-mail: andreas.steffen at strongsec.net
strongSec GmbH home: http://www.strongsec.net
Alter Zürichweg 20 phone: +41 44 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 44 730 80 65
==========================================[strong internet security]===
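Added example, not part of the thread above: a small offline triage helper that parses an openswan-style `conn` block and pluto log lines like the ones Matt quoted, then checks whether the peer ID that pluto rejected with "no suitable connection" is the same DN as the configured rightid. The config and log text embedded below are constructed from the thread's excerpts; the function names are my own.

```python
import re

# Constructed from the conn block quoted in the thread (only the ID-relevant keys).
CONF = """conn test
    authby=rsasig
    left=192.168.100.37
    right=192.168.100.38
    leftid="C=CH, O=strongSwan, CN=covazfw"
    rightid="C=CH, O=strongSwan, CN=aspfw2"
"""
# Constructed log lines modelled on the auth.log excerpt in the thread.
LOG = """Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: no suitable connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
"""

def parse_conn(conf, name):
    """Return the key=value settings of one conn block, with surrounding quotes stripped."""
    settings, inside = {}, False
    for line in conf.splitlines():
        if re.match(r"^conn\s", line):
            inside = line.split()[1] == name
            continue
        m = re.match(r"^\s+(\w+)\s*=\s*(.*)$", line)
        if inside and m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings

def normalize_dn(dn):
    """Split a DN into RDNs; attribute types compare case-insensitively, values verbatim."""
    return tuple((attr.strip().upper(), value.strip())
                 for attr, value in (rdn.split("=", 1) for rdn in dn.split(",")))

def rejected_peer_ids(log):
    """Peer IDs that pluto answered with 'no suitable connection'."""
    return re.findall(r"no suitable connection for peer '([^']+)'", log)

def triage(conf, log, conn="test"):
    """Report whether every rejected peer ID equals the conn's configured rightid."""
    rightid = parse_conn(conf, conn).get("rightid", "")
    rejected = rejected_peer_ids(log)
    matches = bool(rejected) and all(normalize_dn(p) == normalize_dn(rightid) for p in rejected)
    return {"rightid": rightid, "rejected": sorted(set(rejected)), "id_matches_rightid": matches}

if __name__ == "__main__":
    print(triage(CONF, LOG))
```

When the rejected ID equals rightid, as it does for the lines in this thread, the ID string itself is not what failed to match, which is why the next thing to look at is the peer certificate and its CA, the file Andreas asks for above.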