[Openswan Users] OpenSwan to Strongswan RSA Problem

Matt Killock matt.killock at praemium.com
Wed Jul 5 03:09:59 EDT 2017


Hi, here you go:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Thanks
Matt

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongsec.net]
Sent: 04 July 2017 18:30
To: Matt Killock <matt.killock at praemium.com>; users at lists.openswan.org
Subject: Re: [Openswan Users] OpenSwan to Strongswan RSA Problem

Hi Matt,

could you post the /etc/ipsec.d/certs/aspfw2.pem certificate?

Regards

Andreas

On 04.07.2017 17:51, Matt Killock wrote:
> Hello,
>
> I managed to make a working connection between two linux machines, one
> running OpenSwan and the other running StrongSwan using PSK. The config
> on the Openswan side was as follows:
>
> conn test
>          authby=secret
>          type=tunnel
>          left=192.168.100.37
>          leftsubnet=10.2.0.0/24
>          right=192.168.100.38
>          rightsubnet=10.1.0.0/24
>          auto=start
>          esp=aes128-sha1
>          ike=aes128-sha1-modp2048
>          rekey=yes
>          dpdaction=clear
>          dpddelay=15
>          dpdtimeout=50
>          compress=no
>
> However, after attempting to change this to work with RSA certs, I have
> run into a problem. The Openswan config now looks like this:
>
> conn test
>          authby=rsasig
>          type=tunnel
>          left=192.168.100.37
>          leftsubnet=10.2.0.0/24
>          right=192.168.100.38
>          rightsubnet=10.1.0.0/24
>          auto=start
>          esp=aes128-sha1
>          ike=aes128-sha1-modp2048
>          rekey=yes
>          dpdaction=clear
>          dpddelay=15
>          dpdtimeout=50
>          compress=no
>          leftcert=/etc/ipsec.d/certs/covazfw.pem
>          rightcert=/etc/ipsec.d/certs/aspfw2.pem
>          leftid="C=CH, O=strongSwan, CN=covazfw"
>          rightid="C=CH, O=strongSwan, CN=aspfw2"
>
> All the relevant public certs are in the ipsec.d subfolder hierarchy,
> along with the private key for the OpenSwan side covazfw.pem.
>
> Ipsec.secrets is as follows:
>
> : RSA /etc/ipsec.d/private/covazfw.pem
>
> The auth.log shows this:
>
> Jul  4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500: received Vendor ID payload [XAUTH]
> Jul  4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500: received Vendor ID payload [Dead Peer Detection]
> Jul  4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500: received Vendor ID payload [RFC 3947] method set to=109
> Jul  4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
> Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: responding to Main Mode
> Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: STATE_MAIN_R1: sent MR1, expecting MI2
> Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
> Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: STATE_MAIN_R2: sent MR2, expecting MI3
> Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
> Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: no suitable connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
> Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
> Jul  4 16:37:47 covtestvpn pluto[7623]: "test" #14: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
> Jul  4 16:37:47 covtestvpn pluto[7623]: "test" #14: no suitable connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
> Jul  4 16:37:47 covtestvpn pluto[7623]: "test" #14: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
>
> It seems that it cannot / will not authenticate the certificate from the
> Strongswan side. Could someone tell me what I’m doing wrong please?
>
> Thanks
>
> Matt
>
>
> ------------------------------------------------------------------------
>
> Plum Software is a fully owned subsidiary of Praemium Limited.
>
> This e-mail is confidential. It may also be legally privileged. If you
> are not the addressee, you may not copy, forward, disclose or use any
> part of it. If you have received this message in error, please delete it
> and all copies from your system and notify the sender immediately by
> return email. Internet communications cannot be guaranteed to be timely,
> secure, or error or virus free. The sender does not accept liability for
> any errors or omissions.
>
> In the UK the Praemium Group is: Praemium Portfolio Services Ltd
> (Company Number: 05362168), Praemium (UK) Ltd (Company Number:
> 05362153), Praemium Administration Ltd (Company Number: 06016828) and
> Smartfund Nominees Ltd (Company Number: 07153417) each having its
> registered office at 4th Floor, Suite 643-659, Salisbury House, London
> Wall, London, EC2M 5QQ, United Kingdom. Praemium Administration Ltd is
> authorised and regulated by the Financial Conduct Authority under
> reference 463566. See http://www.fca.org.uk/register for more details.
>
> In Jersey the Praemium Group is: Praemium International Ltd (Company
> Number: 107624) which has its registered office at 3rd Floor East,
> Salisbury House, 1-9 Union Street, St Helier, JE2 3RF and is regulated
> under the Financial Service (Jersey) Law 1998 by the Jersey Financial
> Services Commission for the conduct of investment business in Jersey.
> See http://www.jerseyfsc.org for more details.
>
> Thank you for your cooperation. Please contact us on +44 (0)207 5622 450
> if you require assistance.
>
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>

--
=======================================================================
Andreas Steffen                   e-mail: andreas.steffen at strongsec.net
strongSec GmbH                    home:   http://www.strongsec.net
Alter Zürichweg 20                phone:  +41 44 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 44 730 80 65
==========================================[strong internet security]===


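The pluto lines quoted above are the useful evidence in this thread: the peer presents an ID of type ID_DER_ASN1_DN, and pluto answers "no suitable connection for peer" followed by an encrypted INVALID_ID_INFORMATION notification. The script below is an added example, not code from the thread or from the Openswan or strongSwan projects. It embeds the quoted log lines and the conn block as constructed sample input, extracts the DN the peer presented, normalizes it and the configured rightid into attribute/value pairs so that whitespace and attribute-type case do not produce false mismatches, and counts the rejections. The `diagnose` helper and its verdict strings are my construction, meant to separate "the ID text differs from rightid" from "the ID text matches, so the certificate that is supposed to carry that DN is the next thing to inspect", which is what Andreas's request for aspfw2.pem is aimed at.

```python
from __future__ import annotations
import re
from collections import Counter

# Constructed sample: the pluto lines quoted in the thread, one per line.
AUTH_LOG = """\
Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: responding to Main Mode
Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: no suitable connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
Jul  4 16:37:47 covtestvpn pluto[7623]: "test" #14: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
Jul  4 16:37:47 covtestvpn pluto[7623]: "test" #14: no suitable connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
Jul  4 16:37:47 covtestvpn pluto[7623]: "test" #14: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
"""

# Constructed sample: the identity-related lines of the conn block from the thread.
IPSEC_CONF = """\
conn test
        authby=rsasig
        left=192.168.100.37
        right=192.168.100.38
        leftid="C=CH, O=strongSwan, CN=covazfw"
        rightid="C=CH, O=strongSwan, CN=aspfw2"
"""

PEER_ID_RE = re.compile(r"peer ID is (?P<kind>ID_\w+): '(?P<value>[^']*)'")
NOTIFY_RE = re.compile(r"sending encrypted notification (?P<name>[A-Z_]+) to (?P<peer>[\d.]+:\d+)")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a 'C=CH, O=x, CN=y' string into (type, value) pairs.
    Attribute types are upper-cased so 'cn=' and 'CN=' compare equal; values
    and their order are kept, because both must agree for the DNs to match."""
    pairs = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        typ, _, val = rdn.partition("=")
        pairs.append((typ.strip().upper(), val.strip()))
    return pairs


def conn_ids(conf: str) -> dict[str, dict[str, str]]:
    """Collect leftid/rightid per conn block from ipsec.conf text (quotes stripped)."""
    conns: dict[str, dict[str, str]] = {}
    current = None
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("conn "):
            current = stripped.split(None, 1)[1]
            conns[current] = {}
        elif current and "=" in stripped:
            key, _, val = stripped.partition("=")
            if key.strip() in ("leftid", "rightid"):
                conns[current][key.strip()] = val.strip().strip('"')
    return conns


def presented_peer_ids(log: str) -> list[tuple[str, str]]:
    """Every (ID type, ID value) the peer presented, in log order."""
    return [(m.group("kind"), m.group("value"))
            for m in (PEER_ID_RE.search(l) for l in log.splitlines()) if m]


def rejected_notifications(log: str) -> Counter:
    """Count encrypted notifications sent, keyed by 'NAME->peer'."""
    return Counter(f"{m.group('name')}->{m.group('peer')}"
                   for m in (NOTIFY_RE.search(l) for l in log.splitlines()) if m)


def diagnose(log: str, conf: str, conn: str) -> dict:
    """Compare the DN the peer presented with the conn's rightid and summarise."""
    expected = conn_ids(conf)[conn]["rightid"]
    presented = sorted({v for k, v in presented_peer_ids(log) if k == "ID_DER_ASN1_DN"})
    id_matches = any(parse_dn(p) == parse_dn(expected) for p in presented)
    rejected = rejected_notifications(log)
    invalid_id = sum(n for key, n in rejected.items() if key.startswith("INVALID_ID_INFORMATION"))
    if not presented:
        verdict = "peer never reached the ID exchange; look earlier in the negotiation"
    elif not id_matches:
        verdict = "presented DN differs from rightid; align rightid with the peer certificate subject"
    elif invalid_id:
        verdict = "ID text matches rightid yet pluto rejected it; inspect the certificate that should carry this DN"
    else:
        verdict = "ID accepted"
    return {"expected": expected, "presented": presented, "id_matches": id_matches,
            "invalid_id_count": invalid_id, "verdict": verdict}


if __name__ == "__main__":
    for key, value in diagnose(AUTH_LOG, IPSEC_CONF, "test").items():
        print(f"{key}: {value}")
```

Run against the quoted log the script reports that the presented DN is identical to the configured rightid and that pluto still sent INVALID_ID_INFORMATION twice, which is exactly why the thread moves on to the certificate file rather than to the ID strings. Point it at a real auth.log and ipsec.conf by reading the files into `AUTH_LOG` and `IPSEC_CONF`.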

