[Openswan Users] OpenSwan to Strongswan RSA Problem

Matt Killock matt.killock at praemium.com
Thu Jul 6 05:46:21 EDT 2017


Changing the rightid to @aspfw changes that line to read as follows:

000 "test": 10.2.0.0/24===192.168.100.37<192.168.100.37>[0x3068310B300906035504061302434831133011060355040A130A7374726F6E675377616E3110300E06035504031307636F76617A667700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,+S=C]...192.168.100.38<192.168.100.38>[@aspfw2,+S=C]===10.1.0.0/24; prospective erouted; eroute owner: #0

But it still doesn't work, the logs still show it trying to match the C=CH, O=strongSwan, CN=aspfw2 ID

I recopied the certs from the other server in case copy/pasting the text was in some way malformed. Auth log is the same, as far as I can tell.

Jul  6 10:34:05 covtestvpn ipsec__plutorun: Starting Pluto subsystem...
Jul  6 10:34:05 covtestvpn pluto[10258]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:10258
Jul  6 10:34:05 covtestvpn pluto[10258]: LEAK_DETECTIVE support [disabled]
Jul  6 10:34:05 covtestvpn pluto[10258]: OCF support for IKE [disabled]
Jul  6 10:34:05 covtestvpn pluto[10258]: SAref support [disabled]: Protocol not available
Jul  6 10:34:05 covtestvpn pluto[10258]: SAbind support [disabled]: Protocol not available
Jul  6 10:34:05 covtestvpn pluto[10258]: NSS support [disabled]
Jul  6 10:34:05 covtestvpn pluto[10258]: HAVE_STATSD notification support not compiled in
Jul  6 10:34:05 covtestvpn pluto[10258]: Setting NAT-Traversal port-4500 floating to on
Jul  6 10:34:05 covtestvpn pluto[10258]:    port floating activation criteria nat_t=1/port_float=1
Jul  6 10:34:05 covtestvpn pluto[10258]:    NAT-Traversal support  [enabled]
Jul  6 10:34:05 covtestvpn pluto[10258]: using /dev/urandom as source of random entropy
Jul  6 10:34:05 covtestvpn pluto[10258]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul  6 10:34:05 covtestvpn pluto[10258]: starting up 1 cryptographic helpers
Jul  6 10:34:05 covtestvpn pluto[10258]: started helper pid=10261 (fd:6)
Jul  6 10:34:05 covtestvpn pluto[10258]: Using Linux 2.6 IPsec interface code on 3.2.0-4-amd64 (experimental code)
Jul  6 10:34:05 covtestvpn pluto[10261]: using /dev/urandom as source of random entropy
Jul  6 10:34:05 covtestvpn pluto[10258]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Jul  6 10:34:05 covtestvpn pluto[10258]: ike_alg_add(): ERROR: Algorithm already exists
Jul  6 10:34:05 covtestvpn pluto[10258]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Jul  6 10:34:05 covtestvpn pluto[10258]: ike_alg_add(): ERROR: Algorithm already exists
Jul  6 10:34:05 covtestvpn pluto[10258]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Jul  6 10:34:05 covtestvpn pluto[10258]: ike_alg_add(): ERROR: Algorithm already exists
Jul  6 10:34:05 covtestvpn pluto[10258]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Jul  6 10:34:05 covtestvpn pluto[10258]: ike_alg_add(): ERROR: Algorithm already exists
Jul  6 10:34:05 covtestvpn pluto[10258]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Jul  6 10:34:05 covtestvpn pluto[10258]: ike_alg_add(): ERROR: Algorithm already exists
Jul  6 10:34:05 covtestvpn pluto[10258]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Jul  6 10:34:05 covtestvpn pluto[10258]: Changed path to directory '/etc/ipsec.d/cacerts'
Jul  6 10:34:05 covtestvpn pluto[10258]:   loaded CA cert file 'strongswanCert.pem' (1883 bytes)
Jul  6 10:34:05 covtestvpn pluto[10258]: Changed path to directory '/etc/ipsec.d/aacerts'
Jul  6 10:34:05 covtestvpn pluto[10258]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Jul  6 10:34:05 covtestvpn pluto[10258]: Changing to directory '/etc/ipsec.d/crls'
Jul  6 10:34:05 covtestvpn pluto[10258]:   Warning: empty directory
Jul  6 10:34:05 covtestvpn pluto[10258]: loading certificate from /etc/ipsec.d/certs/covazfw.pem
Jul  6 10:34:05 covtestvpn pluto[10258]:   loaded host cert file '/etc/ipsec.d/certs/covazfw.pem' (1549 bytes)
Jul  6 10:34:05 covtestvpn pluto[10258]: loading certificate from /etc/ipsec.d/certs/aspfw2.pem
Jul  6 10:34:05 covtestvpn pluto[10258]:   loaded host cert file '/etc/ipsec.d/certs/aspfw2.pem' (1545 bytes)
Jul  6 10:34:05 covtestvpn pluto[10258]: added connection description "test"
Jul  6 10:34:05 covtestvpn pluto[10258]: listening for IKE messages
Jul  6 10:34:05 covtestvpn pluto[10258]: adding interface vlan2/vlan2 10.2.0.1:500
Jul  6 10:34:05 covtestvpn pluto[10258]: adding interface vlan2/vlan2 10.2.0.1:4500
Jul  6 10:34:05 covtestvpn pluto[10258]: adding interface eth0/eth0 192.168.100.37:500
Jul  6 10:34:05 covtestvpn pluto[10258]: adding interface eth0/eth0 192.168.100.37:4500
Jul  6 10:34:05 covtestvpn pluto[10258]: adding interface lo/lo 127.0.0.1:500
Jul  6 10:34:05 covtestvpn pluto[10258]: adding interface lo/lo 127.0.0.1:4500
Jul  6 10:34:05 covtestvpn pluto[10258]: loading secrets from "/etc/ipsec.secrets"
Jul  6 10:34:05 covtestvpn pluto[10258]:   loaded private key file '/etc/ipsec.d/private/covazfw.pem' (1679 bytes)
Jul  6 10:34:05 covtestvpn pluto[10258]: loaded private key for keyid: PPK_RSA:AwEAAcRgJ
Jul  6 10:34:05 covtestvpn pluto[10258]: "test" #1: initiating Main Mode
Jul  6 10:34:05 covtestvpn pluto[10258]: "test" #1: received Vendor ID payload [XAUTH]
Jul  6 10:34:05 covtestvpn pluto[10258]: "test" #1: received Vendor ID payload [Dead Peer Detection]
Jul  6 10:34:05 covtestvpn pluto[10258]: "test" #1: received Vendor ID payload [RFC 3947] method set to=109
Jul  6 10:34:05 covtestvpn pluto[10258]: "test" #1: enabling possible NAT-traversal with method 4
Jul  6 10:34:05 covtestvpn pluto[10258]: "test" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul  6 10:34:05 covtestvpn pluto[10258]: "test" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul  6 10:34:05 covtestvpn pluto[10258]: "test" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul  6 10:34:05 covtestvpn pluto[10258]: "test" #1: I am sending my cert
Jul  6 10:34:05 covtestvpn pluto[10258]: "test" #1: I am sending a certificate request
Jul  6 10:34:05 covtestvpn pluto[10258]: "test" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul  6 10:34:05 covtestvpn pluto[10258]: "test" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul  6 10:34:05 covtestvpn pluto[10258]: "test" #1: next payload type of ISAKMP Hash Payload has an unknown value: 94
Jul  6 10:34:05 covtestvpn pluto[10258]: "test" #1: malformed payload in packet
Jul  6 10:34:05 covtestvpn pluto[10258]: | payload malformed after IV
Jul  6 10:34:05 covtestvpn pluto[10258]: |   0f e3 68 74  cc 6f 7e c5  02 7c e7 89  d8 d1 71 43
Jul  6 10:34:05 covtestvpn pluto[10258]: "test" #1: sending notification PAYLOAD_MALFORMED to 192.168.100.38:500
Jul  6 10:35:07 covtestvpn pluto[10258]: packet from 192.168.100.38:500: received Vendor ID payload [XAUTH]
Jul  6 10:35:07 covtestvpn pluto[10258]: packet from 192.168.100.38:500: received Vendor ID payload [Dead Peer Detection]
Jul  6 10:35:07 covtestvpn pluto[10258]: packet from 192.168.100.38:500: received Vendor ID payload [RFC 3947] method set to=109
Jul  6 10:35:07 covtestvpn pluto[10258]: packet from 192.168.100.38:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jul  6 10:35:07 covtestvpn pluto[10258]: "test" #2: responding to Main Mode
Jul  6 10:35:07 covtestvpn pluto[10258]: "test" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul  6 10:35:07 covtestvpn pluto[10258]: "test" #2: STATE_MAIN_R1: sent MR1, expecting MI2
Jul  6 10:35:07 covtestvpn pluto[10258]: "test" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul  6 10:35:07 covtestvpn pluto[10258]: "test" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul  6 10:35:07 covtestvpn pluto[10258]: "test" #2: STATE_MAIN_R2: sent MR2, expecting MI3
Jul  6 10:35:07 covtestvpn pluto[10258]: "test" #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
Jul  6 10:35:07 covtestvpn pluto[10258]: "test" #2: no crl from issuer "C=CH, O=strongSwan, CN=Plum IPSec Root CA" found (strict=no)
Jul  6 10:35:07 covtestvpn pluto[10258]: "test" #2: no suitable connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
Jul  6 10:35:07 covtestvpn pluto[10258]: "test" #2: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
Jul  6 10:35:11 covtestvpn pluto[10258]: "test" #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
Jul  6 10:35:11 covtestvpn pluto[10258]: "test" #2: no crl from issuer "C=CH, O=strongSwan, CN=Plum IPSec Root CA" found (strict=no)
Jul  6 10:35:11 covtestvpn pluto[10258]: "test" #2: no suitable connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
Jul  6 10:35:11 covtestvpn pluto[10258]: "test" #2: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
Jul  6 10:35:15 covtestvpn pluto[10258]: "test" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message

On the other side, we have:

Jul  6 10:42:44 covtestvpn2 charon: 09[NET] sending packet: from 192.168.100.38[500] to 192.168.100.37[500] (1532 bytes)
Jul  6 10:42:44 covtestvpn2 charon: 10[NET] received packet: from 192.168.100.37[500] to 192.168.100.38[500] (76 bytes)
Jul  6 10:42:44 covtestvpn2 charon: 10[ENC] invalid HASH_V1 payload length, decryption failed?
Jul  6 10:42:44 covtestvpn2 charon: 10[ENC] could not decrypt payloads

That 76 byte response appears to correspond with 'INVALID_ID_INFORMATION' from openswan.

Jul  6 10:35:07 covtestvpn pluto[10258]: "test" #2: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500

Does any of this help?

Matt

-----Original Message-----
From: Matt Killock
Sent: 06 July 2017 10:14
To: 'andy' <andy at andynet.net>
Cc: users at lists.openswan.org
Subject: RE: [Openswan Users] OpenSwan to Strongswan RSA Problem

Hi Andy,

The daemon log has this after a restart:

Jul  6 09:20:17 covtestvpn ipsec_setup: Stopping Openswan IPsec...
Jul  6 09:20:19 covtestvpn ipsec_setup: ...Openswan IPsec stopped Jul  6 09:20:19 covtestvpn ipsec_setup: Starting Openswan IPsec U2.6.37/K3.2.0-4-amd64...
Jul  6 09:20:19 covtestvpn ipsec_setup: Using NETKEY(XFRM) stack Jul  6 09:20:19 covtestvpn ipsec_setup: ...Openswan IPsec started Jul  6 09:20:19 covtestvpn ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d Jul  6 09:20:19 covtestvpn ipsec__plutorun: 002 loading certificate from /etc/ipsec.d/certs/covazfw.pem
Jul  6 09:20:19 covtestvpn ipsec__plutorun: 002   loaded host cert file '/etc/ipsec.d/certs/covazfw.pem' (1550 bytes)
Jul  6 09:20:19 covtestvpn ipsec__plutorun: 002 loading certificate from /etc/ipsec.d/certs/aspfw2.pem
Jul  6 09:20:19 covtestvpn ipsec__plutorun: 002   loaded host cert file '/etc/ipsec.d/certs/aspfw2.pem' (1545 bytes)
Jul  6 09:20:19 covtestvpn ipsec__plutorun: 002 added connection description "test"
Jul  6 09:20:19 covtestvpn ipsec__plutorun: 104 "test" #1: STATE_MAIN_I1: initiate

Auth.log has this

Jul  6 09:20:17 covtestvpn pluto[7623]: shutting down Jul  6 09:20:17 covtestvpn pluto[7623]: forgetting secrets Jul  6 09:20:17 covtestvpn pluto[7623]: "test": deleting connection Jul  6 09:20:17 covtestvpn pluto[7623]: "test" #1236: deleting state (STATE_MAIN_I1) Jul  6 09:20:17 covtestvpn pluto[7623]: shutting down interface lo/lo 127.0.0.1:4500 Jul  6 09:20:17 covtestvpn pluto[7623]: shutting down interface lo/lo 127.0.0.1:500 Jul  6 09:20:17 covtestvpn pluto[7623]: shutting down interface eth0/eth0 192.168.100.37:4500 Jul  6 09:20:17 covtestvpn pluto[7623]: shutting down interface eth0/eth0 192.168.100.37:500 Jul  6 09:20:17 covtestvpn pluto[7623]: shutting down interface vlan2/vlan2 10.2.0.1:4500 Jul  6 09:20:17 covtestvpn pluto[7623]: shutting down interface vlan2/vlan2 10.2.0.1:500 Jul  6 09:20:17 covtestvpn pluto[7627]: pluto_crypto_helper: helper (0) is  normal exiting Jul  6 09:20:19 covtestvpn ipsec__plutorun: Starting Pluto subsystem...
Jul  6 09:20:19 covtestvpn pluto[8428]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:8428 Jul  6 09:20:19 covtestvpn pluto[8428]: LEAK_DETECTIVE support [disabled] Jul  6 09:20:19 covtestvpn pluto[8428]: OCF support for IKE [disabled] Jul  6 09:20:19 covtestvpn pluto[8428]: SAref support [disabled]: Protocol not available Jul  6 09:20:19 covtestvpn pluto[8428]: SAbind support [disabled]: Protocol not available Jul  6 09:20:19 covtestvpn pluto[8428]: NSS support [disabled] Jul  6 09:20:19 covtestvpn pluto[8428]: HAVE_STATSD notification support not compiled in Jul  6 09:20:19 covtestvpn pluto[8428]: Setting NAT-Traversal port-4500 floating to on
Jul  6 09:20:19 covtestvpn pluto[8428]:    port floating activation criteria nat_t=1/port_float=1
Jul  6 09:20:19 covtestvpn pluto[8428]:    NAT-Traversal support  [enabled]
Jul  6 09:20:19 covtestvpn pluto[8428]: using /dev/urandom as source of random entropy Jul  6 09:20:19 covtestvpn pluto[8428]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0) Jul  6 09:20:19 covtestvpn pluto[8428]: starting up 1 cryptographic helpers Jul  6 09:20:19 covtestvpn pluto[8428]: started helper pid=8432 (fd:6) Jul  6 09:20:19 covtestvpn pluto[8428]: Using Linux 2.6 IPsec interface code on 3.2.0-4-amd64 (experimental code) Jul  6 09:20:19 covtestvpn pluto[8432]: using /dev/urandom as source of random entropy Jul  6 09:20:19 covtestvpn pluto[8428]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0) Jul  6 09:20:19 covtestvpn pluto[8428]: ike_alg_add(): ERROR: Algorithm already exists Jul  6 09:20:19 covtestvpn pluto[8428]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17) Jul  6 09:20:19 covtestvpn pluto[8428]: ike_alg_add(): ERROR: Algorithm already exists Jul  6 09:20:19 covtestvpn pluto[8428]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17) Jul  6 09:20:19 covtestvpn pluto[8428]: ike_alg_add(): ERROR: Algorithm already exists Jul  6 09:20:19 covtestvpn pluto[8428]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17) Jul  6 09:20:19 covtestvpn pluto[8428]: ike_alg_add(): ERROR: Algorithm already exists Jul  6 09:20:19 covtestvpn pluto[8428]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17) Jul  6 09:20:19 covtestvpn pluto[8428]: ike_alg_add(): ERROR: Algorithm already exists Jul  6 09:20:19 covtestvpn pluto[8428]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17) Jul  6 09:20:19 covtestvpn pluto[8428]: Changed path to directory '/etc/ipsec.d/cacerts'
Jul  6 09:20:19 covtestvpn pluto[8428]:   loaded CA cert file 'strongswanCert.pem' (1883 bytes)
Jul  6 09:20:19 covtestvpn pluto[8428]:   discarded CA cert file 'crl.pem', bad size 0 bytes
Jul  6 09:20:19 covtestvpn pluto[8428]: Changed path to directory '/etc/ipsec.d/aacerts'
Jul  6 09:20:19 covtestvpn pluto[8428]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Jul  6 09:20:19 covtestvpn pluto[8428]: Changing to directory '/etc/ipsec.d/crls'
Jul  6 09:20:19 covtestvpn pluto[8428]:   Warning: empty directory
Jul  6 09:20:19 covtestvpn pluto[8428]: loading certificate from /etc/ipsec.d/certs/covazfw.pem
Jul  6 09:20:19 covtestvpn pluto[8428]:   loaded host cert file '/etc/ipsec.d/certs/covazfw.pem' (1550 bytes)
Jul  6 09:20:19 covtestvpn pluto[8428]: loading certificate from /etc/ipsec.d/certs/aspfw2.pem
Jul  6 09:20:19 covtestvpn pluto[8428]:   loaded host cert file '/etc/ipsec.d/certs/aspfw2.pem' (1545 bytes)
Jul  6 09:20:19 covtestvpn pluto[8428]: added connection description "test"
Jul  6 09:20:19 covtestvpn pluto[8428]: listening for IKE messages Jul  6 09:20:19 covtestvpn pluto[8428]: adding interface vlan2/vlan2 10.2.0.1:500 Jul  6 09:20:19 covtestvpn pluto[8428]: adding interface vlan2/vlan2 10.2.0.1:4500 Jul  6 09:20:19 covtestvpn pluto[8428]: adding interface eth0/eth0 192.168.100.37:500 Jul  6 09:20:19 covtestvpn pluto[8428]: adding interface eth0/eth0 192.168.100.37:4500 Jul  6 09:20:19 covtestvpn pluto[8428]: adding interface lo/lo 127.0.0.1:500 Jul  6 09:20:19 covtestvpn pluto[8428]: adding interface lo/lo 127.0.0.1:4500 Jul  6 09:20:19 covtestvpn pluto[8428]: loading secrets from "/etc/ipsec.secrets"
Jul  6 09:20:19 covtestvpn pluto[8428]:   loaded private key file '/etc/ipsec.d/private/covazfw.pem' (1680 bytes)
Jul  6 09:20:19 covtestvpn pluto[8428]: loaded private key for keyid: PPK_RSA:AwEAAcRgJ Jul  6 09:20:19 covtestvpn pluto[8428]: "test" #1: initiating Main Mode Jul  6 09:20:19 covtestvpn pluto[8428]: "test" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 192.168.100.38 port 500, complainant 192.168.100.
38: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)] Jul  6 09:20:29 covtestvpn pluto[8428]: "test" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 192.168.100.38 port 500, complainant 192.168.100.
38: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)] Jul  6 09:20:49 covtestvpn pluto[8428]: "test" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 192.168.100.38 port 500, complainant 192.168.100.
38: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

And for completeness, ipsec auto --listall shows:


000
000 List of Public Keys:
000
000 Jul 06 10:11:07 2017, 2048 RSA Key AwEAAcy+d (no private key), until Jul 02 12:02:08 2027 ok
000        ID_FQDN '@aspfw2'
000        Issuer 'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000 Jul 06 10:11:07 2017, 2048 RSA Key AwEAAcy+d (no private key), until Jul 02 12:02:08 2027 ok
000        ID_DER_ASN1_DN 'C=CH, O=strongSwan, CN=aspfw2'
000        Issuer 'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000 Jul 06 10:11:07 2017, 2048 RSA Key AwEAAcRgJ (has private key), until Jul 02 12:02:33 2027 ok
000        ID_FQDN '@covazfw'
000        Issuer 'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000 Jul 06 10:11:07 2017, 2048 RSA Key AwEAAcRgJ (has private key), until Jul 02 12:02:33 2027 ok
000        ID_DER_ASN1_DN 'C=CH, O=strongSwan, CN=covazfw'
000        Issuer 'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000     13: RSA (none) (none)
000
000 List of X.509 End Certificates:
000
000 Jul 06 10:11:07 2017, count: 1
000        subject: 'C=CH, O=strongSwan, CN=aspfw2'
000        issuer:  'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000        serial:   6e:b6:19:7d:32:cf:f2:71
000        pubkey:   2048 RSA Key AwEAAcy+d
000        validity: not before Jul 04 12:02:08 2017 ok
000                  not after  Jul 02 12:02:08 2027 ok
000        authkey:  e0:3f:02:fc:16:ed:68:a3:32:33:90:58:19:47:9e:47:df:c3:0e:bd
000 Jul 06 10:11:07 2017, count: 1
000        subject: 'C=CH, O=strongSwan, CN=covazfw'
000        issuer:  'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000        serial:   7e:e8:67:46:30:ab:d3:9b
000        pubkey:   2048 RSA Key AwEAAcRgJ, has private key
000        validity: not before Jul 04 12:02:33 2017 ok
000                  not after  Jul 02 12:02:33 2027 ok
000        authkey:  e0:3f:02:fc:16:ed:68:a3:32:33:90:58:19:47:9e:47:df:c3:0e:bd
000
000 List of X.509 CA Certificates:
000
000 Jul 06 10:11:07 2017, count: 1
000        subject: 'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000        issuer:  'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000        serial:   04:7f:62:d3:d0:15:8c:d5
000        pubkey:   4096 RSA Key AwEAAdpxe
000        validity: not before Jul 04 12:01:26 2017 ok
000                  not after  Jul 02 12:01:26 2027 ok
000        subjkey:  e0:3f:02:fc:16:ed:68:a3:32:33:90:58:19:47:9e:47:df:c3:0e:bd

I wonder if I should be using ID_FQDN '@aspfw2' these instead?

I'll try and report back

Matt



-----Original Message-----
From: andy [mailto:andy at andynet.net]
Sent: 05 July 2017 13:24
To: Matt Killock <mailto:matt.killock at praemium.com>
Cc: mailto:users at lists.openswan.org
Subject: Re: [Openswan Users] OpenSwan to Strongswan RSA Problem

On Tue, Jul 04, 2017 at 07:13:08PM +0000, Matt Killock wrote:

..snip..
> 000 "test":
> 10.2.0.0/24===192.168.100.37<192.168.100.37>[0x3068310B300906035504061
> 302434831133011060355040A130A7374726F6E675377616E3110300E0603550403130
> 7636F76617A66770000000000000000000000000000000000000000000000000000000
> 0000000000000000000000000000000000000000000000000,+S=C]...192.168.100.
> 38<192.168.100.38>[0x3066310B300906035504061302434831133011060355040A1
> 30A7374726F6E675377616E310F300D060355040313066173706677320000000000000
> 0000000000000000000000000000000000000000000000000000000000000000000000
> 0000000000000000000,+S=C]===10.1.0.0/24; prospective erouted; eroute
> owner: #0

Hmm - this is weird! Looks to me that maybe your config hasn't loaded properly - I'd expect to see the left/rightids inside the square brackets here, not these long hex strings. I've never seen that before.
But maybe something has changed in recent versions of Openswan - it's beeen a while since I used it.

I was expecting to see something like:
"test": 10.2.0.0/24===192.168.100.37<192.168.100.37>[C=CH, O=strongSwan, CN=covazfw]...192.168.100.38<192.168.100.38>[C=CH, O=strongSwan, CN=aspfw2]===10.1.0.0/24

If it's getting the IDs wrong somehow, that would explain why it can't find a matching connection.

Perhaps there are more clues in the logs? Does it mention if it's loaded the CA cert? Perhaps you could post all of /var/log/auth.log while restarting Openswan? I'm not sure what else to suggest atm.





> 000 "test":     myip=unset; hisip=unset;
> 000 "test":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "test":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK; prio: 24,24; interface: eth0;
> 000 "test":   dpd: action:clear; delay:15; timeout:50;
> 000 "test":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "test":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP2048(14); flags=-strict
> 000 "test":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP2048(14)
> 000 "test":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; flags=-strict
> 000 "test":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
> 000
> 000 #122: "test":500 STATE_MAIN_I1 (sent MI1, expecting MR1);
> EVENT_RETRANSMIT in 2s; nodpd; idle; import:admin initiate
> 000 #122: pending Phase 2 for "test" replacing #0
> 000
>
> Thanks
> Matt
>
>
> -----Original Message-----
> From: andy [mailto:andy at andynet.net]
> Sent: 04 July 2017 17:36
> To: Matt Killock <mailto:matt.killock at praemium.com>
> Cc: mailto:users at lists.openswan.org
> Subject: Re: [Openswan Users] OpenSwan to Strongswan RSA Problem
>
> Hi Matt -
> can you post the Openswan output from 'ipsec auto --status' please?
>
> Thanks
> Andy
>
> On Tue, Jul 04, 2017 at 03:51:32PM +0000, Matt Killock wrote:
> > Hello,
> >
> >
> >
> > I managed to make a working connection between two linux machines,
> > one running OpenSwan and the other running StrongSwan using PSK. The
> > config on the Openswan side was as follows:
> >
> >
> >
> > conn test
> >
> >         authby=secret
> >
> >         type=tunnel
> >
> >         left=192.168.100.37
> >
> >         leftsubnet=10.2.0.0/24
> >
> >         right=192.168.100.38
> >
> >         rightsubnet=10.1.0.0/24
> >
> >         auto=start
> >
> >         esp=aes128-sha1
> >
> >         ike=aes128-sha1-modp2048
> >
> >         rekey=yes
> >
> >         dpdaction=clear
> >
> >         dpddelay=15
> >
> >         dpdtimeout=50
> >
> >         compress=no
> >
> >
> >
> > However, after attempting to change this to work with RSA certs, I
> > have run into a problem. The Openswan config now looks like this:
> >
> >
> >
> > conn test
> >
> >         authby=rsasig
> >
> >         type=tunnel
> >
> >         left=192.168.100.37
> >
> >         leftsubnet=10.2.0.0/24
> >
> >         right=192.168.100.38
> >
> >         rightsubnet=10.1.0.0/24
> >
> >         auto=start
> >
> >         esp=aes128-sha1
> >
> >         ike=aes128-sha1-modp2048
> >
> >         rekey=yes
> >
> >         dpdaction=clear
> >
> >         dpddelay=15
> >
> >         dpdtimeout=50
> >
> >         compress=no
> >
> >         leftcert=/etc/ipsec.d/certs/covazfw.pem
> >
> >         rightcert=/etc/ipsec.d/certs/aspfw2.pem
> >
> >         leftid="C=CH, O=strongSwan, CN=covazfw"
> >
> >         rightid="C=CH, O=strongSwan, CN=aspfw2"
> >
> >
> >
> > All the relevant public certs are in the ipsec.d subfolder
> > hierarchy, along with the private key for the OpenSwan side covazfw.pem.
> >
> >
> >
> > Ipsec.secrets is as follows:
> >
> >
> >
> > : RSA /etc/ipsec.d/private/covazfw.pem
> >
> >
> >
> > The auth.log shows this:
> >
> >
> >
> > Jul  4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500:
> > received Vendor ID payload [XAUTH]
> >
> > Jul  4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500:
> > received Vendor ID payload [Dead Peer Detection]
> >
> > Jul  4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500:
> > received Vendor ID payload [RFC 3947] method set to=109
> >
> > Jul  4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500:
> > received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> > meth=106, but already using method 109
> >
> > Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: responding to
> > Main Mode
> >
> > Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: transition from
> > state
> > STATE_MAIN_R0 to state STATE_MAIN_R1
> >
> > Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: STATE_MAIN_R1:
> > sent MR1, expecting MI2
> >
> > Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: NAT-Traversal:
> > Result using RFC 3947 (NAT-Traversal): no NAT detected
> >
> > Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: transition from
> > state
> > STATE_MAIN_R1 to state STATE_MAIN_R2
> >
> > Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: STATE_MAIN_R2:
> > sent MR2, expecting MI3
> >
> > Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: Main mode peer
> > ID is
> > ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
> >
> > Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: no suitable
> > connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
> >
> > Jul  4 16:37:43 covtestvpn pluto[7623]: "test" #14: sending
> > encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
> >
> > Jul  4 16:37:47 covtestvpn pluto[7623]: "test" #14: Main mode peer
> > ID is
> > ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
> >
> > Jul  4 16:37:47 covtestvpn pluto[7623]: "test" #14: no suitable
> > connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
> >
> > Jul  4 16:37:47 covtestvpn pluto[7623]: "test" #14: sending
> > encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
> >
> >
> >
> > It seems that it cannot / will not authenticate the certificate from
> > the Strongswan side. Could someone tell me what I’m doing wrong please?
> >
> >
> >
> > Thanks
> >
> >
> >
> > Matt
> >
> >
> > ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
> > ━━━━━━━━━━━
> >
> > Plum Software is a fully owned subsidiary of Praemium Limited.
> >
> > This e-mail is confidential. It may also be legally privileged. If
> > you are not the addressee, you may not copy, forward, disclose or
> > use any part of it. If you have received this message in error,
> > please delete it and all copies from your system and notify the
> > sender immediately by return email. Internet communications cannot
> > be guaranteed to be timely, secure, or error or virus free. The sender does not accept liability for any errors or omissions.
> >
> > In the UK the Praemium Group is: Praemium Portfolio Services Ltd
> > (Company
> > Number: 05362168), Praemium (UK) Ltd (Company Number: 05362153),
> > Praemium Administration Ltd (Company Number: 06016828) and Smartfund
> > Nominees Ltd (Company Number: 07153417) each having its registered
> > office at 4th Floor, Suite 643-659, Salisbury House, London Wall, London, EC2M 5QQ, United Kingdom.
> > Praemium Administration Ltd is authorised and regulated by the
> > Financial Conduct Authority under reference 463566. See
> > http://www.fca.org.uk/register for more details.
> >
> > In Jersey the Praemium Group is: Praemium International Ltd (Company Number:
> > 107624) which has its registered office at 3rd Floor East, Salisbury
> > House, 1-9 Union Street, St Helier, JE2 3RF and is regulated under
> > the Financial Service
> > (Jersey) Law 1998 by the Jersey Financial Services Commission for
> > the conduct of investment business in Jersey. See
> > http://www.jerseyfsc.org for more details.
> >
> > Thank you for your cooperation. Please contact us on +44 (0)207 5622
> > 450 if you require assistance.
> >
> > --
> > This message has been scanned for viruses and dangerous content by
> > MailScanner, and is believed to be clean.
>
> > _______________________________________________
> > mailto:Users at lists.openswan.org
> > https://lists.openswan.org/mailman/listinfo/users
> > Micropayments:
> > https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > Building and Integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=28
> > 3155
>
>
> ________________________________
>
> Plum Software is a fully owned subsidiary of Praemium Limited.
>
> This e-mail is confidential. It may also be legally privileged. If you are not the addressee, you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return email. Internet communications cannot be guaranteed to be timely, secure, or error or virus free. The sender does not accept liability for any errors or omissions.
>
> In the UK the Praemium Group is: Praemium Portfolio Services Ltd (Company Number: 05362168), Praemium (UK) Ltd (Company Number: 05362153), Praemium Administration Ltd (Company Number: 06016828) and Smartfund Nominees Ltd (Company Number: 07153417) each having its registered office at 4th Floor, Suite 643-659, Salisbury House, London Wall, London, EC2M 5QQ, United Kingdom. Praemium Administration Ltd is authorised and regulated by the Financial Conduct Authority under reference 463566. See http://www.fca.org.uk/register for more details.
>
> In Jersey the Praemium Group is: Praemium International Ltd (Company Number: 107624) which has its registered office at 3rd Floor East, Salisbury House, 1-9 Union Street, St Helier, JE2 3RF and is regulated under the Financial Service (Jersey) Law 1998 by the Jersey Financial Services Commission for the conduct of investment business in Jersey. See http://www.jerseyfsc.org for more details.
>
> Thank you for your cooperation. Please contact us on +44 (0)207 5622 450 if you require assistance.
>
> --
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is believed to be clean.
>
>

________________________________

Plum Software is a fully owned subsidiary of Praemium Limited.

This e-mail is confidential. It may also be legally privileged. If you are not the addressee, you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return email. Internet communications cannot be guaranteed to be timely, secure, or error or virus free. The sender does not accept liability for any errors or omissions.

In the UK the Praemium Group is: Praemium Portfolio Services Ltd (Company Number: 05362168), Praemium (UK) Ltd (Company Number: 05362153), Praemium Administration Ltd (Company Number: 06016828) and Smartfund Nominees Ltd (Company Number: 07153417) each having its registered office at 4th Floor, Suite 643-659, Salisbury House, London Wall, London, EC2M 5QQ, United Kingdom. Praemium Administration Ltd is authorised and regulated by the Financial Conduct Authority under reference 463566. See http://www.fca.org.uk/register for more details.

In Jersey the Praemium Group is: Praemium International Ltd (Company Number: 107624) which has its registered office at 3rd Floor East, Salisbury House, 1-9 Union Street, St Helier, JE2 3RF and is regulated under the Financial Service (Jersey) Law 1998 by the Jersey Financial Services Commission for the conduct of investment business in Jersey. See http://www.jerseyfsc.org for more details.

Thank you for your cooperation. Please contact us on +44 (0)207 5622 450 if you require assistance.


More information about the Users mailing list