[Openswan Users] OpenSwan to Strongswan RSA Problem
andy
andy at andynet.net
Fri Jul 7 13:06:31 EDT 2017
On Fri, Jul 07, 2017 at 02:27:39PM +0000, Matt Killock wrote:
> OK, I got this working…
Cool!
>
> BUT - it makes no sense to me. My OpenSwan config now looks like this:
>
> conn test
> authby=rsasig
> type=tunnel
> left=192.168.100.37
> leftsubnet=10.2.0.0/24
> right=192.168.100.38
> rightsubnet=10.1.0.0/24
> auto=start
> esp=aes128-sha1
> ike=aes128-sha1-modp2048
> rekey=yes
> dpdaction=clear
> dpddelay=15
> dpdtimeout=50
> compress=no
> leftcert=/etc/ipsec.d/certs/covazfw.pem
> rightcert=/etc/ipsec.d/certs/aspfw2.pem
> leftid="aaaaaaaaaaaaaaaaaaaa"
> rightid="bbbbbbbbbbbbbbbbbbb"
>
>
> So what made it work was adding those bogus leftid/rightid lines.
Weird indeed.
Just comparing with a similar setup that's working for me:
In my case I have
leftcert=xxx.pem
leftid=%fromcert
rightid="DN from peer cert"
and I have no rightcert entry - shouldn't be needed as the peer sends its cert.
None of that seems to explain what you're seeing! But may be something else to try.
>
> Ipsec auto --status now shows the expected values:
>
> 000 "test": 10.2.0.0/24===192.168.100.37<192.168.100.37>[C=CH, O=strongSwan2, CN=covazfw,+S=C]...192.168.100.38<192.168.100.38>[C=CH, O=strongSwan2, CN=aspfw2,+S=C]===10.1.0.0/24; erouted; eroute owner: #2
>
> When I changed just the leftid, I saw this in the logs:
>
> Jul 7 15:11:03 covtestvpn pluto[20554]: "test" #1: we require peer to have ID '0x3068310B300906035504061302434831143012060355040A130B7374726F6E675377616E32310F300D0603550403130661737066773200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000', but peer declares 'C=CH, O=strongSwan2, CN=aspfw2'
>
> Which seems to confirm the theory that OpenSwan was trying to match the long HEX value to the DN.
>
> So... Huh? Hope that makes sense to someone!
>
> Anyway, thanks for your help, it helped me narrow down what things to experiment with to find a solution.
>
> Matt
>
> -----Original Message-----
> From: Users [mailto:users-bounces at lists.openswan.org] On Behalf Of Matt Killock
> Sent: 07 July 2017 13:08
> To: andy <andy at andynet.net>
> Cc: users at lists.openswan.org
> Subject: Re: [Openswan Users] OpenSwan to Strongswan RSA Problem
>
> Sorry I hit send too soon.
>
> The Strongswan side seems to receive the cert from the Openswan side OK, (2nd line) but then it can't match the config on it's own side? Is that right? What does the 'invalid ID_DER_AS1_DN' refer to? The covazfw cert or it's own cert (aspfw2)?
>
> Then it seems to say there is no config that matches the request, and sends back a failure message.
>
> Jul 7 13:05:26 covtestvpn2 charon: 08[IKE] received cert request for 'C=CH, O=strongSwan2, CN=Plum IPSec Root CA'
> Jul 7 13:05:26 covtestvpn2 charon: 08[IKE] received end entity cert "C=CH, O=strongSwan2, CN=covazfw"
> Jul 7 13:05:26 covtestvpn2 charon: 08[CFG] looking for RSA signature peer configs matching 192.168.100.38...192.168.100.37[C=CH, O=strongSwan2, CN=covazfw, (invalid ID_DER_ASN1_DN)] Jul 7 13:05:26 covtestvpn2 charon: 08[IKE] no peer config found Jul 7 13:05:26 covtestvpn2 charon: 08[ENC] generating INFORMATIONAL_V1 request 3812851300 [ HASH N(AUTH_FAILED) ]
>
> So is the problem on the Strongswan side?
>
> Matt
>
> -----Original Message-----
> From: andy [mailto:andy at andynet.net]
> Sent: 06 July 2017 18:56
> To: Matt Killock <matt.killock at praemium.com>
> Cc: Andreas Steffen <andreas.steffen at strongsec.net>; users at lists.openswan.org
> Subject: Re: [Openswan Users] OpenSwan to Strongswan RSA Problem
>
> A long shot - I see your CA cert has a 4096 bit key. There are some issues with Openswan to do with 4096 bit
> *private* keys - I don't recall anyone mentioning any problem with a public key that long. But you never know...
> So you might want to try with a 2048 bit key...
>
> Another possibility - your version of Openswan is quite old, maybe worth upgrading?
>
> - Andy
>
>
> On Thu, Jul 06, 2017 at 04:19:28PM +0000, Matt Killock wrote:
> > Any ideas Andreas?
> >
> > I read somewhere about a possible fragmentation issue with large certificates so I tried 1024 bit certificates and got nowhere, these don't seem to be accepted by Strongswan, so I reverted to the 2048 bit certs. The certificates seem to load OK both sides, ipsec auto --listall shows them, along with the correct 'has private key' notice. I am doubtful about fragmentation issues as these two machines are VMs on the same host machine on the same subnet, and tcpdump icmp shows no fragmentation notices.
> >
> > As Andy noted, the ipsec auto --status seems to show long HEX values, instead of the DNs, is that expected?
> >
> > 000 "test":
> > 10.2.0.0/24===192.168.100.37<192.168.100.37>[0x3068310B300906035504061
> > 302434831133011060355040A130A7374726F6E675377616E3110300E0603550403130
> > 7636F76617A66770000000000000000000000000000000000000000000000000000000
> > 0000000000000000000000000000000000000000000000000,+S=C]...192.168.100.
> > 38<192.168.100.38>[0x3066310B300906035504061302434831133011060355040A1
> > 30A7374726F6E675377616E310F300D060355040313066173706677320000000000000
> > 0000000000000000000000000000000000000000000000000000000000000000000000
> > 0000000000000000000,+S=C]===10.1.0.0/24; prospective erouted; eroute
> > owner: #0
> >
> > Openswan doesn't seem to recognise the cert, is it trying to match 'C=CH, O=strongSwan, CN=aspfw2' against '0x3066310B300906035504061302434831133011060355040A130A7374726F6E675377616E310F300D06035504031306617370667732000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' ?
> >
> > Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: responding to Main
> > Mode Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: transition
> > from state STATE_MAIN_R0 to state STATE_MAIN_R1 Jul 6 17:15:02
> > covtestvpn pluto[13386]: "test" #2: STATE_MAIN_R1: sent MR1, expecting
> > MI2 Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: NAT-Traversal:
> > Result using RFC 3947 (NAT-Traversal): no NAT detected Jul 6 17:15:02
> > covtestvpn pluto[13386]: "test" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2 Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: STATE_MAIN_R2: sent MR2, expecting MI3 Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
> > Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: no crl from issuer
> > "C=CH, O=strongSwan, CN=Plum IPSec Root CA" found (strict=no) Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: no suitable connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
> > Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: sending encrypted
> > notification INVALID_ID_INFORMATION to 192.168.100.38:500
> >
> > Any clues might be helpful
> >
> > Thanks
> >
> > Matt
> >
> > -----Original Message-----
> > From: Andreas Steffen [mailto:andreas.steffen at strongsec.net]
> > Sent: 04 July 2017 18:30
> > To: Matt Killock <matt.killock at praemium.com>; users at lists.openswan.org
> > Subject: Re: [Openswan Users] OpenSwan to Strongswan RSA Problem
> >
> > Hi Matt,
> >
> > could you post the /etc/ipsec.d/certs/aspfw2.pem certificate?
> >
> > Regards
> >
> > Andreas
> >
> > On 04.07.2017 17:51, Matt Killock wrote:
> > > Hello,
> > >
> > > I managed to make a working connection between two linux machines,
> > > one running OpenSwan and the other running StrongSwan using PSK. The
> > > config on the Openswan side was as follows:
> > >
> > > conn test
> > >
> > > authby=secret
> > >
> > > type=tunnel
> > >
> > > left=192.168.100.37
> > >
> > > leftsubnet=10.2.0.0/24
> > >
> > > right=192.168.100.38
> > >
> > > rightsubnet=10.1.0.0/24
> > >
> > > auto=start
> > >
> > > esp=aes128-sha1
> > >
> > > ike=aes128-sha1-modp2048
> > >
> > > rekey=yes
> > >
> > > dpdaction=clear
> > >
> > > dpddelay=15
> > >
> > > dpdtimeout=50
> > >
> > > compress=no
> > >
> > > However, after attempting to change this to work with RSA certs, I
> > > have run into a problem. The Openswan config now looks like this:
> > >
> > > conn test
> > >
> > > authby=rsasig
> > >
> > > type=tunnel
> > >
> > > left=192.168.100.37
> > >
> > > leftsubnet=10.2.0.0/24
> > >
> > > right=192.168.100.38
> > >
> > > rightsubnet=10.1.0.0/24
> > >
> > > auto=start
> > >
> > > esp=aes128-sha1
> > >
> > > ike=aes128-sha1-modp2048
> > >
> > > rekey=yes
> > >
> > > dpdaction=clear
> > >
> > > dpddelay=15
> > >
> > > dpdtimeout=50
> > >
> > > compress=no
> > >
> > > leftcert=/etc/ipsec.d/certs/covazfw.pem
> > >
> > > rightcert=/etc/ipsec.d/certs/aspfw2.pem
> > >
> > > leftid="C=CH, O=strongSwan, CN=covazfw"
> > >
> > > rightid="C=CH, O=strongSwan, CN=aspfw2"
> > >
> > > All the relevant public certs are in the ipsec.d subfolder
> > > hierarchy, along with the private key for the OpenSwan side covazfw.pem.
> > >
> > > Ipsec.secrets is as follows:
> > >
> > > : RSA /etc/ipsec.d/private/covazfw.pem
> > >
> > > The auth.log shows this:
> > >
> > > Jul 4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500:
> > > received Vendor ID payload [XAUTH]
> > >
> > > Jul 4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500:
> > > received Vendor ID payload [Dead Peer Detection]
> > >
> > > Jul 4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500:
> > > received Vendor ID payload [RFC 3947] method set to=109
> > >
> > > Jul 4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500:
> > > received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> > > meth=106, but already using method 109
> > >
> > > Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: responding to
> > > Main Mode
> > >
> > > Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: transition from
> > > state STATE_MAIN_R0 to state STATE_MAIN_R1
> > >
> > > Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: STATE_MAIN_R1:
> > > sent MR1, expecting MI2
> > >
> > > Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: NAT-Traversal:
> > > Result using RFC 3947 (NAT-Traversal): no NAT detected
> > >
> > > Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: transition from
> > > state STATE_MAIN_R1 to state STATE_MAIN_R2
> > >
> > > Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: STATE_MAIN_R2:
> > > sent MR2, expecting MI3
> > >
> > > Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: Main mode peer
> > > ID is
> > > ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
> > >
> > > Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: no suitable
> > > connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
> > >
> > > Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: sending
> > > encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
> > >
> > > Jul 4 16:37:47 covtestvpn pluto[7623]: "test" #14: Main mode peer
> > > ID is
> > > ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
> > >
> > > Jul 4 16:37:47 covtestvpn pluto[7623]: "test" #14: no suitable
> > > connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
> > >
> > > Jul 4 16:37:47 covtestvpn pluto[7623]: "test" #14: sending
> > > encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
> > >
> > > It seems that it cannot / will not authenticate the certificate from
> > > the Strongswan side. Could someone tell me what I’m doing wrong please?
> > >
> > > Thanks
> > >
> > > Matt
> > >
> > >
> > > --------------------------------------------------------------------
> > > ----
> > >
> > > Plum Software is a fully owned subsidiary of Praemium Limited.
> > >
> > > This e-mail is confidential. It may also be legally privileged. If
> > > you are not the addressee, you may not copy, forward, disclose or
> > > use any part of it. If you have received this message in error,
> > > please delete it and all copies from your system and notify the
> > > sender immediately by return email. Internet communications cannot
> > > be guaranteed to be timely, secure, or error or virus free. The
> > > sender does not accept liability for any errors or omissions.
> > >
> > > In the UK the Praemium Group is: Praemium Portfolio Services Ltd
> > > (Company Number: 05362168), Praemium (UK) Ltd (Company Number:
> > > 05362153), Praemium Administration Ltd (Company Number: 06016828)
> > > and Smartfund Nominees Ltd (Company Number: 07153417) each having
> > > its registered office at 4th Floor, Suite 643-659, Salisbury House,
> > > London Wall, London, EC2M 5QQ, United Kingdom. Praemium
> > > Administration Ltd is authorised and regulated by the Financial
> > > Conduct Authority under reference 463566. See http://www.fca.org.uk/register for more details.
> > >
> > > In Jersey the Praemium Group is: Praemium International Ltd (Company
> > > Number: 107624) which has its registered office at 3rd Floor East,
> > > Salisbury House, 1-9 Union Street, St Helier, JE2 3RF and is
> > > regulated under the Financial Service (Jersey) Law 1998 by the
> > > Jersey Financial Services Commission for the conduct of investment business in Jersey.
> > > See http://www.jerseyfsc.org for more details.
> > >
> > > Thank you for your cooperation. Please contact us on +44 (0)207 5622
> > > 450 if you require assistance.
> > >
> > >
> > > _______________________________________________
> > > Users at lists.openswan.org
> > > https://lists.openswan.org/mailman/listinfo/users
> > > Micropayments:
> > > https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > > Building and Integrating Virtual Private Networks with Openswan:
> > > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=28
> > > 3155
> > >
> >
> > --
> > =======================================================================
> > Andreas Steffen e-mail: andreas.steffen at strongsec.net
> > strongSec GmbH home: http://www.strongsec.net
> > Alter Zürichweg 20 phone: +41 44 730 80 64
> > CH-8952 Schlieren (Switzerland) fax: +41 44 730 80 65
> > ==========================================[strong internet
> > security]===
> >
> >
> > ________________________________
> >
> > Plum Software is a fully owned subsidiary of Praemium Limited.
> >
> > This e-mail is confidential. It may also be legally privileged. If you are not the addressee, you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return email. Internet communications cannot be guaranteed to be timely, secure, or error or virus free. The sender does not accept liability for any errors or omissions.
> >
> > In the UK the Praemium Group is: Praemium Portfolio Services Ltd (Company Number: 05362168), Praemium (UK) Ltd (Company Number: 05362153), Praemium Administration Ltd (Company Number: 06016828) and Smartfund Nominees Ltd (Company Number: 07153417) each having its registered office at 4th Floor, Suite 643-659, Salisbury House, London Wall, London, EC2M 5QQ, United Kingdom. Praemium Administration Ltd is authorised and regulated by the Financial Conduct Authority under reference 463566. See http://www.fca.org.uk/register for more details.
> >
> > In Jersey the Praemium Group is: Praemium International Ltd (Company Number: 107624) which has its registered office at 3rd Floor East, Salisbury House, 1-9 Union Street, St Helier, JE2 3RF and is regulated under the Financial Service (Jersey) Law 1998 by the Jersey Financial Services Commission for the conduct of investment business in Jersey. See http://www.jerseyfsc.org for more details.
> >
> > Thank you for your cooperation. Please contact us on +44 (0)207 5622 450 if you require assistance.
> > _______________________________________________
> > Users at lists.openswan.org
> > https://lists.openswan.org/mailman/listinfo/users
> > Micropayments:
> > https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > Building and Integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=2831
> > 55
> > --
> > This message has been scanned for viruses and dangerous content by
> > MailScanner, and is believed to be clean.
> >
> >
>
> ________________________________
>
> Plum Software is a fully owned subsidiary of Praemium Limited.
>
> This e-mail is confidential. It may also be legally privileged. If you are not the addressee, you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return email. Internet communications cannot be guaranteed to be timely, secure, or error or virus free. The sender does not accept liability for any errors or omissions.
>
> In the UK the Praemium Group is: Praemium Portfolio Services Ltd (Company Number: 05362168), Praemium (UK) Ltd (Company Number: 05362153), Praemium Administration Ltd (Company Number: 06016828) and Smartfund Nominees Ltd (Company Number: 07153417) each having its registered office at 4th Floor, Suite 643-659, Salisbury House, London Wall, London, EC2M 5QQ, United Kingdom. Praemium Administration Ltd is authorised and regulated by the Financial Conduct Authority under reference 463566. See http://www.fca.org.uk/register for more details.
>
> In Jersey the Praemium Group is: Praemium International Ltd (Company Number: 107624) which has its registered office at 3rd Floor East, Salisbury House, 1-9 Union Street, St Helier, JE2 3RF and is regulated under the Financial Service (Jersey) Law 1998 by the Jersey Financial Services Commission for the conduct of investment business in Jersey. See http://www.jerseyfsc.org for more details.
>
> Thank you for your cooperation. Please contact us on +44 (0)207 5622 450 if you require assistance.
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
> ________________________________
>
> Plum Software is a fully owned subsidiary of Praemium Limited.
>
> This e-mail is confidential. It may also be legally privileged. If you are not the addressee, you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return email. Internet communications cannot be guaranteed to be timely, secure, or error or virus free. The sender does not accept liability for any errors or omissions.
>
> In the UK the Praemium Group is: Praemium Portfolio Services Ltd (Company Number: 05362168), Praemium (UK) Ltd (Company Number: 05362153), Praemium Administration Ltd (Company Number: 06016828) and Smartfund Nominees Ltd (Company Number: 07153417) each having its registered office at 4th Floor, Suite 643-659, Salisbury House, London Wall, London, EC2M 5QQ, United Kingdom. Praemium Administration Ltd is authorised and regulated by the Financial Conduct Authority under reference 463566. See http://www.fca.org.uk/register for more details.
>
> In Jersey the Praemium Group is: Praemium International Ltd (Company Number: 107624) which has its registered office at 3rd Floor East, Salisbury House, 1-9 Union Street, St Helier, JE2 3RF and is regulated under the Financial Service (Jersey) Law 1998 by the Jersey Financial Services Commission for the conduct of investment business in Jersey. See http://www.jerseyfsc.org for more details.
>
> Thank you for your cooperation. Please contact us on +44 (0)207 5622 450 if you require assistance.
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
More information about the Users
mailing list