Discussion:
[Openswan Users] OpenSwan to Strongswan RSA Problem
Matt Killock
2017-07-04 15:51:32 UTC
Hello,

I managed to make a working connection between two linux machines, one running OpenSwan and the other running StrongSwan using PSK. The config on the Openswan side was as follows:

conn test
authby=secret
type=tunnel
left=192.168.100.37
leftsubnet=10.2.0.0/24
right=192.168.100.38
rightsubnet=10.1.0.0/24
auto=start
esp=aes128-sha1
ike=aes128-sha1-modp2048
rekey=yes
dpdaction=clear
dpddelay=15
dpdtimeout=50
compress=no

However, after attempting to change this to work with RSA certs, I have run into a problem. The Openswan config now looks like this:

conn test
authby=rsasig
type=tunnel
left=192.168.100.37
leftsubnet=10.2.0.0/24
right=192.168.100.38
rightsubnet=10.1.0.0/24
auto=start
esp=aes128-sha1
ike=aes128-sha1-modp2048
rekey=yes
dpdaction=clear
dpddelay=15
dpdtimeout=50
compress=no
leftcert=/etc/ipsec.d/certs/covazfw.pem
rightcert=/etc/ipsec.d/certs/aspfw2.pem
leftid="C=CH, O=strongSwan, CN=covazfw"
rightid="C=CH, O=strongSwan, CN=aspfw2"

All the relevant public certs are in the ipsec.d subfolder hierarchy, along with the private key for the OpenSwan side covazfw.pem.

ipsec.secrets is as follows:

: RSA /etc/ipsec.d/private/covazfw.pem

The auth.log shows this:

Jul 4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500: received Vendor ID payload [XAUTH]
Jul 4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500: received Vendor ID payload [Dead Peer Detection]
Jul 4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500: received Vendor ID payload [RFC 3947] method set to=109
Jul 4 16:37:43 covtestvpn pluto[7623]: packet from 192.168.100.38:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: responding to Main Mode
Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: no suitable connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
Jul 4 16:37:47 covtestvpn pluto[7623]: "test" #14: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
Jul 4 16:37:47 covtestvpn pluto[7623]: "test" #14: no suitable connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
Jul 4 16:37:47 covtestvpn pluto[7623]: "test" #14: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500

It seems that it cannot / will not authenticate the certificate from the Strongswan side. Could someone tell me what I'm doing wrong please?

Thanks

Matt

________________________________

Plum Software is a fully owned subsidiary of Praemium Limited.

This e-mail is confidential. It may also be legally privileged. If you are not the addressee, you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return email. Internet communications cannot be guaranteed to be timely, secure, or error or virus free. The sender does not accept liability for any errors or omissions.

In the UK the Praemium Group is: Praemium Portfolio Services Ltd (Company Number: 05362168), Praemium (UK) Ltd (Company Number: 05362153), Praemium Administration Ltd (Company Number: 06016828) and Smartfund Nominees Ltd (Company Number: 07153417) each having its registered office at 4th Floor, Suite 643-659, Salisbury House, London Wall, London, EC2M 5QQ, United Kingdom. Praemium Administration Ltd is authorised and regulated by the Financial Conduct Authority under reference 463566. See http://www.fca.org.uk/register for more details.

In Jersey the Praemium Group is: Praemium International Ltd (Company Number: 107624) which has its registered office at 3rd Floor East, Salisbury House, 1-9 Union Street, St Helier, JE2 3RF and is regulated under the Financial Service (Jersey) Law 1998 by the Jersey Financial Services Commission for the conduct of investment business in Jersey. See http://www.jerseyfsc.org for more details.

Thank you for your cooperation. Please contact us on +44 (0)207 5622 450 if you require assistance.
andy
2017-07-04 16:36:10 UTC
Hi Matt -
can you post the Openswan output from 'ipsec auto --status' please?

Thanks
Andy
_______________________________________________
***@lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/1
Matt Killock
2017-07-04 19:13:08 UTC
Hi Andy,

By all means:

000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.100.37
000 interface eth0/eth0 192.168.100.37
000 interface vlan2/vlan2 10.2.0.1
000 interface vlan2/vlan2 10.2.0.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,64} trans={0,1,3072} attrs={0,1,2048}
000
000 "test": 10.2.0.0/24===192.168.100.37<192.168.100.37>[0x3068310B300906035504061302434831133011060355040A130A7374726F6E675377616E3110300E06035504031307636F76617A667700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,+S=C]...192.168.100.38<192.168.100.38>[0x3066310B300906035504061302434831133011060355040A130A7374726F6E675377616E310F300D06035504031306617370667732000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,+S=C]===10.1.0.0/24; prospective erouted; eroute owner: #0
000 "test": myip=unset; hisip=unset;
000 "test": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "test": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK; prio: 24,24; interface: eth0;
000 "test": dpd: action:clear; delay:15; timeout:50;
000 "test": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "test": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP2048(14); flags=-strict
000 "test": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP2048(14)
000 "test": ESP algorithms wanted: AES(12)_128-SHA1(2)_000; flags=-strict
000 "test": ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000
000 #122: "test":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 2s; nodpd; idle; import:admin initiate
000 #122: pending Phase 2 for "test" replacing #0
000

Thanks
Matt


andy
2017-07-05 12:24:00 UTC
On Tue, Jul 04, 2017 at 07:13:08PM +0000, Matt Killock wrote:

..snip..
Post by Matt Killock
000 "test": 10.2.0.0/24===192.168.100.37<192.168.100.37>[0x3068310B300906035504061302434831133011060355040A130A7374726F6E675377616E3110300E06035504031307636F76617A667700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,+S=C]...192.168.100.38<192.168.100.38>[0x3066310B300906035504061302434831133011060355040A130A7374726F6E675377616E310F300D06035504031306617370667732000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,+S=C]===10.1.0.0/24; prospective erouted; eroute owner: #0
Hmm - this is weird! Looks to me that maybe your config hasn't loaded properly - I'd expect to see the left/rightids inside the
square brackets here, not these long hex strings. I've never seen that before.
But maybe something has changed in recent versions of Openswan - it's been a while since I used it.

I was expecting to see something like:
"test": 10.2.0.0/24===192.168.100.37<192.168.100.37>[C=CH, O=strongSwan, CN=covazfw]...192.168.100.38<192.168.100.38>[C=CH, O=strongSwan, CN=aspfw2]===10.1.0.0/24

If it's getting the IDs wrong somehow, that would explain why it can't find a matching connection.

Perhaps there are more clues in the logs? Does it mention if it's loaded the CA cert? Perhaps you could post all of /var/log/auth.log
while restarting Openswan? I'm not sure what else to suggest atm.
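Andy's reply above points at the long hex strings in the bracketed ID fields of the status line, and Matt's auth.log in the first post shows the DN pluto parsed from the peer's ID payload just before "no suitable connection". The following added example is not part of the thread and is not Openswan code: it decodes the two hex IDs from the status output as DER ASN.1 distinguished names, re-encodes the leftid/rightid strings from the posted config for comparison, and picks the rejected peer DN out of the quoted log lines. The hex strings and log lines are copied from the thread; the function names and the number of trailing zero bytes are this example's own assumptions. Run as written it reports that both hex strings spell out the configured DNs, but that the outer SEQUENCE length byte (0x68 and 0x66) is twice the real content length (52 and 51 bytes) and is followed by zero padding. Whether that malformed ID is what stops pluto from matching the conn is not something the thread establishes.

```python
"""Decode the hex IDs printed by 'ipsec auto --status' and compare with ipsec.conf.

Added example, not Openswan code. The hex strings and log lines are copied from
the thread; names and the zero-padding count are assumed.
"""
import re

# X.500 attribute OIDs used in the DNs on the page, DER-encoded without tag/length.
OID_NAMES = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x03": "CN"}
OID_BYTES = {name: oid for oid, name in OID_NAMES.items()}

# Bracketed IDs from the status line. The real DER ends at the last non-zero
# byte; the dump then shows a run of zero bytes, reproduced here as 52 and 51
# zero bytes (assumed count; the decoder does not depend on it).
COVAZFW_DN_HEX = ("3068310B300906035504061302434831133011060355040A130A"
                  "7374726F6E675377616E3110300E06035504031307636F76617A6677")
ASPFW2_DN_HEX = ("3066310B300906035504061302434831133011060355040A130A"
                 "7374726F6E675377616E310F300D06035504031306617370667732")
COVAZFW_STATUS_ID = "0x" + COVAZFW_DN_HEX + "00" * 52
ASPFW2_STATUS_ID = "0x" + ASPFW2_DN_HEX + "00" * 51


def _tlv(tag, body):
    """Short-form DER TLV; the DNs here are all well under 128 bytes."""
    if len(body) >= 128:
        raise ValueError("long-form lengths not handled")
    return bytes([tag, len(body)]) + body


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element) for the TLV at pos."""
    tag, length = buf[pos], buf[pos + 1]
    if length >= 128:
        raise ValueError("long-form lengths not handled")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def encode_dn(text):
    """'C=CH, O=strongSwan, CN=aspfw2' -> DER Name: SEQUENCE of SET of SEQUENCE{OID, PrintableString}."""
    rdns = b""
    for part in text.split(","):
        attr, value = (s.strip() for s in part.split("=", 1))
        atv = _tlv(0x06, OID_BYTES[attr]) + _tlv(0x13, value.encode("ascii"))
        rdns += _tlv(0x31, _tlv(0x30, atv))
    return _tlv(0x30, rdns)


def decode_dn(der):
    """Return (dn_text, declared_length, real_content_length).

    Walks the RDN SETs until the next byte is not a SET tag (in the status dump
    that is the zero padding) instead of trusting the outer length byte, so the
    two lengths can be compared."""
    if der[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    parts, pos = [], 2
    while pos + 1 < len(der) and der[pos] == 0x31:
        _, set_body, pos = _read_tlv(der, pos)
        _, seq_body, _ = _read_tlv(set_body, 0)
        _, oid, after_oid = _read_tlv(seq_body, 0)
        _, value, _ = _read_tlv(seq_body, after_oid)
        parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode('ascii')}")
    return ", ".join(parts), der[1], pos - 2


def check_status_id(status_hex, configured_id):
    """Compare one bracketed ID from 'ipsec auto --status' with the id= string in ipsec.conf."""
    raw = status_hex[2:] if status_hex.lower().startswith("0x") else status_hex
    der = bytes.fromhex(raw)
    decoded, declared, content = decode_dn(der)
    return {
        "decoded": decoded,
        "text_matches": decoded == configured_id,
        "declared_len": declared,
        "content_len": content,
        "length_ok": declared == content and len(der) == 2 + content,
        "canonical_hex": encode_dn(configured_id).hex().upper(),
    }


# pluto lines from the thread's auth.log excerpt (constructed sample for the log check).
SAMPLE_AUTH_LOG = [
    "Jul 4 16:37:43 covtestvpn pluto[7623]: \"test\" #14: Main mode peer ID is "
    "ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'",
    "Jul 4 16:37:43 covtestvpn pluto[7623]: \"test\" #14: no suitable connection "
    "for peer 'C=CH, O=strongSwan, CN=aspfw2'",
    "Jul 4 16:37:43 covtestvpn pluto[7623]: \"test\" #14: sending encrypted "
    "notification INVALID_ID_INFORMATION to 192.168.100.38:500",
]
PEER_ID_RE = re.compile(r"Main mode peer ID is ID_DER_ASN1_DN: '([^']*)'")
REJECT_RE = re.compile(r"no suitable connection for peer '([^']*)'")


def rejected_peer_ids(lines):
    """DNs pluto parsed from the peer's ID payload and then failed to match to any conn."""
    reported = {m.group(1) for m in map(PEER_ID_RE.search, lines) if m}
    rejected = {m.group(1) for m in map(REJECT_RE.search, lines) if m}
    return sorted(reported & rejected)


if __name__ == "__main__":
    print("rejected peer IDs:", rejected_peer_ids(SAMPLE_AUTH_LOG))
    for label, status_id, conf_id in (
        ("leftid", COVAZFW_STATUS_ID, "C=CH, O=strongSwan, CN=covazfw"),
        ("rightid", ASPFW2_STATUS_ID, "C=CH, O=strongSwan, CN=aspfw2"),
    ):
        print(label, check_status_id(status_id, conf_id))
```

The decoder stops at the first byte that is not a SET tag rather than trusting the length byte; that is what makes the doubled length visible, where a strict DER parser would simply reject the dump. The same check can be run against any other Openswan status line by pasting its bracketed hex ID and the matching leftid/rightid string into check_status_id.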
Matt Killock
2017-07-06 09:14:03 UTC
Hi Andy,

The daemon log has this after a restart:

Jul 6 09:20:17 covtestvpn ipsec_setup: Stopping Openswan IPsec...
Jul 6 09:20:19 covtestvpn ipsec_setup: ...Openswan IPsec stopped
Jul 6 09:20:19 covtestvpn ipsec_setup: Starting Openswan IPsec U2.6.37/K3.2.0-4-amd64...
Jul 6 09:20:19 covtestvpn ipsec_setup: Using NETKEY(XFRM) stack
Jul 6 09:20:19 covtestvpn ipsec_setup: ...Openswan IPsec started
Jul 6 09:20:19 covtestvpn ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Jul 6 09:20:19 covtestvpn ipsec__plutorun: 002 loading certificate from /etc/ipsec.d/certs/covazfw.pem
Jul 6 09:20:19 covtestvpn ipsec__plutorun: 002 loaded host cert file '/etc/ipsec.d/certs/covazfw.pem' (1550 bytes)
Jul 6 09:20:19 covtestvpn ipsec__plutorun: 002 loading certificate from /etc/ipsec.d/certs/aspfw2.pem
Jul 6 09:20:19 covtestvpn ipsec__plutorun: 002 loaded host cert file '/etc/ipsec.d/certs/aspfw2.pem' (1545 bytes)
Jul 6 09:20:19 covtestvpn ipsec__plutorun: 002 added connection description "test"
Jul 6 09:20:19 covtestvpn ipsec__plutorun: 104 "test" #1: STATE_MAIN_I1: initiate

Auth.log has this

Jul 6 09:20:17 covtestvpn pluto[7623]: shutting down
Jul 6 09:20:17 covtestvpn pluto[7623]: forgetting secrets
Jul 6 09:20:17 covtestvpn pluto[7623]: "test": deleting connection
Jul 6 09:20:17 covtestvpn pluto[7623]: "test" #1236: deleting state (STATE_MAIN_I1)
Jul 6 09:20:17 covtestvpn pluto[7623]: shutting down interface lo/lo 127.0.0.1:4500
Jul 6 09:20:17 covtestvpn pluto[7623]: shutting down interface lo/lo 127.0.0.1:500
Jul 6 09:20:17 covtestvpn pluto[7623]: shutting down interface eth0/eth0 192.168.100.37:4500
Jul 6 09:20:17 covtestvpn pluto[7623]: shutting down interface eth0/eth0 192.168.100.37:500
Jul 6 09:20:17 covtestvpn pluto[7623]: shutting down interface vlan2/vlan2 10.2.0.1:4500
Jul 6 09:20:17 covtestvpn pluto[7623]: shutting down interface vlan2/vlan2 10.2.0.1:500
Jul 6 09:20:17 covtestvpn pluto[7627]: pluto_crypto_helper: helper (0) is normal exiting
Jul 6 09:20:19 covtestvpn ipsec__plutorun: Starting Pluto subsystem...
Jul 6 09:20:19 covtestvpn pluto[8428]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:8428
Jul 6 09:20:19 covtestvpn pluto[8428]: LEAK_DETECTIVE support [disabled]
Jul 6 09:20:19 covtestvpn pluto[8428]: OCF support for IKE [disabled]
Jul 6 09:20:19 covtestvpn pluto[8428]: SAref support [disabled]: Protocol not available
Jul 6 09:20:19 covtestvpn pluto[8428]: SAbind support [disabled]: Protocol not available
Jul 6 09:20:19 covtestvpn pluto[8428]: NSS support [disabled]
Jul 6 09:20:19 covtestvpn pluto[8428]: HAVE_STATSD notification support not compiled in
Jul 6 09:20:19 covtestvpn pluto[8428]: Setting NAT-Traversal port-4500 floating to on
Jul 6 09:20:19 covtestvpn pluto[8428]: port floating activation criteria nat_t=1/port_float=1
Jul 6 09:20:19 covtestvpn pluto[8428]: NAT-Traversal support [enabled]
Jul 6 09:20:19 covtestvpn pluto[8428]: using /dev/urandom as source of random entropy
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 6 09:20:19 covtestvpn pluto[8428]: starting up 1 cryptographic helpers
Jul 6 09:20:19 covtestvpn pluto[8428]: started helper pid=8432 (fd:6)
Jul 6 09:20:19 covtestvpn pluto[8428]: Using Linux 2.6 IPsec interface code on 3.2.0-4-amd64 (experimental code)
Jul 6 09:20:19 covtestvpn pluto[8432]: using /dev/urandom as source of random entropy
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_add(): ERROR: Algorithm already exists
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_add(): ERROR: Algorithm already exists
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_add(): ERROR: Algorithm already exists
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_add(): ERROR: Algorithm already exists
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_add(): ERROR: Algorithm already exists
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Jul 6 09:20:19 covtestvpn pluto[8428]: Changed path to directory '/etc/ipsec.d/cacerts'
Jul 6 09:20:19 covtestvpn pluto[8428]: loaded CA cert file 'strongswanCert.pem' (1883 bytes)
Jul 6 09:20:19 covtestvpn pluto[8428]: discarded CA cert file 'crl.pem', bad size 0 bytes
Jul 6 09:20:19 covtestvpn pluto[8428]: Changed path to directory '/etc/ipsec.d/aacerts'
Jul 6 09:20:19 covtestvpn pluto[8428]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Jul 6 09:20:19 covtestvpn pluto[8428]: Changing to directory '/etc/ipsec.d/crls'
Jul 6 09:20:19 covtestvpn pluto[8428]: Warning: empty directory
Jul 6 09:20:19 covtestvpn pluto[8428]: loading certificate from /etc/ipsec.d/certs/covazfw.pem
Jul 6 09:20:19 covtestvpn pluto[8428]: loaded host cert file '/etc/ipsec.d/certs/covazfw.pem' (1550 bytes)
Jul 6 09:20:19 covtestvpn pluto[8428]: loading certificate from /etc/ipsec.d/certs/aspfw2.pem
Jul 6 09:20:19 covtestvpn pluto[8428]: loaded host cert file '/etc/ipsec.d/certs/aspfw2.pem' (1545 bytes)
Jul 6 09:20:19 covtestvpn pluto[8428]: added connection description "test"
Jul 6 09:20:19 covtestvpn pluto[8428]: listening for IKE messages
Jul 6 09:20:19 covtestvpn pluto[8428]: adding interface vlan2/vlan2 10.2.0.1:500
Jul 6 09:20:19 covtestvpn pluto[8428]: adding interface vlan2/vlan2 10.2.0.1:4500
Jul 6 09:20:19 covtestvpn pluto[8428]: adding interface eth0/eth0 192.168.100.37:500
Jul 6 09:20:19 covtestvpn pluto[8428]: adding interface eth0/eth0 192.168.100.37:4500
Jul 6 09:20:19 covtestvpn pluto[8428]: adding interface lo/lo 127.0.0.1:500
Jul 6 09:20:19 covtestvpn pluto[8428]: adding interface lo/lo 127.0.0.1:4500
Jul 6 09:20:19 covtestvpn pluto[8428]: loading secrets from "/etc/ipsec.secrets"
Jul 6 09:20:19 covtestvpn pluto[8428]: loaded private key file '/etc/ipsec.d/private/covazfw.pem' (1680 bytes)
Jul 6 09:20:19 covtestvpn pluto[8428]: loaded private key for keyid: PPK_RSA:AwEAAcRgJ
Jul 6 09:20:19 covtestvpn pluto[8428]: "test" #1: initiating Main Mode
Jul 6 09:20:19 covtestvpn pluto[8428]: "test" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 192.168.100.38 port 500, complainant 192.168.100.38: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jul 6 09:20:29 covtestvpn pluto[8428]: "test" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 192.168.100.38 port 500, complainant 192.168.100.38: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jul 6 09:20:49 covtestvpn pluto[8428]: "test" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 192.168.100.38 port 500, complainant 192.168.100.38: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

And for completeness, ipsec auto --listall shows:


000
000 List of Public Keys:
000
000 Jul 06 10:11:07 2017, 2048 RSA Key AwEAAcy+d (no private key), until Jul 02 12:02:08 2027 ok
000 ID_FQDN '@aspfw2'
000 Issuer 'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000 Jul 06 10:11:07 2017, 2048 RSA Key AwEAAcy+d (no private key), until Jul 02 12:02:08 2027 ok
000 ID_DER_ASN1_DN 'C=CH, O=strongSwan, CN=aspfw2'
000 Issuer 'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000 Jul 06 10:11:07 2017, 2048 RSA Key AwEAAcRgJ (has private key), until Jul 02 12:02:33 2027 ok
000 ID_FQDN '@covazfw'
000 Issuer 'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000 Jul 06 10:11:07 2017, 2048 RSA Key AwEAAcRgJ (has private key), until Jul 02 12:02:33 2027 ok
000 ID_DER_ASN1_DN 'C=CH, O=strongSwan, CN=covazfw'
000 Issuer 'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000 13: RSA (none) (none)
000
000 List of X.509 End Certificates:
000
000 Jul 06 10:11:07 2017, count: 1
000 subject: 'C=CH, O=strongSwan, CN=aspfw2'
000 issuer: 'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000 serial: 6e:b6:19:7d:32:cf:f2:71
000 pubkey: 2048 RSA Key AwEAAcy+d
000 validity: not before Jul 04 12:02:08 2017 ok
000 not after Jul 02 12:02:08 2027 ok
000 authkey: e0:3f:02:fc:16:ed:68:a3:32:33:90:58:19:47:9e:47:df:c3:0e:bd
000 Jul 06 10:11:07 2017, count: 1
000 subject: 'C=CH, O=strongSwan, CN=covazfw'
000 issuer: 'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000 serial: 7e:e8:67:46:30:ab:d3:9b
000 pubkey: 2048 RSA Key AwEAAcRgJ, has private key
000 validity: not before Jul 04 12:02:33 2017 ok
000 not after Jul 02 12:02:33 2027 ok
000 authkey: e0:3f:02:fc:16:ed:68:a3:32:33:90:58:19:47:9e:47:df:c3:0e:bd
000
000 List of X.509 CA Certificates:
000
000 Jul 06 10:11:07 2017, count: 1
000 subject: 'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000 issuer: 'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000 serial: 04:7f:62:d3:d0:15:8c:d5
000 pubkey: 4096 RSA Key AwEAAdpxe
000 validity: not before Jul 04 12:01:26 2017 ok
000 not after Jul 02 12:01:26 2027 ok
000 subjkey: e0:3f:02:fc:16:ed:68:a3:32:33:90:58:19:47:9e:47:df:c3:0e:bd

I wonder if I should be using ID_FQDN '@aspfw2' for these instead?

I'll try and report back

Matt



-----Original Message-----
From: andy [mailto:***@andynet.net]
Sent: 05 July 2017 13:24
To: Matt Killock <***@praemium.com>
Cc: ***@lists.openswan.org
Subject: Re: [Openswan Users] OpenSwan to Strongswan RSA Problem

On Tue, Jul 04, 2017 at 07:13:08PM +0000, Matt Killock wrote:

..snip..
Post by Matt Killock
000 "test": 10.2.0.0/24===192.168.100.37<192.168.100.37>[0x3068310B300906035504061302434831133011060355040A130A7374726F6E675377616E3110300E06035504031307636F76617A667700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,+S=C]...192.168.100.38<192.168.100.38>[0x3066310B300906035504061302434831133011060355040A130A7374726F6E675377616E310F300D06035504031306617370667732000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,+S=C]===10.1.0.0/24; prospective erouted; eroute owner: #0
Hmm - this is weird! Looks to me that maybe your config hasn't loaded properly - I'd expect to see the left/rightids inside the
square brackets here, not these long hex strings. I've never seen that before.
But maybe something has changed in recent versions of Openswan - it's been a while since I used it.

I was expecting to see something like:
"test": 10.2.0.0/24===192.168.100.37<192.168.100.37>[C=CH, O=strongSwan, CN=covazfw]...192.168.100.38<192.168.100.38>[C=CH, O=strongSwan, CN=aspfw2]===10.1.0.0/24

If it's getting the IDs wrong somehow, that would explain why it can't find a matching connection.

Perhaps there are more clues in the logs? Does it mention if it's loaded the CA cert? Perhaps you could post all of /var/log/auth.log
while restarting Openswan? I'm not sure what else to suggest atm.
Post by Matt Killock
000 "test": myip=unset; hisip=unset;
000 "test": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "test": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK; prio: 24,24; interface: eth0;
000 "test": dpd: action:clear; delay:15; timeout:50;
000 "test": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "test": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP2048(14); flags=-strict
000 "test": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP2048(14)
000 "test": ESP algorithms wanted: AES(12)_128-SHA1(2)_000; flags=-strict
000 "test": ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000
000 #122: "test":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 2s; nodpd; idle; import:admin initiate
000 #122: pending Phase 2 for "test" replacing #0
000
Thanks
Matt
-----Original Message-----
Sent: 04 July 2017 17:36
Subject: Re: [Openswan Users] OpenSwan to Strongswan RSA Problem
Hi Matt -
can you post the Openswan output from 'ipsec auto --status' please?
Thanks
Andy
Matt Killock
2017-07-06 09:46:21 UTC
Permalink
Changing the rightid to @aspfw changes that line to read as follows:

000 "test": 10.2.0.0/24===192.168.100.37<192.168.100.37>[0x3068310B300906035504061302434831133011060355040A130A7374726F6E675377616E3110300E06035504031307636F76617A667700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,+S=C]...192.168.100.38<192.168.100.38>[@aspfw2,+S=C]===10.1.0.0/24; prospective erouted; eroute owner: #0

But it still doesn't work; the logs still show it trying to match the C=CH, O=strongSwan, CN=aspfw2 ID.

I recopied the certs from the other server in case copy/pasting the text was in some way malformed. Auth log is the same, as far as I can tell.

Jul 6 10:34:05 covtestvpn ipsec__plutorun: Starting Pluto subsystem...
Jul 6 10:34:05 covtestvpn pluto[10258]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:10258
Jul 6 10:34:05 covtestvpn pluto[10258]: LEAK_DETECTIVE support [disabled]
Jul 6 10:34:05 covtestvpn pluto[10258]: OCF support for IKE [disabled]
Jul 6 10:34:05 covtestvpn pluto[10258]: SAref support [disabled]: Protocol not available
Jul 6 10:34:05 covtestvpn pluto[10258]: SAbind support [disabled]: Protocol not available
Jul 6 10:34:05 covtestvpn pluto[10258]: NSS support [disabled]
Jul 6 10:34:05 covtestvpn pluto[10258]: HAVE_STATSD notification support not compiled in
Jul 6 10:34:05 covtestvpn pluto[10258]: Setting NAT-Traversal port-4500 floating to on
Jul 6 10:34:05 covtestvpn pluto[10258]: port floating activation criteria nat_t=1/port_float=1
Jul 6 10:34:05 covtestvpn pluto[10258]: NAT-Traversal support [enabled]
Jul 6 10:34:05 covtestvpn pluto[10258]: using /dev/urandom as source of random entropy
Jul 6 10:34:05 covtestvpn pluto[10258]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 6 10:34:05 covtestvpn pluto[10258]: starting up 1 cryptographic helpers
Jul 6 10:34:05 covtestvpn pluto[10258]: started helper pid=10261 (fd:6)
Jul 6 10:34:05 covtestvpn pluto[10258]: Using Linux 2.6 IPsec interface code on 3.2.0-4-amd64 (experimental code)
Jul 6 10:34:05 covtestvpn pluto[10261]: using /dev/urandom as source of random entropy
Jul 6 10:34:05 covtestvpn pluto[10258]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Jul 6 10:34:05 covtestvpn pluto[10258]: ike_alg_add(): ERROR: Algorithm already exists
Jul 6 10:34:05 covtestvpn pluto[10258]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Jul 6 10:34:05 covtestvpn pluto[10258]: ike_alg_add(): ERROR: Algorithm already exists
Jul 6 10:34:05 covtestvpn pluto[10258]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Jul 6 10:34:05 covtestvpn pluto[10258]: ike_alg_add(): ERROR: Algorithm already exists
Jul 6 10:34:05 covtestvpn pluto[10258]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Jul 6 10:34:05 covtestvpn pluto[10258]: ike_alg_add(): ERROR: Algorithm already exists
Jul 6 10:34:05 covtestvpn pluto[10258]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Jul 6 10:34:05 covtestvpn pluto[10258]: ike_alg_add(): ERROR: Algorithm already exists
Jul 6 10:34:05 covtestvpn pluto[10258]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Jul 6 10:34:05 covtestvpn pluto[10258]: Changed path to directory '/etc/ipsec.d/cacerts'
Jul 6 10:34:05 covtestvpn pluto[10258]: loaded CA cert file 'strongswanCert.pem' (1883 bytes)
Jul 6 10:34:05 covtestvpn pluto[10258]: Changed path to directory '/etc/ipsec.d/aacerts'
Jul 6 10:34:05 covtestvpn pluto[10258]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Jul 6 10:34:05 covtestvpn pluto[10258]: Changing to directory '/etc/ipsec.d/crls'
Jul 6 10:34:05 covtestvpn pluto[10258]: Warning: empty directory
Jul 6 10:34:05 covtestvpn pluto[10258]: loading certificate from /etc/ipsec.d/certs/covazfw.pem
Jul 6 10:34:05 covtestvpn pluto[10258]: loaded host cert file '/etc/ipsec.d/certs/covazfw.pem' (1549 bytes)
Jul 6 10:34:05 covtestvpn pluto[10258]: loading certificate from /etc/ipsec.d/certs/aspfw2.pem
Jul 6 10:34:05 covtestvpn pluto[10258]: loaded host cert file '/etc/ipsec.d/certs/aspfw2.pem' (1545 bytes)
Jul 6 10:34:05 covtestvpn pluto[10258]: added connection description "test"
Jul 6 10:34:05 covtestvpn pluto[10258]: listening for IKE messages
Jul 6 10:34:05 covtestvpn pluto[10258]: adding interface vlan2/vlan2 10.2.0.1:500
Jul 6 10:34:05 covtestvpn pluto[10258]: adding interface vlan2/vlan2 10.2.0.1:4500
Jul 6 10:34:05 covtestvpn pluto[10258]: adding interface eth0/eth0 192.168.100.37:500
Jul 6 10:34:05 covtestvpn pluto[10258]: adding interface eth0/eth0 192.168.100.37:4500
Jul 6 10:34:05 covtestvpn pluto[10258]: adding interface lo/lo 127.0.0.1:500
Jul 6 10:34:05 covtestvpn pluto[10258]: adding interface lo/lo 127.0.0.1:4500
Jul 6 10:34:05 covtestvpn pluto[10258]: loading secrets from "/etc/ipsec.secrets"
Jul 6 10:34:05 covtestvpn pluto[10258]: loaded private key file '/etc/ipsec.d/private/covazfw.pem' (1679 bytes)
Jul 6 10:34:05 covtestvpn pluto[10258]: loaded private key for keyid: PPK_RSA:AwEAAcRgJ
Jul 6 10:34:05 covtestvpn pluto[10258]: "test" #1: initiating Main Mode
Jul 6 10:34:05 covtestvpn pluto[10258]: "test" #1: received Vendor ID payload [XAUTH]
Jul 6 10:34:05 covtestvpn pluto[10258]: "test" #1: received Vendor ID payload [Dead Peer Detection]
Jul 6 10:34:05 covtestvpn pluto[10258]: "test" #1: received Vendor ID payload [RFC 3947] method set to=109
Jul 6 10:34:05 covtestvpn pluto[10258]: "test" #1: enabling possible NAT-traversal with method 4
Jul 6 10:34:05 covtestvpn pluto[10258]: "test" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 6 10:34:05 covtestvpn pluto[10258]: "test" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 6 10:34:05 covtestvpn pluto[10258]: "test" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul 6 10:34:05 covtestvpn pluto[10258]: "test" #1: I am sending my cert
Jul 6 10:34:05 covtestvpn pluto[10258]: "test" #1: I am sending a certificate request
Jul 6 10:34:05 covtestvpn pluto[10258]: "test" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 6 10:34:05 covtestvpn pluto[10258]: "test" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 6 10:34:05 covtestvpn pluto[10258]: "test" #1: next payload type of ISAKMP Hash Payload has an unknown value: 94
Jul 6 10:34:05 covtestvpn pluto[10258]: "test" #1: malformed payload in packet
Jul 6 10:34:05 covtestvpn pluto[10258]: | payload malformed after IV
Jul 6 10:34:05 covtestvpn pluto[10258]: | 0f e3 68 74 cc 6f 7e c5 02 7c e7 89 d8 d1 71 43
Jul 6 10:34:05 covtestvpn pluto[10258]: "test" #1: sending notification PAYLOAD_MALFORMED to 192.168.100.38:500
Jul 6 10:35:07 covtestvpn pluto[10258]: packet from 192.168.100.38:500: received Vendor ID payload [XAUTH]
Jul 6 10:35:07 covtestvpn pluto[10258]: packet from 192.168.100.38:500: received Vendor ID payload [Dead Peer Detection]
Jul 6 10:35:07 covtestvpn pluto[10258]: packet from 192.168.100.38:500: received Vendor ID payload [RFC 3947] method set to=109
Jul 6 10:35:07 covtestvpn pluto[10258]: packet from 192.168.100.38:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jul 6 10:35:07 covtestvpn pluto[10258]: "test" #2: responding to Main Mode
Jul 6 10:35:07 covtestvpn pluto[10258]: "test" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 6 10:35:07 covtestvpn pluto[10258]: "test" #2: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 6 10:35:07 covtestvpn pluto[10258]: "test" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul 6 10:35:07 covtestvpn pluto[10258]: "test" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 6 10:35:07 covtestvpn pluto[10258]: "test" #2: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 6 10:35:07 covtestvpn pluto[10258]: "test" #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
Jul 6 10:35:07 covtestvpn pluto[10258]: "test" #2: no crl from issuer "C=CH, O=strongSwan, CN=Plum IPSec Root CA" found (strict=no)
Jul 6 10:35:07 covtestvpn pluto[10258]: "test" #2: no suitable connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
Jul 6 10:35:07 covtestvpn pluto[10258]: "test" #2: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
Jul 6 10:35:11 covtestvpn pluto[10258]: "test" #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
Jul 6 10:35:11 covtestvpn pluto[10258]: "test" #2: no crl from issuer "C=CH, O=strongSwan, CN=Plum IPSec Root CA" found (strict=no)
Jul 6 10:35:11 covtestvpn pluto[10258]: "test" #2: no suitable connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
Jul 6 10:35:11 covtestvpn pluto[10258]: "test" #2: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
Jul 6 10:35:15 covtestvpn pluto[10258]: "test" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

On the other side, we have:

Jul 6 10:42:44 covtestvpn2 charon: 09[NET] sending packet: from 192.168.100.38[500] to 192.168.100.37[500] (1532 bytes)
Jul 6 10:42:44 covtestvpn2 charon: 10[NET] received packet: from 192.168.100.37[500] to 192.168.100.38[500] (76 bytes)
Jul 6 10:42:44 covtestvpn2 charon: 10[ENC] invalid HASH_V1 payload length, decryption failed?
Jul 6 10:42:44 covtestvpn2 charon: 10[ENC] could not decrypt payloads

That 76-byte response appears to correspond with 'INVALID_ID_INFORMATION' from openswan.

Jul 6 10:35:07 covtestvpn pluto[10258]: "test" #2: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500

Does any of this help?

Matt

-----Original Message-----
From: Matt Killock
Sent: 06 July 2017 10:14
To: 'andy' <***@andynet.net>
Cc: ***@lists.openswan.org
Subject: RE: [Openswan Users] OpenSwan to Strongswan RSA Problem

Hi Andy,

The daemon log has this after a restart:

Jul 6 09:20:17 covtestvpn ipsec_setup: Stopping Openswan IPsec...
Jul 6 09:20:19 covtestvpn ipsec_setup: ...Openswan IPsec stopped Jul 6 09:20:19 covtestvpn ipsec_setup: Starting Openswan IPsec U2.6.37/K3.2.0-4-amd64...
Jul 6 09:20:19 covtestvpn ipsec_setup: Using NETKEY(XFRM) stack Jul 6 09:20:19 covtestvpn ipsec_setup: ...Openswan IPsec started Jul 6 09:20:19 covtestvpn ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d Jul 6 09:20:19 covtestvpn ipsec__plutorun: 002 loading certificate from /etc/ipsec.d/certs/covazfw.pem
Jul 6 09:20:19 covtestvpn ipsec__plutorun: 002 loaded host cert file '/etc/ipsec.d/certs/covazfw.pem' (1550 bytes)
Jul 6 09:20:19 covtestvpn ipsec__plutorun: 002 loading certificate from /etc/ipsec.d/certs/aspfw2.pem
Jul 6 09:20:19 covtestvpn ipsec__plutorun: 002 loaded host cert file '/etc/ipsec.d/certs/aspfw2.pem' (1545 bytes)
Jul 6 09:20:19 covtestvpn ipsec__plutorun: 002 added connection description "test"
Jul 6 09:20:19 covtestvpn ipsec__plutorun: 104 "test" #1: STATE_MAIN_I1: initiate

Auth.log has this

Jul 6 09:20:17 covtestvpn pluto[7623]: shutting down
Jul 6 09:20:17 covtestvpn pluto[7623]: forgetting secrets
Jul 6 09:20:17 covtestvpn pluto[7623]: "test": deleting connection
Jul 6 09:20:17 covtestvpn pluto[7623]: "test" #1236: deleting state (STATE_MAIN_I1)
Jul 6 09:20:17 covtestvpn pluto[7623]: shutting down interface lo/lo 127.0.0.1:4500
Jul 6 09:20:17 covtestvpn pluto[7623]: shutting down interface lo/lo 127.0.0.1:500
Jul 6 09:20:17 covtestvpn pluto[7623]: shutting down interface eth0/eth0 192.168.100.37:4500
Jul 6 09:20:17 covtestvpn pluto[7623]: shutting down interface eth0/eth0 192.168.100.37:500
Jul 6 09:20:17 covtestvpn pluto[7623]: shutting down interface vlan2/vlan2 10.2.0.1:4500
Jul 6 09:20:17 covtestvpn pluto[7623]: shutting down interface vlan2/vlan2 10.2.0.1:500
Jul 6 09:20:17 covtestvpn pluto[7627]: pluto_crypto_helper: helper (0) is normal exiting
Jul 6 09:20:19 covtestvpn ipsec__plutorun: Starting Pluto subsystem...
Jul 6 09:20:19 covtestvpn pluto[8428]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:8428
Jul 6 09:20:19 covtestvpn pluto[8428]: LEAK_DETECTIVE support [disabled]
Jul 6 09:20:19 covtestvpn pluto[8428]: OCF support for IKE [disabled]
Jul 6 09:20:19 covtestvpn pluto[8428]: SAref support [disabled]: Protocol not available
Jul 6 09:20:19 covtestvpn pluto[8428]: SAbind support [disabled]: Protocol not available
Jul 6 09:20:19 covtestvpn pluto[8428]: NSS support [disabled]
Jul 6 09:20:19 covtestvpn pluto[8428]: HAVE_STATSD notification support not compiled in
Jul 6 09:20:19 covtestvpn pluto[8428]: Setting NAT-Traversal port-4500 floating to on
Jul 6 09:20:19 covtestvpn pluto[8428]: port floating activation criteria nat_t=1/port_float=1
Jul 6 09:20:19 covtestvpn pluto[8428]: NAT-Traversal support [enabled]
Jul 6 09:20:19 covtestvpn pluto[8428]: using /dev/urandom as source of random entropy
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 6 09:20:19 covtestvpn pluto[8428]: starting up 1 cryptographic helpers
Jul 6 09:20:19 covtestvpn pluto[8428]: started helper pid=8432 (fd:6)
Jul 6 09:20:19 covtestvpn pluto[8428]: Using Linux 2.6 IPsec interface code on 3.2.0-4-amd64 (experimental code)
Jul 6 09:20:19 covtestvpn pluto[8432]: using /dev/urandom as source of random entropy
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_add(): ERROR: Algorithm already exists
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_add(): ERROR: Algorithm already exists
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_add(): ERROR: Algorithm already exists
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_add(): ERROR: Algorithm already exists
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_add(): ERROR: Algorithm already exists
Jul 6 09:20:19 covtestvpn pluto[8428]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Jul 6 09:20:19 covtestvpn pluto[8428]: Changed path to directory '/etc/ipsec.d/cacerts'
Jul 6 09:20:19 covtestvpn pluto[8428]: loaded CA cert file 'strongswanCert.pem' (1883 bytes)
Jul 6 09:20:19 covtestvpn pluto[8428]: discarded CA cert file 'crl.pem', bad size 0 bytes
Jul 6 09:20:19 covtestvpn pluto[8428]: Changed path to directory '/etc/ipsec.d/aacerts'
Jul 6 09:20:19 covtestvpn pluto[8428]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Jul 6 09:20:19 covtestvpn pluto[8428]: Changing to directory '/etc/ipsec.d/crls'
Jul 6 09:20:19 covtestvpn pluto[8428]: Warning: empty directory
Jul 6 09:20:19 covtestvpn pluto[8428]: loading certificate from /etc/ipsec.d/certs/covazfw.pem
Jul 6 09:20:19 covtestvpn pluto[8428]: loaded host cert file '/etc/ipsec.d/certs/covazfw.pem' (1550 bytes)
Jul 6 09:20:19 covtestvpn pluto[8428]: loading certificate from /etc/ipsec.d/certs/aspfw2.pem
Jul 6 09:20:19 covtestvpn pluto[8428]: loaded host cert file '/etc/ipsec.d/certs/aspfw2.pem' (1545 bytes)
Jul 6 09:20:19 covtestvpn pluto[8428]: added connection description "test"
Jul 6 09:20:19 covtestvpn pluto[8428]: listening for IKE messages
Jul 6 09:20:19 covtestvpn pluto[8428]: adding interface vlan2/vlan2 10.2.0.1:500
Jul 6 09:20:19 covtestvpn pluto[8428]: adding interface vlan2/vlan2 10.2.0.1:4500
Jul 6 09:20:19 covtestvpn pluto[8428]: adding interface eth0/eth0 192.168.100.37:500
Jul 6 09:20:19 covtestvpn pluto[8428]: adding interface eth0/eth0 192.168.100.37:4500
Jul 6 09:20:19 covtestvpn pluto[8428]: adding interface lo/lo 127.0.0.1:500
Jul 6 09:20:19 covtestvpn pluto[8428]: adding interface lo/lo 127.0.0.1:4500
Jul 6 09:20:19 covtestvpn pluto[8428]: loading secrets from "/etc/ipsec.secrets"
Jul 6 09:20:19 covtestvpn pluto[8428]: loaded private key file '/etc/ipsec.d/private/covazfw.pem' (1680 bytes)
Jul 6 09:20:19 covtestvpn pluto[8428]: loaded private key for keyid: PPK_RSA:AwEAAcRgJ
Jul 6 09:20:19 covtestvpn pluto[8428]: "test" #1: initiating Main Mode
Jul 6 09:20:19 covtestvpn pluto[8428]: "test" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 192.168.100.38 port 500, complainant 192.168.100.38: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jul 6 09:20:29 covtestvpn pluto[8428]: "test" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 192.168.100.38 port 500, complainant 192.168.100.38: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jul 6 09:20:49 covtestvpn pluto[8428]: "test" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 192.168.100.38 port 500, complainant 192.168.100.38: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

And for completeness, ipsec auto --listall shows:


000
000 List of Public Keys:
000
000 Jul 06 10:11:07 2017, 2048 RSA Key AwEAAcy+d (no private key), until Jul 02 12:02:08 2027 ok
000 ID_FQDN '@aspfw2'
000 Issuer 'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000 Jul 06 10:11:07 2017, 2048 RSA Key AwEAAcy+d (no private key), until Jul 02 12:02:08 2027 ok
000 ID_DER_ASN1_DN 'C=CH, O=strongSwan, CN=aspfw2'
000 Issuer 'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000 Jul 06 10:11:07 2017, 2048 RSA Key AwEAAcRgJ (has private key), until Jul 02 12:02:33 2027 ok
000 ID_FQDN '@covazfw'
000 Issuer 'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000 Jul 06 10:11:07 2017, 2048 RSA Key AwEAAcRgJ (has private key), until Jul 02 12:02:33 2027 ok
000 ID_DER_ASN1_DN 'C=CH, O=strongSwan, CN=covazfw'
000 Issuer 'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000 13: RSA (none) (none)
000
000 List of X.509 End Certificates:
000
000 Jul 06 10:11:07 2017, count: 1
000 subject: 'C=CH, O=strongSwan, CN=aspfw2'
000 issuer: 'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000 serial: 6e:b6:19:7d:32:cf:f2:71
000 pubkey: 2048 RSA Key AwEAAcy+d
000 validity: not before Jul 04 12:02:08 2017 ok
000 not after Jul 02 12:02:08 2027 ok
000 authkey: e0:3f:02:fc:16:ed:68:a3:32:33:90:58:19:47:9e:47:df:c3:0e:bd
000 Jul 06 10:11:07 2017, count: 1
000 subject: 'C=CH, O=strongSwan, CN=covazfw'
000 issuer: 'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000 serial: 7e:e8:67:46:30:ab:d3:9b
000 pubkey: 2048 RSA Key AwEAAcRgJ, has private key
000 validity: not before Jul 04 12:02:33 2017 ok
000 not after Jul 02 12:02:33 2027 ok
000 authkey: e0:3f:02:fc:16:ed:68:a3:32:33:90:58:19:47:9e:47:df:c3:0e:bd
000
000 List of X.509 CA Certificates:
000
000 Jul 06 10:11:07 2017, count: 1
000 subject: 'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000 issuer: 'C=CH, O=strongSwan, CN=Plum IPSec Root CA'
000 serial: 04:7f:62:d3:d0:15:8c:d5
000 pubkey: 4096 RSA Key AwEAAdpxe
000 validity: not before Jul 04 12:01:26 2017 ok
000 not after Jul 02 12:01:26 2027 ok
000 subjkey: e0:3f:02:fc:16:ed:68:a3:32:33:90:58:19:47:9e:47:df:c3:0e:bd

I wonder if I should be using these ID_FQDN '@aspfw2' ids instead?

I'll try and report back

Matt



-----Original Message-----
From: andy [mailto:***@andynet.net]
Sent: 05 July 2017 13:24
To: Matt Killock <mailto:***@praemium.com>
Cc: mailto:***@lists.openswan.org
Subject: Re: [Openswan Users] OpenSwan to Strongswan RSA Problem

On Tue, Jul 04, 2017 at 07:13:08PM +0000, Matt Killock wrote:

..snip..
Post by Matt Killock
10.2.0.0/24===192.168.100.37<192.168.100.37>[0x3068310B300906035504061302434831133011060355040A130A7374726F6E675377616E3110300E06035504031307636F76617A667700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,+S=C]...192.168.100.38<192.168.100.38>[0x3066310B300906035504061302434831133011060355040A130A7374726F6E675377616E310F300D06035504031306617370667732000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,+S=C]===10.1.0.0/24; prospective erouted; eroute owner: #0
Hmm - this is weird! Looks to me that maybe your config hasn't loaded properly - I'd expect to see the left/rightids inside the square brackets here, not these long hex strings. I've never seen that before.
But maybe something has changed in recent versions of Openswan - it's been a while since I used it.

I was expecting to see something like:
"test": 10.2.0.0/24===192.168.100.37<192.168.100.37>[C=CH, O=strongSwan, CN=covazfw]...192.168.100.38<192.168.100.38>[C=CH, O=strongSwan, CN=aspfw2]===10.1.0.0/24

If it's getting the IDs wrong somehow, that would explain why it can't find a matching connection.

Perhaps there are more clues in the logs? Does it mention if it's loaded the CA cert? Perhaps you could post all of /var/log/auth.log while restarting Openswan? I'm not sure what else to suggest atm.
Post by Matt Killock
000 "test": myip=unset; hisip=unset;
000 "test": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "test": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK; prio: 24,24; interface: eth0;
000 "test": dpd: action:clear; delay:15; timeout:50;
000 "test": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "test": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP2048(14); flags=-strict
000 "test": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP2048(14)
000 "test": ESP algorithms wanted: AES(12)_128-SHA1(2)_000; flags=-strict
000 "test": ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000
000 #122: "test":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 2s; nodpd; idle; import:admin initiate
000 #122: pending Phase 2 for "test" replacing #0
000
Thanks
Matt
-----Original Message-----
Sent: 04 July 2017 17:36
Subject: Re: [Openswan Users] OpenSwan to Strongswan RSA Problem
Hi Matt -
can you post the Openswan output from 'ipsec auto --status' please?
Thanks
Andy
Post by Matt Killock
Hello,
I managed to make a working connection between two linux machines,
one running OpenSwan and the other running StrongSwan using PSK. The
conn test
authby=secret
type=tunnel
left=192.168.100.37
leftsubnet=10.2.0.0/24
right=192.168.100.38
rightsubnet=10.1.0.0/24
auto=start
esp=aes128-sha1
ike=aes128-sha1-modp2048
rekey=yes
dpdaction=clear
dpddelay=15
dpdtimeout=50
compress=no
However, after attempting to change this to work with RSA certs, I
conn test
authby=rsasig
type=tunnel
left=192.168.100.37
leftsubnet=10.2.0.0/24
right=192.168.100.38
rightsubnet=10.1.0.0/24
auto=start
esp=aes128-sha1
ike=aes128-sha1-modp2048
rekey=yes
dpdaction=clear
dpddelay=15
dpdtimeout=50
compress=no
leftcert=/etc/ipsec.d/certs/covazfw.pem
rightcert=/etc/ipsec.d/certs/aspfw2.pem
leftid="C=CH, O=strongSwan, CN=covazfw"
rightid="C=CH, O=strongSwan, CN=aspfw2"
All the relevant public certs are in the ipsec.d subfolder
hierarchy, along with the private key for the OpenSwan side covazfw.pem.
: RSA /etc/ipsec.d/private/covazfw.pem
received Vendor ID payload [XAUTH]
received Vendor ID payload [Dead Peer Detection]
received Vendor ID payload [RFC 3947] method set to=109
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
meth=106, but already using method 109
Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: responding to Main Mode
Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
sent MR1, expecting MI2
Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
sent MR2, expecting MI3
Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: Main mode peer ID is
ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: no suitable
connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: sending
encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
Jul 4 16:37:47 covtestvpn pluto[7623]: "test" #14: Main mode peer ID is
ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
Jul 4 16:37:47 covtestvpn pluto[7623]: "test" #14: no suitable
connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
Jul 4 16:37:47 covtestvpn pluto[7623]: "test" #14: sending
encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
It seems that it cannot / will not authenticate the certificate from
the Strongswan side. Could someone tell me what I’m doing wrong please?
Thanks
Matt
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
━━━━━━━━━━━
Plum Software is a fully owned subsidiary of Praemium Limited.
This e-mail is confidential. It may also be legally privileged. If
you are not the addressee, you may not copy, forward, disclose or
use any part of it. If you have received this message in error,
please delete it and all copies from your system and notify the
sender immediately by return email. Internet communications cannot
be guaranteed to be timely, secure, or error or virus free. The sender does not accept liability for any errors or omissions.
In the UK the Praemium Group is: Praemium Portfolio Services Ltd (Company
Number: 05362168), Praemium (UK) Ltd (Company Number: 05362153),
Praemium Administration Ltd (Company Number: 06016828) and Smartfund
Nominees Ltd (Company Number: 07153417) each having its registered
office at 4th Floor, Suite 643-659, Salisbury House, London Wall, London, EC2M 5QQ, United Kingdom.
Praemium Administration Ltd is authorised and regulated by the
Financial Conduct Authority under reference 463566. See
http://www.fca.org.uk/register for more details.
107624) which has its registered office at 3rd Floor East, Salisbury
House, 1-9 Union Street, St Helier, JE2 3RF and is regulated under
the Financial Service
(Jersey) Law 1998 by the Jersey Financial Services Commission for
the conduct of investment business in Jersey. See
http://www.jerseyfsc.org for more details.
Thank you for your cooperation. Please contact us on +44 (0)207 5622
450 if you require assistance.
--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.
_______________________________________________
https://lists.openswan.org/mailman/listinfo/users
https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=28
3155
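Both `ipsec auto --status` dumps in this thread show the peer IDs as long hex strings inside the square brackets instead of the DNs Andy expected, and Matt later asks whether Openswan is trying to match 'C=CH, O=strongSwan, CN=aspfw2' against that hex. The hex is a DER-encoded X.501 Name, so it can be decoded and compared with the configured leftid/rightid. The following is an added example written for this page, not code from the thread, from Openswan or from strongSwan; the OID-to-abbreviation table and the lenient treatment of trailing zero bytes are this example's own assumptions. Fed the two strings from the status line, it recovers the expected DNs, but it also reports that the outer SEQUENCE length byte (0x68 and 0x66) is exactly twice the RDN content actually present (52 and 51 bytes), with the rest of the buffer zero-filled. A Name encoded that way is not valid DER, and if the stored bytes were compared directly with the ID payload the peer sends, they could never be equal; whether that is what Openswan does here is not established by the thread, so treat the length check as a diagnostic, not a diagnosis.

```python
import re

# Attribute-type OIDs that appear in X.501 Names; the thread's DNs use C, O and CN.
ATTR_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU",
}

# The two bracketed IDs as `ipsec auto --status` printed them in the thread:
# the DN bytes followed by a run of zero bytes (52 and 51 of them respectively).
COVAZFW_ID = ("0x3068310B300906035504061302434831133011060355040A130A7374726F6E675377616E"
              "3110300E06035504031307636F76617A6677" + "00" * 52)
ASPFW2_ID = ("0x3066310B300906035504061302434831133011060355040A130A7374726F6E675377616E"
             "310F300D06035504031306617370667732" + "00" * 51)


def _header(buf, pos):
    """Parse a DER tag and length at pos; return (tag, length, start_of_value)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, length, pos


def _oid(data):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs = [data[0] // 40, data[0] % 40]
    value = 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_dn(hexstr):
    """Decode a hex-dumped X.501 Name into Openswan's 'C=CH, O=..., CN=...' form.

    Returns (dn, declared_len, consumed_len): declared_len is the outer SEQUENCE
    length, consumed_len the bytes of real RDN content found before the buffer
    turns into zero fill. In valid DER the two are equal.
    """
    raw = bytes.fromhex(hexstr[2:] if hexstr[:2].lower() == "0x" else hexstr)
    tag, declared, pos = _header(raw, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE (tag 0x30)")
    body_start, end = pos, pos + declared
    parts = []
    while pos < end and raw[pos] == 0x31:    # each RDN is a SET; 0x00 means zero fill
        _, rdn_len, rpos = _header(raw, pos)
        rdn_end = rpos + rdn_len
        while rpos < rdn_end:                # AttributeTypeAndValue SEQUENCE
            _, atv_len, apos = _header(raw, rpos)
            oid_tag, oid_len, opos = _header(raw, apos)
            if oid_tag != 0x06:
                raise ValueError("attribute type must be an OID")
            oid = _oid(raw[opos:opos + oid_len])
            _, val_len, vpos = _header(raw, opos + oid_len)
            value = raw[vpos:vpos + val_len].decode("utf-8")
            parts.append(f"{ATTR_NAMES.get(oid, oid)}={value}")
            rpos = apos + atv_len
        pos = rdn_end
    return ", ".join(parts), declared, pos - body_start


def normalise_dn(dn):
    """Canonical form for comparing an ipsec.conf leftid/rightid with a decoded DN."""
    return ",".join(p.strip() for p in dn.split(","))


def id_matches(hexstr, configured_dn):
    """True if the DN text decoded from the status hex equals the configured id."""
    dn, _, _ = decode_dn(hexstr)
    return normalise_dn(dn) == normalise_dn(configured_dn)


def length_consistent(hexstr):
    """True only if the declared SEQUENCE length covers exactly the RDN bytes."""
    _, declared, consumed = decode_dn(hexstr)
    return declared == consumed


def status_ids(status_line):
    """Pull every bracketed hex id out of an `ipsec auto --status` connection line."""
    return re.findall(r"\[(0x[0-9A-Fa-f]+),", status_line)


if __name__ == "__main__":
    for label, hexid in (("left", COVAZFW_ID), ("right", ASPFW2_ID)):
        dn, declared, consumed = decode_dn(hexid)
        print(f"{label}: {dn!r}  declared={declared} bytes  actual={consumed} bytes")
```

Paste the whole `"test":` line from `ipsec auto --status` into `status_ids()` to pull out the bracketed ids, then run `decode_dn()` and `id_matches()` on each against the leftid/rightid from ipsec.conf. A decoded DN that matches the configured one but fails `length_consistent()` points at how the daemon stored the id rather than at the certificate or the configured string, and that separates an ID-encoding problem from a missing CA certificate or a typo in rightid.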
Andreas Steffen
2017-07-04 17:29:59 UTC
Permalink
Hi Matt,

could you post the /etc/ipsec.d/certs/aspfw2.pem certificate?

Regards

Andreas
--
=======================================================================
Andreas Steffen e-mail: ***@strongsec.net
strongSec GmbH home: http://www.strongsec.net
Alter Zürichweg 20 phone: +41 44 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 44 730 80 65
==========================================[strong internet security]===
Matt Killock
2017-07-05 07:09:59 UTC
Permalink
Hi, here you go:

-----BEGIN CERTIFICATE-----
[certificate body not preserved in the archive]
-----END CERTIFICATE-----

Thanks
Matt

-----Original Message-----
From: Andreas Steffen [mailto:***@strongsec.net]
Sent: 04 July 2017 18:30
To: Matt Killock <***@praemium.com>; ***@lists.openswan.org
Subject: Re: [Openswan Users] OpenSwan to Strongswan RSA Problem

Hi Matt,

could you post the /etc/ipsec.d/certs/aspfw2.pem certificate?

Regards

Andreas
Matt Killock
2017-07-06 16:19:28 UTC
Permalink
Any ideas Andreas?

I read somewhere about a possible fragmentation issue with large certificates, so I tried 1024 bit certificates and got nowhere; these don't seem to be accepted by Strongswan, so I reverted to the 2048 bit certs. The certificates seem to load OK on both sides: ipsec auto --listall shows them, along with the correct 'has private key' notice. I am doubtful about fragmentation issues, as these two machines are VMs on the same host machine on the same subnet, and tcpdump icmp shows no fragmentation notices.

As Andy noted, ipsec auto --status seems to show long hex values instead of the DNs; is that expected?

000 "test": 10.2.0.0/24===192.168.100.37<192.168.100.37>[0x3068310B300906035504061302434831133011060355040A130A7374726F6E675377616E3110300E06035504031307636F76617A667700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,+S=C]...192.168.100.38<192.168.100.38>[0x3066310B300906035504061302434831133011060355040A130A7374726F6E675377616E310F300D06035504031306617370667732000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,+S=C]===10.1.0.0/24; prospective erouted; eroute owner: #0

Openswan doesn't seem to recognise the cert. Is it trying to match 'C=CH, O=strongSwan, CN=aspfw2' against '0x3066310B300906035504061302434831133011060355040A130A7374726F6E675377616E310F300D06035504031306617370667732000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'?

Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: responding to Main Mode
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: no crl from issuer "C=CH, O=strongSwan, CN=Plum IPSec Root CA" found (strict=no)
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: no suitable connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500

Any clues might be helpful

Thanks

Matt

-----Original Message-----
From: Andreas Steffen [mailto:***@strongsec.net]
Sent: 04 July 2017 18:30
To: Matt Killock <***@praemium.com>; ***@lists.openswan.org
Subject: Re: [Openswan Users] OpenSwan to Strongswan RSA Problem

Hi Matt,

could you post the /etc/ipsec.d/certs/aspfw2.pem certificate?

Regards

Andreas
--
=======================================================================
Andreas Steffen e-mail: ***@strongsec.net
strongSec GmbH home: http://www.strongsec.net
Alter Zürichweg 20 phone: +41 44 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 44 730 80 65
==========================================[strong internet security]===


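The hex values on the status line are worth decoding rather than guessing at. What follows is an added example for this thread, not code from Openswan or strongSwan: a small DER decoder for an X.501 Name that walks the RDN SETs and reports, instead of simply failing, how much of the outer SEQUENCE they actually cover. The RDN bytes are copied from the two IDs on the status line quoted above; the run of zeros after each DN is written as "00" * 51 and "00" * 52, the counts that fill the declared lengths 0x66 and 0x68, which is assumed from the page rather than recounted character by character.

```python
"""Decode the 0x... ID that `ipsec auto --status` printed for a peer.

Added example for this thread, not Openswan or strongSwan code: a minimal
DER decoder for an X.501 Name that, rather than rejecting a bad encoding
outright, reports how far the RDNs parse and what is left over, so the
status-line value can be compared with the DN the pluto log prints.
"""

# Attribute-type OIDs that occur in the thread's DNs, plus a few common ones.
ATTR_NAMES = {
    "2.5.4.3": "CN",
    "2.5.4.6": "C",
    "2.5.4.7": "L",
    "2.5.4.8": "ST",
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header at offset %d" % pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length at offset %d" % pos)
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer at offset %d" % pos)
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Turn the contents of an OBJECT IDENTIFIER into dotted form."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def parse_rdns(body):
    """Walk the RDN SETs inside the content of a Name SEQUENCE.

    Returns (dn_string, consumed): the attributes decoded and the offset at
    which a SET tag was no longer found (len(body) for a clean encoding).
    """
    parts, pos = [], 0
    while pos < len(body) and body[pos] == 0x31:  # 0x31 = SET
        _, rdn, pos = read_tlv(body, pos)
        rpos = 0
        while rpos < len(rdn):
            tag, atv, rpos = read_tlv(rdn, rpos)
            if tag != 0x30:
                raise ValueError("AttributeTypeAndValue must be a SEQUENCE")
            otag, oid, apos = read_tlv(atv, 0)
            vtag, val, _ = read_tlv(atv, apos)
            if otag != 0x06:
                raise ValueError("attribute type must be an OID")
            # PrintableString, UTF8String and IA5String are shown as text.
            text = val.decode("utf-8") if vtag in (0x13, 0x0C, 0x16) else "#" + val.hex()
            dotted = decode_oid(oid)
            parts.append("%s=%s" % (ATTR_NAMES.get(dotted, dotted), text))
    return ", ".join(parts), pos


def inspect_status_id(hex_id):
    """Decode a status-line ID and describe its shape.

    Returns a dict with the decoded DN, the content length the outer
    SEQUENCE declares, how many of those bytes the RDNs actually cover,
    and whatever bytes are left over (b'' for well-formed DER).
    """
    der = bytes.fromhex(hex_id[2:] if hex_id.lower().startswith("0x") else hex_id)
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("a Name must start with SEQUENCE (0x30), got 0x%02X" % tag)
    dn, consumed = parse_rdns(body)
    return {"dn": dn, "declared_len": len(body), "rdn_bytes": consumed,
            "leftover": body[consumed:] + der[end:]}


# RDN bytes copied from the two IDs on the status line in this thread.
RDN_C_CH = "310B3009060355040613024348"                          # SET { C = CH }
RDN_O_STRONGSWAN = "31133011060355040A130A7374726F6E675377616E"  # SET { O = strongSwan }
RDN_CN_ASPFW2 = "310F300D06035504031306617370667732"            # SET { CN = aspfw2 }
RDN_CN_COVAZFW = "3110300E06035504031307636F76617A6677"         # SET { CN = covazfw }

# The status line shows each DN followed by a run of zero bytes. The run is
# written here as "00" * N with N chosen to fill the declared length (0x66 =
# 102 and 0x68 = 104); that count is assumed from the page, not recounted.
ASPFW2_STATUS_ID = "0x3066" + RDN_C_CH + RDN_O_STRONGSWAN + RDN_CN_ASPFW2 + "00" * 51
COVAZFW_STATUS_ID = "0x3068" + RDN_C_CH + RDN_O_STRONGSWAN + RDN_CN_COVAZFW + "00" * 52


if __name__ == "__main__":
    for label, hex_id in (("right", ASPFW2_STATUS_ID), ("left", COVAZFW_STATUS_ID)):
        info = inspect_status_id(hex_id)
        print("%s: %s" % (label, info["dn"]))
        print("   SEQUENCE declares %d bytes, RDNs cover %d, %d left over (all zero: %s)"
              % (info["declared_len"], info["rdn_bytes"], len(info["leftover"]),
                 set(info["leftover"]) == {0}))
```

Decoding the right-side value gives 'C=CH, O=strongSwan, CN=aspfw2', the same DN the pluto log prints, so the hex and the DN name the same identity. The decoder also shows that the outer SEQUENCE declares 102 content bytes while the three RDNs occupy only 51, with zeros filling the rest (104 against 52 on the covazfw side). A parser that expects a SET tag at byte 51 finds 0x00 there and will report the ID as invalid, which is what the strongSwan log later in this thread says about the ID it received. The thread does not establish that this padded value is what pluto actually put on the wire, so use the decoder to check the ID your own status output and the peer's logs show rather than as a diagnosis.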
andy
2017-07-06 17:56:10 UTC
Permalink
A long shot - I see your CA cert has a 4096 bit key. There are some issues with Openswan to do with 4096 bit *private* keys - I don't recall anyone mentioning any problem with a public key that long. But you never know... So you might want to try with a 2048 bit key...

Another possibility - your version of Openswan is quite old, maybe worth upgrading?

- Andy
Matt Killock
2017-07-07 12:02:43 UTC
Permalink
I tried the 2048 bit CA, but it does the same thing.

I'll look into compiling the latest version; Debian 7 doesn't seem to have the very latest version in its repositories.

I just signed up to the Strongswan mailing list and noticed that Andreas runs it. May I ask whether there could be an issue on the Strongswan side?



Matt Killock
2017-07-07 12:08:26 UTC
Permalink
Sorry, I hit send too soon.

The Strongswan side seems to receive the cert from the Openswan side OK (2nd line), but then it can't match the config on its own side? Is that right? What does the 'invalid ID_DER_ASN1_DN' refer to? The covazfw cert or its own cert (aspfw2)?

Then it seems to say there is no config that matches the request, and sends back a failure message.

Jul 7 13:05:26 covtestvpn2 charon: 08[IKE] received cert request for 'C=CH, O=strongSwan2, CN=Plum IPSec Root CA'
Jul 7 13:05:26 covtestvpn2 charon: 08[IKE] received end entity cert "C=CH, O=strongSwan2, CN=covazfw"
Jul 7 13:05:26 covtestvpn2 charon: 08[CFG] looking for RSA signature peer configs matching 192.168.100.38...192.168.100.37[C=CH, O=strongSwan2, CN=covazfw, (invalid ID_DER_ASN1_DN)]
Jul 7 13:05:26 covtestvpn2 charon: 08[IKE] no peer config found
Jul 7 13:05:26 covtestvpn2 charon: 08[ENC] generating INFORMATIONAL_V1 request 3812851300 [ HASH N(AUTH_FAILED) ]

So is the problem on the Strongswan side?

Matt

-----Original Message-----
From: andy [mailto:***@andynet.net]
Sent: 06 July 2017 18:56
To: Matt Killock <***@praemium.com>
Cc: Andreas Steffen <***@strongsec.net>; ***@lists.openswan.org
Subject: Re: [Openswan Users] OpenSwan to Strongswan RSA Problem

A long shot - I see your CA cert has a 4096 bit key. There are some issues with Openswan to do with 4096 bit
*private* keys - I don't recall anyone mentioning any problem with a public key that long. But you never know...
So you might want to try with a 2048 bit key...

Another possibility - your version of Openswan is quite old, maybe worth upgrading?

- Andy
Post by Matt Killock
Any ideas Andreas?
I read somewhere about a possible fragmentation issue with large certificates, so I tried 1024 bit certificates and got nowhere; these don't seem to be accepted by Strongswan, so I reverted to the 2048 bit certs. The certificates seem to load OK both sides; ipsec auto --listall shows them, along with the correct 'has private key' notice. I am doubtful about fragmentation issues as these two machines are VMs on the same host machine on the same subnet, and tcpdump icmp shows no fragmentation notices.
As Andy noted, the ipsec auto --status seems to show long HEX values instead of the DNs; is that expected?
000 "test": 10.2.0.0/24===192.168.100.37<192.168.100.37>[0x3068310B300906035504061302434831133011060355040A130A7374726F6E675377616E3110300E06035504031307636F76617A667700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,+S=C]...192.168.100.38<192.168.100.38>[0x3066310B300906035504061302434831133011060355040A130A7374726F6E675377616E310F300D06035504031306617370667732000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,+S=C]===10.1.0.0/24; prospective erouted; eroute owner: #0
Openswan doesn't seem to recognise the cert; is it trying to match 'C=CH, O=strongSwan, CN=aspfw2' against '0x3066310B300906035504061302434831133011060355040A130A7374726F6E675377616E310F300D06035504031306617370667732000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' ?
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: responding to Main Mode
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: no crl from issuer "C=CH, O=strongSwan, CN=Plum IPSec Root CA" found (strict=no)
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: no suitable connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
Any clues might be helpful
Thanks
Matt
Matt Killock
2017-07-07 14:27:39 UTC
Permalink
OK, I got this working…

BUT - it makes no sense to me. My OpenSwan config now looks like this:

conn test
authby=rsasig
type=tunnel
left=192.168.100.37
leftsubnet=10.2.0.0/24
right=192.168.100.38
rightsubnet=10.1.0.0/24
auto=start
esp=aes128-sha1
ike=aes128-sha1-modp2048
rekey=yes
dpdaction=clear
dpddelay=15
dpdtimeout=50
compress=no
leftcert=/etc/ipsec.d/certs/covazfw.pem
rightcert=/etc/ipsec.d/certs/aspfw2.pem
leftid="aaaaaaaaaaaaaaaaaaaa"
rightid="bbbbbbbbbbbbbbbbbbb"


So what made it work was adding those bogus leftid/rightid lines.

Ipsec auto --status now shows the expected values:

000 "test": 10.2.0.0/24===192.168.100.37<192.168.100.37>[C=CH, O=strongSwan2, CN=covazfw,+S=C]...192.168.100.38<192.168.100.38>[C=CH, O=strongSwan2, CN=aspfw2,+S=C]===10.1.0.0/24; erouted; eroute owner: #2

When I changed just the leftid, I saw this in the logs:

Jul 7 15:11:03 covtestvpn pluto[20554]: "test" #1: we require peer to have ID '0x3068310B300906035504061302434831143012060355040A130B7374726F6E675377616E32310F300D0603550403130661737066773200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000', but peer declares 'C=CH, O=strongSwan2, CN=aspfw2'

Which seems to confirm the theory that OpenSwan was trying to match the long HEX value to the DN.

So... Huh? Hope that makes sense to someone!

Anyway, thanks for your help, it helped me narrow down what things to experiment with to find a solution.

Matt
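An added example, not code from this thread nor from Openswan or strongSwan, that makes sense of the hex IDs in the status output and in the "we require peer to have ID" log line above (and answers the earlier question of whether Openswan matches the DN against that hex): a small DER decoder for the X.501 Name that an ID_DER_ASN1_DN carries, plus an encoder that produces the correct encoding of the same DN for comparison. The hex prefixes are copied from the thread; the helper names are mine, and pad_like_status() reproduces the trailing zero run on the assumption, checked by counting the left ID in the status line, that each blob runs to exactly 2 + declared-length bytes.

```python
import binascii

# Attribute types used by the certificates in the thread.
OID_NAMES = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.3": "CN", "2.5.4.11": "OU"}
OID_BY_NAME = {name: oid for oid, name in OID_NAMES.items()}

# Non-zero prefixes of the blobs quoted in the thread.  The status output
# continues each one with a run of 00 bytes; pad_like_status() reproduces it.
LEFT_ID_PREFIX = ("3068310B300906035504061302434831133011060355040A130A"
                  "7374726F6E675377616E3110300E06035504031307636F76617A6677")
RIGHT_ID_PREFIX = ("3066310B300906035504061302434831133011060355040A130A"
                   "7374726F6E675377616E310F300D06035504031306617370667732")
# From the "we require peer to have ID ..." log line (O=strongSwan2).
REQUIRED_ID_PREFIX = ("3068310B300906035504061302434831143012060355040A130B"
                      "7374726F6E675377616E32310F300D06035504031306617370667732")


def _tlv(tag: int, value: bytes) -> bytes:
    """DER tag-length-value; short-form length suffices for names this small."""
    return bytes([tag, len(value)]) + value


def _read_tlv(buf: bytes, pos: int):
    """Read one DER element at pos and return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError(f"element declares {length} bytes, {len(buf) - pos} left")
    return tag, buf[pos:pos + length], pos + length


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                                # base-128, high bit = more
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += chunk
    return bytes(out)


def _decode_oid(raw: bytes) -> str:
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def encode_dn(dn: str) -> bytes:
    """Encode 'C=CH, O=x, CN=y' as a DER Name with PrintableString values."""
    rdns = b""
    for part in dn.split(", "):
        attr, value = part.split("=", 1)
        atv = _tlv(0x06, _encode_oid(OID_BY_NAME[attr])) + _tlv(0x13, value.encode("ascii"))
        rdns += _tlv(0x31, _tlv(0x30, atv))             # RDN = SET { SEQUENCE { type, value } }
    return _tlv(0x30, rdns)


def pad_like_status(prefix_hex: str) -> bytes:
    """Append the zero run shown in the status line.  Assumption from the thread:
    each blob is 2 + declared-length bytes (left ID: 54 non-zero bytes + 52 zeros)."""
    head = binascii.unhexlify(prefix_hex)
    declared = head[1]                                  # short-form outer length
    return head + b"\x00" * (2 + declared - len(head))


def decode_id_blob(blob: bytes) -> dict:
    """Walk the Name: every RDN is a SET; stop at the first byte that is not one."""
    tag, seq, end = _read_tlv(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise ValueError("blob is not a single DER SEQUENCE")
    rdns, pos = [], 0
    while pos < len(seq) and seq[pos] == 0x31:
        _, rdn, pos = _read_tlv(seq, pos)
        _, atv, _ = _read_tlv(rdn, 0)
        _, oid_raw, after_oid = _read_tlv(atv, 0)
        _, value, _ = _read_tlv(atv, after_oid)
        oid = _decode_oid(oid_raw)
        rdns.append(f"{OID_NAMES.get(oid, oid)}={value.decode('ascii')}")
    pad = seq[pos:]
    return {
        "dn": ", ".join(rdns),
        "declared_len": len(seq),                       # what the outer SEQUENCE claims
        "content_len": pos,                             # bytes actually used by RDNs
        "pad_len": len(pad),
        "pad_is_zero": pad == bytes(len(pad)),
        "valid_der": pos == len(seq),                   # nothing but RDNs inside
    }


if __name__ == "__main__":
    for prefix in (LEFT_ID_PREFIX, RIGHT_ID_PREFIX, REQUIRED_ID_PREFIX):
        print(decode_id_blob(pad_like_status(prefix)))
    print(encode_dn("C=CH, O=strongSwan, CN=aspfw2").hex().upper())
```

Each blob decodes to the expected DN, but its outer SEQUENCE declares exactly twice the length of the RDNs it contains and is zero-filled to that size, which is not valid DER (the correct encoding of the rightid DN is the same bytes with length 0x33 instead of 0x66 and no padding). That mismatch is consistent with strongSwan logging the ID as an invalid ID_DER_ASN1_DN and with Openswan failing to match the padded blob against the plain DN the peer declares.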

andy
2017-07-07 17:06:31 UTC
Permalink
Post by Matt Killock
OK, I got this working…
Cool!
Post by Matt Killock
conn test
authby=rsasig
type=tunnel
left=192.168.100.37
leftsubnet=10.2.0.0/24
right=192.168.100.38
rightsubnet=10.1.0.0/24
auto=start
esp=aes128-sha1
ike=aes128-sha1-modp2048
rekey=yes
dpdaction=clear
dpddelay=15
dpdtimeout=50
compress=no
leftcert=/etc/ipsec.d/certs/covazfw.pem
rightcert=/etc/ipsec.d/certs/aspfw2.pem
leftid="aaaaaaaaaaaaaaaaaaaa"
rightid="bbbbbbbbbbbbbbbbbbb"
So what made it work was adding those bogus leftid/rightid lines.
Weird indeed.

Just comparing with a similar setup that's working for me:
In my case I have
leftcert=xxx.pem
leftid=%fromcert
rightid="DN from peer cert"

and I have no rightcert entry - shouldn't be needed as the peer sends its cert.

None of that seems to explain what you're seeing! But may be something else to try.
Post by Matt Killock
000 "test": 10.2.0.0/24===192.168.100.37<192.168.100.37>[C=CH, O=strongSwan2, CN=covazfw,+S=C]...192.168.100.38<192.168.100.38>[C=CH, O=strongSwan2, CN=aspfw2,+S=C]===10.1.0.0/24; erouted; eroute owner: #2
Jul 7 15:11:03 covtestvpn pluto[20554]: "test" #1: we require peer to have ID '0x3068310B300906035504061302434831143012060355040A130B7374726F6E675377616E32310F300D0603550403130661737066773200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000', but peer declares 'C=CH, O=strongSwan2, CN=aspfw2'
Which seems to confirm the theory that OpenSwan was trying to match the long HEX value to the DN.
So... Huh? Hope that makes sense to someone!
Anyway, thanks for your help, it helped me narrow down what things to experiment with to find a solution.
Matt
-----Original Message-----
Sent: 07 July 2017 13:08
Subject: Re: [Openswan Users] OpenSwan to Strongswan RSA Problem
Sorry I hit send too soon.
The Strongswan side seems to receive the cert from the Openswan side OK, (2nd line) but then it can't match the config on it's own side? Is that right? What does the 'invalid ID_DER_AS1_DN' refer to? The covazfw cert or it's own cert (aspfw2)?
Then it seems to say there is no config that matches the request, and sends back a failure message.
Jul 7 13:05:26 covtestvpn2 charon: 08[IKE] received cert request for 'C=CH, O=strongSwan2, CN=Plum IPSec Root CA'
Jul 7 13:05:26 covtestvpn2 charon: 08[IKE] received end entity cert "C=CH, O=strongSwan2, CN=covazfw"
Jul 7 13:05:26 covtestvpn2 charon: 08[CFG] looking for RSA signature peer configs matching 192.168.100.38...192.168.100.37[C=CH, O=strongSwan2, CN=covazfw, (invalid ID_DER_ASN1_DN)] Jul 7 13:05:26 covtestvpn2 charon: 08[IKE] no peer config found Jul 7 13:05:26 covtestvpn2 charon: 08[ENC] generating INFORMATIONAL_V1 request 3812851300 [ HASH N(AUTH_FAILED) ]
So is the problem on the Strongswan side?
Matt
-----Original Message-----
Sent: 06 July 2017 18:56
Subject: Re: [Openswan Users] OpenSwan to Strongswan RSA Problem
A long shot - I see your CA cert has a 4096 bit key. There are some issues with Openswan to do with 4096 bit
*private* keys - I don't recall anyone mentioning any problem with a public key that long. But you never know...
So you might want to try with a 2048 bit key...
Another possibility - your version of Openswan is quite old, maybe worth upgrading?
- Andy
Post by Matt Killock
Any ideas Andreas?
I read somewhere about a possible fragmentation issue with large certificates so I tried 1024 bit certificates and got nowhere, these don't seem to be accepted by Strongswan, so I reverted to the 2048 bit certs. The certificates seem to load OK both sides, ipsec auto --listall shows them, along with the correct 'has private key' notice. I am doubtful about fragmentation issues as these two machines are VMs on the same host machine on the same subnet, and tcpdump icmp shows no fragmentation notices.
As Andy noted, the ipsec auto --status seems to show long HEX values, instead of the DNs, is that expected?
10.2.0.0/24===192.168.100.37<192.168.100.37>[0x3068310B300906035504061302434831133011060355040A130A7374726F6E675377616E3110300E06035504031307636F76617A667700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,+S=C]...192.168.100.38<192.168.100.38>[0x3066310B300906035504061302434831133011060355040A130A7374726F6E675377616E310F300D06035504031306617370667732000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,+S=C]===10.1.0.0/24; prospective erouted; eroute owner: #0
Openswan doesn't seem to recognise the cert, is it trying to match 'C=CH, O=strongSwan, CN=aspfw2' against '0x3066310B300906035504061302434831133011060355040A130A7374726F6E675377616E310F300D06035504031306617370667732000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' ?
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: responding to Main Mode
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: STATE_MAIN_R1: sent MR1, expecting
Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: no crl from issuer "C=CH, O=strongSwan, CN=Plum IPSec Root CA" found (strict=no)
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: no suitable connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
Jul 6 17:15:02 covtestvpn pluto[13386]: "test" #2: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
Any clues might be helpful
Thanks
Matt
-----Original Message-----
Sent: 04 July 2017 18:30
Subject: Re: [Openswan Users] OpenSwan to Strongswan RSA Problem
Hi Matt,
could you post the /etc/ipsec.d/certs/aspfw2.pem certificate?
Regards
Andreas
Post by Matt Killock
Hello,
I managed to make a working connection between two linux machines,
one running OpenSwan and the other running StrongSwan using PSK. The
conn test
authby=secret
type=tunnel
left=192.168.100.37
leftsubnet=10.2.0.0/24
right=192.168.100.38
rightsubnet=10.1.0.0/24
auto=start
esp=aes128-sha1
ike=aes128-sha1-modp2048
rekey=yes
dpdaction=clear
dpddelay=15
dpdtimeout=50
compress=no
However, after attempting to change this to work with RSA certs, I
conn test
authby=rsasig
type=tunnel
left=192.168.100.37
leftsubnet=10.2.0.0/24
right=192.168.100.38
rightsubnet=10.1.0.0/24
auto=start
esp=aes128-sha1
ike=aes128-sha1-modp2048
rekey=yes
dpdaction=clear
dpddelay=15
dpdtimeout=50
compress=no
leftcert=/etc/ipsec.d/certs/covazfw.pem
rightcert=/etc/ipsec.d/certs/aspfw2.pem
leftid="C=CH, O=strongSwan, CN=covazfw"
rightid="C=CH, O=strongSwan, CN=aspfw2"
All the relevant public certs are in the ipsec.d subfolder
hierarchy, along with the private key for the OpenSwan side covazfw.pem.
: RSA /etc/ipsec.d/private/covazfw.pem
received Vendor ID payload [XAUTH]
received Vendor ID payload [Dead Peer Detection]
received Vendor ID payload [RFC 3947] method set to=109
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
meth=106, but already using method 109
Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: responding to Main Mode
Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
sent MR1, expecting MI2
Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: transition from
state STATE_MAIN_R1 to state STATE_MAIN_R2
sent MR2, expecting MI3
Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: Main mode peer ID is
ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: no suitable
connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
Jul 4 16:37:43 covtestvpn pluto[7623]: "test" #14: sending
encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
Jul 4 16:37:47 covtestvpn pluto[7623]: "test" #14: Main mode peer ID is
ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=aspfw2'
Jul 4 16:37:47 covtestvpn pluto[7623]: "test" #14: no suitable
connection for peer 'C=CH, O=strongSwan, CN=aspfw2'
Jul 4 16:37:47 covtestvpn pluto[7623]: "test" #14: sending
encrypted notification INVALID_ID_INFORMATION to 192.168.100.38:500
It seems that it cannot / will not authenticate the certificate from
the Strongswan side. Could someone tell me what I’m doing wrong please?
Thanks
Matt
--------------------------------------------------------------------
----
Plum Software is a fully owned subsidiary of Praemium Limited.
This e-mail is confidential. It may also be legally privileged. If
you are not the addressee, you may not copy, forward, disclose or
use any part of it. If you have received this message in error,
please delete it and all copies from your system and notify the
sender immediately by return email. Internet communications cannot
be guaranteed to be timely, secure, or error or virus free. The
sender does not accept liability for any errors or omissions.
In the UK the Praemium Group is: Praemium Portfolio Services Ltd
05362153), Praemium Administration Ltd (Company Number: 06016828)
and Smartfund Nominees Ltd (Company Number: 07153417) each having
its registered office at 4th Floor, Suite 643-659, Salisbury House,
London Wall, London, EC2M 5QQ, United Kingdom. Praemium
Administration Ltd is authorised and regulated by the Financial
Conduct Authority under reference 463566. See http://www.fca.org.uk/register for more details.
In Jersey the Praemium Group is: Praemium International Ltd (Company
Number: 107624) which has its registered office at 3rd Floor East,
Salisbury House, 1-9 Union Street, St Helier, JE2 3RF and is
regulated under the Financial Service (Jersey) Law 1998 by the
Jersey Financial Services Commission for the conduct of investment business in Jersey.
See http://www.jerseyfsc.org for more details.
Thank you for your cooperation. Please contact us on +44 (0)207 5622
450 if you require assistance.
_______________________________________________
https://lists.openswan.org/mailman/listinfo/users
https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=28
3155
--
=======================================================================
strongSec GmbH home: http://www.strongsec.net
Alter Zürichweg 20 phone: +41 44 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 44 730 80 65
==========================================[strong internet security]===
Matt Killock
2017-07-10 08:53:23 UTC
Permalink
Hi,

Yes, some of that works, but some doesn't. The %fromcert directive looks better in the config.

These configs work:

leftcert=/etc/ipsec.d/certs/covazfw.pem
rightcert=/etc/ipsec.d/certs/aspfw2.pem
leftid=%fromcert
rightid="bbbbbbbbbbbbbbbbbbb"

leftcert=/etc/ipsec.d/certs/covazfw.pem
rightcert=/etc/ipsec.d/certs/aspfw2.pem
leftid=%fromcert
rightid=%fromcert

leftcert=/etc/ipsec.d/certs/covazfw.pem
leftid=%fromcert
rightid=%fromcert

(Last one seems to be saying to allow any cert from peer)

And this config doesn't work:

leftcert=/etc/ipsec.d/certs/covazfw.pem
leftid=%fromcert
rightid="C=CH, O=strongSwan2, CN=aspfw2"

So it seems that for me, the rightcert needs to be there but it might not be having any effect at all!

Matt

-----Original Message-----

Just comparing with a similar setup that's working for me:
In my case I have
leftcert=xxx.pem
leftid=%fromcert
rightid="DN from peer cert"

and I have no rightcert entry - shouldn't be needed as the peer sends its cert.

None of that seems to explain what you're seeing! But may be something else to try.


