
Re: Re: [Users] Freeswan (x509) <-> SSH Sentinel Prob

From: killhead_at_pandora.be
Date: Wed May 29 2002 - 15:15:20 CEST


Hi, for the CN names I use this:

CA cert hermes.ignl.be
FreeSWAN client cert gateway.ignl.be
Sentinel client cert calin.ignl.be

My ipsec.conf file:

[root_at_hermes ssl]# cat /etc/ipsec.conf
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        uniqueids=yes

conn %default
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=%defaultroute
        leftsubnet=192.168.0.0/24

conn roadwarrior
        right=%any
        auto=add

Now, what I tested:

When my ipsec.conf file has the line:
        leftid="C=BE, O=Cameleon Projects Int, CN=hermes.ignl.be"

I get this error in IKE Log:
SPD: Can not determine per-rule trusted CA root set for remote identity der_asn1_dn(any:0,[0..71]=C=BE, O=Cameleon Projects Int, CN=hermes.ignl.be). Using only globally trusted roots.
Phase-1 [initiator] between der_asn1_dn(udp:500,[0..70]=C=BE, O=Cameleon Projects Int, CN=calin.ignl.be) and ipv4(udp:500,[0..3]=213.224.16.200) failed; Authentication failed.

And in the secure log:
May 29 15:07:27 hermes Pluto[1268]: "roadwarrior" 192.168.0.1 #2: responding to Main Mode from unknown peer 192.168.0.1
May 29 15:07:27 hermes Pluto[1268]: "roadwarrior" 192.168.0.1 #2: ignoring informational payload, type IPSEC_INITIAL_CONTACT
May 29 15:07:27 hermes Pluto[1268]: "roadwarrior" 192.168.0.1 #2: Peer ID is ID_DER_ASN1_DN: 'C=BE, O=Cameleon Projects Int, CN=calin.ignl.be'
May 29 15:07:27 hermes Pluto[1268]: "roadwarrior" 192.168.0.1 #2: deleting connection "roadwarrior" instance with peer 192.168.0.1
May 29 15:07:27 hermes Pluto[1268]: "roadwarrior" 192.168.0.1 #2: sent MR3, ISAKMP SA established
May 29 15:07:27 hermes Pluto[1268]: "roadwarrior" 192.168.0.1 #2: Informational Exchange message for an established ISAKMP SA must be encrypted

I tried then this in ipsec.conf:
        leftid="C=BE, O=Cameleon Projects Int, CN=gateway.ignl.be"

I get this error in IKE Log:
SPD: Can not determine per-rule trusted CA root set for remote identity der_asn1_dn(any:0,[0..72]=C=BE, O=Cameleon Projects Int, CN=gateway.ignl.be). Using only globally trusted roots.
Phase-1 [initiator] between der_asn1_dn(udp:500,[0..70]=C=BE, O=Cameleon Projects Int, CN=calin.ignl.be) and der_asn1_dn(any:0,[0..72]=C=BE, O=Cameleon Projects Int, CN=gateway.ignl.be) done.

And in the secure log:
May 29 15:08:48 hermes Pluto[1461]: packet from 192.168.0.1:500: ignoring Vendor ID payload
May 29 15:08:48 hermes Pluto[1461]: "roadwarrior" 192.168.0.1 #1: responding to Main Mode from unknown peer 192.168.0.1
May 29 15:08:49 hermes Pluto[1461]: "roadwarrior" 192.168.0.1 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
May 29 15:08:49 hermes Pluto[1461]: "roadwarrior" 192.168.0.1 #1: Peer ID is ID_DER_ASN1_DN: 'C=BE, O=Cameleon Projects Int, CN=calin.ignl.be'
May 29 15:08:49 hermes Pluto[1461]: "roadwarrior" 192.168.0.1 #1: deleting connection "roadwarrior" instance with peer 192.168.0.1
May 29 15:08:49 hermes Pluto[1461]: "roadwarrior" 192.168.0.1 #1: sent MR3, ISAKMP SA established
May 29 15:08:49 hermes Pluto[1461]: "roadwarrior" 192.168.0.1 #2: cannot respond to IPsec SA request because no connection is known for 192.168.0.0/16===213.224.16.200[C=BE, O=Cameleon Projects Int, CN=gateway.ignl.be]...192.168.0.1[C=BE, O=Cameleon Projects Int, CN=calin.ignl.be]
May 29 15:08:50 hermes Pluto[1461]: "roadwarrior" 192.168.0.1 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x33c4ed5e (perhaps this is a duplicated packet)
May 29 15:09:10 hermes last message repeated 3 times
May 29 15:09:19 hermes Pluto[1461]: packet from 192.168.0.1:500: ignoring Vendor ID payload
May 29 15:09:19 hermes Pluto[1461]: "roadwarrior" 192.168.0.1 #3: responding to Main Mode from unknown peer 192.168.0.1
May 29 15:09:19 hermes Pluto[1461]: "roadwarrior" 192.168.0.1 #3: ignoring informational payload, type AUTHENTICATION_FAILED
May 29 15:09:19 hermes Pluto[1461]: "roadwarrior" 192.168.0.1 #3: received and ignored informational message
May 29 15:09:29 hermes Pluto[1461]: "roadwarrior" 192.168.0.1 #3: ignoring informational payload, type AUTHENTICATION_FAILED
May 29 15:09:29 hermes Pluto[1461]: "roadwarrior" 192.168.0.1 #3: received and ignored informational message

Seems to me now (with changing to gateway.ignl.be in the config) I'll get some IP errors...

Searching some more, and help is welcome ;)

Greetz,
Tom
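Added example, not part of this mailing-list thread: a small Python helper that parses Pluto's "cannot respond to IPsec SA request because no connection is known for ..." line (the one quoted in the secure log above) and compares the peer's proposal against leftsubnet and leftid, so the two failure modes in the mail (leftid set to the CA's DN, and a /16 proposal against a /24 leftsubnet) show up as explicit findings. The log lines and DN strings are the ones from the mail; the certificate-subject constants are assumptions about which DN belongs to which certificate.

```python
import re
from ipaddress import ip_network

# Constructed sample: two lines in the shape of the Pluto "secure" log quoted in the mail.
SECURE_LOG = """\
May 29 15:08:49 hermes Pluto[1461]: "roadwarrior" 192.168.0.1 #1: Peer ID is ID_DER_ASN1_DN: 'C=BE, O=Cameleon Projects Int, CN=calin.ignl.be'
May 29 15:08:49 hermes Pluto[1461]: "roadwarrior" 192.168.0.1 #2: cannot respond to IPsec SA request because no connection is known for 192.168.0.0/16===213.224.16.200[C=BE, O=Cameleon Projects Int, CN=gateway.ignl.be]...192.168.0.1[C=BE, O=Cameleon Projects Int, CN=calin.ignl.be]
"""

# The relevant ipsec.conf settings from the mail (the leftid=gateway.ignl.be variant).
IPSEC_CONF = {
    "leftsubnet": "192.168.0.0/24",
    "leftid": "C=BE, O=Cameleon Projects Int, CN=gateway.ignl.be",
}

# Assumed subject DNs, built from the CN table in the mail: the gateway's own
# certificate and the CA certificate. leftid must be the former, never the latter.
GATEWAY_CERT_SUBJECT = "C=BE, O=Cameleon Projects Int, CN=gateway.ignl.be"
CA_CERT_SUBJECT = "C=BE, O=Cameleon Projects Int, CN=hermes.ignl.be"

# Pluto prints the unmatched proposal as  lsub===lhost[lid]...rhost[rid](===rsub)
NO_CONN_RE = re.compile(
    r"no connection is known for "
    r"(?P<lsub>[\d./]+)===(?P<lhost>[\d.]+)\[(?P<lid>[^\]]*)\]"
    r"\.\.\.(?P<rhost>[\d.]+)(?:\[(?P<rid>[^\]]*)\])?(?:===(?P<rsub>[\d./]+))?"
)


def diagnose(log_text, conf, gateway_cert_subject):
    """Return a list of findings explaining why a roadwarrior negotiation was refused."""
    findings = []
    # Phase 1 fails with "Authentication failed" when leftid names the CA instead of
    # the gateway's own certificate, so check the config before reading the log.
    if conf["leftid"] != gateway_cert_subject:
        findings.append(f"leftid {conf['leftid']!r} is not the gateway cert subject {gateway_cert_subject!r}")
    for line in log_text.splitlines():
        m = NO_CONN_RE.search(line)
        if not m:
            continue
        proposed = ip_network(m["lsub"])
        configured = ip_network(conf["leftsubnet"])
        # Quick Mode needs an exact traffic-selector match; a wider peer proposal is refused.
        if proposed != configured:
            findings.append(f"peer {m['rhost']} proposed {proposed} but leftsubnet is {configured}")
        if m["lid"] != conf["leftid"]:
            findings.append(f"log shows gateway ID {m['lid']!r}, config has {conf['leftid']!r}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SECURE_LOG, IPSEC_CONF, GATEWAY_CERT_SUBJECT):
        print("finding:", finding)
```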
------------------------
 Jussi Torhonen <jt_at_ssh.com> wrote:
------------------------
        
>killhead_at_pandora.be wrote:
>>
>> May 29 13:16:50 hermes Pluto[29627]: "roadwarrior" 192.168.0.1 #9: Peer ID is ID_DER_ASN1_DN: 'C=BE, O=Cameleon Projects Int, CN=calin.ignl.be'
>
>Hmm, I'll get back to the Common Names. So the Common Name of the SSH
>Sentinel client cert is calin.ignl.be? And CN for OpenSSL CA was
>hermes.ignl.be. What's then the CN for FreeSWAN client certificate?
>
>You could try setting up certificate Common Names as
>
>------------------------------------------------
>cert                    CN=
>------------------------------------------------
>CA cert                 freeswan-ca.ignl.be
>FreeSWAN client cert    freeswan-gw.ignl.be
>Sentinel client cert    sentinel-client.ignl.be
>------------------------------------------------
>
>Now, reading both FreeSWAN and SSH Sentinel logfiles comes much easier.
>Also clean up all those old .ignl.be certs from SSH Sentinel -> Trusted
>certs -> CA, as well as from Trusted Certs -> Remote Hosts and sure
>from My Keys.
>
>Then install freeswan-ca.ignl.be root CA cert under Trusted certs -> CA.
>Create a PKCS#12 formatted cert file including your SSH Sentinel client
>cert with CN=sentinel-client.ignl.be under OpenSSL CA, and import the
>file into SSH Sentinel -> My Keys.
>
>Please check our document for quite a comprehensive configuration
>information about the similar case:
>http://www.ssh.com/products/sentinel/SSH-Sentinel-1.3-FreeSWAN.pdf
>
>In addition to that please follow the documentation of x509-patch. You
>must have root CA certificate, FreeSWAN client certificate, FreeSWAN
>private keys as well as SSH Sentinel client certificate installed in
>proper format under proper directories to get the whole thing working.
>The documentation of x509-patch is available at
>http://www.strongsec.com/freeswan/install.htm
>
>> If you want I'll give you a detailed mail about my ipsec config/setup.
>> Need to get this VPN to work :)
>
>Please do that, if you won't get it working with our document. The
>document says it all and we've got a lot of feedback that it really says
>it all.
>
>Regards,
>Jussi
>
>--
>______________________________________________________________
>Jussi Törhönen, Kuopio R&D unit, e-mail jussi.torhonen_at_ssh.com
>SSH Communications Security Corp, http://www.ssh.com
>SSH Sentinel VPN Client, http://www.ipsec.com

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:07 CEST