Re: [Users] FreeS/WAN to FreeS/WAN x509

From: Phill Ashworth (admin_at_dwvc.org)
Date: Wed Nov 13 2002 - 17:50:17 CET


> Which connection definitions does
> ipsec auto --status
> show. Do you see smersh-dwvc?

Yes
goldfinger -

000 "smersh-dwvc": 192.168.200.0/24===192.168.201.2:4500[@goldfinger.smersh.casa]---192.168.201.1...62.xx.xx.xx---62.xx.xx.xx:4500[@txvpn.mydomain]===192.168.0.0/24
000 "smersh-dwvc": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "smersh-dwvc": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; unrouted
000 "smersh-dwvc": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0

txvpn -

000 "smersh-dwvc": 192.168.0.0/24===62.xx.xx.xx[@txvpn.mydomain]---62.xx.xx.xx...81.xx.xx.xx[@goldfinger.smersh.casa]===192.168.200.0/24
000 "smersh-dwvc": ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "smersh-dwvc": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth0; unrouted
000 "smersh-dwvc": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "rw_nat1": 192.168.0.0/24===62.xx.xx.xx[C=.....E=vpnadmin_at_dwvc.org]---62.xx.xx.xx...%any
000 "rw_nat1": ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "rw_nat1": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth0; unrouted
000 "rw_nat1": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0

Thanks
Phill

On Wednesday, Nov 13, 2002, at 17:18 Europe/Rome, Andreas Steffen wrote:
>
> Phill Ashworth wrote:
>> Thanks for the suggestions. I've placed the raw RSA key first in
>> ipsec.secrets, however I'm still experiencing the same problem.
>> Nov 13 15:23:29 txvpn pluto[2788]: "rw_nat1"[1] 81.xx.xx.xx #1: Peer ID is ID_FQDN: '@goldfinger.smersh.casa'
>> Nov 13 15:23:29 txvpn pluto[2788]: "rw_nat1"[1] 81.xx.xx.xx #1: no suitable connection for peer '@goldfinger.smersh.casa'
>> Nov 13 15:23:29 txvpn pluto[2788]: | state transition function for STATE_MAIN_R2 failed: INVALID_ID_INFORMATION
>>>> I'm having some problems getting a standard FreeS/WAN install to
>>>> talk to x509 (0.9.14) enabled FreeS/WAN.
>>>> I've added 'nocrsend=yes' to the x509 enabled gateway and I have 2
>>>> host keys in ipsec.secrets, one in PKCS#1 file format loaded with :
>>>> RSA <my keyfile> and the other as a raw rsa key.
>>>> : RSA {
>>>> # RSA 2192 bits txvpn.mydomain .......
>>>
>>> Both keys will be loaded, but the raw RSA key must be loaded first,
>>> because otherwise the connection based on the raw key won't find its
>>> private key. Certificate based connections will always find their
>>> matching private key.
>> My full setup is as follows:
>> LAN 192.168.200.0/24
>> |
>> FreeS/WAN NAT-T (goldfinger) 192.168.200.1 / 192.168.201.2
>> |
>> ADSL Router (NAT) 81.xx.xx.xx
>> |
>> FreeS/WAN x509 NAT-T (txvpn) 62.xx.xx / 192.168.0.240
>> |
>> LAN 192.168.0.0/24
>> I have tested the same setup using FreeS/WAN + NAT-T <-> FreeS/WAN
>> NAT-T (without x509) and everything works fine. But I need to support
>> SSH-Sentinel RWs on txvpn hence the x509. RWs can currently connect
>> in fine, it's just the raw rsa bit I can't get right.
>> I still can't work out why I'm getting INVALID_ID_INFORMATION, I've
>> double checked the raw key entries in ipsec.conf with 'ipsec
>> showhostkey --left/right' and the IDs and public keys are correct.
>> ipsec.confs and log output pasted below.
>> Once again any more suggestions would be greatly appreciated.
>> Thanks
>> Phill Ashworth
>> goldfinger:
>> config setup
>>     interfaces=%defaultroute
>>     klipsdebug=none
>>     plutodebug=none
>>     plutoload=%search
>>     plutostart=%search
>>     uniqueids=yes
>>     nat_traversal=yes
>> conn %default
>>     keyingtries=0
>>     disablearrivalcheck=no
>>     authby=rsasig
>>     leftrsasigkey=%dnsondemand
>>     rightrsasigkey=%dnsondemand
>> conn smersh-dwvc
>>     right=%defaultroute
>>     rightsubnet=192.168.200.0/24
>>     rightid=@goldfinger.smersh.casa
>>     rightrsasigkey=0sAQOWOpYm53........
>>     left=62.xx.xx.xx
>>     leftnexthop=62.xx.xx.xx
>>     leftsubnet=192.168.0.0/24
>>     leftid=@txvpn.mydomain
>>     leftrsasigkey=0sAQOg6BBCrvM.......
>>     auto=add
>> txvpn:
>> config setup
>>     interfaces=%defaultroute
>>     klipsdebug=none
>>     plutodebug=none
>>     plutoload=%search
>>     plutostart=%search
>>     uniqueids=yes
>>     nat_traversal=yes
>>     nocrsend=yes
>> conn %default
>>     type=tunnel
>>     authby=rsasig
>>     # txvpn ip addr
>>     left=62.xx.xx.xx
>>     leftsubnet=192.168.0.0/24
>>     leftnexthop=62.xx.xx.xx
>>     leftrsasigkey=0sAQOg6BBCrvMoiSw......
>>     ikelifetime=240m
>>     keylife=60m
>>     pfs=yes
>>     auto=add
>> conn smersh-dwvc
>>     # goldfinger ADSL router IP
>>     right=81.xx.xx.xx
>>     rightsubnet=192.168.200.0/24
>>     rightid=@goldfinger.smersh.casa
>>     rightrsasigkey=0sAQOWOpYm53/......
>>     left=62.xx.xx.xx
>>     leftid=@txvpn.xx.xx
>>     leftsubnet=192.168.0.0/24
>>     leftrsasigkey=0sAQOg6BBCrvMoi.....
>>     auto=add
>> conn rw_nat1
>>     right=%any
>>     leftcert=freeswan_cert.pem
>>     leftid="@/C=......."
>>     leftrsasigkey=%cert
>>     rightrsasigkey=%cert
>>     keyingtries=1
>> Connections seem to load fine on txvpn:
>> pluto[5338]: Starting Pluto (FreeS/WAN Version 1.99)
>> pluto[5338]: including X.509 patch (Version 0.9.15)
>> pluto[5338]: including NAT-Traversal patch (Version 0.4)
>> pluto[5338]: Changing to directory '/etc/ipsec.d/cacerts'
>> pluto[5338]: loaded cacert file 'cacert.bin' (891 bytes)
>> pluto[5338]: Changing to directory '/etc/ipsec.d/crls'
>> pluto[5338]: loaded crl file 'crl.pem' (512 bytes)
>> pluto[5338]: loaded my default X.509 cert file '/etc/x509cert.der' (931 bytes)
>> pluto[5338]: loaded host cert file '/etc/ipsec.d/freeswan_cert.pem' (3591 bytes)
>> pluto[5338]: added connection description "rw_nat1"
>> pluto[5338]: added connection description "smersh-dwvc"
>> pluto[5338]: listening for IKE messages
>> pluto[5338]: adding interface ipsec0/eth0 62.xx.xx.xx
>> pluto[5338]: adding interface ipsec0/eth0 62.xx.xx.xx:4500
>> pluto[5338]: loading secrets from "/etc/ipsec.secrets"
>> pluto[5338]: loaded private key file '/etc/ipsec.d/private/freeswan_privkey.pem' (891 bytes)
>
>
> --
> ======================================================================
> Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
> strongSec GmbH phone: +41 76 340 25 56
> Alter Zürichweg 20 home: http://www.strongsec.com
> CH-8952 Schlieren (Switzerland)
> ==========================================[strong internet security]==
>
>

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
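Added example, not part of the thread or of FreeS/WAN itself: a small Python parser for the `ipsec auto --status` connection lines quoted above, used to cross-check the `smersh-dwvc` definition as seen from goldfinger and from txvpn. The sample input is the status output from this message with the wrapped lines re-joined; the `62.xx.xx.xx` and `81.xx.xx.xx` addresses keep the author's redaction and the `rw_nat1` DN keeps the author's elision, so it is constructed input rather than a fresh capture. The function names `parse_status` and `compare_peers` are my own. IDs and subnets are compared crossed over (one side's left must be the other side's right); host addresses are deliberately not compared, because behind NAT-T each end legitimately sees a different address for the same peer.

```python
"""Parse FreeS/WAN `ipsec auto --status` connection lines and cross-check one
connection as defined on both gateways (example code, not FreeS/WAN's own)."""
import re
from typing import Dict, List

# Constructed sample: the thread's status output with wrapped lines re-joined.
GOLDFINGER_STATUS = """\
000 "smersh-dwvc": 192.168.200.0/24===192.168.201.2:4500[@goldfinger.smersh.casa]---192.168.201.1...62.xx.xx.xx---62.xx.xx.xx:4500[@txvpn.mydomain]===192.168.0.0/24
000 "smersh-dwvc": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "smersh-dwvc": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; unrouted
000 "smersh-dwvc": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
"""

TXVPN_STATUS = """\
000 "smersh-dwvc": 192.168.0.0/24===62.xx.xx.xx[@txvpn.mydomain]---62.xx.xx.xx...81.xx.xx.xx[@goldfinger.smersh.casa]===192.168.200.0/24
000 "smersh-dwvc": ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "smersh-dwvc": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth0; unrouted
000 "smersh-dwvc": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "rw_nat1": 192.168.0.0/24===62.xx.xx.xx[C=.....E=vpnadmin_at_dwvc.org]---62.xx.xx.xx...%any
000 "rw_nat1": ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "rw_nat1": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth0; unrouted
000 "rw_nat1": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
"""

STATUS_RE = re.compile(r'^000 "(?P<name>[^"]+)": (?P<rest>.*)$')

# Topology line:  [leftsubnet===]lefthost[ [id] ][---leftnexthop]
#                 ...
#                 [rightnexthop---]righthost[ [id] ][===rightsubnet]
TOPOLOGY_RE = re.compile(
    r"^(?:(?P<lsub>[^\s=]+)===)?"
    r"(?P<lhost>[^\[\s\-=]+)(?:\[(?P<lid>[^\]]*)\])?"
    r"(?:---(?P<lnext>\S+?))?"
    r"\.\.\."
    r"(?:(?P<rnext>[^\s\-]+?)---)?"
    r"(?P<rhost>[^\[\s\-=]+)(?:\[(?P<rid>[^\]]*)\])?"
    r"(?:===(?P<rsub>\S+))?$"
)


def parse_status(text: str) -> Dict[str, dict]:
    """Return {conn_name: fields} from `ipsec auto --status` output."""
    conns: Dict[str, dict] = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue  # not a connection line (e.g. interface or SA list lines)
        conn = conns.setdefault(m.group("name"), {"policy": set(), "flags": set()})
        rest = m.group("rest")
        topo = TOPOLOGY_RE.match(rest)
        if topo:
            conn.update({k: v for k, v in topo.groupdict().items() if v is not None})
            continue
        for item in rest.split(";"):
            item = item.strip()
            if not item:
                continue
            key, sep, value = item.partition(":")
            if not sep:
                conn["flags"].add(item)  # bare state word such as "unrouted"
            elif key == "policy":
                conn["policy"] = set(value.strip().split("+"))
            else:
                conn[key.strip()] = value.strip()
    return conns


def compare_peers(local: dict, remote: dict) -> List[str]:
    """List the ways one connection's definitions on two gateways disagree."""
    problems: List[str] = []
    # Left on one side must be right on the other: IDs and subnets cross over.
    for mine, theirs, what in (("lid", "rid", "ID"), ("rid", "lid", "ID"),
                               ("lsub", "rsub", "subnet"), ("rsub", "lsub", "subnet")):
        if local.get(mine) != remote.get(theirs):
            problems.append(f"{what} mismatch: local {mine}={local.get(mine)!r} "
                            f"vs remote {theirs}={remote.get(theirs)!r}")
    # Lifetimes are negotiated per SA; differing settings mean configuration drift.
    for key in ("ike_life", "ipsec_life", "rekey_margin"):
        if local.get(key) != remote.get(key):
            problems.append(f"{key} differs: {local.get(key)} vs {remote.get(key)}")
    only_local = local["policy"] - remote["policy"]
    only_remote = remote["policy"] - local["policy"]
    if only_local or only_remote:
        problems.append(f"policy differs: only local {sorted(only_local)}, "
                        f"only remote {sorted(only_remote)}")
    return problems


def check_thread() -> List[str]:
    """Cross-check smersh-dwvc as seen from goldfinger (local) and txvpn (remote)."""
    gold = parse_status(GOLDFINGER_STATUS)
    tx = parse_status(TXVPN_STATUS)
    return compare_peers(gold["smersh-dwvc"], tx["smersh-dwvc"])


if __name__ == "__main__":
    for problem in check_thread():
        print(problem)
```

Run against the thread's output it reports that the IDs and subnets mirror correctly and lists the `ike_life`, `ipsec_life` and `DISABLEARRIVALCHECK` differences between the two definitions. `keyingtries` is a local retry count and is intentionally not compared.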



This archive was generated by hypermail 2.1.5 : Fri Nov 15 2002 - 05:20:49 CET