[Users] Help FreeSWAN, x509, and SSH Sentinel 1.4

From: Bruce A. Black (bruceablk_at_ida.net)
Date: Wed Dec 11 2002 - 07:41:29 CET


Dear List,

I have been searching through all of the posts to this list and have read a
number of documents on getting FreeSWAN to work with SSH Sentinel. I have
both set up and when I click the "Diagnostic" button in SSH Sentinel all is
well. However when I try to actually connect I get the following:

/var/log/secure

Dec 10 18:44:02 warrior pluto[14997]: packet from 206.206.30.31:500:
ignoring Vendor ID payload
Dec 10 18:44:02 warrior pluto[14997]: "rw-bblack"[2] 206.206.30.31 #5:
responding to Main Mode from unknown peer 206.206.30.31
Dec 10 18:44:04 warrior pluto[14997]: "rw-bblack"[2] 206.206.30.31 #5:
ignoring informational payload, type IPSEC_INITIAL_CONTACT
Dec 10 18:44:04 warrior pluto[14997]: "rw-bblack"[2] 206.206.30.31 #5: Peer
ID is ID_DER_ASN1_DN: 'CN=me_at_domain.com'
Dec 10 18:44:04 warrior pluto[14997]: "rw-bblack"[2] 206.206.30.31 #5:
Issuer CA certificate not found
Dec 10 18:44:04 warrior pluto[14997]: "rw-bblack"[2] 206.206.30.31 #5: X.509
certificate rejected
Dec 10 18:44:04 warrior pluto[14997]: "rw-bblack"[2] 206.206.30.31 #5: sent
MR3, ISAKMP SA established
Dec 10 18:44:05 warrior pluto[14997]: "rw-bblack"[2] 206.206.30.31 #5:
retransmitting in response to duplicate packet; already STATE_MAIN_R3
Dec 10 18:44:05 warrior pluto[14997]: "rw-bblack"[2] 206.206.30.31 #5:
Informational Exchange message for an established ISAKMP SA must be
encrypted

Dec 10 18:45:23 warrior pluto[14997]: packet from 206.206.30.31:500:
ignoring Vendor ID payload
Dec 10 18:45:23 warrior pluto[14997]: "rw-bblack"[2] 206.206.30.31 #6:
responding to Main Mode from unknown peer 206.206.30.31
Dec 10 18:45:26 warrior pluto[14997]: "rw-bblack"[2] 206.206.30.31 #6:
ignoring informational payload, type IPSEC_INITIAL_CONTACT
Dec 10 18:45:26 warrior pluto[14997]: "rw-bblack"[2] 206.206.30.31 #6: Peer
ID is ID_DER_ASN1_DN: 'CN=me_at_domain.com'
Dec 10 18:45:26 warrior pluto[14997]: "rw-bblack"[2] 206.206.30.31 #6:
Issuer CA certificate not found
Dec 10 18:45:26 warrior pluto[14997]: "rw-bblack"[2] 206.206.30.31 #6: X.509
certificate rejected
Dec 10 18:45:26 warrior pluto[14997]: "rw-bblack"[2] 206.206.30.31 #6: sent
MR3, ISAKMP SA established
Dec 10 18:45:27 warrior pluto[14997]: "rw-bblack"[2] 206.206.30.31 #6:
retransmitting in response to duplicate packet; already STATE_MAIN_R3
Dec 10 18:45:27 warrior pluto[14997]: "rw-bblack"[2] 206.206.30.31 #6:
Informational Exchange message for an established ISAKMP SA must be
encrypted

Sentinel IKE log (lots of stuff snipped):

DEBUG: 0.0.0.0:500 (Initiator) <-> 111.112.113.114:500 { 5f8300df 3c000003 -
73d326d1 1d12ae36 [-1] / 0x00000000 } IP; Decoded ID =
fqdn(any:0,[0..19]=warrior.domain.com)
: SPD: Can not determine per-rule trusted CA root set for remote identity
fqdn(any:0,[0..19]=warrior.domain.com). Using only globally trusted roots.
DEBUG: 0.0.0.0:500 (Initiator) <-> 111.112.113.114:500 { 5f8300df 3c000003 -
73d326d1 1d12ae36 [-1] / 0x00000000 } IP; No public key found
: Phase-1 [initiator] between der_asn1_dn(udp:500,[0..27]=CN=me_at_domain.com)
and ipv4(udp:500,[0..3]=111.112.113.114) failed; Authentication failed.
DEBUG: 0.0.0.0:500 (Initiator) <-> 111.112.113.114:500 { 5f8300df 3c000003 -
73d326d1 1d12ae36 [-1] / 0x00000000 } IP; Error = Authentication failed (24)

I have followed the instructions from the SSH Sentinel FreeSWAN documents as
well as the HOWTO by Nadeem Hasan:

  http://www.nadmm.com/show.php?story=articles/vpn.inc

My current set-up is based on Nadeem's work, except that I kept the certs in
PEM format.

I have a copy of the FreeSWAN Gateway certificate in /etc/x509cert.der
I have the cacert.pem in /etc/ipsec.d/cacerts
I have the FreeSWAN cert in /etc/ipsec.d/certs/ <-- should this be in
/etc/ipsec.d/???
I have a CRL in /etc/ipsec.d/crls/
I have the FreeSWAN private key in /etc/ipsec.d/private
I even tried putting the cert for me_at_domain.com (the cert I requested in
SSH) in /etc/ipsec.d/certs. When I run the #ipsec auto --listall it shows up
in the available certs and private keys.

When I restart ipsec and view /var/log/secure it all starts up great.

I have checked rp_filter and ip_forward; they are in order.

I created a key with SSH Sentinel and signed it with my CA then provided the
CA cert and signed SSH Sentinel cert back to SSH Sentinel per Nadeem's
HOWTO.

I would like to complete this project and move on with life! This is cool
stuff though. Does anyone have advice on getting the SA working? My ipsec.config
is set up according to Nadeem's info as well. Like I said, the diagnostics in
SSH Sentinel all check out; it craps out when I try to establish a real
connection.

Bruce

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
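The pluto excerpt above is hard to read because the mail client wrapped every record onto two lines, and the interesting pattern is that the responder logs "Issuer CA certificate not found" and "X.509 certificate rejected" for the peer's DN and then still reports "ISAKMP SA established", while the fatal error ("No public key found") appears only on the Sentinel side. The following script is an added example (not part of the original post and not FreeSWAN code) that re-joins wrapped pluto records, groups them by connection and SA number, and states for each SA which certificate-trust failures were logged and whether the exchange completed anyway. The sample log is constructed to mirror the shape of the excerpt; host name, PID, addresses and DNs are placeholders.

```python
"""Triage FreeSWAN pluto log lines for X.509 peer-certificate failures.

Added example, not part of the original post and not FreeSWAN code. The sample
records below are constructed to mirror the shape of the /var/log/secure
excerpt in the message; host name, PID, peer address and DN are placeholders.
"""
import re

# "<Mon dd HH:MM:SS> <host> pluto[<pid>]: <rest>"
PLUTO_RE = re.compile(
    r'^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ pluto\[\d+\]: (?P<rest>.*)$')
# '"<conn>"[<instance>] <peer> #<sa>: <message>'  (the [instance] suffix is optional)
CONN_RE = re.compile(
    r'^"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
PEER_ID_RE = re.compile(r"^Peer ID is (?P<kind>\S+): '(?P<value>[^']*)'$")

# Substrings pluto emits when the peer's certificate cannot be chained to a
# CA certificate in /etc/ipsec.d/cacerts (both appear in the log above).
CERT_FAILURE_MARKERS = (
    "Issuer CA certificate not found",
    "X.509 certificate rejected",
)

def join_wrapped_records(lines):
    """Re-join records that a mail client wrapped onto two lines: a line that
    does not start with the pluto prefix is treated as a continuation."""
    records = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if PLUTO_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] = records[-1] + " " + line
    return records

def triage(lines):
    """Group records by (connection, peer, SA number). For each SA record the
    announced Peer ID, any certificate-trust failures, and whether pluto went
    on to report the ISAKMP SA as established anyway."""
    sas = {}
    for rec in join_wrapped_records(lines):
        m = PLUTO_RE.match(rec)
        if not m:
            continue
        c = CONN_RE.match(m.group("rest"))
        if not c:
            continue  # e.g. "packet from ...: ignoring Vendor ID payload"
        key = (c["conn"], c["peer"], int(c["sa"]))
        entry = sas.setdefault(
            key, {"peer_id": None, "failures": [], "established": False})
        msg = c["msg"]
        pid = PEER_ID_RE.match(msg)
        if pid:
            entry["peer_id"] = (pid["kind"], pid["value"])
        entry["failures"].extend(mk for mk in CERT_FAILURE_MARKERS if mk in msg)
        if "ISAKMP SA established" in msg:
            entry["established"] = True
    return sas

def verdict(entry):
    """One-line reading of an SA entry for whoever is debugging the tunnel."""
    if not entry["failures"]:
        return "no certificate-trust problem logged on this SA"
    kind, value = entry["peer_id"] or ("?", "?")
    line = f"peer {kind} '{value}': " + ", ".join(sorted(set(entry["failures"])))
    if entry["established"]:
        line += (" (pluto still completed Main Mode, so the trust failure was "
                 "not fatal on this side; check the initiator's log for its "
                 "own failure)")
    return line

# Constructed sample in the wrapped form seen in the mail, not real log data.
SAMPLE_LOG = """\
Dec 10 18:44:02 gw pluto[12345]: packet from 192.0.2.10:500:
ignoring Vendor ID payload
Dec 10 18:44:02 gw pluto[12345]: "rw-example"[2] 192.0.2.10 #5:
responding to Main Mode from unknown peer 192.0.2.10
Dec 10 18:44:04 gw pluto[12345]: "rw-example"[2] 192.0.2.10 #5: Peer
ID is ID_DER_ASN1_DN: 'CN=client@example.com'
Dec 10 18:44:04 gw pluto[12345]: "rw-example"[2] 192.0.2.10 #5:
Issuer CA certificate not found
Dec 10 18:44:04 gw pluto[12345]: "rw-example"[2] 192.0.2.10 #5: X.509
certificate rejected
Dec 10 18:44:04 gw pluto[12345]: "rw-example"[2] 192.0.2.10 #5: sent
MR3, ISAKMP SA established
Dec 10 18:50:00 gw pluto[12345]: "rw-other"[1] 192.0.2.20 #7: Peer
ID is ID_DER_ASN1_DN: 'CN=ok@example.com'
Dec 10 18:50:00 gw pluto[12345]: "rw-other"[1] 192.0.2.20 #7: sent
MR3, ISAKMP SA established
"""

if __name__ == "__main__":
    for (conn, peer, sa), entry in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        print(f'"{conn}" {peer} #{sa}: {verdict(entry)}')
```

Run it against a real /var/log/secure with `triage(open(path).read().splitlines())`; on an unwrapped syslog file the re-joining step is a no-op. The marker strings are matched as substrings of the message part only, so the prefix fields (host, PID, connection name) cannot produce false hits.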



This archive was generated by hypermail 2.1.5 : Thu Dec 12 2002 - 05:21:05 CET