Re: [Swan] private key for cert Thor not found in local cache; loading from NSS DB

2018-10-08 Thread rayv33n
oad
(39:ISAKMP_NEXT_v2AUTH)
Oct  8 11:04:08.128688: | *emit IKEv2 Authentication Payload:
Oct  8 11:04:08.128694: |auth method: IKEv2_AUTH_RSA (0x1)
Oct  8 11:04:08.128697: | next payload type: saving payload location 'IKEv2
Authentication Payload'.'next payload type'
Oct  8 11:04:08.128818: | private key for cert ipsechost1 not found in
local cache; loading from NSS DB
Oct  8 11:04:08.132511: | emitting 256 raw bytes of rsa signature into
IKEv2 Authentication Payload
Oct  8 11:04:08.132565: | emitting length of IKEv2 Authentication Payload:
264
Oct  8 11:04:08.132619: | next payload type: previous 'IKEv2 Authentication
Payload'.'next payload type' matches 'IKEv2 Security Association Payload'
(33:ISAKMP_NEXT_v2SA)
Oct  8 11:04:08.132835: |IKEv2 transform ID: AUTH_HMAC_SHA2_512_256
(0xe)
Oct  8 11:04:08.132852: |IKEv2 transform ID: AUTH_HMAC_SHA2_256_128
(0xc)
Oct  8 11:04:08.132980: |IKEv2 transform ID: AUTH_HMAC_SHA2_512_256
(0xe)
Oct  8 11:04:08.132997: |IKEv2 transform ID: AUTH_HMAC_SHA2_256_128
(0xc)
Oct  8 11:04:08.133097: |IKEv2 transform ID: AUTH_HMAC_SHA1_96 (0x2)
Oct  8 11:04:08.133277: |exchange type: ISAKMP_v2_AUTH (0x23)
Oct  8 11:04:08.133515: | out calculated auth:
Oct  8 11:04:08.133542: |exchange type: ISAKMP_v2_AUTH (0x23)
Oct  8 11:04:08.133773: | out calculated auth:
Oct  8 11:04:08.133800: |exchange type: ISAKMP_v2_AUTH (0x23)
Oct  8 11:04:08.134027: | out calculated auth:
Oct  8 11:04:08.134054: |exchange type: ISAKMP_v2_AUTH (0x23)
Oct  8 11:04:08.134226: | out calculated auth:
Oct  8 11:04:08.134267: | established-authenticated-ike states: 0
Oct  8 11:04:08.134272: | authenticated-ipsec states: 0
Oct  8 11:04:08.166428: |exchange type: ISAKMP_v2_AUTH (0x23)
Oct  8 11:04:08.166439: |  processing version=2.0 packet with exchange
type=ISAKMP_v2_AUTH (35)
Oct  8 11:04:08.166441: | I am receiving an IKEv2 Response ISAKMP_v2_AUTH
Oct  8 11:04:08.166456: | v2 state object #2 found, in STATE_PARENT_I2
Oct  8 11:04:08.166459: | found state #2
Oct  8 11:04:08.166489: | Unpacking clear payload for svm: Initiator:
process INVALID_SYNTAX AUTH notification
Oct  8 11:04:08.166654: | calculated auth:  4a b3 f9 8a  22 3d 39 7d  c6 16
5c 1a
Oct  8 11:04:08.166656: |   provided auth:  4a b3 f9 8a  22 3d 39 7d  c6 16
5c 1a
Oct  8 11:04:08.166659: | authenticator matched
Oct  8 11:04:08.166671: | #2 ikev2 ISAKMP_v2_AUTH decrypt success
Oct  8 11:04:08.166691: |Notify Message Type: v2N_AUTHENTICATION_FAILED
(0x18)
Oct  8 11:04:08.166696: | selected state microcode Initiator: process
AUTHENTICATION_FAILED AUTH notification
Oct  8 11:04:08.166701: | calling processor Initiator: process
AUTHENTICATION_FAILED AUTH notification
Oct  8 11:04:08.166706: "private#0.0.0.0/0"[1] ...13.57.200.87 #2: IKE SA
authentication request rejected: AUTHENTICATION_FAILED
Oct  8 11:04:08.166830: | v2 state object #1 found, in STATE_PARENT_I2
Oct  8 11:04:08.166836: | found state #1
Oct  8 11:04:08.166854: | no useful state microcode entry found
Oct  8 11:04:08.166976: | out calculated auth:
Oct  8 11:04:09.025208: | parent_init v2 state object not found
Oct  8 11:04:09.025506: | found policy =
RSASIG+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
(private#0.0.0.0/0)



On Mon, Oct 8, 2018 at 12:10 AM Nick Howitt  wrote:

> A bit of a sideways jump, but have you done the AWS set-up for elastic
> IPs?
> https://libreswan.org/wiki/Interoperability#The_elastic_IP_and_the_RFC1918_native_IP_address
>
> Nick
>
> On 08/10/2018 01:12, rayv33n wrote:
>
>
> Yes, sir. That actually helps me understand and confirm a few things. My
> lab setup has two hosts. Each host is in a different network routed through
> a firewall with no NAT. They work perfectly, creating SAs and having no
> problems. But when ipsechost01 tries to talk to the AWS instances, check out
> ipsechost01 to Thor (AWS), which is AWS NAT with ipsechost behind a
> firewall, also NAT.
>
> Feel free to give me example configs or anything else you want me to try;
> this is all lab stuff and I have time, so I can be your lab monkey.
>
> *This is ipsechost01 and ejbca working in OE action*
> 000 #1: "private#0.0.0.0/0"[1] ...192.168.57.3:500 STATE_PARENT_R2
> (received v2I2, PARENT SA established); EVENT_v2_SA_REPLACE_IF_USED_IKE in
> 3328s; newest ISAKMP; idle;
> 000 #2: "private#0.0.0.0/0"[1] ...192.168.57.3:500 STATE_V2_IPSEC_R
> (IPsec SA established); EVENT_v2_SA_REPLACE_IF_USED in 28528s; newest
> IPSEC; eroute owner; isakmp#1; idle;
> 000 #2: "private#0.0.0.0/0"[1] ...192.168.57.3 esp.84f01efa@192.168.57.3
> esp.67e30a4c@192.168.56.109 tun.0@192.168.57.3 tun.0@192.168.56.109 ref=0
> refhim=0 Traffic: ESPin=84B ESPout=84B! ESPmax=0B
> 000
>  logs from ejbca with ipsechost01 as source of connection
> Oct  7 17:02:27.658858: | returning

Re: [Swan] private key for cert Thor not found in local cache; loading from NSS DB

2018-10-07 Thread rayv33n
r: process
AUTHENTICATION_FAILED AUTH notification
Oct  7 16:42:43.310129: "private#0.0.0.0/0"[2] ...13.57.200.87 #4: IKE SA
authentication request rejected: AUTHENTICATION_FAILED
Oct  7 16:42:43.310241: | v2 state object #3 found, in STATE_PARENT_I2
Oct  7 16:42:43.310249: | found state #3
Oct  7 16:42:43.310266: | no useful state microcode entry found
Oct  7 16:42:46.289302: "private#0.0.0.0/0"[2] ...13.57.200.87 #4:
STATE_PARENT_I2: 3 second timeout exceeded after 0 retransmits.  Possible
authentication failure: no acceptable response to our first encrypted
message
Oct  7 16:42:46.289344: | OE: delete_state orphaning hold with failureshunt
drop (negotiation shunt would have been trap)
Oct  7 16:42:46.289346: | failureshunt == negotiationshunt, no replace
needed
Oct  7 16:42:46.289363: | add bare shunt 0x55f75a704a58 172.16.1.61/32:0
--0--> 13.57.200.87/32:0 => %drop 0oe-failing
Oct  7 16:42:46.289378: | No need to replace negotiation_shunt with
failure_shunt - they are the same
Oct  7 16:42:48.526882: | keeping recent bare shunt 0x55f75a704a58
172.16.1.61/32:0 --0--> 13.57.200.87/32:0 => %drop 0oe-failing

On Sun, Oct 7, 2018 at 2:50 PM Paul Wouters  wrote:

> On Sun, 7 Oct 2018, rayv33n wrote:
>
> > Followed all your suggestions and the connection information shows
> > that the oppo sees the IP addresses across the connection down to the
> > %fromcert. What's different this time is the +MS+S=C which I have no
> > idea what that is.
> > I blew away the /etc/ipsec.d/*.db and went back to the instructions on
> > how to create it.
>
> That string is a clumsy way to show identifications used, ignore it.
>
> > Oct  7 18:54:28.198237: | private key for cert Thor not found in local
> cache; loading from NSS DB
>
> I am still very confused about this. It is abnormal and other people
> don't run into this issue at all. So I am really trying to see what
> is different in your setup. Can you configure a static ip to ip
> connection with the same certificates? Does that work?
>
> Maybe try adding leftsendca=all ? Although the intermediary should
> not be needed since it appears in your NSS and is marked as trusted
> already. Perhaps you are missing some expected flags in the EKU or KU
> for NSS?
>
> > The regular config I have works if there is no NAT involved.
>
> So whether or not there is NAT should not affect the authentication at
> all?
>
> Paul
>


-- 
You are FREE to become a slave

Key ID: 9A452ABAA4593489
Finger Print: 7A8A 5849 ED44 52B1 0D8A EDAC 9A45 2ABA A459 3489
*Pub Key:*
http://pgp.mit.edu:11371/pks/lookup?search=rayv33n%40gmail.com=index
___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
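An added check, not from the thread or from libreswan, for the "private key for cert ... not found in local cache; loading from NSS DB" line and Paul's question about missing KU/EKU flags: it lists the NSS database libreswan reads, confirms the leftcert nickname carries the "u" (user) trust attribute that certutil shows only when the matching private key sits in the same database, and dumps the cert's key-usage extensions. It assumes the default /etc/ipsec.d database; the "ejbca-intermediate" nickname and the sample listing are constructed so the parsing can run without NSS.

```shell
#!/bin/sh
# Added example (not from the thread or libreswan): sanity-check the NSS DB
# behind leftcert=. Assumes the default database directory /etc/ipsec.d.

# Pull the trust-attribute column for nickname $2 out of "certutil -L" output
# passed as $1. Data rows end in a "SSL,S/MIME,JAR/XPI" triple such as
# "u,u,u" or "CT,,"; header rows do not, so they are skipped.
nss_trust_flags() {
  printf '%s\n' "$1" | awk -v nick="$2" '
    NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
      flags = $NF
      name = substr($0, 1, length($0) - length(flags))
      sub(/[ \t]+$/, "", name)            # nicknames may contain spaces
      if (name == nick) { print flags; exit }
    }'
}

# "u" in any column means NSS found a private key for this certificate.
nss_has_private_key() {
  case "$1" in *u*) return 0 ;; *) return 1 ;; esac
}

# Live checks against a database; $1 = nickname, $2 = NSS dir (optional).
check_leftcert() {
  db="sql:${2:-/etc/ipsec.d}"
  listing=$(certutil -L -d "$db") || return 2
  flags=$(nss_trust_flags "$listing" "$1")
  [ -n "$flags" ] || { echo "no certificate nicknamed '$1' in $db"; return 1; }
  if nss_has_private_key "$flags"; then
    echo "'$1' ($flags): private key present in $db"
  else
    echo "'$1' ($flags): no private key in $db; re-import the PKCS#12 with pk12util"
    return 1
  fi
  # Show KU and EKU so missing usage bits are visible (grep -A is GNU grep).
  certutil -L -d "$db" -n "$1" | grep -i -A3 'Key Usage'
}

# Constructed sample in certutil -L format: "Thor" as in the thread, plus a
# hypothetical CA nickname, so the parser can be exercised offline.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Thor                                                         u,u,u
ejbca-intermediate                                           CT,,
'

if [ $# -gt 0 ]; then check_leftcert "$@"; fi
```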