And I notice when I go back to my old certs that were working, I can see the RSA public key in the ipsec auto --listall output. I wonder, if anyone knows, why does the cert not come across the line when I'm using the new configuration? If I look at the logs, I see that it doesn't work, but I don't understand why.
At the end is output from back using old certs. Any ideas what I did wrong with new certs? V/r, Bryan [root@left:/home/blharris/old] $ ipsec auto --listall 000 000 List of RSA Public Keys: 000 000 Sep 23 11:54:58 2016, 2048 RSA Key AwEAAbF89 (no private key), until Sep 19 13:08:55 2018 ok 000 ID_DER_ASN1_DN 'C=US, ST=South Carolina, CN=right' 000 Issuer 'C=US, ST=South Carolina, O=Internet Widgits Pty Ltd, OU=TESTOU, CN=TESTCA' 000 Sep 23 11:54:45 2016, 2048 RSA Key AwEAAcjXy (has private key), until Sep 19 12:46:35 2018 ok 000 ID_DER_ASN1_DN 'C=US, ST=South Carolina, CN=left' 000 Issuer 'C=US, ST=South Carolina, O=Internet Widgits Pty Ltd, OU=TESTOU, CN=TESTCA' 000 000 List of Pre-shared secrets (from /etc/ipsec.secrets) 000 000 1: RSA (none) (none) 000 000 List of X.509 End Certificates: 000 000 End certificate "left" - SN: 0x00c3b4676c01b766f5 000 subject: C=US, ST=South Carolina, CN=left 000 issuer: C=US, ST=South Carolina, O=Internet Widgits Pty Ltd, OU=TESTOU, CN=TESTCA 000 not before: Mon Sep 19 16:46:35 2016 000 not after: Wed Sep 19 16:46:35 2018 000 2048 bit RSA: has private key 000 000 List of X.509 CA Certificates: 000 000 Root CA certificate "TESTCA - Internet Widgits Pty Ltd" - SN: 0x00aaed2e58bc4b16bc 000 subject: C=US, ST=South Carolina, O=Internet Widgits Pty Ltd, OU=TESTOU, CN=TESTCA 000 issuer: C=US, ST=South Carolina, O=Internet Widgits Pty Ltd, OU=TESTOU, CN=TESTCA 000 not before: Fri Sep 16 18:49:06 2016 000 not after: Sat Sep 16 18:49:06 2017 000 1024 bit RSA 000 000 List of CRLs: On Fri, Sep 23, 2016 at 10:32 AM, Bryan Harris <[email protected]> wrote: > Hi folks, > > I wonder if you could help me troubleshoot what I'm doing wrong here. > I've been able to follow this file to get a working configuration with x509 > certs signed by a common CA in the past: > /usr/share/doc/libreswan-3.15/README.nss. > > > So next I decided to follow the OpenSSL Cookbook by Ivan Ristic so I can > learn a little about ocsp. Using root/sub-CA was just a bonus. > > Any help is of course appreciated. For some reason it worked when I just > had a single CA and now it's not working. > > I thought I had everything set properly (I loaded both root and sub-CA > into p12 file) but my tunnel gives me the following message when I try to > bring it up (the message is always the OTHER side saying this). > > Sep 23 09:41:43 right pluto[7337]: loading secrets from > "/etc/ipsec.secrets" > Sep 23 09:41:43 right pluto[7337]: loading secrets from > "/etc/ipsec.d/right.secrets" > Sep 23 09:41:43 right pluto[7337]: loaded private key for keyid: > PPK_RSA:AwEAAb1Bx > Sep 23 09:41:57 right pluto[7337]: packet from 192.168.122.7:500: > received Vendor ID payload [Dead Peer Detection] > Sep 23 09:41:57 right pluto[7337]: packet from 192.168.122.7:500: > received Vendor ID payload [FRAGMENTATION] > Sep 23 09:41:57 right pluto[7337]: packet from 192.168.122.7:500: > received Vendor ID payload [RFC 3947] > Sep 23 09:41:57 right pluto[7337]: packet from 192.168.122.7:500: > ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] > Sep 23 09:41:57 right pluto[7337]: packet from 192.168.122.7:500: > ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] > Sep 23 09:41:57 right pluto[7337]: packet from 192.168.122.7:500: > ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] > Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: enabling possible > NAT-traversal with method RFC 3947 (NAT-Traversal) > Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: responding to Main Mode > Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: transition from state > STATE_MAIN_R0 to state STATE_MAIN_R1 > Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: STATE_MAIN_R1: sent MR1, > expecting MI2 > Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: NAT-Traversal: Result > using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected > Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: transition from state > STATE_MAIN_R1 to state STATE_MAIN_R2 > Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: STATE_MAIN_R2: sent MR2, > expecting MI3 > Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: Main mode peer ID is > ID_DER_ASN1_DN: 'C=GB, O=Example, CN=left' > Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: no RSA public key known > for 'C=GB, O=Example, CN=left' > Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: sending encrypted > notification INVALID_KEY_INFORMATION to 192.168.122.7:500 > Sep 23 09:41:58 right pluto[7337]: "mytunnel" #1: Main mode peer ID is > ID_DER_ASN1_DN: 'C=GB, O=Example, CN=left' > Sep 23 09:41:58 right pluto[7337]: "mytunnel" #1: no RSA public key known > for 'C=GB, O=Example, CN=left' > Sep 23 09:41:58 right pluto[7337]: "mytunnel" #1: sending encrypted > notification INVALID_KEY_INFORMATION to 192.168.122.7:500 > Sep 23 09:41:58 right pluto[7337]: "mytunnel" #1: Main mode peer ID is > ID_DER_ASN1_DN: 'C=GB, O=Example, CN=left' > Sep 23 09:41:58 right pluto[7337]: "mytunnel" #1: no RSA public key known > for 'C=GB, O=Example, CN=left' > > This is all on RHEL 6 and here are some of my configurations. I can send > out more if needed. > > [root@left:/home/blharris] > $ cat /etc/ipsec.d/left.secrets ### The RIGHT side is similar > : RSA "left" > > [root@left:/home/blharris] > $ cat /etc/ipsec.d/host2host.conf ### The RIGHT side is similar > > conn mytunnel > left=192.168.122.7 > leftid="C=GB, O=Example, CN=left" > leftrsasigkey=%cert > leftcert="left" > right=192.168.122.8 > rightid="C=GB, O=Example, CN=right" > rightrsasigkey=%cert > auto=add > > [root@left:/home/blharris] > $ openssl x509 -in left.crt -noout -subject > subject= /C=GB/O=Example/CN=left > > [root@left:/home/blharris] > $ certutil -L -d sql:/etc/ipsec.d/ > > Certificate Nickname Trust > Attributes > > SSL,S/MIME,JAR/XPI > > left u,u,u > Root CA - Example CT,, > Sub CA - Example CT,, > > I'm not sure if this next one is supposed to list the x509 from the other > side? > > [root@left:/home/blharris] > $ ipsec auto --listall > 000 > 000 List of RSA Public Keys: > 000 > 000 Sep 23 10:16:17 2016, 2048 RSA Key AwEAAbNLY (has private key), until > Sep 23 07:59:32 2017 ok > 000 ID_DER_ASN1_DN 'C=GB, O=Example, CN=left' > 000 Issuer 'C=GB, O=Example, CN=Sub CA' > 000 > 000 List of Pre-shared secrets (from /etc/ipsec.secrets) > 000 > 000 1: RSA (none) (none) > 000 > 000 List of X.509 End Certificates: > 000 > 000 End certificate "left" - SN: 0x008a878064b67f70a2e343f7d42d0ae365 > 000 subject: C=GB, O=Example, CN=left > 000 issuer: C=GB, O=Example, CN=Sub CA > 000 not before: Fri Sep 23 11:59:32 2016 > 000 not after: Sat Sep 23 11:59:32 2017 > 000 2048 bit RSA: has private key > 000 > 000 List of X.509 CA Certificates: > 000 > 000 Root CA certificate "Root CA - Example" - SN: > 0x00ab3e40667df73692f3df545d9f01a9cf > 000 subject: C=GB, O=Example, CN=Root CA > 000 issuer: C=GB, O=Example, CN=Root CA > 000 not before: Thu Sep 22 17:07:28 2016 > 000 not after: Sun Sep 20 17:07:28 2026 > 000 4096 bit RSA > 000 > 000 CA certificate "Sub CA - Example" - SN: 0x00ab3e40667df73692f3df545d9f > 01a9d1 > 000 subject: C=GB, O=Example, CN=Sub CA > 000 issuer: C=GB, O=Example, CN=Root CA > 000 not before: Fri Sep 23 11:25:13 2016 > 000 not after: Mon Sep 21 11:25:13 2026 > 000 4096 bit RSA > 000 > 000 List of CRLs: > > And in case it helps here is what one of the text of the certs looks like. > > [root@left:/home/blharris] > $ openssl x509 -in left.crt -noout -text > Certificate: > Data: > Version: 3 (0x2) > Serial Number: > 8a:87:80:64:b6:7f:70:a2:e3:43:f7:d4:2d:0a:e3:65 > Signature Algorithm: sha256WithRSAEncryption > Issuer: C=GB, O=Example, CN=Sub CA > Validity > Not Before: Sep 23 11:59:32 2016 GMT > Not After : Sep 23 11:59:32 2017 GMT > Subject: C=GB, O=Example, CN=left > Subject Public Key Info: > Public Key Algorithm: rsaEncryption > Public-Key: (2048 bit) > Modulus: > 00:b3:4b:62:84:0a:21:12:4f:2a:2f:41:8e:f4:07: > 0a:75:92:62:d8:44:4f:4d:42:b5:7f:c9:63:b7:55: > c3:d8:e6:ba:8b:07:af:cc:93:a6:a9:fc:91:d9:15: > 4c:80:bc:94:1f:23:db:96:72:00:ce:5a:73:bf:23: > 32:42:08:24:9b:bb:4a:0c:e1:34:e9:78:a3:05:03: > b8:cd:1c:61:37:4a:c2:d0:30:bc:22:21:8b:1b:b2: > d9:7b:42:92:c7:f8:8d:8f:dc:52:a0:4f:da:f1:f0: > 99:f0:27:71:84:2b:a5:a3:4e:c2:7e:e8:16:c2:de: > 4a:a6:b5:66:ec:d2:b5:01:b5:f3:f8:23:6c:d6:5d: > 75:40:89:65:d3:91:52:11:41:2f:54:1e:fc:be:33: > 55:5e:48:d7:00:0a:c0:d7:cb:97:69:c6:f4:95:d1: > 55:36:fd:95:1a:db:ab:ae:a4:13:df:a5:f0:db:12: > 9a:53:e6:ac:06:d0:0d:28:15:0a:dd:14:17:0c:62: > 08:d7:2e:2b:f7:46:0a:bd:a0:f4:84:dd:07:72:77: > 8c:3c:d7:a1:42:6f:95:52:9a:4e:3f:36:41:20:0f: > 79:cb:7e:b7:c4:39:e1:32:3a:67:cd:24:62:cb:8b: > 33:ae:ef:ea:4e:f1:4c:ca:e1:78:3e:09:a4:b2:6d: > 5e:01 > Exponent: 65537 (0x10001) > X509v3 extensions: > Authority Information Access: > CA Issuers - URI:http://sub-ca.example.com/sub-ca.crt > OCSP - URI:http://ocsp.sub-ca.example.com:9081 > > X509v3 Authority Key Identifier: > keyid:49:F8:A3:3D:60:FE:5B:75: > 17:C3:30:EC:C3:A7:36:0F:40:B1:EC:08 > > X509v3 Basic Constraints: critical > CA:FALSE > X509v3 CRL Distribution Points: > > Full Name: > URI:http://sub-ca.example.com/sub-ca.crl > > X509v3 Extended Key Usage: > TLS Web Client Authentication, TLS Web Server > Authentication > X509v3 Key Usage: critical > Digital Signature, Key Encipherment > X509v3 Subject Key Identifier: > DC:EE:FF:E0:4F:E9:8E:D8:0F:06: > E7:A0:D4:AF:6B:24:3C:60:5B:2E > Signature Algorithm: sha256WithRSAEncryption > 3d:b0:ce:2b:9d:80:83:4f:2d:aa:a3:22:61:3d:60:87:00:73: > b3:32:dc:58:b1:19:14:70:8c:9e:74:f1:22:4f:f1:15:ff:54: > 9d:53:bf:c3:23:05:53:77:0e:fd:7b:50:b8:58:a9:06:72:5b: > 40:02:d8:f4:26:32:c4:6f:56:1d:6b:22:8d:e4:1d:76:6c:05: > a0:64:7c:69:32:23:b1:08:57:17:44:61:4e:40:45:0d:13:f0: > 6b:4e:12:81:a9:09:47:58:4c:fa:54:b2:ab:b9:41:78:58:b8: > 88:14:dc:e8:ae:95:f7:d3:e1:02:f8:51:60:ac:7f:f7:10:43: > 6f:17:39:33:41:e2:1c:9b:a7:a5:32:c2:23:37:6c:b2:fe:c3: > 03:4a:87:3f:77:1b:f7:da:26:84:c4:00:48:d1:f8:67:1e:3c: > 26:8e:75:a5:81:b2:c0:65:e5:24:b5:75:a6:8b:fe:e8:45:f6: > d5:5a:80:c3:65:9b:73:96:77:5b:5c:8b:9a:e8:08:6c:a8:79: > 9d:b1:6b:3a:d2:a2:b5:c1:35:15:54:39:b3:19:3e:59:57:96: > f7:0c:5c:a1:5e:0c:5d:ec:87:72:67:81:8f:75:c3:c7:f9:41: > 12:08:96:6b:9d:dc:c0:3e:fc:3c:26:14:d7:fc:cf:5a:aa:92: > d1:28:b2:16:b6:4b:5f:c8:2e:b6:bd:7b:b6:d3:72:34:01:a3: > ae:3f:1e:34:f4:a1:9d:14:22:8c:c8:88:94:e8:19:19:ed:b4: > ea:69:96:0b:83:f2:80:45:e9:eb:40:23:bb:a8:b5:d5:f3:08: > 56:b1:ba:b9:c9:e8:82:82:0a:86:bb:12:7d:49:a0:48:e7:a4: > 6d:c8:07:87:ef:b2:8b:e3:4c:3c:f5:d2:4b:74:c3:5d:2c:10: > 45:f2:66:ba:44:b6:fc:88:76:1a:96:77:a8:e4:c9:91:ed:71: > 00:90:05:91:cf:0f:b3:24:a6:76:85:2c:e5:6e:31:de:a1:00: > fc:34:b4:cf:f4:04:0d:34:df:92:f4:a6:1e:c8:89:7d:d2:1e: > 60:ae:a5:2a:ab:59:1e:d5:b9:e6:0a:38:51:7e:1b:85:2c:e6: > fb:5c:9d:fb:bc:9d:5e:52:c3:fb:4c:cf:47:4e:0e:c8:58:eb: > 95:77:83:b1:60:69:32:3b:cb:21:f0:1c:05:67:fc:d1:05:1d: > 46:cb:6b:6a:5f:d6:e4:15:9c:27:e4:a5:f8:74:79:c3:5c:8b: > b6:dd:44:47:a8:ee:44:64:64:ee:6f:9d:8b:0b:79:77:49:5e: > a5:d8:b9:be:19:d0:d4:a5:36:c8:e7:b1:20:05:f9:1a:9a:1d: > e5:8d:43:4b:b7:c2:73:48 > > Thanks in advance. > > V/r, > Bryan >
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
