+Subject Change

Thanks Paul for the response.

1] Moved from self-signed certificates to CA-signed certificates.
2] PFA updated ipsec.conf.

With this couple of changes, able to establish host-host (left-right) tunnel with certificates as authentication mechanism. However now trying to bring up "authenticated OE" between these two hosts. PFA corresponding configuration for "authenticated OE" (oe-certificate.conf). Also ensured that 10.77.123.0/24 was added to "private-or-clear" under policies folder.

Once after bringing up ipsec, it was throwing following error (pluto.log):

Nov 30 23:14:21: loading group "/etc/ipsec.d/policies/private-or-clear"
Nov 30 23:14:22: "private-or-clear#10.77.123.0/24"[1] ...10.77.123.171 #1: private-or-clear#10.77.123.0/24 IKE proposals for initial initiator (selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536 (default)
Nov 30 23:14:22: "private-or-clear#10.77.123.0/24"[1] ...10.77.123.171 #1: Failed to find our RSA key
Nov 30 23:14:29: packet from 10.77.123.171:500: sending unencrypted notification v2N_INVALID_IKE_SPI to 10.77.123.171:500
Nov 30 23:14:29: packet from 10.77.123.171:500: sending unencrypted notification v2N_INVALID_IKE_SPI to 10.77.123.171:500
Nov 30 23:14:29: packet from 10.77.123.171:500: sending unencrypted notification v2N_INVALID_IKE_SPI to 10.77.123.171:500

When trying to initiate traffic, it was throwing the following error on console:

[root@CENTOS-172 ipsec.d]# ping 10.77.123.171
connect: Operation not permitted
[root@CENTOS-172 ipsec.d]# ssh 10.77.123.171
ssh: connect to host 10.77.123.171 port 22: Operation not permitted

Can you please validate oe-certificate.conf and let us know for any needed changes!!!?

BTW, we were still using libreswan 3.20.

-Regards,
Kesav.

-----Original Message-----
From: Paul Wouters [mailto:[email protected]]
Sent: Thursday, November 30, 2017 7:28 PM
To: Kesava Vunnava (kesriniv) <[email protected]>
Cc: [email protected]
Subject: Re: [Swan] host-host tunnel using Certificates !

On Thu, 30 Nov 2017, Kesava Vunnava (kesriniv) wrote:

> Trying to UP host-host tunnel using libreswan (Linux Libreswan 3.20
> (netkey) on 3.10.0-514.26.2.el7.x86_64 ) over CENTOS using
> Certificates as authentication mechanism. Before this able to test
> "preshared key", "unauthenticated OE" and both of them works fine.

I didn't know PSK worked. We don't really test/recommend it because sharing your key with all nodes basically gives the same security as authnull (in case of a single node compromise that leaks the PSK)

> With Certificates, pluto was throwing following error:
> 133 "test" #2: STATE_PARENT_I1: sent v2I1, expected v2R1
> 003 "test" #2: Failed to find our RSA key

We had a few releases where there was confusion about the ipsec.secret entry being needed or not for RSA/certs. Could you re-test this with 3.22. You can find rpms on download.libreswan.org/binaries/rhel/7/

> 1] Generated self-signed certificates on both the hosts.

There was also a bug introduced a few versions ago that would cause NSS to reject all self-signed certs without a CA. So please do try 3.22.

But note, the whole idea of using certificates is that you don't hardcode any certs, and use a common CA for trust, so you should really not be using self-signed certs for this, but generate these from a single CA and install the CA everywhere. The easiest is to generate PKCS#12 (.p12) files and import these using "ipsec import".

Paul
oe-certificate.conf
Description: oe-certificate.conf
ipsec.conf
Description: ipsec.conf
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
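The pluto.log excerpt in the mail above shows the IKE proposals pluto offered and then "Failed to find our RSA key". As an added example (not code from this thread or from libreswan), the Python below parses that proposal line into structured form and runs the checks a reviewer would apply to it: AEAD ciphers must pair with INTEG=NONE, MODP groups below 2048 bits and SHA1/MD5-based PRF or integrity algorithms get flagged, and the missing-key message is reported separately. The weak/legacy sets and the leftcert/NSS hint are my assumptions, not libreswan's own classification.

```python
import re

PLUTO_LOG = [  # constructed sample: the two relevant pluto.log lines quoted in the mail above
    'Nov 30 23:14:22: "private-or-clear#10.77.123.0/24"[1] ...10.77.123.171 #1: '
    'private-or-clear#10.77.123.0/24 IKE proposals for initial initiator (selecting KE): '
    '1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192 '
    '2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192 '
    '3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536 '
    '4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536 (default)',
    'Nov 30 23:14:22: "private-or-clear#10.77.123.0/24"[1] ...10.77.123.171 #1: Failed to find our RSA key',
]

# One proposal reads "<n>:IKE:KEY=v1,v2;KEY=v3;..."; each value list ends at the next space.
PROPOSAL_RE = re.compile(r"(\d+):IKE:([A-Z]+=[A-Z0-9_,]+(?:;[A-Z]+=[A-Z0-9_,]+)*)")
WEAK_DH = {"MODP768", "MODP1024", "MODP1536"}  # assumption: MODP groups below 2048 bits
LEGACY_HASH = {"HMAC_SHA1", "HMAC_SHA1_96", "HMAC_MD5", "HMAC_MD5_96"}  # assumption

def parse_proposals(line):
    # One dict per proposal: {"num": 1, "ENCR": [...], "PRF": [...], "INTEG": [...], "DH": [...]}
    props = []
    for num, body in PROPOSAL_RE.findall(line):
        prop = {"num": int(num)}
        for part in body.split(";"):
            key, vals = part.split("=", 1)
            prop[key] = vals.split(",")
        props.append(prop)
    return props

def audit_proposals(props):
    # Flag algorithm choices a reviewer would want a second look at.
    findings = []
    for p in props:
        aead = any(tag in e for e in p["ENCR"] for tag in ("GCM", "CCM", "CHACHA20"))
        # AEAD ciphers carry their own integrity, so INTEG must be NONE there and only there.
        if aead != (p["INTEG"] == ["NONE"]):
            findings.append(f"proposal {p['num']}: INTEG does not match cipher type")
        for dh in sorted(WEAK_DH & set(p["DH"])):
            findings.append(f"proposal {p['num']}: weak DH group {dh}")
        for h in sorted(LEGACY_HASH & (set(p["PRF"]) | set(p["INTEG"]))):
            findings.append(f"proposal {p['num']}: legacy hash {h} still offered")
    return findings

def triage(log_lines):
    props, findings, rsa_missing = [], [], False
    for line in log_lines:
        if "IKE proposals" in line:
            props = parse_proposals(line)
            findings += audit_proposals(props)
        if "Failed to find our RSA key" in line:
            rsa_missing = True  # pluto could not load its own key/cert: check leftcert= and the NSS db
    return {"proposals": props, "findings": findings, "rsa_key_missing": rsa_missing}
```

Running triage(PLUTO_LOG) on the excerpt reports the missing key plus MODP1536 in proposals 3 and 4 and HMAC_SHA1 offered in every proposal.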
