On Fri, 1 Dec 2017, Kesava Vunnava (kesriniv) wrote:
> 1] Moved from self-signed certificates to CA-signed certificates.
> 2] PFA updated ipsec.conf.
> With these couple of changes, I was able to establish a host-to-host (left-right) tunnel
> with certificates as the authentication mechanism.
> However, I am now trying to bring up "authenticated OE" between these two hosts. PFA the corresponding
> configuration for "authenticated OE" (oe-certificate.conf). I also ensured that 10.77.123.0/24 was
> added to "private-or-clear" under the policies folder.
> After bringing up ipsec, it was throwing the following error (pluto.log):
> Nov 30 23:14:21: loading group "/etc/ipsec.d/policies/private-or-clear"
> Nov 30 23:14:22: "private-or-clear#10.77.123.0/24"[1] ...10.77.123.171 #1:
> private-or-clear#10.77.123.0/24 IKE proposals for initial initiator (selecting KE):
> 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192
> 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192
> 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536
> 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536
> (default)
> Nov 30 23:14:22: "private-or-clear#10.77.123.0/24"[1] ...10.77.123.171 #1:
> Failed to find our RSA key
You can try adding to ipsec.secrets:

: RSA "CENTOS-171"

Maybe also check ipsec auto --listall to see if the cert and "has private key" show up properly?

Note that private-or-clear should have failureshunt=passthrough, but that is not your current problem.
> When trying to initiate traffic, it was throwing the following error on the
> console:
> [root@CENTOS-172 ipsec.d]# ping 10.77.123.171
> connect: Operation not permitted
Because the missing failure shunt isn't installed, your packets are getting blocked.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
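Putting Paul's two points together, here is an added example (not the attached oe-certificate.conf, nor anything from the libreswan project) of what the ipsec.secrets entry and an authenticated-OE private-or-clear connection could look like. The certificate nickname CENTOS-171 is taken from the log above; the file paths, the CA handling and the shunt settings are assumptions.

```ini
# /etc/ipsec.secrets (added example; only the line pluto asked for is shown)
# The nickname must match the NSS certificate nickname used by leftcert below,
# otherwise pluto logs "Failed to find our RSA key" as in the thread.
: RSA "CENTOS-171"

# /etc/ipsec.d/oe-certificate.conf (added example, not the attached file)
conn private-or-clear
    # Authenticated OE: both ends present CA-signed certificates.
    authby=rsasig
    left=%defaultroute
    leftcert=CENTOS-171        # NSS nickname; ": RSA" line above must match it
    leftid=%fromcert
    leftrsasigkey=%cert
    # Peers are taken from /etc/ipsec.d/policies/private-or-clear
    # (where 10.77.123.0/24 was added).
    right=%opportunisticgroup
    rightid=%fromcert
    rightrsasigkey=%cert
    auto=ondemand
    # Hold packets while IKE is negotiating; if the peer never answers,
    # fall back to cleartext. Without a passthrough failure shunt the
    # packets are blocked, which is the "Operation not permitted" seen
    # on the ping above.
    negotiationshunt=hold
    failureshunt=passthrough
```

After loading it, `ipsec auto --listall` should show the certificate together with "has private key"; if it does not, the secret and the NSS nickname still disagree.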