Hi,
On 12/31/2020 4:14 AM, Alex wrote:
Hi,
certutil -S -c "Example CA" -n "win10client.example.com" \
-s "O=Example,CN=win10client.example.com" -k rsa \
-g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8
"win10client.example.com"
I see that the options -1 and -6 have no argument. Apparently this
triggers an interactive loop to specify the respective properties.
I think the client options should be:
-1 "digitalSignature,keyEncipherment"
-6 "clientAuth"
For the server:
-1 "digitalSignature,keyEncipherment"
-6 "serverAuth,ipsecIKEIntermediate"
I believe it was either the first or second message on this thread I
asked if it was a problem that I was testing on the same network I was
located on, but perhaps that got overlooked :-)
That's possible, I was not sure about that either, and eventually ended
up giving the wrong answer! Sorry about that.
I recalled it being a
problem when I did this like fifteen years ago, lol. I've since
connected through my phone.
Anyway, it was either that or a combination of changes I made to the
certutil command that got me a bit further.
Probably both.
After seeing your commands I'd say --extKeyUsage for the client cert had
a role too.
Dec 30 22:06:47.568952: "ikev2-cp"[2] 172.58.238.215: local IKE
proposals (IKE SA responder matching remote proposals):
Dec 30 22:06:47.569014: "ikev2-cp"[2] 172.58.238.215:
1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Dec 30 22:06:47.569029: "ikev2-cp"[2] 172.58.238.215:
2:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Dec 30 22:06:47.569041: "ikev2-cp"[2] 172.58.238.215:
3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Dec 30 22:06:47.569052: "ikev2-cp"[2] 172.58.238.215:
4:IKE=AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Dec 30 22:06:47.569083: "ikev2-cp"[2] 172.58.238.215 #3: proposal
2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from
r
emote proposals
1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP2048
2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[first-match]
3:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP2048
Dec 30 22:06:47.573387: "ikev2-cp"[2] 172.58.238.215 #3: sent
IKE_SA_INIT reply {auth=IKEv2 cipher=AES_CBC_256
integ=HMAC_SHA2_256_128 prf
=HMAC_SHA2_256 group=MODP2048}
OK, so phase 1 passes.
However, it still looks like Windows is sending multiple proposals,
while when using Set-VpnConnectionIPsecConfiguration I think only one
should be sent.
Moreover:
The relevant parameters of Set-VpnConnectionIPsecConfiguration at this
stage (phase 1) are:
-EncryptionMethod AES256
-IntegrityCheckMethod SHA384
-DHGroup Group14
(The relevant part in the libreswan config is the ike=... line or its
default value if not present.)
-IntegrityCheckMethod SHA384 (as in you command below) does not match
INTEG=HMAC_SHA2_256_128 which appears to be sent by Windows and logged
as the accepted proposal by libreswan.
Dec 30 22:06:47.702497: "ikev2-cp"[2] 172.58.238.215 #3: processing
decrypted IKE_AUTH request: SK{IDi,CERT,CERTREQ,AUTH,CP,SA,TSi,TSr}
Dec 30 22:06:47.704044: "ikev2-cp"[2] 172.58.238.215 #3: certificate
verified OK: O=Example,CN=win10client.example.com
Dec 30 22:06:47.704103: "ikev2-cp"[2] 172.58.238.215 #3: IKEv2 mode
peer ID is ID_DER_ASN1_DN: 'CN=win10client.example.com, O=Example'
Dec 30 22:06:47.704669: "ikev2-cp"[2] 172.58.238.215 #3: authenticated
using RSA with SHA1
Client authentication passes too. It says "RSA with SHA1", which should
map to authby=rsasig in your conf file.
Dec 30 22:06:47.718096: "ikev2-cp"[2] 172.58.238.215 #4: no local
proposal matches remote proposals
1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED
Dec 30 22:06:47.718122: "ikev2-cp"[2] 172.58.238.215 #4: IKE_AUTH
responder matching remote ESP/AH proposals failed, responder SA
processing returned STF_FAIL+v2N_NO_PROPOSAL_CHOSEN
This is phase 2 which fails.
The relevant parameters of Set-VpnConnectionIPsecConfiguration at this
stage are:
-AuthenticationTransformConstants SHA256128
-CipherTransformConstants AES256
(The relevant part in the libreswan config is the esp=... line or its
default value if not present.)
The log shows that the (failing) proposal sent by Windows is
1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED
This does not match the parameters of Set-VpnConnectionIPsecConfiguration.
It appears that Windows is not sending the proposals as required by
Set-VpnConnectionIPsecConfiguration.
From the strongswan thread you posted earlier I remember the last
comment about the manually tweaked registry entry overriding some
parametres of Set-VpnConnectionIPsecConfiguration. Do you still have
that registry entry in place?
On the libreswan side do you have an esp=... line in your config? If so
compare that with the proposal sent by Windows. It looks like the phase
2 proposal sent by Windows has weak ciphers, though - meaning you may
really want to change the registry rather than the esp=... line. Paul
might be more specific on this.
Dec 30 22:06:47.718134: "ikev2-cp"[2] 172.58.238.215 #4: responding to
IKE_AUTH message (ID 1) from 172.58.238.215:43186 with encrypted
notification NO_PROPOSAL_CHOSEN
Dec 30 22:06:47.718209: "ikev2-cp"[2] 172.58.238.215 #4: state
transition 'Responder: process IKE_AUTH request' failed
Dec 30 22:06:47.718250: "ikev2-cp"[2] 172.58.238.215 #4: deleting
state (STATE_V2_IKE_AUTH_CHILD_R0) aged 0.00017s and NOT sending
notification
Windows reports the same "policy match error".
Here are the certutil commands I am now using:
# generate CA certificate
echo "Generating CA certificate...."
certutil -z <(head -c 1024 /dev/urandom) \
-S -x -n "Example CA" -s "O=Example,CN=Example CA" -k rsa \
-g 4096 -v 36 -t "CT,," -2 -d /var/lib/ipsec/nss
# generate orion client certificate
echo "Generating orion client certificate..."
certutil -z <(head -c 1024 /dev/urandom) \
-S -c "Example CA" -n "orion.example.com" -s
"O=Example,CN=orion.example.com" \
-k rsa -g 4096 -v 120 -t ",," -1 -6 -8 "orion.example.com" -d
/var/lib/ipsec/nss \
--extSAN "ip:68.195.111.42" --keyUsage
"digitalSignature,keyEncipherment" \
--extKeyUsage "serverAuth,ipsecIKEIntermediate"
Option -1 is an alias for --keyUsage, since you are using --keyUsage
with an explicit argument I would drop -1
Same for option -6 and --extKeyUsage
By adding -8 "orion.example.com" and --extSAN "ip:68.195.111.42" I
believe you are adding two entries to the subjectAltName extension,
resulting in something like:
subjectAltName = "dns:orion.example.com,ip:68.195.111.42"
This is technically correct, /if/ 68.195.111.42 is the IP address of the
VPN gatweay as seen by the Windows client, however it might be more
complicated that it needs be.
You may verify that this is the actual result with
certutil -L -d sql:/var/lib/ipsec/nss -n "orion.example.com"
I'd drop the "ip:68.195.111.42" part anyway because you have to
configure this IP address in Windows or DNS anyway[*], and this is best
set in one place only.
# generate Windows certificate
echo "Generating Windows certificate..."
certutil -z <(head -c 1024 /dev/urandom) \
-S -c "Example CA" -n "win10client.example.com" \
-s "O=Example,CN=win10client.example.com" -k rsa \
-g 4096 -v 120 -t ",," -8 "win10client.example.com" -d
/var/lib/ipsec/nss \
--extSAN "ip:68.195.111.42" --keyUsage
digitalSignature,keyEncipherment \
--extKeyUsage "clientAuth"
Same story about
-8 "win10client.example.com"
--extSAN "ip:68.195.111.42"
However, this time the "ip:68.195.111.42" part is most probably wrong,
because it should contain the IP address of the client, that can't be
the same as the server's.
Considering that the client may be a roadwarrior with dynamic IP, I
would drop this part (--extSAN "ip:68.195.111.42") altogether.
certutil -L -d /var/lib/ipsec/nss
pk12util -o win10client.example.com.p12 -n "win10client.example.com"
-d /var/lib/ipsec/nss
The first comment below is about the following two lines.
pk12util -o orion.example.com.p12 -n "orion.example.com" -d /var/lib/ipsec/nss
ipsec import orion.example.com.p12
Two comments about -d /var/lib/ipsec/nss - only informational, don't let
them confuse you:
1) If /var/lib/ipsec/nss is the default database path used by ipsec,
then since you generate the server certificate in that database I think
you don't need to export to p12 and import again in the same database.
Take this with a grain of salt since I don't use certutil to create my
certs.
2) creating the client certificate in /var/lib/ipsec/nss means you'll
have that certificate in the default ipsec database too. This is not
needed by libreswan. The client certificate is meant to be sent by the
initiator(client) to the responder(server) which will validate it
according to its trusted CA and requirements on client identity.
The example in the libreswan page uses ${HOME}/tmpdb (IIRC) which is a
private location in the user's home directory. Note that in this
scenario the commands given take care of importing the applicable CA(s)
together with the certificate - the server cert and CA in the ipsec
database, and the client cert and CA to the Windows client.
I'm not saying the way you're doing this above is wrong, just pointing
out a couple of differences with the example in the libreswan page.
Some of this is adapted from
https://github.com/hwdsl2/setup-ipsec-vpn
Here is the set-vpnconnection command:
Set-VpnConnectionIPsecConfiguration -ConnectionName ikev2-cp
-EncryptionMethod AES256 -DHGroup Group14 -IntegrityCheckMethod SHA384
-PfsGroup PFS2048 -AuthenticationTransformConstants SHA256128
-CipherTransformConstants AES256
Recalling from the above, I'd change -IntegrityCheckMethod SHA384 into
-IntegrityCheckMethod SHA256 unless you configure your ike=... line
accordingly.
But first of all I would check the registry if it still contains the
tweaked entry and restore that to default state (which might mean
removing the entry).
Thank you again for your help.
[*] Your cert uses the FQDN in CN, so in Windows you need to use the VPN
responder hostname, giving it means to resolve it to an IP address.
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
