[Swan] Help configuring libreswan with XAUTH, NSS and remote clients (road warriors)
Enrico Brunetta
enrico at bitproductions.com
Wed Sep 17 16:31:32 EEST 2014
On Sep 17, 2014, at 12:10 AM, Paul Wouters <paul at nohats.ca> wrote:
> On Tue, 16 Sep 2014, Enrico Brunetta wrote:
>
>> /etc/ipsec.secrets:
>> : RSA enrico
>
> That should be the "friendly name" as used in the pkcs#12 export. On the
> server that would not be "enrico".
>
>
>>> Did your certificates load? run ipsec auto --listall and look for the
>>> CAcert and the vpn.bitproductions.com cert.
>>
>> root at ip-172-31-48-104:~# ipsec auto --listall
>> 000
>> 000 List of RSA Public Keys:
>> 000
>> 000 Sep 17 01:24:23 2014, 1024 RSA Key AwEAAdS9l (no private key), until Sep 16 22:04:08 2024 ok
>> 000 ID_FQDN '@vpn.bitproductions.com'
>
> More likely, the friendly name is vpn.bitproductions.com?
> Note the "no private key", which shows that libreswan does not know how
> to find the private key of the certificate it is told to use.
>
>> 000 Issuer 'C=US, ST=TX, L=Austin, O=bitProductions Inc., CN=bitProductions VPN Certification Authority'
>> 000 Sep 17 01:24:23 2014, 1024 RSA Key AwEAAdS9l (no private key), until Sep 16 22:04:08 2024 ok
>
> Here "no private key" is fine, because it is the CA and the vpn server
> does not need to have the CA key :)
>
> I think you might need:
>
> : RSA "vpn.bitproductions.com"
>
> or:
>
> : RSA "VPN Server"
>
> But you know best what you used as the friendly_name for the export :)
>
I switched /etc/ipsec.secrets to use vpn.bitproductions.com (now ipsec auto --listall shows finding the private key), but I'm still getting the same error.
root at ip-172-31-48-104:~# cat /etc/ipsec.secrets
: RSA vpn.bitproductions.com
root at ip-172-31-48-104:~#
root at ip-172-31-48-104:~# certutil -L -d /etc/ipsec.d/
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

rootca                                                       Cu,Cu,Cu
vpn.bitproductions.com                                       u,u,u
enrico                                                       u,u,u
root at ip-172-31-48-104:~# /usr/sbin/service ipsec restart
root at ip-172-31-48-104:~# ipsec auto --listall
000
000 List of RSA Public Keys:
000
000 Sep 17 13:03:17 2014, 1024 RSA Key AwEAAdS9l (has private key), until Sep 16 22:04:08 2024 ok
000 ID_FQDN '@vpn.bitproductions.com'
000 Issuer 'C=US, ST=TX, L=Austin, O=bitProductions Inc., CN=bitProductions VPN Certification Authority'
000 Sep 17 13:03:17 2014, 1024 RSA Key AwEAAdS9l (has private key), until Sep 16 22:04:08 2024 ok
000 ID_DER_ASN1_DN 'C=US, ST=TX, L=Austin, O=bitProductions Inc., CN=VPN Server'
000 Issuer 'C=US, ST=TX, L=Austin, O=bitProductions Inc., CN=bitProductions VPN Certification Authority'
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000 1: RSA (none) (none)
000
000 List of X.509 End Certificates:
000 Sep 17 13:03:17 2014, count: 1
000 subject: 'C=US, ST=TX, L=Austin, O=bitProductions Inc., CN=VPN Server'
000 issuer: 'C=US, ST=TX, L=Austin, O=bitProductions Inc., CN=bitProductions VPN Certification Authority'
000 serial: 00:a0:66:bd:bf
000 pubkey: 1024 RSA Key AwEAAdS9l, has private key
000 validity: not before Sep 16 22:04:08 2014 ok
000 not after Sep 16 22:04:08 2024 ok
000
000 List of X.509 CA Certificates:
000 Sep 17 13:03:16 2014, count: 1
000 subject: 'C=US, ST=TX, L=Austin, O=bitProductions Inc., CN=bitProductions VPN Certification Authority'
000 issuer: 'C=US, ST=TX, L=Austin, O=bitProductions Inc., CN=bitProductions VPN Certification Authority'
000 serial: 00:a0:66:bd:a5
000 pubkey: 1024 RSA Key AwEAAco/Y
000 validity: not before Sep 16 22:03:58 2014 ok
000 not after Sep 16 22:03:58 2024 ok
000
000 List of X.509 CRLs:
root at ip-172-31-48-104:~# cat /etc/ipsec.conf
version 2.0

config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.31.48.129/25
    oe=off
    protostack=netkey
    nhelpers=0
    interfaces=%defaultroute

conn xauth-rsa
    connaddrfamily=ipv4
    auto=add
    authby=rsasig
    pfs=no
    rekey=no
    leftxauthserver=yes
    rightxauthclient=yes
    modecfgpull=yes
    left=172.31.28.183
    leftcert=vpn.bitproductions.com
    leftid=@vpn.bitproductions.com
    leftsendcert=always
    # leftnexthop=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%fromcert
    rightrsasigkey=%cert
    rightaddresspool=172.31.48.130-172.31.48.254
    forceencaps=yes
    xauthby=alwaysok
    ike_frag=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
root at ip-172-31-48-104:~# tail -f /var/log/auth.log
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: Starting Pluto (Libreswan Version 3.10 XFRM(netkey) KLIPS NSS DNSSEC LIBCAP_NG XAUTH_PAM NETWORKMANAGER KLIPS_MAST CURL(non-NSS)) pid:30851
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: core dump dir: /var/run/pluto/
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: secrets file: /etc/ipsec.secrets
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: leak-detective disabled
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: SAref support [disabled]: Protocol not available
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: SAbind support [disabled]: Protocol not available
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: NSS crypto [enabled]
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: XAUTH PAM support [enabled]
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: NAT-Traversal support [enabled]
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok (ret=0)
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: no crypto helpers will be started; all cryptographic operations will be done inline
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: Using Linux XFRM/NETKEY IPsec interface code on 3.13.0-29-generic
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: Warning: failed to register algo_aes_ccm_8 for IKE
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: ike_alg_register_enc(): Activating aes_ccm_12: Ok (ret=0)
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: Warning: failed to register algo_aes_ccm_12 for IKE
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: ike_alg_register_enc(): Activating aes_ccm_16: Ok (ret=0)
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: Warning: failed to register algo_aes_ccm_16 for IKE
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: ike_alg_register_enc(): Activating aes_gcm_8: Ok (ret=0)
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: Warning: failed to register algo_aes_gcm_8 for IKE
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: ike_alg_register_enc(): Activating aes_gcm_12: Ok (ret=0)
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: Warning: failed to register algo_aes_gcm_12 for IKE
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: ike_alg_register_enc(): Activating aes_gcm_16: Ok (ret=0)
Sep 17 13:03:16 ip-172-31-48-104 pluto[30851]: Warning: failed to register algo_aes_gcm_16 for IKE
Sep 17 13:03:17 ip-172-31-48-104 pluto[30851]: added connection description "xauth-rsa"
Sep 17 13:03:17 ip-172-31-48-104 pluto[30851]: listening for IKE messages
Sep 17 13:03:17 ip-172-31-48-104 pluto[30851]: adding interface eth0/eth0 172.31.48.104:500
Sep 17 13:03:17 ip-172-31-48-104 pluto[30851]: adding interface eth0/eth0 172.31.48.104:4500
Sep 17 13:03:17 ip-172-31-48-104 pluto[30851]: adding interface lo/lo 127.0.0.1:500
Sep 17 13:03:17 ip-172-31-48-104 pluto[30851]: adding interface lo/lo 127.0.0.1:4500
Sep 17 13:03:17 ip-172-31-48-104 pluto[30851]: loading secrets from "/etc/ipsec.secrets"
Sep 17 13:03:17 ip-172-31-48-104 pluto[30851]: loaded private key for keyid: PPK_RSA:AwEAAdS9l
Sep 17 13:04:57 ip-172-31-48-104 pluto[30851]: packet from 70.117.100.63:500: received Vendor ID payload [RFC 3947]
Sep 17 13:04:57 ip-172-31-48-104 pluto[30851]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
Sep 17 13:04:57 ip-172-31-48-104 pluto[30851]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08]
Sep 17 13:04:57 ip-172-31-48-104 pluto[30851]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07]
Sep 17 13:04:57 ip-172-31-48-104 pluto[30851]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06]
Sep 17 13:04:57 ip-172-31-48-104 pluto[30851]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05]
Sep 17 13:04:57 ip-172-31-48-104 pluto[30851]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04]
Sep 17 13:04:57 ip-172-31-48-104 pluto[30851]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 17 13:04:57 ip-172-31-48-104 pluto[30851]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Sep 17 13:04:57 ip-172-31-48-104 pluto[30851]: packet from 70.117.100.63:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Sep 17 13:04:57 ip-172-31-48-104 pluto[30851]: packet from 70.117.100.63:500: received Vendor ID payload [XAUTH]
Sep 17 13:04:57 ip-172-31-48-104 pluto[30851]: packet from 70.117.100.63:500: received Vendor ID payload [Cisco-Unity]
Sep 17 13:04:57 ip-172-31-48-104 pluto[30851]: packet from 70.117.100.63:500: received Vendor ID payload [FRAGMENTATION 80000000]
Sep 17 13:04:57 ip-172-31-48-104 pluto[30851]: packet from 70.117.100.63:500: received Vendor ID payload [Dead Peer Detection]
Sep 17 13:04:57 ip-172-31-48-104 pluto[30851]: packet from 70.117.100.63:500: initial Main Mode message received on 172.31.48.104:500 but no connection has been authorized with policy=RSASIG+XAUTH
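The exchange above turns on three names agreeing with each other: the nickname under which the server certificate sits in the NSS database (what `certutil -L -d /etc/ipsec.d/` prints), the name after `: RSA` in /etc/ipsec.secrets, and `leftcert=` in /etc/ipsec.conf. The following script is an added example, not code from the thread participants or from the libreswan project: it parses constructed copies of those three outputs (modelled on the ones quoted in the message, with the `enrico` versus `vpn.bitproductions.com` mismatch from the first attempt) and reports every reference that does not resolve to a nickname whose SSL trust column carries the `u` flag, which certutil uses for a certificate with a private key in the database. The function and constant names are this example's own; the secrets parser only understands the `: RSA nickname` form (quoted or bare) and ignores raw-key and passphrase variants.

```python
"""Cross-check certificate references between certutil -L, ipsec.secrets and
ipsec.conf. Added example; sample inputs are constructed, modelled on the
outputs quoted in the thread above."""
import re

# Constructed sample of `certutil -L -d /etc/ipsec.d/` output.
CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

rootca                                                       Cu,Cu,Cu
vpn.bitproductions.com                                       u,u,u
enrico                                                       u,u,u
"""

# Constructed secrets files: the first attempt from the thread and the corrected one.
SECRETS_FIRST_ATTEMPT = ": RSA enrico\n"
SECRETS_CORRECTED = ": RSA vpn.bitproductions.com\n"

# Constructed fragment of ipsec.conf with the server-side certificate reference.
IPSEC_CONF = "conn xauth-rsa\n\tauthby=rsasig\n\tleftcert=vpn.bitproductions.com\n"

# A certutil -L data row: nickname, whitespace, three comma-separated flag groups.
CERT_ROW_RE = re.compile(r"^(\S.*?)\s+([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")
# ': RSA "friendly name"' or ': RSA nickname' (passphrase, if any, is ignored).
SECRET_RE = re.compile(r'^\s*:\s*RSA\s+(?:"([^"]*)"|(\S+))')
# leftcert= / rightcert= lines inside a conn section.
CONF_CERT_RE = re.compile(r'^\s*((?:left|right)cert)\s*=\s*"?([^"\s]+)"?')


def parse_certutil(text):
    """Return {nickname: (ssl_flags, smime_flags, jar_flags)} from certutil -L output."""
    certs = {}
    for line in text.splitlines():
        m = CERT_ROW_RE.match(line)
        if m:
            certs[m.group(1)] = tuple(m.group(2).split(","))
    return certs


def parse_secrets(text):
    """Return the list of NSS nicknames named by ': RSA ...' lines in ipsec.secrets."""
    nicks = []
    for line in text.splitlines():
        m = SECRET_RE.match(line)
        if m:
            nicks.append(m.group(1) if m.group(1) is not None else m.group(2))
    return nicks


def parse_conf_certs(text):
    """Return [(key, nickname)] for every leftcert=/rightcert= line in ipsec.conf."""
    return [(m.group(1), m.group(2))
            for m in (CONF_CERT_RE.match(line) for line in text.splitlines()) if m]


def check_references(certutil_text, secrets_text, conf_text):
    """Return human-readable findings; an empty list means the three files agree."""
    certs = parse_certutil(certutil_text)
    secret_nicks = parse_secrets(secrets_text)
    findings = []
    for nick in secret_nicks:
        if nick not in certs:
            findings.append(f"ipsec.secrets: ': RSA {nick}' names no certificate in the NSS database")
        elif "u" not in certs[nick][0]:
            findings.append(f"ipsec.secrets: '{nick}' has no private key in the NSS database "
                            f"(trust flags {','.join(certs[nick])})")
    for key, nick in parse_conf_certs(conf_text):
        if nick not in certs:
            findings.append(f"ipsec.conf: {key}={nick} names no certificate in the NSS database")
        elif nick not in secret_nicks:
            # This is the situation in the thread's first attempt: the cert is loaded,
            # but no ': RSA' line points pluto at its private key ('no private key').
            findings.append(f"ipsec.conf: {key}={nick} has no matching ': RSA {nick}' line "
                            f"in ipsec.secrets")
    return findings


if __name__ == "__main__":
    for label, secrets in (("first attempt", SECRETS_FIRST_ATTEMPT),
                           ("corrected", SECRETS_CORRECTED)):
        print(f"== {label} ==")
        for finding in check_references(CERTUTIL_OUTPUT, secrets, IPSEC_CONF) or ["consistent"]:
            print("  " + finding)
```

Run against live files with the output of `certutil -L -d /etc/ipsec.d/` and the contents of /etc/ipsec.secrets and /etc/ipsec.conf read into the three arguments; a clean result only shows the names line up and the private key is present, it says nothing about the remote side's identity or the policy match that the last log line complains about.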