[Swan] Certificate confusion (fwd)

Matt Rogers mrogers at redhat.com
Fri May 29 23:53:34 EEST 2015


> Date: Thu, 28 May 2015 12:32:30
> From: John Crisp <jcrisp at safeandsoundit.co.uk>
> To: Paul Wouters <paul at nohats.ca>
> Subject: LibreSwan list
> 
> 
> Certificate confusion
> 
> Hi,
> 
> I'm trying to move from using PSK authentication to certificates.
> 
> Have read the Libreswan/NSS howto but seem to be tripping up somewhere.
> Certificate hell :-)
> 
> I have an Endian test box that I want to connect to Libreswan. Libreswan
> is in 'add' (receive only) mode currently. It is currently behind
> another router for testing. ipsec with PSK works OK.
> 
> It seems that Libreswan cannot find the correct certificate
> 
> From secure.log
> 
> "HomeToVoip" #1: no suitable connection for peer 'C=IT, O=efw, CN=192.168.200.11'
> 
> Quite frankly, having tried so many combinations, I am not sure what is
> what anymore!
> 
> 
> IP of Endian 192.168.201.11
> IP of ADSL router 192.168.201.1
> WAN IP of router 1.2.3.4
> IP of Libreswan 5.6.7.8
> 
> (Note that I have two WAN links and the original cert in Endian was
> generated during install when it only had one WAN interface up with an
> IP of 192.168.200.11 - this WAN link is not used for VPNs)
> 
> 
> From the Howto I did:
> 
> 
> ipsec initnss
> 
> # Generate CA
> # -x: self-signed; -t "C,C,C": trusted CA for SSL, e-mail and object
> # signing; -v 12: valid for 12 months
> 
> certutil -S -k rsa -n "TestBox" -s "CN=Test-Box-CA" -v 12 -t "C,C,C" -x \
>     -d /etc/ipsec.d
> 
> 
> # Generate a cert
> # -c "TestBox": issued by the CA above; -t "u,u,u": user certificate
> 
> certutil -S -k rsa -c "TestBox" -n "Endian" -s "CN=Endian-Cert" -v 12 -t "u,u,u" \
>     -d /etc/ipsec.d
> 
> 
> Export the cert (Endian didn't like this file)
> # -a: ASCII (PEM) output; this is the certificate only, no private key
> certutil -L -n "Endian" -d /etc/ipsec.d/ -a > Endian.crt
> 
> Export the pk12 cert (Imported to Endian)
> # PKCS#12 bundle: certificate plus private key, protected by the password
> # pk12util prompts for
> pk12util -o Endiancacert1.p12 -n Endian -d /etc/ipsec.d
> 
> 
> Import Endiancacert into Endian
> 
> Exported all 3 certificates from Endian and imported to Libreswan
> (details below)
> 
> No matter what I have tried and whatever combinations I just cannot
> quite get it right and I am clearly missing something insanely simple
> but cannot figure out what.
> 
> These are both test boxes so I am happy to destroy and rebuild.
> 
> Any help gratefully appreciated!
> 
> B. Rgds
> John
> 
> 
> Secure log (debug - x509):
> 
>  | processing connection HomeToVoip
>  "HomeToVoip" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
>  "HomeToVoip" #1: responding to Main Mode
>  "HomeToVoip" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>  "HomeToVoip" #1: STATE_MAIN_R1: sent MR1, expecting MI2
>  | processing connection HomeToVoip
>  "HomeToVoip" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: peer behind NAT
>  | processing connection HomeToVoip
>  "HomeToVoip" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>  "HomeToVoip" #1: STATE_MAIN_R2: sent MR2, expecting MI3
>  | processing connection HomeToVoip
>  | processing connection HomeToVoip
>  "HomeToVoip" #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=IT, O=efw, CN=192.168.200.11'
>  |   trusted_ca called with a=C=IT, O=efw, CN=efw CA b=(empty)
>  |   trusted_ca called with a=C=IT, O=efw, CN=efw CA b=C=IT, O=efw, CN=efw CA
>  "HomeToVoip" #1: no suitable connection for peer 'C=IT, O=efw, CN=192.168.200.11'
>  "HomeToVoip" #1: sending encrypted notification INVALID_ID_INFORMATION to 1.2.3.4:500
> 
> 
> conn HomeToVoip
>     authby=rsasig
>     leftid=%fromcert
>     leftcert=192.168.200.11
>     leftrsasigkey=%cert
>     auto=add
>     type=tunnel
>     ikelifetime=28800s
>     salifetime=28800s
>     pfs=yes
>     left=%defaultroute
>     leftsourceip=192.168.97.1
>     leftsubnet=192.168.97.0/24
>     rightsubnet=192.168.10.0/24
>     right=1.2.3.4
>     rightrsasigkey=%cert
>     leftsendcert=always
>     leftrsasigkey2=EFW-main
> 
> 
> Endian uses weakswan I think.
> 
> leftcert is picked automatically. rightcert can be changed in the config
> - have tried all permutations.
> 
> /etc/ipsec.conf:
> 
> config setup
>     cachecrls=yes
>     uniqueids=yes
>     charondebug="dmn 4, knl 4"
> 
> conn %default
>     keyingtries=%forever
>     dpddelay=30s
>     dpdtimeout=120s
> 
> 
> conn Test
>     dpdaction=restart
>     left=192.168.201.11
>     leftnexthop=192.168.201.1
>     leftsubnet=192.168.10.0/24
>     right=5.6.7.8
>     rightsubnet=192.168.97.0/24
>     leftcert=192.168.200.11cert.pem
>     rightcert=Endian-Certcert.pem
>     authby=pubkey
>     leftsigkey=%cert
>     rightsigkey=%cert
>     leftid="192.168.200.11"
>     rightid="5.6.7.8"
>     ikelifetime=1h
>     keylife=8h

I think your assignment of left/right is mixed up here. You should
designate one side as left and one side as right for both
configurations. If, for example, you pick the libreswan host as the left
side, your cert options on the libreswan config should be:

leftcert=<libreswan host cert nickname>
leftid=%fromcert
rightid=%fromcert

You'll be omitting the rightcert option as leftcert/rightcert is for
specifying a local cert, and right is the remote peer.

Then on the Endian host, assuming this weakswan or whatever it is using
works similarly, you should reverse that.

Omit leftcert
leftid=%fromcert
rightcert=192.168.200.11cert.pem
rightid=%fromcert

If it cannot use %fromcert then you can set the IDs to the DN of the
certificates.

Regards,
Matt
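An added example (not part of Matt's reply or John's post) showing both configurations laid out the way the reply describes: the Libreswan host (5.6.7.8) is left and the Endian box is right on BOTH ends, each end names only its own certificate, and both IDs come from the certificates. Addresses, subnets, lifetimes and the Endian certificate file name are the ones from the thread; the Endian side is John's posted conn with its sides mirrored. Two things are assumptions: the NSS nickname "libreswan-host" is a placeholder for whatever nickname the Libreswan host's own certificate carries in /etc/ipsec.d (certutil -L -d /etc/ipsec.d lists them), and the Endian side is written on the assumption that its strongSwan-style ipsec.conf treats left/right the way the reply expects.

```ini
# --- Libreswan host (5.6.7.8), /etc/ipsec.conf ---
# left = Libreswan host, right = Endian box, on both ends.
# "libreswan-host" is a placeholder for the nickname of this host's own
# certificate in the NSS database (not a name from the thread).
conn HomeToVoip
    authby=rsasig
    type=tunnel
    auto=add
    left=%defaultroute
    leftsourceip=192.168.97.1
    leftsubnet=192.168.97.0/24
    # our own certificate, by NSS nickname
    leftcert=libreswan-host
    # our ID is the subject DN of that certificate
    leftid=%fromcert
    leftrsasigkey=%cert
    leftsendcert=always
    right=1.2.3.4
    rightsubnet=192.168.10.0/24
    rightrsasigkey=%cert
    # accept the peer's ID from the certificate it sends during IKE;
    # there is deliberately no rightcert, the remote cert is not local
    rightid=%fromcert
    # Fallback if %fromcert cannot be used on one end: pin the DN the peer
    # actually presents, i.e. the value seen in the secure.log above:
    # rightid="C=IT, O=efw, CN=192.168.200.11"
    ikelifetime=28800s
    salifetime=28800s
    pfs=yes

# --- Endian box (192.168.201.11), /etc/ipsec.conf ---
# Same orientation: left is still the Libreswan host, so this box's own
# certificate and ID go under right*, and leftcert is omitted.
conn Test
    dpdaction=restart
    authby=pubkey
    left=5.6.7.8
    leftsubnet=192.168.97.0/24
    # Libreswan's ID comes from the certificate it sends
    leftid=%fromcert
    leftsigkey=%cert
    right=192.168.201.11
    rightnexthop=192.168.201.1
    rightsubnet=192.168.10.0/24
    # this box's own certificate (CN=192.168.200.11)
    rightcert=192.168.200.11cert.pem
    rightid=%fromcert
    rightsigkey=%cert
    ikelifetime=1h
    keylife=8h
```

Whichever variant is used, the Endian CA that the log shows being checked (C=IT, O=efw, CN=efw CA) still has to be present and trusted in the Libreswan NSS database, otherwise the peer's certificate is rejected before the ID is ever matched against a conn.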
