[Swan] Trying to troubleshoot IPSec connection with certificates

Tuomo Soini tis at foobar.fi
Tue Feb 2 07:07:30 UTC 2016


On Mon, 1 Feb 2016 15:02:41 +0200
Noam Singer <noam at fortycloud.com> wrote:

> Hello
> 
> I am trying to set an IPSec connection with certificates (same CA for
> both certs), but my connection does not pass the STATE_MAIN_I3 state.
> 
> Is there a way to better troubleshoot the PKI failures
> Am I doing something wrong?
> 
> I would appreciate any help.
> 
> Thanks in advance
> 
> 
> 
> I have setup the following configuration
> 
> Using LibreSwan 3.15

Libreswan - no capital letters inside the word.
> 
> /etc/ipsec.secrets:
> -------------------
> 54.194.188.148 54.194.210.197 : RSA globalCertificate

This line is not needed or used with certificates, remove it to get rid
of warning about unused config option.
> 
> /etc/ipsec.conf:
> ----------------
> config setup
>     plutodebug = all

plutodebug=none is the only sensible option. Do this first to get readable
and understandable logs. Those are debug options; enable them only if
somebody here asks you to enable debugging options.

Also note: "plutodebug = all" is not a correct line. Spaces are not
allowed in random places in the config file.

> include /etc/ipsec.d/*.conf
> 
> 
> /etc/ipsec.d/connST603.conf:
> ----------------------------

Config format issue here too. No " = ".

> conn connST603
>     authby = rsasig
>     auto = start
>     dpdaction = restart
>     dpddelay = 30
>     dpdtimeout = 120
>     esp = aes128-sha1

With libreswan, the option name is phase2alg=

	phase2alg=aes128-sha1

>     forceencaps = yes

You don't want forceencaps=yes without a very, very good reason, like a
broken firewall rule blocking ESP (IP proto 50) traffic.

>     ike = aes128-sha1

Same here; the Diffie-Hellman group belongs in this line.

>     ikelifetime  = 86400s
>     left = %defaultroute
>     leftcert = globalCertificate
>     leftid = 54.194.188.148
>     leftrsasigkey = %cert
>     leftsubnets = 172.24.128.0/24

Here is one subnet only. Do not use leftsubnets, use leftsubnet=

>     lifetime = 28800s

Unrecognized option: lifetime. We have ikelifetime= for phase 1.

>     pfs = no
>     right = 54.194.210.197
>     rightid = 54.194.210.197

This rightid only works if the remote certificate has an IP type subjectAltName
in it. I'm quite sure they don't have anything like that
there. Usually rightid=%fromcert works if the remote end offers the certificate
subject as ID. So use rightid=%fromcert and leftid=%fromcert. And if the
certificates are from the same CA, I'd use rightca=%same for added security.

>     rightsubnets = 172.24.131.0/24

Again, rightsubnet= because you only have one subnet listed.

Below I can see from your cert there is no subjectAltName= specified, so
your only possible ID type is ID_DER_ASN1_DN, also known as certificate
subject.

>     type = tunnel
> 
> ** I also tried using leftid="CN=...", but got similar results
> The certificates look fine to me
> 
> The signed certificate:
> -----------------------

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
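The two config files from the quoted message with the corrections from this reply applied, as an added example (not from the original thread). The DH group modp2048, the salifetime= option for the phase 2 lifetime, and rightrsasigkey=%cert are the editor's choices to fill in what the reply only points at.

```ini
# /etc/ipsec.conf  (added example, not from the original thread)
config setup
    # debug off first; readable logs before any debug flags
    plutodebug=none
    # note: "key=value", never "key = value"

include /etc/ipsec.d/*.conf

# /etc/ipsec.d/connST603.conf  (added example, not from the original thread)
conn connST603
    type=tunnel
    authby=rsasig
    auto=start
    left=%defaultroute
    leftcert=globalCertificate
    # certificate subject (ID_DER_ASN1_DN) as ID on both ends, not an IP
    leftid=%fromcert
    leftrsasigkey=%cert
    # one subnet only: leftsubnet=, not leftsubnets=
    leftsubnet=172.24.128.0/24
    right=54.194.210.197
    rightid=%fromcert
    # assumption: the remote peer presents its certificate in IKE
    rightrsasigkey=%cert
    # both certs are signed by the same CA, so pin it
    rightca=%same
    rightsubnet=172.24.131.0/24
    # phase 1 proposal with an explicit DH group (modp2048 is the editor's choice)
    ike=aes128-sha1;modp2048
    # libreswan name for the phase 2 proposal (was esp=)
    phase2alg=aes128-sha1
    pfs=no
    ikelifetime=86400s
    # phase 2 lifetime; "lifetime=" is not a recognized option
    salifetime=28800s
    dpdaction=restart
    dpddelay=30
    dpdtimeout=120
    # forceencaps=yes removed: only needed when ESP (IP proto 50) is blocked
```

No /etc/ipsec.secrets entry is needed for certificate authentication; the private key comes from the NSS database referenced by leftcert=.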
