[Swan] Trying to troubleshhot IPSec connection with certificates
Noam Singer
noam at fortycloud.com
Tue Feb 2 12:39:01 UTC 2016
Thank you all for all your help
My hunch is that the failure relates to subjectAltName
I'll be taking all comments into account and update you as soon as I have
something working
Thank you all
Noam Singer
On Tue, Feb 2, 2016 at 9:07 AM, Tuomo Soini <tis at foobar.fi> wrote:
> On Mon, 1 Feb 2016 15:02:41 +0200
> Noam Singer <noam at fortycloud.com> wrote:
>
> > Hello
> >
> > I am trying to set an IPSec connection with certificates (same CA for
> > both certs), but my connection does not pass the STATE_MAIN_I3 state.
> >
> > Is there a way to better troubleshoot the PKI failures
> > Am I doing something wrong?
> >
> > I would appreciate any help.
> >
> > Thanks in advance
> >
> >
> >
> > I have setup the following configuration
> >
> > Using LibreSwan 3.15
>
> Libreswan - No capital letters in word.
> >
> > /etc/ipsec.secrets:
> > -------------------
> > 54.194.188.148 54.194.210.197 : RSA globalCertificate
>
> This line is not needed or used with certificates, remove it to get rid
> of warning about unused config option.
> >
> > /etc/ipsec.conf:
> > ----------------
> > config setup
> > plutodebug = all
>
> plutodebug=none is only sensible option. Do this first to get readable
> and understandable logs. Those are debug options, enable those only if
> somebody here requests you to enable debugging options.
>
> Also note: "plutodebug = all" is not correct line. Spaces are not
> allowed on random places in config file.
>
> > include /etc/ipsec.d/*.conf
> >
> >
> > /etc/ipsec.d/connST603.conf:
> > ----------------------------
>
> Config format issue here too. No " = ".
>
> > conn connST603
> > authby = rsasig
> > auto = start
> > dpdaction = restart
> > dpddelay = 30
> > dpdtimeout = 120
> > esp = aes128-sha1
>
> With libreswan, option name is phase2alg=
>
> phase2alg=aes128-sha1
>
> > forceencaps = yes
>
> You don't want forceencaps=yes without very very good reason like
> broken firewall rule blocking ESP (IP proto 50) traffic.
>
> > ike = aes128-sha1
>
> Same about diffie-hellman group belongs to here.
>
> > ikelifetime = 86400s
> > left = %defaultroute
> > leftcert = globalCertificate
> > leftid = 54.194.188.148
> > leftrsasigkey = %cert
> > leftsubnets = 172.24.128.0/24
>
> Here is one subnet only. Do not use leftsubnets, use leftsubnet=
>
> > lifetime = 28800s
>
> Unrecognized option, lifetime. We have ikelifetime= for phase1
>
> > pfs = no
> > right = 54.194.210.197
> > rightid = 54.194.210.197
>
> This rightid only works if remote ceriticate has IP type subjectAtlName
> in their certificate. I'm quite sure they don't hae anything like that
> there. Usually rightid=%fromcert works if remote end offers certificate
> subject as ID. So use rightid=%fromcert and leftid=%fromcert. And if
> certificates are from same ca, I'd use rightca=%same for added security.
>
> > rightsubnets = 172.24.131.0/24
>
> Again, rightsubnet= because you only have one subnet listed.
>
> Below I can see from your cert there is no subjectAltName= specified so
> your only possible ID type is ID_DER_ASN1_DN also known as ceritificate
> subject.
>
> > type = tunnel
> >
> > ** I also tried using leftid="CN=...", but got similar results
> > The certificates look fine to me
> >
> > The signed certificate:
> > -----------------------
>
> --
> Tuomo Soini <tis at foobar.fi>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <http://foobar.fi/>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20160202/bf1a912a/attachment.html>
More information about the Swan
mailing list