[Swan] Question/troubleshooting x509 w/ intermediate & root CA
Bryan Harris
bryanlharris at gmail.com
Fri Sep 23 14:32:18 UTC 2016
Hi folks,
I wonder if you could help me troubleshoot what I'm doing wrong here. I've
been able to follow this file to get a working configuration with x509
certs signed by a common CA in the past:
/usr/share/doc/libreswan-3.15/README.nss.
So next I decided to follow the OpenSSL Cookbook by Ivan Ristic so I can
learn a little about ocsp. Using root/sub-CA was just a bonus.
Any help is of course appreciated. For some reason it worked when I just
had a single CA and now it's not working.
I thought I had everything set properly (I loaded both root and sub-CA into
p12 file) but my tunnel gives me the following message when I try to bring
it up (the message is always the OTHER side saying this).
Sep 23 09:41:43 right pluto[7337]: loading secrets from "/etc/ipsec.secrets"
Sep 23 09:41:43 right pluto[7337]: loading secrets from
"/etc/ipsec.d/right.secrets"
Sep 23 09:41:43 right pluto[7337]: loaded private key for keyid:
PPK_RSA:AwEAAb1Bx
Sep 23 09:41:57 right pluto[7337]: packet from 192.168.122.7:500: received
Vendor ID payload [Dead Peer Detection]
Sep 23 09:41:57 right pluto[7337]: packet from 192.168.122.7:500: received
Vendor ID payload [FRAGMENTATION]
Sep 23 09:41:57 right pluto[7337]: packet from 192.168.122.7:500: received
Vendor ID payload [RFC 3947]
Sep 23 09:41:57 right pluto[7337]: packet from 192.168.122.7:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 23 09:41:57 right pluto[7337]: packet from 192.168.122.7:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Sep 23 09:41:57 right pluto[7337]: packet from 192.168.122.7:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: responding to Main Mode
Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: STATE_MAIN_R1: sent MR1,
expecting MI2
Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: STATE_MAIN_R2: sent MR2,
expecting MI3
Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: Main mode peer ID is
ID_DER_ASN1_DN: 'C=GB, O=Example, CN=left'
Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: no RSA public key known
for 'C=GB, O=Example, CN=left'
Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: sending encrypted
notification INVALID_KEY_INFORMATION to 192.168.122.7:500
Sep 23 09:41:58 right pluto[7337]: "mytunnel" #1: Main mode peer ID is
ID_DER_ASN1_DN: 'C=GB, O=Example, CN=left'
Sep 23 09:41:58 right pluto[7337]: "mytunnel" #1: no RSA public key known
for 'C=GB, O=Example, CN=left'
Sep 23 09:41:58 right pluto[7337]: "mytunnel" #1: sending encrypted
notification INVALID_KEY_INFORMATION to 192.168.122.7:500
Sep 23 09:41:58 right pluto[7337]: "mytunnel" #1: Main mode peer ID is
ID_DER_ASN1_DN: 'C=GB, O=Example, CN=left'
Sep 23 09:41:58 right pluto[7337]: "mytunnel" #1: no RSA public key known
for 'C=GB, O=Example, CN=left'
This is all on RHEL 6 and here are some of my configurations. I can send
out more if needed.
[root at left:/home/blharris]
$ cat /etc/ipsec.d/left.secrets ### The RIGHT side is similar
: RSA "left"
[root at left:/home/blharris]
$ cat /etc/ipsec.d/host2host.conf ### The RIGHT side is similar
conn mytunnel
left=192.168.122.7
leftid="C=GB, O=Example, CN=left"
leftrsasigkey=%cert
leftcert="left"
right=192.168.122.8
rightid="C=GB, O=Example, CN=right"
rightrsasigkey=%cert
auto=add
[root at left:/home/blharris]
$ openssl x509 -in left.crt -noout -subject
subject= /C=GB/O=Example/CN=left
[root at left:/home/blharris]
$ certutil -L -d sql:/etc/ipsec.d/
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
left u,u,u
Root CA - Example CT,,
Sub CA - Example CT,,
I'm not sure if this next one is supposed to list the x509 from the other
side?
[root at left:/home/blharris]
$ ipsec auto --listall
000
000 List of RSA Public Keys:
000
000 Sep 23 10:16:17 2016, 2048 RSA Key AwEAAbNLY (has private key), until
Sep 23 07:59:32 2017 ok
000 ID_DER_ASN1_DN 'C=GB, O=Example, CN=left'
000 Issuer 'C=GB, O=Example, CN=Sub CA'
000
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000
000 1: RSA (none) (none)
000
000 List of X.509 End Certificates:
000
000 End certificate "left" - SN: 0x008a878064b67f70a2e343f7d42d0ae365
000 subject: C=GB, O=Example, CN=left
000 issuer: C=GB, O=Example, CN=Sub CA
000 not before: Fri Sep 23 11:59:32 2016
000 not after: Sat Sep 23 11:59:32 2017
000 2048 bit RSA: has private key
000
000 List of X.509 CA Certificates:
000
000 Root CA certificate "Root CA - Example" - SN:
0x00ab3e40667df73692f3df545d9f01a9cf
000 subject: C=GB, O=Example, CN=Root CA
000 issuer: C=GB, O=Example, CN=Root CA
000 not before: Thu Sep 22 17:07:28 2016
000 not after: Sun Sep 20 17:07:28 2026
000 4096 bit RSA
000
000 CA certificate "Sub CA - Example" - SN:
0x00ab3e40667df73692f3df545d9f01a9d1
000 subject: C=GB, O=Example, CN=Sub CA
000 issuer: C=GB, O=Example, CN=Root CA
000 not before: Fri Sep 23 11:25:13 2016
000 not after: Mon Sep 21 11:25:13 2026
000 4096 bit RSA
000
000 List of CRLs:
And in case it helps here is what one of the text of the certs looks like.
[root at left:/home/blharris]
$ openssl x509 -in left.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
8a:87:80:64:b6:7f:70:a2:e3:43:f7:d4:2d:0a:e3:65
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, O=Example, CN=Sub CA
Validity
Not Before: Sep 23 11:59:32 2016 GMT
Not After : Sep 23 11:59:32 2017 GMT
Subject: C=GB, O=Example, CN=left
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b3:4b:62:84:0a:21:12:4f:2a:2f:41:8e:f4:07:
0a:75:92:62:d8:44:4f:4d:42:b5:7f:c9:63:b7:55:
c3:d8:e6:ba:8b:07:af:cc:93:a6:a9:fc:91:d9:15:
4c:80:bc:94:1f:23:db:96:72:00:ce:5a:73:bf:23:
32:42:08:24:9b:bb:4a:0c:e1:34:e9:78:a3:05:03:
b8:cd:1c:61:37:4a:c2:d0:30:bc:22:21:8b:1b:b2:
d9:7b:42:92:c7:f8:8d:8f:dc:52:a0:4f:da:f1:f0:
99:f0:27:71:84:2b:a5:a3:4e:c2:7e:e8:16:c2:de:
4a:a6:b5:66:ec:d2:b5:01:b5:f3:f8:23:6c:d6:5d:
75:40:89:65:d3:91:52:11:41:2f:54:1e:fc:be:33:
55:5e:48:d7:00:0a:c0:d7:cb:97:69:c6:f4:95:d1:
55:36:fd:95:1a:db:ab:ae:a4:13:df:a5:f0:db:12:
9a:53:e6:ac:06:d0:0d:28:15:0a:dd:14:17:0c:62:
08:d7:2e:2b:f7:46:0a:bd:a0:f4:84:dd:07:72:77:
8c:3c:d7:a1:42:6f:95:52:9a:4e:3f:36:41:20:0f:
79:cb:7e:b7:c4:39:e1:32:3a:67:cd:24:62:cb:8b:
33:ae:ef:ea:4e:f1:4c:ca:e1:78:3e:09:a4:b2:6d:
5e:01
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
CA Issuers - URI:http://sub-ca.example.com/sub-ca.crt
OCSP - URI:http://ocsp.sub-ca.example.com:9081
X509v3 Authority Key Identifier:
keyid:49:F8:A3:3D:60:FE:5B:75:17:C3:30:EC:C3:A7:36:0F:40:B1:EC:08
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://sub-ca.example.com/sub-ca.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Subject Key Identifier:
DC:EE:FF:E0:4F:E9:8E:D8:0F:06:E7:A0:D4:AF:6B:24:3C:60:5B:2E
Signature Algorithm: sha256WithRSAEncryption
3d:b0:ce:2b:9d:80:83:4f:2d:aa:a3:22:61:3d:60:87:00:73:
b3:32:dc:58:b1:19:14:70:8c:9e:74:f1:22:4f:f1:15:ff:54:
9d:53:bf:c3:23:05:53:77:0e:fd:7b:50:b8:58:a9:06:72:5b:
40:02:d8:f4:26:32:c4:6f:56:1d:6b:22:8d:e4:1d:76:6c:05:
a0:64:7c:69:32:23:b1:08:57:17:44:61:4e:40:45:0d:13:f0:
6b:4e:12:81:a9:09:47:58:4c:fa:54:b2:ab:b9:41:78:58:b8:
88:14:dc:e8:ae:95:f7:d3:e1:02:f8:51:60:ac:7f:f7:10:43:
6f:17:39:33:41:e2:1c:9b:a7:a5:32:c2:23:37:6c:b2:fe:c3:
03:4a:87:3f:77:1b:f7:da:26:84:c4:00:48:d1:f8:67:1e:3c:
26:8e:75:a5:81:b2:c0:65:e5:24:b5:75:a6:8b:fe:e8:45:f6:
d5:5a:80:c3:65:9b:73:96:77:5b:5c:8b:9a:e8:08:6c:a8:79:
9d:b1:6b:3a:d2:a2:b5:c1:35:15:54:39:b3:19:3e:59:57:96:
f7:0c:5c:a1:5e:0c:5d:ec:87:72:67:81:8f:75:c3:c7:f9:41:
12:08:96:6b:9d:dc:c0:3e:fc:3c:26:14:d7:fc:cf:5a:aa:92:
d1:28:b2:16:b6:4b:5f:c8:2e:b6:bd:7b:b6:d3:72:34:01:a3:
ae:3f:1e:34:f4:a1:9d:14:22:8c:c8:88:94:e8:19:19:ed:b4:
ea:69:96:0b:83:f2:80:45:e9:eb:40:23:bb:a8:b5:d5:f3:08:
56:b1:ba:b9:c9:e8:82:82:0a:86:bb:12:7d:49:a0:48:e7:a4:
6d:c8:07:87:ef:b2:8b:e3:4c:3c:f5:d2:4b:74:c3:5d:2c:10:
45:f2:66:ba:44:b6:fc:88:76:1a:96:77:a8:e4:c9:91:ed:71:
00:90:05:91:cf:0f:b3:24:a6:76:85:2c:e5:6e:31:de:a1:00:
fc:34:b4:cf:f4:04:0d:34:df:92:f4:a6:1e:c8:89:7d:d2:1e:
60:ae:a5:2a:ab:59:1e:d5:b9:e6:0a:38:51:7e:1b:85:2c:e6:
fb:5c:9d:fb:bc:9d:5e:52:c3:fb:4c:cf:47:4e:0e:c8:58:eb:
95:77:83:b1:60:69:32:3b:cb:21:f0:1c:05:67:fc:d1:05:1d:
46:cb:6b:6a:5f:d6:e4:15:9c:27:e4:a5:f8:74:79:c3:5c:8b:
b6:dd:44:47:a8:ee:44:64:64:ee:6f:9d:8b:0b:79:77:49:5e:
a5:d8:b9:be:19:d0:d4:a5:36:c8:e7:b1:20:05:f9:1a:9a:1d:
e5:8d:43:4b:b7:c2:73:48
Thanks in advance.
V/r,
Bryan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20160923/693b4270/attachment-0001.html>
More information about the Swan
mailing list