[Swan] Question/troubleshooting x509 w/ intermediate & root CA

Bryan Harris bryanlharris at gmail.com
Fri Sep 23 14:32:18 UTC 2016


Hi folks,

I wonder if you could help me troubleshoot what I'm doing wrong here.  I've
been able to follow this file to get a working configuration with x509
certs signed by a common CA in the past:
/usr/share/doc/libreswan-3.15/README.nss.

So next I decided to follow the OpenSSL Cookbook by Ivan Ristic so I can
learn a little about ocsp.  Using root/sub-CA was just a bonus.

Any help is of course appreciated.  For some reason it worked when I just
had a single CA and now it's not working.

I thought I had everything set properly (I loaded both root and sub-CA into
p12 file) but my tunnel gives me the following message when I try to bring
it up (the message is always the OTHER side saying this).

Sep 23 09:41:43 right pluto[7337]: loading secrets from "/etc/ipsec.secrets"
Sep 23 09:41:43 right pluto[7337]: loading secrets from
"/etc/ipsec.d/right.secrets"
Sep 23 09:41:43 right pluto[7337]: loaded private key for keyid:
PPK_RSA:AwEAAb1Bx
Sep 23 09:41:57 right pluto[7337]: packet from 192.168.122.7:500: received
Vendor ID payload [Dead Peer Detection]
Sep 23 09:41:57 right pluto[7337]: packet from 192.168.122.7:500: received
Vendor ID payload [FRAGMENTATION]
Sep 23 09:41:57 right pluto[7337]: packet from 192.168.122.7:500: received
Vendor ID payload [RFC 3947]
Sep 23 09:41:57 right pluto[7337]: packet from 192.168.122.7:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 23 09:41:57 right pluto[7337]: packet from 192.168.122.7:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Sep 23 09:41:57 right pluto[7337]: packet from 192.168.122.7:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: responding to Main Mode
Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: STATE_MAIN_R1: sent MR1,
expecting MI2
Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: STATE_MAIN_R2: sent MR2,
expecting MI3
Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: Main mode peer ID is
ID_DER_ASN1_DN: 'C=GB, O=Example, CN=left'
Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: no RSA public key known
for 'C=GB, O=Example, CN=left'
Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: sending encrypted
notification INVALID_KEY_INFORMATION to 192.168.122.7:500
Sep 23 09:41:58 right pluto[7337]: "mytunnel" #1: Main mode peer ID is
ID_DER_ASN1_DN: 'C=GB, O=Example, CN=left'
Sep 23 09:41:58 right pluto[7337]: "mytunnel" #1: no RSA public key known
for 'C=GB, O=Example, CN=left'
Sep 23 09:41:58 right pluto[7337]: "mytunnel" #1: sending encrypted
notification INVALID_KEY_INFORMATION to 192.168.122.7:500
Sep 23 09:41:58 right pluto[7337]: "mytunnel" #1: Main mode peer ID is
ID_DER_ASN1_DN: 'C=GB, O=Example, CN=left'
Sep 23 09:41:58 right pluto[7337]: "mytunnel" #1: no RSA public key known
for 'C=GB, O=Example, CN=left'

This is all on RHEL 6 and here are some of my configurations.  I can send
out more if needed.

[root at left:/home/blharris]
$ cat /etc/ipsec.d/left.secrets ### The RIGHT side is similar
: RSA "left"

[root at left:/home/blharris]
$ cat /etc/ipsec.d/host2host.conf  ### The RIGHT side is similar

conn mytunnel
  left=192.168.122.7
  leftid="C=GB, O=Example, CN=left"
  leftrsasigkey=%cert
  leftcert="left"
  right=192.168.122.8
  rightid="C=GB, O=Example, CN=right"
  rightrsasigkey=%cert
  auto=add

[root at left:/home/blharris]
$ openssl x509 -in left.crt -noout -subject
subject= /C=GB/O=Example/CN=left

[root at left:/home/blharris]
$ certutil -L -d sql:/etc/ipsec.d/

Certificate Nickname                                         Trust
Attributes

SSL,S/MIME,JAR/XPI

left                                                         u,u,u
Root CA - Example                                            CT,,
Sub CA - Example                                             CT,,

I'm not sure if this next one is supposed to list the x509 from the other
side?

[root at left:/home/blharris]
$ ipsec auto --listall
000
000 List of RSA Public Keys:
000
000 Sep 23 10:16:17 2016, 2048 RSA Key AwEAAbNLY (has private key), until
Sep 23 07:59:32 2017 ok
000        ID_DER_ASN1_DN 'C=GB, O=Example, CN=left'
000        Issuer 'C=GB, O=Example, CN=Sub CA'
000
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000
000     1: RSA (none) (none)
000
000 List of X.509 End Certificates:
000
000 End certificate "left" - SN: 0x008a878064b67f70a2e343f7d42d0ae365
000   subject: C=GB, O=Example, CN=left
000   issuer: C=GB, O=Example, CN=Sub CA
000   not before: Fri Sep 23 11:59:32 2016
000   not after: Sat Sep 23 11:59:32 2017
000   2048 bit RSA: has private key
000
000 List of X.509 CA Certificates:
000
000 Root CA certificate "Root CA - Example" - SN:
0x00ab3e40667df73692f3df545d9f01a9cf
000   subject: C=GB, O=Example, CN=Root CA
000   issuer: C=GB, O=Example, CN=Root CA
000   not before: Thu Sep 22 17:07:28 2016
000   not after: Sun Sep 20 17:07:28 2026
000   4096 bit RSA
000
000 CA certificate "Sub CA - Example" - SN:
0x00ab3e40667df73692f3df545d9f01a9d1
000   subject: C=GB, O=Example, CN=Sub CA
000   issuer: C=GB, O=Example, CN=Root CA
000   not before: Fri Sep 23 11:25:13 2016
000   not after: Mon Sep 21 11:25:13 2026
000   4096 bit RSA
000
000 List of CRLs:

And in case it helps here is what one of the text of the certs looks like.

[root at left:/home/blharris]
$ openssl x509 -in left.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8a:87:80:64:b6:7f:70:a2:e3:43:f7:d4:2d:0a:e3:65
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, O=Example, CN=Sub CA
        Validity
            Not Before: Sep 23 11:59:32 2016 GMT
            Not After : Sep 23 11:59:32 2017 GMT
        Subject: C=GB, O=Example, CN=left
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b3:4b:62:84:0a:21:12:4f:2a:2f:41:8e:f4:07:
                    0a:75:92:62:d8:44:4f:4d:42:b5:7f:c9:63:b7:55:
                    c3:d8:e6:ba:8b:07:af:cc:93:a6:a9:fc:91:d9:15:
                    4c:80:bc:94:1f:23:db:96:72:00:ce:5a:73:bf:23:
                    32:42:08:24:9b:bb:4a:0c:e1:34:e9:78:a3:05:03:
                    b8:cd:1c:61:37:4a:c2:d0:30:bc:22:21:8b:1b:b2:
                    d9:7b:42:92:c7:f8:8d:8f:dc:52:a0:4f:da:f1:f0:
                    99:f0:27:71:84:2b:a5:a3:4e:c2:7e:e8:16:c2:de:
                    4a:a6:b5:66:ec:d2:b5:01:b5:f3:f8:23:6c:d6:5d:
                    75:40:89:65:d3:91:52:11:41:2f:54:1e:fc:be:33:
                    55:5e:48:d7:00:0a:c0:d7:cb:97:69:c6:f4:95:d1:
                    55:36:fd:95:1a:db:ab:ae:a4:13:df:a5:f0:db:12:
                    9a:53:e6:ac:06:d0:0d:28:15:0a:dd:14:17:0c:62:
                    08:d7:2e:2b:f7:46:0a:bd:a0:f4:84:dd:07:72:77:
                    8c:3c:d7:a1:42:6f:95:52:9a:4e:3f:36:41:20:0f:
                    79:cb:7e:b7:c4:39:e1:32:3a:67:cd:24:62:cb:8b:
                    33:ae:ef:ea:4e:f1:4c:ca:e1:78:3e:09:a4:b2:6d:
                    5e:01
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://sub-ca.example.com/sub-ca.crt
                OCSP - URI:http://ocsp.sub-ca.example.com:9081

            X509v3 Authority Key Identifier:

keyid:49:F8:A3:3D:60:FE:5B:75:17:C3:30:EC:C3:A7:36:0F:40:B1:EC:08

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://sub-ca.example.com/sub-ca.crl

            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                DC:EE:FF:E0:4F:E9:8E:D8:0F:06:E7:A0:D4:AF:6B:24:3C:60:5B:2E
    Signature Algorithm: sha256WithRSAEncryption
         3d:b0:ce:2b:9d:80:83:4f:2d:aa:a3:22:61:3d:60:87:00:73:
         b3:32:dc:58:b1:19:14:70:8c:9e:74:f1:22:4f:f1:15:ff:54:
         9d:53:bf:c3:23:05:53:77:0e:fd:7b:50:b8:58:a9:06:72:5b:
         40:02:d8:f4:26:32:c4:6f:56:1d:6b:22:8d:e4:1d:76:6c:05:
         a0:64:7c:69:32:23:b1:08:57:17:44:61:4e:40:45:0d:13:f0:
         6b:4e:12:81:a9:09:47:58:4c:fa:54:b2:ab:b9:41:78:58:b8:
         88:14:dc:e8:ae:95:f7:d3:e1:02:f8:51:60:ac:7f:f7:10:43:
         6f:17:39:33:41:e2:1c:9b:a7:a5:32:c2:23:37:6c:b2:fe:c3:
         03:4a:87:3f:77:1b:f7:da:26:84:c4:00:48:d1:f8:67:1e:3c:
         26:8e:75:a5:81:b2:c0:65:e5:24:b5:75:a6:8b:fe:e8:45:f6:
         d5:5a:80:c3:65:9b:73:96:77:5b:5c:8b:9a:e8:08:6c:a8:79:
         9d:b1:6b:3a:d2:a2:b5:c1:35:15:54:39:b3:19:3e:59:57:96:
         f7:0c:5c:a1:5e:0c:5d:ec:87:72:67:81:8f:75:c3:c7:f9:41:
         12:08:96:6b:9d:dc:c0:3e:fc:3c:26:14:d7:fc:cf:5a:aa:92:
         d1:28:b2:16:b6:4b:5f:c8:2e:b6:bd:7b:b6:d3:72:34:01:a3:
         ae:3f:1e:34:f4:a1:9d:14:22:8c:c8:88:94:e8:19:19:ed:b4:
         ea:69:96:0b:83:f2:80:45:e9:eb:40:23:bb:a8:b5:d5:f3:08:
         56:b1:ba:b9:c9:e8:82:82:0a:86:bb:12:7d:49:a0:48:e7:a4:
         6d:c8:07:87:ef:b2:8b:e3:4c:3c:f5:d2:4b:74:c3:5d:2c:10:
         45:f2:66:ba:44:b6:fc:88:76:1a:96:77:a8:e4:c9:91:ed:71:
         00:90:05:91:cf:0f:b3:24:a6:76:85:2c:e5:6e:31:de:a1:00:
         fc:34:b4:cf:f4:04:0d:34:df:92:f4:a6:1e:c8:89:7d:d2:1e:
         60:ae:a5:2a:ab:59:1e:d5:b9:e6:0a:38:51:7e:1b:85:2c:e6:
         fb:5c:9d:fb:bc:9d:5e:52:c3:fb:4c:cf:47:4e:0e:c8:58:eb:
         95:77:83:b1:60:69:32:3b:cb:21:f0:1c:05:67:fc:d1:05:1d:
         46:cb:6b:6a:5f:d6:e4:15:9c:27:e4:a5:f8:74:79:c3:5c:8b:
         b6:dd:44:47:a8:ee:44:64:64:ee:6f:9d:8b:0b:79:77:49:5e:
         a5:d8:b9:be:19:d0:d4:a5:36:c8:e7:b1:20:05:f9:1a:9a:1d:
         e5:8d:43:4b:b7:c2:73:48

Thanks in advance.

V/r,
Bryan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20160923/693b4270/attachment-0001.html>


More information about the Swan mailing list