[Swan] authenticated Opportunistic Encryption !

Paul Wouters paul at nohats.ca
Fri Dec 1 06:42:56 UTC 2017


On Fri, 1 Dec 2017, Kesava Vunnava (kesriniv) wrote:

> 1] Moved from self-signed certificates to CA-signed certificates.
> 2] PFA Updated ipsec.conf.
>
> With these couple of changes, able to establish host-host (left-right) tunnel with certificates as authentication mechanism.
>
> However now trying to bring up "authenticated OE" between these two hosts. PFA corresponding configuration for "authenticated OE" (oe-certificate.conf). Also ensured that 10.77.123.0/24 was added to "private-or-clear" under policies folder.
>
> After bringing up ipsec, it was throwing the following error (pluto.log):
>
> Nov 30 23:14:21: loading group "/etc/ipsec.d/policies/private-or-clear"
> Nov 30 23:14:22: "private-or-clear#10.77.123.0/24"[1] ...10.77.123.171 #1: private-or-clear#10.77.123.0/24 IKE proposals for initial initiator (selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536 (default)
> Nov 30 23:14:22: "private-or-clear#10.77.123.0/24"[1] ...10.77.123.171 #1: Failed to find our RSA key

You can try adding to ipsec.secrets:

: RSA "CENTOS-171"

maybe also check ipsec auto --listall to see if the cert and "has
private key" show up properly?

Note that private-or-clear should have failureshunt=passthrough but that
is not your current problem.


> When trying to initiate traffic, it was throwing the following error on the console:
> [root at CENTOS-172 ipsec.d]# ping 10.77.123.171
> connect: Operation not permitted

Because the missing failure shunt isn't installed, your packets are
getting blocked.

Paul
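As an added illustration (not from the thread or from libreswan itself), the two checks Paul raises, an ipsec.secrets entry naming the certificate and failureshunt=passthrough on the private-or-clear conn, can be linted from the config files. The sample ipsec.conf is constructed for this example; only the CENTOS-171 nickname comes from the thread, every other option value is an assumption.

```python
import re

# Constructed sample ipsec.conf modelled on the private-or-clear OE conn from
# the thread; "CENTOS-171" is the thread's cert nickname, the rest is assumed.
SAMPLE_IPSEC_CONF = """\
conn private-or-clear
    left=%defaultroute
    leftcert=CENTOS-171
    leftid=%fromcert
    right=%opportunisticgroup
    rightid=%fromcert
    authby=rsasig
    auto=ondemand
"""
# Constructed ipsec.secrets holding the line Paul suggests adding.
SAMPLE_IPSEC_SECRETS = ': RSA "CENTOS-171"\n'


def parse_conns(text: str) -> dict:
    """Split ipsec.conf into {section name: {key: value}}, dropping comments."""
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^(conn|config)\s+(\S+)\s*$", line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def check_oe_conn(conf: str, secrets: str, conn_name: str) -> list:
    """Report the two problems from the thread for one OE conn."""
    conn = parse_conns(conf).get(f"conn {conn_name}")
    if conn is None:
        return [f"conn {conn_name} not found"]
    findings = []
    # Without failureshunt=passthrough the flow stays blocked when IKE fails
    # ("connect: Operation not permitted" in the thread).
    if conn.get("failureshunt") != "passthrough":
        findings.append("failureshunt=passthrough missing")
    # Paul's fix for "Failed to find our RSA key": a secrets line for the cert.
    cert = conn.get("leftcert")
    if cert and f': RSA "{cert}"' not in secrets:
        findings.append(f"no RSA entry for nickname {cert} in ipsec.secrets")
    return findings
```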

