[Swan] authenticated Opportunistic Encryption !

Kesava Vunnava (kesriniv) kesriniv at cisco.com
Mon Dec 4 06:25:09 UTC 2017


Hi Paul,

Got rid of the error mentioned in the mail below. A new error popped up. Though the peer's certificate (public key) was there in the NSS DB, the log was saying "no RSA public key known for 10.77.123.171".
PFA "oe-certificate.conf" file for both hosts (CENTOS-171, CENTOS-172). Included the same configuration file in /etc/ipsec.conf.

Dec  4 00:38:10: "private-or-clear#10.77.123.0/24"[1] ...10.77.123.171 #1: private-or-clear#10.77.123.0/24 ESP/AH proposals for initiator: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default)
Dec  4 00:38:10: "private-or-clear#10.77.123.0/24"[1] ...10.77.123.171 #3: EXPECTATION FAILED: r != NULL (in ikev2_decode_peer_id_and_certs at ikev2.c:1390)
Dec  4 00:38:10: "private-or-clear#10.77.123.0/24"[1] ...10.77.123.171 #3: no RSA public key known for '10.77.123.171'
Dec  4 00:38:10: "private-or-clear#10.77.123.0/24"[1] ...10.77.123.171 #3: RSA authentication failed
Dec  4 00:38:10: "private-or-clear#10.77.123.0/24"[1] ...10.77.123.171 #3: sending unencrypted notification v2N_AUTHENTICATION_FAILED to 10.77.123.171:500
Dec  4 00:38:10: | ikev2_parent_inI2outR2_tail returned STF_FATAL
Dec  4 00:38:11: packet from 10.77.123.171:500: Received v2N_INVALID_IKE_SPI notify

O/P of "certutil -L -d sql:/etc/ipsec.d/" - This command was executed on "CENTOS-172". Can see that the certificate for "CENTOS-171" was lying in the NSS DB.
##############################################
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CENTOS-CA                                                    CTu,u,u
CENTOS-172                                                   pu,pu,pu
CENTOS-171                                                   p,p,p
##############################################

Also, can you please confirm the tested/stable build for "authenticated opportunistic encryption"? Reason: The same certs/keys were working fine for the host-host tunnel. It's unable to find the RSA public key after loading the configuration for "private-or-clear".

Also, from the O/P below it looks like for 171->172 a unique SPI identifier got generated, but from 172->171 the same was NOT happening. It was 0X0.

[root@CENTOS-171 ipsec.d]# ip xfrm state
src 10.77.123.171 dst 10.77.123.172
        proto esp spi 0x66e5c871 reqid 16397 mode tunnel
        replay-window 0
        sel src 10.77.123.171/32 dst 10.77.123.172/32
src 10.77.123.172 dst 10.77.123.171
        proto esp spi 0x00000000 reqid 0 mode transport
        replay-window 0
        sel src 10.77.123.172/32 dst 10.77.123.171/32 proto udp sport 7946 dport 7946 dev ens32

Thank you a lot for all the help!!!

-Regards,
Kesav. 

-----Original Message-----
From: Paul Wouters [mailto:paul at nohats.ca] 
Sent: Friday, December 01, 2017 12:13 PM
To: Kesava Vunnava (kesriniv) <kesriniv at cisco.com>
Cc: swan at lists.libreswan.org
Subject: RE: [Swan] authenticated Opportunistic Encryption !

On Fri, 1 Dec 2017, Kesava Vunnava (kesriniv) wrote:

> 1] Moved from self-signed certificates to CA-signed certificates.
> 2] PFA updated ipsec.conf.
>
> With this couple of changes, able to establish host-host (left-right) tunnel with certificates as authentication mechanism.
>
> However now trying to bring up "authenticated OE" between these two hosts. PFA corresponding configuration for "authenticated OE" (oe-certificate.conf). Also ensured that 10.77.123.0/24 was added to "private-or-clear" under policies folder.
>
> Once after bringing UP ipsec, it was throwing the following error (pluto.log):
>
> Nov 30 23:14:21: loading group "/etc/ipsec.d/policies/private-or-clear"
> Nov 30 23:14:22: "private-or-clear#10.77.123.0/24"[1] ...10.77.123.171 #1: private-or-clear#10.77.123.0/24 IKE proposals for initial initiator (selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536 (default)
> Nov 30 23:14:22: "private-or-clear#10.77.123.0/24"[1] ...10.77.123.171 #1: Failed to find our RSA key

You can try adding to ipsec.secrets:

: RSA "CENTOS-171"

Maybe also check ipsec auto --listall to see if the cert and "has private key" show up properly?

Note that private-or-clear should have failureshunt=passthrough but that is not your current problem.


> When trying to initiate traffic, it was throwing the following error
> on console:
> [root@CENTOS-172 ipsec.d]# ping 10.77.123.171
> connect: Operation not permitted

Because the missing failure shunt isn't installed, your packets are getting blocked.

Paul
-------------- next part --------------
A non-text attachment was scrubbed...
Name: oe-certificate-171.conf
Type: application/octet-stream
Size: 378 bytes
Desc: oe-certificate-171.conf
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20171204/ddd355e6/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: oe-certificate-172.conf
Type: application/octet-stream
Size: 378 bytes
Desc: oe-certificate-172.conf
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20171204/ddd355e6/attachment-0001.obj>
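
Added example, not part of the original thread: a small parser for `ip xfrm state` output like the listing in the message above, which flags entries whose SPI is zero, i.e. kernel placeholder states with no negotiated SA behind them. The sample input is constructed from the addresses shown in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample mirroring the `ip xfrm state` listing in this thread.
SAMPLE = """\
src 10.77.123.171 dst 10.77.123.172
        proto esp spi 0x66e5c871 reqid 16397 mode tunnel
        replay-window 0
        sel src 10.77.123.171/32 dst 10.77.123.172/32
src 10.77.123.172 dst 10.77.123.171
        proto esp spi 0x00000000 reqid 0 mode transport
        replay-window 0
        sel src 10.77.123.172/32 dst 10.77.123.171/32 proto udp sport 7946 dport 7946 dev ens32
"""

# Block header (unindented) and the indented "proto ... spi ..." detail line.
HEAD = re.compile(r"^src (\S+) dst (\S+)")
PROTO = re.compile(r"^\s+proto (\S+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\S+)")


def parse_xfrm_states(text):
    """Return one dict per state block in `ip xfrm state` output."""
    states = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            states.append({"src": m.group(1), "dst": m.group(2), "sel": None})
            continue
        if not states:
            continue  # ignore anything before the first "src ... dst ..." header
        cur = states[-1]
        m = PROTO.match(line)
        if m:
            cur.update(proto=m.group(1), spi=int(m.group(2), 16),
                       reqid=int(m.group(3)), mode=m.group(4))
        elif line.strip().startswith("sel "):
            cur["sel"] = line.strip()[4:]  # selector, without the "sel " keyword
    return states


def pending_states(states):
    """States whose SPI is zero: placeholders without a negotiated SA."""
    return [s for s in states if s.get("spi") == 0]


if __name__ == "__main__":
    for s in parse_xfrm_states(SAMPLE):
        status = "PENDING (spi 0)" if s.get("spi") == 0 else "established"
        print(f'{s["src"]} -> {s["dst"]} {s.get("mode")} spi={s.get("spi", 0):#010x} {status}')
```
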

