[Swan] authenticated Opportunistic Encryption !

Paul Wouters paul at nohats.ca
Mon Dec 4 16:03:41 UTC 2017 

On Mon, 4 Dec 2017, Kesava Vunnava (kesriniv) wrote:

> Subject: RE: [Swan] authenticated Opportunistic Encryption !

> Got rid of error mentioned in below mail. A new error popped up . Though peer's certificate (public key) was there in nss DB , log was saying "no RSA public key known for 10.77.123.171".
> PFA "oe-certificate.conf" file for both hosts (CENTOS-171, CENTOS-172) .  Included the same configuration file in /etc/ipsec.conf.
>
> Dec  4 00:38:10: "private-or-clear#10.77.123.0/24"[1] ...10.77.123.171 #1: private-or-clear#10.77.123.0/24 ESP/AH proposals for initiator: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default)
> Dec  4 00:38:10: "private-or-clear#10.77.123.0/24"[1] ...10.77.123.171 #3: EXPECTATION FAILED: r != NULL (in ikev2_decode_peer_id_and_certs at ikev2.c:1390)

This expectation shows that you are not running 3.22. Can you use 3.22 ?

> Dec  4 00:38:10: "private-or-clear#10.77.123.0/24"[1] ...10.77.123.171 #3: no RSA public key known for '10.77.123.171'

If that is the remote IP then it seems you might be missing
rightrsasigkey=%fromcert or the remote is not sending a CERT
payload? (maybe try leftsendcert=always on the remote?)

If you are using intermediate certs, perhaps you need sendca=all to send
the intermediate CA's over IKE as well.

> O/P of "certutil -L -d sql:/etc/ipsec.d/" - This command was executed on "CENTOS-172" .  Can see that Certificate for "CENTOS-171" was lying in nss DB.
> ##############################################
> Certificate Nickname                                      Trust Attributes
> 	                                                             SSL,S/MIME,JAR/XPI
>
> CENTOS-CA 	                                	            CTu,u,u
> CENTOS-172       	                                            pu,pu,pu
> CENTOS-171                       	                            p,p,p

I've never seen the p flag set/used ?

> Also, can you please confirm me the tested/stable build for "authenticated opportunistic encryption" !? Reason: The same certs/keys were working fine for host-host tunnel . It's unable to find the RSA public key after loading  configuration for "private-or-clear" .

That's odd. We recommend using 3.22 or 3.23rc1.

> Also, from below O/P it looks for 171->172 an unique SPI identifier got generated but from 172->171 the same was NOT happening. It was 0X0 .
>
> [root at CENTOS-171 ipsec.d]# ip xfrm state
> src 10.77.123.171 dst 10.77.123.172
>        proto esp spi 0x66e5c871 reqid 16397 mode tunnel
>        replay-window 0
>        sel src 10.77.123.171/32 dst 10.77.123.172/32
> src 10.77.123.172 dst 10.77.123.171
>        proto esp spi 0x00000000 reqid 0 mode transport
>        replay-window 0
>        sel src 10.77.123.172/32 dst 10.77.123.171/32 proto udp sport 7946 dport 7946 dev ens32

That should never happen. Can you run with plutodebug=all and see what's
going on?

Paul

More information about the Swan mailing list