[Swan] authenticated Opportunistic Encryption !
Paul Wouters
paul at nohats.ca
Mon Dec 4 16:03:41 UTC 2017
On Mon, 4 Dec 2017, Kesava Vunnava (kesriniv) wrote:
> Subject: RE: [Swan] authenticated Opportunistic Encryption !
> Got rid of error mentioned in below mail. A new error popped up . Though peer's certificate (public key) was there in nss DB , log was saying "no RSA public key known for 10.77.123.171".
> PFA "oe-certificate.conf" file for both hosts (CENTOS-171, CENTOS-172) . Included the same configuration file in /etc/ipsec.conf.
>
> Dec 4 00:38:10: "private-or-clear#10.77.123.0/24"[1] ...10.77.123.171 #1: private-or-clear#10.77.123.0/24 ESP/AH proposals for initiator: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default)
> Dec 4 00:38:10: "private-or-clear#10.77.123.0/24"[1] ...10.77.123.171 #3: EXPECTATION FAILED: r != NULL (in ikev2_decode_peer_id_and_certs at ikev2.c:1390)
This expectation shows that you are not running 3.22. Can you use 3.22 ?
> Dec 4 00:38:10: "private-or-clear#10.77.123.0/24"[1] ...10.77.123.171 #3: no RSA public key known for '10.77.123.171'
If that is the remote IP then it seems you might be missing
rightrsasigkey=%fromcert or the remote is not sending a CERT
payload? (maybe try leftsendcert=always on the remote?)
If you are using intermediate certs, perhaps you need sendca=all to send
the intermediate CA's over IKE as well.
> O/P of "certutil -L -d sql:/etc/ipsec.d/" - This command was executed on "CENTOS-172" . Can see that Certificate for "CENTOS-171" was lying in nss DB.
> ##############################################
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
>
> CENTOS-CA CTu,u,u
> CENTOS-172 pu,pu,pu
> CENTOS-171 p,p,p
I've never seen the p flag set/used ?
> Also, can you please confirm me the tested/stable build for "authenticated opportunistic encryption" !? Reason: The same certs/keys were working fine for host-host tunnel . It's unable to find the RSA public key after loading configuration for "private-or-clear" .
That's odd. We recommend using 3.22 or 3.23rc1.
> Also, from below O/P it looks for 171->172 an unique SPI identifier got generated but from 172->171 the same was NOT happening. It was 0X0 .
>
> [root at CENTOS-171 ipsec.d]# ip xfrm state
> src 10.77.123.171 dst 10.77.123.172
> proto esp spi 0x66e5c871 reqid 16397 mode tunnel
> replay-window 0
> sel src 10.77.123.171/32 dst 10.77.123.172/32
> src 10.77.123.172 dst 10.77.123.171
> proto esp spi 0x00000000 reqid 0 mode transport
> replay-window 0
> sel src 10.77.123.172/32 dst 10.77.123.171/32 proto udp sport 7946 dport 7946 dev ens32
That should never happen. Can you run with plutodebug=all and see what's
going on?
Paul
More information about the Swan
mailing list