<div dir="ltr"><div><div><div><div><div><div><div><div><div><div>Hi folks,<br><br></div><div>I wonder if you could help me troubleshoot what I'm doing wrong here.  I've been able to follow this file to get a working configuration with x509 certs signed by a common CA in the past: /usr/share/doc/libreswan-3.15/README.nss. <br><br>So next I decided to follow the OpenSSL Cookbook by Ivan Ristic so I can learn a little about ocsp.  Using root/sub-CA was just a bonus.<br><br></div><div>Any help is of course appreciated.  For some reason it worked when I just had a single CA and now it's not working.<br></div></div></div><br></div>I thought I had everything set properly (I loaded both root and sub-CA into p12 file) but my tunnel gives me the following message when I try to bring it up (the message is always the OTHER side saying this).<br><br>Sep 23 09:41:43 right pluto[7337]: loading secrets from "/etc/ipsec.secrets"<br>Sep 23 09:41:43 right pluto[7337]: loading secrets from "/etc/ipsec.d/right.secrets"<br>Sep 23 09:41:43 right pluto[7337]: loaded private key for keyid: PPK_RSA:AwEAAb1Bx<br>Sep 23 09:41:57 right pluto[7337]: packet from <a href="http://192.168.122.7:500">192.168.122.7:500</a>: received Vendor ID payload [Dead Peer Detection]<br>Sep 23 09:41:57 right pluto[7337]: packet from <a href="http://192.168.122.7:500">192.168.122.7:500</a>: received Vendor ID payload [FRAGMENTATION]<br>Sep 23 09:41:57 right pluto[7337]: packet from <a href="http://192.168.122.7:500">192.168.122.7:500</a>: received Vendor ID payload [RFC 3947]<br>Sep 23 09:41:57 right pluto[7337]: packet from <a href="http://192.168.122.7:500">192.168.122.7:500</a>: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]<br>Sep 23 09:41:57 right pluto[7337]: packet from <a href="http://192.168.122.7:500">192.168.122.7:500</a>: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]<br>Sep 23 09:41:57 right pluto[7337]: packet from <a href="http://192.168.122.7:500">192.168.122.7:500</a>: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]<br>Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)<br>Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: responding to Main Mode<br>Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: STATE_MAIN_R1: sent MR1, expecting MI2<br>Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected<br>Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: STATE_MAIN_R2: sent MR2, expecting MI3<br>Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=GB, O=Example, CN=left'<br>Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: no RSA public key known for 'C=GB, O=Example, CN=left'<br>Sep 23 09:41:57 right pluto[7337]: "mytunnel" #1: sending encrypted notification INVALID_KEY_INFORMATION to <a href="http://192.168.122.7:500">192.168.122.7:500</a><br>Sep 23 09:41:58 right pluto[7337]: "mytunnel" #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=GB, O=Example, CN=left'<br>Sep 23 09:41:58 right pluto[7337]: "mytunnel" #1: no RSA public key known for 'C=GB, O=Example, CN=left'<br>Sep 23 09:41:58 right pluto[7337]: "mytunnel" #1: sending encrypted notification INVALID_KEY_INFORMATION to <a href="http://192.168.122.7:500">192.168.122.7:500</a><br>Sep 23 09:41:58 right pluto[7337]: "mytunnel" #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=GB, O=Example, CN=left'<br>Sep 23 09:41:58 right pluto[7337]: "mytunnel" #1: no RSA public key known for 'C=GB, O=Example, CN=left'<br><br></div>This is all on RHEL 6 and here are some of my configurations.  I can send out more if needed.<br><br>[root@left:/home/blharris]<br>$ cat /etc/ipsec.d/left.secrets  ### The RIGHT side is similar<br>: RSA "left"<br><br>[root@left:/home/blharris]<br>$ cat /etc/ipsec.d/host2host.conf  ### The RIGHT side is similar<br><br>conn mytunnel<br>  left=192.168.122.7<br>  leftid="C=GB, O=Example, CN=left"<br>  leftrsasigkey=%cert<br>  leftcert="left"<br>  right=192.168.122.8<br>  rightid="C=GB, O=Example, CN=right"<br>  rightrsasigkey=%cert<br>  auto=add<br><br>[root@left:/home/blharris]<br>$ openssl x509 -in left.crt -noout -subject<br>subject= /C=GB/O=Example/CN=left<br><br>[root@left:/home/blharris]<br>$ certutil -L -d sql:/etc/ipsec.d/<br><br>Certificate Nickname                                         Trust Attributes<br>                                                             SSL,S/MIME,JAR/XPI<br><br>left                                                         u,u,u<br>Root CA - Example                                            CT,,<br>Sub CA - Example                                             CT,,<br><br></div>I'm not sure if this next one is supposed to list the x509 from the other side?<br><br>[root@left:/home/blharris]<br>$ ipsec auto --listall<br>000<br>000 List of RSA Public Keys:<br>000<br>000 Sep 23 10:16:17 2016, 2048 RSA Key AwEAAbNLY (has private key), until Sep 23 07:59:32 2017 ok<br>000        ID_DER_ASN1_DN 'C=GB, O=Example, CN=left'<br>000        Issuer 'C=GB, O=Example, CN=Sub CA'<br>000<br>000 List of Pre-shared secrets (from /etc/ipsec.secrets)<br>000<br>000     1: RSA (none) (none)<br>000<br>000 List of X.509 End Certificates:<br>000<br>000 End certificate "left" - SN: 0x008a878064b67f70a2e343f7d42d0ae365<br>000   subject: C=GB, O=Example, CN=left<br>000   issuer: C=GB, O=Example, CN=Sub CA<br>000   not before: Fri Sep 23 11:59:32 2016<br>000   not after: Sat Sep 23 11:59:32 2017<br>000   2048 bit RSA: has private key<br>000<br>000 List of X.509 CA Certificates:<br>000<br>000 Root CA certificate "Root CA - Example" - SN: 0x00ab3e40667df73692f3df545d9f01a9cf<br>000   subject: C=GB, O=Example, CN=Root CA<br>000   issuer: C=GB, O=Example, CN=Root CA<br>000   not before: Thu Sep 22 17:07:28 2016<br>000   not after: Sun Sep 20 17:07:28 2026<br>000   4096 bit RSA<br>000<br>000 CA certificate "Sub CA - Example" - SN: 0x00ab3e40667df73692f3df545d9f01a9d1<br>000   subject: C=GB, O=Example, CN=Sub CA<br>000   issuer: C=GB, O=Example, CN=Root CA<br>000   not before: Fri Sep 23 11:25:13 2016<br>000   not after: Mon Sep 21 11:25:13 2026<br>000   4096 bit RSA<br>000<br>000 List of CRLs:<br><br></div>And in case it helps here is what one of the text of the certs looks like.<br><br>[root@left:/home/blharris]<br>$ openssl x509 -in left.crt -noout -text<br>Certificate:<br>    Data:<br>        Version: 3 (0x2)<br>        Serial Number:<br>            8a:87:80:64:b6:7f:70:a2:e3:43:f7:d4:2d:0a:e3:65<br>    Signature Algorithm: sha256WithRSAEncryption<br>        Issuer: C=GB, O=Example, CN=Sub CA<br>        Validity<br>            Not Before: Sep 23 11:59:32 2016 GMT<br>            Not After : Sep 23 11:59:32 2017 GMT<br>        Subject: C=GB, O=Example, CN=left<br>        Subject Public Key Info:<br>            Public Key Algorithm: rsaEncryption<br>                Public-Key: (2048 bit)<br>                Modulus:<br>                    00:b3:4b:62:84:0a:21:12:4f:2a:2f:41:8e:f4:07:<br>                    0a:75:92:62:d8:44:4f:4d:42:b5:7f:c9:63:b7:55:<br>                    c3:d8:e6:ba:8b:07:af:cc:93:a6:a9:fc:91:d9:15:<br>                    4c:80:bc:94:1f:23:db:96:72:00:ce:5a:73:bf:23:<br>                    32:42:08:24:9b:bb:4a:0c:e1:34:e9:78:a3:05:03:<br>                    b8:cd:1c:61:37:4a:c2:d0:30:bc:22:21:8b:1b:b2:<br>                    d9:7b:42:92:c7:f8:8d:8f:dc:52:a0:4f:da:f1:f0:<br>                    99:f0:27:71:84:2b:a5:a3:4e:c2:7e:e8:16:c2:de:<br>                    4a:a6:b5:66:ec:d2:b5:01:b5:f3:f8:23:6c:d6:5d:<br>                    75:40:89:65:d3:91:52:11:41:2f:54:1e:fc:be:33:<br>                    55:5e:48:d7:00:0a:c0:d7:cb:97:69:c6:f4:95:d1:<br>                    55:36:fd:95:1a:db:ab:ae:a4:13:df:a5:f0:db:12:<br>                    9a:53:e6:ac:06:d0:0d:28:15:0a:dd:14:17:0c:62:<br>                    08:d7:2e:2b:f7:46:0a:bd:a0:f4:84:dd:07:72:77:<br>                    8c:3c:d7:a1:42:6f:95:52:9a:4e:3f:36:41:20:0f:<br>                    79:cb:7e:b7:c4:39:e1:32:3a:67:cd:24:62:cb:8b:<br>                    33:ae:ef:ea:4e:f1:4c:ca:e1:78:3e:09:a4:b2:6d:<br>                    5e:01<br>                Exponent: 65537 (0x10001)<br>        X509v3 extensions:<br>            Authority Information Access:<br>                CA Issuers - URI:<a href="http://sub-ca.example.com/sub-ca.crt">http://sub-ca.example.com/sub-ca.crt</a><br>                OCSP - URI:<a href="http://ocsp.sub-ca.example.com:9081">http://ocsp.sub-ca.example.com:9081</a><br><br>            X509v3 Authority Key Identifier:<br>                keyid:49:F8:A3:3D:60:FE:5B:75:17:C3:30:EC:C3:A7:36:0F:40:B1:EC:08<br><br>            X509v3 Basic Constraints: critical<br>                CA:FALSE<br>            X509v3 CRL Distribution Points:<br><br>                Full Name:<br>                  URI:<a href="http://sub-ca.example.com/sub-ca.crl">http://sub-ca.example.com/sub-ca.crl</a><br><br>            X509v3 Extended Key Usage:<br>                TLS Web Client Authentication, TLS Web Server Authentication<br>            X509v3 Key Usage: critical<br>                Digital Signature, Key Encipherment<br>            X509v3 Subject Key Identifier:<br>                DC:EE:FF:E0:4F:E9:8E:D8:0F:06:E7:A0:D4:AF:6B:24:3C:60:5B:2E<br>    Signature Algorithm: sha256WithRSAEncryption<br>         3d:b0:ce:2b:9d:80:83:4f:2d:aa:a3:22:61:3d:60:87:00:73:<br>         b3:32:dc:58:b1:19:14:70:8c:9e:74:f1:22:4f:f1:15:ff:54:<br>         9d:53:bf:c3:23:05:53:77:0e:fd:7b:50:b8:58:a9:06:72:5b:<br>         40:02:d8:f4:26:32:c4:6f:56:1d:6b:22:8d:e4:1d:76:6c:05:<br>         a0:64:7c:69:32:23:b1:08:57:17:44:61:4e:40:45:0d:13:f0:<br>         6b:4e:12:81:a9:09:47:58:4c:fa:54:b2:ab:b9:41:78:58:b8:<br>         88:14:dc:e8:ae:95:f7:d3:e1:02:f8:51:60:ac:7f:f7:10:43:<br>         6f:17:39:33:41:e2:1c:9b:a7:a5:32:c2:23:37:6c:b2:fe:c3:<br>         03:4a:87:3f:77:1b:f7:da:26:84:c4:00:48:d1:f8:67:1e:3c:<br>         26:8e:75:a5:81:b2:c0:65:e5:24:b5:75:a6:8b:fe:e8:45:f6:<br>         d5:5a:80:c3:65:9b:73:96:77:5b:5c:8b:9a:e8:08:6c:a8:79:<br>         9d:b1:6b:3a:d2:a2:b5:c1:35:15:54:39:b3:19:3e:59:57:96:<br>         f7:0c:5c:a1:5e:0c:5d:ec:87:72:67:81:8f:75:c3:c7:f9:41:<br>         12:08:96:6b:9d:dc:c0:3e:fc:3c:26:14:d7:fc:cf:5a:aa:92:<br>         d1:28:b2:16:b6:4b:5f:c8:2e:b6:bd:7b:b6:d3:72:34:01:a3:<br>         ae:3f:1e:34:f4:a1:9d:14:22:8c:c8:88:94:e8:19:19:ed:b4:<br>         ea:69:96:0b:83:f2:80:45:e9:eb:40:23:bb:a8:b5:d5:f3:08:<br>         56:b1:ba:b9:c9:e8:82:82:0a:86:bb:12:7d:49:a0:48:e7:a4:<br>         6d:c8:07:87:ef:b2:8b:e3:4c:3c:f5:d2:4b:74:c3:5d:2c:10:<br>         45:f2:66:ba:44:b6:fc:88:76:1a:96:77:a8:e4:c9:91:ed:71:<br>         00:90:05:91:cf:0f:b3:24:a6:76:85:2c:e5:6e:31:de:a1:00:<br>         fc:34:b4:cf:f4:04:0d:34:df:92:f4:a6:1e:c8:89:7d:d2:1e:<br>         60:ae:a5:2a:ab:59:1e:d5:b9:e6:0a:38:51:7e:1b:85:2c:e6:<br>         fb:5c:9d:fb:bc:9d:5e:52:c3:fb:4c:cf:47:4e:0e:c8:58:eb:<br>         95:77:83:b1:60:69:32:3b:cb:21:f0:1c:05:67:fc:d1:05:1d:<br>         46:cb:6b:6a:5f:d6:e4:15:9c:27:e4:a5:f8:74:79:c3:5c:8b:<br>         b6:dd:44:47:a8:ee:44:64:64:ee:6f:9d:8b:0b:79:77:49:5e:<br>         a5:d8:b9:be:19:d0:d4:a5:36:c8:e7:b1:20:05:f9:1a:9a:1d:<br>         e5:8d:43:4b:b7:c2:73:48<br><br></div>Thanks in advance.<br><br></div>V/r,<br></div>Bryan<br></div>