Mailinglist Archive: opensuse-security (145 mails)

Problem with RightID
  • From: Markus_Kaefer@xxxxxx
  • Date: Thu, 25 Nov 2004 18:40:39 +0100
  • Message-id: <OFDEF297CB.CE44B18F-ONC1256F57.00369D8F-C1256F57.006100B5@xxxxxx>
Dear Mailing List Users,

I have been working with FreeS/WAN 1.xx under Debian Woody for more than a year now.
As roadwarrior client I used SSH Sentinel ... all worked fine.

Now I was forced to use a 2.xx, so I used the newest with an X.509 patch, 2.05.

Now I am having problems converting my ipsec.conf to the new version to work properly.

I am using virtual IPs to stay independent of the way the client is connected.
For authentication I use OpenSSL X.509 certs; I use no subjectAltName ... I tried it, but it also didn't work.

Here is my ipsec.conf

gate:/etc# cat ipsec.conf
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $

# This file: /usr/local/share/doc/freeswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
#
# Help:
# http://www.strongsec.com/freeswan/install.htm

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=all
    # plutodebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=control
    uniqueids=yes

conn %default
    keyingtries=1
    authby=rsasig
    left=80.120.177.66
    leftnexthop=80.120.177.65
    leftcert=gate.akras.at.pem
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    auto=add

# OE policy groups are disabled by default
conn block
    auto=ignore

conn clear
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn packetdefault
    auto=ignore

# Add connections here.

# sample VPN connection
conn virt
    right=%any
    leftsubnet=192.168.1.0/24
    rightid="C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=Robert Machaczek"
    rightsubnetwithin=192.168.2.0/24
    auto=add

    # Left security gateway, subnet behind it, next hop toward right.
    #left=80.120.177.66
    #leftsubnet=192.168.1.0/24
    #leftnexthop=80.120.177.65
    #leftrsasigkey=%cert
    #leftcert=gate.akras.at.pem
    # Right security gateway, subnet behind it, next hop toward left.
    #right=%any
    #rightid=@xxxxxxxxxxxx
    #rightrsasigkey=%cert
    #rightsubnetwithin=192.168.2.0/24
    #auto=add

# sample VPN connection
#sample# conn sample
#sample#     # Left security gateway, subnet behind it, next hop toward right.
#sample#     left=%defaultroute
#sample#     leftcert=gate.akras.at.pem
#sample#     leftsubnet=192.168.1.0/24
#sample#     # Right security gateway, subnet behind it, next hop toward left.
#sample#     right=%any
#sample#     rightid="<Distinguished name of right security gateway>"
#sample#     rightsubnet=192.168.167.0/24
#sample#     # To authorize this connection, but not actually start it, at startup,
#sample#     # uncomment this.
#sample#     #auto=start

Here is the error in the log:

Nov 25 10:45:36 akrasvbox pluto[5203]: |
Nov 25 10:45:36 akrasvbox pluto[5203]: | *received 1564 bytes from 10.10.10.9:500 on eth0
Nov 25 10:45:36 akrasvbox pluto[5203]: | ICOOKIE: ff ee 3a 26 f8 00 00 0e
Nov 25 10:45:36 akrasvbox pluto[5203]: | RCOOKIE: 6e 7e fe ff eb dc 64 47
Nov 25 10:45:36 akrasvbox pluto[5203]: | peer: 0a 0a 0a 09
Nov 25 10:45:36 akrasvbox pluto[5203]: | state hash entry 13
Nov 25 10:45:36 akrasvbox pluto[5203]: | peer and cookies match, provided msgid 00000000 vs 00000000
Nov 25 10:45:36 akrasvbox pluto[5203]: | state object #5 found, in STATE_MAIN_R2
Nov 25 10:45:36 akrasvbox pluto[5203]: "virt"[3] 10.10.10.9 #5: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 25 10:45:36 akrasvbox pluto[5203]: "virt"[3] 10.10.10.9 #5: Peer ID is ID_DER_ASN1_DN: 'C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=Robert Machaczek'
Nov 25 10:45:36 akrasvbox pluto[5203]: | subject: 'C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=Robert Machaczek'
Nov 25 10:45:36 akrasvbox pluto[5203]: | issuer: 'C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=AKRAS CA, E=robert.machaczek@xxxxxxxx'
Nov 25 10:45:36 akrasvbox pluto[5203]: | authkey: c7:b1:4c:dc:97:cb:66:36:95:76:a8:77:32:0e:50:fc:2d:84:01:72
Nov 25 10:45:36 akrasvbox pluto[5203]: | not before : Dec 04 15:50:42 UTC 2003
Nov 25 10:45:36 akrasvbox pluto[5203]: | current time: Nov 25 09:45:36 UTC 2004
Nov 25 10:45:36 akrasvbox pluto[5203]: | not after : Dec 01 15:50:42 UTC 2013
Nov 25 10:45:36 akrasvbox pluto[5203]: | certificate is valid
Nov 25 10:45:36 akrasvbox pluto[5203]: | issuer cacert found
Nov 25 10:45:36 akrasvbox pluto[5203]: | signature algorithm: 'md5WithRSAEncryption'
Nov 25 10:45:36 akrasvbox pluto[5203]: | certificate signature is valid
Nov 25 10:45:36 akrasvbox pluto[5203]: | issuer crl found
Nov 25 10:45:36 akrasvbox pluto[5203]: | signature algorithm: 'md5WithRSAEncryption'
Nov 25 10:45:36 akrasvbox pluto[5203]: | crl signature is valid
Nov 25 10:45:36 akrasvbox pluto[5203]: | serial number: 07
Nov 25 10:45:36 akrasvbox pluto[5203]: | certificate not revoked
Nov 25 10:45:36 akrasvbox pluto[5203]: "virt"[3] 10.10.10.9 #5: crl update is overdue since Dec 19 12:16:58 UTC 2003
Nov 25 10:45:36 akrasvbox pluto[5203]: | subject: 'C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=AKRAS CA, E=robert.machaczek@xxxxxxxx'
Nov 25 10:45:36 akrasvbox pluto[5203]: | issuer: 'C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=AKRAS CA, E=robert.machaczek@xxxxxxxx'
Nov 25 10:45:36 akrasvbox pluto[5203]: | authkey: c7:b1:4c:dc:97:cb:66:36:95:76:a8:77:32:0e:50:fc:2d:84:01:72
Nov 25 10:45:36 akrasvbox pluto[5203]: | not before : Nov 19 11:08:25 UTC 2003
Nov 25 10:45:36 akrasvbox pluto[5203]: | current time: Nov 25 09:45:36 UTC 2004
Nov 25 10:45:36 akrasvbox pluto[5203]: | not after : Nov 17 11:08:25 UTC 2013
Nov 25 10:45:36 akrasvbox pluto[5203]: | certificate is valid
Nov 25 10:45:36 akrasvbox pluto[5203]: | issuer cacert found
Nov 25 10:45:36 akrasvbox pluto[5203]: | signature algorithm: 'md5WithRSAEncryption'
Nov 25 10:45:36 akrasvbox pluto[5203]: | certificate signature is valid
Nov 25 10:45:36 akrasvbox pluto[5203]: | reached self-signed root ca
Nov 25 10:45:36 akrasvbox pluto[5203]: "virt"[3] 10.10.10.9 #5: no suitable connection for peer 'C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=Robert Machaczek'
Nov 25 10:45:36 akrasvbox pluto[5203]: "virt"[3] 10.10.10.9 #5: sending encrypted notification INVALID_ID_INFORMATION to 10.10.10.9:500
Nov 25 10:45:36 akrasvbox pluto[5203]: | state transition function for STATE_MAIN_R2 failed: INVALID_ID_INFORMATION
Nov 25 10:45:36 akrasvbox pluto[5203]: | next event EVENT_RETRANSMIT in 7 seconds for #5

As you can see, I also tried to put the exact Distinguished Name into the ipsec.conf to authenticate the user cert.
I tried to use the fixed IP address, but this would fit my need to stay as a road warrior, as I understand it.

Another very strange thing is that the ipsec whack --status command outputs that IPsec connection as established:

gate:/etc# ipsec whack --status
000 interface ipsec0/eth0 80.120.177.66
000 %myid = (none)
000 debug control
000
000 "virt": 192.168.1.0/24===80.120.177.66[C=AT, ST=Some-State, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=gate.akras.at]---80.120.177.65...%any[C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=Robert Machaczek]==={192.168.2.0/24}; unrouted; eroute owner: #0
000 "virt": CAs: 'C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=AKRAS CA, E=robert.machaczek@xxxxxxxx'...'%any'
000 "virt": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "virt": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: eth0;
000 "virt": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000

But the eroute for the virtual IP is missing...



I am really at the end of my ideas ... Google also didn't help me much.

If anyone can help me, I would be very appreciative.
If you have further questions, please ask; I will provide you with any information if you can help.

Greetings, Markus

*******************************************************
Käfer Markus
LOGIN Ges.m.b.H -Software Beratung Training
Gumpendorferstraße 65
A-1060 Wien
Mail: markus_kaefer@xxxxxx
Web: www.log.at
Tel: 0043 1 586 58 97
Fax: 0043 1 586 58 97 50
*******************************************************
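The post pairs an ipsec.conf rightid with a pluto log that prints the peer's DN, the CRL state, and the final "no suitable connection" rejection. The following Python checker is an added example, not code from Markus's post or from FreeS/WAN: it parses the rightid values out of a conn section, normalises the DN the same way one would compare it by hand (attribute types case-insensitive, RDN order preserved), compares it to the "Peer ID is ID_DER_ASN1_DN" line, and separately flags the "crl update is overdue" warning. The config and log lines embedded below are constructed from the post, re-joined onto single lines; the DN parser assumes values contain no escaped commas, and the function names and the hint wording are the example's own.

```python
"""Check the peer DN that pluto logged against the rightid values in
ipsec.conf and flag a stale CRL.  Added example, not code from the original
post or from FreeS/WAN.  The sample config and log lines are constructed
from the post (wrapped lines re-joined)."""
import re

SAMPLE_CONF = """\
conn virt
    right=%any
    leftsubnet=192.168.1.0/24
    rightid="C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=Robert Machaczek"
    rightsubnetwithin=192.168.2.0/24
    auto=add
"""

SAMPLE_LOG = """\
Nov 25 10:45:36 akrasvbox pluto[5203]: "virt"[3] 10.10.10.9 #5: Peer ID is ID_DER_ASN1_DN: 'C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=Robert Machaczek'
Nov 25 10:45:36 akrasvbox pluto[5203]: "virt"[3] 10.10.10.9 #5: crl update is overdue since Dec 19 12:16:58 UTC 2003
Nov 25 10:45:36 akrasvbox pluto[5203]: "virt"[3] 10.10.10.9 #5: no suitable connection for peer 'C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=Robert Machaczek'
"""


def parse_dn(dn):
    """Split an RFC 2253-style DN into an ordered tuple of (type, value).
    Attribute types are upper-cased, values keep their case; RDN order is
    significant, so 'C=AT, L=X' and 'L=X, C=AT' are different DNs.
    Assumption: no escaped commas inside values."""
    rdns = []
    for part in re.split(r"\s*,\s*", dn.strip()):
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return tuple(rdns)


def parse_rightids(conf_text):
    """Map conn name -> parsed rightid DN for every conn that sets one.
    Comments are stripped; surrounding double quotes on the value are removed."""
    result = {}
    conn = None
    for line in conf_text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if not stripped:
            continue
        if stripped.startswith("conn "):
            conn = stripped.split(None, 1)[1]
            continue
        key, _, value = stripped.partition("=")
        if conn and key.strip() == "rightid":
            result[conn] = parse_dn(value.strip().strip('"'))
    return result


PEER_ID_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] \S+ #\d+: Peer ID is ID_DER_ASN1_DN: \'(?P<dn>[^\']*)\''
)
CRL_RE = re.compile(r"crl update is overdue since (?P<when>.+)$")
NO_CONN_RE = re.compile(r"no suitable connection for peer")


def analyse(conf_text, log_text):
    """Walk the log and return a list of findings, in log order:
    ('peer_id', conn, [matching conn names]), ('crl_overdue', when),
    or ('no_suitable_connection',)."""
    rightids = parse_rightids(conf_text)
    findings = []
    for line in log_text.splitlines():
        m = PEER_ID_RE.search(line)
        if m:
            peer = parse_dn(m.group("dn"))
            matches = sorted(n for n, dn in rightids.items() if dn == peer)
            findings.append(("peer_id", m.group("conn"), matches))
            continue
        m = CRL_RE.search(line)
        if m:
            findings.append(("crl_overdue", m.group("when")))
            continue
        if NO_CONN_RE.search(line):
            findings.append(("no_suitable_connection",))
    return findings


def summarize(findings):
    """Turn findings into operator hints.  A DN that matches a rightid yet
    still ends in 'no suitable connection' points away from the ID string
    and towards the traffic selectors negotiated for the conn."""
    hints = []
    matched = any(f[0] == "peer_id" and f[2] for f in findings)
    rejected = any(f[0] == "no_suitable_connection" for f in findings)
    if matched and rejected:
        hints.append("peer DN matches a configured rightid, so the rejection is not an "
                     "ID-string mismatch; compare the selectors (rightsubnet/"
                     "rightsubnetwithin) with the virtual IP the client proposes")
    elif rejected:
        hints.append("peer DN matches no configured rightid; check attribute order "
                     "and spelling against the certificate subject")
    for f in findings:
        if f[0] == "crl_overdue":
            hints.append(f"CRL is stale (next update was due {f[1]}); pluto still "
                         "accepted the cert, so publish a fresh CRL or set "
                         "strictcrlpolicy=yes to fail closed")
    return hints


if __name__ == "__main__":
    for hint in summarize(analyse(SAMPLE_CONF, SAMPLE_LOG)):
        print("-", hint)
```

Run it as-is to see the two hints for the posted log; point `analyse` at a real ipsec.conf and a real pluto log to reuse it. The first hint is the useful observation from the posted data: pluto printed the peer DN character-for-character equal to the configured rightid, so the INVALID_ID_INFORMATION reply is not caused by the DN string itself.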