
[Users] FreeS/WAN 2.00-rc2 with X.509-1.2.2 patch, X.509 authentication will not work

From: Tino Glatzel <tino.glatzel(at)bbvb.de>
Date: Mon Mar 31 2003 - 00:49:16 EST


hello,

My systems are Debian 3.0 woody with kernel 2.4.20, FreeS/WAN 2.00-rc2 and the X.509-1.2.2 patch. IPsec works with shared secrets and with raw RSA public keys, but IPsec with X.509 certificates does not work. I have created a CA and the certificates for the gateway (vpn) and the client (client) as described in the Installation Guide.

vpn:/opt/ca/# openssl req -x509 -days 1460 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem
vpn:/opt/ca/# openssl req -newkey rsa:1024 -keyout vpn.test.key.pem -out vpn.test.req.pem 
vpn:/opt/ca/# openssl ca -in vpn.test.req.pem -days 730 -out vpn.test.cert.pem -notext
vpn:/opt/ca/# openssl req -newkey rsa:1024 -keyout client.test.key.pem -out client.test.req.pem
vpn:/opt/ca/# openssl ca -in client.test.req.pem -days 730 -out client.test.cert.pem -notext
vpn:/opt/ca/# cp cacert.pem /etc/ipsec.d/cacerts/
vpn:/opt/ca/# cp vpn.test.key.pem /etc/ipsec.d/private
vpn:/opt/ca/# echo ":RSA vpn.test.key.pem \"vpnpasswd\"" >> /etc/ipsec.secrets
vpn:/opt/ca/# cp vpn.test.cert.pem /etc/ipsec.d/certs/
vpn:/opt/ca/# cp client.test.cert.pem /etc/ipsec.d/certs/
vpn:/opt/ca/# openssl ca -gencrl -crldays 15 -out crl.pem
vpn:/opt/ca/# cp crl.pem /etc/ipsec.d/crls/
vpn:/opt/ca/# openssl x509 -in vpn.test.cert.pem -noout -subject
subject= /C=DE/ST=Baden/O=Testnetz/OU=EDV/CN=vpn.test
vpn:/opt/ca/# openssl x509 -in client.test.cert.pem -noout -subject
subject= /C=DE/ST=Baden/O=Testnetz/OU=EDV/CN=client.test

At the client:

client:/floppy/# cp cacert.pem /etc/ipsec.d/cacerts/ 
client:/floppy/# cp client.test.key.pem /etc/ipsec.d/private
client:/floppy/# echo ":RSA client.test.key.pem \"clientpasswd\"" >> /etc/ipsec.secrets 
client:/floppy/# cp client.test.cert.pem /etc/ipsec.d/certs/
client:/floppy/# cp vpn.test.cert.pem /etc/ipsec.d/certs/

Here is the config of the gateway:

version 2.0
config setup
        klipsdebug=all
        plutodebug=all
        #myid=
        interfaces="ipsec0=eth0"
        forwardcontrol=no
        rp_filter=0
        syslog=daemon.error
        #plutoopts=
        #plutostderrlog=
        #dumpdir=
        #manualstart=none
        pluto=yes
        plutowait=no
        #prepluto=
        #postpluto=
        fragicmp=yes
        packetdefault=drop
        hidetos=yes
        uniqueids=yes
        #overridemtu
        #nocrsend=yes

conn road
        type=tunnel
        left=192.168.50.5
        leftcert=vpn.test.cert.pem
        leftid="C=DE, ST=Baden, O=Testnetz, OU=EDV, CN=vpn.test"
        right=192.168.50.6
        rightid="C=DE, ST=Baden, O=Testnetz, OU=EDV, CN=client.test"
        keyexchange=ike
        auto=add
        auth=esp
        authby=rsasig
        rightrsasigkey=%cert
        leftrsasigkey=%cert
        pfs=yes
        keylife=8h
        rekey=yes
        rekeymargin=9m
        rekeyfuzz=25%
        keyingtries=0
        ikelifetime=8h
        compress=no
        disablearrivalcheck=no
        failureshunt=none

Here is the config of the client:

version 2.0     # conforms to second version of ipsec.conf specification
config setup
        klipsdebug=all
        plutodebug=all
        #myid=
        interfaces="ipsec0=eth0"
        forwardcontrol=no
        rp_filter=0
        syslog=daemon.error
        #plutoopts=
        #plutostderrlog=
        #dumpdir=
        #manualstart=none
        pluto=yes
        plutowait=no
        #prepluto=
        #postpluto=
        fragicmp=yes
        packetdefault=drop
        hidetos=yes
        uniqueids=yes
        #overridemtu
        #nocrsend=yes

conn road
        type=tunnel
        left=192.168.50.6
        leftcert=client.test.cert.pem
        leftid="C=DE, ST=Baden, O=Testnetz, OU=EDV, CN=client.test"
        right=192.168.50.5
        rightcert=vpn.test.cert.pem
        rightid="C=DE, ST=Baden, O=Testnetz, OU=EDV, CN=vpn.test"
        keyexchange=ike
        auto=start
        auth=esp
        authby=rsasig
        rightrsasigkey=%cert
        leftrsasigkey=%cert
        pfs=yes
        keylife=8h
        rekey=yes
        rekeymargin=9m
        rekeyfuzz=25%
        keyingtries=0
        ikelifetime=8h
        compress=no
        disablearrivalcheck=no
        failureshunt=none

When I ping the gateway, with tcpdump -i ipsec0 I see the requests but no answers. Is the problem at the gateway? Can anyone help me?

tino
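One check worth running on a setup like the one above, added here as an example and not part of the original post or of FreeS/WAN: the X.509 patch requires leftid/rightid to match the certificate subject DN exactly, so this script converts the slash-separated subject that `openssl x509 -noout -subject` prints into the comma-separated form used in ipsec.conf and compares it with each conn's IDs. The conn settings and subject lines are copied from the post; the function names are my own.

```python
import re

# Constructed sample input: the two conn definitions quoted in the post (gateway
# "vpn" and client), reduced to the keys that matter for X.509 identity matching.
GATEWAY_CONN = ('conn road type=tunnel left=192.168.50.5 leftcert=vpn.test.cert.pem '
                'leftid="C=DE, ST=Baden, O=Testnetz, OU=EDV, CN=vpn.test" '
                'right=192.168.50.6 rightid="C=DE, ST=Baden, O=Testnetz, OU=EDV, CN=client.test" '
                'authby=rsasig rightrsasigkey=%cert leftrsasigkey=%cert')
CLIENT_CONN = ('conn road type=tunnel left=192.168.50.6 leftcert=client.test.cert.pem '
               'leftid="C=DE, ST=Baden, O=Testnetz, OU=EDV, CN=client.test" '
               'right=192.168.50.5 rightcert=vpn.test.cert.pem '
               'rightid="C=DE, ST=Baden, O=Testnetz, OU=EDV, CN=vpn.test" authby=rsasig')
# Subject lines exactly as `openssl x509 -noout -subject` printed them in the post.
SUBJECTS = {
    "vpn.test.cert.pem": "subject= /C=DE/ST=Baden/O=Testnetz/OU=EDV/CN=vpn.test",
    "client.test.cert.pem": "subject= /C=DE/ST=Baden/O=Testnetz/OU=EDV/CN=client.test",
}

def parse_conn(text):
    """Return the key=value settings of a flattened conn block (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', text)}

def openssl_subject_to_rdns(line):
    """'subject= /C=DE/ST=Baden/...' -> [('C', 'DE'), ('ST', 'Baden'), ...].
    Attribute values containing '/' are not handled (none occur in the post)."""
    dn = line.split("subject=", 1)[-1].strip().strip("/")
    return [tuple(part.split("=", 1)) for part in dn.split("/") if part]

def ipsec_id_to_rdns(idstr):
    """'C=DE, ST=Baden, ...' -> the same list form; spaces around commas are ignored."""
    return [tuple(p.strip().split("=", 1)) for p in idstr.split(",") if p.strip()]

def id_matches_subject(idstr, subject_line):
    """True only if attribute order, attribute types and values all agree."""
    return ipsec_id_to_rdns(idstr) == openssl_subject_to_rdns(subject_line)

def check_conn(conn_text, subjects):
    """Per side: True/False when <side>cert= names a certificate whose subject we
    know locally, None when it does not (the peer sends its cert during IKE)."""
    conn = parse_conn(conn_text)
    result = {}
    for side in ("left", "right"):
        cert = conn.get(side + "cert")
        if cert is None or cert not in subjects:
            result[side] = None
        else:
            result[side] = id_matches_subject(conn.get(side + "id", ""), subjects[cert])
    return result

if __name__ == "__main__":
    for name, text in (("gateway", GATEWAY_CONN), ("client", CLIENT_CONN)):
        print(name, check_conn(text, SUBJECTS))
```

A False on either side means pluto will reject the peer's identity even though the certificate chain itself verifies.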



Users mailing list
Users@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users

Received on Sun Apr 6 06:51:54 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:01:14 EDT

