[strongSwan] Fwd: error in establishing an ikev1 session on pluto using certs and ocsp server .

depinder singh deol deol.depinder at gmail.com
Thu Jul 22 13:56:21 CEST 2010 

hi team ,

i m trying to establish an ikev1 session using pluto daemon tool
between two users:user1 and user2 using certs and using ocsp server
for certificate revocation status verification.

topology:
                CA
              /      \
        user1     user2
I have configured CA and ocsp server on user 2 machine using commands:

private key of CA -- openssl genrsa -out cakey.pem  4096
CA certificate --openssl req -new -x509 -days 1826 -key cakey.pem -out
cacert.pem

openssl commands for generating cert for user1 and getting it signed
by CA's private key(cakey.pem):
generating private key for user1 -- openssl genrsa -out user1.key 4096
generating cert request for user1 from CA-- openssl req -new -key
user1.key -out user1cert.pem
getting cert of user1 signed by CA using its private key --  openssl
x509 -req -days 730 -in user1cert.pem -CA cacert.pem -CAkey cakey.pem
-set_serial 01 -out user1cert.pem

and similar commands for generating user2 cert and key and getting it
signed by CA by setting -set_serial 02 in the above openssl commands.
i have also made changes in the openssl.cnf file under the [usr_cert] section
that are:
on user2 in /usr/local/ssl/openssl.cnf
extendedKeyUsage=OCSPSigning
authorityInfoAccess=OCSP;URI:http://127.0.0.1:3456
on user 1 /etc/pki/tls/openssl.cnf
only change i have made in the openssl.cnf is URI:http://10.76.91.60:3456
other is same as user2 .uri is user2's ip address through which user 1
is connected to user2.

i have configured ocsp server on the user2 machine which i have
configured to act as a CA using openssl command:
starting the ocsp server : openssl ocsp -index index.txt -CA
cacert.pem -port 3456 -rkey cakey.pem -rsigner cacert.pem

My cacert is in the /usr/local/etc/ipsec.d/cacerts and
/usr/local/etc/ipsec.d/ocspcerts and user1 and user2 certs are in the
ipsec.d/certs and user 1 and user2 keys are in the ipsec.d/private/
i have also made changes in the ipsec.secrets file:
on user1:
: RSA user1.key "passphrase"
and similarly for user2 on user2 machine .

when i run ipsec.conf using ipsec start command which calls ipsec
starter which in turn starts pluto and ipsec up 59--60 which tells
pluto daemon to start the 59--60 <connection name> and check the
status of ikev1 session using ipsec statusall cmd. it shows up an
error:

Status of IKEv1 pluto daemon (strongSwan 4.3.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.76.91.59:500
000 %myid = (none)
000 loaded plugins: aes des sha1 sha2 md5 random pubkey hmac gmp
000 debug options:
raw+crypt+parsing+emitting+control+lifecycle+klips+dns+natt+oppo+controlmore
000 "59--60": 10.76.91.0/24===10.76.91.59[C=IN, ST=KA, L=BLR, O=CISCO,
OU=STG-IOS, CN=USER1, E=deol.depinder at gmail.com]...10.76.91.60[C=IN,
ST=KA, L=BLR, O=CISCO, OU=STG-IOS, CN=USER2,
E=deol.depinder at gmail.com]===10.76.91.0/24; unrouted; eroute owner: #0
000 "59--60":   CAs: 'C=IN, ST=KA, O=CISCO, OU=STG-IOS, CN=CA,
E=deol.depinder at gmail.com'...'C=IN, ST=KA, O=CISCO, OU=STG-IOS, CN=CA,
E=deol.depinder at gmail.com'
000 "59--60":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 1
000 "59--60":   policy: PUBKEY+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
interface: eth0;
000 "59--60":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000

Please help me to resolve this error.
Please find the user1 and user2 IPSEC configuration files in the attachments.

Regards
Depinder
-------------- next part --------------
config setup
         plutodebug=all
         plutostderrlog=yes
         crlcheckinterval=180
         strictcrlpolicy=yes
         cachecrls=no
         nat_traversal=no
         charonstart=no
         plutostart=yes

conn %default
         ike=3des-sha1-modp1536!
         esp=3des-sha1!
         authby=rsasig
         keyexchange=ikev1
         ikelifetime=60m
         keylife=20m
         keyingtries=1

ca  rootca
         cacert=/usr/local/etc/ipsec.d/cacerts/cacert.pem
         ocspuri=http://10.76.91.60:3456
         auto=add
conn 59--60
         left=10.76.91.59
         leftsubnet=10.76.91.0/24
         leftrsasigkey=%cert
         leftcert=/usr/local/etc/ipsec.d/certs/user1cert.pem
         leftid="C=IN,ST=KA,O=CISCO,OU=STG-IOS,CN=USER1"
         right=10.76.91.60
         rightsubnet=10.76.91.0/24
         rightrsasigkey=%cert
         rightcert=/usr/local/etc/ipsec.d/certs/user2cert.pem
         rightid="C=IN,ST=KA,O=CISCO,OU=STG-IOS,CN=USER2"
         auto=start
-------------- next part --------------
config setup
         plutodebug=all
         plutostderrlog=yes
         crlcheckinterval=180
         strictcrlpolicy=yes
         cachecrls=no
         nat_traversal=no
         charonstart=no
         plutostart=yes

conn %default
         ike=3des-sha1-modp1536!
         esp=3des-sha1!
         authby=rsasig
         keyexchange=ikev1
         ikelifetime=60m
         keylife=20m
         keyingtries=1

ca  rootca
         cacert=/usr/local/etc/ipsec.d/cacerts/cacert.pem
         ocspuri=http://127.0.0.1:3456
         auto=add
conn 59--60
         left=10.76.91.60
         leftsubnet=10.76.91.0/24
         leftrsasigkey=%cert
         leftcert=/usr/local/etc/ipsec.d/certs/user1cert.pem
         leftid="C=IN,ST=KA,O=CISCO,OU=STG-IOS,CN=USER2"
         right=10.76.91.59
         rightsubnet=10.76.91.0/24
         rightrsasigkey=%cert
         rightcert=/usr/local/etc/ipsec.d/certs/user2cert.pem
         rightid="C=IN,ST=KA,O=CISCO,OU=STG-IOS,CN=USER1"
         auto=start

More information about the Users mailing list