[strongSwan] Fwd: error in establishing an ikev1 session on pluto using certs and ocsp server.
depinder singh deol
deol.depinder at gmail.com
Thu Jul 22 13:47:17 CEST 2010
---------- Forwarded message ----------
From: depinder singh deol <deol.depinder at gmail.com>
Date: Thu, 22 Jul 2010 17:13:28 +0530
Subject: error in establishing an ikev1 session on pluto using certs and ocsp server.
To: openssl-users at openssl.org
Hi team,
I'm trying to establish an IKEv1 session using the pluto daemon tool between two users, user1 and user2, using certs and an OCSP server for certificate revocation status verification.
topology:
CA
/ \
user1 user2
I have configured the CA and OCSP server on the user2 machine using these commands:
private key of CA -- openssl genrsa -out cakey.pem 4096
CA certificate -- openssl req -new -x509 -days 1826 -key cakey.pem -out cacert.pem
openssl commands for generating the cert for user1 and getting it signed by the CA's private key (cakey.pem):
generating private key for user1 -- openssl genrsa -out user1.key 4096
generating cert request for user1 from CA -- openssl req -new -key user1.key -out user1cert.pem
getting the cert of user1 signed by the CA using its private key -- openssl x509 -req -days 730 -in user1cert.pem -CA cacert.pem -CAkey cakey.pem -set_serial 01 -out user1cert.pem
and similar commands for generating the user2 cert and key and getting it signed by the CA, setting -set_serial 02 in the above openssl commands.
I have also made changes in the openssl.cnf file under the [usr_cert] section, namely:
on user2, in /usr/local/ssl/openssl.cnf:
extendedKeyUsage=OCSPSigning
authorityInfoAccess=OCSP;URI:http://127.0.0.1:3456
on user1, in /etc/pki/tls/openssl.cnf:
the only change I have made in the openssl.cnf is URI:http://10.76.91.60:3456; the rest is the same as on user2. The URI is user2's IP address, through which user1 is connected to user2.
I have configured the OCSP server on the user2 machine, which I have configured to act as the CA, using this openssl command:
starting the OCSP server: openssl ocsp -index index.txt -CA cacert.pem -port 3456 -rkey cakey.pem -rsigner cacert.pem
My cacert is in /usr/local/etc/ipsec.d/cacerts and /usr/local/etc/ipsec.d/ocspcerts, the user1 and user2 certs are in ipsec.d/certs, and the user1 and user2 keys are in ipsec.d/private/.
I have also made changes in the ipsec.secrets file:
on user1:
: RSA user1.key "passphrase"
and similarly for user2 on the user2 machine.
When I run ipsec.conf using the ipsec start command, which calls ipsec starter, which in turn starts pluto, and then ipsec up 59--60, which tells the pluto daemon to start the 59--60 <connection name>, and check the status of the IKEv1 session using the ipsec statusall command, it shows an error:
Status of IKEv1 pluto daemon (strongSwan 4.3.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.76.91.59:500
000 %myid = (none)
000 loaded plugins: aes des sha1 sha2 md5 random pubkey hmac gmp
000 debug options:
raw+crypt+parsing+emitting+control+lifecycle+klips+dns+natt+oppo+controlmore
000 "59--60": 10.76.91.0/24===10.76.91.59[C=IN, ST=KA, L=BLR, O=CISCO,
OU=STG-IOS, CN=USER1, E=deol.depinder at gmail.com]...10.76.91.60[C=IN,
ST=KA, L=BLR, O=CISCO, OU=STG-IOS, CN=USER2,
E=deol.depinder at gmail.com]===10.76.91.0/24; unrouted; eroute owner: #0
000 "59--60": CAs: 'C=IN, ST=KA, O=CISCO, OU=STG-IOS, CN=CA,
E=deol.depinder at gmail.com'...'C=IN, ST=KA, O=CISCO, OU=STG-IOS, CN=CA,
E=deol.depinder at gmail.com'
000 "59--60": ike_life: 3600s; ipsec_life: 1200s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 1
000 "59--60": policy: PUBKEY+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
interface: eth0;
000 "59--60": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
Please help me to resolve this error.
Please find the user1 and user2 IPSEC configuration files in the attachments.
Regards
Depinder
-------------- next part --------------
config setup
    plutodebug=all
    plutostderrlog=yes
    crlcheckinterval=180
    strictcrlpolicy=yes
    cachecrls=no
    nat_traversal=no
    charonstart=no
    plutostart=yes

conn %default
    ike=3des-sha1-modp1536!
    esp=3des-sha1!
    authby=rsasig
    keyexchange=ikev1
    ikelifetime=60m
    keylife=20m
    keyingtries=1

ca rootca
    cacert=/usr/local/etc/ipsec.d/cacerts/cacert.pem
    ocspuri=http://10.76.91.60:3456
    auto=add

conn 59--60
    left=10.76.91.59
    leftsubnet=10.76.91.0/24
    leftrsasigkey=%cert
    leftcert=/usr/local/etc/ipsec.d/certs/user1cert.pem
    leftid="C=IN,ST=KA,O=CISCO,OU=STG-IOS,CN=USER1"
    right=10.76.91.60
    rightsubnet=10.76.91.0/24
    rightrsasigkey=%cert
    rightcert=/usr/local/etc/ipsec.d/certs/user2cert.pem
    rightid="C=IN,ST=KA,O=CISCO,OU=STG-IOS,CN=USER2"
    auto=start
-------------- next part --------------
config setup
    plutodebug=all
    plutostderrlog=yes
    crlcheckinterval=180
    strictcrlpolicy=yes
    cachecrls=no
    nat_traversal=no
    charonstart=no
    plutostart=yes

conn %default
    ike=3des-sha1-modp1536!
    esp=3des-sha1!
    authby=rsasig
    keyexchange=ikev1
    ikelifetime=60m
    keylife=20m
    keyingtries=1

ca rootca
    cacert=/usr/local/etc/ipsec.d/cacerts/cacert.pem
    ocspuri=http://127.0.0.1:3456
    auto=add

conn 59--60
    left=10.76.91.60
    leftsubnet=10.76.91.0/24
    leftrsasigkey=%cert
    leftcert=/usr/local/etc/ipsec.d/certs/user1cert.pem
    leftid="C=IN,ST=KA,O=CISCO,OU=STG-IOS,CN=USER2"
    right=10.76.91.59
    rightsubnet=10.76.91.0/24
    rightrsasigkey=%cert
    rightcert=/usr/local/etc/ipsec.d/certs/user2cert.pem
    rightid="C=IN,ST=KA,O=CISCO,OU=STG-IOS,CN=USER1"
    auto=start
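The PKI and OCSP setup described in the post, as an added example that is not the poster's or strongSwan's code: it issues certificates through `openssl ca` so that each serial is recorded in the index.txt that `openssl ocsp -index` answers from, and then runs one OCSP request/response/verify cycle offline (`-reqout`/`-reqin`/`-respout`/`-respin`, no listening port) to see what the responder would tell pluto for a good, a revoked, and an index-less certificate. The scratch directory, the CNs, the 2048-bit keys and the `pki_*`/`ocsp_status` function names are assumptions; the AIA URL is the one from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: a throwaway CA issuing with `openssl ca`
# (so each serial lands in the index.txt that `openssl ocsp -index` answers from) plus an
# offline OCSP round trip, no listening port, to see what the responder would tell pluto.
set -eu
PKI=${PKI:-$(mktemp -d)}   # assumed scratch dir; the CNs and key sizes below are assumptions too
pki_setup() {
  mkdir -p "$PKI/newcerts"; : > "$PKI/index.txt"; echo 01 > "$PKI/serial"
  cat > "$PKI/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $PKI/index.txt
new_certs_dir = $PKI/newcerts
serial = $PKI/serial
certificate = $PKI/cacert.pem
private_key = $PKI/cakey.pem
default_md = sha256
default_days = 730
policy = any_dn
x509_extensions = usr_cert
[ any_dn ]
commonName = supplied
[ usr_cert ]
authorityInfoAccess = OCSP;URI:http://10.76.91.60:3456
[ req ]
distinguished_name = dn
[ dn ]
EOF
  openssl genrsa -out "$PKI/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 1826 -key "$PKI/cakey.pem" -subj /CN=CA -config "$PKI/ca.cnf" -out "$PKI/cacert.pem"
}
# Key + CSR for user $1, then signed through the CA database ($2 = ca: serial recorded in index.txt)
# or with `openssl x509 -req` as the post does ($2 = x509: valid signature, but index.txt never sees it).
pki_issue() {
  openssl genrsa -out "$PKI/$1.key" 2048 2>/dev/null
  openssl req -new -key "$PKI/$1.key" -subj "/CN=$1" -config "$PKI/ca.cnf" -out "$PKI/$1.csr" 2>/dev/null
  if [ "$2" = ca ]; then openssl ca -batch -notext -config "$PKI/ca.cnf" -in "$PKI/$1.csr" -out "$PKI/$1cert.pem" 2>/dev/null
  else openssl x509 -req -days 730 -in "$PKI/$1.csr" -CA "$PKI/cacert.pem" -CAkey "$PKI/cakey.pem" -set_serial 0x7F -out "$PKI/$1cert.pem" 2>/dev/null; fi
}
pki_revoke() { openssl ca -config "$PKI/ca.cnf" -revoke "$PKI/$1cert.pem" 2>/dev/null; }
# Request for $1 -> the CA answering as its own responder (as in the post) -> answer verified
# against the CA cert; prints the status word the client would act on: good, revoked or unknown.
ocsp_status() {
  openssl ocsp -issuer "$PKI/cacert.pem" -cert "$PKI/$1cert.pem" -no_nonce -reqout "$PKI/$1.req"
  openssl ocsp -index "$PKI/index.txt" -CA "$PKI/cacert.pem" -rsigner "$PKI/cacert.pem" -rkey "$PKI/cakey.pem" \
    -CAfile "$PKI/cacert.pem" -no_nonce -reqin "$PKI/$1.req" -respout "$PKI/$1.resp" >/dev/null 2>&1
  openssl ocsp -CAfile "$PKI/cacert.pem" -issuer "$PKI/cacert.pem" -cert "$PKI/$1cert.pem" -no_nonce \
    -respin "$PKI/$1.resp" 2>/dev/null | sed -n 's/^.*cert\.pem: //p'
}
```

Running `pki_setup; pki_issue user1 ca; pki_issue user3 x509; ocsp_status user1; ocsp_status user3` prints `good` and then `unknown`: a valid CA signature alone never puts a serial into the responder's database, and `pki_revoke user1` flips the first answer to `revoked`.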