[strongSwan] Fwd: error in establishing an ikev1 session on pluto using certs and ocsp server.

Andreas Steffen andreas.steffen at strongswan.org
Thu Jul 22 19:06:49 CEST 2010


Hello,

you only show the configuration files and the output of ipsec statusall,
but I need the log file in order to see why the connection doesn't
come up.

Regards

Andreas

On 07/22/2010 01:47 PM, depinder singh deol wrote:
> ---------- Forwarded message ----------
> From: depinder singh deol<deol.depinder at gmail.com>
> Date: Thu, 22 Jul 2010 17:13:28 +0530
> Subject: error in establishing an ikev1 session on pluto using certs
> and ocsp server.
> To: openssl-users at openssl.org
>
> Hi team,
>
> I am trying to establish an IKEv1 session using the pluto daemon tool
> between two users, user1 and user2, using certs and using an OCSP server
> for certificate revocation status verification.
>
> topology:
>                  CA
>                /      \
>          user1     user2
> I have configured the CA and OCSP server on the user2 machine using these commands:
>
> private key of the CA -- openssl genrsa -out cakey.pem 4096
> CA certificate -- openssl req -new -x509 -days 1826 -key cakey.pem -out
> cacert.pem
>
> openssl commands for generating the cert for user1 and getting it signed
> by the CA's private key (cakey.pem):
> generating the private key for user1 -- openssl genrsa -out user1.key 4096
> generating the cert request for user1 from the CA -- openssl req -new -key
> user1.key -out user1cert.pem
> getting the cert of user1 signed by the CA using its private key -- openssl
> x509 -req -days 730 -in user1cert.pem -CA cacert.pem -CAkey cakey.pem
> -set_serial 01 -out user1cert.pem
>
> and similar commands for generating the user2 cert and key and getting it
> signed by the CA by setting -set_serial 02 in the above openssl commands.
> I have also made changes in the openssl.cnf file under the [usr_cert] section,
> which are:
> on user2 in /usr/local/ssl/openssl.cnf
> extendedKeyUsage=OCSPSigning
> authorityInfoAccess=OCSP;URI:http://127.0.0.1:3456
> on user1 in /etc/pki/tls/openssl.cnf
> the only change I have made in the openssl.cnf is URI:http://10.76.91.60:3456;
> the rest is the same as on user2. The URI is user2's IP address through which user1
> is connected to user2.
>
> I have configured the OCSP server on the user2 machine, which I have
> configured to act as a CA, using this openssl command:
> starting the OCSP server: openssl ocsp -index index.txt -CA
> cacert.pem -port 3456 -rkey cakey.pem -rsigner cacert.pem
>
> My cacert is in /usr/local/etc/ipsec.d/cacerts and
> /usr/local/etc/ipsec.d/ocspcerts, the user1 and user2 certs are in
> ipsec.d/certs, and the user1 and user2 keys are in ipsec.d/private/.
> I have also made changes in the ipsec.secrets file:
> on user1:
> : RSA user1.key "passphrase"
> and similarly for user2 on the user2 machine.
>
> When I run ipsec.conf using the ipsec start command, which calls ipsec
> starter, which in turn starts pluto, and then ipsec up 59--60, which tells
> the pluto daemon to start the 59--60 connection (59--60 is the connection name),
> and check the status of the IKEv1 session using the ipsec statusall command,
> it shows an error:
>
> Status of IKEv1 pluto daemon (strongSwan 4.3.2):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth0/eth0 10.76.91.59:500
> 000 %myid = (none)
> 000 loaded plugins: aes des sha1 sha2 md5 random pubkey hmac gmp
> 000 debug options:
> raw+crypt+parsing+emitting+control+lifecycle+klips+dns+natt+oppo+controlmore
> 000 "59--60": 10.76.91.0/24===10.76.91.59[C=IN, ST=KA, L=BLR, O=CISCO,
> OU=STG-IOS, CN=USER1, E=deol.depinder at gmail.com]...10.76.91.60[C=IN,
> ST=KA, L=BLR, O=CISCO, OU=STG-IOS, CN=USER2,
> E=deol.depinder at gmail.com]===10.76.91.0/24; unrouted; eroute owner: #0
> 000 "59--60":   CAs: 'C=IN, ST=KA, O=CISCO, OU=STG-IOS, CN=CA,
> E=deol.depinder at gmail.com'...'C=IN, ST=KA, O=CISCO, OU=STG-IOS, CN=CA,
> E=deol.depinder at gmail.com'
> 000 "59--60":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin:
> 540s; rekey_fuzz: 100%; keyingtries: 1
> 000 "59--60":   policy: PUBKEY+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
> interface: eth0;
> 000 "59--60":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
>
> Please help me to resolve this error.
> Please find the user1 and user2 IPsec configuration files in the attachments.
>
> Regards
> Depinder

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
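The CA and OCSP responder set up in the forwarded message can be reproduced end to end in a scratch directory, which is usually the quickest way to find out whether the revocation check itself is the problem before looking at the IKE daemon. The script below is an added example written for this page, not code from the thread or from the strongSwan project; it assumes an `openssl` command on PATH, and the names, the responder URI (taken from the mail) and the 2048-bit keys are constructed for the demo. It shows two things the commands in the mail do not: `openssl x509 -req` does not apply the `[usr_cert]` section of openssl.cnf (those extensions are added only via `-extfile`/`-extensions`, or by `openssl ca`), and `openssl ocsp -index index.txt` can only answer for serials recorded in index.txt, which `openssl ca` maintains and `openssl x509 -req -set_serial` never writes, so such a certificate is reported as `unknown` rather than `good`.

```shell
#!/bin/sh
# Added example (not code from the thread): a CA built with `openssl ca` so that
# index.txt is maintained, two certificates issued with the OCSP AIA extension,
# one of them revoked, and a third signed with `openssl x509 -req -set_serial`,
# which never touches index.txt. The responder is driven offline (-reqin/-respout),
# the same code path as `openssl ocsp -index ... -port` without the socket.
# Assumptions: openssl CLI on PATH; names, URI and 2048-bit keys are constructed.

write_ca_config() {   # $1 = directory; $dir inside the heredoc is expanded by openssl
    cat > "$1/ca.cnf" <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = .
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/cakey.pem
default_md      = sha256
default_days    = 730
policy          = policy_any
x509_extensions = usr_cert
unique_subject  = no
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints    = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
authorityInfoAccess = OCSP;URI:http://10.76.91.60:3456
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
commonName = placeholder
EOF
}

# Build the PKI in directory $1: CA, user1/user2 via `openssl ca` (recorded in
# index.txt), user3 via `openssl x509 -req` (not recorded), then revoke user2.
demo_pki() (
    cd "$1" || exit 1
    write_ca_config .
    mkdir -p newcerts && : > index.txt && echo 01 > serial
    openssl req -x509 -new -newkey rsa:2048 -nodes -config ca.cnf -days 365 \
        -subj "/CN=Demo CA" -keyout cakey.pem -out cacert.pem 2>/dev/null
    for u in user1 user2 user3; do
        openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
            -subj "/CN=$u" -keyout "$u.key" -out "$u.csr" 2>/dev/null
    done
    for u in user1 user2; do   # [usr_cert] extensions (incl. the OCSP URI) are applied here
        openssl ca -batch -config ca.cnf -notext -in "$u.csr" -out "$u.pem" 2>/dev/null
    done
    # Same route as in the forwarded mail: valid signature, but no index.txt entry
    openssl x509 -req -days 730 -in user3.csr -CA cacert.pem -CAkey cakey.pem \
        -set_serial 03 -out user3.pem 2>/dev/null
    openssl ca -batch -config ca.cnf -revoke user2.pem 2>/dev/null
)

# Print the OCSP status word (good / revoked / unknown) for certificate $2 in $1.
# Nonces are disabled so the verification request matches the stored response.
ocsp_status() (
    cd "$1" || exit 1
    cert=$2
    # client: build the request
    openssl ocsp -no_nonce -issuer cacert.pem -cert "$cert" -reqout req.der >/dev/null 2>&1
    # responder: answer from index.txt, signing with the CA key (-rsigner/-rkey as in the mail)
    openssl ocsp -index index.txt -CA cacert.pem -rkey cakey.pem -rsigner cacert.pem \
        -reqin req.der -respout resp.der >/dev/null 2>&1
    # client: verify the response signature against the CA and read the status line
    openssl ocsp -no_nonce -issuer cacert.pem -cert "$cert" -CAfile cacert.pem \
        -respin resp.der 2>/dev/null | sed -n "s/^$cert: //p"
)

main() {
    work=$(mktemp -d)
    demo_pki "$work"
    for c in user1.pem user2.pem user3.pem; do
        printf '%s: %s\n' "$c" "$(ocsp_status "$work" "$c")"
    done
    rm -rf "$work"
}
main
```

Run as `sh ocsp_demo.sh`; it prints `good` for user1, `revoked` for user2 and `unknown` for user3. The last line is the check worth keeping in mind when a responder is started with `-index`: a certificate signed outside `openssl ca` can verify fine against the CA certificate while still being unverifiable through OCSP, and a client that treats `unknown` as a failure (as strongSwan does by default) will not bring the connection up.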