[strongSwan] Setting up strongSwan U5.1.2 <-> Openswan IPsec U2.6.37
Noel Kuntze
noel at familie-kuntze.de
Wed May 27 22:14:51 CEST 2015
Hello abi,
"key usage" and "extended key usage" are not the same thing.
They are different fields. The pki utility does not have a setting
to set that field to a value, as far as I can remember.
Openssl itself can do that though. I think the ASA complains about
a missing value in the "key usage" field, not a problem with the
"extended key usage" field.
With kind regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 27.05.2015 at 20:53, abi wrote:
> The following flags used for client
>
> X509v3 extensions:
> X509v3 Authority Key Identifier:
> keyid:9F:65:08:93:F3:CC:4E:32:78:37:47:4C:8B:9C:13:DA:A3:94:0D:B0
>
> X509v3 Subject Alternative Name:
> DNS:XXXXXXXXXXX
> X509v3 Extended Key Usage:
> TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
>
> This one for server
> X509v3 extensions:
> X509v3 Authority Key Identifier:
> keyid:9F:65:08:93:F3:CC:4E:32:78:37:47:4C:8B:9C:13:DA:A3:94:0D:B0
>
> X509v3 Subject Alternative Name:
> DNS:XXXXXXXXXXXX
> X509v3 Extended Key Usage:
> TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
>
> Still no luck without ignore-ipsec-keyusage, but now I suspect server cert. ASA is complaining about Certificate validation failed. Peer certificate key usage is invalid, serial number: 1577E3E8F6F3AD90, subject name: cn=xxxxxxxxxx,o=xxxxxxxx,c=RU.
>
> Server is generated with --flag serverAuth --flag ikeIntermediate --san xxxxxxxxx options. I took them from StrongSwan wiki
>
> On 27/05/2015 00:10, Richard Huber wrote:
>> Hello,
>>
>> I am trying to connect strongswan with openswan.
>> It works for 60 seconds, then it all dies until I restart ipsec, then it works for another 60 seconds...
>>
>> $ sudo ipsec status
>> Security Associations (1 up, 0 connecting):
>> hub[1]: ESTABLISHED 17 seconds ago, x[x]...y[y]
>> hub{1}: INSTALLED, TUNNEL, ESP SPIs: ca70896d_i 1d4e67fe_o
>> hub{1}: 192.168.45.0/24 === 10.193.160.0/23
>>
>> Fine, connection is up and running!
>>
>> After one minute this happens:
>>
>> $ sudo ipsec status
>> Security Associations (2 up, 0 connecting):
>> hub[2]: ESTABLISHED 11 seconds ago, x[x]...y[y]
>> hub[1]: DELETING, x[x]...y[y]
>> hub{1}: INSTALLED, TUNNEL, ESP SPIs: ca70896d_i 1d4e67fe_o
>> hub{1}: 192.168.45.0/24 === 10.193.160.0/23
>>
>> Log entry in auth.log
>> May 26 22:49:27 toto charon: 08[IKE] y is initiating a Main Mode IKE_SA
>> May 26 22:49:27 toto charon: 15[IKE] deleting IKE_SA hub[1] between x[x]...y[y]
>>
>> Then all traffic is dead:
>>
>> $ sudo ipsec status
>> Security Associations (1 up, 0 connecting):
>> hub[2]: ESTABLISHED 2 minutes ago, x[x]...y[y]
>>
>> Here are the logs from the openswan server:
>>
>> $ sudo ipsec auto --status | grep hub
>> 000 "hub": 10.193.160.0/23===y<y>[+S=C]...x<x>[+S=C]===192.168.45.0/24; erouted; eroute owner: #76
>> 000 "hub": myip=unset; hisip=unset;
>> 000 "hub": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
>> 000 "hub": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 23,24; interface: eth0;
>> 000 "hub": newest ISAKMP SA: #77; newest IPsec SA: #76;
>> 000 "hub": IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
>> 000 "hub": ESP algorithms wanted: 3DES(3)_000-MD5(1)_1024; flags=-strict
>> 000 "hub": ESP algorithms loaded: 3DES(3)_192-MD5(1)_1024
>> 000 "hub": ESP algorithm newest: 3DES_192-HMAC_MD5; pfsgroup=<Phase1>
>> 000 #98: "hub":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 6s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
>> 000 #77: "hub":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1907s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
>> 000 #76: "hub":500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 27535s; newest IPSEC; eroute owner; nodpd; idle; import:respond to stranger
>>
>> conn hub
>> right=y
>> rightsubnet=10.193.160.0/23
>> left=x
>> leftsubnet=192.168.45.0/24
>> auto=start
>> authby=secret
>> esp=3des-md5-1024
>> pfs=yes
>> #keyexchange = ike
>>
>> What have I done wrong? :-)
>>
>> /Richard
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
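The distinction Noel draws above (keyUsage versus extendedKeyUsage) in runnable form, as an added example that is not code from the thread, from strongSwan or from Openswan: the script issues two certificates with OpenSSL, one shaped like the one abi posted (extendedKeyUsage with serverAuth and 1.3.6.1.5.5.8.2.2, no keyUsage) and one that additionally carries a keyUsage extension, then inspects both with `openssl x509 -text`. The CA name, subject, DNS name, key size and working directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, strongSwan or Openswan): issue an IKE
# end-entity certificate with OpenSSL that carries a keyUsage extension in
# addition to the extendedKeyUsage shown in the thread, and compare it with a
# certificate that has only the EKU. CA name, subject, DNS name and paths are
# assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Two extension files. "bare" reproduces the shape quoted in the thread: EKU
# with serverAuth and ikeIntermediate (1.3.6.1.5.5.8.2.2) but no keyUsage.
# "fixed" adds the keyUsage field, which is a separate X.509 extension.
write_extfiles() {
    cat > "$WORK/bare.ext" <<'EOF'
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = DNS:vpn.example.test
authorityKeyIdentifier = keyid,issuer
EOF
    cat > "$WORK/fixed.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = DNS:vpn.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Throwaway self-signed CA (assumed; in production sign with your real CA).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=RU/O=Example/CN=Example IKE CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# make_server_cert <bare|fixed>: CSR plus CA-signed certificate using the
# matching extension file; writes $WORK/server-<variant>.crt
make_server_cert() {
    variant="$1"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=RU/O=Example/CN=vpn.example.test" \
        -keyout "$WORK/server-$variant.key" -out "$WORK/server-$variant.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/server-$variant.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$variant.ext" -out "$WORK/server-$variant.crt" 2>/dev/null
}

# Print the line that follows the given "X509v3 ..." header in -text output.
ext_value() {
    openssl x509 -in "$1" -noout -text | sed -n "/X509v3 $2/{n;p;}"
}

# Exit 0 if the certificate carries a keyUsage extension listing
# digitalSignature (what signature-based IKE authentication relies on).
has_key_usage() {
    ext_value "$1" "Key Usage:" | grep -q 'Digital Signature'
}

# Exit 0 if the EKU lists serverAuth and the IKE intermediate OID. OpenSSL
# prints the latter as the dotted OID (as in the thread) or, in some builds,
# by name, so both spellings are accepted.
has_ike_eku() {
    ext_value "$1" "Extended Key Usage" | grep -q 'TLS Web Server Authentication' &&
    ext_value "$1" "Extended Key Usage" | grep -Eiq '1\.3\.6\.1\.5\.5\.8\.2\.2|ike'
}

if [ "${1:-}" = "demo" ]; then
    write_extfiles; make_ca; make_server_cert bare; make_server_cert fixed
    for v in bare fixed; do
        if has_key_usage "$WORK/server-$v.crt"; then
            echo "$v: keyUsage present"
        else
            echo "$v: keyUsage MISSING"
        fi
    done
    echo "certificates in $WORK"
fi
```

Run it as `sh issue.sh demo`: the "bare" certificate has the same EKU as the one in the thread but no keyUsage line at all, while the "fixed" one prints both `X509v3 Key Usage: critical` and the EKU. The same fields can be checked on the strongSwan side with `ipsec pki --print --in server-fixed.crt`.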