[strongSwan] Setting up strongSwan U5.1.2 <-> Openswan IPsec U2.6.37

Noel Kuntze noel at familie-kuntze.de
Wed May 27 23:10:44 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Abi,

Yep.

And that's X509, not RSA here. Different standards.

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 27.05.2015 at 23:10, abi wrote:
> Hello Noel.
>
> Looks like I replied to wrong thread, just a misclick. Thank you, I'll read some theory about RSA fields then.
>
> On 27/05/2015 23:14, Noel Kuntze wrote:
> Hello abi,
>
> "key usage" and "extended key usage" are not the same thing.
> They are different fields. The pki utility does not have a setting
> to set that field to a value, as far as I can remember.
> Openssl itself can do that though. I think the ASA complains about
> a missing value in the "key usage" field, not a problem with the
> "extended key usage" field.
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 27.05.2015 at 20:53, abi wrote:
> >>> The following flags used for client
> >>>
> >>>          X509v3 extensions:
> >>>              X509v3 Authority Key Identifier:
> >>> keyid:9F:65:08:93:F3:CC:4E:32:78:37:47:4C:8B:9C:13:DA:A3:94:0D:B0
> >>>
> >>>              X509v3 Subject Alternative Name:
> >>>                  DNS:XXXXXXXXXXX
> >>>              X509v3 Extended Key Usage:
> >>>                  TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
> >>>
> >>> This one for server
> >>>          X509v3 extensions:
> >>>              X509v3 Authority Key Identifier:
> >>> keyid:9F:65:08:93:F3:CC:4E:32:78:37:47:4C:8B:9C:13:DA:A3:94:0D:B0
> >>>
> >>>              X509v3 Subject Alternative Name:
> >>>                  DNS:XXXXXXXXXXXX
> >>>              X509v3 Extended Key Usage:
> >>>                  TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
> >>>
> >>> Still no luck without ignore-ipsec-keyusage, but now I suspect server cert. ASA is complaining about: Certificate validation failed. Peer certificate key usage is invalid, serial number: 1577E3E8F6F3AD90, subject name: cn=xxxxxxxxxx,o=xxxxxxxx,c=RU.
> >>>
> >>> Server is generated with --flag serverAuth --flag ikeIntermediate --san xxxxxxxxx options. I took them from StrongSwan wiki
> >>>
> >>> On 27/05/2015 00:10, Richard Huber wrote:
> >>>> Hello,
> >>>>
> >>>> I am trying to connect strongswan with openswan.
> >>>> It works for 60 seconds, then it all dies until I restart ipsec, then it works for another 60 seconds...
> >>>>
> >>>> $ sudo ipsec status
> >>>> Security Associations (1 up, 0 connecting):
> >>>>           hub[1]: ESTABLISHED 17 seconds ago, x[x]...y[y]
> >>>>           hub{1}:  INSTALLED, TUNNEL, ESP SPIs: ca70896d_i 1d4e67fe_o
> >>>>           hub{1}:   192.168.45.0/24 === 10.193.160.0/23
> >>>>
> >>>> Fine, connection is up and running!
> >>>>
> >>>> After one minute this happens:
> >>>>
> >>>> $ sudo ipsec status
> >>>> Security Associations (2 up, 0 connecting):
> >>>>           hub[2]: ESTABLISHED 11 seconds ago, x[x]...y[y]
> >>>>           hub[1]: DELETING, x[x]...y[y]
> >>>>           hub{1}:  INSTALLED, TUNNEL, ESP SPIs: ca70896d_i 1d4e67fe_o
> >>>>           hub{1}:   192.168.45.0/24 === 10.193.160.0/23
> >>>>
> >>>> Log entry in auth.log
> >>>> May 26 22:49:27 toto charon: 08[IKE] y is initiating a Main Mode IKE_SA
> >>>> May 26 22:49:27 toto charon: 15[IKE] deleting IKE_SA hub[1] between x[x]...y[y]
> >>>>
> >>>> Then all traffic is dead:
> >>>>
> >>>> $ sudo ipsec status
> >>>> Security Associations (1 up, 0 connecting):
> >>>>           hub[2]: ESTABLISHED 2 minutes ago, x[x]...y[y]
> >>>>
> >>>> Here are the logs from the openswan server:
> >>>>
> >>>> $ sudo ipsec auto --status | grep hub
> >>>> 000 "hub": 10.193.160.0/23===y<y>[+S=C]...x<x>[+S=C]===192.168.45.0/24; erouted; eroute owner: #76
> >>>> 000 "hub":     myip=unset; hisip=unset;
> >>>> 000 "hub":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> >>>> 000 "hub":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 23,24; interface: eth0;
> >>>> 000 "hub":   newest ISAKMP SA: #77; newest IPsec SA: #76;
> >>>> 000 "hub":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
> >>>> 000 "hub":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_1024; flags=-strict
> >>>> 000 "hub":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_1024
> >>>> 000 "hub":   ESP algorithm newest: 3DES_192-HMAC_MD5; pfsgroup=<Phase1>
> >>>> 000 #98: "hub":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 6s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> >>>> 000 #77: "hub":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1907s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> >>>> 000 #76: "hub":500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 27535s; newest IPSEC; eroute owner; nodpd; idle; import:respond to stranger
> >>>>
> >>>> conn hub
> >>>>         right=y
> >>>>         rightsubnet=10.193.160.0/23
> >>>>         left=x
> >>>>         leftsubnet=192.168.45.0/24
> >>>>         auto=start
> >>>>         authby=secret
> >>>>         esp=3des-md5-1024
> >>>>         pfs=yes
> >>>>         #keyexchange = ike
> >>>>
> >>>> What have I done wrong? :-)
> >>>>
> >>>> /Richard
> >>>> _______________________________________________
> >>>> Users mailing list
> >>>> Users at lists.strongswan.org
> >>>> https://lists.strongswan.org/mailman/listinfo/users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJVZjLUAAoJEDg5KY9j7GZYVhAP/1q+rbMZvfXpeOT6BOliZg9W
V4noTfHZ3l+TRG4pOipAgvowCINaF2u+MT9LZzza8rdgkNq9Mhfg/6g4YKAnpg5e
uaxIJsKNZTQYSe/dQ/IfvlLK1CWE2qFQkMw1XGl4u+16n60MD0CJ9+YSRFSrGjTl
FGPaUOdbcY5VmVntD/1TgHVFhdcRJFKh8cHNnsVfM1HzzE+sutFQjbTC0mUkxTUY
aGWNe8M8jXbxKfbMd1OidrpTKYSMg4bimjDZAEzYgMcQMpy9P9sx0x/0GCZQm034
RD10JAEXymvJsUYs+yqWZpf7A98lxfgpRfaJpSM+HP8woHM3neDVBWbgDTbDpR0t
8rX5yBK3sbSw5OHqFn3dCzVpVvIe10CJTdIOXwT8Ck/4/2dk57G/CDIYI0E8enJc
kU2vKqrZiJbp3+38kmLrv+7NOYKlO3SZJilOxzhDD1VeAp8n0lSsGYnDfkDC13oF
0fodprB2RlmoHkZJL+9X0l2O7jIFccEXDY1yWvYen8QNbHO8wy5H1GJxb8FE4Ob9
5+VnTddYM0paEbI0oDyRIFMyKuysM5tXcV0s/wLLHLl/UQuO9rbB3MHSSJeKUXSg
W9JfO/ZSmA2hWb4o1PDQoKHmIfCirLUC71Xoam4y0F11m9Q2xDR8VKKhCpYV/w3Q
rf0lC0arDYN0NFcC9Y2x
=S2qQ
-----END PGP SIGNATURE-----
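The exchange above turns on two distinct X.509v3 extensions: "key usage" (keyUsage, OID 2.5.29.15, a bit string such as digitalSignature/keyEncipherment) and "extended key usage" (extendedKeyUsage, OID 2.5.29.37, a list of purpose OIDs such as serverAuth or ikeIntermediate 1.3.6.1.5.5.8.2.2). abi's certificate dump shows only the latter, and Noel's reading is that the ASA rejects the certificate for the former being absent, which strongSwan's pki --flag does not populate. The script below is an added example, not code from the thread or from the strongSwan project: it issues a CA and an IKE server certificate with OpenSSL so that both extensions are present, then reads each extension back from the certificate the way a practitioner would check what a peer is actually seeing. The CA name, the hostname vpn.example.test and the section names in the OpenSSL config are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from strongSwan: issue an IKE server
# certificate with OpenSSL so that it carries BOTH a keyUsage and an
# extendedKeyUsage extension, then read the two extensions back.
# "Example CA", vpn.example.test and the config section names are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two X.509v3 extension sections: one for the CA, one for the IKE responder.
# 1.3.6.1.5.5.8.2.2 is the ikeIntermediate EKU OID; OpenSSL has no short name
# for it, so it is written numerically (and "openssl x509 -text" prints it the
# same way, as in the thread's certificate dump).
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = DNS:vpn.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# make_certs DIR: self-signed CA plus one end-entity certificate issued by it.
make_certs() {
    dir=$1
    openssl req -x509 -new -config "$dir/openssl.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -sha256 -days 3650 \
        -subj "/O=Example/CN=Example CA" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -config "$dir/openssl.cnf" \
        -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -subj "/O=Example/CN=vpn.example.test" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 365 \
        -extfile "$dir/openssl.cnf" -extensions server_ext \
        -out "$dir/server.crt" 2>/dev/null
}

# ext_value CERT NAME: print the value line of the X509v3 extension NAME
# ("Key Usage" or "Extended Key Usage"); prints nothing if it is absent,
# which is the condition Noel suspects the ASA is complaining about.
ext_value() {
    openssl x509 -in "$1" -noout -text |
        awk -v name="X509v3 $2:" '
            found { sub(/^[ \t]+/, ""); print; exit }
            index($0, name) { found = 1 }'
}

# chain_ok CERT CA: exit 0 if CERT verifies against CA.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_certs "$WORK"
echo "server keyUsage:          $(ext_value "$WORK/server.crt" "Key Usage")"
echo "server extendedKeyUsage:  $(ext_value "$WORK/server.crt" "Extended Key Usage")"
echo "CA extendedKeyUsage:      '$(ext_value "$WORK/ca.crt" "Extended Key Usage")' (absent)"
```

The same ext_value check against the certificate the ASA rejects tells you which of the two extensions is actually missing before you touch the issuing tool; a certificate that only ever went through pki --flag will show a populated Extended Key Usage line and an empty Key Usage line. Keeping keyUsage critical, as above, is the usual CA practice and is what most peers expect when they validate it at all.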
