openswan ipsec newhostkey problem

datopdog · 03-14-2010, 01:44 AM

http://www.natecarlson.com/2007/07/3...clientopenswan to be more precise.

cecolong · 03-15-2010, 02:38 PM

I received this error from host log:

Mar 15 15:19:19 pluto[12210]: packet from 192.168.50.2:500: received Vendor ID payload [Openswan (this version) 2.6.21 ]
Mar 15 15:19:19 host-lx pluto[12210]: packet from 192.168.50.2:500: received Vendor ID payload [Dead Peer Detection]
Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: responding to Main Mode from unknown peer 192.168.50.2
Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: Main mode peer ID is ID_IPV4_ADDR: '192.168.50.2'
Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: issuer cacert not found
Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: X.509 certificate rejected

My host ipsec.conf:
version 2.0

config setup
interfaces=%defaultroute
nat_traversal=no

conn %default
keyingtries=1
compress=yes
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert

conn roadwarrior-net
leftsubnet=192.168.50.0/255.255.255.0
also=roadwarrior

conn roadwarrior
# left=%defaultroute
left=192.168.50.1
leftcert=host.example.com.pem
right=%any
rightsubnet=vhost:%no,%priv
auto=add
pfs=yes

Files on host machine:
/etc/ipsec.d/private/host.example.com.key
/etc/ipsec.d/crls/crl.pem
/etc/ipsec.d/certs/host.example.com.pem
/etc/ipsec.d/cacerts/cacert.pem

My client ipsec.conf:

version 2.0

config setup
interfaces=%defaultroute
nat_traversal=no

conn %default
keyingtries=1
compress=yes
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert

conn roadwarrior-net
leftsubnet=192.168.50.0/255.255.255.0
also=roadwarrior

conn roadwarrior
# left=%defaultroute
left=192.168.50.2
leftcert=clienthost.example.com.pem
right=192.168.50.1
rightsubnet=host.example.com.pem
auto=add
pfs=yes

Files on host machine:
/etc/ipsec.d/private/clienthost.example.com.key
/etc/ipsec.d/crls/crl.pem
/etc/ipsec.d/certs/host.example.com.pem
/etc/ipsec.d/certs/clienthost.example.com.pem
/etc/ipsec.d/cacerts/cacert.pem

where host.example.com.pem is copied from host. All other files are generated separately using CA.sh on client machine.

datopdog · 03-15-2010, 05:39 PM

The client certificate is being rejected because it was not issued by a CA the server trusts.

cecolong · 03-16-2010, 08:11 AM

Both client and server have Hardy Ubuntu 8.04. The client certificate was generated by the client CA. Since both client and server have the same Ubuntu installed from the same DVD, I expect CA.sh on the client is the same as the server. I wonder what else the server expects?

datopdog · 03-16-2010, 08:13 AM

That's not how it works, you need to create a CA then let the CA issue and sign certificates for both the server and the client.