[strongSwan] Fwd: error in establishing an ikev1 session on pluto using certs and ocsp server .
hi team,

I am trying to establish an IKEv1 session using the pluto daemon between two users, user1 and user2, using certs and an OCSP server for certificate revocation status verification.

Topology:

          CA
         /  \
     user1  user2

I have configured the CA and the OCSP server on the user2 machine using these commands:

private key of CA:
    openssl genrsa -out cakey.pem 4096
CA certificate:
    openssl req -new -x509 -days 1826 -key cakey.pem -out cacert.pem

openssl commands for generating the cert for user1 and getting it signed by the CA's private key (cakey.pem):

generating the private key for user1:
    openssl genrsa -out user1.key 4096
generating the cert request for user1:
    openssl req -new -key user1.key -out user1cert.pem
getting the cert of user1 signed by the CA using its private key:
    openssl x509 -req -days 730 -in user1cert.pem -CA cacert.pem -CAkey cakey.pem -set_serial 01 -out user1cert.pem

and similar commands for generating the user2 cert and key and getting it signed by the CA, with -set_serial 02 in the above openssl commands.

I have also made changes in the openssl.cnf file under the [usr_cert] section:

on user2, in /usr/local/ssl/openssl.cnf:
    extendedKeyUsage=OCSPSigning
    authorityInfoAccess=OCSP;URI:http://127.0.0.1:3456

on user1, in /etc/pki/tls/openssl.cnf, the only change I have made is
    URI:http://10.76.91.60:3456
the rest is the same as on user2. The URI is user2's IP address, through which user1 is connected to user2.

I have configured the OCSP server on the user2 machine, which I have configured to act as the CA, using this openssl command to start the OCSP server:
    openssl ocsp -index index.txt -CA cacert.pem -port 3456 -rkey cakey.pem -rsigner cacert.pem

My cacert is in /usr/local/etc/ipsec.d/cacerts and /usr/local/etc/ipsec.d/ocspcerts, the user1 and user2 certs are in ipsec.d/certs, and the user1 and user2 keys are in ipsec.d/private/.

I have also made changes in the ipsec.secrets file, on user1:
    : RSA user1.key passphrase
and similarly for user2 on the user2 machine.

When I run ipsec.conf using the ipsec start command, which calls ipsec starter, which in turn starts pluto, and then ipsec up 59--60, which tells the pluto daemon to start the 59--60 connection, and check the status of the IKEv1 session using the ipsec statusall command, it shows this error:

    Status of IKEv1 pluto daemon (strongSwan 4.3.2):
    000 interface lo/lo ::1:500
    000 interface lo/lo 127.0.0.1:500
    000 interface eth0/eth0 10.76.91.59:500
    000 %myid = (none)
    000 loaded plugins: aes des sha1 sha2 md5 random pubkey hmac gmp
    000 debug options: raw+crypt+parsing+emitting+control+lifecycle+klips+dns+natt+oppo+controlmore
    000
    000 59--60: 10.76.91.0/24===10.76.91.59[C=IN, ST=KA, L=BLR, O=CISCO, OU=STG-IOS, CN=USER1, e=deol.depin...@gmail.com]...10.76.91.60[c=in, ST=KA, L=BLR, O=CISCO, OU=STG-IOS, CN=USER2, e=deol.depin...@gmail.com]===10.76.91.0/24; unrouted; eroute owner: #0
    000 59--60: CAs: 'C=IN, ST=KA, O=CISCO, OU=STG-IOS, CN=CA, e=deol.depin...@gmail.com'...'C=IN, ST=KA, O=CISCO, OU=STG-IOS, CN=CA, e=deol.depin...@gmail.com'
    000 59--60: ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
    000 59--60: policy: PUBKEY+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
    000 59--60: newest ISAKMP SA: #0; newest IPsec SA: #0;
    000

Please help me to resolve this error. Please find the user1 and user2 IPsec configuration files in the attachments.

Regards
Depinder

Attachment: ipsec.conf on user1 (10.76.91.59)

    config setup
        plutodebug=all
        plutostderrlog=yes
        crlcheckinterval=180
        strictcrlpolicy=yes
        cachecrls=no
        nat_traversal=no
        charonstart=no
        plutostart=yes

    conn %default
        ike=3des-sha1-modp1536!
        esp=3des-sha1!
        authby=rsasig
        keyexchange=ikev1
        ikelifetime=60m
        keylife=20m
        keyingtries=1

    ca rootca
        cacert=/usr/local/etc/ipsec.d/cacerts/cacert.pem
        ocspuri=http://10.76.91.60:3456
        auto=add

    conn 59--60
        left=10.76.91.59
        leftsubnet=10.76.91.0/24
        leftrsasigkey=%cert
        leftcert=/usr/local/etc/ipsec.d/certs/user1cert.pem
        leftid=C=IN,ST=KA,O=CISCO,OU=STG-IOS,CN=USER1
        right=10.76.91.60
        rightsubnet=10.76.91.0/24
        rightrsasigkey=%cert
        rightcert=/usr/local/etc/ipsec.d/certs/user2cert.pem
        rightid=C=IN,ST=KA,O=CISCO,OU=STG-IOS,CN=USER2
        auto=start

Attachment: ipsec.conf on user2 (10.76.91.60), cut off in the copy on this page

    config setup
        plutodebug=all
        plutostderrlog=yes
        crlcheckinterval=180
        strictcrlpolicy=yes
        cachecrls=no
        nat_traversal=no
        charonstart=no
        plutostart=yes

    conn %default
        ike=3des-sha1-modp1536!
        esp=3des-sha1!
        authby=rsasig
        keyexchange=ikev1
        ikelifetime=60m
        keylife=20m
        keyingtries=1

    ca rootca
        cacert=/usr/local/etc/ipsec.d/cacerts/cacert.pem
        ocspuri=http://127.0.0.1:3456
        auto=add

    conn 59--60
        left=10.76.91.60
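An added example, not from the thread, that reproduces the responder command from the post offline and shows what an `openssl ocsp -index` responder can and cannot answer. It builds a throwaway CA in a temporary directory with the `openssl` CLI (assumed available, 1.1.1 or newer; the CNs, paths and port in it are the demo's own), issues one certificate through `openssl ca` and one the way the post does it with `openssl x509 -req -set_serial`, and queries the responder for each by exchanging DER files via `-reqin`/`-respout` instead of listening on a port. The check a practitioner would want: the responder answers purely from index.txt, which only `openssl ca` (issuing and `-revoke`) maintains, so a certificate never recorded there gets `unknown`, not `good`; and a [usr_cert] section in openssl.cnf is applied by `openssl ca` (or `openssl x509 -req -extfile`), not by plain `openssl x509 -req`. Whether either is what pluto tripped over cannot be told from `ipsec statusall`, which is why the reply below asks for the log; with strictcrlpolicy=yes pluto needs a definitive status from the responder.

```shell
#!/bin/sh
# Added example (not from the thread): exercise an `openssl ocsp -index` responder
# offline, with the same -index/-CA/-rsigner/-rkey arguments as in the post but
# -reqin/-respout instead of -port, and see what it answers for
#   (a) a certificate issued with `openssl ca`  (recorded in index.txt),
#   (b) the same certificate after `openssl ca -revoke`,
#   (c) a certificate signed with `openssl x509 -req -set_serial` (never recorded).
# Everything is built in a throwaway directory; nothing from the post is reused.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal CA config, constructed for this demo. The [usr_cert] extensions
# (including the AIA pointer) are applied by `openssl ca`; plain
# `openssl x509 -req` does not read extensions from openssl.cnf.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir             = .
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/cakey.pem
default_md      = sha256
default_days    = 365
policy          = demo_policy
x509_extensions = usr_cert

[ demo_policy ]
commonName = supplied

[ usr_cert ]
basicConstraints    = CA:FALSE
authorityInfoAccess = OCSP;URI:http://127.0.0.1:3456

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign, digitalSignature

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
commonName = placeholder
EOF
mkdir newcerts
: > index.txt
echo 01 > serial

# CA key and self-signed CA certificate (unencrypted key, unlike the post's).
openssl req -config ca.cnf -new -x509 -extensions v3_ca -nodes -newkey rsa:2048 \
    -keyout cakey.pem -out cacert.pem -subj /CN=CA -days 365 2>/dev/null

# (a) user1: issued through `openssl ca`, so index.txt records serial 01.
openssl req -config ca.cnf -new -nodes -newkey rsa:2048 \
    -keyout user1.key -out user1.csr -subj /CN=USER1 2>/dev/null
openssl ca -config ca.cnf -batch -notext -in user1.csr -out user1cert.pem 2>/dev/null

# (c) user2: signed the way the post does it; index.txt never hears about it.
openssl req -config ca.cnf -new -nodes -newkey rsa:2048 \
    -keyout user2.key -out user2.csr -subj /CN=USER2 2>/dev/null
openssl x509 -req -days 365 -in user2.csr -CA cacert.pem -CAkey cakey.pem \
    -set_serial 02 -out user2cert.pem 2>/dev/null

# Ask the responder about one certificate; prints "good", "revoked" or "unknown".
# Client and responder are separate commands exchanging DER files instead of HTTP.
# Nonces are off on both sides because the verify step rebuilds the request.
ocsp_status() {
    cert=$1
    # client side: build the request a client such as pluto would send
    openssl ocsp -issuer cacert.pem -cert "$cert" -no_nonce -reqout req.der >/dev/null 2>&1
    # responder side: the post's arguments, minus -port
    openssl ocsp -index index.txt -CA cacert.pem -rsigner cacert.pem -rkey cakey.pem \
        -no_nonce -reqin req.der -respout resp.der >/dev/null 2>&1
    # client side: verify the response against the CA and read out the status
    openssl ocsp -issuer cacert.pem -cert "$cert" -no_nonce -CAfile cacert.pem \
        -respin resp.der 2>/dev/null |
        awk -v c="$cert" -F': ' '$1 == c { print $2; exit }'
}

STATUS_ISSUED=$(ocsp_status user1cert.pem)
openssl ca -config ca.cnf -revoke user1cert.pem 2>/dev/null
STATUS_REVOKED=$(ocsp_status user1cert.pem)
STATUS_UNRECORDED=$(ocsp_status user2cert.pem)

echo "user1 (openssl ca):            $STATUS_ISSUED"
echo "user1 after -revoke:           $STATUS_REVOKED"
echo "user2 (x509 -req -set_serial): $STATUS_UNRECORDED"
```

Run it as `sh ocsp-demo.sh`; it prints `good`, `revoked` and `unknown` in that order. `-no_nonce` is passed on every side only because the verification step rebuilds the request from `-issuer`/`-cert` and a fresh nonce would not match the one copied into the stored response; a live client talking to `-port 3456` keeps nonces on. The same three-way split (good / revoked / unknown) is what a strict peer sees, so the first thing to confirm against a real responder is that the serials it is asked about actually appear in its index.txt.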
Re: [strongSwan] Fwd: error in establishing an ikev1 session on pluto using certs and ocsp server .
Hello,

you only show the configuration files and the output of ipsec statusall, but I need the log file in order to see why the connection doesn't come up.

Regards

Andreas

On 07/22/2010 01:47 PM, depinder singh deol wrote:
-- Forwarded message --
From: depinder singh deol <deol.depin...@gmail.com>
Date: Thu, 22 Jul 2010 17:13:28 +0530
Subject: error in establishing an ikev1 session on pluto using certs and ocsp server .
To: openssl-us...@openssl.org

--
==
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users