
Issues with OpenSWAN / Cisco 2911 IOS 15 and Digital Certificates!

joemadden1989
Level 1

Hi all,

 

Currently working on a project that requires a site-to-site VPN using. We have chosen to authenticate using Digital Certificates (rsasig on Cisco).

 

Please see below for an outline of the Cisco configuration:

 

crypto pki trustpoint ipsecvpn
 enrollment terminal
 fqdn gw.test.com
 subject-name CN=gw.test.com,OU=TestOU,O=TestCompany,C=UK
 revocation-check none
 rsakeypair testrsapair

crypto pki certificate chain testrsapair
 certificate 0A
  certificate hash here ###
 certificate ca 00E36E3DF10610AFEF
  certificate hash here ###

crypto isakmp policy 10
 encr aes 256
 group 5
 lifetime 3600

crypto ipsec transform-set IPSEC1 esp-aes 256 esp-sha-hmac
 mode tunnel

crypto map test1 10 ipsec-isakmp
 set peer 10.67.0.2
 set transform-set IPSEC1
 match address VPNTRAF1

interface GigabitEthernet0/0
 ip address 10.67.0.1 255.255.255.0
 duplex auto
 speed auto
 crypto map test1

 

I used the enrollment terminal to generate a CSR, signed it, and subsequently imported it back into the router. I believe this side of things is set up correctly.

 

The OpenSWAN config is as follows:

 

conn tunnelipsec
        authby=rsasig
        auto=start
        type=tunnel
        #
        left=10.67.0.2
        leftid="C=UK, O=testo2, OU=ou2, CN=gw.test1.org.uk"
        leftsubnets=10.123.34.8/29,10.123.32.40/29,10.123.32.64/28
        leftcert=gw.test1.org.uk
        leftrsasigkey=%cert
        leftca="/etc/ipsec.d/cacerts/masterca.pem"
        #
        right=10.67.0.1
        rightid=" OU=TestOU, O=TestCompany, C=UK, CN= gw.test.com "
        rightsubnet=192.168.12.0/24
        rightca="/etc/ipsec.d/cacerts/masterca.pem"
        keyexchange=ike
        ike=aes256-sha1;modp1536!
        #sha2_truncbug=yes
        phase2=esp
        phase2alg=aes256-sha1!

 

This configuration worked with Pre-Shared Keys (minus the certificate part, obviously); however, it does not work when you introduce certificate-based authentication. OpenSWAN does authenticate with the router, but the router fails to find the correct certificate to return. The router log output looks like this:

 

Dec  5 11:24:47.819: ISAKMP (1044): received packet from 10.67.0.2 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Dec  5 11:24:47.819: ISAKMP:(1044):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec  5 11:24:47.819: ISAKMP:(1044):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Dec  5 11:24:47.819: ISAKMP:(1044): processing ID payload. message ID = 0
*Dec  5 11:24:47.819: ISAKMP (1044): ID payload
                next-payload : 6
                type         : 2
                FQDN name    : gw.test1.org.uk
                protocol     : 0
                port         : 0
                length       : 23
*Dec  5 11:24:47.819: ISAKMP:(0):: peer matches *none* of the profiles
*Dec  5 11:24:47.819: ISAKMP:(1044): processing CERT payload. message ID = 0
*Dec  5 11:24:47.819: ISAKMP:(1044): processing a CT_X509_SIGNATURE cert
*Dec  5 11:24:47.819: ISAKMP:(1044): IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.819: ISAKMP:(1044): PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.819: ISAKMP:(1044): IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.823: ISAKMP:(1044): PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.823: ISAKMP:(1044): peer's pubkey isn't cached
*Dec  5 11:24:47.823: ISAKMP:(0):: peer matches *none* of the profiles
*Dec  5 11:24:47.823: ISAKMP:(1044): IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.831: ISAKMP:(1044): PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.831: ISAKMP:(1044): processing CERT_REQ payload. message ID = 0
*Dec  5 11:24:47.831: ISAKMP:(1044): peer wants a CT_X509_SIGNATURE cert
*Dec  5 11:24:47.831: ISAKMP:(1044): issuer not specified in cert request
*Dec  5 11:24:47.831: ISAKMP:(1044): No issuer name in cert request.
*Dec  5 11:24:47.831: ISAKMP:(1044): processing SIG payload. message ID = 0
*Dec  5 11:24:47.839: ISAKMP:(1044):SA authentication status:
                authenticated

 

The router then goes on to get its own certificate, at which point it fails:

 

*Dec  5 11:24:47.839: ISAKMP:(1044):SA has been authenticated with 10.67.0.2
*Dec  5 11:24:47.839: ISAKMP:(1044):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec  5 11:24:47.839: ISAKMP:(1044):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Dec  5 11:24:47.839: ISAKMP:(1044): IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.839: ISAKMP:(1044): PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer 10.67.0.2 )
*Dec  5 11:24:47.839: ISAKMP:(1044):Unable to get router cert or routerdoes not have a cert: needed to find DN!
*Dec  5 11:24:47.839: ISAKMP:(1044):SA is doing RSA signature authentication using id type ID_IPV4_ADDR
*Dec  5 11:24:47.839: ISAKMP (1044): ID payload
                next-payload : 6
                type         : 1
                address      : 10.67.0.1
                protocol     : 17
                port         : 500
                length       : 12
*Dec  5 11:24:47.839: ISAKMP:(1044):Total payload length: 12
*Dec  5 11:24:47.839: ISAKMP (1044): no cert chain to send to peer
*Dec  5 11:24:47.839: ISAKMP (1044): peer did not specify issuer and no suitable profile found
*Dec  5 11:24:47.839: ISAKMP (1044): FSM action returned error: 2
*Dec  5 11:24:47.839: ISAKMP:(1044):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec  5 11:24:47.839: ISAKMP:(1044):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Dec  5 11:24:57.831: ISAKMP (1044): received packet from 10.67.0.2  dport 500 sport 500 Global (R) MM_KEY_EXCH
*Dec  5 11:24:57.831: ISAKMP:(1044): phase 1 packet is a duplicate of a previous packet.
*Dec  5 11:24:57.831: ISAKMP:(1044): retransmitting due to retransmit phase 1
*Dec  5 11:24:57.831: ISAKMP:(1044): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
*Dec  5 11:25:02.703: ISAKMP:(1041):purging node 1858511306
*Dec  5 11:25:02.703: ISAKMP:(1041):purging node -560727786
*Dec  5 11:25:02.703: ISAKMP:(1041):purging node 464479444
*Dec  5 11:25:02.707: ISAKMP: set new node 0 to QM_IDLE

 


I assume the far end should include an issuer from the certificate in one of the requests, but it is failing to do so. Is there a way to force the Cisco to send a specific certificate regardless of an issuer? Or indeed to get the Cisco to read the peer's certificate and therefore find its assigned certificate and return it?

 

The 2911 runs IOS 15.4 M5 (I think, from memory).

 

Thanks for any assistance.

 

Joe.
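What the router means by "issuer not specified in cert request", as an added example that is not part of the original post: a small Python encoder/parser for the IKEv1 Certificate Request payload (RFC 2408 section 3.10), whose Certificate Authority field is the DER Distinguished Name of an acceptable issuer. The issuer-less payload the log complains about is the 5-byte form; the form carrying the CA's DN gives the responder something to match its own certificate against. The OID table and the short-length-only DER handling are simplifications assumed for this example, and the DN values are the ones from the post.

```python
import struct

CT_X509_SIGNATURE = 4  # RFC 2408 certificate type "X.509 Certificate - Signature"
# DER-encoded attribute type OIDs for the attributes that appear in the post's DNs (assumed table)
OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}
ATTRS = {v: k for k, v in OIDS.items()}

def _tlv(tag, body):
    """DER tag-length-value; short-form lengths only, enough for DNs under 128 bytes."""
    if len(body) >= 128:
        raise ValueError("long-form DER lengths not handled in this example")
    return bytes([tag, len(body)]) + body
def _untlv(buf, pos):
    """Read one short-form TLV at pos; return (tag, body, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    if length >= 128:
        raise ValueError("long-form DER lengths not handled in this example")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length
def encode_dn(dn):
    """'C=UK, O=TestCompany' -> DER Name: SEQUENCE of SET of SEQUENCE {OID, PrintableString}."""
    rdns = b""
    for rdn in dn.split(","):
        attr, value = (p.strip() for p in rdn.split("=", 1))
        atv = _tlv(0x06, OIDS[attr]) + _tlv(0x13, value.encode("ascii"))
        rdns += _tlv(0x31, _tlv(0x30, atv))
    return _tlv(0x30, rdns)
def decode_dn(der):
    """Inverse of encode_dn, in the order the RDNs appear on the wire."""
    _, rdns, _ = _untlv(der, 0)
    parts, pos = [], 0
    while pos < len(rdns):
        _, set_body, pos = _untlv(rdns, pos)   # SET
        _, atv, _ = _untlv(set_body, 0)        # SEQUENCE
        _, oid, p = _untlv(atv, 0)
        _, value, _ = _untlv(atv, p)
        parts.append(ATTRS[oid] + "=" + value.decode("ascii"))
    return ", ".join(parts)

def build_certreq(issuer_dn=None, next_payload=0):
    """CERT_REQ payload. issuer_dn=None gives the 5-byte issuer-less form the log
    complains about; a DN names the CA whose certificate the responder should return."""
    ca = encode_dn(issuer_dn) if issuer_dn else b""
    return struct.pack("!BBHB", next_payload, 0, 5 + len(ca), CT_X509_SIGNATURE) + ca
def parse_certreq(payload):
    """Return (cert_type, issuer_dn or None) the way a responder would read it."""
    _, _, length, cert_type = struct.unpack("!BBHB", payload[:5])
    if length != len(payload):
        raise ValueError("CERT_REQ payload length mismatch")
    ca = payload[5:length]
    return cert_type, (decode_dn(ca) if ca else None)
```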

1 Reply

joemadden1989
Level 1

It would appear that OpenSWAN is at fault. These configuration values work router-to-router but not router-to-OpenSWAN.