IPSEC status on RUTX50

Hi there,

I have been trying to establish an IPsec link with certificates between a Linux libreswan system on Ubuntu:

The Ubuntu side shows the link as being up:

ipsec whack --trafficstatus
006 #326: "vpntest-vpn/1x1"[1] 92.99.99.99, type=ESP, add_time=0, inBytes=0, outBytes=0, maxBytes=2^63B, id='adminXRUTX50XXX'

But on the RUTX50:

ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.229, armv7l):
uptime: 13 minutes, since Feb 13 17:28:35 2024
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
Virtual IP pools (size/online/offline):
172.31.32.120/32: 1/0/0
Listening IP addresses:
192.168.1.1
fd6e:31f6:d0c4::1
10.136.230.89
Connections:
AWS-AWS_c: %any...XX.XX.XX.XX IKEv2, dpddelay=30s
AWS-AWS_c: local: [C=GB, ST=Middlesex, L=XXXX, O=XXXXX, OU=IPSEC CLIENT, CN=adminXRUTX50.XXX_co.uk, E=supportXXXX_co.uk] uses public key authentication
AWS-AWS_c: cert: "C=GB, ST=Middlesex, L=XXXX, O=XXXXX, OU=IPSEC CLIENT, CN=adminXRUTX50.XXX_co.uk, E=supportXXXX_co.uk"
AWS-AWS_c: remote: [C=GB, ST=Middlesex, L=XXXX, O=XXXXX, OU=IPSEC SERVER, CN=ip-172-31-32-120.XXXXX_com, E=supportXXXX_co.uk] uses public key authentication
AWS-AWS_c: cert: "C=GB, ST=Middlesex, L=XXXX, O=XXXXX, OU=IPSEC SERVER, CN=ip-172-31-32-120.XXXXX_com, E=supportXXXX_co.uk"
AWS-AWS_c: child: 192.168.1.0/24 === 172.31.32.0/20 TUNNEL, dpdaction=restart
Security Associations (0 up, 0 connecting):
none

The log shows:

Tue Feb 13 17:33:14 2024 daemon.info ipsec: 10[IKE] received end entity cert "C=GB, ST=Middlesex, L=XXXX, O=XXXXX, OU=IPSEC SERVER, CN=ip-172-31-32-120.XXX_com, E=supportXXXX_co.uk"
Tue Feb 13 17:33:14 2024 daemon.info ipsec: 10[IKE] no trusted RSA public key found for 'CN=ip-172-31-32-120.XXX_com'
Tue Feb 13 17:33:14 2024 daemon.info ipsec: 10[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]

So I have used just the CN as the remote identity. If strongSwan requires the ID to be the full cert, then the GUI interface restricts the number of characters I can use. The only copy of ipsec.conf that I can find from the CLI resides under /var/ipsec, but this is overwritten by an ipsec restart.

ip xfrm pol shows no kernel route either:

ip xfrm pol

src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0

Could you please advise on how I can resolve this issue?

Thanks

Dek

I finally made some progress.

I recreated the certificate for the libreswan side with SANs for the FQDN, email and IP. I loaded the server cert onto the RUT so that incoming connections could match IDs.

I set leftid on the Linux box and the remote ID on the RUTX50 to the libreswan IP.

I rebooted again today and logread | grep ipsec showed:

Wed Feb 14 11:23:13 2024 daemon.info ipsec: 14[CFG] checking certificate status of "C=GB, ST=Middlesex, L=XXXXXX, O=XXXXX, OU=IPSECSVR, CN=IP-172-31-32-120.XXXcom, E=support@XXXXX.couk"
Wed Feb 14 11:23:13 2024 daemon.info ipsec: 14[CFG] certificate status is not available
Wed Feb 14 11:23:13 2024 daemon.info ipsec: 14[CFG] reached self-signed root ca with a path length of 0
Wed Feb 14 11:23:13 2024 daemon.info ipsec: 14[CFG] using trusted certificate "C=GB, ST=Middlesex, L=XXXXX, O=XXXXX, OU=IPSECSVR, CN=IP-172-31-32-120.XXXcom, E=support@XXXXX.couk"
Wed Feb 14 11:23:13 2024 daemon.info ipsec: 14[IKE] authentication of '172.31.32.120' with RSA_EMSA_PKCS1_SHA2_256 successful
Wed Feb 14 11:23:13 2024 daemon.info ipsec: 14[IKE] IKE_SA AWS-AWS_c[1] established between 192.168.0.101[C=GB, ST=Middlesex, L=XXXXX, O=XXXXXX, OU=IPSEC CLIENT, CN=admin@RUTX50.XXX.couk, E=support@XXXXXcouk]...3.11.30.136[172.31.32.120]
Wed Feb 14 11:23:13 2024 daemon.info ipsec: 14[IKE] scheduling reauthentication in 85511s
Wed Feb 14 11:23:13 2024 daemon.info ipsec: 14[IKE] maximum IKE_SA lifetime 86051s
Wed Feb 14 11:23:13 2024 daemon.info ipsec: 14[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Wed Feb 14 11:23:13 2024 daemon.info ipsec: 14[IKE] CHILD_SA AWS-AWS_c{1} established with SPIs ca030b3b_i 0608b770_o and TS 192.168.1.0/24 === 172.31.32.0/20
Wed Feb 14 11:23:33 2024 daemon.info ipsec: 07[IKE] sending keep alive to 3.11.30.136[4500]
Wed Feb 14 11:23:43 2024 daemon.info ipsec: 12[IKE] sending DPD request

So now the RUTX shows:

ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.229, armv7l):
uptime: 56 minutes, since Feb 14 11:23:11 2024
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
Virtual IP pools (size/online/offline):
172.31.32.120/32: 1/0/0
Listening IP addresses:
192.168.0.101
2a02:c7c:66a2:3d00:2297:27ff:fe00:513e
fd99:2367:d49a:0:2297:27ff:fe00:513e
192.168.1.1
fd6e:31f6:d0c4::1
Connections:
AWS-AWS_c: %any...XXXXX IKEv2, dpddelay=30s

AWS-AWS_c[1]: IKEv2 SPIs: 71fe07cafd180338_i* a7c04777632f81cb_r, public key reauthentication in 22 hours
AWS-AWS_c[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096
AWS-AWS_c{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1dbbe7d_i b45bf4ae_o
AWS-AWS_c{2}: AES_CBC_256/HMAC_SHA1_96/MODP_4096, 0 bytes_i, 0 bytes_o, rekeying in 35 minutes
AWS-AWS_c{2}: 192.168.1.0/24 === 172.31.32.0/20

And now the kernel policy for routing:

ip xfrm pol
src 192.168.1.0/24 dst 172.31.32.0/20
dir out priority 377471
tmpl src 192.168.0.101 dst XX.XX.XX.XX
proto esp spi 0xb45bf4ae reqid 1 mode tunnel
src 172.31.32.0/20 dst 192.168.1.0/24
dir fwd priority 377471
tmpl src XX.XX.XX.XX dst 192.168.0.101
proto esp reqid 1 mode tunnel
src 172.31.32.0/20 dst 192.168.1.0/24
dir in priority 377471
tmpl src XX.XX.XX.XX dst 192.168.0.101
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0

So when using certs for auth, the GUI interface restricts the number of characters that can be used for the remote ID, whereas strongSwan ideally wants to use the full SN to match against the local copy of the remote cert, such as:

"C=XX, ST=XXXXX, L=XXXXX, O=XXXXX, OU=XXXXX, CN=NAME-XX-XX-XX-XXcom, E=support@XXXXX.couk"

Creating the cert with SANs with much shorter names, which can then be used for the ID.

SAN was of the form:

email@XXX_XX_uk, FQDN_XX_com, IPXX.XX.XX.XX

I hope that this helps

Thanks

DeK
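Added example, not part of this thread or of the Teltonika/strongSwan/libreswan code: the script below reproduces the situation from both posts with OpenSSL. The first post's failure ("no trusted RSA public key found for 'CN=...'") is what strongSwan reports when the configured remote ID, which it parses as a DN because it contains "=", does not equal the certificate's full subject DN and the certificate has no subjectAltName to match instead; the second post fixed it by issuing the server certificate with SANs, so that a short ID (the IP, the FQDN or the e-mail) matches. The script builds one self-signed server certificate with SANs and one without, then lists the identity strings each can match a peer ID against. The subject, e-mail, IP, file paths and the `id_matches` helper are assumptions for illustration; `id_matches` uses plain string equality, whereas strongSwan compares DNs structurally and matches SANs by type, so treat it as a quick sanity check, not a reimplementation. Needs OpenSSL 1.1.1 or newer for `-addext`.

```shell
#!/bin/sh
# Added example (not from the thread): issue a self-signed IPsec server cert
# with SANs for FQDN, e-mail and IP, plus one without, and show which peer IDs
# each can be matched against. Names, addresses and paths are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SUBJ="/C=GB/ST=Middlesex/O=Example/OU=IPSEC SERVER/CN=ip-172-31-32-120.example.com/emailAddress=support@example.co.uk"
SAN="DNS:ip-172-31-32-120.example.com,email:support@example.co.uk,IP:172.31.32.120"

# make_cert <out-prefix> [subjectAltName value]
# Self-signed RSA key + cert, like the "self-signed root ca with a path length
# of 0" the second post loaded onto the router. SAN is optional on purpose.
make_cert() {
    prefix=$1; san=${2:-}
    if [ -n "$san" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$SUBJ" \
            -addext "subjectAltName=$san" \
            -keyout "$prefix.key" -out "$prefix.pem" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$SUBJ" \
            -keyout "$prefix.key" -out "$prefix.pem" >/dev/null 2>&1
    fi
}

# Full subject DN on one line in "C=GB, ST=..., CN=..." form (the form
# strongSwan prints); works with both 1.1.1 and 3.x output styles.
subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_comma_plus_space \
        | sed -e 's/^subject= *//' -e 's/ = /=/g'
}

# One SAN value per line with the "DNS:", "email:" and "IP Address:" tags
# stripped: these are the short identities usable as the remote ID.
san_identities() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' \
              -e 's/^DNS://' -e 's/^email://' -e 's/^IP Address://'
}

# Everything a peer ID could be compared against for this certificate.
cert_identities() {
    subject_dn "$1"
    san_identities "$1"
}

# id_matches <cert.pem> <peer-id>: exact, whole-line string match
# (simplification of strongSwan's structural DN / typed SAN comparison).
id_matches() {
    cert_identities "$1" | grep -qxF -- "$2"
}

make_cert "$WORK/server" "$SAN"   # what the second post ended up with
make_cert "$WORK/nosan"           # what the first post was fighting

echo "Identities for $WORK/server.pem (with SANs):"
cert_identities "$WORK/server.pem"
echo
echo "Identities for $WORK/nosan.pem (no SANs, only the full DN):"
cert_identities "$WORK/nosan.pem"
echo

# A bare "CN=..." remote ID is a one-RDN DN and never equals the full DN,
# which is exactly the AUTH_FAILED case; the SAN values do match.
for id in "CN=ip-172-31-32-120.example.com" 172.31.32.120 \
          ip-172-31-32-120.example.com support@example.co.uk; do
    if id_matches "$WORK/server.pem" "$id"; then
        echo "match:    $id"
    else
        echo "no match: $id"
    fi
done
```

On the router side the equivalent check is `ipsec listcerts` (or `swanctl --list-certs` on vici-based builds), which prints the subject and altNames of every loaded certificate; whatever appears there as a SAN is a valid short remote ID, and whatever is only in the subject must be given as the complete DN.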
