Possible bug in web gui for ipsec



  • I'm trying to configure an IPsec site-to-site VPN (tunnel mode) between a Linux box (ipsec-tools) and a pfSense box. With a pre-shared key everything works fine. However, I was not able to establish the VPN using X.509 certificates configured through the pfSense web GUI; racoon logs this:

    ERROR: failed to get subjectAltName

    To work around it I have to set this parameter. (racoon checks that the peer's ID payload matches the certificate it presents; with the default address-type identifier it looks for the peer's IP in the certificate's subjectAltName, and a certificate without a SAN fails with the error above. Using the subject DN as the identifier compares against the certificate subject instead. The alternative, which should also work from the GUI, is to re-issue the certificates with a subjectAltName carrying the tunnel endpoint address.)

    my_identifier asn1dn;

    However, this isn't possible using the pfSense web GUI.

    So I configured the tunnel from the CLI on pfSense and everything works. Here are my config files:

    linux box (kernel-2.6.16-19, ipsec-tools-0.6.2)

    cat /etc/ipsec.conf

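    #!/usr/sbin/setkey -f
    # SPD for the Linux side (172.16.157.159); racoon negotiates the SAs.

    # Flush SAD and SPD
    flush;
    spdflush;

    # Create policies for racoon.
    # Outbound: 192.168.66.0/24 -> 172.16.57.0/24 must be ESP-tunnelled from
    # this host (172.16.157.159) to pfSense (172.16.157.171). "require" means
    # matching traffic is never sent in the clear: without an SA the kernel
    # asks racoon to negotiate one instead.
    spdadd 192.168.66.0/24 172.16.57.0/24 any -P out ipsec esp/tunnel/172.16.157.159-172.16.157.171/require;
    # Inbound mirror of the policy above (tunnel endpoints reversed).
    spdadd 172.16.57.0/24 192.168.66.0/24 any -P in ipsec esp/tunnel/172.16.157.171-172.16.157.159/require;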

    cat /etc/racoon/racoon.conf

    # racoon.conf for the Linux side (172.16.157.159): certificate (rsasig) authentication.
    # Directory in which the certificate and key files named below are looked up.
    path certificate "/etc/certs";

    # Only accept ISAKMP (UDP/500) on the tunnel endpoint address.
    listen
    {
            isakmp 172.16.157.159;
    }

    # Phase 1 parameters for the pfSense peer.
    remote 172.16.157.171 {
            # Identity Protection (main) mode: the identities are exchanged
            # only after the channel is encrypted.
            exchange_mode main;
            # This host's certificate and private key (relative to "path certificate").
            certificate_type x509 "ipsec.theorematica.it_cert.pem" "ipsec.theorematica.it_key.pem";
            # Validate the peer's certificate chain. NOTE(review): the racoon log
            # shows "unable to get certificate CRL" warnings, so revocation was
            # NOT checked for either certificate in the chain.
            verify_cert on;
            # Send our certificate's subject DN as the ID payload instead of the
            # default IP address. With an address-type ID racoon looks for the IP
            # in the certificate's subjectAltName, which is what produced
            # "failed to get subjectAltName". This is the setting the web GUI cannot emit.
            my_identifier asn1dn;
            # Expect the peer to identify itself by its certificate subject DN
            # and insist that its ID payload matches the certificate it presents.
            peers_identifier asn1dn;
            verify_identifier on;
            # Phase 1 (ISAKMP SA) lifetime.
            lifetime time 20 min;
            proposal {
                    # NOTE(review): 3DES, SHA-1 and MODP-1024 were the usual choice
                    # when this was written (2006) but are weak by current
                    # standards; prefer AES and a DH group of at least 2048 bits
                    # when both peers support them.
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    # Certificate-based authentication (RSA signatures).
                    authentication_method rsasig;
                    dh_group modp1024;
                    }
            }

    # Phase 2 (IPsec SA) parameters for the two protected subnets.
    sainfo address 192.168.66.0/24 any address 172.16.57.0/24 any {
            # Perfect forward secrecy: a fresh DH exchange for every phase 2 SA.
            pfs_group modp1024;
            encryption_algorithm 3des;
            authentication_algorithm hmac_sha1;
            # IPComp (deflate) is offered; it is only used if the peer agrees to it.
            compression_algorithm deflate;
    }

    pfSense config, set up from the CLI

    cat /root/racoon/ipsec.conf

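    #!/sbin/setkey -f
    # SPD for the pfSense side (172.16.157.171); racoon negotiates the SAs.

    # Flush SAD and SPD
    flush;
    spdflush;

    # Create policies for racoon.
    # Outbound: 172.16.57.0/24 -> 192.168.66.0/24 must be ESP-tunnelled from
    # this host (172.16.157.171) to the Linux box (172.16.157.159). "require"
    # means matching traffic is never sent in the clear: without an SA the
    # kernel asks racoon to negotiate one instead.
    spdadd 172.16.57.0/24 192.168.66.0/24 any -P out ipsec esp/tunnel/172.16.157.171-172.16.157.159/require;
    # Inbound mirror of the policy above (tunnel endpoints reversed).
    spdadd 192.168.66.0/24 172.16.57.0/24 any -P in ipsec esp/tunnel/172.16.157.159-172.16.157.171/require;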

    cat /root/racoon/racoon.conf
    # racoon.conf for the pfSense side (172.16.157.171); mirror of the Linux config.
    # Directory in which the certificate and key files named below are looked up.
    path certificate "/root/racoon/certs";

    # Only accept ISAKMP (UDP/500) on the tunnel endpoint address.
    listen
    {
            isakmp 172.16.157.171;
    }

    # Phase 1 parameters for the Linux peer.
    remote 172.16.157.159 {
            # Identity Protection (main) mode.
            exchange_mode main;
            # This host's certificate and private key (relative to "path certificate").
            certificate_type x509 "ipsec1.theorematica.it_cert.pem" "ipsec1.theorematica.it_key.pem";
            # Validate the peer's certificate chain. NOTE(review): no CRL is
            # available (see the CRL warnings in the log), so revocation is not checked.
            verify_cert on;
            # Identify ourselves by certificate subject DN rather than IP address;
            # this is the setting the pfSense web GUI does not expose, and the
            # reason the tunnel had to be configured by hand.
            my_identifier asn1dn;
            # The peer must identify itself by its certificate subject DN, and the
            # ID payload must match the certificate it presents.
            peers_identifier asn1dn;
            verify_identifier on;
            # Phase 1 (ISAKMP SA) lifetime.
            lifetime time 20 min;
            proposal {
                    # Must match the Linux side's proposal. NOTE(review): 3DES,
                    # SHA-1 and MODP-1024 are legacy strengths; prefer AES and a
                    # DH group of at least 2048 bits when both peers support them.
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    # Certificate-based authentication (RSA signatures).
                    authentication_method rsasig;
                    dh_group modp1024;
                    }
            }

    # Phase 2 (IPsec SA) parameters; subnets are the Linux side's, reversed.
    sainfo address 172.16.57.0/24 any address 192.168.66.0/24 any {
            # Perfect forward secrecy for each phase 2 SA.
            pfs_group modp1024;
            encryption_algorithm 3des;
            authentication_algorithm hmac_sha1;
            # IPComp (deflate) is offered; only used if the peer agrees to it.
            compression_algorithm deflate;
    }

    After starting racoon with these config files everything works:

    From the Linux box (note: `setkey -D` dumps the live ESP encryption and HMAC keys of every SA in the kernel — redact them before posting, or at least re-key the SAs afterwards):

    setkey -D

    172.16.157.171 172.16.157.159
            esp mode=tunnel spi=178965679(0x0aaaccaf) reqid=0(0x00000000)
            E: 3des-cbc  2d255be2 6cbbc101 ffe7b3d8 f429583d 90e34b3e 5912f9ae
            A: hmac-sha1  765c585e a98ff604 6493526e 07cf2ec1 574ff989
            seq=0x00000000 replay=4 flags=0x00000000 state=mature
            created: Jun 30 02:50:30 2006  current: Jun 30 02:56:18 2006
            diff: 348(s)    hard: 28800(s)  soft: 23040(s)
            last: Jun 30 02:50:30 2006      hard: 0(s)      soft: 0(s)
            current: 110208(bytes)  hard: 0(bytes)  soft: 0(bytes)
            allocated: 1312 hard: 0 soft: 0
            sadb_seq=1 pid=13278 refcnt=0
    172.16.157.159 172.16.157.171
            esp mode=tunnel spi=42427474(0x02876452) reqid=0(0x00000000)
            E: 3des-cbc  d570290a 92caf618 ea7e9383 243fe9ed bb054ee3 8d676a92
            A: hmac-sha1  250852e1 6f20e3e4 393b0e41 a2cff35b 31517971
            seq=0x00000000 replay=4 flags=0x00000000 state=mature
            created: Jun 30 02:50:30 2006  current: Jun 30 02:56:18 2006
            diff: 348(s)    hard: 28800(s)  soft: 23040(s)
            last: Jun 30 02:50:30 2006      hard: 0(s)      soft: 0(s)
            current: 178432(bytes)  hard: 0(bytes)  soft: 0(bytes)
            allocated: 1312 hard: 0 soft: 0
            sadb_seq=0 pid=13278 refcnt=0

    setkey -DP

    172.16.57.0/24[any] 192.168.66.0/24[any] any
            in prio def ipsec
            esp/tunnel/172.16.157.171-172.16.157.159/require
            created: Jun 30 02:50:28 2006  lastused:
            lifetime: 0(s) validtime: 0(s)
            spid=1416 seq=4 pid=13279
            refcnt=1
    192.168.66.0/24[any] 172.16.57.0/24[any] any
            out prio def ipsec
            esp/tunnel/172.16.157.159-172.16.157.171/require
            created: Jun 30 02:50:28 2006  lastused: Jun 30 02:56:20 2006
            lifetime: 0(s) validtime: 0(s)
            spid=1409 seq=3 pid=13279
            refcnt=3
    172.16.57.0/24[any] 192.168.66.0/24[any] any
            fwd prio def ipsec
            esp/tunnel/172.16.157.171-172.16.157.159/require
            created: Jun 30 02:50:28 2006  lastused: Jun 30 02:56:20 2006
            lifetime: 0(s) validtime: 0(s)
            spid=1426 seq=2 pid=13279
            refcnt=3
    (per-socket policy)
            in none
            created: Jun 30 02:50:29 2006  lastused: Jun 30 02:50:30 2006
            lifetime: 0(s) validtime: 0(s)
            spid=1435 seq=1 pid=13279
            refcnt=1
    (per-socket policy)
            out none
            created: Jun 30 02:50:29 2006  lastused: Jun 30 02:50:30 2006
            lifetime: 0(s) validtime: 0(s)
            spid=1444 seq=0 pid=13279
            refcnt=1

    From the pfSense box:

    setkey -D

    172.16.157.171 172.16.157.159
            esp mode=tunnel spi=178965679(0x0aaaccaf) reqid=0(0x00000000)
            E: 3des-cbc  2d255be2 6cbbc101 ffe7b3d8 f429583d 90e34b3e 5912f9ae
            A: hmac-sha1  765c585e a98ff604 6493526e 07cf2ec1 574ff989
            seq=0x00000539 replay=4 flags=0x00000000 state=mature
            created: Jun 30 15:53:44 2006  current: Jun 30 16:07:32 2006
            diff: 828(s)    hard: 28800(s)  soft: 23040(s)
            last: Jun 30 16:07:31 2006      hard: 0(s)      soft: 0(s)
            current: 181832(bytes)  hard: 0(bytes)  soft: 0(bytes)
            allocated: 1337 hard: 0 soft: 0
            sadb_seq=1 pid=1588 refcnt=2
    172.16.157.159 172.16.157.171
            esp mode=tunnel spi=42427474(0x02876452) reqid=0(0x00000000)
            E: 3des-cbc  d570290a 92caf618 ea7e9383 243fe9ed bb054ee3 8d676a92
            A: hmac-sha1  250852e1 6f20e3e4 393b0e41 a2cff35b 31517971
            seq=0x00000539 replay=4 flags=0x00000000 state=mature
            created: Jun 30 15:53:44 2006  current: Jun 30 16:07:32 2006
            diff: 828(s)    hard: 28800(s)  soft: 23040(s)
            last: Jun 30 16:07:31 2006      hard: 0(s)      soft: 0(s)
            current: 139048(bytes)  hard: 0(bytes)  soft: 0(bytes)
            allocated: 1337 hard: 0 soft: 0
            sadb_seq=0 pid=1588 refcnt=1

    setkey -DP

    192.168.66.0/24[any] 172.16.57.0/24[any] any
            in ipsec
            esp/tunnel/172.16.157.159-172.16.157.171/require
            spid=6 seq=1 pid=1590
            refcnt=1
    172.16.57.0/24[any] 192.168.66.0/24[any] any
            out ipsec
            esp/tunnel/172.16.157.171-172.16.157.159/require
            spid=5 seq=0 pid=1590
            refcnt=1

    Here are the racoon logs. The two CRL warnings mean racoon could not obtain a CRL for either certificate in the chain, so revocation was not checked — only chain validity and identity were. Note also that the depth:1 issuer of ipsec1's certificate appears to carry the same CN (ipsec.theorematica.it) as the Linux box's own certificate; if one peer's end-entity certificate is doubling as the CA, a dedicated CA certificate would be preferable:

    2006-06-30 02:50:29: INFO: initiate new phase 1 negotiation: 172.16.157.159[500]<=>172.16.157.171[500]
    2006-06-30 02:50:29: INFO: begin Identity Protection mode.
    2006-06-30 02:50:29: INFO: received Vendor ID: DPD
    2006-06-30 02:50:29: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=IT/ST=Lazio/L=Roma/O=Theorematica SpA/OU=Sistemisti/CN=ipsec1.theorematica.it/emailAddress=n.murino@theorematica.it
    2006-06-30 02:50:29: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=IT/ST=Lazio/L=Roma/O=Theorematica SpA/OU=Sistemisti/CN=ipsec.theorematica.it/emailAddress=n.murino@theorematica.it
    2006-06-30 02:50:29: INFO: ISAKMP-SA established 172.16.157.159[500]-172.16.157.171[500] spi:c4f89a52b9f409ac:78d63b4d17e55aae
    2006-06-30 02:50:30: INFO: initiate new phase 2 negotiation: 172.16.157.159[500]<=>172.16.157.171[500]
    2006-06-30 02:50:30: INFO: IPsec-SA established: ESP/Tunnel 172.16.157.171[0]->172.16.157.159[0] spi=178965679(0xaaaccaf)
    2006-06-30 02:50:30: INFO: IPsec-SA established: ESP/Tunnel 172.16.157.159[0]->172.16.157.171[0] spi=42427474(0x2876452)

    is this a bug?

    thanks
    drakkan



  • It may or may not be.  Our IPsec implementation comes straight from m0n0wall.

    If you have a fix please submit a patch.



  • @sullrich:

    It may or may not be.

    Try to set up an IPsec tunnel using X.509 certificates (pre-shared keys work fine). If it works for you, it's a misconfiguration on my side; if not, it's a bug.

