Possible bug in web gui for ipsec

drakkan · Jun 30, 2006, 5:15 PM

I'm trying to configure an ipsec site to site vpn (tunnel mode) between a linux box (ipsec-tools) and a pfsense box. If I use preshared-key all works fine. However I was not able to establish a vpn using x509 certificates and pfsense webgui. I have this in my racoon log:

ERROR: failed to get subjectAltName

to solve the problem I have to set this parameter:

my_identifier asn1dn;

however this isn't possible using pfsense web gui.

So I configured the tunnel using cli in pfsense and all works fine, here are my config file:

linux box (kernel-2.6.16-19, ipsec-tools-0.6.2)

cat /etc/ipsec.conf

#!/usr/sbin/setkey -f

Flush SAD and SPD

flush;
spdflush;

Create policies for racoon

spdadd 192.168.66.0/24 172.16.57.0/24 any -P out ipsec esp tunnel/172.16.157.159-172.16.157.171/require;
spdadd 172.16.57.0/24 192.168.66.0/24 any -P in ipsec esp/tunnel/172.16.157.171-172.16.157.159/require;

cat /etc/racoon/racoon.conf

path certificate "/etc/certs";

listen
{
isakmp 172.16.157.159;
}

remote 172.16.157.171 {
exchange_mode main;
certificate_type x509 "ipsec.theorematica.it_cert.pem" "ipsec.theorematica.it_key.pem";
verify_cert on;
my_identifier asn1dn;
peers_identifier asn1dn;
verify_identifier on;
lifetime time 20 min;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group modp1024;
}
}

sainfo address 192.168.66.0/24 any address 172.16.57.0/24 any {
pfs_group modp1024;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}

pfsense config using cli interface

cat /root/racoon/ipsec.conf

#!/sbin/setkey -f

Flush SAD and SPD

flush;
spdflush;

Create policies for racoon

spdadd 172.16.57.0/24 192.168.66.0/24 any -P out ipsec esp/tunnel/172.16.157.171-172.16.157.159/require;
spdadd 192.168.66.0/24 172.16.57.0/24 any -P in ipsec esp/tunnel/172.16.157.159-172.16.157.171/require;

cat /root/racoon/racoon.conf
path certificate "/root/racoon/certs";

listen
{
isakmp 172.16.157.171;
}

remote 172.16.157.159 {
exchange_mode main;
certificate_type x509 "ipsec1.theorematica.it_cert.pem" "ipsec1.theorematica.it_key.pem";
verify_cert on;
my_identifier asn1dn;
peers_identifier asn1dn;
verify_identifier on;
lifetime time 20 min;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group modp1024;
}
}

sainfo address 172.16.57.0/24 any address 192.168.66.0/24 any {
pfs_group modp1024;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}

after starting racoon with this config files all works fine:

from linux box:

setkey -D

172.16.157.171 172.16.157.159
esp mode=tunnel spi=178965679(0x0aaaccaf) reqid=0(0x00000000)
E: 3des-cbc 2d255be2 6cbbc101 ffe7b3d8 f429583d 90e34b3e 5912f9ae
A: hmac-sha1 765c585e a98ff604 6493526e 07cf2ec1 574ff989
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jun 30 02:50:30 2006 current: Jun 30 02:56:18 2006
diff: 348(s) hard: 28800(s) soft: 23040(s)
last: Jun 30 02:50:30 2006 hard: 0(s) soft: 0(s)
current: 110208(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1312 hard: 0 soft: 0
sadb_seq=1 pid=13278 refcnt=0
172.16.157.159 172.16.157.171
esp mode=tunnel spi=42427474(0x02876452) reqid=0(0x00000000)
E: 3des-cbc d570290a 92caf618 ea7e9383 243fe9ed bb054ee3 8d676a92
A: hmac-sha1 250852e1 6f20e3e4 393b0e41 a2cff35b 31517971
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jun 30 02:50:30 2006 current: Jun 30 02:56:18 2006
diff: 348(s) hard: 28800(s) soft: 23040(s)
last: Jun 30 02:50:30 2006 hard: 0(s) soft: 0(s)
current: 178432(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1312 hard: 0 soft: 0
sadb_seq=0 pid=13278 refcnt=0

setkey -DP

172.16.57.0/24[any] 192.168.66.0/24[any] any
in prio def ipsec
esp/tunnel/172.16.157.171-172.16.157.159/require
created: Jun 30 02:50:28 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1416 seq=4 pid=13279
refcnt=1
192.168.66.0/24[any] 172.16.57.0/24[any] any
out prio def ipsec
esp/tunnel/172.16.157.159-172.16.157.171/require
created: Jun 30 02:50:28 2006 lastused: Jun 30 02:56:20 2006
lifetime: 0(s) validtime: 0(s)
spid=1409 seq=3 pid=13279
refcnt=3
172.16.57.0/24[any] 192.168.66.0/24[any] any
fwd prio def ipsec
esp/tunnel/172.16.157.171-172.16.157.159/require
created: Jun 30 02:50:28 2006 lastused: Jun 30 02:56:20 2006
lifetime: 0(s) validtime: 0(s)
spid=1426 seq=2 pid=13279
refcnt=3
(per-socket policy)
in none
created: Jun 30 02:50:29 2006 lastused: Jun 30 02:50:30 2006
lifetime: 0(s) validtime: 0(s)
spid=1435 seq=1 pid=13279
refcnt=1
(per-socket policy)
out none
created: Jun 30 02:50:29 2006 lastused: Jun 30 02:50:30 2006
lifetime: 0(s) validtime: 0(s)
spid=1444 seq=0 pid=13279
refcnt=1

from pfsense box:

setkey -D

172.16.157.171 172.16.157.159
esp mode=tunnel spi=178965679(0x0aaaccaf) reqid=0(0x00000000)
E: 3des-cbc 2d255be2 6cbbc101 ffe7b3d8 f429583d 90e34b3e 5912f9ae
A: hmac-sha1 765c585e a98ff604 6493526e 07cf2ec1 574ff989
seq=0x00000539 replay=4 flags=0x00000000 state=mature
created: Jun 30 15:53:44 2006 current: Jun 30 16:07:32 2006
diff: 828(s) hard: 28800(s) soft: 23040(s)
last: Jun 30 16:07:31 2006 hard: 0(s) soft: 0(s)
current: 181832(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1337 hard: 0 soft: 0
sadb_seq=1 pid=1588 refcnt=2
172.16.157.159 172.16.157.171
esp mode=tunnel spi=42427474(0x02876452) reqid=0(0x00000000)
E: 3des-cbc d570290a 92caf618 ea7e9383 243fe9ed bb054ee3 8d676a92
A: hmac-sha1 250852e1 6f20e3e4 393b0e41 a2cff35b 31517971
seq=0x00000539 replay=4 flags=0x00000000 state=mature
created: Jun 30 15:53:44 2006 current: Jun 30 16:07:32 2006
diff: 828(s) hard: 28800(s) soft: 23040(s)
last: Jun 30 16:07:31 2006 hard: 0(s) soft: 0(s)
current: 139048(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1337 hard: 0 soft: 0
sadb_seq=0 pid=1588 refcnt=1

setkey -DP

192.168.66.0/24[any] 172.16.57.0/24[any] any
in ipsec
esp/tunnel/172.16.157.159-172.16.157.171/require
spid=6 seq=1 pid=1590
refcnt=1
172.16.57.0/24[any] 192.168.66.0/24[any] any
out ipsec
esp/tunnel/172.16.157.171-172.16.157.159/require
spid=5 seq=0 pid=1590
refcnt=1

here are racoon logs:

2006-06-30 02:50:29: INFO: initiate new phase 1 negotiation: 172.16.157.159[500]<=>172.16.157.171[500]
2006-06-30 02:50:29: INFO: begin Identity Protection mode.
2006-06-30 02:50:29: INFO: received Vendor ID: DPD
2006-06-30 02:50:29: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=IT/ST=Lazio/L=Roma/O=Theorematica SpA/OU=Sistemisti/CN=ipsec1.theorematica.it/emailAddress=n.murino@theorematica.it
2006-06-30 02:50:29: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=IT/ST=Lazio/L=Roma/O=Theorematica SpA/OU=Sistemisti/CN=ipsec.theorematica.it/emailAddress=n.murino@theorematica.it
2006-06-30 02:50:29: INFO: ISAKMP-SA established 172.16.157.159[500]-172.16.157.171[500] spi:c4f89a52b9f409ac:78d63b4d17e55aae
2006-06-30 02:50:30: INFO: initiate new phase 2 negotiation: 172.16.157.159[500]<=>172.16.157.171[500]
2006-06-30 02:50:30: INFO: IPsec-SA established: ESP/Tunnel 172.16.157.171[0]->172.16.157.159[0] spi=178965679(0xaaaccaf)
2006-06-30 02:50:30: INFO: IPsec-SA established: ESP/Tunnel 172.16.157.159[0]->172.16.157.171[0] spi=42427474(0x2876452)

is this a bug?

thanks
drakkan

sullrich · Jun 30, 2006, 5:26 PM

It may or may not be. Our IPSEC implementation is straight from m0n0wall.

If you have a fix please submit a patch.

drakkan · Jul 1, 2006, 7:23 PM

@sullrich:

It may or may not be.

Try to setup an ipsec tunnel using x509 certificates (preshared key works fine), if it works for you is a my misconfiguration, if not is a bug