
#1 - 09-27-2012, 11:09 AM - Junior Member (Join Date: Jan 2012, Posts: 24)
IPSec Site-to-Site problem with X.509 Certs

Hello

On my test bench I am trying to configure a hub/spoke sort of arrangement with a UTM9 (9.002) at the centre. This needs to support L2TP/IPSec and SSL connections from road warriors, and pure IPSec tunnels between some branch offices (1 using an ASG v8 and the rest using Draytek Vigor 2830s).

I have successfully got a road-warrior Remote Access L2TP/IPSec configuration working using PSKs for authentication. When I try creating a Site-to-Site IPSec gateway I cannot select PSK again; is it the case that only one of RA/S2S can use PSK? Is that a StrongSwan limitation?

I figure, no worries, I could easily use X.509 certs for the branch office connections. I'm starting with the ASG v8 branch office. I followed the instructions in this PDF (http://sophserv.sophos.com/repo_kb/1...pn_x509_en.pdf) and created a certificate for my branch office on the UTM9 that I imported into the ASG8.

The connection will not authenticate, however.

My settings are:

Central office UTM9, hostname "utmTest"
IPSec/Advanced/Local cert: "Local X509 cert" (the auto-generated one)
Remote Gateway: Respond only, Auth type: local X509 cert, with the cert I created for the branch office selected. This cert is ID'd by e-mail, "myUser@myDomain.net".
IPSec connection created against this gateway.

Branch office ASG8, hostname "naira"
IPSec/Advanced/Local cert: "Branch office certificate" (same cert that I configured for the "Remote Gateway" on the UTM9 - imported to the ASG8)
Remote gateway: Initiate only, Auth type: Remote X509 cert, ID type e-mail address, with the address entered: "myUser@myDomain.net".
IPSec connection created against this gateway.

If I click on the "Site-to-Site" menu heading, the connection summary reports:

On the UTM9:
SA: 10.45.0.0/24=81.x.x.154 -> 178.x.x.65=172.16.0.0/21
VPN ID: utmTest
Error: No connection

On the ASG8:
SA: 172.16.0.0/21=178.x.x.65 -> 81.x.x.154=10.45.0.0/20
VPN ID: myUser@myDomain.net
Error: No connection


This connection does not work. The logfile on the ASG8 reports: "we require peer to have ID 'myUser@myDomain.net', but peer declares 'utmTest'". 'utmTest' is the hostname of my UTM9 machine.

UTM9 log:
2012:09:27-12:02:08 utmTest pluto[21264]: "S_TestBranchOffice"[7] 178.x.x.65 #98: responding to Main Mode from unknown peer 178.x.x.65
2012:09:27-12:02:08 utmTest pluto[21264]: "S_TestBranchOffice"[7] 178.x.x.65 #98: NAT-Traversal: Result using RFC 3947: no NAT detected
2012:09:27-12:02:08 utmTest pluto[21264]: "S_TestBranchOffice"[7] 178.x.x.65 #98: Peer ID is ID_USER_FQDN: 'myUser@myDomain.net'
2012:09:27-12:02:08 utmTest pluto[21264]: "S_TestBranchOffice"[7] 178.x.x.65 #98: crl not found
2012:09:27-12:02:08 utmTest pluto[21264]: "S_TestBranchOffice"[7] 178.x.x.65 #98: certificate status unknown
2012:09:27-12:02:08 utmTest pluto[21264]: "S_TestBranchOffice"[7] 178.x.x.65 #98: we have a cert and are sending it
2012:09:27-12:02:08 utmTest pluto[21264]: "S_TestBranchOffice"[7] 178.x.x.65 #98: Dead Peer Detection (RFC 3706) enabled
2012:09:27-12:02:08 utmTest pluto[21264]: "S_TestBranchOffice"[7] 178.x.x.65 #98: sent MR3, ISAKMP SA established
2012:09:27-12:02:08 utmTest pluto[21264]: "S_TestBranchOffice"[7] 178.x.x.65 #98: ignoring informational payload, type INVALID_ID_INFORMATION

ASG8 log:
2012:09:27-12:02:08 naira pluto[11139]: "S_BranchOffice TEST" #54: initiating Main Mode to replace #52
2012:09:27-12:02:08 naira pluto[11139]: "S_BranchOffice TEST" #54: received Vendor ID payload [strongSwan]
2012:09:27-12:02:08 naira pluto[11139]: "S_BranchOffice TEST" #54: ignoring Vendor ID payload [Cisco-Unity]
2012:09:27-12:02:08 naira pluto[11139]: "S_BranchOffice TEST" #54: received Vendor ID payload [XAUTH]
2012:09:27-12:02:08 naira pluto[11139]: "S_BranchOffice TEST" #54: received Vendor ID payload [Dead Peer Detection]
2012:09:27-12:02:08 naira pluto[11139]: "S_BranchOffice TEST" #54: received Vendor ID payload [RFC 3947]
2012:09:27-12:02:08 naira pluto[11139]: "S_BranchOffice TEST" #54: enabling possible NAT-traversal with method 3
2012:09:27-12:02:08 naira pluto[11139]: "S_BranchOffice TEST" #54: NAT-Traversal: Result using RFC 3947: no NAT detected
2012:09:27-12:02:08 naira pluto[11139]: "S_BranchOffice TEST" #54: we have a cert and are sending it
2012:09:27-12:02:08 naira pluto[11139]: "S_BranchOffice TEST" #54: Peer ID is ID_FQDN: 'utmTest'
2012:09:27-12:02:08 naira pluto[11139]: "S_BranchOffice TEST" #54: crl not found
2012:09:27-12:02:08 naira pluto[11139]: "S_BranchOffice TEST" #54: certificate status unknown
2012:09:27-12:02:08 naira pluto[11139]: "S_BranchOffice TEST" #54: we require peer to have ID 'myUser@myDomain.net', but peer declares 'utmTest'
2012:09:27-12:02:08 naira pluto[11139]: "S_BranchOffice TEST" #54: sending encrypted notification INVALID_ID_INFORMATION to 81.x.x.154:500
2012:09:27-12:02:09 naira pluto[11139]: packet from 81.x.x.154:500: Informational Exchange is for an unknown (expired?) SA
2012:09:27-12:02:18 naira pluto[11139]: "S_BranchOffice TEST" #54: Peer ID is ID_FQDN: 'utmTest'
2012:09:27-12:02:18 naira pluto[11139]: "S_BranchOffice TEST" #54: crl not found
2012:09:27-12:02:18 naira pluto[11139]: "S_BranchOffice TEST" #54: certificate status unknown
2012:09:27-12:02:18 naira pluto[11139]: "S_BranchOffice TEST" #54: we require peer to have ID 'myUser@myDomain.net', but peer declares 'utmTest'
2012:09:27-12:02:18 naira pluto[11139]: "S_BranchOffice TEST" #54: sending encrypted notification INVALID_ID_INFORMATION to 81.x.x.154:500
2012:09:27-12:02:22 naira pluto[11139]: packet from 81.x.x.154:500: Informational Exchange is for an unknown (expired?) SA

It looks like I've got the certificates wrong but I can't work it out. Help?

Thanks,
Giles.

Last edited by gilester; 09-27-2012 at 11:11 AM.
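The two "Site-to-Site" summaries and the ASG8 log in the post above contain everything needed to spot both problems: the branch side lists the hub's network as 10.45.0.0/20 while the hub itself has 10.45.0.0/24, and pluto on the branch says it was told to expect the ID 'myUser@myDomain.net' (the branch's own certificate ID) from a peer that authenticates as ID_FQDN 'utmTest' (the hub's local certificate ID). The script below is an added example, not code from the post or from Sophos; it parses constructed copies of those summary and log lines, checks that each side's local network and gateway mirror the other side's remote ones, and extracts the expected/declared IKE IDs from the pluto "we require peer to have ID" line. Field names such as lnet/rgw and the advice wording are the example's own.

```python
"""Cross-check the two sides of a site-to-site IPsec tunnel from their
"Site-to-Site" summaries and a pluto log, the way you would by hand for the
thread above. Sample inputs are constructed from the post's own lines."""
import ipaddress
import re

# Constructed samples modelled on the summaries and the ASG8 log quoted in the post.
UTM9_SUMMARY = "SA: 10.45.0.0/24=81.x.x.154 -> 178.x.x.65=172.16.0.0/21"
ASG8_SUMMARY = "SA: 172.16.0.0/21=178.x.x.65 -> 81.x.x.154=10.45.0.0/20"
ASG8_LOG = """\
2012:09:27-12:02:08 naira pluto[11139]: "S_BranchOffice TEST" #54: Peer ID is ID_FQDN: 'utmTest'
2012:09:27-12:02:08 naira pluto[11139]: "S_BranchOffice TEST" #54: we require peer to have ID 'myUser@myDomain.net', but peer declares 'utmTest'
2012:09:27-12:02:08 naira pluto[11139]: "S_BranchOffice TEST" #54: sending encrypted notification INVALID_ID_INFORMATION to 81.x.x.154:500
"""

SA_RE = re.compile(r"SA:\s*(?P<lnet>\S+)=(?P<lgw>\S+)\s*->\s*(?P<rgw>\S+)=(?P<rnet>\S+)")
PEER_ID_RE = re.compile(r"Peer ID is (?P<type>ID_[A-Z_]+): '(?P<id>[^']*)'")
REQUIRE_RE = re.compile(
    r"we require peer to have ID '(?P<expected>[^']*)', but peer declares '(?P<declared>[^']*)'")


def parse_sa(summary):
    """Split 'SA: localnet=localgw -> remotegw=remotenet' into its four fields."""
    m = SA_RE.search(summary)
    if not m:
        raise ValueError("not an SA summary line: %r" % summary)
    fields = m.groupdict()
    # Normalise prefixes so textual variants of the same network compare equal.
    # Gateways stay as strings because the post masks them (81.x.x.154).
    for key in ("lnet", "rnet"):
        fields[key] = str(ipaddress.ip_network(fields[key], strict=False))
    return fields


def check_sa_mirror(side_a, side_b):
    """A's local network/gateway must equal B's remote ones and vice versa.
    Returns a list of (what, value on A, value on B) tuples that disagree."""
    a, b = parse_sa(side_a), parse_sa(side_b)
    pairs = [
        ("local network", a["lnet"], b["rnet"]),
        ("remote network", a["rnet"], b["lnet"]),
        ("local gateway", a["lgw"], b["rgw"]),
        ("remote gateway", a["rgw"], b["lgw"]),
    ]
    return [p for p in pairs if p[1] != p[2]]


def find_id_mismatch(log_text):
    """Return the expected/declared IKE IDs from a pluto 'we require peer to
    have ID' line, plus the ID type pluto reported for the peer, or None."""
    declared_type = None
    for line in log_text.splitlines():
        m = PEER_ID_RE.search(line)
        if m:
            declared_type = m.group("type")
        m = REQUIRE_RE.search(line)
        if m:
            return {"expected": m.group("expected"),
                    "declared": m.group("declared"),
                    "declared_type": declared_type}
    return None


def diagnose(hub_summary, branch_summary, branch_log):
    """Combine both checks into one report with plain-language advice."""
    report = {
        "subnet_mismatches": check_sa_mirror(hub_summary, branch_summary),
        "id_mismatch": find_id_mismatch(branch_log),
        "advice": [],
    }
    for what, hub_val, branch_val in report["subnet_mismatches"]:
        report["advice"].append(
            "hub %s %s is configured as %s on the branch; Phase 2 will not "
            "match until both sides use the same prefix" % (what, hub_val, branch_val))
    idm = report["id_mismatch"]
    if idm:
        report["advice"].append(
            "branch requires peer ID %r but the hub authenticates as %s %r; the "
            "branch's remote-gateway ID must be the ID carried by the hub's local "
            "certificate, not the branch's own certificate ID"
            % (idm["expected"], idm["declared_type"], idm["declared"]))
    return report


if __name__ == "__main__":
    for line in diagnose(UTM9_SUMMARY, ASG8_SUMMARY, ASG8_LOG)["advice"]:
        print("-", line)
```

Run against the post's lines it reports the /24 versus /20 disagreement and the ID mismatch. The second finding is the one that matters for the certificate setup: in IKE main mode each side proves the ID in its own certificate, so the "remote X509" ID typed on the branch has to be whatever the hub's local certificate carries (here the FQDN 'utmTest'), while the hub's remote-gateway entry selects the branch certificate with the e-mail ID.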
#2 - 09-27-2012, 11:33 AM - BAlfson, Grandis Professorem Astaro (Join Date: Mar 2007, Location: Oklahoma City, Posts: 20,852)

Giles, I see several potential issues.

First, does your UTM have a hostname that is resolvable in public DNS to the public IP you want to use for the VPN? If not, that can cause problems in several places. If you have to change that, then you will need to generate new CAs and new certificates. If you want to just put a band-aid on this, I think you can just generate a replacement for your "Local X509 Cert" using a valid FQDN for hostname and use that new cert on the 'Advanced' tab of 'IPsec'.

At the bottom of the IPsec 'Advanced' tab is a selection allowing probing of pre-shared keys. Without that option selected, you can have only a single PSK for respond-only gateways. If you're using L2TP/IPsec already, then that PSK would be the only one you could use.

Best practice is to change site-to-site PSKs monthly, or at least quarterly. RSA-based and certificate-based tunnels are really the only approaches that should be used for a long-term connection.

In any case, you probably don't want "Respond-only" Remote Gateways for your connections. If the branches don't have fixed IPs, you can get a DynDNS account for a few dollars a month.

In the example you showed, you had 10.45.0.0/24 on the UTM9, but 10.45.0.0/20 on the ASG8.

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
SCA/UTM - Sophos Gold Solution Partner
www.MediaSoftUSA.com
Addicted to my iPhone!
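Bob's subnet observation and the ID mismatch in Giles's log are both symmetry errors: everything one side calls "remote" must be exactly what the other side calls "local". The post's pluto lines come from strongSwan, so the two connections are written out below in strongSwan ipsec.conf syntax to make that mirroring explicit. This is an added illustration, not the configuration the UTM or ASG generates from the GUI and not something from the thread; the certificate file names are assumed, and the gateway addresses are left masked exactly as the post shows them.

```ini
# Hub, hostname utmTest: responds to the branch.
# leftid is the ID carried by the hub's own certificate (ID_FQDN 'utmTest' in
# the log); rightid is the e-mail ID of the certificate issued for the branch.
conn S_TestBranchOffice
    keyexchange=ikev1
    authby=rsasig
    left=81.x.x.154
    leftid=@utmTest
    leftcert=utmTestCert.pem          # assumed file name: the hub's "Local X509 cert"
    leftsubnet=10.45.0.0/24
    right=178.x.x.65
    rightid=myUser@myDomain.net       # ID_USER_FQDN from the branch certificate
    rightsubnet=172.16.0.0/21
    auto=add                          # "Respond only"

# Branch, hostname naira: initiates.
# The post had rightid=myUser@myDomain.net here, which is the branch's OWN
# certificate ID, and rightsubnet=10.45.0.0/20 instead of the hub's /24.
conn S_BranchOfficeTEST
    keyexchange=ikev1
    authby=rsasig
    left=178.x.x.65
    leftid=myUser@myDomain.net
    leftcert=branchCert.pem           # assumed file name: the cert imported into the ASG8
    leftsubnet=172.16.0.0/21
    right=81.x.x.154
    rightid=@utmTest                  # must equal the hub's leftid, i.e. the hub cert's ID
    rightsubnet=10.45.0.0/24          # mirror of the hub's leftsubnet, not /20
    auto=start                        # "Initiate only"
```

Read down the two blocks column by column: left/leftid/leftsubnet on one side equal right/rightid/rightsubnet on the other. In the GUI the same rule applies to the "Remote X509 cert" ID type and value on the branch, which has to name the hub's certificate identity. If the hub's local certificate is regenerated with a publicly resolvable FQDN, as Bob suggests, the branch's remote ID has to be updated to that new FQDN at the same time.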
#3 - 09-30-2012, 05:50 PM - Junior Member (Join Date: Jan 2012, Posts: 24)

Thanks for the reply, Bob.

I'm getting somewhere, albeit using PSKs for the moment. My branches do have static IPs so I can set their tunnels to 'initiate' instead of 'respond only'. Also, good spot on my subnet mismatch, that stopped the PSK from working until I'd corrected it.

Your pointer to the "probing" option was very useful in case I need to have other respond-only connections.

I have also configured the UTM with a publicly resolvable FQDN and re-generated the certificates that seemed to need it. If I get everything working with the PSKs I may try the certs again as a 'best practice' solution.

Thanks again,
Giles.