Re: [Ipsec-tools-users] help, about linux host connect to cisco router with ipsec?
From: Mick <mic...@gm...> - 2012-04-01 08:25:52
On Sunday 01 Apr 2012 01:31:35 lin jia wrote:
> i want to encrypt the connection between a linux host and a cisco router,
> by using x509 certification,
> they all get certification from a middle CA server like this
> host ------- CA --------- router
>
> |____________________|

I am not aware that racoon can obtain its certificate through a 3rd party CA server, like Cisco can with its certificate enrolling process. Unless someone else advises differently, I suggest you add manually the client, CA, router certificate and client key to the host running racoon. You place them all under /etc/racoon/cert/ and also create a link in the same directory of the CA certificate hash like so:

  ln -s cacert.pem `openssl x509 -hash -noout -in cacert.pem`.0

(use back ticks in the command above, not single quotes).

Then set up a cron-job on the racoon linux host to fetch the CRL from the CA server and a script to create a necessary hash symlink in this fashion:

  ln -s ca.crl `openssl crl -hash -noout -in ca.crl`.r0

NOTE: Careful with access rights for the client key. It should only be accessible by the racoon host machine:

  -r-------- 1 root root 1704 Feb 12 19:51 VPN_key.pem

> Getting certification from CA is successful, but they cannot
> establish connection, so I open the debug option on ‘racoon’ and found
> such log:
> ……
> 2012-03-31 15:21:38: DEBUG: begin.
> 2012-03-31 15:21:38: DEBUG: seen nptype=5(id)
> 2012-03-31 15:21:38: DEBUG: seen nptype=9(sig)
> 2012-03-31 15:21:38: DEBUG: seen nptype=11(notify)
> 2012-03-31 15:21:38: DEBUG: succeed.
> 2012-03-31 15:21:38: [192.168.5.254] DEBUG: getrmconf_by_ph1: remote 192.168.5.254[500], identity 192.168.5.254.
> 2012-03-31 15:21:38: [192.168.5.254] DEBUG: configuration "anonymous" selected.
> 2012-03-31 15:21:38: [192.168.5.254] DEBUG: getrmconf_by_ph1: remote 192.168.5.254[500], identity 192.168.5.254.
> 2012-03-31 15:21:38: [192.168.5.254] DEBUG: configuration "anonymous" selected.
> 2012-03-31 15:21:38: DEBUG: SIGN passed:
> 2012-03-31 15:21:38: DEBUG:
> 77632995 4605a2e3 45e0f4e4 cd0e8c21 33d4484f cfc81f27 be78790f ba876dae
> 2012-03-31 15:21:38: ERROR: no peer's CERT payload found. <---- why?

Last time I tried a Cisco router I discovered that it does not follow RFC 5996 with respect to CERTREQ.

http://tools.ietf.org/html/rfc5996#page-93

In particular, instead of sending its CA hash to the peer (so that the peer can compare against its own list of CA hash values to select the one that matches) Cisco was sending the Issuer field details (from the router certificate). If the peer is a Cisco router this will work, because the Cisco peer will parse the Issuer field and read the CA certificate CN, but other peers will likely fail. This RFC non-compliant behaviour introduces a security vulnerability because unlike a hash, an Issuer field can be edited to say anything, but a hash cannot.

Anyway, the way to find out if this is the cause of this "no peer's CERT payload found" error is to run tcpdump on the linux host to capture packets of the transaction. Something like this will work:

  tcpdump -i eth0 -e -l -p -U -vvv -s 0 -w tcpdump_cap.txt -XX

Then replace -w with -r to read the packets. If you see a packet at the start of the sequence sent from Cisco with:

  cr: len=85 type=x509sign

that has the Issuer field as a payload, then that will confirm the router is sending the Issuer field of the router certificate, instead of the hash of the CA certificate.

> Is there some error on my configuration on cisco router?
> crypto pki trustpoint 192.168.5.148
> enrollment mode ra
> enrollment url http://192.168.5.148:80/certsrv/mscep/mscep.dll
> revocation-check crl
> !
> !
> crypto pki certificate chain 192.168.5.148
> certificate ca 59AE4EE19D22ED96425DAE4EB95AE798
> 30820455 3082033D A0030201 02021059 AE4EE19D 22ED9642 5DAE4EB9
> 5AE79830 ……
> quit
> crypto isakmp policy 1
> encr 3des

Note that you say 3des here ...

> !
> crypto ipsec transform-set linjia esp-3des esp-sha-hmac
> mode transport
> !
> crypto map linjiamap 1 ipsec-isakmp
> set peer 192.168.5.147
> set transform-set linjia
> match address 101
> !!
> interface FastEthernet0/1
> ip address 192.168.5.254 255.255.255.0
> duplex auto
> speed auto
> crypto map linjiamap
>
> Or some error on the ‘racoon.conf’?
> path include "/etc/racoon";
> path certificate "/etc/racoon/cert";
>
> remote anonymous
> {
> exchange_mode main;
> lifetime time 32 hour;
> my_identifier asn1dn;
> certificate_type x509 "example.pem" "example.key";

I assume that you have replaced "example.pem" and "example.key" above with the appropriate names of the racoon host certificate and private key?

> proposal {
> encryption_algorithm des;

Here you say des; shouldn't this be 3des to match the router algo?

> hash_algorithm sha1;
> authentication_method rsasig;
> dh_group 1;
> }
> proposal {
> encryption_algorithm des;
> hash_algorithm sha1;
> authentication_method rsasig;
> dh_group 1;
> }
> }

Why do you have a duplicate proposal? Is this a cut 'n paste error?

> sainfo anonymous
> {
> lifetime time 32 hour ;
> encryption_algorithm des;

You need to be consistent here with the encryption algo between the router and the peer. Set both either to des or preferably 3des or aes256.

> authentication_algorithm hmac_sha1;
> compression_algorithm deflate ;
> }

Hope this helps.
-- 
Regards,
Mick
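The phase 1 / phase 2 algorithm mismatch Mick points out (router on 3des, racoon proposals and sainfo on des, plus a duplicated proposal block) can be caught before racoon is even started. The checker below is an added example, not code from the thread or from ipsec-tools; the Cisco-to-racoon keyword mapping it uses is an assumption limited to the keywords that appear in this exchange, and the two embedded configs are constructed samples that mirror the poster's settings.

```python
# Cisco IOS keyword -> racoon keyword, limited to what this thread uses (assumed mapping)
ISAKMP_ENCR = {"des": "des", "3des": "3des", "aes": "aes"}
ESP_NAMES = {"esp-des": ("encryption_algorithm", "des"), "esp-3des": ("encryption_algorithm", "3des"),
             "esp-aes": ("encryption_algorithm", "aes"), "esp-sha-hmac": ("authentication_algorithm", "hmac_sha1")}

def parse_cisco(text):
    # Phase 1 comes from 'encr' under 'crypto isakmp policy' (IOS defaults to des when omitted);
    # phase 2 comes from the ESP keywords on the 'crypto ipsec transform-set' line.
    p1, p2 = {"encryption_algorithm": "des"}, {}
    for words in (ln.split() for ln in text.splitlines()):
        if words[:1] == ["encr"]:
            p1["encryption_algorithm"] = ISAKMP_ENCR.get(words[1], words[1])
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            p2.update(ESP_NAMES[w] for w in words[4:] if w in ESP_NAMES)
    return p1, p2

def parse_racoon(text):
    # Minimal brace walker: collects 'key value;' lines inside each proposal {} and inside sainfo {}.
    stack, pending, proposals, sainfo = [], "", [], {}
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.endswith("{"):
            words = line[:-1].split()
            stack.append(words[0] if words else pending)   # a bare '{' belongs to the previous header line
            if stack[-1] == "proposal":
                proposals.append({})
        elif line == "}":
            stack.pop()
        elif line.endswith(";") and stack and stack[-1] in ("proposal", "sainfo"):
            key, _, value = line[:-1].strip().partition(" ")
            (proposals[-1] if stack[-1] == "proposal" else sainfo)[key] = value.strip()
        elif not line.endswith(";"):
            pending = line.split()[0]   # e.g. 'remote anonymous' or 'sainfo anonymous'
    return proposals, sainfo

def check_consistency(cisco_text, racoon_text):
    # Returns human-readable mismatches; an empty list means the two sides can negotiate.
    (p1, p2), (proposals, sainfo) = parse_cisco(cisco_text), parse_racoon(racoon_text)
    problems = []
    if not any(p.get("encryption_algorithm") == p1["encryption_algorithm"] for p in proposals):
        problems.append("phase1: router uses %s but no racoon proposal offers it" % p1["encryption_algorithm"])
    for key, want in p2.items():
        if sainfo.get(key) != want:
            problems.append("phase2: %s router=%s racoon=%s" % (key, want, sainfo.get(key)))
    if len({tuple(sorted(p.items())) for p in proposals}) < len(proposals):
        problems.append("phase1: duplicate proposal block in racoon.conf")
    return problems

# Constructed samples that mirror the mismatch in the thread (not the poster's full configs)
CISCO_CFG = "crypto isakmp policy 1\n encr 3des\ncrypto ipsec transform-set linjia esp-3des esp-sha-hmac\n mode transport"
RACOON_CONF = "\n".join(["remote anonymous", "{", "proposal {", "encryption_algorithm des;", "hash_algorithm sha1;", "}",
                         "proposal {", "encryption_algorithm des;", "hash_algorithm sha1;", "}", "}",
                         "sainfo anonymous", "{", "encryption_algorithm des;", "authentication_algorithm hmac_sha1;", "}"])
if __name__ == "__main__":
    print("\n".join(check_consistency(CISCO_CFG, RACOON_CONF)) or "configs agree")
```

Run against the sample it reports the phase 1 cipher mismatch, the phase 2 ESP cipher mismatch and the duplicate proposal; the hmac_sha1 / esp-sha-hmac pairing passes.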