Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 26 subscribers
  • Views 8115 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSec VPN X509 Remote Certificate

Holger Semjank

Hallo,

ich brauche ein wenig Unterstützung. Wir haben einen Industrie Router von Phoenix Contact (X500) und dieser soll erfolgreich per IPSec VPN mit der Sophos kommunzieren. 

Leider funktioniert das Ganze nicht. Ich habe am X500 nur die Authentifizierungsoption X.509 remote certificate. Was muss ich auf der Sophos einstellen? Wo liegt mein Fehler?

Folgendes wurde gemacht:

Auf der Sophos ein Zertifikat für den X500 erstellt (p12) und den öffentlichen Schlüssel des Local X509 Cert exportiert (pem), diese Zertifikate habe ich auf den X500 eingespielt. Die restliche Konfiguration ist eher Formsache. Lokal / Remote ID habe ich von frei lassen über IP / Hostname alles probiert.

In der Sophos haben wir X.509 local certificate gewählt. Als Zertifikat das Local X509 Cert und Testweise auch mal das Gegenstellenzertifikat vom X500. Zusätzlich habe ich im folgenden die Einstellungen Remote Certificate und RSA Schlüssel probiert. Ohne Erfolg.

Ich habe die Konfiguration in ähnlicher Form schon vielmals in einem Lancom Router abgebildet, ohne Probleme. Vielleicht ist es auch nur ein Verständnisproblem meinerseits. Vielleicht kann mir jemand behilflich sein.

 

Danke



This thread was automatically locked due to age.
Parents
  • 0

    Holger,

    what error do you see on the VPN tunnel?

    Can you share the VPN config?

    Thanks

  • 0 in reply to lferrara

    Danke für die Antwort.

    Edit: sorry, falsch formatiert. korrigiere ich noch mal

  • 0 in reply to Holger Semjank

    Hier die Logs der Geräte:

     

    Log X500:

     

    Oct 25 15:29:11 pluto[4457]: "vpn2"[1] X.X.X.X #74: discarding duplicate packet; already STATE_MAIN_I3

    Oct 25 15:29:11 pluto[4457]: "vpn2"[1] X.X.X.X #74: ignoring informational payload, type INVALID_ID_INFORMATION

    Oct 25 15:29:31 pluto[4457]: "vpn2"[1] X.X.X.X #74: ignoring informational payload, type INVALID_ID_INFORMATION

    Oct 25 15:29:31 pluto[4457]: "vpn2"[1] X.X.X.X #74: discarding duplicate packet; already STATE_MAIN_I3

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #74: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #74: starting keying attempt 4 of an unlimited number

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #75: initiating Main Mode to replace #74

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #75: ignoring Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb]

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #75: ignoring Vendor ID payload [Cisco-Unity]

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #75: received Vendor ID payload [XAUTH]

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #75: received Vendor ID payload [Dead Peer Detection]

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #75: received Vendor ID payload [RFC 3947]

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #75: enabling possible NAT-traversal with method 3

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #75: NAT-Traversal: Result using RFC 3947: no NAT detected

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #75: we have a cert and are sending it

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #75: ignoring informational payload, type INVALID_ID_INFORMATION

     

    Log Sophos:

     

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | *received 1020 bytes from X.X.X.X:500 on eth1.501

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | ICOOKIE: 03 a8 95 ad 03 12 da 85

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | RCOOKIE: c5 16 46 02 ea 97 e6 5d

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | peer: 53 dd e4 fe

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | state hash entry 22

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | state object #54 found, in STATE_MAIN_R2

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: "S_Test"[17] X.X.X.X #54: Peer ID is ID_DER_ASN1_DN: 'C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=XXX'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | subject: 'C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=XXX'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | issuer: 'C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=CA_XXX'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | certificate is valid

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | authcert list locked by 'verify_x509cert'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | issuer cacert found

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | certificate signature is valid

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | authcert list unlocked by 'verify_x509cert'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | crl list locked by 'verify_by_crl'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | crl list unlocked by 'verify_by_crl'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: "S_Test"[17] X.X.X.X #54: crl not found

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: "S_Test"[17] X.X.X.X #54: certificate status unknown

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | subject: 'C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=CA_XXX'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | issuer: 'C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=CA_XXX'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | certificate is valid

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | authcert list locked by 'verify_x509cert'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | issuer cacert found

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | certificate signature is valid

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | authcert list unlocked by 'verify_x509cert'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | reached self-signed root ca with a path length of 0

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | unref key: 0x86c9d60 0x86c1a50 cnt 2 'C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=XXX'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | ref key: 0x86cbb00 0x86cae08 cnt 0 'C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=XXX'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | RSA signature check passed with keyid ec:2a:ee:9d:79:e2:05:a6:26:76:c9:11:6a:2d:04:4f:9d:33:6c:bc

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | unref key: 0x86c9d60 0x86c1a50 cnt 1 'C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=XXX'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | ref key: 0x86cbb00 0x86cae08 cnt 1 'C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=XXX'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | peer CA: "C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=CA_XXX"

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | requested CA: "C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=CA_XXX"

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | S_Test: no match (id: no, auth: ok, trust: ok, request: ok, prio: 2048)

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | S_Test: no match (id: no, auth: ok, trust: ok, request: ok, prio: 2048)

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | S_NAME: no match (id: ok, auth: no, trust: ok, request: no, prio: 2048)

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | S_NAME: no match (id: ok, auth: no, trust: ok, request: no, prio: 2048)

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: "S_Test"[17] X.X.X.X #54: no suitable connection for peer 'C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=XXX'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: "S_Test"[17] X.X.X.X #54: sending encrypted notification INVALID_ID_INFORMATION to X.X.X.X:500

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | state transition function for STATE_MAIN_R2 failed: INVALID_ID_INFORMATION

     

    Es wird immer Invalid_ID ausgegeben. Allerdings habe ich schon alle möglichen Varianten durchprobiert ohne Zählbare Erfolge. Ich habe außerdem Zertifikate mit xca selbst erstellt, gleiches Ergebnis. 

Reply
  • 0 in reply to Holger Semjank

    Hier die Logs der Geräte:

     

    Log X500:

     

    Oct 25 15:29:11 pluto[4457]: "vpn2"[1] X.X.X.X #74: discarding duplicate packet; already STATE_MAIN_I3

    Oct 25 15:29:11 pluto[4457]: "vpn2"[1] X.X.X.X #74: ignoring informational payload, type INVALID_ID_INFORMATION

    Oct 25 15:29:31 pluto[4457]: "vpn2"[1] X.X.X.X #74: ignoring informational payload, type INVALID_ID_INFORMATION

    Oct 25 15:29:31 pluto[4457]: "vpn2"[1] X.X.X.X #74: discarding duplicate packet; already STATE_MAIN_I3

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #74: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #74: starting keying attempt 4 of an unlimited number

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #75: initiating Main Mode to replace #74

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #75: ignoring Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb]

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #75: ignoring Vendor ID payload [Cisco-Unity]

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #75: received Vendor ID payload [XAUTH]

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #75: received Vendor ID payload [Dead Peer Detection]

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #75: received Vendor ID payload [RFC 3947]

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #75: enabling possible NAT-traversal with method 3

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #75: NAT-Traversal: Result using RFC 3947: no NAT detected

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #75: we have a cert and are sending it

    Oct 25 15:30:11 pluto[4457]: "vpn2"[1] X.X.X.X #75: ignoring informational payload, type INVALID_ID_INFORMATION

     

    Log Sophos:

     

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | *received 1020 bytes from X.X.X.X:500 on eth1.501

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | ICOOKIE: 03 a8 95 ad 03 12 da 85

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | RCOOKIE: c5 16 46 02 ea 97 e6 5d

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | peer: 53 dd e4 fe

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | state hash entry 22

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | state object #54 found, in STATE_MAIN_R2

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: "S_Test"[17] X.X.X.X #54: Peer ID is ID_DER_ASN1_DN: 'C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=XXX'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | subject: 'C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=XXX'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | issuer: 'C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=CA_XXX'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | certificate is valid

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | authcert list locked by 'verify_x509cert'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | issuer cacert found

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | certificate signature is valid

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | authcert list unlocked by 'verify_x509cert'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | crl list locked by 'verify_by_crl'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | crl list unlocked by 'verify_by_crl'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: "S_Test"[17] X.X.X.X #54: crl not found

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: "S_Test"[17] X.X.X.X #54: certificate status unknown

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | subject: 'C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=CA_XXX'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | issuer: 'C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=CA_XXX'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | certificate is valid

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | authcert list locked by 'verify_x509cert'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | issuer cacert found

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | certificate signature is valid

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | authcert list unlocked by 'verify_x509cert'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | reached self-signed root ca with a path length of 0

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | unref key: 0x86c9d60 0x86c1a50 cnt 2 'C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=XXX'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | ref key: 0x86cbb00 0x86cae08 cnt 0 'C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=XXX'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | RSA signature check passed with keyid ec:2a:ee:9d:79:e2:05:a6:26:76:c9:11:6a:2d:04:4f:9d:33:6c:bc

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | unref key: 0x86c9d60 0x86c1a50 cnt 1 'C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=XXX'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | ref key: 0x86cbb00 0x86cae08 cnt 1 'C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=XXX'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | peer CA: "C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=CA_XXX"

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | requested CA: "C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=CA_XXX"

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | S_Test: no match (id: no, auth: ok, trust: ok, request: ok, prio: 2048)

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | S_Test: no match (id: no, auth: ok, trust: ok, request: ok, prio: 2048)

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | S_NAME: no match (id: ok, auth: no, trust: ok, request: no, prio: 2048)

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | S_NAME: no match (id: ok, auth: no, trust: ok, request: no, prio: 2048)

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: "S_Test"[17] X.X.X.X #54: no suitable connection for peer 'C=DE, ST=SA, L=XXX, O=XXX, OU=XXX, CN=XXX'

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: "S_Test"[17] X.X.X.X #54: sending encrypted notification INVALID_ID_INFORMATION to X.X.X.X:500

    2017:10:25-15:41:12 sophos_a-1 pluto[22170]: | state transition function for STATE_MAIN_R2 failed: INVALID_ID_INFORMATION

     

    Es wird immer Invalid_ID ausgegeben. Allerdings habe ich schon alle möglichen Varianten durchprobiert ohne Zählbare Erfolge. Ich habe außerdem Zertifikate mit xca selbst erstellt, gleiches Ergebnis. 

Children
No Data