racoon: "no remote configuration found" on openSUSE 13.2 using x509 certs

I am attempting to get IPSEC working between two openSUSE
13.2 hosts with ipsec-tools 0.8.0 in transport mode using
x509 certificates for verification. I get “WARNING: No ID
match.” and “no remote configuration found” even though
there is clearly a remote configuration in racoon.conf. Am I
missing something, or is this a bug?

So first, I have IPSEC working with PSK and the following
config on system A:

remote 192.168.1.7
{
    exchange_mode main;
    my_identifier address;
    peers_identifier address;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha256;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

And this config on system B:

remote 192.168.1.21
{
    exchange_mode main;
    my_identifier address;
    peers_identifier address;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha256;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

If I change this to an x509 config, it no longer works. Here
is what is on A:

remote 192.168.1.7
{
    exchange_mode main;
    ca_type x509 "earlca2014.pem";
    certificate_type x509 "A.killian.com.pem" "A.killian.com.key";
    my_identifier asn1dn;
    peers_identifier asn1dn "C=US, ST=California, O=Killian.COM, CN=B.killian.com";
    verify_identifier on;
    verify_cert on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha256;
        authentication_method rsasig;
        dh_group modp1024;
    }
}

and on B:

remote 192.168.1.21
{
    exchange_mode main;
    ca_type x509 "earlca2014.pem";
    certificate_type x509 "B.killian.com.pem" "B.killian.com.key";
    my_identifier asn1dn;
    peers_identifier asn1dn "C=US, ST=California, O=Killian.COM, CN=A.killian.com";
    verify_identifier on;
    verify_cert on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha256;
        authentication_method rsasig;
        dh_group modp1024;
    }
}

where the certificates are both created using my own
self-signed CA, earlca2014.pem as specified above.

Here is what is in the certificates:

% openssl x509 -in cert/A.killian.com.pem -noout -subject
subject= /C=US/ST=California/O=Killian.COM/CN=A.killian.com
% openssl x509 -in cert/B.killian.com.pem -noout -subject
subject= /C=US/ST=California/O=Killian.COM/CN=B.killian.com

It seems like they match the peers_identifier asn1dn (I
presume that the slash versus comma thing is just syntax
between racoon and openssl).

The x509 config gives the following on B’s syslog during the
phase 1 connection attempt from A to B:

2015-01-05 11:24:51: [192.168.1.21] DEBUG: getrmconf_by_ph1: remote 192.168.1.21[500], identity C=US, ST=California, O=Killian.COM, CN=A.killian.com.
2015-01-05 11:24:51: WARNING: No ID match.
2015-01-05 11:24:51: [192.168.1.21] DEBUG: no remote configuration found 

Any suggestions on what could be wrong?

I am running this on both systems with the command line

setkey -f setkey.conf && racoon -f racoon.conf -F -d > & racoon.log

for debugging.

Here is the detailed output of racoon -F -d on B (with the hex dump lines removed).

Foreground mode.
ERROR: racoon: MLS support is not enabled.
INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
INFO: @(#)This product linked OpenSSL 1.0.1j-fips 15 Oct 2014 (http://www.openssl.org/)
INFO: Reading configuration from "racoon.conf"
DEBUG: call pfkey_send_register for AH
DEBUG: call pfkey_send_register for ESP
DEBUG: call pfkey_send_register for IPCOMP
DEBUG: reading config file racoon.conf
DEBUG: filename: /etc/racoon/cert/earlca2014.pem
DEBUG: filename: /etc/racoon/cert/B.killian.com.pem
DEBUG: DN: C=US
DEBUG: DN: ST=California
DEBUG: DN: O=Killian.COM
DEBUG: DN: CN=A.killian.com
DEBUG: Parsed DN: C=US, ST=California, O=Killian.COM, CN=A.killian.com
DEBUG: no check of compression algorithm; not supported in sadb message.
DEBUG: getsainfo params: loc='192.168.1.7' rmt='192.168.1.21' peer='NULL' client='NULL' id=0
DEBUG: no check of compression algorithm; not supported in sadb message.
DEBUG: getsainfo params: loc='192.168.1.21' rmt='192.168.1.7' peer='NULL' client='NULL' id=0
DEBUG: evaluating sainfo: loc='192.168.1.7', rmt='192.168.1.21', peer='ANY', id=0
DEBUG: check and compare ids : value mismatch (IPv4_address)
DEBUG: cmpid target: '192.168.1.21'
DEBUG: cmpid source: '192.168.1.7'
DEBUG: no check of compression algorithm; not supported in sadb message.
DEBUG: getsainfo params: loc='192.168.1.7' rmt='192.168.2.63' peer='NULL' client='NULL' id=0
DEBUG: evaluating sainfo: loc='192.168.1.7', rmt='192.168.1.21', peer='ANY', id=0
DEBUG: check and compare ids : values matched (IPv4_address)
DEBUG: cmpid target: '192.168.1.7'
DEBUG: cmpid source: '192.168.1.7'
DEBUG: check and compare ids : value mismatch (IPv4_address)
DEBUG: cmpid target: '192.168.2.63'
DEBUG: cmpid source: '192.168.1.21'
DEBUG: evaluating sainfo: loc='192.168.1.21', rmt='192.168.1.7', peer='ANY', id=0
DEBUG: check and compare ids : value mismatch (IPv4_address)
DEBUG: cmpid target: '192.168.1.7'
DEBUG: cmpid source: '192.168.1.21'
DEBUG: no check of compression algorithm; not supported in sadb message.
DEBUG: getsainfo params: loc='192.168.2.63' rmt='192.168.1.7' peer='NULL' client='NULL' id=0
DEBUG: evaluating sainfo: loc='192.168.1.7', rmt='192.168.1.21', peer='ANY', id=0
DEBUG: check and compare ids : value mismatch (IPv4_address)
DEBUG: cmpid target: '192.168.2.63'
DEBUG: cmpid source: '192.168.1.7'
DEBUG: evaluating sainfo: loc='192.168.1.21', rmt='192.168.1.7', peer='ANY', id=0
DEBUG: check and compare ids : value mismatch (IPv4_address)
DEBUG: cmpid target: '192.168.2.63'
DEBUG: cmpid source: '192.168.1.21'
DEBUG: evaluating sainfo: loc='192.168.1.7', rmt='192.168.2.63', peer='ANY', id=0
DEBUG: check and compare ids : value mismatch (IPv4_address)
DEBUG: cmpid target: '192.168.2.63'
DEBUG: cmpid source: '192.168.1.7'
DEBUG: open /run/racoon/racoon.sock as racoon management.
DEBUG: Netlink: address 127.0.0.0 added
DEBUG: Netlink: address 127.0.0.1 added
DEBUG: Netlink: address 192.168.1.7 added
INFO: 192.168.1.7[500] used for NAT-T
INFO: 192.168.1.7[500] used as isakmp port (fd=7)
DEBUG: Netlink: address ::1 added
DEBUG: Netlink: address fe80::2b0:d0ff:feaa:eb3d%enp0s2 added
DEBUG: pk_recv: retry[0] recv() 
DEBUG: got pfkey X_SPDDUMP message
DEBUG: pk_recv: retry[0] recv() 
DEBUG: got pfkey X_SPDDUMP message
DEBUG: sub:0xbfaab6d0: 192.168.2.63/32[0] 192.168.1.7/32[0] proto=any dir=fwd
DEBUG: db :0x8606e40: 192.168.1.7/32[0] 192.168.2.63/32[0] proto=any dir=out
DEBUG: pk_recv: retry[0] recv() 
DEBUG: got pfkey X_SPDDUMP message
DEBUG: sub:0xbfaab6d0: 192.168.2.63/32[0] 192.168.1.7/32[0] proto=any dir=in
DEBUG: db :0x8606e40: 192.168.1.7/32[0] 192.168.2.63/32[0] proto=any dir=out
DEBUG: sub:0xbfaab6d0: 192.168.2.63/32[0] 192.168.1.7/32[0] proto=any dir=in
DEBUG: db :0x8607860: 192.168.2.63/32[0] 192.168.1.7/32[0] proto=any dir=fwd
DEBUG: pk_recv: retry[0] recv() 
DEBUG: got pfkey X_SPDDUMP message
DEBUG: sub:0xbfaab6d0: 192.168.1.7/32[0] 192.168.1.21/32[0] proto=any dir=out
DEBUG: db :0x8606e40: 192.168.1.7/32[0] 192.168.2.63/32[0] proto=any dir=out
DEBUG: sub:0xbfaab6d0: 192.168.1.7/32[0] 192.168.1.21/32[0] proto=any dir=out
DEBUG: db :0x8607860: 192.168.2.63/32[0] 192.168.1.7/32[0] proto=any dir=fwd
DEBUG: sub:0xbfaab6d0: 192.168.1.7/32[0] 192.168.1.21/32[0] proto=any dir=out
DEBUG: db :0x8607c00: 192.168.2.63/32[0] 192.168.1.7/32[0] proto=any dir=in
DEBUG: pk_recv: retry[0] recv() 
DEBUG: got pfkey X_SPDDUMP message
DEBUG: sub:0xbfaab6d0: 192.168.1.21/32[0] 192.168.1.7/32[0] proto=any dir=fwd
DEBUG: db :0x8606e40: 192.168.1.7/32[0] 192.168.2.63/32[0] proto=any dir=out
DEBUG: sub:0xbfaab6d0: 192.168.1.21/32[0] 192.168.1.7/32[0] proto=any dir=fwd
DEBUG: db :0x8607860: 192.168.2.63/32[0] 192.168.1.7/32[0] proto=any dir=fwd
DEBUG: sub:0xbfaab6d0: 192.168.1.21/32[0] 192.168.1.7/32[0] proto=any dir=fwd
DEBUG: db :0x8607c00: 192.168.2.63/32[0] 192.168.1.7/32[0] proto=any dir=in
DEBUG: sub:0xbfaab6d0: 192.168.1.21/32[0] 192.168.1.7/32[0] proto=any dir=fwd
DEBUG: db :0x8607fa0: 192.168.1.7/32[0] 192.168.1.21/32[0] proto=any dir=out
DEBUG: pk_recv: retry[0] recv() 
DEBUG: got pfkey X_SPDDUMP message
DEBUG: sub:0xbfaab6d0: 192.168.1.21/32[0] 192.168.1.7/32[0] proto=any dir=in
DEBUG: db :0x8606e40: 192.168.1.7/32[0] 192.168.2.63/32[0] proto=any dir=out
DEBUG: sub:0xbfaab6d0: 192.168.1.21/32[0] 192.168.1.7/32[0] proto=any dir=in
DEBUG: db :0x8607860: 192.168.2.63/32[0] 192.168.1.7/32[0] proto=any dir=fwd
DEBUG: sub:0xbfaab6d0: 192.168.1.21/32[0] 192.168.1.7/32[0] proto=any dir=in
DEBUG: db :0x8607c00: 192.168.2.63/32[0] 192.168.1.7/32[0] proto=any dir=in
DEBUG: sub:0xbfaab6d0: 192.168.1.21/32[0] 192.168.1.7/32[0] proto=any dir=in
DEBUG: db :0x8607fa0: 192.168.1.7/32[0] 192.168.1.21/32[0] proto=any dir=out
DEBUG: sub:0xbfaab6d0: 192.168.1.21/32[0] 192.168.1.7/32[0] proto=any dir=in
DEBUG: db :0x8601ac8: 192.168.1.21/32[0] 192.168.1.7/32[0] proto=any dir=fwd
DEBUG: ===
DEBUG: 104 bytes message received from 192.168.1.21[500] to 192.168.1.7[500]
DEBUG: 
DEBUG: ===
INFO: respond new phase 1 negotiation: 192.168.1.7[500]<=>192.168.1.21[500]
INFO: begin Identity Protection mode.
DEBUG: begin.
DEBUG: seen nptype=1(sa)
DEBUG: seen nptype=13(vid)
DEBUG: succeed.
INFO: received Vendor ID: DPD
DEBUG: remote supports DPD
DEBUG: total SA len=52
DEBUG: 
DEBUG: begin.
DEBUG: seen nptype=2(prop)
DEBUG: succeed.
DEBUG: proposal #1 len=44
DEBUG: begin.
DEBUG: seen nptype=3(trns)
DEBUG: succeed.
DEBUG: transform #1 len=36
DEBUG: type=Life Type, flag=0x8000, lorv=seconds
DEBUG: type=Life Duration, flag=0x8000, lorv=28800
DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
DEBUG: encryption(aes)
DEBUG: type=Key Length, flag=0x8000, lorv=128
DEBUG: type=Authentication Method, flag=0x8000, lorv=RSA signatures
DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA256
DEBUG: hash(sha2_256)
DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
DEBUG: hmac(modp1024)
DEBUG: pair 1:
DEBUG:  0x86009e8: next=(nil) tnext=(nil)
DEBUG: proposal #1: 1 transform
DEBUG: type=Life Type, flag=0x8000, lorv=seconds
DEBUG: type=Life Duration, flag=0x8000, lorv=28800
DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
DEBUG: type=Key Length, flag=0x8000, lorv=128
DEBUG: type=Authentication Method, flag=0x8000, lorv=RSA signatures
DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA256
DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
DEBUG: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1
DEBUG: trns#=1, trns-id=IKE
DEBUG:   lifetime = 28800
DEBUG:   lifebyte = 0
DEBUG:   enctype = AES-CBC
DEBUG:   encklen = 128
DEBUG:   hashtype = SHA256
DEBUG:   authmethod = RSA signatures
DEBUG:   dh_group = 1024-bit MODP group
DEBUG: an acceptable proposal found.
DEBUG: hmac(modp1024)
DEBUG: agreed on RSA signatures auth.
DEBUG: ===
DEBUG: new cookie:

DEBUG: add payload of len 52, next type 13
DEBUG: add payload of len 16, next type 0
DEBUG: 104 bytes from 192.168.1.7[500] to 192.168.1.21[500]
DEBUG: sockname 192.168.1.7[500]
DEBUG: send packet from 192.168.1.7[500]
DEBUG: send packet to 192.168.1.21[500]
DEBUG: src4 192.168.1.7[500]
DEBUG: dst4 192.168.1.21[500]
DEBUG: 1 times of 104 bytes message will be sent to 192.168.1.21[500]
DEBUG: 
DEBUG: resend phase1 packet 0b22d7aeeb6167d7:c8a376ca9f86be8b
DEBUG: ===
DEBUG: 180 bytes message received from 192.168.1.21[500] to 192.168.1.7[500]
DEBUG: 
DEBUG: begin.
DEBUG: seen nptype=4(ke)
DEBUG: seen nptype=10(nonce)
DEBUG: succeed.
DEBUG: ===
DEBUG: compute DH's private.
DEBUG: 
DEBUG: compute DH's public.
DEBUG: 
[192.168.1.21] DEBUG: appending CR: X.509 Certificate Signature
DEBUG: 
DEBUG: add payload of len 128, next type 10
DEBUG: add payload of len 16, next type 7
DEBUG: add payload of len 173, next type 0
DEBUG: 357 bytes from 192.168.1.7[500] to 192.168.1.21[500]
DEBUG: sockname 192.168.1.7[500]
DEBUG: send packet from 192.168.1.7[500]
DEBUG: send packet to 192.168.1.21[500]
DEBUG: src4 192.168.1.7[500]
DEBUG: dst4 192.168.1.21[500]
DEBUG: 1 times of 357 bytes message will be sent to 192.168.1.21[500]
DEBUG: 
DEBUG: resend phase1 packet 0b22d7aeeb6167d7:c8a376ca9f86be8b
DEBUG: compute DH's shared.
DEBUG: 
DEBUG: nonce1: 2015-01-07 12:30:41: DEBUG: 
DEBUG: nonce2: 2015-01-07 12:30:41: DEBUG: 
DEBUG: hmac(hmac_sha2_256)
DEBUG: SKEYID computed:
DEBUG: 
DEBUG: hmac(hmac_sha2_256)
DEBUG: SKEYID_d computed:
DEBUG: 
DEBUG: hmac(hmac_sha2_256)
DEBUG: SKEYID_a computed:
DEBUG: 
DEBUG: hmac(hmac_sha2_256)
DEBUG: SKEYID_e computed:
DEBUG: 
DEBUG: encryption(aes)
DEBUG: hash(sha2_256)
DEBUG: final encryption key computed:
DEBUG: 
DEBUG: hash(sha2_256)
DEBUG: encryption(aes)
DEBUG: IV computed:
DEBUG: 
DEBUG: ===
DEBUG: 2460 bytes message received from 192.168.1.21[500] to 192.168.1.7[500]
DEBUG: 
DEBUG: begin decryption.
DEBUG: encryption(aes)
DEBUG: IV was saved for next processing:
DEBUG: 
DEBUG: encryption(aes)
DEBUG: with key:
DEBUG: 
DEBUG: decrypted payload by IV:
DEBUG: 
DEBUG: decrypted payload, but not trimed.
DEBUG: 
DEBUG: padding len=14
DEBUG: skip to trim padding.
DEBUG: decrypted.
DEBUG: 
DEBUG: begin.
DEBUG: seen nptype=5(id)
DEBUG: seen nptype=6(cert)
DEBUG: seen nptype=9(sig)
DEBUG: seen nptype=7(cr)
DEBUG: succeed.
[192.168.1.21] DEBUG: getrmconf_by_ph1: remote 192.168.1.21[500], identity C=US, ST=California, O=Killian.COM, CN=A.killian.com.
WARNING: No ID match.
[192.168.1.21] DEBUG: no remote configuration found
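The post presumes that the slash form openssl prints and the comma form racoon.conf uses are "just syntax" for the same DN. The script below, an added example that is not code from the post or from ipsec-tools, makes that check explicit: it parses the `peers_identifier asn1dn` string out of a `remote` block, parses the DN from `openssl x509 -subject` output or from the `identity ...` field of the `getrmconf_by_ph1` debug line, and compares the two RDN by RDN, reporting ordering, attribute and case differences. The inputs are copied from the post; the comparison is this script's own exact match, not racoon's internal routine, so a match here only shows that the configured string and the presented subject name the same DN.

```python
"""Check a racoon.conf peers_identifier asn1dn against the DN a peer presents.

Added example, not code from the forum post or from ipsec-tools. It turns the
two DN spellings seen on the page, openssl's "/C=US/ST=.../CN=..." and racoon's
"C=US, ST=..., CN=...", into one ordered list of (attribute, value) pairs and
compares them exactly (same attributes, same order, same values). It does not
reproduce racoon's own comparison routine.
"""
import re

# Constructed inputs, taken from the forum post for illustration.
RACOON_CONF_B = '''
remote 192.168.1.21
{
    exchange_mode main;
    ca_type x509 "earlca2014.pem";
    certificate_type x509 "B.killian.com.pem" "B.killian.com.key";
    my_identifier asn1dn;
    peers_identifier asn1dn "C=US, ST=California, O=Killian.COM, CN=A.killian.com";
    verify_identifier on;
    verify_cert on;
}
'''
OPENSSL_SUBJECT = "subject= /C=US/ST=California/O=Killian.COM/CN=A.killian.com"
RACOON_LOG_LINE = ("2015-01-05 11:24:51: [192.168.1.21] DEBUG: getrmconf_by_ph1: "
                   "remote 192.168.1.21[500], identity "
                   "C=US, ST=California, O=Killian.COM, CN=A.killian.com.")

PEERS_ID_RE = re.compile(r'peers_identifier\s+asn1dn\s+"([^"]*)"\s*;')
# getrmconf_by_ph1 prints the DN after "identity" and ends the line with a period.
IDENTITY_RE = re.compile(r'\bidentity\s+(.*?)\.?\s*$')


def parse_dn(text):
    """Parse a DN written either as /C=.../CN=... (openssl -subject) or as
    C=..., CN=... (racoon.conf / racoon log) into [(attr, value), ...].

    Attribute types are upper-cased; values are kept as written. Values that
    themselves contain '/' or ',' are not handled (openssl's one-line format
    does not escape them either).
    """
    text = text.strip()
    if text.startswith("subject="):           # prefix from openssl x509 -noout -subject
        text = text.split("=", 1)[1].strip()
    parts = text[1:].split("/") if text.startswith("/") else text.split(",")
    rdns = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("not an attr=value RDN: %r" % part)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def configured_peer_dn(conf_text):
    """Return the parsed peers_identifier asn1dn from a remote block, or None."""
    m = PEERS_ID_RE.search(conf_text)
    return parse_dn(m.group(1)) if m else None


def logged_identity(log_line):
    """Return the DN string racoon logged as the peer's identity, or None."""
    m = IDENTITY_RE.search(log_line)
    return m.group(1) if m else None


def compare_dns(configured, presented):
    """Return a list of differences; an empty list means an exact match."""
    diffs = []
    if len(configured) != len(presented):
        diffs.append("RDN count: %d configured, %d presented"
                     % (len(configured), len(presented)))
    for i, ((ca, cv), (pa, pv)) in enumerate(zip(configured, presented)):
        if ca != pa:
            diffs.append("position %d: attribute %s configured, %s presented"
                         % (i, ca, pa))
        elif cv != pv:
            hint = " (differs in case only)" if cv.lower() == pv.lower() else ""
            diffs.append("position %d: %s=%s configured, %s=%s presented%s"
                         % (i, ca, cv, pa, pv, hint))
    return diffs


def check(conf_text, presented_dn):
    """Compare the remote block's peers_identifier with a presented DN string."""
    configured = configured_peer_dn(conf_text)
    if configured is None:
        return ["no peers_identifier asn1dn in this remote block"]
    return compare_dns(configured, parse_dn(presented_dn))


if __name__ == "__main__":
    for label, dn in (("openssl subject", OPENSSL_SUBJECT),
                      ("identity in racoon log", logged_identity(RACOON_LOG_LINE))):
        diffs = check(RACOON_CONF_B, dn)
        print("%-24s %s" % (label + ":", "MATCH" if not diffs else "; ".join(diffs)))
```

Run against the post's own config and log line, both comparisons come back as an exact match, which is what makes "No ID match." from the daemon the thing to investigate rather than the configuration. When the check does report a difference, the message says which RDN position, attribute or case differs, which is the usual cause when one side was written by hand and the other copied from `openssl x509 -subject`.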

I downloaded the ipsec-tools-0.8.2 source code and compiled it, and using the resulting racoon binary on the receiving end of the IPSEC transport connection caused the connection to be set up correctly (the “no remote configuration found” went away). Thus it appears that there is a bug in openSUSE’s ipsec-tools-0.8.0 port that could be fixed by just upgrading to 0.8.2.

For the record, my configure command line was:

./configure --with-kernel-headers=/usr/include --enable-security-context=no

Be sure to submit a detailed bug report to http://bugzilla.opensuse.org.

Someone will take a look at your solution and possibly implement so that it becomes standard.

And, you’ll be on record for contributing!
:)

TSU