IPSEC Site-to-Site x509 no public Key Known

Hi Support Forum,

I'm in a PoC and testing the IPsec connection. We have made an IPsec connection with preshared keys successfully and are now trying an IPsec connection with x509 authentication.

On the initiator I have these logs:

2019:11:21-11:08:26 firewall pluto[23675]: loading secrets from "/etc/ipsec.secrets"
2019:11:21-11:08:26 firewall pluto[23675]: loaded private key from 'bernddausch.chickenkiller.com.pem'
2019:11:21-11:08:26 firewall pluto[23675]: listening for IKE messages
2019:11:21-11:08:26 firewall pluto[23675]: forgetting secrets
2019:11:21-11:08:26 firewall pluto[23675]: loading secrets from "/etc/ipsec.secrets"
2019:11:21-11:08:26 firewall pluto[23675]: loaded private key from 'bernddausch.chickenkiller.com.pem'
2019:11:21-11:08:26 firewall pluto[23675]: loading ca certificates from '/etc/ipsec.d/cacerts'
2019:11:21-11:08:26 firewall pluto[23675]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA (Fri Sep 16 16:40:48 2016).pem'
2019:11:21-11:08:26 firewall pluto[23675]: loaded ca certificate from '/etc/ipsec.d/cacerts/firewall.myhome.local Verification CA 1.pem'
2019:11:21-11:08:26 firewall pluto[23675]: loaded ca certificate from '/etc/ipsec.d/cacerts/Proxy-CA.pem'
2019:11:21-11:08:26 firewall pluto[23675]: loaded ca certificate from '/etc/ipsec.d/cacerts/bernddausch.chickenkiller.com Verification CA 1.pem'
2019:11:21-11:08:26 firewall pluto[23675]: loading aa certificates from '/etc/ipsec.d/aacerts'
2019:11:21-11:08:26 firewall pluto[23675]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
2019:11:21-11:08:26 firewall pluto[23675]: loading attribute certificates from '/etc/ipsec.d/acerts'
2019:11:21-11:08:26 firewall pluto[23675]: Changing to directory '/etc/ipsec.d/crls'
2019:11:21-11:08:26 firewall pluto[23675]: loaded host certificate from '/etc/ipsec.d/certs/bernddausch.chickenkiller.com.pem'
2019:11:21-11:08:26 firewall pluto[23675]: added connection description "S_test2"
2019:11:21-11:08:26 firewall pluto[23675]: "S_test2" #20: initiating Main Mode
2019:11:21-11:08:26 firewall pluto[23675]: ERROR: "S_test2" #20: sendto on eth1 to 46.182.146.36:500 failed in main_outI1. Errno 1: Operation not permitted
2019:11:21-11:08:36 firewall pluto[23675]: "S_test2" #20: received Vendor ID payload [XAUTH]
2019:11:21-11:08:36 firewall pluto[23675]: "S_test2" #20: received Vendor ID payload [Dead Peer Detection]
2019:11:21-11:08:36 firewall pluto[23675]: "S_test2" #20: received Vendor ID payload [RFC 3947]
2019:11:21-11:08:36 firewall pluto[23675]: "S_test2" #20: enabling possible NAT-traversal with method 3
2019:11:21-11:08:36 firewall pluto[23675]: "S_test2" #20: NAT-Traversal: Result using RFC 3947: i am NATed
2019:11:21-11:08:36 firewall pluto[23675]: "S_test2" #20: we have a cert and are sending it
2019:11:21-11:08:36 firewall pluto[23675]: "S_test2" #20: Peer ID is ID_DER_ASN1_DN: 'L=NBG, O=SchuWa, CN=vpn-gw02'
2019:11:21-11:08:36 firewall pluto[23675]: "S_test2" #20: no public key known for 'L=NBG, O=SchuWa, CN=vpn-gw02'
2019:11:21-11:08:36 firewall pluto[23675]: "S_test2" #20: sending encrypted notification INVALID_KEY_INFORMATION to 46.182.146.36:4500

Edit: with another vendor (Lancom) on the other side, it worked with the same settings on the VyOS side. With Sophos UTM I get this error on two sites.

Does anyone have a hint?

Kind Regards,

Bernd
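As an added example (not from this thread, VyOS or strongSwan), here is a small Python script that parses pluto log lines like the ones above, groups them by IKE state number (#20, #21, ...) and reports which peer IDs failed the public-key lookup next to the CA certificates the daemon actually loaded. That pairing is the first thing to compare when x509 authentication fails: the peer's certificate must chain to one of the loaded CAs and its subject must match the remote ID. The log text is a constructed sample modelled on the post; the second connection "S_lancom" and its DN are invented.

```python
"""Triage helper for pluto (IKEv1) x509 authentication failures.

Added example for this thread; not code from the forum post, VyOS or strongSwan.
It groups pluto log lines by IKE state and reports which peer IDs failed the
public-key lookup, next to the CA certificates the daemon actually loaded.
"""
import re
from collections import OrderedDict

# Constructed sample: the relevant lines from the post, plus an invented second
# connection "S_lancom" (#21) that completes, so the report shows both outcomes.
SAMPLE_LOG = """\
2019:11:21-11:08:26 firewall pluto[23675]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA (Fri Sep 16 16:40:48 2016).pem'
2019:11:21-11:08:26 firewall pluto[23675]: loaded ca certificate from '/etc/ipsec.d/cacerts/bernddausch.chickenkiller.com Verification CA 1.pem'
2019:11:21-11:08:26 firewall pluto[23675]: loaded host certificate from '/etc/ipsec.d/certs/bernddausch.chickenkiller.com.pem'
2019:11:21-11:08:26 firewall pluto[23675]: "S_test2" #20: initiating Main Mode
2019:11:21-11:08:26 firewall pluto[23675]: ERROR: "S_test2" #20: sendto on eth1 to 46.182.146.36:500 failed in main_outI1. Errno 1: Operation not permitted
2019:11:21-11:08:36 firewall pluto[23675]: "S_test2" #20: we have a cert and are sending it
2019:11:21-11:08:36 firewall pluto[23675]: "S_test2" #20: Peer ID is ID_DER_ASN1_DN: 'L=NBG, O=SchuWa, CN=vpn-gw02'
2019:11:21-11:08:36 firewall pluto[23675]: "S_test2" #20: no public key known for 'L=NBG, O=SchuWa, CN=vpn-gw02'
2019:11:21-11:08:36 firewall pluto[23675]: "S_test2" #20: sending encrypted notification INVALID_KEY_INFORMATION to 46.182.146.36:4500
2019:11:21-11:09:02 firewall pluto[23675]: "S_lancom" #21: initiating Main Mode
2019:11:21-11:09:03 firewall pluto[23675]: "S_lancom" #21: Peer ID is ID_DER_ASN1_DN: 'C=DE, O=Example, CN=lancom-gw'
2019:11:21-11:09:03 firewall pluto[23675]: "S_lancom" #21: ISAKMP SA established
"""

# Line layout: "<timestamp> <host> pluto[<pid>]: <message>"; per-state messages
# are prefixed with '"<conn>" #<state>: ' (sometimes after "ERROR: ").
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$")
STATE_RE = re.compile(r'^(?:ERROR: )?"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
CA_RE = re.compile(r"^loaded ca certificate from '(?P<path>[^']+)'$")
PEER_ID_RE = re.compile(r"^Peer ID is (?P<idtype>\S+): '(?P<dn>[^']+)'$")
NOKEY_RE = re.compile(r"^no public key known for '(?P<dn>[^']+)'$")
NOTIFY_RE = re.compile(r"^sending encrypted notification (?P<notify>\S+) to (?P<peer>\S+)$")


def parse_line(line):
    """Return (timestamp, connection, state_no, message) for one pluto line.

    connection and state_no are None for daemon-level messages (cert loading etc.).
    Lines that are not pluto output return None.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    s = STATE_RE.match(msg)
    if s:
        return m.group("ts"), s.group("conn"), int(s.group("state")), s.group("msg")
    return m.group("ts"), None, None, msg


def parse_dn(dn):
    """Split 'L=NBG, O=SchuWa, CN=vpn-gw02' into [('L','NBG'), ('O','SchuWa'), ('CN','vpn-gw02')].

    Order is preserved on purpose: the same RDNs in a different order are a
    different identity. Escaped commas inside values are not handled (none here).
    """
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def analyze(log_text):
    """Return (ca_cert_paths, states) where states maps (conn, state_no) to a summary dict."""
    ca_certs = []
    states = OrderedDict()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, conn, state_no, msg = parsed
        if conn is None:
            ca = CA_RE.match(msg)
            if ca:
                ca_certs.append(ca.group("path"))
            continue
        rec = states.setdefault((conn, state_no), {
            "first_seen": ts, "peer_id": None, "missing_key_for": None,
            "notification": None, "peer_addr": None, "established": False})
        p, n, t = PEER_ID_RE.match(msg), NOKEY_RE.match(msg), NOTIFY_RE.match(msg)
        if p:
            rec["peer_id"] = p.group("dn")
        elif n:
            rec["missing_key_for"] = n.group("dn")
        elif t:
            rec["notification"], rec["peer_addr"] = t.group("notify"), t.group("peer")
        elif "ISAKMP SA established" in msg:
            rec["established"] = True
    return ca_certs, states


def failed_x509_auth(log_text):
    """List the IKE states where the peer presented an ID we had no public key for."""
    _, states = analyze(log_text)
    return [{"connection": c, "state": s, "peer_id": r["missing_key_for"],
             "notification": r["notification"], "peer_addr": r["peer_addr"]}
            for (c, s), r in states.items() if r["missing_key_for"]]


def report(log_text):
    """Human-readable summary: loaded CAs, then one line per IKE state."""
    ca_certs, states = analyze(log_text)
    out = ["Loaded CA certificates:"] + (["  " + p for p in ca_certs] or ["  (none)"])
    for (conn, state_no), rec in states.items():
        status = "established" if rec["established"] else ("FAILED" if rec["missing_key_for"] else "incomplete")
        out.append(f'"{conn}" #{state_no}: {status}; peer ID {rec["peer_id"]!r}')
        if rec["missing_key_for"]:
            rdns = ", ".join(f"{a}={v}" for a, v in parse_dn(rec["missing_key_for"]))
            out.append(f"  no public key for [{rdns}]: check that the peer certificate chains to a loaded CA "
                       f"and that its subject matches the configured remote ID")
            out.append(f"  sent {rec['notification']} to {rec['peer_addr']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real `/var/log/auth.log` excerpt by replacing `SAMPLE_LOG`; a state that shows a peer ID followed by `no public key known` while the expected CA is absent from the loaded list points at the trust store, while a present CA with a mismatching DN points at the remote ID configuration.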

Hello @bernd.dausch.
Can you provide the firewall logs on the UTM side for this time? Maybe the UTM drops these packets.
Check that port 500 is open on the UTM side.
From VyOS execute:
vyos# sudo nmap -sU -p 500 x.x.x.x
vyos# sudo nmap -sU -p 4500 x.x.x.x
Where x.x.x.x is the UTM host.

Hello @Viacheslav,

I have disabled the firewall and get the same log entries. In the meantime I have also contacted support.

@bernd.dausch
Show the output of the nmap command.

@Viacheslav which nmap command do you mean?

@bernd.dausch

Sorry, I overlooked this.

vyos@GW02:~$ sudo nmap -sU -p 4500 84.158.213.181

Starting Nmap 6.47 ( ) at 2019-11-25 10:13 CET
Nmap scan report for p549ED5B5.dip0.t-ipconnect.de (84.158.213.181)
Host is up (0.0055s latency).
PORT STATE SERVICE
4500/udp open|filtered nat-t-ike

Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds
vyos@GW02:~$ sudo nmap -sU -p 500 84.158.213.181

Starting Nmap 6.47 ( ) at 2019-11-25 10:13 CET
Nmap scan report for p549ED5B5.dip0.t-ipconnect.de (84.158.213.181)
Host is up (0.0055s latency).
PORT STATE SERVICE
500/udp open|filtered isakmp

Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds

So Nmap does not know for sure whether the port is open or being filtered.
Try to detect it in the firewall logs.

It should have looked like this (open):

PORT    STATE SERVICE
500/udp open  isakmp

I have nothing in the firewall logs on the UTM side, and VPNs to another gateway with the same settings work without any problems. The only difference is the certificate of the remote site (same CA) and the vendor of the gateway; the working gateway is a Lancom router.

From the Lancom router a connection to the VyOS router works (also with certificates). A VPN from the faulty gateway to the VyOS router works with a preshared key, too.