IKEv2 S2S PKI LE and Commercial CAs

Started by joelmnz, February 22, 2022, 04:22:16 AM

Hi all

I have a strange one I am trying to work my way through. I have previously been able to create an IKEv2 S2S IPsec using Let's Encrypt certs created using the acme module and it works great.

I now have an OPNsense 21.7.8 that I am trying to connect to a Cisco FirePower with Digicert CA that I don't have access to.

I have loaded the intermediate and root CAs for LE and Digicert and it appears the phase 1 authenticates fine. Then this happens:


[ENC] parsed IKE_AUTH response 1 [ V IDr CERT AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
[IKE] received end entity cert "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
[CFG]   using certificate "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
[CFG]   using trusted intermediate ca certificate "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1"
[CFG] checking certificate status of "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
[CFG]   requesting ocsp status from 'http://ocsp.digicert.com' ...
[LIB] unable to fetch from http://ocsp.digicert.com, no capable fetcher found
[CFG] ocsp request to http://ocsp.digicert.com failed
[CFG] ocsp check failed, fallback to crl
[CFG]   fetching crl from 'http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1.crl' ...
[LIB] unable to fetch from http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1.crl, no capable fetcher found
[CFG] crl fetching failed
[CFG]   fetching crl from 'http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1.crl' ...
[LIB] unable to fetch from http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1.crl, no capable fetcher found
[CFG] crl fetching failed
[CFG] certificate status is not available
[CFG]   using trusted ca certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
[CFG] checking certificate status of "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1"
[CFG]   requesting ocsp status from 'http://ocsp.digicert.com' ...
[LIB] unable to fetch from http://ocsp.digicert.com, no capable fetcher found
[CFG] ocsp request to http://ocsp.digicert.com failed
[CFG] ocsp check failed, fallback to crl
[CFG]   fetching crl from 'http://crl3.digicert.com/DigiCertGlobalRootCA.crl' ...
[LIB] unable to fetch from http://crl3.digicert.com/DigiCertGlobalRootCA.crl, no capable fetcher found
[CFG] crl fetching failed
[CFG] certificate status is not available
[CFG] certificate policy 2.23.140.1.2.2 for 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' not allowed by trustchain, ignored
[CFG]   reached self-signed root ca with a path length of 1
[IKE] signature validation failed, looking for another key
[CFG]   using certificate "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
[CFG]   using trusted intermediate ca certificate "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1"
[CFG] checking certificate status of "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
[CFG]   requesting ocsp status from 'http://ocsp.digicert.com' ...
[LIB] unable to fetch from http://ocsp.digicert.com, no capable fetcher found
[CFG] ocsp request to http://ocsp.digicert.com failed
[CFG] ocsp check failed, fallback to crl
[CFG]   fetching crl from 'http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1.crl' ...
[LIB] unable to fetch from http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1.crl, no capable fetcher found
[CFG] crl fetching failed
[CFG]   fetching crl from 'http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1.crl' ...
[LIB] unable to fetch from http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1.crl, no capable fetcher found
[CFG] crl fetching failed
[CFG] certificate status is not available
[CFG]   using trusted ca certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
[CFG] checking certificate status of "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1"
[CFG]   requesting ocsp status from 'http://ocsp.digicert.com' ...
[LIB] unable to fetch from http://ocsp.digicert.com, no capable fetcher found
[CFG] ocsp request to http://ocsp.digicert.com failed
[CFG] ocsp check failed, fallback to crl
[CFG]   fetching crl from 'http://crl3.digicert.com/DigiCertGlobalRootCA.crl' ...
[LIB] unable to fetch from http://crl3.digicert.com/DigiCertGlobalRootCA.crl, no capable fetcher found
[CFG] crl fetching failed
[CFG] certificate status is not available
[CFG] certificate policy 2.23.140.1.2.2 for 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' not allowed by trustchain, ignored
[CFG]   reached self-signed root ca with a path length of 1
[IKE] signature validation failed, looking for another key
[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
[NET] sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (65 bytes)
initiate failed: establishing CHILD_SA 'con5' failed


and it falls on its face :(

The Phase one is 256 bit AES-GCM with 128 bit ICV + SHA384,SHA512 + DH Group 21
Phase 2 is aes192gcm16, aes256gcm16 + + off

My hunting led me to a couple of strongSwan posts:
https://wiki.strongswan.org/issues/3343
https://wiki.strongswan.org/issues/2473
Am I maybe hitting this? Should I ask the other network team to enable SHA1? Although based on my reading of the second post, both systems should be using method 14?

So has anyone run across this before and got a gem they could share with me please? I've spent more than a dozen hours trying to sort it out and can't seem to get anywhere.

Also... Is there a way we can resolve the fetching errors for the OCSP and CRLs?

Any help or suggestions very much appreciated.
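The charon log above contains two separate problems that are easy to conflate when reading it by hand: the OCSP/CRL lookups that fail before a request is even sent, and the AUTH signature check that actually rejects the peer. The following analyzer is an added example written for this thread; it is not part of the post, OPNsense or strongSwan. It parses charon lines of the shape quoted above and reports the two problems separately. Its reading of the messages is an assumption stated in the comments: "no capable fetcher found" is taken to mean charon has no HTTP fetcher plugin loaded, and "certificate status is not available" is taken to be non-fatal under strongSwan's default non-strict CRL policy.

```python
import re
from dataclasses import dataclass, field

# The post redacts certificate subjects as a run of "x"; the sample below keeps that.
REDACTED = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

# Sample input: an excerpt of the charon log quoted in the post above.
SAMPLE_LOG = f"""\
[IKE] received end entity cert "{REDACTED}"
[CFG]   using certificate "{REDACTED}"
[CFG]   using trusted intermediate ca certificate "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1"
[CFG] checking certificate status of "{REDACTED}"
[CFG]   requesting ocsp status from 'http://ocsp.digicert.com' ...
[LIB] unable to fetch from http://ocsp.digicert.com, no capable fetcher found
[CFG] ocsp request to http://ocsp.digicert.com failed
[CFG] ocsp check failed, fallback to crl
[CFG]   fetching crl from 'http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1.crl' ...
[LIB] unable to fetch from http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1.crl, no capable fetcher found
[CFG] crl fetching failed
[CFG] certificate status is not available
[CFG] certificate policy 2.23.140.1.2.2 for '{REDACTED}' not allowed by trustchain, ignored
[CFG]   reached self-signed root ca with a path length of 1
[IKE] signature validation failed, looking for another key
[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""

# Patterns for the charon messages that matter for this diagnosis.
RE_STATUS_OF = re.compile(r'^\[CFG\]\s+checking certificate status of "(.+)"$')
RE_FETCH_FAIL = re.compile(r'^\[LIB\]\s+unable to fetch from (\S+), (.+)$')
RE_UNAVAILABLE = re.compile(r'^\[CFG\]\s+certificate status is not available$')
RE_POLICY = re.compile(r"^\[CFG\]\s+certificate policy (\S+) for '(.+)' not allowed by trustchain")
RE_ROOT = re.compile(r'^\[CFG\]\s+reached self-signed root ca')
RE_SIG_FAIL = re.compile(r'^\[IKE\]\s+signature validation failed')
RE_AUTH_FAILED = re.compile(r'N\(AUTH_FAILED\)')


@dataclass
class Report:
    fetch_failures: dict = field(default_factory=dict)   # url -> reason charon gave
    unavailable: list = field(default_factory=list)       # subjects with no revocation status
    policies_ignored: list = field(default_factory=list)  # (policy OID, subject)
    chain_built: bool = False                             # a path to a trusted root was found
    signature_failures: int = 0                           # AUTH signature rejections
    auth_failed: bool = False                             # we sent AUTH_FAILED to the peer

    def findings(self) -> list:
        """Human-readable conclusions, separating the revocation noise from the real failure."""
        out = []
        # Assumption: this libstrongswan message means no fetcher plugin (e.g. curl) is loaded,
        # so no OCSP or CRL request can ever leave the box.
        if any("no capable fetcher found" in r for r in self.fetch_failures.values()):
            out.append("No HTTP fetcher is available to charon, so every OCSP/CRL lookup fails "
                       "before a request is sent; a fetcher plugin must be loaded.")
        # Assumption: with strongSwan's default non-strict CRL policy this is a warning only.
        if self.unavailable:
            out.append(f"Revocation status unavailable for {len(self.unavailable)} certificate(s); "
                       "under a non-strict CRL policy this is logged but does not reject the chain.")
        if self.chain_built and self.signature_failures:
            out.append("Chain built to a trusted root, yet the peer's AUTH signature did not verify: "
                       "the rejection is the signature check, not missing CAs or revocation data.")
        if self.auth_failed:
            out.append("Local side sent AUTH_FAILED; the tunnel was torn down at IKE_AUTH.")
        return out


def analyze(log_text: str) -> Report:
    """Walk the log once, tracking which certificate is currently being checked."""
    report = Report()
    subject = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := RE_STATUS_OF.match(line)):
            subject = m.group(1)
        elif (m := RE_FETCH_FAIL.match(line)):
            report.fetch_failures[m.group(1)] = m.group(2)
        elif RE_UNAVAILABLE.match(line):
            if subject is not None and subject not in report.unavailable:
                report.unavailable.append(subject)
        elif (m := RE_POLICY.match(line)):
            report.policies_ignored.append((m.group(1), m.group(2)))
        elif RE_ROOT.match(line):
            report.chain_built = True
        elif RE_SIG_FAIL.match(line):
            report.signature_failures += 1
        elif RE_AUTH_FAILED.search(line):
            report.auth_failed = True
    return report


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG).findings():
        print("-", finding)
```

Run it against the sample and it separates the fetcher problem (which explains the OCSP/CRL errors asked about at the end of the post) from the signature failure that follows "reached self-signed root ca", which is the line that actually ends the negotiation; feeding it a full `/var/log/ipsec.log` excerpt instead of `SAMPLE_LOG` works the same way.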