Issue Details - J

Issue Summary:
Juniper is not sending its complete trust-chain certificates in the IKE_AUTH message (RFC 4306) while
establishing an IKEv2 tunnel: only the device (end-entity) certificate is sent, so the peer cannot build the chain to the Root CA.
Juniper Box Details: (Tech output provided along with Debug Logs)
HW: Juniper Netscreen 5400
SW: Firmware Version: 6.3.0r17.0 (Firewall+VPN)
Issue Details:
Configuration:
We are using a Juniper Netscreen 5400 device as our security gateway, connected to a
Linux box running the strongSwan IKEv2 stack.
We are trying to establish an IKEv2 tunnel between the two nodes (Linux <-> Juniper Netscreen).
The IKEv2 authentication method used is "rsa-sig" on both ends.
We have configured an X.509 certificate chain on both ends:
o Root CA
o Root CA -> Sub-CA-1 -> Linux device cert (Dev Cert)
o Root CA -> Sub-CA-2 -> Juniper device cert (JunDev Cert)
As seen in the diagram above, both trust chains are signed by the same Root CA.
On Juniper we have installed only its own trust chain, i.e. Root CA -> Sub-CA-2 -> JunDev Cert.
On Linux as well only its own trust chain is installed, i.e. Root CA -> Sub-CA-1 -> Dev Cert.
Neither side has the other side's intermediate (Sub-CA) certificate installed locally, so each side depends on the peer sending its issuer certificate in the IKE_AUTH exchange.
Juniper VPN Configuration:
Gateway being used:
Gateway Settings:
Gateway Settings -> Preferred Certificate:
Under Preferred Certificates we set the Juniper device certificate (amit_13) as "Local Cert" and, as
"Peer CA", the issuer certificate of the Juniper device certificate (i.e. Sub-CA2).
Issue Logs:
The following is seen when the Linux box initiates the IKE SA:
1. Linux sends the IKE_SA_INIT request.
2. As expected, Juniper responds with an IKE_SA_INIT response.
3. In its IKE_SA_INIT response Juniper sends a [CERTREQ] payload naming the Sub-CA2
certificate (the issuer of the Juniper device certificate).
4. Linux then sends the IKE_AUTH request; in this message it sends its complete
trust chain, i.e. its device certificate and the Sub-CA1 issuer certificate, as two [CERT] payloads.
5. Since Juniper receives the complete trust chain from Linux, it is able to
validate the Linux certificate and bring the IKE tunnel up on its own end.
6. As expected, Juniper then sends an IKE_AUTH response to the Linux box.
7. It is expected that in this IKE_AUTH response Juniper sends its own trust chain
(device certificate plus Sub-CA2 issuer certificate) in [CERT] payloads. However, it sends only its own device certificate and
not the complete trust chain; the response carries a single CERT payload.
8. Because of this Linux is not able to validate the Juniper device certificate: it cannot find
the issuer certificate (Linux holds only Root CA and Sub-CA1 locally, so without Sub-CA2 from the peer the chain to the Root CA cannot be built), and it rejects the IKE_AUTH response from
Juniper.
Linux box (strongSwan) log:
sending end entity cert "C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd"
sending issuer cert "C=Sub1CA1, O=Sub1CA1, CN=Sub1CA1"
establishing CHILD_SA IpSecMPlane
generating IKE_AUTH request 1 [ IDi CERT CERT CERTREQ AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from 37.37.37.37[500] to 12.12.12.2[500] (2316 bytes)
received packet: from 12.12.12.2[500] to 37.37.37.37[500] (1484 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) TSi TSr ]
received end entity cert "C=sd, ST=amit_13, L=amit_13, O=amit_13, OU=amit_13, CN=0047092009000003, CN=amit_13, CN=rsa-key, CN=ns54030.juniper.net, CN=amit_13"
using certificate "C=sd, ST=amit_13, L=amit_13, O=amit_13, OU=amit_13, CN=0047092009000003, CN=amit_13, CN=rsa-key, CN=ns54030.juniper.net, CN=amit_13"
no issuer certificate found for "C=sd, ST=amit_13, L=amit_13, O=amit_13, OU=amit_13, CN=0047092009000003, CN=amit_13, CN=rsa-key, CN=ns54030.juniper.net, CN=amit_13"
no trusted RSA public key found for 'ns54030.juniper.net'
9. CONFIG 2: We also tried changing the "Peer CA" setting on the Juniper end to "ALL".
10. With this configuration the problem is seen in the IKE_SA_INIT response sent by Juniper itself:
Juniper appears to send all CA certificates installed on it in the [CERTREQ] payload,
but with the Cert Encoding ("Certificate Type") field set to 0 (RESERVED), which is an invalid value
per the RFC, so the Linux box rejects the payload.
11. In the IKE_AUTH exchange Juniper again sends only its own device certificate and
not the complete trust chain, so the SA again does not come up.
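The following is an added example, not part of the original report or of any Juniper or strongSwan code: a small stdlib-only Python parser for the IKEv2 payload chain (generic payload header per RFC 4306 section 3.2) that checks for the two behaviours described above, the IKE_AUTH response carrying only one CERT payload (Config 1) and a CERTREQ payload with the RESERVED Cert Encoding value 0 (Config 2). The payload bytes are constructed for the example; the certificate bodies are placeholder strings rather than real DER, and the IDr and AUTH bodies are dummies.

```python
"""Added example (not from the original report): parse an IKEv2 payload chain
and check (1) whether an IKE_AUTH response carries an issuer CERT alongside the
end-entity CERT and (2) whether any CERTREQ uses the RESERVED Cert Encoding 0.
All payload bytes below are constructed; certificate bodies are placeholders."""
import hashlib
import struct

# IKEv2 payload type numbers (RFC 4306, section 3.2)
PT_NONE, PT_IDR, PT_CERT, PT_CERTREQ, PT_AUTH = 0, 36, 37, 38, 39
# Cert Encoding values (RFC 4306, section 3.6): 0 is RESERVED, 4 = X.509 Certificate - Signature
ENC_RESERVED, ENC_X509_SIG = 0, 4


def parse_payloads(first_type, data):
    """Walk the payload chain that follows the IKE header.
    Each generic payload header is Next Payload (1), C/reserved (1), Length (2);
    Length includes the 4-byte header. Returns [(type, body), ...]."""
    payloads, ptype, off = [], first_type, 0
    while ptype != PT_NONE:
        if off + 4 > len(data):
            raise ValueError("truncated payload header at offset %d" % off)
        next_type, _flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length %d at offset %d" % (length, off))
        payloads.append((ptype, data[off + 4:off + length]))
        ptype, off = next_type, off + length
    if off != len(data):
        raise ValueError("%d trailing bytes after last payload" % (len(data) - off))
    return payloads


def check_cert_chain(payloads):
    """Count CERT payloads. A peer whose certificate is issued by a sub-CA must
    send at least the end-entity cert plus its issuer; fewer than two CERT
    payloads means the other side can only chain if it already holds the
    intermediate locally (which, in the report, the Linux box does not)."""
    n = sum(1 for t, _ in payloads if t == PT_CERT)
    return n, n >= 2


def bad_certreq_encodings(payloads):
    """Return the Cert Encoding byte of every CERTREQ payload using the
    RESERVED value 0 (what the report observes with Peer CA = ALL)."""
    return [body[0] for t, body in payloads
            if t == PT_CERTREQ and body and body[0] == ENC_RESERVED]


def build(payload_list):
    """Serialise [(type, body), ...] into (first_type, bytes) for testing."""
    out = b""
    for i, (_t, body) in enumerate(payload_list):
        nxt = payload_list[i + 1][0] if i + 1 < len(payload_list) else PT_NONE
        out += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    return (payload_list[0][0] if payload_list else PT_NONE), out


# --- constructed samples (placeholders, not real certificates or signatures) ---
END_ENTITY_DER = b"DER:CN=ns54030.juniper.net (amit_13)"
SUB_CA2_DER = b"DER:CN=Sub-CA2"
# CERTREQ body for X.509 signature certs: encoding byte + SHA-1 of each CA SubjectPublicKeyInfo (RFC 4306, 3.7)
SUB_CA2_SPKI_HASH = hashlib.sha1(b"Sub-CA2 SubjectPublicKeyInfo").digest()
IDR_BODY = b"\x02\x00\x00\x00" + b"ns54030.juniper.net"   # ID type FQDN + dummy identity
AUTH_BODY = b"\x01\x00\x00\x00" + b"\x00" * 16           # RSA signature method + dummy signature

# Config 1 as observed: IDr, a single CERT, AUTH (no Sub-CA2 issuer certificate)
OBSERVED_IKE_AUTH = build([
    (PT_IDR, IDR_BODY),
    (PT_CERT, bytes([ENC_X509_SIG]) + END_ENTITY_DER),
    (PT_AUTH, AUTH_BODY),
])
# What a chain-complete response looks like: end-entity CERT followed by the issuer CERT
EXPECTED_IKE_AUTH = build([
    (PT_IDR, IDR_BODY),
    (PT_CERT, bytes([ENC_X509_SIG]) + END_ENTITY_DER),
    (PT_CERT, bytes([ENC_X509_SIG]) + SUB_CA2_DER),
    (PT_AUTH, AUTH_BODY),
])
# Config 2 as observed: CERTREQ with Cert Encoding 0 (RESERVED) instead of 4
BAD_CERTREQ = build([(PT_CERTREQ, bytes([ENC_RESERVED]) + SUB_CA2_SPKI_HASH)])
GOOD_CERTREQ = build([(PT_CERTREQ, bytes([ENC_X509_SIG]) + SUB_CA2_SPKI_HASH)])

if __name__ == "__main__":
    for name, msg in [("observed", OBSERVED_IKE_AUTH), ("expected", EXPECTED_IKE_AUTH)]:
        n, ok = check_cert_chain(parse_payloads(*msg))
        print("%s IKE_AUTH response: %d CERT payload(s), chain complete: %s" % (name, n, ok))
    for name, msg in [("bad", BAD_CERTREQ), ("good", GOOD_CERTREQ)]:
        print("%s CERTREQ reserved encodings: %s" % (name, bad_certreq_encodings(parse_payloads(*msg))))
```

The same two checks can be run against the real captures by feeding the bytes after the 28-byte IKE header (and, for IKE_AUTH, after decryption of the Encrypted payload) together with the header's Next Payload value into parse_payloads; the checks on CERT count and CERTREQ encoding are the ones the strongSwan log above reflects as "no issuer certificate found" and the rejected CERTREQ.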
Logs Provided:
Config 1: "Peer CA" configured as "Sub-CA2" on Juniper
Wireshark capture: "TrustChainFailure.pcap"
Juniper config file: "_cfg_feb_peer_ca_subca.txt"
Juniper "debug ike detail" capture: "debug_ike_detail.txt"
Config 2: "Peer CA" configured as "ALL" on Juniper
Wireshark capture: "TrustChainFailure_PeerCA_All.pcap"
Juniper config file: "_cfg_peer_ca_all.txt"
Juniper "debug ike detail" capture: "debug_ike_detail_peer_cert_is_all.txt"
Other Logs:
Event logs from Juniper: _evt_log.txt
Tech output from Juniper: _tech.txt
Linux box logs: Linux Box Logs.txt