[Openswan dev] Interop Bug: Windows XP + Openswan 2.1.2_20040427

Matthew Callaway matt-openswan-dev at kindjal.net
Thu Apr 29 20:38:49 CEST 2004


I found a problem with interoperability between openswan-2.1.2 CVS HEAD
on 20040427 and Windows XP.

The symptoms:

Windows initiates a connection with Openswan.  Openswan sets up ISAKMP SA
without problems, but does not proceed to phase 2.  Openswan reports no
errors, it just stops.

pluto[18177]: packet from 192.168.0.100:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
pluto[18177]: "rw-net"[1] 192.168.0.100 #1: responding to Main Mode from unknown peer 192.168.0.100
pluto[18177]: "rw-net"[1] 192.168.0.100 #1: transition from state (null) to state STATE_MAIN_R1
pluto[18177]: "rw-net"[1] 192.168.0.100 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[18177]: "rw-net"[1] 192.168.0.100 #1: Peer ID is ID_DER_ASN1_DN: '.....'
pluto[18177]: "rw-net"[2] 192.168.0.100 #1: deleting connection "rw-net" instance with peer 192.168.0.100 {isakmp=#0/ipsec=#0}
pluto[18177]: "rw-net"[2] 192.168.0.100 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[18177]: "rw-net"[2] 192.168.0.100 #1: sent MR3, ISAKMP SA established
(stops here, no more logs)

If you put pluto in debug=all mode, you'll see this interesting tidbit:

thinking about whether to send my certificate:
I have RSA key: OAKLEY_RSA_SIG cert.type: CERT_X509_SIGNATURE sendcert: CERT_SENDIFASKED
and I did not get a certificate request, so do not send cert.

On the windows side, in oakley.log, you get:

#---- begin ---- #
Source IP Address Mask 255.255.255.255
Destination IP Address 192.168.0.5
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr
IKE Peer Addr

 4-29: 18:53:11:129:7bc Certificate based Identity.  
Peer Subject ......  (DN clipped)
Peer SHA Thumbprint 0000000000000000000000000000000000000000
Peer Issuing Certificate Authority
Root Certificate Authority
My Subject  (clipped)
My SHA Thumbprint e502551f76e443284d5ea3b5b89184f83fcb861f
Peer IP Address: 192.168.0.5

 4-29: 18:53:11:129:7bc Me

 4-29: 18:53:11:129:7bc Peer failed to send valid machine certificate

 4-29: 18:53:11:129:7bc 0x0 0x0
 4-29: 18:53:11:129:7bc ProcessFailure: sa:000CEAA0 centry:00000000 status:3617
 4-29: 18:53:11:129:7bc Not creating notify.

#---- end ---- #

So, the windows:

"Peer SHA Thumbprint 0000000000000000000000000000000000000000"

And the swan:

"and I did not get a certificate request, so do not send cert."

Some googling for: CERT_SENDIFASKED

Yields the CVS commits for openswan:

* programs/pluto/connections.c (1.220): only set cert 
policy to "ifasked" if it isn't already set.  
show cert policy in --status output.

Michael Richardson mcr at brock.xelerance.com
Sun Mar 21 05:23:37 CET 2004

RCS file: /xelerance/master/openswan-2/programs/pluto/ipsec_doi.c,v
retrieving revision 1.230.2.2
retrieving revision 1.230.2.3
diff -u -d -r1.230.2.2 -r1.230.2.3

2004-04-25 23:12  mcr

  * programs/pluto/connections.c (1.220):  only set cert
  policy to "ifasked" if it isn't already set.
  show cert policy in --status output.


Sure enough.  I reverted back to 2.1.2rc3 and all works like a champ.

There is more recent work committed to CVS which I haven't checked, but
I wanted to report this anyway.

Matt
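As an added triage example (not part of the original post and not Openswan's own code): a small log analyzer that reads the pluto and oakley.log lines quoted above and flags the pattern reported here, an ISAKMP SA that is established but never followed by a Quick Mode transition, together with the debug line showing that pluto withheld its certificate because no CERTREQ arrived. The sample lines are copied from the report; the "healthy" continuation with Quick Mode states and the Windows-side checks are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: pluto log lines quoted in the report, plus the debug
# lines from debug=all, all for a single peer.
STALLED_PLUTO_LOG = """\
pluto[18177]: packet from 192.168.0.100:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
pluto[18177]: "rw-net"[1] 192.168.0.100 #1: responding to Main Mode from unknown peer 192.168.0.100
pluto[18177]: "rw-net"[1] 192.168.0.100 #1: transition from state (null) to state STATE_MAIN_R1
pluto[18177]: "rw-net"[1] 192.168.0.100 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[18177]: "rw-net"[1] 192.168.0.100 #1: Peer ID is ID_DER_ASN1_DN: '.....'
pluto[18177]: "rw-net"[2] 192.168.0.100 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[18177]: "rw-net"[2] 192.168.0.100 #1: sent MR3, ISAKMP SA established
thinking about whether to send my certificate:
I have RSA key: OAKLEY_RSA_SIG cert.type: CERT_X509_SIGNATURE sendcert: CERT_SENDIFASKED
and I did not get a certificate request, so do not send cert.
"""

# Constructed "healthy" continuation: the same phase 1, then Quick Mode.
HEALTHY_PLUTO_LOG = STALLED_PLUTO_LOG.split("thinking about")[0] + """\
pluto[18177]: "rw-net"[2] 192.168.0.100 #2: responding to Quick Mode
pluto[18177]: "rw-net"[2] 192.168.0.100 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
"""

# Constructed sample: the relevant lines from the Windows oakley.log excerpt.
OAKLEY_LOG = """\
Peer SHA Thumbprint 0000000000000000000000000000000000000000
 4-29: 18:53:11:129:7bc Peer failed to send valid machine certificate
"""

TRANSITION = re.compile(
    r'(?P<peer>\d+\.\d+\.\d+\.\d+) #(?P<sa>\d+): transition from state (?P<old>\S+) to state (?P<new>\S+)')
ESTABLISHED = re.compile(
    r'(?P<peer>\d+\.\d+\.\d+\.\d+) #(?P<sa>\d+): sent MR3, ISAKMP SA established')
NO_CERT_REQUEST = 'did not get a certificate request, so do not send cert'
ZERO_THUMBPRINT = re.compile(r'Peer SHA Thumbprint\s+0{40}\b')
WIN_CERT_REJECTED = 'Peer failed to send valid machine certificate'


@dataclass
class PeerState:
    isakmp_established: bool = False
    quick_mode_seen: bool = False


def analyze_pluto(lines):
    """Return [(peer, reason)] for peers whose phase 1 finished but phase 2 never started."""
    peers = {}
    cert_withheld = False  # the debug line carries no peer prefix, so track it globally
    for line in lines:
        if NO_CERT_REQUEST in line:
            cert_withheld = True
            continue
        m = ESTABLISHED.search(line)
        if m:
            peers.setdefault(m['peer'], PeerState()).isakmp_established = True
            continue
        m = TRANSITION.search(line)
        if m and m['new'].startswith('STATE_QUICK_'):
            peers.setdefault(m['peer'], PeerState()).quick_mode_seen = True

    findings = []
    for peer, st in peers.items():
        if st.isakmp_established and not st.quick_mode_seen:
            reason = 'ISAKMP SA established but no Quick Mode transition followed'
            if cert_withheld:
                reason += '; pluto withheld its certificate because no CERTREQ arrived (sendcert=CERT_SENDIFASKED)'
            findings.append((peer, reason))
    return findings


def analyze_oakley(lines):
    """Return tags for the Windows-side symptoms of a missing peer certificate."""
    tags = []
    for line in lines:
        if ZERO_THUMBPRINT.search(line):
            tags.append('zero-peer-thumbprint')   # Windows never received a peer cert
        if WIN_CERT_REJECTED in line:
            tags.append('peer-cert-rejected')     # Windows aborted before phase 2
    return tags


if __name__ == '__main__':
    for peer, reason in analyze_pluto(STALLED_PLUTO_LOG.splitlines()):
        print(f'{peer}: {reason}')
    print('healthy log findings:', analyze_pluto(HEALTHY_PLUTO_LOG.splitlines()))
    print('oakley.log tags:', analyze_oakley(OAKLEY_LOG.splitlines()))
```

Correlating the two sides is the useful part: a zero thumbprint plus "Peer failed to send valid machine certificate" on the Windows side, with pluto's "did not get a certificate request" on the other, points at certificate-sending policy rather than at the SA parameters or the credentials themselves.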


