[Openswan Users] No suitable connection for peer message when using CA

Nicolas Bellido Y Ortega ml at acolin.be
Wed Dec 10 11:59:51 EST 2008


Hi Paul,

On Wednesday 10 December 2008 16:06:38 Paul Wouters wrote:
> On Wed, 10 Dec 2008, Nicolas Bellido Y Ortega wrote:
> > Both are running Openswan 2.6.19.
> >
> > conn left-right-vpn
> >         left=10.0.5.83
> >         leftcert=/etc/ipsec.d/certs/leftCert.pem
> >         right=%any
> >         rightca=/etc/ipsec.d/cacerts/rightCaCert.pem
> >         auto=add
> > ## Left config -- end
>
> You shouldn't need to specify the ca. Or just use rightca=%any
> You might also want to add leftsendcert=yes

Ok, I put rightca=%any, and added leftsendcert=always ('yes' gave an error).

> > Left and Right have their own certificate and private key in
> > /etc/ipsec.d/{certs,private}, while they both have the CA certificate of
> > each other, plus their own, in /etc/ipsec.d/cacerts.
>
> check with ipsec auto --listall that all is well?

Strangely, the L= RDN is not listed. See below.

> > not seem to change anything. Also, rightid=%fromcert causes pluto to
> > constantly respawn itself.
>
> That used to happen when the cert you tried to load would not be there.
> Can you verify that? openswan 2.6.20rc1 has a fix for that.

I copied Right's cert over to Left, but that didn't help either.
In fact, it *seems* that pluto respawns as soon as any command from the
ipsec utility is issued. For example, an 'ipsec secrets' gives in
/var/log/messages:

ipsec__plutorun: /usr/lib/ipsec/_plutorun: line 232: 11913 Aborted  /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey --uniqueids --nat_traversal
ipsec__plutorun: whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" failed (111 connection refused)
ipsec__plutorun: !pluto failure!:  exited with error status 134 (signal 6)

Signal 6 == SIGABRT.

> > pluto[6821]:   loaded CA cert file 'rightCaCert.pem' (1054 bytes)
> > pluto[6821]:   loaded CA cert file 'leftCaCert.pem' (1111 bytes)
>
> One cert is an old one?

Not sure I understand what you mean... Should all certs have the same
size?

> > pluto[7105]: "left-right-vpn"[2] 10.0.5.110 #2: Main mode peer ID is
> > ID_DER_ASN1_DN: 'C=BE, ST=BW, O=Right S.A., OU=Right, CN=Right'
> > pluto[7105]: "left-right-vpn"[2] 10.0.5.110 #2: no crl from issuer "C=BE,
> > ST=BW, L=BA, O=Right S.A., OU=Right Root CA" found (strict=no)
> > pluto[7105]: "left-right-vpn"[2] 10.0.5.110 #2: no suitable connection
> > for peer 'C=BE, ST=BW, O=Right S.A., OU=Right, CN=Right' pluto[7105]:
> > "left-right-vpn"[2] 10.0.5.110 #2: sending encrypted notification
> > INVALID_ID_INFORMATION to 10.0.5.110:500
>
> I am not sure if you anonymised this, but we cannot debug it if you do.

No I didn't. I can send the certs and keys, if you wish.
This is just a test setup.

> this part is very sensitive to certain characters being used.
> Do all certs (left,right and ca) have the L= RDN? I don't see it
> consistently.

Right's cert was indeed missing the L= RDN. Adding it didn't help,
though.

OpenSSL identifies Right's CA cert as:
  Issuer: C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA
  Subject: C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA
  X509v3 extensions:
      X509v3 Basic Constraints:
          CA:TRUE

Left's CA cert:
  Issuer: C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA
  Subject: C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA
  X509v3 extensions:
      X509v3 Basic Constraints:
          CA:TRUE

Right's cert:
  Issuer: C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA
  Subject: C=BE, ST=BW, O=Right S.A., OU=Right, CN=Right

Left's cert:
  Issuer: C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA
  Subject: C=BE, ST=BW, O=Left S.A., OU=Left, CN=Left

Notice that L= is not present in both Right and Left certs?
Is this something normal with openssl? Hum... Will have to look into
that.

Anyway, after an 'ipsec setup start && ipsec secrets' on Left,
'ipsec auto --listall' gives:

000
000 List of Public Keys:
000
000 Dec 10 17:47:35 2008, 1024 RSA Key AwEAAcFbX (has private key), until Dec 09 15:40:52 2009 ok
000        ID_IPV4_ADDR '10.0.5.83'
000        Issuer 'C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA'
000 Dec 10 17:47:35 2008, 1024 RSA Key AwEAAcFbX (has private key), until Dec 09 15:40:52 2009 ok
000        ID_DER_ASN1_DN 'C=BE, ST=BW, O=Left S.A., OU=Left, CN=Left'
000        Issuer 'C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA'
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000     1: RSA (none) (none)
000
000 List of X.509 End Certificates:
000
000 Dec 10 17:47:35 2008, count: 1
000        subject: 'C=BE, ST=BW, O=Left S.A., OU=Left, CN=Left'
000        issuer:  'C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA'
000        serial:   01
000        pubkey:   1024 RSA Key AwEAAcFbX, has private key
000        validity: not before Dec 09 15:40:52 2008 ok
000                  not after  Dec 09 15:40:52 2009 ok
000        subjkey:  3f:cc:02:fb:17:82:0a:93:ec:f7:4a:5e:c1:5f:58:91:47:40:14:76
000        authkey:  8d:2d:63:e5:de:79:b0:93:0c:fc:6c:ad:9a:a1:c0:9e:2c:da:89:f2
000
000 List of X.509 CA Certificates:
000
000 Dec 10 17:47:35 2008, count: 1
000        subject: 'C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA'
000        issuer:  'C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA'
000        serial:   00:c7:14:4f:38:5d:b6:65:4f
000        pubkey:   1024 RSA Key AwEAAcRTu
000        validity: not before Dec 09 15:37:55 2008 ok
000                  not after  Dec 07 15:37:55 2018 ok
000        subjkey:  8d:2d:63:e5:de:79:b0:93:0c:fc:6c:ad:9a:a1:c0:9e:2c:da:89:f2
000        authkey:  8d:2d:63:e5:de:79:b0:93:0c:fc:6c:ad:9a:a1:c0:9e:2c:da:89:f2
000        aserial:  00:c7:14:4f:38:5d:b6:65:4f
000 Dec 10 17:47:35 2008, count: 1
000        subject: 'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA'
000        issuer:  'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA'
000        serial:   00:ed:c9:b7:db:88:c2:44:30
000        pubkey:   1024 RSA Key AwEAAcjDx
000        validity: not before Dec 09 15:54:04 2008 ok
000                  not after  Dec 07 15:54:04 2018 ok
000        subjkey:  79:8e:34:55:40:fa:79:45:c2:1b:37:23:4d:25:ac:bf:d8:5f:1f:89
000        authkey:  79:8e:34:55:40:fa:79:45:c2:1b:37:23:4d:25:ac:bf:d8:5f:1f:89
000        aserial:  00:ed:c9:b7:db:88:c2:44:30


On Right:

000
000 List of Public Keys:
000
000 Dec 10 17:48:46 2008, 1024 RSA Key AwEAAe7I3 (no private key), until Dec 10 17:12:39 2009 ok
000        ID_DER_ASN1_DN 'C=BE, ST=BW, O=Right S.A., OU=Right, CN=Right'
000        Issuer 'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA'
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000
000 List of X.509 End Certificates:
000
000 Dec 10 17:48:46 2008, count: 1
000        subject: 'C=BE, ST=BW, O=Right S.A., OU=Right, CN=Right'
000        issuer:  'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA'
000        serial:   02
000        pubkey:   1024 RSA Key AwEAAe7I3
000        validity: not before Dec 10 17:12:39 2008 ok
000                  not after  Dec 10 17:12:39 2009 ok
000        subjkey:  c9:e7:3b:8a:8c:b5:c4:49:05:1b:39:1b:5c:f7:5c:f5:39:75:f3:90
000        authkey:  79:8e:34:55:40:fa:79:45:c2:1b:37:23:4d:25:ac:bf:d8:5f:1f:89
000
000 List of X.509 CA Certificates:
000
000 Dec 10 17:48:46 2008, count: 1
000        subject: 'C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA'
000        issuer:  'C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA'
000        serial:   00:c7:14:4f:38:5d:b6:65:4f
000        pubkey:   1024 RSA Key AwEAAcRTu
000        validity: not before Dec 09 15:37:55 2008 ok
000                  not after  Dec 07 15:37:55 2018 ok
000        subjkey:  8d:2d:63:e5:de:79:b0:93:0c:fc:6c:ad:9a:a1:c0:9e:2c:da:89:f2
000        authkey:  8d:2d:63:e5:de:79:b0:93:0c:fc:6c:ad:9a:a1:c0:9e:2c:da:89:f2
000        aserial:  00:c7:14:4f:38:5d:b6:65:4f
000 Dec 10 17:48:46 2008, count: 1
000        subject: 'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA'
000        issuer:  'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA'
000        serial:   00:ed:c9:b7:db:88:c2:44:30
000        pubkey:   1024 RSA Key AwEAAcjDx
000        validity: not before Dec 09 15:54:04 2008 ok
000                  not after  Dec 07 15:54:04 2018 ok
000        subjkey:  79:8e:34:55:40:fa:79:45:c2:1b:37:23:4d:25:ac:bf:d8:5f:1f:89
000        authkey:  79:8e:34:55:40:fa:79:45:c2:1b:37:23:4d:25:ac:bf:d8:5f:1f:89
000        aserial:  00:ed:c9:b7:db:88:c2:44:30


So they both seem to load their own cert and the CA certs, don't they?

Starting the connection from Right gives in Left's logs:

responding to Main Mode from unknown peer 10.0.5.110
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
STATE_MAIN_R1: sent MR1, expecting MI2
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
STATE_MAIN_R2: sent MR2, expecting MI3
Main mode peer ID is ID_DER_ASN1_DN: 'C=BE, ST=BW, O=Right S.A., OU=Right, CN=Right'
no crl from issuer "C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA" found (strict=no)
no suitable connection for peer 'C=BE, ST=BW, O=Right S.A., OU=Right, CN=Right'
sending encrypted notification INVALID_ID_INFORMATION to 10.0.5.110:500
max number of retransmissions (2) reached STATE_MAIN_R2

Thanks for your help,

Nicolas.
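As an added example that is not part of the thread and not Openswan's own code: a small parser for the `ipsec auto --listall` output posted above, followed by the two checks a chain build depends on, namely that each end certificate's issuer DN is byte-for-byte equal to the subject DN of a loaded CA and that its authority key id equals that CA's subject key id. It also reports, informationally, which RDNs the issuer carries that the subject lacks, which is exactly the L= discrepancy noticed in the thread. The exact string comparison and the field layout are assumptions about the posted output; Openswan's own DN matching is not reproduced here.

```python
"""Sanity-check the certificate chain pluto reports in `ipsec auto --listall`."""
import re

# Excerpt of the `ipsec auto --listall` output posted for Left (End and CA
# certificate lists only; the public-key and PSK lists are not needed here).
LISTALL_LEFT = """\
000 List of X.509 End Certificates:
000
000 Dec 10 17:47:35 2008, count: 1
000        subject: 'C=BE, ST=BW, O=Left S.A., OU=Left, CN=Left'
000        issuer:  'C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA'
000        serial:   01
000        pubkey:   1024 RSA Key AwEAAcFbX, has private key
000        validity: not before Dec 09 15:40:52 2008 ok
000                  not after  Dec 09 15:40:52 2009 ok
000        subjkey:  3f:cc:02:fb:17:82:0a:93:ec:f7:4a:5e:c1:5f:58:91:47:40:14:76
000        authkey:  8d:2d:63:e5:de:79:b0:93:0c:fc:6c:ad:9a:a1:c0:9e:2c:da:89:f2
000
000 List of X.509 CA Certificates:
000
000 Dec 10 17:47:35 2008, count: 1
000        subject: 'C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA'
000        issuer:  'C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA'
000        serial:   00:c7:14:4f:38:5d:b6:65:4f
000        pubkey:   1024 RSA Key AwEAAcRTu
000        subjkey:  8d:2d:63:e5:de:79:b0:93:0c:fc:6c:ad:9a:a1:c0:9e:2c:da:89:f2
000        authkey:  8d:2d:63:e5:de:79:b0:93:0c:fc:6c:ad:9a:a1:c0:9e:2c:da:89:f2
000 Dec 10 17:47:35 2008, count: 1
000        subject: 'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA'
000        issuer:  'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA'
000        serial:   00:ed:c9:b7:db:88:c2:44:30
000        pubkey:   1024 RSA Key AwEAAcjDx
000        subjkey:  79:8e:34:55:40:fa:79:45:c2:1b:37:23:4d:25:ac:bf:d8:5f:1f:89
000        authkey:  79:8e:34:55:40:fa:79:45:c2:1b:37:23:4d:25:ac:bf:d8:5f:1f:89
"""

SECTION_END = "List of X.509 End Certificates"
SECTION_CA = "List of X.509 CA Certificates"
# Entry header, e.g. "000 Dec 10 17:47:35 2008, count: 1" (layout assumed from the post)
ENTRY_RE = re.compile(r"^000 \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}, count:")
# Field line, e.g. "000        subject: 'C=BE, ...'" or "000        subjkey:  3f:cc:..."
FIELD_RE = re.compile(r"^000\s+(subject|issuer|serial|subjkey|authkey):\s+'?(.*?)'?\s*$")


def parse_listall(text):
    """Return {'end': [...], 'ca': [...]} with one dict of fields per certificate."""
    certs = {"end": [], "ca": []}
    section = None
    cur = None
    for line in text.splitlines():
        if SECTION_END in line:
            section, cur = "end", None
        elif SECTION_CA in line:
            section, cur = "ca", None
        elif section and ENTRY_RE.match(line):
            cur = {}
            certs[section].append(cur)
        elif cur is not None:
            m = FIELD_RE.match(line)
            if m:
                cur[m.group(1)] = m.group(2)
    return certs


def parse_dn(dn):
    """Split 'C=BE, ST=BW, O=Left S.A.' into {'C': 'BE', 'ST': 'BW', 'O': 'Left S.A.'}.
    Naive split on ', ': adequate for the DNs in this thread, which contain no
    escaped commas."""
    return dict(part.split("=", 1) for part in dn.split(", "))


def check_chain(certs):
    """Return human-readable findings for each end certificate.

    Hard checks: the issuer DN must equal a loaded CA subject DN exactly, and
    the authority key id must equal that CA's subject key id. Informational:
    RDNs present in the issuer but absent from the subject are legal, but
    worth knowing when a peer ID is matched by DN.
    """
    cas_by_subject = {ca["subject"]: ca for ca in certs["ca"]}
    findings = []
    for ee in certs["end"]:
        name = ee["subject"]
        ca = cas_by_subject.get(ee["issuer"])
        if ca is None:
            findings.append(f"{name}: issuer DN not among loaded CA subjects: {ee['issuer']}")
            continue
        if ee.get("authkey") != ca.get("subjkey"):
            findings.append(f"{name}: authkey does not match subjkey of CA {ca['subject']}")
        missing = set(parse_dn(ee["issuer"])) - set(parse_dn(name))
        if missing:
            findings.append(f"{name}: RDNs present in issuer but absent from subject: {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for finding in check_chain(parse_listall(LISTALL_LEFT)) or ["chain looks consistent"]:
        print(finding)
```

Run against the posted Left output, the chain itself checks out (issuer DN and key ids line up with "Left Root CA"), and the only finding is the missing L= in the end-cert subject. Feeding it the output of a host whose cacerts directory holds a CA with the right DN but a different key produces an authkey mismatch instead, which is the case a DN-only comparison would miss.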