<div>dear openswan users and developers:</div>
<div> </div>
<div>i am want make a vpn tunnel using openswan, but when i up the connnect, the SA cann't establish, i using x.509 certification.</div>
<div>what's wrong with my config, can anybody tell me?</div>
<div>thanks for your help.</div>
<div>any articles or infomation to this problem are welcome.</div>
<div>the certs are all generated by others, and i have googled x.509, but there seems not very much useful info.</div>
<div>the version of openswan:Openswan 2.3.1 X.509-1.5.4</div>
<div>
<div> </div>
<div>the network:</div>
<div>====================================</div>
<div><a href="http://192.168.0.1/24"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "192.168.0.1" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 192.168.0.1/24</a> <a href="http://202.106.1.1"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "202.106.1.1" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 202.106.1.1</a> <a href="http://202.106.1.33"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "202.106.1.33" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 202.106.1.33</a> <a href="http://192.168.1.0/24"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "192.168.1.0" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious:
192.168.1.0/24</a></div>
<div> net1============gw1-----------------------------gw2============net2</div>
<div> </div>
<div>execute on the gw2:</div>
<div>$ipsec auto --up foo</div>
<div>104 "foo" #33: STATE_MAIN_I1: initiate<br>003 "foo" #33: received Vendor ID payload [Openswan (this version) 2.3.1 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]<br>003 "foo" #33: received Vendor ID payload [Dead Peer Detection]
<br>106 "foo" #33: STATE_MAIN_I2: sent MI2, expecting MR2<br>108 "foo" #33: STATE_MAIN_I3: sent MI3, expecting MR3<br>003 "foo" #33: discarding duplicate packet; already STATE_MAIN_I3<br>010 "foo" #33: STATE_MAIN_I3: retransmission; will wait 20s for response
<br>003 "foo" #33: discarding duplicate packet; already STATE_MAIN_I3<br>010 "foo" #33: STATE_MAIN_I3: retransmission; will wait 40s for response<br> </div></div>
<div>all debug log file on gw1:</div>
<div>===================================</div>
<div>Jul 26 14:18:45 (none) pluto[1022]: | certificate signature (C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, <a href="mailto:E=cigant@yahoo.com.cn">E=cigant@yahoo.com.cn</a> -> C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction,
<a href="mailto:E=cigant@yahoo.com.cn">E=cigant@yahoo.com.cn</a>) is valid<br>Jul 26 14:18:45 (none) pluto[1022]: | reached self-signed root ca<br>Jul 26 14:18:45 (none) pluto[1022]: | Public key validated<br>Jul 26 14:18:45 (none) pluto[1022]: | unreference key: 0x8104f78 C=cn, ST=china, L=hangzhou, O=junction, OU=server, CN=server,
<a href="mailto:E=cigant@yahoo.com.cn">E=cigant@yahoo.com.cn</a> cnt 1--<br>Jul 26 14:18:45 (none) pluto[1022]: | CR<br>Jul 26 14:18:45 (none) pluto[1022]: | requested CA: '%any'<br>Jul 26 14:18:45 (none) pluto[1022]: | refine_connection: starting with road-conn
<br>Jul 26 14:18:45 (none) pluto[1022]: | match_id a=C=cn, ST=china, L=hangzhou, O=junction, OU=server, CN=server, <a href="mailto:E=cigant@yahoo.com.cn">E=cigant@yahoo.com.cn</a><br>Jul 26 14:18:45 (none) pluto[1022]: | b=
<a href="http://202.106.1.33"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "202.106.1.33" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 202.106.1.33</a><br>Jul 26 14:18:45 (none) pluto[1022]: | results fail<br>Jul 26 14:18:45 (none) pluto[1022]: | trusted_ca called with a=C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction,
<a href="mailto:E=cigant@yahoo.com.cn">E=cigant@yahoo.com.cn</a> b=(empty)<br>Jul 26 14:18:45 (none) pluto[1022]: | refine_connection: checking road-conn against road-conn, best=(none) with match=0(id=0/ca=1/reqca=1)<br>Jul 26 14:18:45 (none) pluto[1022]: | find_host_pair: comparing to
<a href="http://202.106.1.1:500"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "202.106.1.1:500" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 202.106.1.1:500</a> <a href="http://202.106.1.33:500"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "202.106.1.33:500" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 202.106.1.33:500</a><br>Jul 26 14:18:45 (none) pluto[1022]: | find_host_pair: comparing to <a href="http://202.106.1.1:500"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "202.106.1.1:500" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 202.106.1.1:500
</a> <a href="http://0.0.0.0:500"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "0.0.0.0:500" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 0.0.0.0:500</a><br>Jul 26 14:18:45 (none) pluto[1022]: | find_host_pair_conn (refine_host_connection): <a href="http://202.106.1.1:500"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "202.106.1.1:500" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 202.106.1.1:500</a> %any:500 -> hp:road-conn<br>
Jul 26 14:18:45 (none) pluto[1022]: | match_id a=C=cn, ST=china, L=hangzhou, O=junction, OU=server, CN=server, <a href="mailto:E=cigant@yahoo.com.cn">E=cigant@yahoo.com.cn</a><br>Jul 26 14:18:45 (none) pluto[1022]: | b=(none)
<br>Jul 26 14:18:45 (none) pluto[1022]: | results matched<br>Jul 26 14:18:45 (none) pluto[1022]: | trusted_ca called with a=C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, <a href="mailto:E=cigant@yahoo.com.cn">
E=cigant@yahoo.com.cn</a> b=(empty)<br>Jul 26 14:18:45 (none) pluto[1022]: | refine_connection: checking road-conn against road-conn, best=(none) with match=1(id=1/ca=1/reqca=1)<br>Jul 26 14:18:45 (none) pluto[1022]: | refine_connection: checked road-conn against road-conn, now for see if best
<br>Jul 26 14:18:45 (none) pluto[1022]: | started looking for secret for C=cn, ST=china, L=shanghai, O=junction, OU=soft2, CN=joshua, <a href="mailto:E=joshua@socix.com->(none">E=joshua@socix.com->(none</a>) of kind PPK_RSA
<br>Jul 26 14:18:45 (none) pluto[1022]: "road-conn"[22] <a href="http://202.106.1.33"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "202.106.1.33" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 202.106.1.33</a> #25: no suitable connection for peer 'C=cn, ST=china, L=hangzhou, O=junction,<br> OU=server, CN=server, <a href="mailto:E=cigant@yahoo.com.cn'">
E=cigant@yahoo.com.cn'</a><br>Jul 26 14:18:45 (none) pluto[1022]: | complete state transition with (null)<br>Jul 26 14:18:45 (none) pluto[1022]: "road-conn"[22] <a href="http://202.106.1.33"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "202.106.1.33" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 202.106.1.33</a> #25: sending encrypted notification INVALID_ID_INFORMATION to
<a href="http://202.106.1.33:50"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "202.106.1.33:50" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 202.106.1.33:50</a><br>0<br> </div>
<div> </div>
<div> </div>
<div>ipsec.conf on the gw1:</div>
<div>====================================</div>
<div>[root@(none) cacerts]# cat /etc/ipsec.conf <br>version 2.0<br>config setup<br> klipsdebug=none<br> plutodebug=all<br>conn %default<br> compress=yes<br> authby=rsasig<br> leftrsasigkey=%cert
<br> rightrsasigkey=%cert<br> left=<a href="http://202.106.1.1"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "202.106.1.1" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 202.106.1.1</a><br> leftcert=server.crt<br> leftnexthop=%defaultroute<br> auto=add<br> pfs=yes<br>conn block<br> auto=ignore
<br>conn clear<br> auto=ignore<br>conn private<br> auto=ignore<br>conn clear-or-private<br> auto=ignore<br>conn private-or-clear<br> auto=ignore<br>conn packetdefault<br> auto=ignore<br>
conn road-conn<br> right=%any<br> leftsubnet=<a href="http://192.168.0.0/24"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "192.168.0.0" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 192.168.0.0/24</a></div>
<div> </div>
<div>certs on the gw1:</div>
<div>====================================</div>
<div>[root@(none) cacerts]# ipsec auto --listall<br>000 <br>000 List of Public Keys:<br>000 <br>000 Jul 26 13:58:02 2005, 1024 RSA Key AwEAAaaei, until May 12 14:26:24 2006 ok<br>000 ID_DER_ASN1_DN 'C=cn, ST=china, L=hangzhou, O=junction, OU=server, CN=server,
<a href="mailto:E=cigant@yahoo.com.cn'">E=cigant@yahoo.com.cn'</a><br>000 Issuer 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, <a href="mailto:E=cigant@yahoo.com.cn'">E=cigant@yahoo.com.cn'</a><br>
000 Jul 26 13:49:52 2005, 1024 RSA Key AwEAAdNa1, until May 12 14:34:37 2006 ok<br>000 ID_DER_ASN1_DN 'C=cn, ST=china, L=shanghai, O=junction, OU=soft2, CN=joshua, <a href="mailto:E=joshua@socix.com'">E=joshua@socix.com'
</a><br>000 Issuer 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, <a href="mailto:E=cigant@yahoo.com.cn'">E=cigant@yahoo.com.cn'</a><br>000 <br>000 List of X.509 End Certificates:<br>000 <br>000 Jul 26 13:49:52 2005, count: 2
<br>000 subject: 'C=cn, ST=china, L=shanghai, O=junction, OU=soft2, CN=joshua, <a href="mailto:E=joshua@socix.com'">E=joshua@socix.com'</a><br>000 issuer: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction,
<a href="mailto:E=cigant@yahoo.com.cn'">E=cigant@yahoo.com.cn'</a><br>000 serial: 02<br>000 pubkey: 1024 RSA Key AwEAAdNa1<br>000 validity: not before May 12 14:34:37 2005 ok<br>000 not after May 12 14:34:37 2006 ok
<br>000 subjkey: db:a1:0a:d2:99:3d:28:ae:46:5c:a0:a1:66:51:94:52:c7:59:a7:28<br>000 authkey: c3:b5:b7:c0:2b:6e:15:cc:9e:15:8c:6f:5f:bf:70:6d:e0:ad:6b:bd<br>000 aserial: 00<br>000 <br>000 List of X.509
CA Certificates:<br>000 <br>000 Jul 26 13:49:52 2005, count: 1<br>000 subject: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, <a href="mailto:E=cigant@yahoo.com.cn'">E=cigant@yahoo.com.cn'</a><br>
000 issuer: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, <a href="mailto:E=cigant@yahoo.com.cn'">E=cigant@yahoo.com.cn'</a><br>000 serial: 00<br>000 pubkey: 1024 RSA Key AwEAAcrMM
<br>000 validity: not before May 12 14:26:24 2005 ok<br>000 not after May 12 14:26:24 2006 ok<br>000 subjkey: c3:b5:b7:c0:2b:6e:15:cc:9e:15:8c:6f:5f:bf:70:6d:e0:ad:6b:bd<br>000 authkey: c3:b5:b7:c0:2b:6e:15:cc:9e:15:8c:6f:5f:bf:70:6d:e0:ad:6b:bd
<br>000 aserial: 00</div>
<div> </div>
<div>ipsec.conf on the gw2:</div>
<div>===================================</div>
<div>
<p><a href="mailto:root@vpn:/etc/ipsec.d/cacerts">root@vpn:/etc/ipsec.d/cacerts</a># cat /etc/ipsec.conf<br>#/etc/ipsec.conf - FreeS/WAN IPsec configuration file</p>
<p>version 2.0</p>
<p>config setup<br> klipsdebug=all<br> plutodebug=all</p>
<p>conn %default<br> compress=yes<br> authby=rsasig<br> leftrsasigkey=%cert<br> rightrsasigkey=%cert<br> left=<a href="http://202.106.1.33"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "202.106.1.33" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 202.106.1.33</a><br> leftcert=server.crt
<br> leftnexthop=%defaultroute<br> auto=add<br> pfs=yes</p>
<p>conn clear<br> auto=ignore<br>conn private<br> auto=ignore<br>conn clear-or-private<br> auto=ignore<br>conn private-or-clear<br> auto=ignore<br>conn packetdefault<br> auto=ignore</p>
<p>conn foo<br> right=<a href="http://202.106.1.1"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "202.106.1.1" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 202.106.1.1</a><br> rightid="<a>/C=cn/ST=china/L=shanghai/O=junction/OU=soft2/CN=joshua/emailAddress=joshua@socix.com</a>"</p>
<p>conn net<br> leftsubnet=<a href="http://192.168.1.0/24"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "192.168.1.0" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 192.168.1.0/24</a><br> right=<a href="http://202.106.1.1"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "202.106.1.1" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 202.106.1.1</a><br> rightsubnet=<a href="http://192.168.0.0/24"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "192.168.0.0" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 192.168.0.0/24</a>
<br> rightid="<a>/C=cn/ST=china/L=shanghai/O=junction/OU=soft2/CN=joshua/emailAddress=joshua@socix.com</a>"<br></p></div>
<div>certs on the gw2:</div>
<div>===================================</div>
<div><a href="mailto:root@vpn:/etc/ipsec.d/cacerts">root@vpn:/etc/ipsec.d/cacerts</a># ipsec auto --listall<br>000 <br>000 List of Public Keys:<br>000 <br>000 Jul 26 13:40:42 2005, 1024 RSA Key AwEAAaaei, until May 12 14:43:12 2006 ok
<br>000 ID_DER_ASN1_DN 'C=cn, ST=china, L=hangzhou, O=junction, OU=server, CN=server, <a href="mailto:E=cigant@yahoo.com.cn'">E=cigant@yahoo.com.cn'</a><br>000 Issuer 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction,
<a href="mailto:E=cigant@yahoo.com.cn'">E=cigant@yahoo.com.cn'</a><br>000 <br>000 List of X.509 End Certificates:<br>000 <br>000 Jul 26 13:40:42 2005, count: 2<br>000 subject: 'C=cn, ST=china, L=hangzhou, O=junction, OU=server, CN=server,
<a href="mailto:E=cigant@yahoo.com.cn'">E=cigant@yahoo.com.cn'</a><br>000 issuer: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, <a href="mailto:E=cigant@yahoo.com.cn'">E=cigant@yahoo.com.cn'</a><br>
000 serial: 03<br>000 pubkey: 1024 RSA Key AwEAAaaei, has private key<br>000 validity: not before May 12 14:43:12 2005 ok<br>000 not after May 12 14:43:12 2006 ok<br>000 subjkey: eb:b1:a3:7f:2e:cb:69:da:0c:b0:5a:0f:a9:c9:a4:5f:b9:e8:ab:f8
<br>000 authkey: c3:b5:b7:c0:2b:6e:15:cc:9e:15:8c:6f:5f:bf:70:6d:e0:ad:6b:bd<br>000 aserial: 00<br>000 <br>000 List of X.509 CA Certificates:<br>000 <br>000 Jul 26 13:40:41 2005, count: 1<br>000 subject: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction,
<a href="mailto:E=cigant@yahoo.com.cn'">E=cigant@yahoo.com.cn'</a><br>000 issuer: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, <a href="mailto:E=cigant@yahoo.com.cn'">E=cigant@yahoo.com.cn'</a><br>
000 serial: 00<br>000 pubkey: 1024 RSA Key AwEAAcrMM<br>000 validity: not before May 12 14:26:24 2005 ok<br>000 not after May 12 14:26:24 2006 ok<br>000 subjkey: c3:b5:b7:c0:2b:6e:15:cc:9e:15:8c:6f:5f:bf:70:6d:e0:ad:6b:bd
<br>000 authkey: c3:b5:b7:c0:2b:6e:15:cc:9e:15:8c:6f:5f:bf:70:6d:e0:ad:6b:bd<br>000 aserial: 00<br>000 <br>000 List of X.509 CRLs:<br>000 <br>000 Jul 26 13:40:41 2005, revoked certs: 0<br>000 issuer: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction,
<a href="mailto:E=cigant@yahoo.com.cn'">E=cigant@yahoo.com.cn'</a><br>000 updates: this May 12 14:30:04 2005<br>000 next Jun 11 14:30:04 2005 warning (expired)</div>
<div><br> </div>