Hi,

I have 2 Openswan devices that I'm attempting to establish a tunnel between. I have assigned certificates to both of them and have followed a combination of instructions from the Openswan book and from those found online. Right now I'm at the point where it appears from the logs that they're attempting to auth by PSK and failing.

Here's one end of the connection:

conn peer-test-tunnel-1
  left=192.168.150.209
  leftcert=/etc/ipsec.d/certs/vyatta-1cert.pem
  right=%any
  rightrsasigkey=%cert
  rightid="C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-2, emailAddress=test@test.com"
  rightca=%same
  rekey=no
  leftsubnet=10.100.120.0/24
  rightsubnet=10.224.0.1/32
  ike=3des-md5-modp1536
  ikelifetime=28800s
  aggrmode=yes
  dpddelay=30s
  dpdtimeout=60s
  dpdaction=clear
  esp=3des-md5
  keylife=1200s
  rekeymargin=540s
  type=tunnel
  authby=rsasig
  pfs=yes
  compress=no
  auto=add

Secrets file:

: RSA /etc/ipsec.d/private/vyatta-1key.key "test"

Here's the other end:

conn peer-192.168.150.209-tunnel-1
  left=%defaultroute
  leftcert=/etc/ipsec.d/certs/vyatta-2cert.pem
  right=88.2.150.209
  rightrsasigkey=%cert
  rightid="C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-1, emailAddress=test@test.com"
  rightca=%same
  leftsubnet=10.224.0.1/32
  rightsubnet=10.100.120.0/24
  ike=3des-md5-modp1536
  ikelifetime=28800s
  aggrmode=yes
  esp=3des-md5
  keylife=3600s
  rekeymargin=540s
  type=tunnel
  pfs=yes
  authby=rsasig
  compress=no
  auto=start

Secrets file:

: RSA /etc/ipsec.d/private/vyatta-2key.key "Test"

This connection, with mostly all the same settings, works when using a PSK.

Here's the message I'm seeing on the server side:

Apr 29 20:12:37 vyattatar pluto[10906]: "peer-test-tunnel-1"[2] 192.168.103.8 #2: Aggressive mode peer ID is ID_DER_ASN1_DN: 'C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-2, E=test@test.com'
Apr 29 20:12:37 vyattatar pluto[10906]: | refine_connection: starting with peer-test-tunnel-1
Apr 29 20:12:37 vyattatar pluto[10906]: | trusted_ca called with a=(empty) b=C=ES, ST=Tarifa, O=Test, CN=vyatta, E=test@test.com
Apr 29 20:12:37 vyattatar pluto[10906]: | started looking for secret for C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-1, E=test@test.com->C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-2, E=test@test.com of kind PPK_PSK
Apr 29 20:12:37 vyattatar pluto[10906]: | actually looking for secret for C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-1, E=test@test.com->C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-2, E=test@test.com of kind PPK_PSK
Apr 29 20:12:37 vyattatar pluto[10906]: | concluding with best_match=0 best=(nil) (lineno=-1)
Apr 29 20:12:37 vyattatar pluto[10906]: "peer-test-tunnel-1"[2] 192.168.103.8 #2: no suitable connection for peer 'C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-2, E=test@test.com'
Apr 29 20:12:37 vyattatar pluto[10906]: "peer-test-tunnel-1"[2] 192.168.103.8 #2: initial Aggressive Mode packet claiming to be from C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-2, E=test@test.com on 192.168.103.8 but no connection has been authorized
Apr 29 20:12:37 vyattatar pluto[10906]: | complete state transition with (null)
Apr 29 20:12:37 vyattatar pluto[10906]: "peer-test-tunnel-1"[2] 192.168.103.8 #2: sending notification INVALID_ID_INFORMATION to 192.168.103.8:500

Any idea what could be causing this? I'm sure I have something configured incorrectly. I'm just trying to verify that this connection will work with x509 certs and then need to run this test with another vendor's equipment.

Thanks!

Robyn
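When a cert-authenticated Openswan tunnel is rejected with "no suitable connection for peer", the first thing to rule out is a disagreement between the two ipsec.conf ends: proposals, mode, authby, mirrored subnets, and above all that each side's rightid is exactly the subject DN the peer presents (the log above shows the peer presenting its cert DN as ID_DER_ASN1_DN). The script below is an added example, not part of the post and not an Openswan tool: it parses the ipsec.conf conn format used above, normalizes DNs so OpenSSL's emailAddress= and Openswan's E= compare equal, and lists every mismatch. The two conn blocks are trimmed copies of the ones posted; the certificate subject DNs are constructed from the DNs visible in the log, since the certificates themselves are not on the page (on a real box, take them from `openssl x509 -in <cert> -noout -subject`).

```python
"""Cross-check both ends of an Openswan X.509 tunnel for config mismatches.

Added example, not Openswan code.  Certificate subjects are constructed
from the DNs in the posted log; everything else is the posted config.
"""
import re

# RDN attribute spellings that mean the same thing in OpenSSL and Openswan.
ATTR_ALIASES = {"emailaddress": "E", "e": "E"}

# Options both ends must set identically for the proposals to match.
MUST_MATCH = ("ike", "esp", "aggrmode", "authby", "pfs", "type")


def parse_conns(text):
    """Return {conn_name: {option: value}} from ipsec.conf text (quotes stripped)."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
            continue
        if cur is not None and "=" in line:
            key, _, val = line.partition("=")
            cur[key.strip().lower()] = val.strip().strip('"')
    return conns


def normalize_dn(dn):
    """Canonical 'ATTR=value, ATTR=value' form; assumes no commas inside values."""
    parts = []
    for rdn in re.split(r",\s*", dn.strip()):
        attr, _, val = rdn.partition("=")
        attr = attr.strip()
        parts.append(f"{ATTR_ALIASES.get(attr.lower(), attr.upper())}={val.strip()}")
    return ", ".join(parts)


def check_pair(a, b, a_cert_dn, b_cert_dn):
    """List mismatches between conn a (cert subject a_cert_dn) and conn b (b_cert_dn)."""
    problems = []
    for key in MUST_MATCH:
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: {a.get(key)!r} vs {b.get(key)!r}")
    # A's local subnet must be B's remote subnet and vice versa.
    for ka, kb in (("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet")):
        if a.get(ka) != b.get(kb):
            problems.append(f"A {ka}={a.get(ka)} but B {kb}={b.get(kb)}")
    # rsasig needs a local cert, and rightid must equal the DN the peer presents.
    for side, conn, peer_dn in (("A", a, b_cert_dn), ("B", b, a_cert_dn)):
        if conn.get("authby") == "rsasig" and not conn.get("leftcert"):
            problems.append(f"{side}: authby=rsasig but no leftcert")
        rid = conn.get("rightid")
        if rid and normalize_dn(rid) != normalize_dn(peer_dn):
            problems.append(f"{side}: rightid {normalize_dn(rid)!r} "
                            f"!= peer cert subject {normalize_dn(peer_dn)!r}")
    return problems


# Trimmed from the posted configs (DPD, lifetimes and auto= do not affect matching).
A_CONF = """
conn peer-test-tunnel-1
  left=192.168.150.209
  leftcert=/etc/ipsec.d/certs/vyatta-1cert.pem
  right=%any
  rightid="C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-2, emailAddress=test@test.com"
  leftsubnet=10.100.120.0/24
  rightsubnet=10.224.0.1/32
  ike=3des-md5-modp1536
  aggrmode=yes
  esp=3des-md5
  type=tunnel
  authby=rsasig
  pfs=yes
"""
B_CONF = """
conn peer-192.168.150.209-tunnel-1
  left=%defaultroute
  leftcert=/etc/ipsec.d/certs/vyatta-2cert.pem
  right=88.2.150.209
  rightid="C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-1, emailAddress=test@test.com"
  leftsubnet=10.224.0.1/32
  rightsubnet=10.100.120.0/24
  ike=3des-md5-modp1536
  aggrmode=yes
  esp=3des-md5
  type=tunnel
  pfs=yes
  authby=rsasig
"""
# Constructed: subject DNs as the posted log prints them (not read from real certs).
A_CERT_DN = "C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-1, E=test@test.com"
B_CERT_DN = "C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-2, E=test@test.com"


def run_page_case():
    """The two ends as posted: every check passes, so the list is empty."""
    a = parse_conns(A_CONF)["peer-test-tunnel-1"]
    b = parse_conns(B_CONF)["peer-192.168.150.209-tunnel-1"]
    return check_pair(a, b, A_CERT_DN, B_CERT_DN)


def run_mismatch_case():
    """Same pair, but vyatta-2's cert was issued with CN=vyatta2: rightid check fires."""
    a = parse_conns(A_CONF)["peer-test-tunnel-1"]
    b = parse_conns(B_CONF)["peer-192.168.150.209-tunnel-1"]
    return check_pair(a, b, A_CERT_DN, B_CERT_DN.replace("CN=vyatta-2", "CN=vyatta2"))


if __name__ == "__main__":
    for label, probs in (("as posted", run_page_case()), ("CN mismatch", run_mismatch_case())):
        print(f"{label}: {probs or 'no mismatches found'}")
```

Run it with the two conn blocks and the real certificate subjects pasted in; an empty list means the static configuration agrees, and whatever remains is a runtime issue to take to `plutodebug` output rather than to ipsec.conf.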