<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.6944.0">
<TITLE>RE: [Openswan Users] need help with ipsec tunnel to iphone</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<BR>
<BR>
<BR>
<P><FONT SIZE=2>-----Original Message-----<BR>
From: Richard Pagotto<BR>
Sent: Thu 5/26/2011 1:27 AM<BR>
To: Richard Pagotto; Paul Wouters; users@openswan.org<BR>
Subject: RE: [Openswan Users] need help with ipsec tunnel to iphone<BR>
<BR>
<BR>
<BR>
<BR>
-----Original Message-----<BR>
From: Richard Pagotto<BR>
Sent: Thu 5/26/2011 1:14 AM<BR>
To: Paul Wouters<BR>
Subject: RE: [Openswan Users] need help with ipsec tunnel to iphone<BR>
<BR>
<BR>
<BR>
<BR>
-----Original Message-----<BR>
From: Paul Wouters [<A HREF="mailto:paul@xelerance.com">mailto:paul@xelerance.com</A>]<BR>
Sent: Thu 5/26/2011 12:21 AM<BR>
To: Richard Pagotto<BR>
Cc: users@openswan.org<BR>
Subject: RE: [Openswan Users] need help with ipsec tunnel to iphone<BR>
<BR>
On Wed, 25 May 2011, Richard Pagotto wrote:<BR>
<BR>
> I have reread the conf and secrets man pages and figured out what username and password I should be using.<BR>
> despite your help and a total rewrite of my ipsec.conf it still doesn't work, but it does get to the XAUTH phase.<BR>
> <BR>
> I'm also not using L2TP at all, I'm going for a pure IPsec tunnel.<BR>
<BR>
There might be proprietary xauth/cisco extensions involved with that, so you're in dangerous unknown waters.<BR>
<BR>
> I'm pretty sure I've done the certificates correctly, and put them in the correct location; they've been signed, converted<BR>
> to p12, installed on the phone with the password and are being used in the configuration.<BR>
<BR>
May 25 19:40:22 linuxserver pluto[10620]: "iphone"[1] 203.20.35.28 #1: end certificate with identical subject and<BR>
issuer not accepted<BR>
<BR>
You generated the CA with the same CN= as one of your host certs. This is rejected because that host could<BR>
pretend to be a CA to other hosts. My advice is to always add "CA" to the CN= for a CA, and never to add<BR>
it for a host.<BR>
<BR>
Paul<BR>
<BR>
Paul,<BR>
<BR>
I have remade and signed the certs, I'll tell you how I go :)<BR>
<BR>
Rich<BR>
<BR>
<BR>
Paul,<BR>
<BR>
Any help with this? I really appreciate your assistance.<BR>
<BR>
openssl req -x509 -days 3650 -newkey rsa:2048 -keyout private/OpenswanKey.pem -out cacerts/OpenswanCert.pem<BR>
CN=CA<BR>
cp cacerts/OpenswanCert.pem certs/<BR>
change openssl.conf<BR>
openssl req -newkey rsa:2048 -keyout private/hostKey.pem -out reqs/hostReq.pem<BR>
CN=richard<BR>
openssl ca -in reqs/hostReq.pem -days 730 -out certs/hostCert.pem -notext<BR>
openssl pkcs12 -export -inkey private/hostKey.pem -in certs/hostCert.pem -name "newhost" -certfile cacerts/OpenswanCert.pem -caname "Openswan Root CA" -out host.p12<BR>
<BR>
May 26 00:18:02 linuxserver pluto[10620]: shutting down<BR>
May 26 00:18:02 linuxserver pluto[10620]: forgetting secrets<BR>
May 26 00:18:02 linuxserver pluto[10620]: "iphone": deleting connection<BR>
May 26 00:18:02 linuxserver pluto[10620]: shutting down interface lo/lo ::1:500<BR>
May 26 00:18:02 linuxserver pluto[10620]: shutting down interface lo/lo 127.0.0.1:4500<BR>
May 26 00:18:02 linuxserver pluto[10620]: shutting down interface lo/lo 127.0.0.1:500<BR>
May 26 00:18:02 linuxserver pluto[10620]: shutting down interface eth0/eth0 192.168.0.2:4500<BR>
May 26 00:18:02 linuxserver pluto[10620]: shutting down interface eth0/eth0 192.168.0.2:500<BR>
May 26 00:18:03 linuxserver pluto[10624]: pluto_crypto_helper: helper (0) is normal exiting<BR>
May 26 00:18:10 linuxserver ipsec__plutorun: Starting Pluto subsystem...<BR>
May 26 00:18:10 linuxserver pluto[11641]: Starting Pluto (Openswan Version 2.6.33; Vendor ID OEghI_w\134ALFy) pid:11641<BR>
May 26 00:18:10 linuxserver pluto[11641]: LEAK_DETECTIVE support [disabled]<BR>
May 26 00:18:10 linuxserver pluto[11641]: OCF support for IKE [disabled]<BR>
May 26 00:18:10 linuxserver pluto[11641]: SAref support [disabled]: Protocol not available<BR>
May 26 00:18:10 linuxserver pluto[11641]: SAbind support [disabled]: Protocol not available<BR>
May 26 00:18:10 linuxserver pluto[11641]: NSS support [disabled]<BR>
May 26 00:18:10 linuxserver pluto[11641]: HAVE_STATSD notification support not compiled in<BR>
May 26 00:18:10 linuxserver pluto[11641]: Setting NAT-Traversal port-4500 floating to on<BR>
May 26 00:18:10 linuxserver pluto[11641]: port floating activation criteria nat_t=1/port_float=1<BR>
May 26 00:18:10 linuxserver pluto[11641]: NAT-Traversal support [enabled]<BR>
May 26 00:18:10 linuxserver pluto[11641]: using /dev/urandom as source of random entropy<BR>
May 26 00:18:10 linuxserver pluto[11641]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)<BR>
May 26 00:18:10 linuxserver pluto[11641]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)<BR>
May 26 00:18:10 linuxserver pluto[11641]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)<BR>
May 26 00:18:10 linuxserver pluto[11641]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)<BR>
May 26 00:18:10 linuxserver pluto[11641]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)<BR>
May 26 00:18:10 linuxserver pluto[11641]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)<BR>
May 26 00:18:10 linuxserver pluto[11641]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)<BR>
May 26 00:18:10 linuxserver pluto[11641]: starting up 1 cryptographic helpers<BR>
May 26 00:18:10 linuxserver pluto[11645]: using /dev/urandom as source of random entropy<BR>
May 26 00:18:10 linuxserver pluto[11641]: started helper pid=11645 (fd:7)<BR>
May 26 00:18:10 linuxserver pluto[11641]: Using Linux 2.6 IPsec interface code on 2.6.21.5-smp (experimental code)<BR>
May 26 00:18:12 linuxserver pluto[11641]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)<BR>
May 26 00:18:12 linuxserver pluto[11641]: ike_alg_add(): ERROR: Algorithm already exists<BR>
May 26 00:18:12 linuxserver pluto[11641]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)<BR>
May 26 00:18:12 linuxserver pluto[11641]: ike_alg_add(): ERROR: Algorithm already exists<BR>
May 26 00:18:12 linuxserver pluto[11641]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)<BR>
May 26 00:18:12 linuxserver pluto[11641]: ike_alg_add(): ERROR: Algorithm already exists<BR>
May 26 00:18:12 linuxserver pluto[11641]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)<BR>
May 26 00:18:12 linuxserver pluto[11641]: ike_alg_add(): ERROR: Algorithm already exists<BR>
May 26 00:18:12 linuxserver pluto[11641]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)<BR>
May 26 00:18:12 linuxserver pluto[11641]: ike_alg_add(): ERROR: Algorithm already exists<BR>
May 26 00:18:12 linuxserver pluto[11641]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)<BR>
May 26 00:18:12 linuxserver pluto[11641]: Changed path to directory '/etc/ipsec.d/cacerts'<BR>
May 26 00:18:13 linuxserver pluto[11641]: loaded CA cert file 'OpenswanCert.pem' (1330 bytes)<BR>
May 26 00:18:13 linuxserver pluto[11641]: Changed path to directory '/etc/ipsec.d/aacerts'<BR>
May 26 00:18:13 linuxserver pluto[11641]: Changed path to directory '/etc/ipsec.d/ocspcerts'<BR>
May 26 00:18:13 linuxserver pluto[11641]: Changing to directory '/etc/ipsec.d/crls'<BR>
May 26 00:18:13 linuxserver pluto[11641]: Warning: empty directory<BR>
May 26 00:18:13 linuxserver pluto[11641]: loading certificate from /etc/ipsec.d/certs/OpenswanCert.pem<BR>
May 26 00:18:13 linuxserver pluto[11641]: loaded host cert file '/etc/ipsec.d/certs/OpenswanCert.pem' (1330 bytes)<BR>
May 26 00:18:13 linuxserver pluto[11641]: added connection description "iphone"<BR>
May 26 00:18:13 linuxserver pluto[11641]: listening for IKE messages<BR>
May 26 00:18:13 linuxserver pluto[11641]: adding interface eth0/eth0 192.168.0.2:500<BR>
May 26 00:18:13 linuxserver pluto[11641]: adding interface eth0/eth0 192.168.0.2:4500<BR>
May 26 00:18:13 linuxserver pluto[11641]: adding interface lo/lo 127.0.0.1:500<BR>
May 26 00:18:13 linuxserver pluto[11641]: adding interface lo/lo 127.0.0.1:4500<BR>
May 26 00:18:13 linuxserver pluto[11641]: adding interface lo/lo ::1:500<BR>
May 26 00:18:13 linuxserver pluto[11641]: loading secrets from "/etc/ipsec.secrets"<BR>
May 26 00:18:13 linuxserver pluto[11641]: loaded private key file '/etc/ipsec.d/private/hostKey.pem' (1743 bytes)<BR>
May 26 00:18:13 linuxserver pluto[11641]: loaded private key for keyid: PPK_RSA:AwEAAb3qE<BR>
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: received Vendor ID payload [RFC 3947] method set to=109<BR>
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110<BR>
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]<BR>
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]<BR>
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]<BR>
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]<BR>
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]<BR>
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110<BR>
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110<BR>
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110<BR>
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: received Vendor ID payload [XAUTH]<BR>
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: received Vendor ID payload [Cisco-Unity]<BR>
May 26 00:18:44 linuxserver pluto[11641]: packet from 203.20.35.28:12596: received Vendor ID payload [Dead Peer Detection]<BR>
May 26 00:18:44 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: responding to Main Mode from unknown peer 203.20.35.28<BR>
May 26 00:18:44 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<BR>
May 26 00:18:44 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: STATE_MAIN_R1: sent MR1, expecting MI2<BR>
May 26 00:18:45 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed<BR>
May 26 00:18:45 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<BR>
May 26 00:18:45 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: STATE_MAIN_R2: sent MR2, expecting MI3<BR>
May 26 00:18:47 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000<BR>
May 26 00:18:47 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'<BR>
May 26 00:18:47 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no crl from issuer "C=AU, ST=Victoria, O=vspec.net, CN=CA" found (strict=no)<BR>
May 26 00:18:47 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'<BR>
May 26 00:18:47 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:12596<BR>
May 26 00:18:50 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000<BR>
May 26 00:18:50 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'<BR>
May 26 00:18:50 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no crl from issuer "C=AU, ST=Victoria, O=vspec.net, CN=CA" found (strict=no)<BR>
May 26 00:18:50 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'<BR>
May 26 00:18:50 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:12596<BR>
May 26 00:18:52 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000<BR>
May 26 00:18:52 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'<BR>
May 26 00:18:52 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no crl from issuer "C=AU, ST=Victoria, O=vspec.net, CN=CA" found (strict=no)<BR>
May 26 00:18:52 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'<BR>
May 26 00:18:52 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:12596<BR>
May 26 00:18:56 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000<BR>
May 26 00:18:56 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'<BR>
May 26 00:18:56 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no crl from issuer "C=AU, ST=Victoria, O=vspec.net, CN=CA" found (strict=no)<BR>
May 26 00:18:56 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'<BR>
May 26 00:18:56 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:12596<BR>
May 26 00:18:57 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000<BR>
May 26 00:18:57 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'<BR>
May 26 00:18:57 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no crl from issuer "C=AU, ST=Victoria, O=vspec.net, CN=CA" found (strict=no)<BR>
May 26 00:18:57 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'<BR>
May 26 00:18:57 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:12596<BR>
May 26 00:19:09 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000<BR>
May 26 00:19:09 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: Main mode peer ID is ID_KEY_ID: '@#0x70736b'<BR>
May 26 00:19:09 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no crl from issuer "C=AU, ST=Victoria, O=vspec.net, CN=CA" found (strict=no)<BR>
May 26 00:19:09 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: no suitable connection for peer '@#0x70736b'<BR>
May 26 00:19:09 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: sending encrypted notification INVALID_ID_INFORMATION to 203.20.35.28:12596<BR>
May 26 00:19:55 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28 #1: max number of retransmissions (2) reached STATE_MAIN_R2<BR>
May 26 00:19:55 linuxserver pluto[11641]: "iphone"[1] 203.20.35.28: deleting connection "iphone" instance with peer 203.20.35.28 {isakmp=#0/ipsec=#0}<BR>
<BR>
I have also tried adding rightid="@#0x70736b" to ipsec.conf and did ipsec setup reload; exactly the same error.<BR>
<BR>
Rich<BR>
</FONT>
</P>
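<P>The rejection quoted earlier in the thread ("end certificate with identical subject and issuer not accepted") is a structural test: pluto compares the subject DN and the issuer DN of the certificate it is asked to treat as an end (host) certificate and refuses it when they are byte-identical, since that is what a self-signed CA looks like. The script below is an added example, not code from the thread or from Openswan. It assumes only the openssl CLI; the DN values (O=example.test and the CNs) are constructed for the example. It regenerates a CA and a host certificate the way Paul advised (a CN carrying "CA" for the CA, a different CN for the host) and then applies the same subject-vs-issuer test plus an ordinary chain check. The same test is worth running on whatever file ends up in /etc/ipsec.d/certs, because the log above shows pluto loading certs/OpenswanCert.pem, the CA file, as its host certificate.</P>

```shell
#!/bin/sh
# Added example, not code from the thread: regenerate a CA and a host
# certificate with distinct CNs and apply the subject-vs-issuer test that
# pluto runs before accepting an end certificate. Assumes the openssl CLI;
# the DN values (O=example.test, the CNs) are constructed for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a CA whose CN is $1 and a host certificate signed by it whose CN
# is $2. The other DN fields are deliberately identical, so the CN is the
# only thing that keeps the two subjects apart.
make_certs() {
    ca_cn="$1"; host_cn="$2"
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
        -subj "/C=AU/ST=Victoria/O=example.test/CN=$ca_cn" \
        -keyout "$WORK/caKey.pem" -out "$WORK/caCert.pem" 2>/dev/null
    openssl req -nodes -newkey rsa:2048 \
        -subj "/C=AU/ST=Victoria/O=example.test/CN=$host_cn" \
        -keyout "$WORK/hostKey.pem" -out "$WORK/hostReq.pem" 2>/dev/null
    openssl x509 -req -days 730 -in "$WORK/hostReq.pem" \
        -CA "$WORK/caCert.pem" -CAkey "$WORK/caKey.pem" -CAcreateserial \
        -out "$WORK/hostCert.pem" 2>/dev/null
}

# Subject DN of a certificate, with the "subject=" prefix removed so the
# output is comparable across OpenSSL versions.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }

# Issuer DN of a certificate, with the "issuer=" prefix removed.
cert_issuer() { openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'; }

# Succeed only when subject and issuer differ. A certificate whose subject
# equals its issuer has the form of a self-signed CA, which is why pluto
# logs "end certificate with identical subject and issuer not accepted"
# when such a certificate is offered as a host certificate.
end_cert_ok() {
    [ "$(cert_subject "$1")" != "$(cert_issuer "$1")" ]
}

# Succeed when the host certificate chains to the generated CA.
chain_ok() {
    openssl verify -CAfile "$WORK/caCert.pem" "$1" >/dev/null 2>&1
}

# Demonstration: run as `sh check_certs.sh run` (file name is hypothetical).
if [ "${1:-}" = "run" ]; then
    make_certs "Openswan CA" "richard"
    printf 'subject: %s\nissuer:  %s\n' \
        "$(cert_subject "$WORK/hostCert.pem")" "$(cert_issuer "$WORK/hostCert.pem")"
    end_cert_ok "$WORK/hostCert.pem" && echo "host cert accepted: subject differs from issuer"
    chain_ok "$WORK/hostCert.pem" && echo "host cert verifies against the CA"
fi
```

<P>Calling make_certs with the same CN for both the CA and the host reproduces the rejected layout: the issued host certificate then carries an issuer DN identical to its subject DN, and end_cert_ok fails exactly where pluto would refuse it, even though the signature itself is fine.</P>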
</BODY>
</HTML>