<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div><div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>Rescued from the Spam bucket. Please remember to subscribe to the mailing list before posting to it.</b></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b><br></b></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b><br></b></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>From: </b></span><span style="font-family:'Helvetica';">Mario Hommel <<a href="mailto:mario@hommel-net.de">mario@hommel-net.de</a>><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>Subject: </b></span><span style="font-family:'Helvetica';"><b>Problem with X.509 Certificates since Update</b><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>Date: </b></span><span style="font-family:'Helvetica';">April 9, 2014 at 4:02:17 PM EDT<br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>To: </b></span><span style="font-family:'Helvetica';"><a href="mailto:users@lists.openswan.org">users@lists.openswan.org</a><br></span></div><br><br>Hi all.<br><br>I have a VPN-Gateway wich worked with self-signed X.509 certificates for<br>a long time. Since i updated my Debian Wheezy there are Problems with<br>the certificates.<br><br>auth.log says:<br><br>Apr 9 21:56:52 vpngate pluto[3716]: "hommel_XP2N"[83] 87.168.144.XX<br>#129: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, L=Kassel, O=Wagner und<br>Koerdel, CN=soellner'<br>Apr 9 21:56:52 vpngate pluto[3716]: "hommel_XP2N"[83] 87.168.144.XX<br>#129: no suitable connection for peer 'C=DE, L=Kassel, O=Wagner und<br>Koerdel, CN=soellner'<br>Apr 9 21:56:52 vpngate pluto[3716]: "hommel_XP2N"[83] 87.168.144.XX<br>#129: sending encrypted notification INVALID_ID_INFORMATION to<br>87.168.144.XX:500<br><br>It doesn't recognice the right connection.<br><br>In ipsec auto --status there are strange numbers instead of the<br>certificate-data from the remote gateways:<br><br>000 "hommel_XP2N"[86]: 192.168.10.0/24===217.237.XXX.XXX<%eth0>[C=DE,<br>L=Kassel, O=Wagner und Koerdel,<br>CN=VPN-Gate,+S=C]...87.139.XXX.XXX[0x308198310B3009060355040613024445310F300<br>D060355040713064B617373656C311B3019060355040A13125761676E657220756E64<br>204B6F657264656C310F300D06035504031306686F6D6D656C0000000000000000000<br>000000000000000000000000000000000000000000000000000000000000000000000<br>0000000000000000000000000000000000000000000000000000000000000000,<br>+S=C]===?; unrouted; eroute owner: #0<br>000 "hommel_XP2N"[86]: myip=unset; hisip=unset; myup=ipsec<br>_updown.netkey.x509 --route yes; mycert=VPN-GateCert.pem;<br>000 "hommel_XP2N"[86]: CAs: 'C=DE, L=Kassel, O=Wagner und Koerdel,<br>CN=CA-WGKOE'...'%any'<br>000 "hommel_XP2N"[86]: ike_life: 3600s; ipsec_life: 28800s;<br>rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0<br>000 "hommel_XP2N"[86]: policy:<br>RSASIG+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+rKOD; prio: 24,32;<br>interface: eth0;<br>000 "hommel_XP2N"[86]: newest ISAKMP SA: #0; newest IPsec SA: #0;<br><br>What is going on here?<br><br>Regards<br>Mario Hommel<br><br><br></div></div><br></body></html>