<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<tt>Dear all OpenSwan users,</tt><tt><br>
</tt><tt><br>
</tt><tt>I used the following environment: OS Debian 6.0 / Kernel
2.6.32 / Openswan 2.6.28</tt><tt><br>
</tt><tt>I used an X509 certificate to secure VPN tunnels, and when I
start the IPSec Openswan service, I get the following error:</tt><tt><br>
</tt>
<blockquote><tt>Changing to directory '/etc/ipsec.d/crls'</tt><tt><br>
</tt><tt> loaded crl file 'XXXXX_root-crl.pem' (2145 bytes)</tt><tt><br>
</tt><tt> digest algorithm not supported</tt><tt><br>
</tt><tt><br>
</tt><tt>This CRL was generated using SHA256 algorithm.</tt><tt><br>
</tt><tt><br>
</tt></blockquote>
<tt>You will find the list of public keys used by this service
(ipsec auto listall):</tt><tt><br>
</tt>
<blockquote><tt>000</tt><tt><br>
</tt><tt>000 List of Public Keys:</tt><tt><br>
</tt><tt>000</tt><tt><br>
</tt><tt>000 Jul 08 02:12:38 2014, 512 RSA Key AwEAAdclA (has
private key), until Aug 03 14:54:05 2015 ok</tt><tt><br>
</tt><tt>000 ID_DER_ASN1_DN 'C=FR, ST=XXXXX, L=XXXXX,
O=YYYY, OU=IT, CN=ZZZZ, <a class="moz-txt-link-abbreviated" href="mailto:E=support@xxxxx.fr">E=support@xxxxx.fr</a>'</tt><tt><br>
</tt><tt>000 Issuer 'C=FR, O=XXXXX, OU=CA Trust center,
CN=XXXXXCA Root, <a class="moz-txt-link-abbreviated" href="mailto:E=support@xxxxx.fr">E=support@xxxxx.fr</a>'</tt><tt><br>
</tt><tt>000 List of Pre-shared secrets (from /etc/ipsec.secrets)</tt><tt><br>
</tt><tt>000 12: RSA (none) (none)</tt><tt><br>
</tt><tt>000</tt><tt><br>
</tt><tt>000 List of X.509 End Certificates:</tt><tt><br>
</tt><tt>000</tt><tt><br>
</tt><tt>000 Jul 08 02:12:38 2014, count: 2</tt><tt><br>
</tt><tt>000 subject: 'C=FR, ST=XXXXX, L=XXXXX, O=YYYY,
OU=IT, CN=ZZZZ, <a class="moz-txt-link-abbreviated" href="mailto:E=support@xxxxx.fr">E=support@xxxxx.fr</a>'</tt><tt><br>
</tt><tt>000 issuer: 'C=FR, O=XXXXX, OU=CA Trust center,
CN=XXXXXCA Root, <a class="moz-txt-link-abbreviated" href="mailto:E=support@xxxxx.fr">E=support@xxxxx.fr</a>'</tt><tt><br>
</tt><tt>000 serial: 0b:c7</tt><tt><br>
</tt><tt>000 pubkey: 512 RSA Key AwEAAdclA, has private
key</tt><tt><br>
</tt><tt>000 validity: not before Jun 29 14:54:05 2014 ok</tt><tt><br>
</tt><tt>000 not after Aug 03 14:54:05 2015 ok</tt><tt><br>
</tt><tt>000 subjkey:
a3:0b:dc:30:0c:90:e5:b5:a5:7e:66:ac:d6:65:03:bc:72:21:c5:ed</tt><tt><br>
</tt><tt>000 authkey:
4e:67:68:24:66:58:5c:de:8d:de:e2:f2:3a:60:cc:44:70:15:f4:b6</tt><tt><br>
</tt><tt>000</tt><tt><br>
</tt><tt>000 List of X.509 CA Certificates:</tt><tt><br>
</tt><tt>000</tt><tt><br>
</tt><tt>000 Jul 08 02:12:38 2014, count: 1</tt><tt><br>
</tt><tt>000 subject: 'C=FR, O=XXXXX, OU=CA Trust center,
CN=XXXXX CA Root, <a class="moz-txt-link-abbreviated" href="mailto:E=support@xxxxx.fr">E=support@xxxxx.fr</a>'</tt><tt><br>
</tt><tt>000 issuer: 'C=FR, O=XXXXX, OU=CA Trust center,
CN=XXXXX CA Root, <a class="moz-txt-link-abbreviated" href="mailto:E=support@xxxxx.fr">E=support@xxxxx.fr</a>'</tt><tt><br>
</tt><tt>000 serial: 00</tt><tt><br>
</tt><tt>000 pubkey: 2048 RSA Key AwEAAaliX</tt><tt><br>
</tt><tt>000 validity: not before Jun 12 11:04:22 2014 ok</tt><tt><br>
</tt><tt>000 not after Jan 11 10:04:22 2038 ok</tt><tt><br>
</tt><tt>000 subjkey:
4e:67:68:24:66:58:5c:de:8d:de:e2:f2:3a:60:cc:44:70:15:f4:b6</tt><tt><br>
</tt><tt>000 authkey:
4e:67:68:24:66:58:5c:de:8d:de:e2:f2:3a:60:cc:44:70:15:f4:b6</tt><tt><br>
</tt><tt>000 aserial: 00</tt><tt><br>
</tt></blockquote>
<tt>And when I tried to establish a VPN IPSec tunnel using an X509
certificate signed by our CA root, I got the following error:</tt><tt><br>
</tt><tt><br>
</tt>
<blockquote><tt>packet from 88.174.245.115:500: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-00]</tt><tt><br>
</tt><tt>packet from 88.174.245.115:500: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106</tt><tt><br>
</tt><tt>packet from 88.174.245.115:500: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108</tt><tt><br>
</tt><tt>packet from 88.174.245.115:500: received Vendor ID
payload [RFC 3947] method set to=109</tt><tt><br>
</tt><tt>packet from 88.174.245.115:500: received Vendor ID
payload [Dead Peer Detection]</tt><tt><br>
</tt><tt>"nomades_wan"[1] 88.174.245.115 #1: responding to Main
Mode from unknown peer 88.174.245.115</tt><tt><br>
</tt><tt>"nomades_wan"[1] 88.174.245.115 #1: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1</tt><tt><br>
</tt><tt>"nomades_wan"[1] 88.174.245.115 #1: STATE_MAIN_R1: sent
MR1, expecting MI2</tt><tt><br>
</tt><tt>"nomades_wan"[1] 88.174.245.115 #1: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal): peer is NATed</tt><tt><br>
</tt><tt>"nomades_wan"[1] 88.174.245.115 #1: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2</tt><tt><br>
</tt><tt>"nomades_wan"[1] 88.174.245.115 #1: STATE_MAIN_R2: sent
MR2, expecting MI3</tt><tt><br>
</tt><tt>"nomades_wan"[1] 88.174.245.115 #1: ignoring
informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000</tt><tt><br>
</tt><tt>"nomades_wan"[1] 88.174.245.115 #1: Main mode peer ID is
ID_DER_ASN1_DN: 'C=FR, O=ZZZZZ, OU=NOMADES, CN=1'</tt><tt><br>
</tt><tt>"nomades_wan"[1] 88.174.245.115 #1: no crl from issuer
"C=FR, O=XXXXX, OU=CA Trust center, CN=XXXXX CA Root,
<a class="moz-txt-link-abbreviated" href="mailto:E=support@XXXXX.fr">E=support@XXXXX.fr</a>" found (strict=no)</tt><tt><br>
</tt><tt>"nomades_wan"[1] 88.174.245.115 #1: </tt><tt><b>digest
algorithm not supported</b></tt><tt><br>
</tt><tt>"nomades_wan"[1] 88.174.245.115 #1: invalid certificate
signature from "C=FR, O=XXXXX, OU=CA Trust center, CN=XXXXX CA
Root, <a class="moz-txt-link-abbreviated" href="mailto:E=support@XXXXX.fr">E=support@XXXXX.fr</a>" on "C=FR, O=XXXXX, OU=CA Trust center,
CN=XXXXX CA Root, <a class="moz-txt-link-abbreviated" href="mailto:E=support.vpn@XXXXX.fr">E=support.vpn@XXXXX.fr</a>"</tt><tt><br>
</tt><tt>"nomades_wan"[1] 88.174.245.115 #1: </tt><tt><b>X.509
certificate rejected</b></tt><tt><br>
</tt><tt>"nomades_wan"[1] 88.174.245.115 #1: while comparing
A='C=FR, O=ZZZZZ, OU=NOMADES,
CN=1'<=>'0x3076310B300906035504061302465
2310E300C060355040A130553544556413110300E060355040B13074E4F4D41444553310A3008060355040314012A00000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'=B
with a wildcard count of 1, A had
too few RDNs</tt><tt><br>
</tt><tt>"nomades_wan"[1] 88.174.245.115 #1: while comparing
A='C=FR, O=ZZZZZ, OU=NOMADES,
CN=1'<=>'0x3076310B300906035504061302465
2310E300C060355040A130553544556413110300E060355040B13074E4F4D41444553310A3008060355040314012A00000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'=B
with a wildcard count of 1, A had
too few RDNs</tt><tt><br>
</tt><tt>"nomades_wan"[1] 88.174.245.115 #1: while comparing
A='C=FR, O=ZZZZZ, OU=NOMADES,
CN=1'<=>'0x306A310B300906035504061302465
2310E300C060355040A13055354455641310A3008060355040B14012A310A3008060355040314012A00000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000'=B
with a wildcard count of 2, A had too few RDNs</tt><tt><br>
</tt><tt>"nomades_wan"[1] 88.174.245.115 #1: no suitable
connection for peer 'C=FR, O=ZZZZZ, OU=NOMADES, CN=1'</tt><tt><br>
</tt><tt>"nomades_wan"[1] 88.174.245.115 #1: sending encrypted
notification INVALID_ID_INFORMATION to 88.174.245.115:500</tt><tt><br>
</tt></blockquote>
<tt>You will find the VPN profile for this connection:</tt><tt><br>
</tt>
<blockquote><tt>conn nomades_wan</tt><tt><br>
</tt><tt> left=5.56.44.105</tt><tt><br>
</tt><tt> leftrsasigkey=%cert</tt><tt><br>
</tt><tt> leftcert=XXXXXXXXX.pem</tt><tt><br>
</tt><tt> leftid=%fromcert</tt><tt><br>
</tt><tt> leftsubnet=192.168.0.0/18</tt><tt><br>
</tt><tt> right=%any</tt><tt><br>
</tt><tt> #rightsubnet=vhost:%priv</tt><tt><br>
</tt><tt> rightsubnet=192.168.250.0/24</tt><tt><br>
</tt><tt> rightid="C=FR, O=ZZZZZ, OU=NOMADES, CN=*"</tt><tt><br>
</tt><tt> keyingtries=2</tt><tt><br>
</tt></blockquote>
<tt>Any suggestions or help would be appreciated!</tt><tt><br>
</tt><tt><br>
</tt><tt>Kind regards</tt><br>
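<p>Added example (not from the original post and not Openswan code): a small pure-Python DER reader that reports which signature algorithm a PEM certificate or CRL names in its outer signatureAlgorithm field. That field is the one the verifying daemon has to understand before it can check the signature at all, so it is the first thing to look at when a log says "digest algorithm not supported" for a CRL generated with SHA256, as in the post above. The sample CRL-shaped input is constructed inside the block (dummy TBS, zero signature bits) and the helper and function names are my own; with a real file you would pass the contents of a file such as /etc/ipsec.d/crls/XXXXX_root-crl.pem to check_pem().</p>

```python
import base64
import re

# OID -> (algorithm name, digest) for common RSA signature algorithms (RFC 3279, RFC 4055).
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
}


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode OID content octets to dotted form, e.g. "1.2.840.113549.1.1.11"."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends the current arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem_text):
    """Strip the PEM armour and base64-decode the body (CERTIFICATE or X509 CRL)."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem_text)
    return base64.b64decode("".join(body.split()))


def signature_algorithm(der_bytes):
    """Return (oid, name, digest) from the outer signatureAlgorithm field.

    Certificate and CertificateList (CRL) share the outer shape:
      SEQUENCE { tbs SEQUENCE, signatureAlgorithm SEQUENCE { OID, params }, BIT STRING }
    The hash named here is the one the verifier must implement to check the signature.
    """
    tag, outer, _ = read_tlv(der_bytes, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(outer, 0)      # skip tbsCertificate / tbsCertList
    tag, algid, _ = read_tlv(outer, pos)   # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(oid_bytes)
    name, digest = SIG_ALGS.get(oid, ("unknown", "unknown"))
    return oid, name, digest


# --- constructed sample input (not real CA material) ----------------------------

def der(tag, value):
    """Encode one DER TLV, using the long length form when needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(oid):
    """Encode a dotted OID into DER content octets (base-128 arcs)."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def constructed_crl_pem(sig_oid):
    """CONSTRUCTED sample: a CertificateList-shaped blob with a placeholder TBS and a
    2048-bit all-zero 'signature'; the signature algorithm OID is chosen by the caller."""
    tbs = der(0x30, der(0x02, b"\x01"))                               # placeholder tbsCertList
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + b"\x05\x00")     # AlgorithmIdentifier + NULL
    sig = der(0x03, b"\x00" + bytes(256))                             # BIT STRING, 0 unused bits
    b64 = base64.b64encode(der(0x30, tbs + alg + sig)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN X509 CRL-----\n" + "\n".join(lines) + "\n-----END X509 CRL-----\n"


def check_pem(pem_text):
    """One-line verdict: which algorithm the object is signed with and which digest that needs."""
    oid, name, digest = signature_algorithm(pem_to_der(pem_text))
    return f"signed with {name} ({oid}); verifier needs {digest}"


if __name__ == "__main__":
    # Real use: print(check_pem(open("/etc/ipsec.d/crls/XXXXX_root-crl.pem").read()))
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(check_pem(constructed_crl_pem(oid)))
```

<p>The reader only walks the outer structure, so it works the same way on the CA certificate, the end certificate and the CRL. Checking each file this way tells you whether the object is signed with a SHA-2 algorithm before you spend time on the connection definition, and if the CA must re-issue with a digest the installed daemon supports, the same check confirms the new files.</p>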
</body>
</html>