[Openswan Users]
openswan-2 CVS x509/cert issue? (no RSA public key known)
Dax Kelson
dax at gurulabs.com
Fri Apr 23 14:35:08 CEST 2004
I have two boxes running openswan-2 CVS (from yesterday).
fw.gurulabs.com
* RHEL3
* RH's 2.4 kernel + 2.6 ipsec
* static IP
intruder.gurulabs.com
* Debian Sarge
* 2.6.3+ kernel
* dynamic IP
I generated a CA cert, crl, and two host certs signed by that CA and
deployed them to each machine.
Each box's pluto sees the CA cert, the command:
ipsec auto --listcacerts
produces identical output on each box.
The static IP box (fw) has:
conn %default
    left=66.62.77.2
    leftnexthop=66.62.77.1
    leftid=@fw.gurulabs.com
    leftcert=fw.gurulabs.com-hostCert.pem
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    authby=rsasig
    compress=yes
    keyingtries=0
    auto=add

conn glhq-daxhome
    rightid=@intruder.gurulabs.com
    right=%any
    rightsubnet=10.200.1.0/24
    leftsubnet=10.1.0.0/16
    auto=add
The dynamic IP box (intruder) has:
conn %default
    left=%defaultroute
    leftid=@intruder.gurulabs.com
    leftcert=intruder.gurulabs.com-hostCert.pem
    leftsubnet=10.200.1.0/24
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    authby=rsasig
    compress=yes
    keyingtries=0
    auto=add

conn glhq-daxhome
    rightid=@fw.gurulabs.com
    right=fw.gurulabs.com
    rightsubnet=10.1.0.0/16
    auto=start
When I run /etc/init.d/ipsec start on each machine, on the static IP
(fw) box I get:
Apr 23 13:31:49 fw pluto[11153]: "gldmz-daxhome"[1] 67.161.218.32 #1: responding to Main Mode from unknown peer 67.161.218.32
Apr 23 13:31:49 fw pluto[11153]: "gldmz-daxhome"[1] 67.161.218.32 #1: transition from state (null) to state STATE_MAIN_R1
Apr 23 13:31:50 fw pluto[11153]: "gldmz-daxhome"[1] 67.161.218.32 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 23 13:31:50 fw pluto[11153]: "gldmz-daxhome"[1] 67.161.218.32 #1: Peer ID is ID_FQDN: '@intruder.gurulabs.com'
Apr 23 13:31:50 fw pluto[11153]: "gldmz-daxhome"[1] 67.161.218.32 #1: no RSA public key known for '@intruder.gurulabs.com'
Apr 23 13:32:00 fw pluto[11153]: "gldmz-daxhome"[1] 67.161.218.32 #1: Peer ID is ID_FQDN: '@intruder.gurulabs.com'
Apr 23 13:32:00 fw pluto[11153]: "gldmz-daxhome"[1] 67.161.218.32 #1: no RSA public key known for '@intruder.gurulabs.com'
On the dynamic IP (intruder) box I get:
Apr 23 13:31:49 intruder pluto[13243]: "glhq-daxhome" #1: initiating Main Mode
Apr 23 13:31:50 intruder pluto[13243]: "glhq-daxhome" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Apr 23 13:31:50 intruder pluto[13243]: "glhq-daxhome" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Apr 23 13:32:00 intruder pluto[13243]: "glhq-daxhome" #1: discarding duplicate packet; already STATE_MAIN_I3
Looks to me like it should be working, but it isn't. Any ideas?
Dax Kelson
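As an added example (not part of Dax's post and not Openswan code), a small Python parser for the pluto log format quoted above. It pairs the responder's "no RSA public key known" rejections with the initiator's silent stall, which is the only symptom the initiating side shows in these logs, and extracts the rejected peer ID, the value worth comparing against the identity carried in the peer's certificate. The sample log text is constructed from the post's own lines; the conn names and addresses are those of the post.

```python
import re

# Constructed sample input: the responder-side (fw) and initiator-side
# (intruder) pluto lines quoted in the post above, nothing more.
FW_LOG = """\
Apr 23 13:31:49 fw pluto[11153]: "gldmz-daxhome"[1] 67.161.218.32 #1: responding to Main Mode from unknown peer 67.161.218.32
Apr 23 13:31:50 fw pluto[11153]: "gldmz-daxhome"[1] 67.161.218.32 #1: Peer ID is ID_FQDN: '@intruder.gurulabs.com'
Apr 23 13:31:50 fw pluto[11153]: "gldmz-daxhome"[1] 67.161.218.32 #1: no RSA public key known for '@intruder.gurulabs.com'
Apr 23 13:32:00 fw pluto[11153]: "gldmz-daxhome"[1] 67.161.218.32 #1: Peer ID is ID_FQDN: '@intruder.gurulabs.com'
Apr 23 13:32:00 fw pluto[11153]: "gldmz-daxhome"[1] 67.161.218.32 #1: no RSA public key known for '@intruder.gurulabs.com'
"""
INTRUDER_LOG = """\
Apr 23 13:31:49 intruder pluto[13243]: "glhq-daxhome" #1: initiating Main Mode
Apr 23 13:31:50 intruder pluto[13243]: "glhq-daxhome" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Apr 23 13:32:00 intruder pluto[13243]: "glhq-daxhome" #1: discarding duplicate packet; already STATE_MAIN_I3
"""

# syslog prefix, "conn"[instance] peer-ip #sa: message; the [instance] and
# peer-ip parts appear only on conns instantiated from a right=%any template.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\] (?P<peer>\S+))? #(?P<sa>\d+): (?P<msg>.*)$')
NO_KEY_RE = re.compile(r"^no RSA public key known for '(?P<id>[^']*)'$")
STALL_RE = re.compile(r"^discarding duplicate packet; already (?P<state>STATE_\w+)$")

def parse_line(line):
    """Split one pluto log line into its fields, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def rsa_auth_failures(log_text):
    """Responder view: {(conn, peer_ip, sa): [rejected peer IDs...]} for SAs
    whose peer ID pluto could not map to any RSA key; one entry per attempt."""
    failures = {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        m = NO_KEY_RE.match(rec["msg"])
        if m:
            failures.setdefault((rec["conn"], rec["peer"], rec["sa"]), []).append(m["id"])
    return failures

def stalled_initiators(log_text):
    """Initiator view: {(conn, sa): state} for SAs that log a duplicate-packet
    discard while still in that state, i.e. never advance past it."""
    stalls = {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        m = STALL_RE.match(rec["msg"])
        if m:
            stalls[(rec["conn"], rec["sa"])] = m["state"]
    return stalls
```

Run over both logs, the responder side yields the rejected ID '@intruder.gurulabs.com' twice for SA #1 from 67.161.218.32, while the initiator side shows only SA #1 stuck in STATE_MAIN_I3.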