[Openswan Users] openswan-2 CVS x509/cert issue? (no RSA public key known)
Ken Bantoft
ken at xelerance.com
Fri Apr 23 22:45:49 CEST 2004
Your left/right IDs are wrong. They should be in the X.509 CN format, not
RSASig style, e.g.:
leftid="C=CA, ST=Ontario, L=Toronto, O=Xelerance, OU=North America, CN=Ken Bantoft/emailAddress=ken at xelerance.com"
And rightid= probably removed on the 'server' side if this is a RW.
On Fri, 23 Apr 2004, Dax Kelson wrote:
> I have two boxes running openswan-2 CVS (from yesterday).
>
> fw.gurulabs.com
> * RHEL3
> * RH's 2.4 kernel + 2.6 ipsec
> * static IP
>
> intruder.gurulabs.com
> * Debian Sarge
> * 2.6.3+ kernel
> * dynamic IP
>
> I generated a CA cert, crl, and two host certs signed by that CA and
> deployed them to each machine.
>
> Each box's pluto sees the CA cert, the command:
>
> ipsec auto --listcacerts
>
> produces identical output on each box.
>
> the static ip box (fw) has:
>
> conn %default
> left=66.62.77.2
> leftnexthop=66.62.77.1
> leftid=@fw.gurulabs.com
> leftcert=fw.gurulabs.com-hostCert.pem
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> authby=rsasig
> compress=yes
> keyingtries=0
> auto=add
>
> conn glhq-daxhome
> rightid=@intruder.gurulabs.com
> right=%any
> rightsubnet=10.200.1.0/24
> leftsubnet=10.1.0.0/16
> auto=add
>
> the dynamic ip box (intruder) has:
>
> conn %default
> left=%defaultroute
> leftid=@intruder.gurulabs.com
> leftcert=intruder.gurulabs.com-hostCert.pem
> leftsubnet=10.200.1.0/24
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> authby=rsasig
> compress=yes
> keyingtries=0
> auto=add
>
> conn glhq-daxhome
> rightid=@fw.gurulabs.com
> right=fw.gurulabs.com
> rightsubnet=10.1.0.0/16
> auto=start
>
> When I run /etc/init.d/ipsec start on each machine, on the static ip
> (fw) box I get:
>
> Apr 23 13:31:49 fw pluto[11153]: "gldmz-daxhome"[1] 67.161.218.32 #1: responding to Main Mode from unknown peer 67.161.218.32
> Apr 23 13:31:49 fw pluto[11153]: "gldmz-daxhome"[1] 67.161.218.32 #1: transition from state (null) to state STATE_MAIN_R1
> Apr 23 13:31:50 fw pluto[11153]: "gldmz-daxhome"[1] 67.161.218.32 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Apr 23 13:31:50 fw pluto[11153]: "gldmz-daxhome"[1] 67.161.218.32 #1: Peer ID is ID_FQDN: '@intruder.gurulabs.com'
> Apr 23 13:31:50 fw pluto[11153]: "gldmz-daxhome"[1] 67.161.218.32 #1: no RSA public key known for '@intruder.gurulabs.com'
> Apr 23 13:32:00 fw pluto[11153]: "gldmz-daxhome"[1] 67.161.218.32 #1: Peer ID is ID_FQDN: '@intruder.gurulabs.com'
> Apr 23 13:32:00 fw pluto[11153]: "gldmz-daxhome"[1] 67.161.218.32 #1: no RSA public key known for '@intruder.gurulabs.com'
>
> On the dynamic ip (intruder) box I get:
>
> Apr 23 13:31:49 intruder pluto[13243]: "glhq-daxhome" #1: initiating Main Mode
> Apr 23 13:31:50 intruder pluto[13243]: "glhq-daxhome" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Apr 23 13:31:50 intruder pluto[13243]: "glhq-daxhome" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Apr 23 13:32:00 intruder pluto[13243]: "glhq-daxhome" #1: discarding duplicate packet; already STATE_MAIN_I3
>
> Looks to me like it should be working, but it isn't. Any ideas?
>
> Dax Kelson
--
Ken Bantoft VP Business Development
ken at xelerance.com Xelerance Corporation
sip://toronto.xelerance.com http://www.xelerance.com
The future is here. It's just not evenly distributed yet.
-- William Gibson
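As an added example (not code from the thread or from the Openswan project), the check below reads ipsec.conf conn sections and reports the two problems named in the reply: an @fqdn left/rightid used together with left/rightrsasigkey=%cert, and a rightid left on the responder of a right=%any connection. It also normalizes DN spellings so a configured leftid can be compared with the subject line that `openssl x509 -noout -subject` prints. The parser, function names and the replacement DN are assumptions of the example; FW_CONF reproduces the static-IP box's configuration from the post.

```python
"""Lint ipsec.conf conn sections for the certificate-ID mistake in this thread.

Added example, not code from the thread or the Openswan project. It encodes the
reply's advice: with authby=rsasig and left/rightrsasigkey=%cert, leftid/rightid
must be the certificate's X.509 subject DN, not an @fqdn (ID_FQDN) identity, and
rightid is normally dropped on the responder of a road-warrior (right=%any) conn.
The parser and rule wording are this example's own.
"""
import re

# Static-IP box config as posted in the thread (compress/keyingtries omitted).
FW_CONF = """
conn %default
    left=66.62.77.2
    leftid=@fw.gurulabs.com
    leftcert=fw.gurulabs.com-hostCert.pem
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    authby=rsasig

conn glhq-daxhome
    rightid=@intruder.gurulabs.com
    right=%any
    rightsubnet=10.200.1.0/24
    leftsubnet=10.1.0.0/16
"""

# The same config after the reply's advice. The DN is a constructed
# placeholder; in practice it must equal the subject of leftcert.
FIXED_CONF = FW_CONF.replace(
    "leftid=@fw.gurulabs.com",
    'leftid="C=CA, ST=Ontario, O=Example, CN=fw.gurulabs.com"',
).replace("    rightid=@intruder.gurulabs.com\n", "")


def parse_conns(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged into every
    other conn (a conn's own setting wins). Quotes around values are dropped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip().strip('"')
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **kv} for name, kv in conns.items()}


def id_kind(value):
    """Rough classification of a left/rightid into the IKE ID type pluto would
    send: '@host' is ID_FQDN, 'ATTR=...' is an X.509 DN (ID_DER_ASN1_DN)."""
    if value.startswith("@"):
        return "ID_FQDN"
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", value):
        return "ID_IPV4_ADDR"
    if re.match(r"^[A-Za-z]+=", value):
        return "ID_DER_ASN1_DN"
    return "unknown"


def dn_parts(dn):
    """Split a DN in ipsec.conf style ('C=CA, ST=Ontario, ...') or in
    `openssl x509 -subject` style ('subject= /C=CA/ST=Ontario/...') into
    (TYPE, value) pairs. Values that themselves contain ',' or '/' are
    not handled."""
    dn = re.sub(r"^subject=\s*", "", dn.strip())
    parts = []
    for piece in re.split(r"[,/]", dn):
        piece = piece.strip()
        if piece:
            typ, _, val = piece.partition("=")
            parts.append((typ.strip().upper(), val.strip()))
    return parts


def dn_matches(configured_id, cert_subject):
    """True when the configured ID names the same subject as the certificate,
    ignoring separator style and whitespace."""
    return dn_parts(configured_id) == dn_parts(cert_subject)


def lint(conns):
    """(conn, setting, message) tuples for IDs that will not match a cert peer."""
    findings = []
    for name, kv in conns.items():
        if kv.get("authby") != "rsasig":
            continue
        for side in ("left", "right"):
            ident = kv.get(side + "id")
            if (kv.get(side + "rsasigkey") == "%cert" and ident is not None
                    and id_kind(ident) != "ID_DER_ASN1_DN"):
                findings.append((name, side + "id",
                                 "%s: %s, expected the X.509 subject DN"
                                 % (id_kind(ident), ident)))
        if kv.get("right") == "%any" and "rightid" in kv:
            findings.append((name, "rightid",
                             "set on a road-warrior responder; drop it"))
    return findings
```

Run against FW_CONF the linter reports three findings on conn glhq-daxhome (the inherited leftid, the rightid, and the rightid on a %any responder); FIXED_CONF produces none. The DN check is deliberately loose about separators and spacing, so use it to catch the common "/" versus ", " transcription mismatch, not as a substitute for pluto's own DN comparison.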