[Openswan Users] openswan-2 cvs x509 troubles
Dax Kelson
dax at gurulabs.com
Sat Apr 24 01:52:32 CEST 2004
Further debugging of my "no RSA public key known" problem.
I got rid of all other defined conns except for %default and the one I'm
trying to bring up.
This is the abridged pluto debug from the server side.
Any help greatly appreciated.
Apr 24 00:41:42 fw pluto[6021]: |
Apr 24 00:41:42 fw pluto[6021]: | *received 176 bytes from 67.161.218.32:500 on eth0
[snip]
Apr 24 00:41:42 fw pluto[6021]: | **parse ISAKMP Message:
Apr 24 00:41:42 fw pluto[6021]: | initiator cookie:
Apr 24 00:41:42 fw pluto[6021]: | 95 d2 45 fc 2c 52 3b 5d
Apr 24 00:41:42 fw pluto[6021]: | responder cookie:
Apr 24 00:41:42 fw pluto[6021]: | 00 00 00 00 00 00 00 00
Apr 24 00:41:42 fw pluto[6021]: | next payload type: ISAKMP_NEXT_SA
Apr 24 00:41:42 fw pluto[6021]: | ISAKMP version: ISAKMP Version 1.0
Apr 24 00:41:42 fw pluto[6021]: | exchange type: ISAKMP_XCHG_IDPROT
Apr 24 00:41:42 fw pluto[6021]: | flags: none
Apr 24 00:41:42 fw pluto[6021]: | message ID: 00 00 00 00
Apr 24 00:41:42 fw pluto[6021]: | length: 176
Apr 24 00:41:42 fw pluto[6021]: | ***parse ISAKMP Security Association Payload:
Apr 24 00:41:42 fw pluto[6021]: | next payload type: ISAKMP_NEXT_NONE
Apr 24 00:41:42 fw pluto[6021]: | length: 148
Apr 24 00:41:42 fw pluto[6021]: | DOI: ISAKMP_DOI_IPSEC
Apr 24 00:41:42 fw pluto[6021]: | instantiated "glhq-daxhome" for 67.161.218.32
Apr 24 00:41:42 fw pluto[6021]: | creating state object #1 at 0x80e7d08
Apr 24 00:41:42 fw pluto[6021]: | ICOOKIE: 95 d2 45 fc 2c 52 3b 5d
Apr 24 00:41:42 fw pluto[6021]: | RCOOKIE: 19 74 c6 ec 58 f1 ea 4f
Apr 24 00:41:42 fw pluto[6021]: | peer: 43 a1 da 20
Apr 24 00:41:42 fw pluto[6021]: | state hash entry 29
Apr 24 00:41:42 fw pluto[6021]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
Apr 24 00:41:42 fw pluto[6021]: "glhq-daxhome"[1] 67.161.218.32 #1: responding to Main Mode from unknown peer 67.161.218.32
Apr 24 00:41:42 fw pluto[6021]: | **emit ISAKMP Message:
Apr 24 00:41:42 fw pluto[6021]: | initiator cookie:
Apr 24 00:41:42 fw pluto[6021]: | 95 d2 45 fc 2c 52 3b 5d
Apr 24 00:41:42 fw pluto[6021]: | responder cookie:
Apr 24 00:41:42 fw pluto[6021]: | 19 74 c6 ec 58 f1 ea 4f
Apr 24 00:41:42 fw pluto[6021]: | next payload type: ISAKMP_NEXT_SA
Apr 24 00:41:43 fw pluto[6021]: | ISAKMP version: ISAKMP Version 1.0
Apr 24 00:41:43 fw pluto[6021]: | exchange type: ISAKMP_XCHG_IDPROT
Apr 24 00:41:43 fw pluto[6021]: | flags: none
Apr 24 00:41:43 fw pluto[6021]: | message ID: 00 00 00 00
Apr 24 00:41:43 fw pluto[6021]: | ***emit ISAKMP Security Association Payload:
Apr 24 00:41:43 fw pluto[6021]: | next payload type: ISAKMP_NEXT_NONE
Apr 24 00:41:43 fw pluto[6021]: | DOI: ISAKMP_DOI_IPSEC
Apr 24 00:41:43 fw pluto[6021]: | ****parse IPsec DOI SIT:
Apr 24 00:41:43 fw pluto[6021]: | IPsec DOI SIT: SIT_IDENTITY_ONLY
Apr 24 00:41:43 fw pluto[6021]: | ****parse ISAKMP Proposal Payload:
Apr 24 00:41:43 fw pluto[6021]: | next payload type: ISAKMP_NEXT_NONE
Apr 24 00:41:43 fw pluto[6021]: | length: 136
Apr 24 00:41:43 fw pluto[6021]: | proposal number: 0
Apr 24 00:41:43 fw pluto[6021]: | protocol ID: PROTO_ISAKMP
Apr 24 00:41:43 fw pluto[6021]: | SPI size: 0
Apr 24 00:41:43 fw pluto[6021]: | number of transforms: 4
Apr 24 00:41:43 fw pluto[6021]: | *****parse ISAKMP Transform Payload (ISAKMP):
Apr 24 00:41:43 fw pluto[6021]: | next payload type: ISAKMP_NEXT_T
Apr 24 00:41:43 fw pluto[6021]: | length: 32
Apr 24 00:41:43 fw pluto[6021]: | transform number: 0
Apr 24 00:41:43 fw pluto[6021]: | transform ID: KEY_IKE
Apr 24 00:41:43 fw pluto[6021]: | ******parse ISAKMP Oakley attribute:
Apr 24 00:41:43 fw pluto[6021]: | af+type: OAKLEY_LIFE_TYPE
Apr 24 00:41:43 fw pluto[6021]: | length/value: 1
Apr 24 00:41:43 fw pluto[6021]: | [1 is OAKLEY_LIFE_SECONDS]
Apr 24 00:41:43 fw pluto[6021]: | ******parse ISAKMP Oakley attribute:
Apr 24 00:41:43 fw pluto[6021]: | af+type: OAKLEY_LIFE_DURATION
Apr 24 00:41:43 fw pluto[6021]: | length/value: 3600
Apr 24 00:41:43 fw pluto[6021]: | ******parse ISAKMP Oakley attribute:
Apr 24 00:41:43 fw pluto[6021]: | af+type: OAKLEY_ENCRYPTION_ALGORITHM
Apr 24 00:41:43 fw pluto[6021]: | length/value: 5
Apr 24 00:41:43 fw pluto[6021]: | [5 is OAKLEY_3DES_CBC]
Apr 24 00:41:43 fw pluto[6021]: | ike_alg_enc_ok(ealg=5,key_len=0): blocksize=8, keyminlen=192, keydeflen=192, keymaxlen=192, ret=1
Apr 24 00:41:43 fw pluto[6021]: | ******parse ISAKMP Oakley attribute:
Apr 24 00:41:43 fw pluto[6021]: | af+type: OAKLEY_HASH_ALGORITHM
Apr 24 00:41:43 fw pluto[6021]: | length/value: 1
Apr 24 00:41:43 fw pluto[6021]: | [1 is OAKLEY_MD5]
Apr 24 00:41:43 fw pluto[6021]: | ******parse ISAKMP Oakley attribute:
Apr 24 00:41:43 fw pluto[6021]: | af+type: OAKLEY_AUTHENTICATION_METHOD
Apr 24 00:41:43 fw pluto[6021]: | length/value: 3
Apr 24 00:41:43 fw pluto[6021]: | [3 is OAKLEY_RSA_SIG]
Apr 24 00:41:43 fw pluto[6021]: | ******parse ISAKMP Oakley attribute:
Apr 24 00:41:43 fw pluto[6021]: | af+type: OAKLEY_GROUP_DESCRIPTION
Apr 24 00:41:43 fw pluto[6021]: | length/value: 5
Apr 24 00:41:43 fw pluto[6021]: | [5 is OAKLEY_GROUP_MODP1536]
Apr 24 00:41:43 fw pluto[6021]: | Oakley Transform 0 accepted
Apr 24 00:41:43 fw pluto[6021]: | ****emit IPsec DOI SIT:
Apr 24 00:41:43 fw pluto[6021]: | IPsec DOI SIT: SIT_IDENTITY_ONLY
Apr 24 00:41:43 fw pluto[6021]: | ****emit ISAKMP Proposal Payload:
Apr 24 00:41:43 fw pluto[6021]: | next payload type: ISAKMP_NEXT_NONE
Apr 24 00:41:43 fw pluto[6021]: | proposal number: 0
Apr 24 00:41:43 fw pluto[6021]: | protocol ID: PROTO_ISAKMP
Apr 24 00:41:43 fw pluto[6021]: | SPI size: 0
Apr 24 00:41:43 fw pluto[6021]: | number of transforms: 1
Apr 24 00:41:43 fw pluto[6021]: | *****emit ISAKMP Transform Payload (ISAKMP):
Apr 24 00:41:43 fw pluto[6021]: | next payload type: ISAKMP_NEXT_NONE
Apr 24 00:41:43 fw pluto[6021]: | transform number: 0
Apr 24 00:41:43 fw pluto[6021]: | transform ID: KEY_IKE
Apr 24 00:41:43 fw pluto[6021]: | emitting 24 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP)
Apr 24 00:41:43 fw pluto[6021]: | attributes 80 0b 00 01 80 0c 0e 10 80 01 00 05 80 02 00 01
Apr 24 00:41:43 fw pluto[6021]: | 80 03 00 03 80 04 00 05
Apr 24 00:41:43 fw pluto[6021]: | emitting length of ISAKMP Transform Payload (ISAKMP): 32
Apr 24 00:41:43 fw pluto[6021]: | emitting length of ISAKMP Proposal Payload: 40
Apr 24 00:41:43 fw pluto[6021]: | emitting length of ISAKMP Security Association Payload: 52
Apr 24 00:41:43 fw pluto[6021]: | sender checking NAT-t: 0 and 0
Apr 24 00:41:43 fw pluto[6021]: | emitting length of ISAKMP Message: 80
Apr 24 00:41:43 fw pluto[6021]: "glhq-daxhome"[1] 67.161.218.32 #1: transition from state (null) to state STATE_MAIN_R1
Apr 24 00:41:43 fw pluto[6021]: | sending 80 bytes for STATE_MAIN_R0 through eth0 to 67.161.218.32:500:
[snip]
Apr 24 00:41:43 fw pluto[6021]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Apr 24 00:41:43 fw pluto[6021]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Apr 24 00:41:43 fw pluto[6021]: |
Apr 24 00:41:43 fw pluto[6021]: | *received 244 bytes from 67.161.218.32:500 on eth0
[snip]
Apr 24 00:41:43 fw pluto[6021]: | **parse ISAKMP Message:
Apr 24 00:41:43 fw pluto[6021]: | initiator cookie:
Apr 24 00:41:43 fw pluto[6021]: | 95 d2 45 fc 2c 52 3b 5d
Apr 24 00:41:43 fw pluto[6021]: | responder cookie:
Apr 24 00:41:43 fw pluto[6021]: | 19 74 c6 ec 58 f1 ea 4f
Apr 24 00:41:43 fw pluto[6021]: | next payload type: ISAKMP_NEXT_KE
Apr 24 00:41:43 fw pluto[6021]: | ISAKMP version: ISAKMP Version 1.0
Apr 24 00:41:43 fw pluto[6021]: | exchange type: ISAKMP_XCHG_IDPROT
Apr 24 00:41:43 fw pluto[6021]: | flags: none
Apr 24 00:41:43 fw pluto[6021]: | message ID: 00 00 00 00
Apr 24 00:41:43 fw pluto[6021]: | length: 244
Apr 24 00:41:43 fw pluto[6021]: | ICOOKIE: 95 d2 45 fc 2c 52 3b 5d
Apr 24 00:41:43 fw pluto[6021]: | RCOOKIE: 19 74 c6 ec 58 f1 ea 4f
Apr 24 00:41:43 fw pluto[6021]: | peer: 43 a1 da 20
Apr 24 00:41:43 fw pluto[6021]: | state hash entry 29
Apr 24 00:41:43 fw pluto[6021]: | peer and cookies match on #1, provided msgid 00000000 vs 00000000
Apr 24 00:41:43 fw pluto[6021]: | state object #1 found, in STATE_MAIN_R1
Apr 24 00:41:43 fw pluto[6021]: | ***parse ISAKMP Key Exchange Payload:
Apr 24 00:41:43 fw pluto[6021]: | next payload type: ISAKMP_NEXT_NONCE
Apr 24 00:41:43 fw pluto[6021]: | length: 196
Apr 24 00:41:43 fw pluto[6021]: | ***parse ISAKMP Nonce Payload:
Apr 24 00:41:43 fw pluto[6021]: | next payload type: ISAKMP_NEXT_NONE
Apr 24 00:41:43 fw pluto[6021]: | length: 20
Apr 24 00:41:43 fw pluto[6021]: | **emit ISAKMP Message:
Apr 24 00:41:43 fw pluto[6021]: | initiator cookie:
Apr 24 00:41:43 fw pluto[6021]: | 95 d2 45 fc 2c 52 3b 5d
Apr 24 00:41:43 fw pluto[6021]: | responder cookie:
Apr 24 00:41:43 fw pluto[6021]: | 19 74 c6 ec 58 f1 ea 4f
Apr 24 00:41:43 fw pluto[6021]: | next payload type: ISAKMP_NEXT_KE
Apr 24 00:41:43 fw pluto[6021]: | ISAKMP version: ISAKMP Version 1.0
Apr 24 00:41:43 fw pluto[6021]: | exchange type: ISAKMP_XCHG_IDPROT
Apr 24 00:41:43 fw pluto[6021]: | flags: none
Apr 24 00:41:43 fw pluto[6021]: | message ID: 00 00 00 00
Apr 24 00:41:43 fw pluto[6021]: | DH public value received:
[snip]
Apr 24 00:41:43 fw pluto[6021]: | inI2: checking NAT-t: 0 and 0
Apr 24 00:41:43 fw pluto[6021]: | Local DH secret:
[snip]
Apr 24 00:41:43 fw pluto[6021]: | Public DH value sent:
[snip]
Apr 24 00:41:43 fw pluto[6021]: | ***emit ISAKMP Key Exchange Payload:
Apr 24 00:41:43 fw pluto[6021]: | next payload type: ISAKMP_NEXT_NONCE
Apr 24 00:41:43 fw pluto[6021]: | emitting 192 raw bytes of keyex value into ISAKMP Key Exchange Payload
[snip]
Apr 24 00:41:43 fw pluto[6021]: | emitting length of ISAKMP Key Exchange Payload: 196
Apr 24 00:41:43 fw pluto[6021]: | ***emit ISAKMP Nonce Payload:
Apr 24 00:41:43 fw pluto[6021]: | next payload type: ISAKMP_NEXT_NONE
Apr 24 00:41:43 fw pluto[6021]: | emitting 16 raw bytes of Nr into ISAKMP Nonce Payload
Apr 24 00:41:43 fw pluto[6021]: | Nr 20 c3 c2 cf c9 86 2c a0 3b 63 8d 6c 02 ef 59 e4
Apr 24 00:41:43 fw pluto[6021]: | emitting length of ISAKMP Nonce Payload: 20
Apr 24 00:41:43 fw pluto[6021]: | emitting length of ISAKMP Message: 244
Apr 24 00:41:43 fw pluto[6021]: | compute_dh_shared(): time elapsed (OAKLEY_GROUP_MODP1536): 8063 usec
Apr 24 00:41:43 fw pluto[6021]: | DH shared secret:
[snip]
Apr 24 00:41:43 fw pluto[6021]: "glhq-daxhome"[1] 67.161.218.32 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 24 00:41:43 fw pluto[6021]: | sending 244 bytes for STATE_MAIN_R1 through eth0 to 67.161.218.32:500:
[snip]
Apr 24 00:41:43 fw pluto[6021]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Apr 24 00:41:43 fw pluto[6021]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Apr 24 00:41:43 fw pluto[6021]: |
Apr 24 00:41:43 fw pluto[6021]: | *received 396 bytes from 67.161.218.32:500 on eth0
[snip]
Apr 24 00:41:43 fw pluto[6021]: | **parse ISAKMP Message:
Apr 24 00:41:43 fw pluto[6021]: | initiator cookie:
Apr 24 00:41:43 fw pluto[6021]: | 95 d2 45 fc 2c 52 3b 5d
Apr 24 00:41:43 fw pluto[6021]: | responder cookie:
Apr 24 00:41:43 fw pluto[6021]: | 19 74 c6 ec 58 f1 ea 4f
Apr 24 00:41:43 fw pluto[6021]: | next payload type: ISAKMP_NEXT_ID
Apr 24 00:41:43 fw pluto[6021]: | ISAKMP version: ISAKMP Version 1.0
Apr 24 00:41:43 fw pluto[6021]: | exchange type: ISAKMP_XCHG_IDPROT
Apr 24 00:41:43 fw pluto[6021]: | flags: ISAKMP_FLAG_ENCRYPTION
Apr 24 00:41:43 fw pluto[6021]: | message ID: 00 00 00 00
Apr 24 00:41:43 fw pluto[6021]: | length: 396
Apr 24 00:41:43 fw pluto[6021]: | ICOOKIE: 95 d2 45 fc 2c 52 3b 5d
Apr 24 00:41:43 fw pluto[6021]: | RCOOKIE: 19 74 c6 ec 58 f1 ea 4f
Apr 24 00:41:43 fw pluto[6021]: | peer: 43 a1 da 20
Apr 24 00:41:43 fw pluto[6021]: | state hash entry 29
Apr 24 00:41:43 fw pluto[6021]: | peer and cookies match on #1, provided msgid 00000000 vs 00000000
Apr 24 00:41:43 fw pluto[6021]: | state object #1 found, in STATE_MAIN_R2
Apr 24 00:41:43 fw pluto[6021]: | received encrypted packet from 67.161.218.32:500
Apr 24 00:41:43 fw pluto[6021]: | decrypting 368 bytes using algorithm OAKLEY_3DES_CBC
Apr 24 00:41:43 fw pluto[6021]: | decrypted:
[snip]
Apr 24 00:41:44 fw pluto[6021]: | ***parse ISAKMP Identification Payload:
Apr 24 00:41:44 fw pluto[6021]: | next payload type: ISAKMP_NEXT_SIG
Apr 24 00:41:44 fw pluto[6021]: | length: 90
Apr 24 00:41:44 fw pluto[6021]: | ID type: ID_DER_ASN1_DN
Apr 24 00:41:44 fw pluto[6021]: | DOI specific A: 0
Apr 24 00:41:44 fw pluto[6021]: | DOI specific B: 0
Apr 24 00:41:44 fw pluto[6021]: | ***parse ISAKMP Signature Payload:
Apr 24 00:41:44 fw pluto[6021]: | next payload type: ISAKMP_NEXT_NONE
Apr 24 00:41:44 fw pluto[6021]: | length: 278
Apr 24 00:41:44 fw pluto[6021]: | DER ASN1 DN: 30 50 31 0b 30 09 06 03 55 04 06 13 02 55 53 31
Apr 24 00:41:44 fw pluto[6021]: | 0d 30 0b 06 03 55 04 08 13 04 55 74 61 68 31 12
Apr 24 00:41:44 fw pluto[6021]: | 30 10 06 03 55 04 0a 13 09 47 75 72 75 20 4c 61
Apr 24 00:41:44 fw pluto[6021]: | 62 73 31 1e 30 1c 06 03 55 04 03 13 15 69 6e 74
Apr 24 00:41:44 fw pluto[6021]: | 72 75 64 65 72 2e 67 75 72 75 6c 61 62 73 2e 63
Apr 24 00:41:44 fw pluto[6021]: | 6f 6d
Apr 24 00:41:44 fw pluto[6021]: "glhq-daxhome"[1] 67.161.218.32 #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=Utah, O=Guru Labs, CN=intruder.gurulabs.com'
Apr 24 00:41:44 fw pluto[6021]: | refine_connection: starting with glhq-daxhome
Apr 24 00:41:44 fw pluto[6021]: | offered CA: 'C=US, ST=Utah, L=West Bountiful, O=Guru Labs, OU=Guru Labs IPSec CA'
Apr 24 00:41:44 fw pluto[6021]: | hashing 144 bytes of SA
Apr 24 00:41:44 fw pluto[6021]: | required CA is '%any'
Apr 24 00:41:44 fw pluto[6021]: "glhq-daxhome"[1] 67.161.218.32 #1: no RSA public key known for 'C=US, ST=Utah, O=Guru Labs, CN=intruder.gurulabs.com'
Apr 24 00:41:44 fw pluto[6021]: | state transition function for STATE_MAIN_R2 failed: INVALID_KEY_INFORMATION
Apr 24 00:41:44 fw pluto[6021]: | next event EVENT_RETRANSMIT in 9 seconds for #1
Apr 24 00:41:53 fw pluto[6021]: |
Apr 24 00:41:53 fw pluto[6021]: | *time to handle event
[snip]