[Openswan Users]
SuperFreeS/Wan and SafeNet High Assurance Remote (fwd)
Lists CC
lists at itcserra.net
Sun Dec 5 13:45:43 CET 2004
Hello,
Since I have been working happily with the latest Linux SuperFreeS/WAN version and
SafeNet High Assurance Remote Windows clients with preshared keys, I am now
experiencing some problems connecting with X.509 certificates.
I have set up my certification authority with the CA.sh script and created the
server certificate.
I then made a certificate request from the Windows client and signed it on the
Linux machine with the CA.
I then set up the ipsec.secrets file by putting in "serverkey : RSA", and I set
up the roadwarrior connection in ipsec.conf in this way:

conn certificati
        authby=rsasig
        left=xxx.xxx.xxx.xxx
        leftnexthop=xxx.xxx.xxx.xxx
        leftcert=hub.XXX.lan.pem
        leftsubnet=192.168.1.0/24
        right=%any
        rightsubnetwithin=10.10.10.0/24
        rightcert=lapconsulting.pem
        auto=add
        pfs=yes
I connect from the client (I have tried both from behind NAT and from a static
Internet IP address) and after some negotiation it results in an error called
"ignoring informational payload, type INVALID_ID_INFORMATION".
Here is the output of ipsec barf:
Dec 5 14:42:41 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: responding to Main Mode from unknown peer xx.xx.xx.xx
Dec 5 14:42:42 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: ignoring Vendor ID payload [47bbe7c993f1fc13...]
Dec 5 14:42:42 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: ignoring Vendor ID payload [da8e937880010000]
Dec 5 14:42:42 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: received Vendor ID payload [Dead Peer Detection]
Dec 5 14:42:42 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: ignoring Vendor ID payload [XAUTH]
Dec 5 14:42:42 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Dec 5 14:42:43 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: ignoring informational payload, type IPSEC_REPLAY_STATUS
Dec 5 14:42:43 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Dec 5 14:42:43 flashstart pluto[22602]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Dec 5 14:42:43 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: Main mode peer ID is ID_DER_ASN1_DN: 'C=IT, ST=Italy, O=CC Sas, OU=MyConsulting, CN=Francesco Consulting'
Dec 5 14:42:43 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: deleting connection "certificati" instance with peer xx.xx.xx.xx
Dec 5 14:42:43 flashstart pluto[22602]: "certificati" #27: deleting state (STATE_MAIN_R3)
Dec 5 14:42:43 flashstart pluto[22602]: | NAT-T: new mapping xx.xx.xx.xx:500/4500)
Dec 5 14:42:43 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx:4500 #30: sent MR3, ISAKMP SA established
Dec 5 14:42:44 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx:4500 #30: ignoring informational payload, type INVALID_ID_INFORMATION
Dec 5 14:42:44 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx:4500 #30: received and ignored informational message
Perhaps the Windows client passes a malformed ID type?
Thank you in advance for your kind interest, best regards!
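The log in the post is the usual raw material for this kind of problem: the peer's Phase 1 identity, the point at which the ISAKMP SA is established, and a notification that arrives afterwards. The script below is an added example, not part of the original post or of Openswan itself. It parses pluto log lines of the shape shown above, groups them by IKE state number, records each state's peer ID and which informational payloads arrived before and after Phase 1 completed, and flags states that completed Phase 1 and then received INVALID_ID_INFORMATION, so the peer's identity can be compared with the subject of the certificate named in rightcert (or a rightid setting). The sample log is constructed and uses documentation addresses; the regular expressions are written against the line layout visible in the post and are an assumption for other pluto versions.

```python
"""Triage helper for Openswan/pluto IKEv1 logs (added example, not pluto code)."""
import re

# Constructed sample, modelled on the pluto lines in the post above.
# Two peers: #30 completes Phase 1 and then gets INVALID_ID_INFORMATION,
# #31 completes Phase 1 and proceeds to Quick Mode without complaint.
SAMPLE_LOG = """\
Dec 5 14:42:41 flashstart pluto[22602]: "certificati"[3] 203.0.113.5 #30: responding to Main Mode from unknown peer 203.0.113.5
Dec 5 14:42:42 flashstart pluto[22602]: "certificati"[3] 203.0.113.5 #30: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Dec 5 14:42:43 flashstart pluto[22602]: "certificati"[3] 203.0.113.5 #30: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Dec 5 14:42:43 flashstart pluto[22602]: "certificati"[3] 203.0.113.5 #30: Main mode peer ID is ID_DER_ASN1_DN: 'C=IT, ST=Italy, O=CC Sas, OU=MyConsulting, CN=Francesco Consulting'
Dec 5 14:42:43 flashstart pluto[22602]: "certificati" #27: deleting state (STATE_MAIN_R3)
Dec 5 14:42:43 flashstart pluto[22602]: | NAT-T: new mapping 203.0.113.5:500/4500)
Dec 5 14:42:43 flashstart pluto[22602]: "certificati"[3] 203.0.113.5:4500 #30: sent MR3, ISAKMP SA established
Dec 5 14:42:44 flashstart pluto[22602]: "certificati"[3] 203.0.113.5:4500 #30: ignoring informational payload, type INVALID_ID_INFORMATION
Dec 5 14:42:44 flashstart pluto[22602]: "certificati"[3] 203.0.113.5:4500 #30: received and ignored informational message
Dec 5 14:50:01 flashstart pluto[22602]: "certificati"[4] 198.51.100.7 #31: responding to Main Mode from unknown peer 198.51.100.7
Dec 5 14:50:02 flashstart pluto[22602]: "certificati"[4] 198.51.100.7 #31: Main mode peer ID is ID_DER_ASN1_DN: 'C=IT, O=Example, CN=good-client'
Dec 5 14:50:02 flashstart pluto[22602]: "certificati"[4] 198.51.100.7:4500 #31: sent MR3, ISAKMP SA established
Dec 5 14:50:03 flashstart pluto[22602]: "certificati"[4] 198.51.100.7:4500 #31: responding to Quick Mode
"""

# One pluto line: timestamp, host, pluto[pid], "conn"[instance], peer[:port], #state: message.
# Debug lines ("| ...") carry no connection or state and are skipped.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])?'
    r'(?: (?P<peer>\d+\.\d+\.\d+\.\d+)(?::(?P<port>\d+))?)?'
    r' #(?P<state>\d+): (?P<msg>.*)$'
)
PEER_ID_RE = re.compile(r"Main mode peer ID is (\w+): '([^']*)'")
NOTIFY_RE = re.compile(r"ignoring informational payload, type (\w+)")


def parse_line(line):
    """Return the fields of one pluto log line, or None if it is not a state line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Group log lines by IKE state number and summarise each state."""
    states = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        st = states.setdefault(rec['state'], {
            'conn': rec['conn'], 'peer': rec['peer'], 'peer_id': None,
            'established': False, 'notifications': [],  # (type, after_phase1)
        })
        if rec['peer']:
            st['peer'] = rec['peer']
        msg = rec['msg']
        idm = PEER_ID_RE.search(msg)
        if idm:
            st['peer_id'] = (idm.group(1), idm.group(2))
        if 'ISAKMP SA established' in msg:
            st['established'] = True
        nm = NOTIFY_RE.search(msg)
        if nm:
            st['notifications'].append((nm.group(1), st['established']))
    return states


def findings(states):
    """Return {state: finding} for states that finished Phase 1 and were then told INVALID_ID_INFORMATION."""
    out = {}
    for num, st in states.items():
        after = [kind for kind, post in st['notifications'] if post]
        if st['established'] and 'INVALID_ID_INFORMATION' in after:
            id_type, id_value = st['peer_id'] or ('?', '?')
            out[num] = (f"conn {st['conn']} peer {st['peer']}: Phase 1 completed with "
                        f"{id_type} '{id_value}', then the peer sent INVALID_ID_INFORMATION; "
                        "compare this ID with the subject of the certificate in rightcert "
                        "or with rightid on this connection")
    return out


if __name__ == '__main__':
    for num, text in findings(triage(SAMPLE_LOG)).items():
        print(f"#{num}: {text}")
```

Run it on the output of ipsec barf instead of SAMPLE_LOG by reading the file and passing its text to triage(); the only state it reports for the constructed sample is #30, together with the DN the Windows client presented.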