[Openswan Users] SuperFreeS/Wan and SafeNet High Assurance Remote

Lists CC lists at itcserra.net
Wed Dec 8 10:48:33 CET 2004


Hello, 

Since I have been working happily with the latest Linux SuperFreeS/Wan version and
SafeNet High Assurance Remote Windows clients with preshared keys, I am now
experiencing some problems connecting with X.509 certificates.

I have set up my certification authority with the CA.sh script and created
the server certificate.
I then made a certificate request from the Windows client and signed it on
the Linux machine with the CA.

conn certificati
   authby=rsasig
   left=xxx.xxx.xxx.xxx
   leftnexthop=xxx.xxx.xxx.xxx
   leftcert=hub.XXX.lan.pem
   leftsubnet=192.168.1.0/24
   right=%any
   rightsubnetwithin=10.10.10.0/24
   rightcert=lapconsulting.pem
   auto=add
   pfs=yes 

I then set up the ipsec.secrets file by putting in the server key (: RSA)
and set up the road warrior connection in ipsec.conf in the way shown above.

I connect from the client (I have tried both from behind NAT and from a static
Internet IP address) and after some negotiation it results in an error:
"ignoring informational payload, type INVALID_ID_INFORMATION".

Here is the output of ipsec barf: 

Dec  5 14:42:41 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: responding to Main Mode from unknown peer xx.xx.xx.xx
Dec  5 14:42:42 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: ignoring Vendor ID payload [47bbe7c993f1fc13...]
Dec  5 14:42:42 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: ignoring Vendor ID payload [da8e937880010000]
Dec  5 14:42:42 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: received Vendor ID payload [Dead Peer Detection]
Dec  5 14:42:42 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: ignoring Vendor ID payload [XAUTH]
Dec  5 14:42:42 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Dec  5 14:42:43 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: ignoring informational payload, type IPSEC_REPLAY_STATUS
Dec  5 14:42:43 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Dec  5 14:42:43 flashstart pluto[22602]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Dec  5 14:42:43 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: Main mode peer ID is ID_DER_ASN1_DN: 'C=IT, ST=Italy, O=CC Sas, OU=MyConsulting, CN=Francesco Consulting'
Dec  5 14:42:43 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: deleting connection "certificati" instance with peer xx.xx.xx.xx
Dec  5 14:42:43 flashstart pluto[22602]: "certificati" #27: deleting state (STATE_MAIN_R3)
Dec  5 14:42:43 flashstart pluto[22602]: | NAT-T: new mapping xx.xx.xx.xx:500/4500)
Dec  5 14:42:43 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx:4500 #30: sent MR3, ISAKMP SA established
Dec  5 14:42:44 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx:4500 #30: ignoring informational payload, type INVALID_ID_INFORMATION
Dec  5 14:42:44 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx:4500 #30: received and ignored informational message

Perhaps the Windows client passes a malformed ID type?

Thank you in advance for your kind interest, best regards! 

Francesco
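An added triage helper, not part of the original post or of Openswan: it reads pluto log lines like the ones quoted above (the sample below is constructed from them, with the mail-wrapped entries re-joined) and pulls out the Phase 1 peer ID, the NAT-T result, the ISAKMP SA number and every informational notification seen, then compares the peer's DN against a configured rightid (the expected_rightid value is an assumed input, not something the post states).

```python
import re

# Constructed sample: pluto lines from the post above, one log entry per line.
PLUTO_LOG = """\
Dec  5 14:42:41 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: responding to Main Mode from unknown peer xx.xx.xx.xx
Dec  5 14:42:42 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: received Vendor ID payload [Dead Peer Detection]
Dec  5 14:42:42 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Dec  5 14:42:43 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30: Main mode peer ID is ID_DER_ASN1_DN: 'C=IT, ST=Italy, O=CC Sas, OU=MyConsulting, CN=Francesco Consulting'
Dec  5 14:42:43 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx:4500 #30: sent MR3, ISAKMP SA established
Dec  5 14:42:44 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx:4500 #30: ignoring informational payload, type INVALID_ID_INFORMATION
"""

PEER_ID_RE = re.compile(r"Main mode peer ID is (\w+): '([^']*)'")
INFO_RE = re.compile(r"ignoring informational payload, type (\w+)")
NAT_RE = re.compile(r"NAT-Traversal: Result using \S+: (.*)$")
SA_RE = re.compile(r"#(\d+): sent MR3, ISAKMP SA established")


def parse_dn(dn):
    """Split an RDN string such as "C=IT, O=CC Sas" into an attribute -> value dict."""
    parts = [p.strip() for p in dn.split(",")]
    return dict(p.split("=", 1) for p in parts if "=" in p)


def triage(log, expected_rightid=None):
    """Summarise one Phase 1 exchange from pluto log lines.

    expected_rightid is the DN the responder is configured to accept (assumed
    input); when given, the peer's DN is compared against it attribute by attribute.
    """
    summary = {"peer_id_type": None, "peer_dn": None, "nat": None,
               "isakmp_sa": None, "notifies": []}
    for line in log.splitlines():
        if m := PEER_ID_RE.search(line):
            summary["peer_id_type"] = m.group(1)
            summary["peer_dn"] = parse_dn(m.group(2))
        elif m := INFO_RE.search(line):
            summary["notifies"].append(m.group(1))
        elif m := NAT_RE.search(line):
            summary["nat"] = m.group(1)
        elif m := SA_RE.search(line):
            summary["isakmp_sa"] = int(m.group(1))
    # INVALID_ID_INFORMATION here is a notification received from the peer after the
    # ISAKMP SA came up, so record it separately from the vendor-ID noise.
    summary["id_rejected_by_peer"] = "INVALID_ID_INFORMATION" in summary["notifies"]
    if expected_rightid is None or summary["peer_dn"] is None:
        summary["dn_matches_config"] = None
    else:
        summary["dn_matches_config"] = parse_dn(expected_rightid) == summary["peer_dn"]
    return summary
```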
