[Openswan Users] SuperFreeS/Wan and SafeNet High Assurance Remote
Lists CC
lists at itcserra.net
Wed Dec 8 10:48:33 CET 2004
Hello,
since i am working happily with Linux latest SuperFReeS/Wan version and
SafeNet HIGH Assurance Remote Windows clients with preshared keys, now i
am experiencing some problems by connecting with X509 certificates.
I have setup, with CA.sh script, my certification Authority and created
the server certificate.
I have then made a certificate request from the Windows Client and signed
into the Linux machine by the CA Authority.
conn certificati
authby=rsasig
left=xxx.xxx.xxx.xxx
leftnexthop=xxx.xxx.xxx.xxx
leftcert=hub.XXX.lan.pem
leftsubnet=192.168.1.0/24
right=%any
rightsubnetwithin=10.10.10.0/24
rightcert=lapconsulting.pem
auto=add
pfs=yes
I then have setup the ipsec.secrets file by putting the serverkey : RSA
and i have setup the roadwarriors connection in ipsec.conf in this way.
I connect from the client (i have tried both under NAT and from a static
internet IP address) and after some negotiation it result an error called
"ignoring informational payload, type INVALID_ID_INFORMATION".
Here is the output of ipsec barf:
Dec 5 14:42:41 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30:
responding to Main Mode from unknown peer xx.xx.xx.xx
Dec 5 14:42:42 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30:
ignoring Vendor ID payload [47bbe7c993f1fc13...]
Dec 5 14:42:42 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30:
ignoring Vendor ID payload [da8e937880010000]
Dec 5 14:42:42 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30:
received Vendor ID payload [Dead Peer Detection]
Dec 5 14:42:42 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30:
ignoring Vendor ID payload [XAUTH]
Dec 5 14:42:42 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is
NATed
Dec 5 14:42:43 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30:
ignoring informational payload, type IPSEC_REPLAY_STATUS
Dec 5 14:42:43 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30:
ignoring informational payload, type IPSEC_INITIAL_CONTACT
Dec 5 14:42:43 flashstart pluto[22602]: | protocol/port in Phase 1 ID
Payload is 17/0. accepted with port_floating NAT-T
Dec 5 14:42:43 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30:
Main mode peer ID is ID_DER_ASN1_DN: 'C=IT, ST=Italy, O=CC Sas,
OU=MyConsulting, CN=Francesco Consulting'
Dec 5 14:42:43 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx #30:
deleting connection "certificati" instance with peer xx.xx.xx.xx
Dec 5 14:42:43 flashstart pluto[22602]: "certificati" #27: deleting state
(STATE_MAIN_R3)
Dec 5 14:42:43 flashstart pluto[22602]: | NAT-T: new mapping
xx.xx.xx.xx:500/4500)
Dec 5 14:42:43 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx:4500
#30: sent MR3, ISAKMP SA established
Dec 5 14:42:44 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx:4500
#30: ignoring informational payload, type INVALID_ID_INFORMATION
Dec 5 14:42:44 flashstart pluto[22602]: "certificati"[3] xx.xx.xx.xx:4500
#30: received and ignored informational message
Perhaps the Windows Client pass a malformed IT type?
Thank you in advance for your kind interest, best regards!
Francesco
More information about the Users
mailing list