[Openswan Users] path to madness

Eric S. Johansson esj at harvee.org
Fri Dec 17 17:58:17 CET 2004


Paul Wouters wrote:

> Okay, then the problem must be in certificates and/or ca?
> You can check with ipsec auto --listall to see all the information
> on the certificates. Check to see that your server has a private key
> loaded for its certificates.

verified that all of the keys exist, the issuer and subject fields match. 
I have certificates for rootca, host, and road warrior target.

> Also, at startup it might be rejecting the conn rjagetit, which would
> at least make me understand the error message better. If so, it is
> probably telling you why it failed to load the conn. (or --add it 
> again to see the error again)

all I get on every connection attempt is 3 messages.

Dec 17 11:56:42 t2cop pluto[662]: packet from 68.194.142.248:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Dec 17 11:56:42 t2cop pluto[662]: packet from 68.194.142.248:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Dec 17 11:56:42 t2cop pluto[662]: packet from 68.194.142.248:500: initial Main Mode message received on 69.18.163.107:500 but no connection has been authorized with policy=RSASIG

which brings me back to the original query which is "how do I get IPSec 
to tell me more about why it's failing", what is it looking for in the 
connection that it is not seeing (looking for Mr. GoodVPN? ;-).

Also, I'm not sure I understand what you mean by --add.  If you meant 
ipsec auto --add rjagerlt, it gave me a message about an attempt to 
redefine the connection.  If you use replace instead of add, you get the 
following log messages:

Dec 17 17:54:02 t2cop pluto[662]: attempt to redefine connection "rjagerlt"
Dec 17 17:54:30 t2cop pluto[662]: "rjagerlt": deleting connection
Dec 17 17:54:30 t2cop pluto[662]: | from whack: got --esp=3des
Dec 17 17:54:30 t2cop pluto[662]: | from whack: got --ike=3des
Dec 17 17:54:30 t2cop pluto[662]:   loaded host cert file '/var/ipcop/certs/hostcert.pem' (1489 bytes)
Dec 17 17:54:30 t2cop pluto[662]:   loaded host cert file '/var/ipcop/certs/rjagerltcert.pem' (1468 bytes)
Dec 17 17:54:30 t2cop pluto[662]: added connection description "rjagerlt"


thanks again for the help.  Let me know if you need any additional 
information like the rather verbose output of --listall.

---eric

-- 
http://www.salon.com/mwt/feature/2004/12/15/williams/index.html

But if that's what we rely on [private and home schools], we
rely on something less than a notion of universal access and something
other than a system that unsettles a class system. If private schools
and home schooling are all we have, we have a much more static
society, rooted in generational class stasis.
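The three pluto messages quoted in the post are the only clue the server gives, so a small log triage helper is useful when more than one road warrior is involved. The following is an added example, not code from the post or from the Openswan project: it parses "packet from" lines, groups the announced Vendor IDs per peer, counts "no connection has been authorized" rejections per (peer, local address, policy), and turns a rejection into the checks Paul suggests above (ipsec auto --listall, a private key loaded for the host cert, issuer matching the CA). The sample log lines are constructed, modelled on the quoted ones with made-up hosts and addresses; the handling of a non-RSASIG policy value is a generalization beyond what the thread shows.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of pluto log lines, modelled on the ones quoted in the
# post above; hostname, timestamps and addresses are made up for this example.
SAMPLE_LOG = """\
Dec 17 11:56:42 t2cop pluto[662]: packet from 198.51.100.17:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Dec 17 11:56:42 t2cop pluto[662]: packet from 198.51.100.17:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Dec 17 11:56:42 t2cop pluto[662]: packet from 198.51.100.17:500: initial Main Mode message received on 203.0.113.5:500 but no connection has been authorized with policy=RSASIG
Dec 17 11:57:10 t2cop pluto[662]: packet from 198.51.100.44:500: initial Main Mode message received on 203.0.113.5:500 but no connection has been authorized with policy=PSK
Dec 17 11:58:01 t2cop pluto[662]: "rjagerlt": deleting connection
Dec 17 11:58:01 t2cop pluto[662]: added connection description "rjagerlt"
"""

PACKET_RE = re.compile(
    r"pluto\[\d+\]: packet from (?P<peer>[\d.]+):(?P<peer_port>\d+): (?P<msg>.*)$"
)
VENDOR_RE = re.compile(r"received Vendor ID payload \[(?P<vid>[^\]]+)\]")
REJECT_RE = re.compile(
    r"initial (?P<mode>Main|Aggressive) Mode message received on "
    r"(?P<local>[\d.]+):(?P<local_port>\d+) but no connection has been "
    r"authorized with policy=(?P<policy>\S+)"
)


def parse_pluto_log(text):
    """Return one event dict per 'packet from' line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = PACKET_RE.search(line)
        if not m:
            continue
        event = {"peer": m.group("peer"), "msg": m.group("msg"), "kind": "other"}
        v = VENDOR_RE.search(event["msg"])
        r = REJECT_RE.search(event["msg"])
        if v:
            event["kind"] = "vendor_id"
            event["vid"] = v.group("vid")
        elif r:
            event["kind"] = "rejected"
            event.update(mode=r.group("mode"), local=r.group("local"),
                         policy=r.group("policy"))
        events.append(event)
    return events


def vendor_ids_by_peer(events):
    """Vendor IDs each peer announced, in the order they were seen."""
    vids = defaultdict(list)
    for e in events:
        if e["kind"] == "vendor_id":
            vids[e["peer"]].append(e["vid"])
    return dict(vids)


def summarize_rejections(events):
    """Count 'no connection authorized' rejections per (peer, local address, policy)."""
    return Counter(
        (e["peer"], e["local"], e["policy"]) for e in events if e["kind"] == "rejected"
    )


def diagnose(event):
    """Turn a rejection event into the checks suggested in the thread above."""
    if event["kind"] != "rejected":
        return "not a rejection"
    hint = (
        f"peer {event['peer']} reached {event['local']} with {event['mode']} Mode, "
        f"but no loaded conn matched it with policy={event['policy']}: "
        "run 'ipsec auto --listall' and confirm the conn loaded; "
    )
    if event["policy"] == "RSASIG":
        hint += ("confirm the host has a private key for its certificate and that "
                 "the peer certificate's issuer matches the loaded CA")
    else:
        # Generalization beyond the thread: same idea for other auth methods.
        hint += "confirm a loaded conn for this peer uses the same authentication method"
    return hint


if __name__ == "__main__":
    evs = parse_pluto_log(SAMPLE_LOG)
    for key, n in summarize_rejections(evs).items():
        print(key, n)
    for e in evs:
        if e["kind"] == "rejected":
            print(diagnose(e))
```

Feed it the raw syslog or /var/log/secure text; each (peer, local address, policy) row that keeps recurring is a peer whose conn never loaded or whose right/rightid, certificate or authby does not match what pluto has in memory, which narrows what to look for in the --listall output.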

