[Openswan Users] weird cert reject but can connect? anyone?

Andreas Steffen andreas.steffen at strongsec.net
Thu Jul 1 08:24:30 CEST 2004


The reason for this apparently strange behaviour is the fact that you
load the peer's certificate locally:

 >   rightcert=pdesai-pub.pem

By doing this you put direct trust into the host certificate without
the need of a CA certificate. The peer's public key is extracted from
the host certificate and put into the cache of public keys:

    ipsec auto --listpubkeys

During IKE negotiation the peer also sends its certificate as part of
the Main Mode protocol. Since no matching CA certificate can be found,
the received certificate is rejected:

 > Issuer CA certificate not found
 > X.509 certificate rejected

Nevertheless, a connection is successfully established because you
already provided the public key locally.

Regards

Andreas

hallian hallian wrote:
> hello all -
> 
> I see this weird message... about Issuer cert CA not found and reject 
> your x509 cert, but still I'm able to connect and ping/map drive 
> etc... This is very peculiar... and wondering why this is 
> happening... anyone seen this before?
> 
> thanks
> hallian
> 
> --------- barf last output ----------------
> Jun 30 19:32:30 gateway pluto[2993]: packet from 209.135.133.92:500: Informational Exchange is for an unknown (expired?) SA
> Jun 30 19:32:35 gateway pluto[2993]: packet from 209.135.133.92:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
> Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1: responding to Main Mode from unknown peer 209.135.133.92
> Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=NW, O=Consulting, OU=Information Technology, CN=pdesai, E=supportvpn at v.com'
> Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1: Issuer CA certificate not found
> Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1: X.509 certificate rejected
> Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1: sent MR3, ISAKMP SA established
> Jun 30 19:32:36 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #2: responding to Quick Mode
> Jun 30 19:32:36 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #2: prepare-client output: SIOCDELRT: No such process
> Jun 30 19:32:36 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #2: prepare-client command exited with status 7
> Jun 30 19:32:36 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #2: IPsec SA established
> 
> 
> ----------- ipsec auto --status ------------
> 
> 000 #5: "pdesai-net"[1] 209.135.133.92 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3325s; newest ISAKMP
> 000 #4: "pdesai-net"[1] 209.135.133.92 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1353s
> 000 #4: "pdesai-net"[1] 209.135.133.92 esp.a21195c4 at 209.135.133.92 esp.15289549 at 68.108.105.34 tun.1004 at 209.135.133.92 tun.1003 at 68.108.105.34
> 
> ---my /etc/ipsec.conf
> config setup
>        interfaces=%defaultroute
>        klipsdebug=none
>        plutodebug=none
>        plutoload=%search
>        plutostart=%search
>        uniqueids=yes
>        nat_traversal=no
>        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.0.0.0/24
> 
> 
> conn %default
>        keyingtries=0
>        compress=yes
>        disablearrivalcheck=no
>        authby=rsasig
>        leftrsasigkey=%cert
>        rightrsasigkey=%cert
>        left=%defaultroute
>        leftcert=office-network-pub.pem
>        leftupdown=/usr/local/lib/ipsec/v_updown
>        pfs=yes
> 
> conn pdesai
>        right=%any
>        rightcert=pdesai-pub.pem
>        keyingtries=2
>        keylife=30m
>        leftsubnet=10.0.0.0/24
>        auto=add
> 
> conn pdesai-net
>        right=%any
>        rightcert=pdesai-pub.pem
>        rightsubnet=vhost:%no,%priv
>        keyingtries=2
>        keylife=30m
>        leftsubnet=10.0.0.0/24
>        auto=add

=======================================================================
Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
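The two trust paths Andreas describes can be reproduced outside pluto with openssl. The script below is an added example, not code from the original post or from Openswan: it builds a throwaway CA and a peer certificate issued by it, then shows (1) the chain check pluto applies to the certificate received in Main Mode, which fails when no CA certificate is loaded and succeeds when the issuer is present, and (2) the direct-trust comparison that rightcert= amounts to, where only the public key lifted from the locally loaded file matters. The names demo-ca and pdesai-demo, the temporary work directory and the helper function names are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post or from Openswan: it
# reproduces the two trust decisions described in the reply with a
# throwaway CA and peer certificate made by openssl.  The names demo-ca and
# pdesai-demo, the work directory and the helper names are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway issuing CA, standing in for the CA that signed pdesai-pub.pem.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -sha256 \
    -subj "/C=US/O=Consulting/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Peer certificate issued by that CA: the file rightcert= points at, and
# also the certificate the peer sends during Main Mode.
openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/O=Consulting/CN=pdesai-demo" \
    -keyout "$WORK/peer.key" -out "$WORK/peer.csr" >/dev/null 2>&1
openssl x509 -req -days 2 -sha256 -in "$WORK/peer.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/peer.pem" >/dev/null 2>&1

# An empty bundle models a gateway with no CA certificate loaded
# (Openswan reads its CA certificates from /etc/ipsec.d/cacerts/).
: > "$WORK/no-cacerts.pem"

# Path 1: the check pluto applies to the certificate received in Main Mode.
# $1 = received certificate, $2 = bundle of loaded CA certificates.
# Prints "accepted" when the issuer is found, "rejected" otherwise, which
# is the log's "Issuer CA certificate not found / X.509 certificate rejected".
verify_received_cert() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# Path 2: direct trust via rightcert=.  The public key is extracted from the
# locally loaded certificate (what ipsec auto --listpubkeys shows) and the
# peer authenticates by proving possession of that key; no CA is consulted.
# $1 = locally loaded certificate, $2 = certificate presented by the peer.
# Prints "match" if both carry the same public key, "mismatch" otherwise.
pubkey_of() {
    openssl x509 -in "$1" -noout -pubkey
}
direct_trust_check() {
    if [ "$(pubkey_of "$1")" = "$(pubkey_of "$2")" ]; then
        echo match
    else
        echo mismatch
    fi
}

echo "received cert, no CA loaded:     $(verify_received_cert "$WORK/peer.pem" "$WORK/no-cacerts.pem")"
echo "received cert, issuer CA loaded: $(verify_received_cert "$WORK/peer.pem" "$WORK/ca.pem")"
echo "rightcert key vs peer's key:     $(direct_trust_check "$WORK/peer.pem" "$WORK/peer.pem")"
echo "rightcert key vs some other key: $(direct_trust_check "$WORK/peer.pem" "$WORK/ca.pem")"
```

The first line of output corresponds to the configuration in the post: the received certificate is rejected, yet the tunnel comes up because the key from rightcert= is already trusted. If the intent is for pluto to validate what the peer actually presents, the issuer's certificate belongs in /etc/ipsec.d/cacerts/ (ipsec auto --listcacerts shows what is loaded), at which point the "X.509 certificate rejected" line disappears; with rightcert= alone, the contents of the certificate the peer sends play no part in authentication.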

