[Openswan Users]
OS 2.1.2rc5: cannot identify ourselves with either end of this
connection.
Anatoly Ershov
age at hotbox.ru
Thu Jun 10 14:04:02 CEST 2004
When establishing a direct conn, everything goes right. The problem
appears when I (172.16.122.188) am sitting behind natting ISP
(213.251.198.222 is his public IP) and trying to initiate a host-host
connection to my security gw (212.12.66.230, same OpenSwan 2.1.2rc5 with
nat-t enabled). On my client side, I can't explain to ipsec who he is:
ipsec whack --name test1 --host 213.251.198.222 --id 'C=RU, ST=Russian
Federation, O=TTC Ostankino, OU=IPSec, CN=phantom.telecenter.ru' --cert
/etc/ipsec.d/certs/my --client 172.16.122.188/32 --to --host
212.12.66.230 --ca 'C=RU, ST=Russian Federation, L=Moscow, O=TTC
Ostankino, OU=Certificate Authority, CN=TTC Ostankino Root
CA/emailAddress=ca at ca.telecenter.ru' --encrypt --tunnel --compress
--rsasig --psk
002 loaded host cert file '/etc/ipsec.d/certs/my' (10612 bytes)
002 added connection description "test1"
ipsec whack --status
000 interface ipsec0/ppp0 172.16.122.188
000 interface ipsec0/ppp0 172.16.122.188
000 %myid = C=RU, ST=Russian Federation, O=TTC Ostankino, OU=IPSec,
CN=phantom.telecenter.ru
000 debug
raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal
000
000 "test1": 172.16.122.188/32===213.251.198.222[C=RU, ST=Russian
Federation, O=TTC Ostankino, OU=IPSec,
CN=phantom.telecenter.ru]...212.12.66.230; unrouted; eroute owner: #0
000 "test1": CAs: 'C=RU, ST=Russian Federation, L=Moscow, O=TTC
Ostankino, OU=Certificate Authority, CN=TTC Ostankino Root CA,
E=ca at ca.telecenter.ru'...'C=RU, ST=Russian Federation, L=Moscow, O=TTC
Ostankino, OU=Certificate Authority, CN=TTC Ostankino Root CA,
E=ca at ca.telecenter.ru'
000 "test1": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 3
000 "test1": policy: PSK+RSASIG+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32;
interface: ;
000 "test1": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000
ipsec whack --initiate --name test1
022 "test1": We cannot identify ourselves with either end of this
connection.
===============
Neither local ip (172.16.122.188), nor hostname == CN
(phantom.telecenter.ru), nor my isp's public ip (213.251.198.222) as a
value of "myid" would help.
Here is my barf output: http://age.pp.ru/barf.phantom.os2.1.2rc5.bz2
I guess, I should upgrade to the release 2.1.2 version? :-)
Sincerely,
Anatoly
More information about the Users
mailing list