[Openswan Users] OS 2.1.2rc5: cannot identify ourselves with either end of this connection.

Anatoly Ershov ershov at nice.ru
Thu Jun 10 16:36:21 CEST 2004


When establishing a direct conn, everything goes right. The problem
appears when I (172.16.122.188) am sitting behind a NATting ISP
(213.251.198.222 is its public IP) and trying to initiate a host-host
connection to my security gw (212.12.66.230, same OpenSwan 2.1.2rc5 with
NAT-T enabled). On my client side, I can't explain to ipsec who he is:


ipsec whack --name test1 --host 213.251.198.222 --id 'C=RU, ST=Russian
Federation, O=TTC Ostankino, OU=IPSec, CN=phantom.telecenter.ru' --cert
/etc/ipsec.d/certs/my --client 172.16.122.188/32 --to --host
212.12.66.230 --ca 'C=RU, ST=Russian Federation, L=Moscow, O=TTC
Ostankino, OU=Certificate Authority, CN=TTC Ostankino Root
CA/emailAddress=ca at ca.telecenter.ru' --encrypt --tunnel --compress
--rsasig --psk
002   loaded host cert file '/etc/ipsec.d/certs/my' (10612 bytes)
002 added connection description "test1"

ipsec whack --status
000 interface ipsec0/ppp0 172.16.122.188
000 interface ipsec0/ppp0 172.16.122.188
000 %myid = C=RU, ST=Russian Federation, O=TTC Ostankino, OU=IPSec,
CN=phantom.telecenter.ru
000 debug
raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal
000
000 "test1": 172.16.122.188/32===213.251.198.222[C=RU, ST=Russian
Federation, O=TTC Ostankino, OU=IPSec,
CN=phantom.telecenter.ru]...212.12.66.230; unrouted; eroute owner: #0
000 "test1":   CAs: 'C=RU, ST=Russian Federation, L=Moscow, O=TTC
Ostankino, OU=Certificate Authority, CN=TTC Ostankino Root CA,
E=ca at ca.telecenter.ru'...'C=RU, ST=Russian Federation, L=Moscow, O=TTC
Ostankino, OU=Certificate Authority, CN=TTC Ostankino Root CA,
E=ca at ca.telecenter.ru'
000 "test1":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 3
000 "test1":   policy: PSK+RSASIG+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32;
interface: ;
000 "test1":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000

ipsec whack --initiate --name test1
022 "test1": We cannot identify ourselves with either end of this
connection.


===============
Neither the local IP (172.16.122.188), nor the hostname == CN
(phantom.telecenter.ru), nor my ISP's public IP (213.251.198.222) as a
value of "myid" helps.


Here is my barf output: http://age.pp.ru/barf.phantom.os2.1.2rc5.bz2
Any idea? I guess I should upgrade to the release 2.1.2 version? :-)

Sincerely,
Anatoly
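Added example, not part of the original post and not Openswan's own code: a small Python model of the orientation step that `ipsec whack --initiate` depends on. Pluto compares each end's --host address with the addresses it found on local interfaces; if neither end matches, the connection stays unoriented (the status output above shows an empty "interface: ;" for "test1") and initiation fails with whack status 022 (RC_ORIENT), which is the message quoted in the post. The interface list, addresses and ID are copied from the post's `ipsec whack --status` output; the class and function names are this example's own, and the "orientable" variant is what the model predicts would orient, not a fix confirmed on the author's machine.

```python
"""How pluto decides which end of a connection is "us" (orientation).

Added example for this thread; it is not Openswan code and not part of the
original post.  It models, in simplified form, the check `ipsec whack
--initiate` depends on: each end's --host address is compared with the
addresses pluto found on local interfaces.  If neither end matches, the
connection stays unoriented and initiation fails with whack status 022
(RC_ORIENT).  Addresses and the ID are copied from the post; the class and
function names are this example's own.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable, Optional, Tuple

RC_ORIENT = 22  # whack return code, printed as "022" in front of the message


@dataclass(frozen=True)
class End:
    host: IPv4Address   # the --host address of this end
    ident: str          # the --id value (the X.509 DN in the post)
    client: str = ""    # the --client subnet, if any


@dataclass(frozen=True)
class Connection:
    name: str
    this: End           # the end given before --to
    that: End           # the end given after --to


def orient(conn: Connection, interfaces: Iterable[IPv4Address]) -> Optional[Connection]:
    """Return conn with `this` as the local end, or None if no end is local.

    As in pluto, the ends are swapped when only the --to side matches one of
    our interface addresses, and a connection whose two ends both match is
    rejected outright.
    """
    addrs = set(interfaces)
    this_local = conn.this.host in addrs
    that_local = conn.that.host in addrs
    if this_local and that_local:
        raise ValueError(f'"{conn.name}": both sides of connection are our interface')
    if this_local:
        return conn
    if that_local:
        return Connection(conn.name, conn.that, conn.this)
    return None


def initiate(conn: Connection, interfaces: Iterable[IPv4Address]) -> Tuple[int, str]:
    """Mimic the outcome of `ipsec whack --initiate --name <conn>`.

    Returns (whack status code, message).  Only the orientation step is
    modelled; an oriented connection is reported as ready to negotiate.
    """
    oriented = orient(conn, interfaces)
    if oriented is None:
        return (RC_ORIENT,
                f'"{conn.name}": We cannot identify ourselves with either end of this connection.')
    return (0, f'"{conn.name}": oriented, local end {oriented.this.host} '
               f'-> peer {oriented.that.host}')


# From the post's `ipsec whack --status`: a single interface, ipsec0/ppp0.
INTERFACES = [IPv4Address("172.16.122.188")]
MY_ID = "C=RU, ST=Russian Federation, O=TTC Ostankino, OU=IPSec, CN=phantom.telecenter.ru"

# The connection as it was added: the local end carries the ISP's public
# address, which is not configured on any interface pluto can see.
POSTED = Connection(
    "test1",
    End(IPv4Address("213.251.198.222"), MY_ID, "172.16.122.188/32"),
    End(IPv4Address("212.12.66.230"), ""),
)

# Same connection with the local --host set to the ppp0 address.  In this
# model it orients; with NAT-T the peer would still see 213.251.198.222 as
# the packet source, but that is detected during IKE, not at this step.
ORIENTABLE = Connection(
    "test1",
    End(IPv4Address("172.16.122.188"), MY_ID, "172.16.122.188/32"),
    End(IPv4Address("212.12.66.230"), ""),
)

if __name__ == "__main__":
    for c in (POSTED, ORIENTABLE):
        code, msg = initiate(c, INTERFACES)
        print(f"{code:03d} {msg}")
```

Running it prints the 022 line for the connection as posted and a 000 line for the variant whose local end is the interface address; the real pluto additionally tracks which interface and port an oriented connection uses, which this model leaves out.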


