[Openswan Users] weird cert reject but can connect? anyone?

hallian hallian hallian at hotmail.com
Wed Jun 30 21:46:22 CEST 2004


hello all -

I see this weird message about Issuer cert CA not found and a rejected X.509 
cert, but I'm still able to connect and ping/map drives etc. This is very 
peculiar, and I'm wondering why this is happening. Has anyone seen this 
before?

thanks
hallian

--------- barf last output ----------------
Jun 30 19:32:30 gateway pluto[2993]: packet from 209.135.133.92:500: Informational Exchange is for an unknown (expired?) SA
Jun 30 19:32:35 gateway pluto[2993]: packet from 209.135.133.92:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1: responding to Main Mode from unknown peer 209.135.133.92
Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=NW, O=Consulting, OU=Information Technology, CN=pdesai, E=supportvpn at v.com'
Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1: Issuer CA certificate not found
Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1: X.509 certificate rejected
Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1: sent MR3, ISAKMP SA established
Jun 30 19:32:36 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #2: responding to Quick Mode
Jun 30 19:32:36 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #2: prepare-client output: SIOCDELRT: No such process
Jun 30 19:32:36 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #2: prepare-client command exited with status 7
Jun 30 19:32:36 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #2: IPsec SA established


----------- ipsec auto --status ------------

000 #5: "pdesai-net"[1] 209.135.133.92 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3325s; newest ISAKMP
000 #4: "pdesai-net"[1] 209.135.133.92 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1353s
000 #4: "pdesai-net"[1] 209.135.133.92 esp.a21195c4 at 209.135.133.92 esp.15289549 at 68.108.105.34 tun.1004 at 209.135.133.92 tun.1003 at 68.108.105.34

---my /etc/ipsec.conf
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        nat_traversal=no
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.0.0.0/24

conn %default
        keyingtries=0
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=%defaultroute
        leftcert=office-network-pub.pem
        leftupdown=/usr/local/lib/ipsec/v_updown
        pfs=yes

conn pdesai
        right=%any
        rightcert=pdesai-pub.pem
        keyingtries=2
        keylife=30m
        leftsubnet=10.0.0.0/24
        auto=add

conn pdesai-net
        right=%any
        rightcert=pdesai-pub.pem
        rightsubnet=vhost:%no,%priv
        keyingtries=2
        keylife=30m
        leftsubnet=10.0.0.0/24
        auto=add
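
Added example (not part of the original post, and not Openswan code): a log check for the sequence in the barf output above, where `X.509 certificate rejected` is followed by `ISAKMP SA established` on the same connection, peer and state. The function names, the constructed `other-net` entry and the treatment of the preceding entry as the rejection reason are assumptions.

```python
import re

# A syslog timestamp starts a real entry; other lines are mail-wrapped tails.
TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# pluto[pid]: "conn"[instance] peer #state: message
STATE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? '
                      r"(?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$")

# "pdesai-net" entries are from the post (wrapped as mailed); "other-net" is constructed.
SAMPLE_LOG = '''\
Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1:
Issuer CA certificate not found
Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1:
X.509 certificate rejected
Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1: sent
MR3, ISAKMP SA established
Jun 30 19:32:36 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #2:
IPsec SA established
Jun 30 19:40:01 gateway pluto[2993]: "other-net"[1] 192.0.2.10 #7: sent
MR3, ISAKMP SA established
'''

def unwrap(text):
    """Re-join wrapped continuation lines onto the entry they belong to."""
    entries = []
    for raw in text.splitlines():
        if TS_RE.match(raw) or not entries:
            entries.append(raw.rstrip())
        elif raw.strip():
            entries[-1] += " " + raw.strip()
    return entries

def rejected_but_established(text):
    """Return (conn, peer, state, reason) for each ISAKMP SA established after a
    certificate rejection on the same state. Assumption: the entry logged just
    before the rejection is its reason, as in the post's log."""
    rejected, last_msg, findings = {}, {}, []
    for m in filter(None, map(STATE_RE.search, unwrap(text))):
        key = (m["conn"], m["peer"], int(m["state"]))
        msg = m["msg"]
        if msg == "X.509 certificate rejected":
            rejected[key] = last_msg.get(key, "unknown")
        elif "ISAKMP SA established" in msg and key in rejected:
            findings.append(key + (rejected[key],))
        last_msg[key] = msg
    return findings

if __name__ == "__main__":
    for conn, peer, state, why in rejected_but_established(SAMPLE_LOG):
        print(f"{conn} {peer} #{state}: SA up after cert reject ({why})")
```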
