[Openswan Users] weird cert reject but can connect? anyone?
hallian hallian
hallian at hotmail.com
Wed Jun 30 22:36:57 CEST 2004
hello all -
I see this weird message...... about Issuer cert CA not found and reject
your x509 cert but still I'm able to connect and ping/map dirve etc......
This is very peculiar........ and wondering... why is this happening...
anyone seen this before?
thanks
hallian
--------- barf last output ----------------
Jun 30 19:32:30 gateway pluto[2993]: packet from 209.135.133.92:500:
Informational Exchange is for an unknown (expired?) SA
Jun 30 19:32:35 gateway pluto[2993]: packet from 209.135.133.92:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1:
responding to Main Mode from unknown peer 209.135.133.92
Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1: Main
mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=NW, O=Consulting, OU=Information
Technology, CN=pdesai, E=supportvpn at v.com'
Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1:
Issuer CA certificate not found
Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1:
X.509 certificate rejected
Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1: sent
MR3, ISAKMP SA established
Jun 30 19:32:36 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #2:
responding to Quick Mode
Jun 30 19:32:36 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #2:
prepare-client output: SIOCDELRT: No such process
Jun 30 19:32:36 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #2:
prepare-client command exited with status 7
Jun 30 19:32:36 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #2:
IPsec SA established
----------- ipsec auto --status ------------
000 #5: "pdesai-net"[1] 209.135.133.92 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 3325s; newest ISAKMP
000 #4: "pdesai-net"[1] 209.135.133.92 STATE_QUICK_R2 (IPsec SA
established); EVENT_SA_REPLACE in 1353s
000 #4: "pdesai-net"[1] 209.135.133.92 esp.a21195c4 at 209.135.133.92
esp.15289549 at 68.108.105.34 tun.1004 at 209.135.133.92 tun.1003 at
68.108.105.34
---my /etc/ipsec.conf
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
uniqueids=yes
nat_traversal=no
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.0.0.0/24
conn %default
keyingtries=0
compress=yes
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
left=%defaultroute
leftcert=office-network-pub.pem
leftupdown=/usr/local/lib/ipsec/v_updown
pfs=yes
conn pdesai
right=%any
rightcert=pdesai-pub.pem
keyingtries=2
keylife=30m
leftsubnet=10.0.0.0/24
auto=add
conn pdesai-net
right=%any
rightcert=pdesai-pub.pem
rightsubnet=vhost:%no,%priv
keyingtries=2
keylife=30m
leftsubnet=10.0.0.0/24
auto=add
_________________________________________________________________
FREE pop-up blocking with the new MSN Toolbar – get it now!
http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
More information about the Users
mailing list