[Openswan Users] weird cert reject but can connect? anyone?

hallian hallian hallian at hotmail.com
Wed Jun 30 22:36:57 CEST 2004


Hello all -

I see this weird message about Issuer cert CA not found and reject
your x509 cert, but I'm still able to connect and ping/map drive etc.
This is very peculiar, and I'm wondering why this is happening.
Has anyone seen this before?

thanks
hallian

--------- barf last output ----------------
Jun 30 19:32:30 gateway pluto[2993]: packet from 209.135.133.92:500:
Informational Exchange is for an unknown (expired?) SA
Jun 30 19:32:35 gateway pluto[2993]: packet from 209.135.133.92:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1:
responding to Main Mode from unknown peer 209.135.133.92
Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1: Main
mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=NW, O=Consulting, OU=Information
Technology, CN=pdesai, E=supportvpn at v.com'
Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1:
Issuer CA certificate not found
Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1:
X.509 certificate rejected
Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1: sent
MR3, ISAKMP SA established
Jun 30 19:32:36 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #2:
responding to Quick Mode
Jun 30 19:32:36 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #2:
prepare-client output: SIOCDELRT: No such process
Jun 30 19:32:36 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #2:
prepare-client command exited with status 7
Jun 30 19:32:36 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #2:
IPsec SA established


----------- ipsec auto --status ------------

000 #5: "pdesai-net"[1] 209.135.133.92 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 3325s; newest ISAKMP
000 #4: "pdesai-net"[1] 209.135.133.92 STATE_QUICK_R2 (IPsec SA
established); EVENT_SA_REPLACE in 1353s
000 #4: "pdesai-net"[1] 209.135.133.92 esp.a21195c4 at 209.135.133.92
esp.15289549 at 68.108.105.34 tun.1004 at 209.135.133.92 tun.1003 at 
68.108.105.34

---my /etc/ipsec.conf
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        nat_traversal=no
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.0.0.0/24

conn %default
        keyingtries=0
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=%defaultroute
        leftcert=office-network-pub.pem
        leftupdown=/usr/local/lib/ipsec/v_updown
        pfs=yes

conn pdesai
        right=%any
        rightcert=pdesai-pub.pem
        keyingtries=2
        keylife=30m
        leftsubnet=10.0.0.0/24
        auto=add

conn pdesai-net
        right=%any
        rightcert=pdesai-pub.pem
        rightsubnet=vhost:%no,%priv
        keyingtries=2
        keylife=30m
        leftsubnet=10.0.0.0/24
        auto=add
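
The sequence in the barf output above (certificate rejected, then ISAKMP SA established under the same connection instance and state number) can be picked out of pluto logs mechanically. The following is an added example, not part of the original post or of Openswan; the function name and the last sample line (peer 192.0.2.10) are constructed for illustration, and the other sample lines are the post's own log lines with the mail wrapping undone.

```python
import re

# Matches pluto lines of the form: "conn"[instance] peer-ip #state: message
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) '
    r'#(?P<state>\d+): (?P<msg>.*)$'
)
REJECT_MARKERS = ("Issuer CA certificate not found", "X.509 certificate rejected")
ESTABLISHED = "ISAKMP SA established"


def find_rejected_but_established(lines):
    """Return (conn, peer, state, reasons) for every Main Mode exchange that
    logged a certificate rejection and then still established an ISAKMP SA."""
    rejected = {}   # (conn, inst, peer, state) -> rejection messages seen so far
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # "packet from ..." lines carry no connection name
        key = (m["conn"], m["inst"], m["peer"], m["state"])
        msg = m["msg"]
        if any(marker in msg for marker in REJECT_MARKERS):
            rejected.setdefault(key, []).append(msg)
        elif ESTABLISHED in msg and key in rejected:
            findings.append((m["conn"], m["peer"], int(m["state"]), rejected.pop(key)))
    return findings


# Log lines from the post (wrapping undone), followed by one constructed line
# for a second peer that establishes an ISAKMP SA without any rejection.
SAMPLE_LOG = [
    'Jun 30 19:32:35 gateway pluto[2993]: packet from 209.135.133.92:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]',
    'Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1: responding to Main Mode from unknown peer 209.135.133.92',
    'Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1: Issuer CA certificate not found',
    'Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1: X.509 certificate rejected',
    'Jun 30 19:32:35 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #1: sent MR3, ISAKMP SA established',
    'Jun 30 19:32:36 gateway pluto[2993]: "pdesai-net"[1] 209.135.133.92 #2: IPsec SA established',
    'Jun 30 19:40:00 gateway pluto[2993]: "pdesai-net"[2] 192.0.2.10 #3: sent MR3, ISAKMP SA established',  # constructed
]

if __name__ == "__main__":
    for conn, peer, state, reasons in find_rejected_but_established(SAMPLE_LOG):
        print(f"{conn} {peer} #{state}: SA established after: {'; '.join(reasons)}")
```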
