[Openswan Users] openswan 2.1.0rc1 and crls

Desai, Jason jase at sensis.com
Tue Mar 9 13:52:54 CET 2004


> > Will just moving the crl file out of the crls directory do this, or is
> > this an ipsec.conf option?
> 
> Yes, I think that should do it. It will complain about not finding
> the CRL but it should work.

OK, I've removed the crl and tried to connect.  You're correct that pluto
complains about it.  But for some reason (probably a config error on my
part) I get a "no suitable connection for peer" error message.  Can someone
show me what I'm doing wrong?  Thanks!

From the pluto logs:

Mar  9 13:40:02 ppcsec pluto[20471]: Starting Pluto (FreeS/WAN Version
2.1.0rc1 X.509-1.4.8 PLUTO_USES_KEYRR)
Mar  9 13:40:02 ppcsec pluto[20471]:   including NAT-Traversal patch
(Version 0.6c)
Mar  9 13:40:02 ppcsec pluto[20471]: Using Linux 2.6 IPsec interface code
Mar  9 13:40:03 ppcsec pluto[20471]: Changing to directory
'/etc/ipsec.d/cacerts'
Mar  9 13:40:03 ppcsec pluto[20471]:   loaded cacert file
'Sensis2-cacert.pem' (1842 bytes)
Mar  9 13:40:03 ppcsec pluto[20471]: Changing to directory
'/etc/ipsec.d/crls'
Mar  9 13:40:03 ppcsec pluto[20471]:   loaded crl file 'core' (200704 bytes)
Mar  9 13:40:03 ppcsec pluto[20471]:   file coded in unknown format,
discarded
Mar  9 13:40:03 ppcsec pluto[20471]:   loaded host cert file
'/etc/ipsec.d/certs/ppcsec.crt' (5395 bytes)
Mar  9 13:40:03 ppcsec pluto[20471]: added connection description
"L2TP-PSK-orgWIN2KXP"
Mar  9 13:40:03 ppcsec pluto[20471]: listening for IKE messages
Mar  9 13:40:03 ppcsec pluto[20471]: adding interface eth0/eth0
199.105.164.15
Mar  9 13:40:03 ppcsec pluto[20471]: adding interface eth0/eth0
199.105.164.15:4500
Mar  9 13:40:03 ppcsec pluto[20471]: adding interface lo/lo 127.0.0.1
Mar  9 13:40:03 ppcsec pluto[20471]: adding interface lo/lo 127.0.0.1:4500
Mar  9 13:40:03 ppcsec pluto[20471]: loading secrets from
"/etc/ipsec.secrets"
Mar  9 13:40:03 ppcsec pluto[20471]:   loaded private key file
'/etc/ipsec.d/private/ppcsec.key' (1679 bytes)
Mar  9 13:40:33 ppcsec pluto[20471]: packet from 67.20.62.114:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar  9 13:40:33 ppcsec pluto[20471]: packet from 67.20.62.114:500: ignoring
Vendor ID payload [FRAGMENTATION]
Mar  9 13:40:33 ppcsec pluto[20471]: packet from 67.20.62.114:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Mar  9 13:40:33 ppcsec pluto[20471]: packet from 67.20.62.114:500: ignoring
Vendor ID payload [26244d38eddb61b3...]
Mar  9 13:40:33 ppcsec pluto[20471]: "L2TP-PSK-orgWIN2KXP"[1] 67.20.62.114
#1: responding to Main Mode from unknown peer 67.20.62.114
Mar  9 13:40:33 ppcsec pluto[20471]: "L2TP-PSK-orgWIN2KXP"[1] 67.20.62.114
#1: transition from state (null) to state STATE_MAIN_R1
Mar  9 13:40:34 ppcsec pluto[20471]: "L2TP-PSK-orgWIN2KXP"[1] 67.20.62.114
#1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is
NATed
Mar  9 13:40:34 ppcsec pluto[20471]: "L2TP-PSK-orgWIN2KXP"[1] 67.20.62.114
#1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar  9 13:40:35 ppcsec pluto[20471]: "L2TP-PSK-orgWIN2KXP"[1] 67.20.62.114
#1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=New York, L=DeWitt, O=Sensis
Corporation, CN=Jase PPC, E=jase at sensis.com'
Mar  9 13:40:35 ppcsec pluto[20471]: "L2TP-PSK-orgWIN2KXP"[1] 67.20.62.114
#1: issuer crl not found
Mar  9 13:40:35 ppcsec pluto[20471]: "L2TP-PSK-orgWIN2KXP"[1] 67.20.62.114
#1: issuer crl not found
Mar  9 13:40:35 ppcsec pluto[20471]: "L2TP-PSK-orgWIN2KXP"[1] 67.20.62.114
#1: no suitable connection for peer 'C=US, ST=New York, L=DeWitt, O=Sensis
Corporation, CN=Jase PPC, E=jase at sensis.com'

I also noticed this in my syslog:

Mar  9 13:40:33 ppcsec kernel: udp_encap_rcv(): Unhandled UDP encap type: 1
Mar  9 13:40:34 ppcsec kernel: udp_encap_rcv(): Unhandled UDP encap type: 1

I'm running the Debian 2.4.25 kernel from backports.org, which has the 2.6
ipsec stack backported to it.

***********
*ipsec.conf:
***********

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=all
        # plutodebug=dns
        nat_traversal=yes
        dumpdir=/tmp


# Add connections here.

conn %default
        #
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        #
        authby=rsasig
        rightrsasigkey=%cert
        leftrsasigkey=%cert
        pfs=no
        #
        left=199.105.164.15
        leftcert=ppcsec.crt

conn L2TP-PSK-orgWIN2KXP
        #
        # Required for original (non-updated) Windows 2000/XP clients.
        leftprotoport=17/1701
        leftnexthop=%defaultroute
        #
        # The remote user.
        #
        right=%any
        rightprotoport=17/1701
        rightsubnetwithin=0/0
        #
        # Authorize this connection, and wait for connection from user.
        #
        auto=add
        keyingtries=3

#  Disable OE
conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

**************
*ipsec.secrets
**************

: RSA /etc/ipsec.d/private/ppcsec.key


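Added here as an editor's example, not part of the original thread or of Openswan: a small Python audit of what sits in the crls directory, matching the "loaded crl file 'core' ... file coded in unknown format, discarded" lines in the log above (the assumption being that a 200704-byte file named 'core' that pluto cannot parse is a core dump rather than a CRL). The sample directory contents are constructed, and the PEM/DER checks are my own rather than pluto's loader.

```python
import os
from typing import Dict, List

# Constructed stand-in for /etc/ipsec.d/crls; names and contents are made up.
SAMPLE_CRLS_DIR: Dict[str, bytes] = {
    "sensis2.crl": b"-----BEGIN X509 CRL-----\nMIIB...\n-----END X509 CRL-----\n",
    "other.crl": bytes([0x30, 0x82, 0x01, 0x00]) + b"\x00" * 0x100,  # DER SEQUENCE, long-form length
    "core": b"\x7fELF" + b"\x00" * 60,                                # an ELF core dump, not a CRL
    "notes.txt": b"remember to renew\n",
}

def der_sequence_length_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30) whose length matches the file."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length: one byte
        body_len, hdr = first, 2
    else:                                  # long-form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        body_len = int.from_bytes(data[2:2 + n], "big")
        hdr = 2 + n
    return hdr + body_len == len(data)

def classify(data: bytes) -> str:
    """Classify a file by its encoding, the way pluto's loader decides PEM vs DER vs junk."""
    if data.startswith(b"-----BEGIN X509 CRL-----"):
        return "pem-crl"
    if data.startswith(b"-----BEGIN "):
        return "pem-other"                 # a cert or key dropped in the wrong directory
    if der_sequence_length_ok(data):
        return "der"
    if data.startswith(b"\x7fELF"):
        return "elf-core"                  # core dump; pluto reports "unknown format"
    return "unknown"

def stray_files(files: Dict[str, bytes]) -> List[str]:
    """Names that are not CRLs and should be moved out of the crls directory."""
    return sorted(n for n, blob in files.items() if classify(blob) not in ("pem-crl", "der"))

def audit_directory(path: str) -> List[str]:
    """Run the same check against a real directory such as /etc/ipsec.d/crls."""
    files = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                files[name] = fh.read()    # whole file: the DER length check needs it
    return stray_files(files)

if __name__ == "__main__":
    print(stray_files(SAMPLE_CRLS_DIR))    # prints ['core', 'notes.txt']
```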
