[Openswan Users] Nortel interoperability questions

David Mattes david.mattes at boeing.com
Tue May 4 11:09:47 CEST 2004


Ken Bantoft wrote:

>If you're using 2.1.x, you can use 
>
>leftsourceip=130.42.160.12
>
>and it will do the routing magic for you. (assign IP to lo interface, and 
>do source routing).  I do this myself between two Openswan boxes.
I just upgraded from FreeS/WAN 2.04 to OpenS/WAN 2.1.1 (in order to try the above configuration changes) and did not change ipsec.conf or any of my certificates or connection material, but I'm now getting INVALID_CERTIFICATE errors from the Nortel box.  From the output it seems that pluto is deciding how to sign the hash, and it looks like it's deciding between 2 private keys (PPK_RSA:AwEAAe919 vs PPK_RSA:AwEAAe919)!  But on the next line, pluto signs with *AwEAAe919, so it seems like there is some inconsistency here...

Pertinent output:
May  4 10:00:55 gandalf pluto[22635]: | my identity  30 68 31 0b  30 09 06 03  55 04 06 13  02 55 53 31
May  4 10:00:55 gandalf pluto[22635]: |   0f 30 0d 06  03 55 04 0a  13 06 42 6f  65 69 6e 67
May  4 10:00:55 gandalf pluto[22635]: |   31 0f 30 0d  06 03 55 04  0b 13 06 70  65 6f 70 6c
May  4 10:00:55 gandalf pluto[22635]: |   65 31 0f 30  0d 06 03 55  04 03 13 06  35 30 35 34
May  4 10:00:55 gandalf pluto[22635]: |   30 39 31 26  30 24 06 09  2a 86 48 86  f7 0d 01 09
May  4 10:00:55 gandalf pluto[22635]: |   01 16 17 64  61 76 69 64  2e 6d 61 74  74 65 73 40
May  4 10:00:55 gandalf pluto[22635]: |   62 6f 65 69  6e 67 2e 63  6f 6d
May  4 10:00:55 gandalf pluto[22635]: | emitting length of ISAKMP Identification Payload (IPsec DOI): 114
May  4 10:00:55 gandalf pluto[22635]: | hashing 80 bytes of SA
May  4 10:00:55 gandalf pluto[22635]: | looking for secret for C=US, O=Boeing, OU=people, CN=505409, E=david.mattes at boeing.com->C=US, O=Boeing, CN=Nortel-Tempcert-Pilot-Cert of kind PPK_RSA
May  4 10:00:55 gandalf pluto[22635]: | searching for certificate PPK_RSA:AwEAAe919 vs PPK_RSA:AwEAAe919
May  4 10:00:55 gandalf pluto[22635]: | signing hash with RSA Key *AwEAAe919
May  4 10:00:55 gandalf pluto[22635]: | ***emit ISAKMP Signature Payload:
May  4 10:00:55 gandalf pluto[22635]: |    next payload type: ISAKMP_NEXT_NONE
May  4 10:00:55 gandalf pluto[22635]: | emitting 128 raw bytes of SIG_I into ISAKMP Signature Payload


Thanks,
David
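
The "my identity" dump in the log above is the DER-encoded X.501 name that pluto places in the ISAKMP Identification Payload (106 bytes, plus the 8-byte payload header, gives the 114 reported). The following is an added example, not part of the original post or of Openswan: it decodes that dump back into a readable DN so it can be checked against the certificate subject. The function names are illustrative, and only the attribute types that occur in this dump are mapped to short names.

```python
import re
# Dump lines copied from the pluto log in the post above; OIDS covers only the types seen there.
LOG = """\
May  4 10:00:55 gandalf pluto[22635]: | my identity  30 68 31 0b  30 09 06 03  55 04 06 13  02 55 53 31
May  4 10:00:55 gandalf pluto[22635]: |   0f 30 0d 06  03 55 04 0a  13 06 42 6f  65 69 6e 67
May  4 10:00:55 gandalf pluto[22635]: |   31 0f 30 0d  06 03 55 04  0b 13 06 70  65 6f 70 6c
May  4 10:00:55 gandalf pluto[22635]: |   65 31 0f 30  0d 06 03 55  04 03 13 06  35 30 35 34
May  4 10:00:55 gandalf pluto[22635]: |   30 39 31 26  30 24 06 09  2a 86 48 86  f7 0d 01 09
May  4 10:00:55 gandalf pluto[22635]: |   01 16 17 64  61 76 69 64  2e 6d 61 74  74 65 73 40
May  4 10:00:55 gandalf pluto[22635]: |   62 6f 65 69  6e 67 2e 63  6f 6d
"""
OIDS = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN", "1.2.840.113549.1.9.1": "E"}

def dump_bytes(log):
    """Join the hex pairs that follow the '|' marker on each dump line."""
    tails = (line.split("|", 1)[1] for line in log.splitlines() if "|" in line)
    return bytes.fromhex("".join(re.findall(r"\b[0-9a-f]{2}\b", " ".join(tails))))

def tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the dump")
    return tag, buf[pos:pos + length], pos + length

def oid_str(val):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs, acc = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def decode_dn(der):
    """Walk SEQUENCE -> SET -> SEQUENCE { OID, string } and render the DN."""
    tag, rdns, _ = tlv(der, 0)
    if tag != 0x30:
        raise ValueError("identity does not start with a DER SEQUENCE")
    parts, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = tlv(rdns, pos)    # SET: one relative distinguished name
        _, atv, _ = tlv(rdn, 0)         # SEQUENCE: attribute type and value
        _, oid, nxt = tlv(atv, 0)
        key, val = oid_str(oid), tlv(atv, nxt)[1]
        parts.append(f"{OIDS.get(key, key)}={val.decode('ascii', 'replace')}")
    return ", ".join(parts)
```

Calling `decode_dn(dump_bytes(LOG))` gives the DN carried in the ID payload, which can be compared with the subject that `openssl x509 -noout -subject` prints for the local certificate.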


