[Openswan Users] Nortel interoperability questions
David Mattes
david.mattes at boeing.com
Tue May 4 11:09:47 CEST 2004
Ken Bantoft wrote:
>If you're using 2.1.x, you can use
>
>leftsourceip=130.42.160.12
>
>and it will do the routing magic for you. (assign IP to lo interface, and
>do source routing). I do this myself between two Openswan boxes.
>
I just upgraded from FreeS/WAN 2.04 to OpenS/WAN 2.1.1 (in order to try the above configuration changes) and did not change ipsec.conf or any of my certificates or connection material, but I'm now getting INVALID_CERTIFICATE errors from the Nortel box. From the output it seems that pluto is deciding how to sign the hash, and it looks like it's deciding between 2 private keys (PPK_RSA:AwEAAe919 vs PPK_RSA:AwEAAe919)! But on the next line, pluto signs with *AwEAAe919, so it seems like there is some inconsistency here...
Pertinent output:
May 4 10:00:55 gandalf pluto[22635]: | my identity 30 68 31 0b 30 09 06 03 55 04 06 13 02 55 53 31
May 4 10:00:55 gandalf pluto[22635]: | 0f 30 0d 06 03 55 04 0a 13 06 42 6f 65 69 6e 67
May 4 10:00:55 gandalf pluto[22635]: | 31 0f 30 0d 06 03 55 04 0b 13 06 70 65 6f 70 6c
May 4 10:00:55 gandalf pluto[22635]: | 65 31 0f 30 0d 06 03 55 04 03 13 06 35 30 35 34
May 4 10:00:55 gandalf pluto[22635]: | 30 39 31 26 30 24 06 09 2a 86 48 86 f7 0d 01 09
May 4 10:00:55 gandalf pluto[22635]: | 01 16 17 64 61 76 69 64 2e 6d 61 74 74 65 73 40
May 4 10:00:55 gandalf pluto[22635]: | 62 6f 65 69 6e 67 2e 63 6f 6d
May 4 10:00:55 gandalf pluto[22635]: | emitting length of ISAKMP Identification Payload (IPsec DOI): 114
May 4 10:00:55 gandalf pluto[22635]: | hashing 80 bytes of SA
May 4 10:00:55 gandalf pluto[22635]: | looking for secret for C=US, O=Boeing, OU=people, CN=505409, E=david.mattes at boeing.com->C=US, O=Boeing, CN=Nortel-Tempcert-Pilot-Cert of kind PPK_RSA
May 4 10:00:55 gandalf pluto[22635]: | searching for certificate PPK_RSA:AwEAAe919 vs PPK_RSA:AwEAAe919
May 4 10:00:55 gandalf pluto[22635]: | signing hash with RSA Key *AwEAAe919
May 4 10:00:55 gandalf pluto[22635]: | ***emit ISAKMP Signature Payload:
May 4 10:00:55 gandalf pluto[22635]: | next payload type: ISAKMP_NEXT_NONE
May 4 10:00:55 gandalf pluto[22635]: | emitting 128 raw bytes of SIG_I into ISAKMP Signature Payload
Thanks,
David
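The "my identity" hex dump in the log above is the DER-encoded X.501 Name that pluto sends as its IKE Phase 1 Identification payload. Decoding it is a quick way to confirm that the identity on the wire matches the DN pluto prints in the "looking for secret" line, and that the payload length it logs (114) is consistent with the bytes. The following is an added example, not code from the original post or from Openswan: the hex bytes are copied from the mail, while the log-line extraction regex, the minimal DER walker, the OID table and the RFC 2407 header arithmetic are written here for illustration.

```python
"""Decode the DER-encoded X.501 Name that pluto logs as "my identity".

Added example, not code from the original post or from Openswan. The hex
bytes are copied from the pluto debug lines in the mail; everything else is
written here for illustration.
"""
import re

# Constructed input: the seven "my identity" debug lines from the mail above.
LOG_LINES = """\
May 4 10:00:55 gandalf pluto[22635]: | my identity 30 68 31 0b 30 09 06 03 55 04 06 13 02 55 53 31
May 4 10:00:55 gandalf pluto[22635]: | 0f 30 0d 06 03 55 04 0a 13 06 42 6f 65 69 6e 67
May 4 10:00:55 gandalf pluto[22635]: | 31 0f 30 0d 06 03 55 04 0b 13 06 70 65 6f 70 6c
May 4 10:00:55 gandalf pluto[22635]: | 65 31 0f 30 0d 06 03 55 04 03 13 06 35 30 35 34
May 4 10:00:55 gandalf pluto[22635]: | 30 39 31 26 30 24 06 09 2a 86 48 86 f7 0d 01 09
May 4 10:00:55 gandalf pluto[22635]: | 01 16 17 64 61 76 69 64 2e 6d 61 74 74 65 73 40
May 4 10:00:55 gandalf pluto[22635]: | 62 6f 65 69 6e 67 2e 63 6f 6d
"""

# Attribute types that occur in this DN, with the short names pluto prints.
OID_NAMES = {
    "2.5.4.6": "C",
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
    "2.5.4.3": "CN",
    "1.2.840.113549.1.9.1": "E",
}

# String tags accepted as AttributeValue: UTF8String, PrintableString, TeletexString, IA5String.
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x14: "latin-1", 0x16: "ascii"}

# A run of hex byte pairs after "| my identity " or after a bare "| " continuation.
HEX_RUN = re.compile(r"\| (?:my identity )?((?:[0-9a-f]{2} ?)+)$")

def hex_from_pluto_log(text):
    """Concatenate the hex runs of the 'my identity' dump and its continuation lines."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_RUN.search(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at pos; short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Dotted OID: first byte packs two arcs, later arcs are base-128 with a continuation bit."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_name(der):
    """Walk Name ::= SEQUENCE OF SET OF (type OID, value) and render it as 'C=US, O=...'."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("identity is not a single DER SEQUENCE")
    parts, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = read_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RDN is not a SET")
        inner = 0
        while inner < len(rdn):
            tag, atv, inner = read_tlv(rdn, inner)
            if tag != 0x30:
                raise ValueError("AttributeTypeAndValue is not a SEQUENCE")
            t, oid, p = read_tlv(atv, 0)
            if t != 0x06:
                raise ValueError("attribute type is not an OID")
            t, val, _ = read_tlv(atv, p)
            if t not in STRING_TAGS:
                raise ValueError(f"unsupported attribute value tag 0x{t:02x}")
            dotted = decode_oid(oid)
            parts.append(f"{OID_NAMES.get(dotted, dotted)}={val.decode(STRING_TAGS[t])}")
    return ", ".join(parts)

def isakmp_id_payload_length(id_data):
    """RFC 2407 Identification payload: 4-byte generic header + ID type(1) + protocol(1) + port(2) + data."""
    return 4 + 1 + 1 + 2 + len(id_data)

if __name__ == "__main__":
    der = hex_from_pluto_log(LOG_LINES)
    print(f"{len(der)} DER bytes -> {decode_name(der)}")
    print(f"ISAKMP Identification payload length: {isakmp_id_payload_length(der)}")
```

Run stand-alone, the decoder yields the 106-byte DN C=US, O=Boeing, OU=people, CN=505409, E=david.mattes@boeing.com (the mail archive rewrote the literal "@" in the DER as " at ") and a payload length of 114, both of which agree with what pluto logged. If the DN decoded here ever differs from the subject of the certificate the peer expects, that is the first thing to compare when a peer answers with INVALID_CERTIFICATE.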