[Openswan Users] X-509 in openswan

kumar nani kumar_lists at yahoo.co.in
Fri Aug 5 13:53:36 CEST 2005


Hi Toby,

Thanks for the help. I found out that the problem is with my configuration of ipsec.secrets. I have given the wrong passphrase in that file. I changed that password and it is able to load the secrets. But when I initiated the connection, some other problem is coming, as shown below:

104 "naveen" #2: STATE_MAIN_I1: initiate
003 "naveen" #2: received Vendor ID payload [Dead Peer Detection]
106 "naveen" #2: STATE_MAIN_I2: sent MI2, expecting MR2
108 "naveen" #2: STATE_MAIN_I3: sent MI3, expecting MR3
003 "naveen" #2: ignoring informational payload, type INVALID_ID_INFORMATION
003 "naveen" #2: received and ignored informational message
010 "naveen" #2: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "naveen" #2: ignoring informational payload, type INVALID_ID_INFORMATION
003 "naveen" #2: received and ignored informational message
003 "naveen" #2: discarding duplicate packet; already STATE_MAIN_I3
010 "naveen" #2: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "naveen" #2: discarding duplicate packet; already STATE_MAIN_I3
003 "naveen" #2: ignoring informational payload, type INVALID_ID_INFORMATION
003 "naveen" #2: received and ignored informational message
031 "naveen" #2: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
000 "naveen" #2: starting keying attempt 2 of an unlimited number, but releasing whack

Is there anything wrong in my ipsec.conf file?

ipsec.conf
----------
conn naveen
        type=tunnel
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=192.168.1.124
        leftcert=naveen.com.pem
        right=192.168.1.144
        rightcert=nitin.com.pem
        auto=add
        pfs=yes

Thanks 
Kumar

--- Toby Chamberlain <toby at webtechservices.com.au> wrote:

> That looks exactly like what I have, but maybe just check the spaces - I
> have none before the ":" and one after it. The only other things I can
> suggest are to double check the password is correct, double check the .key
> file is in /etc/ipsec.d/private, double check its filename is the same as
> what you have ("kumar.com.key") and double check that the directory and file
> permission allow reading/listing by root... (does 'cat
> /etc/ipsec.d/private/kumar.com.key' as root work?)
> 
> I also have the certificate file itself (xxx.pem in my case) in the
> ipsec.d/certs directory, but I don't know if this is necessary - it
> certainly doesn't seem to be what openswan is complaining about.
> 
> 
> > Hi Toby,
> >
> > Yes I have the key file in /etc/ipsec.d/private. I am
> > thinking that it may be the problem with configuring
> > the ipsec.secrets file.
> >
> > my ipsec.secrets file
> > ------------------------------
> > : RSA kumar.com.key "kumar123"
> >
> > ------------------------------
> >
> > Thanks
> > Kumar
> >
> > --- Toby Chamberlain <toby at webtechservices.com.au> wrote:
> >
> >> You do have the key file in /etc/ipsec.d/private don't you?
> >>
> >> >
> >> > Hi Andreas,
> >> >
> >> > I have added the newline character at the end but still
> >> > the same problem is coming. The /var/log/messages are
> >> > showing like this
> >> >
> >> > Aug  5 15:31:22 buick ipsec_setup: ...Openswan IPsec started
> >> > Aug  5 15:31:22 buick ipsec_setup: Starting Openswan IPsec cvs2002Mar12_05:49:03...
> >> > Aug  5 15:31:22 buick ipsec__plutorun: 003 "/etc/ipsec.secrets" line 2: error loading RSA private key file
> >> >
> >> > Thanks
> >> > Kumar
> >> >
> >> > --- Andreas Steffen <andreas.steffen at strongsec.net> wrote:
> >> >
> >> >> The line
> >> >>
> >> >> : RSA kumar.com.key "kumar123"
> >> >>
> >> >> must be terminated with a newline character, i.e.
> >> >> a line feed to the next line.
> >> >>
> >> >> Andreas
> >> >>
> >> >> kumar nani wrote:
> >> >> > Hi Andreas,
> >> >> >
> >> >> > I have checked my log messages. I think there is some
> >> >> > error while loading my private key. See below the dump
> >> >> > of /var/log/messages
> >> >> >
> >> >> > Aug  5 12:24:31 buick ipsec_setup: KLIPS ipsec0 on eth0 192.168.1.124/255.255.255.0 broadcast 192.168.1.255
> >> >> > Aug  5 12:24:31 buick ipsec_setup: ...Openswan IPsec started
> >> >> > Aug  5 12:24:31 buick ipsec_setup: Starting Openswan IPsec cvs2002Mar12_05:49:03...
> >> >> > Aug  5 12:24:31 buick ipsec__plutorun: 003 "/etc/ipsec.secrets" line 1: error loading RSA private key file
> >> >> >
> >> >> > 2. When I am executing the command "ipsec auto --rereadsecrets" then also the same message is coming.
> >> >> >
> >> >> > 003 "/etc/ipsec.secrets" line 1: error loading RSA private key file
> >> >> >
> >> >> > My ipsec.secrets is given below.
> >> >> > --------------------------------
> >> >> > : RSA kumar.com.key "kumar123"
> >> >> >
> >> >> > Is there anything still I have to do?
> >> >> >
> >> >> > Thanks
> >> >> > Kumar
> >> >> >
> >> >> > --- Andreas Steffen <andreas.steffen at strongsec.net> wrote:
> >> >> >
> >> >> >
> >> >> >>Check your logs for error messages while loading the
> >> >> >>private key file. You can repeat the loading process
> >> >> >>by typing
> >> >> >>
> >> >> >>   ipsec auto --rereadsecrets
> >> >> >>
> >> >> >>If the private key is loaded correctly but the command
> >> >> >>
> >> >> >>   ipsec auto --listcerts
> >> >> >>
> >> >> >>lists your certificate without the comment
> >> >> >>
> >> >> >>   ..., has private key
> >> >> >>
> >> >> >>then the public key contained in the certificate does
> >> >> >>not match the private key.
> >> >> >>
> >> >> >>Regards
> >> >> >>
> >> >> >>Andreas
> >> >> >>
> >> >> >>kumar nani wrote:
> >> >> >>
> >> >> >>>Hello Everybody,
> >> >> >>>
> >> >> >>> I have installed openswan-2.3.0 on two Redhat Linux
> >> >> >>>machines and preshared keys are working fine. I'm
> >> >> >>>trying to setup IPSec tunnel in openswan using x509
> >> >> >>>certificates, but keep getting told by openswan that
> >> >> >>>it can't find my private RSA key.
> >> >> >>>
> >> >> >>>I have used openssl for generating certificates by
> >> >> >>>following the instructions given in this webpage
> >> >> >>>
> >> >> >>>
> 
=== message truncated ===
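Added example, not code from this thread or from the Openswan project: a small POSIX shell script that checks, offline, the three things the replies above point at (Andreas: the `: RSA ...` line in ipsec.secrets must be newline-terminated, and the private key must belong to the certificate; Toby: the key file must be readable), and prints the certificate subject DN, which is the identity Openswan uses for a peer configured with leftcert/rightcert and no leftid/rightid. It assumes the openssl CLI is installed; the file names in the usage comment are the thread's own and are passed as arguments, so nothing is hard-coded.

```shell
#!/bin/sh
# Added example, not from the thread. Offline checks for an Openswan X.509 setup.
# Usage: sh x509check.sh /etc/ipsec.secrets /etc/ipsec.d/private/kumar.com.key \
#            /etc/ipsec.d/certs/kumar.com.pem kumar123
# Assumes the openssl CLI is available.

# Andreas' point: the ': RSA kumar.com.key "..."' line must end with a newline.
# $(...) strips trailing newlines, so the capture is empty iff the last byte is '\n'.
ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# Toby's point: the key file must exist and be readable by the user running pluto (root).
readable_file() {
    [ -f "$1" ] && [ -r "$1" ]
}

# Andreas' point: if "ipsec auto --listcerts" shows no "has private key", the key
# does not belong to the certificate. Compare the RSA moduli directly; a wrong
# passphrase makes the key unreadable, which also fails this check.
key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1" -passin "pass:$3" 2>/dev/null) || return 1
    cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# With leftcert/rightcert and no leftid/rightid, Openswan uses the certificate's
# subject DN as the IKE identity, so it is worth comparing on both peers.
cert_subject() {
    openssl x509 -noout -subject -in "$1" 2>/dev/null
}

run_checks() {
    secrets=$1; key=$2; cert=$3; pass=${4:-}
    ends_with_newline "$secrets" && echo "ok: $secrets ends with a newline" \
        || echo "FAIL: $secrets lacks a trailing newline"
    readable_file "$key" && echo "ok: $key is readable" \
        || echo "FAIL: cannot read $key"
    key_matches_cert "$key" "$cert" "$pass" && echo "ok: key matches $cert" \
        || echo "FAIL: key does not match $cert (or wrong passphrase)"
    echo "IKE identity from $cert: $(cert_subject "$cert")"
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 3 ]; then run_checks "$@"; fi
```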
