[Openswan Users] Issue with Certificate?

Andreas Steffen andreas.steffen at strongsec.net
Thu Aug 25 08:54:46 CEST 2005


Authentication using the certs is ok:

 > "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1:
    sent MR3, ISAKMP SA established

But your connection definition in ipsec.conf does not match the
IPsec SA request coming from the peer:

 > "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1:
    cannot respond to IPsec SA request because no connection is known for

 > 192.168.1.152[C=US, ST=Washington, L=Seattle, O=GTDS, OU=Support,
 > CN=gtds-vpnsrvr.gtdsolutions.net,
 > E=tim.porritt at gtdsolutions.com]:17/0...192.168.1.102[C=US,
 > ST=Washington, L=Seattle, O=GTDS, OU=Support, CN=lordvader,
 > E=tporritt at gmail.com]:17/1701

the connection definition listed by the command

   ipsec auto --status

should exactly match the IPsec SA request above. It might be that some
field in the distinguished names has changed.

Regards

Andreas

Tim P wrote:
> I can't seem to establish a connection to my openswan setup though it
> was working with old certs I had.  I re-issued my certificates for the
> gateway and for the users and am now getting errors for all clients
> attempting to connect.
> 
> Am I missing something simple?  This is on lan, no firewalls, routers
> or bridges between my connections.  I am using openswan + l2tpd to
> authenticate/connect users.
> 
> /var/log/secure
> 
> Aug 24 05:46:41 gtds-vpnserver pluto[3593]: packet from
> 192.168.1.102:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY
> 00000003]
> Aug 24 05:46:41 gtds-vpnserver pluto[3593]: "roadwarrior"[1]
> 192.168.1.102 #1: responding to Main Mode from unknown peer
> 192.168.1.102
> Aug 24 05:46:41 gtds-vpnserver pluto[3593]: "roadwarrior"[1]
> 192.168.1.102 #1: transition from state STATE_MAIN_R0 to state
> STATE_MAIN_R1
> Aug 24 05:46:41 gtds-vpnserver pluto[3593]: "roadwarrior"[1]
> 192.168.1.102 #1: transition from state STATE_MAIN_R1 to state
> STATE_MAIN_R2
> Aug 24 05:46:41 gtds-vpnserver pluto[3593]: "roadwarrior"[1]
> 192.168.1.102 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=US,
> ST=Washington, L=Seattle, O=GTDS, OU=Support, CN=lordvader,
> E=tporritt at gmail.com'
> Aug 24 05:46:41 gtds-vpnserver pluto[3593]: "roadwarrior"[1]
> 192.168.1.102 #1: crl update for "C=US, ST=Washington, L=Seattle,
> O=GTD Solutions, LLC, OU=Support, CN=CA,
> E=tim.porritt at gtdsolutions.com" is overdue since Aug 18 07:35:33 UTC
> 2005
> Aug 24 05:46:41 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1: deleting connection
> "roadwarrior" instance with peer 192.168.1.102 {isakmp=#0/ipsec=#0}
> Aug 24 05:46:41 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1: I am sending my
> cert
> Aug 24 05:46:41 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1: transition from
> state STATE_MAIN_R2 to state STATE_MAIN_R3
> Aug 24 05:46:41 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1: sent MR3, ISAKMP SA
> established
> Aug 24 05:46:41 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1: cannot respond to
> IPsec SA request because no connection is known for
> 192.168.1.152[C=US, ST=Washington, L=Seattle, O=GTDS, OU=Support,
> CN=gtds-vpnsrvr.gtdsolutions.net,
> E=tim.porritt at gtdsolutions.com]:17/0...192.168.1.102[C=US,
> ST=Washington, L=Seattle, O=GTDS, OU=Support, CN=lordvader,
> E=tporritt at gmail.com]:17/1701
> Aug 24 05:46:41 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1: sending encrypted
> notification INVALID_ID_INFORMATION to 192.168.1.102:500
> Aug 24 05:46:41 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1: failed to build
> notification for spisize=0
> Aug 24 05:46:42 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1: Quick Mode I1
> message is unacceptable because it uses a previously used Message ID
> 0xd97a6a12 (perhaps this is a duplicated packet)
> Aug 24 05:46:42 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1: sending encrypted
> notification INVALID_MESSAGE_ID to 192.168.1.102:500
> Aug 24 05:46:42 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1: failed to build
> notification for spisize=0
> Aug 24 05:46:44 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1: Quick Mode I1
> message is unacceptable because it uses a previously used Message ID
> 0xd97a6a12 (perhaps this is a duplicated packet)
> Aug 24 05:46:44 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1: sending encrypted
> notification INVALID_MESSAGE_ID to 192.168.1.102:500
> Aug 24 05:46:44 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1: failed to build
> notification for spisize=0
> Aug 24 05:46:48 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1: Quick Mode I1
> message is unacceptable because it uses a previously used Message ID
> 0xd97a6a12 (perhaps this is a duplicated packet)
> Aug 24 05:46:48 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1: sending encrypted
> notification INVALID_MESSAGE_ID to 192.168.1.102:500
> Aug 24 05:46:48 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1: failed to build
> notification for spisize=0
> Aug 24 05:46:56 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1: Quick Mode I1
> message is unacceptable because it uses a previously used Message ID
> 0xd97a6a12 (perhaps this is a duplicated packet)
> Aug 24 05:46:56 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1: sending encrypted
> notification INVALID_MESSAGE_ID to 192.168.1.102:500
> Aug 24 05:46:56 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1: failed to build
> notification for spisize=0
> Aug 24 05:47:12 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1: Quick Mode I1
> message is unacceptable because it uses a previously used Message ID
> 0xd97a6a12 (perhaps this is a duplicated packet)
> Aug 24 05:47:12 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1: sending encrypted
> notification INVALID_MESSAGE_ID to 192.168.1.102:500
> Aug 24 05:47:12 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1: failed to build
> notification for spisize=0
> Aug 24 05:47:44 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102 #1: received Delete SA
> payload: deleting ISAKMP State #1
> Aug 24 05:47:44 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[1] 192.168.1.102: deleting connection
> "roadwarrior-l2tp-updatedwin" instance with peer 192.168.1.102
> {isakmp=#0/ipsec=#0}
> Aug 24 05:47:44 gtds-vpnserver pluto[3593]: packet from
> 192.168.1.102:500: received and ignored informational message
> Aug 24 05:48:44 gtds-vpnserver pluto[3593]: packet from
> 192.168.1.102:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY
> 00000003]
> Aug 24 05:48:44 gtds-vpnserver pluto[3593]: "roadwarrior"[2]
> 192.168.1.102 #2: responding to Main Mode from unknown peer
> 192.168.1.102
> Aug 24 05:48:44 gtds-vpnserver pluto[3593]: "roadwarrior"[2]
> 192.168.1.102 #2: transition from state STATE_MAIN_R0 to state
> STATE_MAIN_R1
> Aug 24 05:48:44 gtds-vpnserver pluto[3593]: "roadwarrior"[2]
> 192.168.1.102 #2: transition from state STATE_MAIN_R1 to state
> STATE_MAIN_R2
> Aug 24 05:48:44 gtds-vpnserver pluto[3593]: "roadwarrior"[2]
> 192.168.1.102 #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=US,
> ST=Washington, L=Seattle, O=GTDS, OU=Support, CN=lordvader,
> E=tporritt at gmail.com'
> Aug 24 05:48:44 gtds-vpnserver pluto[3593]: "roadwarrior"[2]
> 192.168.1.102 #2: crl update for "C=US, ST=Washington, L=Seattle,
> O=GTD Solutions, LLC, OU=Support, CN=CA,
> E=tim.porritt at gtdsolutions.com" is overdue since Aug 18 07:35:33 UTC
> 2005
> Aug 24 05:48:44 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[2] 192.168.1.102 #2: deleting connection
> "roadwarrior" instance with peer 192.168.1.102 {isakmp=#0/ipsec=#0}
> Aug 24 05:48:44 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[2] 192.168.1.102 #2: I am sending my
> cert
> Aug 24 05:48:44 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[2] 192.168.1.102 #2: transition from
> state STATE_MAIN_R2 to state STATE_MAIN_R3
> Aug 24 05:48:44 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[2] 192.168.1.102 #2: sent MR3, ISAKMP SA
> established
> Aug 24 05:48:44 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[2] 192.168.1.102 #2: cannot respond to
> IPsec SA request because no connection is known for
> 192.168.1.152[C=US, ST=Washington, L=Seattle, O=GTDS, OU=Support,
> CN=gtds-vpnsrvr.gtdsolutions.net,
> E=tim.porritt at gtdsolutions.com]:17/0...192.168.1.102[C=US,
> ST=Washington, L=Seattle, O=GTDS, OU=Support, CN=lordvader,
> E=tporritt at gmail.com]:17/1701
> Aug 24 05:48:44 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[2] 192.168.1.102 #2: sending encrypted
> notification INVALID_ID_INFORMATION to 192.168.1.102:500
> Aug 24 05:48:44 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[2] 192.168.1.102 #2: failed to build
> notification for spisize=0
> Aug 24 05:48:45 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[2] 192.168.1.102 #2: Quick Mode I1
> message is unacceptable because it uses a previously used Message ID
> 0x4dcc678d (perhaps this is a duplicated packet)
> Aug 24 05:48:45 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[2] 192.168.1.102 #2: sending encrypted
> notification INVALID_MESSAGE_ID to 192.168.1.102:500
> Aug 24 05:48:45 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[2] 192.168.1.102 #2: failed to build
> notification for spisize=0
> Aug 24 05:48:47 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[2] 192.168.1.102 #2: Quick Mode I1
> message is unacceptable because it uses a previously used Message ID
> 0x4dcc678d (perhaps this is a duplicated packet)
> Aug 24 05:48:47 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[2] 192.168.1.102 #2: sending encrypted
> notification INVALID_MESSAGE_ID to 192.168.1.102:500
> Aug 24 05:48:47 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[2] 192.168.1.102 #2: failed to build
> notification for spisize=0
> Aug 24 05:48:51 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[2] 192.168.1.102 #2: Quick Mode I1
> message is unacceptable because it uses a previously used Message ID
> 0x4dcc678d (perhaps this is a duplicated packet)
> Aug 24 05:48:51 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[2] 192.168.1.102 #2: sending encrypted
> notification INVALID_MESSAGE_ID to 192.168.1.102:500
> Aug 24 05:48:51 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[2] 192.168.1.102 #2: failed to build
> notification for spisize=0
> Aug 24 05:48:59 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[2] 192.168.1.102 #2: Quick Mode I1
> message is unacceptable because it uses a previously used Message ID
> 0x4dcc678d (perhaps this is a duplicated packet)
> Aug 24 05:48:59 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[2] 192.168.1.102 #2: sending encrypted
> notification INVALID_MESSAGE_ID to 192.168.1.102:500
> Aug 24 05:48:59 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[2] 192.168.1.102 #2: failed to build
> notification for spisize=0
> Aug 24 05:49:15 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[2] 192.168.1.102 #2: Quick Mode I1
> message is unacceptable because it uses a previously used Message ID
> 0x4dcc678d (perhaps this is a duplicated packet)
> Aug 24 05:49:15 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[2] 192.168.1.102 #2: sending encrypted
> notification INVALID_MESSAGE_ID to 192.168.1.102:500
> Aug 24 05:49:15 gtds-vpnserver pluto[3593]:
> "roadwarrior-l2tp-updatedwin"[2] 192.168.1.102 #2: failed to build
> notification for spisize=0


-- 
=======================================================================
Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
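A diagnostic in the spirit of the advice above, added here as an example and not code from the list or from Openswan: it parses the pluto "no connection is known for" line, splits both distinguished names at RDN boundaries (keeping a comma inside a value such as "O=Example Corp, LLC" intact), and reports which RDN or protoport of the configured leftid/rightid differs from what the peer presented. The log line, addresses, DNs and the CONN values are constructed placeholders, and comparison is positional, as a strict DN match is.

```python
import re
from itertools import zip_longest

# Constructed sample pluto log line, joined onto one line; addresses and DNs are placeholders.
LOG_LINE = (
    'Aug 24 05:46:41 vpnserver pluto[3593]: "roadwarrior-l2tp"[1] 192.0.2.102 #1: '
    'cannot respond to IPsec SA request because no connection is known for '
    '192.0.2.152[C=US, O=Example Corp, LLC, OU=Support, CN=gateway.example.net]:17/0'
    '...192.0.2.102[C=US, O=Example Corp, LLC, OU=Support, CN=lordvader]:17/1701'
)

# Hypothetical ipsec.conf values; rightid still carries the OU from the old client cert.
CONN = {
    "leftid": "C=US, O=Example Corp, LLC, OU=Support, CN=gateway.example.net",
    "leftprotoport": "17/0",
    "rightid": "C=US, O=Example Corp, LLC, OU=Staff, CN=lordvader",
    "rightprotoport": "17/1701",
}

_ENDPOINT = re.compile(r"^(\S+)\[(.*)\]:(\d+/\d+)$")
# Split a DN only at commas that begin a new "attr=" pair, so "O=Example Corp, LLC" stays whole.
_RDN_SPLIT = re.compile(r",\s*(?=[A-Za-z]+=)")

def parse_dn(dn):
    """Return the DN as an ordered list of (attr, value) pairs."""
    return [tuple(p.split("=", 1)) for p in _RDN_SPLIT.split(dn.strip())]

def parse_request(line):
    """Extract (ip, dn, proto/port) for both ends of the rejected IPsec SA request."""
    m = re.search(r"no connection is known for (.*)$", line)
    if not m or "..." not in m.group(1):
        return None
    ends = [_ENDPOINT.match(s.strip()) for s in m.group(1).split("...", 1)]
    return None if None in ends else tuple(e.groups() for e in ends)

def diff_dn(expected, actual):
    """List the positions where the configured DN and the peer's DN disagree."""
    pairs = zip_longest(parse_dn(expected), parse_dn(actual), fillvalue=("<missing>", ""))
    return [f"{e[0]}={e[1]!r} in conf vs {a[0]}={a[1]!r} from peer" for e, a in pairs if e != a]

def check_connection(conn, line):
    """Return the mismatches between conn and the logged request ([] means it matches)."""
    req = parse_request(line)
    if req is None:
        return ["log line does not carry a parsable IPsec SA request"]
    problems = []
    for side, (_ip, dn, protoport) in zip(("left", "right"), req):
        problems += [f"{side}id: {d}" for d in diff_dn(conn[side + "id"], dn)]
        if conn[side + "protoport"] != protoport:
            problems.append(f"{side}protoport: {conn[side + 'protoport']} in conf vs {protoport} from peer")
    return problems
```

Run `check_connection(CONN, LOG_LINE)` against the conn shown by `ipsec auto --status`; an empty list means the definition and the request agree field for field.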