[Openswan Users] X.509 - cannot respond to SA

Antony Gelberg antony at antgel.co.uk
Wed Feb 2 14:48:43 CET 2005


Hi all,

I've got some sort of mental block over what I'm sure is a pretty 
obvious problem.  When I try to connect to my openswan host from either 
an openswan or Windows (Marcus Muller client) peer, I get the following 
(names / ip addresses munged etc):

Feb  2 14:34:14 vpnbox pluto[6874]: "rw"[1] a.b.c.d:4500 #1: cannot 
respond to IPsec SA request because no connection is known for 
e.f.g.h:4500[C=GB, ST=Dullsville, L=Location, O=John Smith (UK) Ltd, 
CN=VPN-Gateway]...a.b.c.d:4500[C=GB, ST=Dullsville, L=Location, O=John 
Smith (UK) Ltd, CN=Road Warrior]===192.168.168.10/32

I find this line a bit cryptic - what is the meaning of the ... and ===?

e.f.g.h is the public IP of the openswan host.  a.b.c.d is the public IP 
address of the peer's router.  192.168.168.10 is the private IP of the 
peer (using NAT of course).

I can see that the CNs are different - should they be the same?  Here's 
a snippet from ipsec.conf on the host:

config setup
         interfaces=%defaultroute
         nat_traversal=yes
         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
         keyingtries=1
         compress=yes
         disablearrivalcheck=no
         authby=rsasig
         leftrsasigkey=%cert
         rightrsasigkey=%cert

conn roadwarrior
         left=%defaultroute
         leftsubnet=192.168.0.0/24
         leftcert=/etc/ssl/certs/vpnbox_cert.pem
         right=%any
         rightcert=/etc/ssl/certs/rw_cert.pem
         auto=add
         pfs=yes

And on the peer:

config setup
         interfaces=%defaultroute
         nat_traversal=yes

# Add connections here
conn %default
         keyingtries=1
         compress=yes
         authby=rsasig
         leftrsasigkey=%cert
         rightrsasigkey=%cert

conn johnsmith
         left=82.70.62.108
         leftcert=/etc/ipsec.d/certs/vpnbox.johnsmith.co.uk_cert.pem
         right=%defaultroute
         rightcert=/etc/ipsec.d/certs/rw.vpnbox.johnsmith.co.uk_cert.pem
         auto=add
         pfs=yes

Any help would be much appreciated.

Antony

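As an added illustration (editor's example, not from the thread or from Openswan itself): a small parser for the "no connection is known for" message, written on the reading that pluto prints the proposed connection as LEFT...RIGHT, where `...` separates the two ends, `===` joins a subnet to the host it sits behind, and the bracketed text after each address is that end's ID (here the certificate subject DN). The sample line is a reconstruction of the one quoted above, with the same munged addresses.

```python
import re

# Constructed sample, modelled on the pluto line quoted in the post (addresses munged as there).
SAMPLE = ('Feb  2 14:34:14 vpnbox pluto[6874]: "rw"[1] a.b.c.d:4500 #1: cannot '
          'respond to IPsec SA request because no connection is known for '
          'e.f.g.h:4500[C=GB, ST=Dullsville, L=Location, O=John Smith (UK) Ltd, '
          'CN=VPN-Gateway]...a.b.c.d:4500[C=GB, ST=Dullsville, L=Location, O=John '
          'Smith (UK) Ltd, CN=Road Warrior]===192.168.168.10/32')

# One end of a connection as pluto prints it (assumed layout):
#   [subnet===]host[:port][ID][===subnet]
END_RE = re.compile(
    r'^(?:(?P<lsub>[^=\[]+)===)?(?P<host>[^\[]+)\[(?P<id>[^\]]*)\](?:===(?P<rsub>\S+))?$')


def parse_dn(text):
    """'C=GB, ST=..., CN=...' -> dict (plain DNs only; escaped commas not handled)."""
    return dict(p.strip().partition('=')[::2] for p in text.split(','))


def parse_end(text):
    m = END_RE.match(text.strip())
    if not m:
        raise ValueError(f'unparseable connection end: {text!r}')
    host, sep, port = m.group('host').rpartition(':')
    if not sep:                     # no ":port" given
        host, port = port, None
    return {'host': host, 'port': port, 'id': parse_dn(m.group('id')),
            'subnet': m.group('lsub') or m.group('rsub')}


def parse_no_connection(line):
    """Split a 'no connection is known for LEFT...RIGHT' line into its two ends."""
    m = re.search(r'no connection is known for (?P<desc>.+)$', line)
    if not m:
        return None
    left, sep, right = m.group('desc').partition('...')
    if not sep:
        raise ValueError('expected "..." between the two ends')
    return {'left': parse_end(left), 'right': parse_end(right)}


def summarize(conn):
    """One fragment per end: CN, address, and the subnet behind it, if any."""
    def end(e):
        where = f"{e['host']}:{e['port']}" if e['port'] else e['host']
        return f"{e['id'].get('CN')}@{where}" + (f" (subnet {e['subnet']})" if e['subnet'] else '')
    return f"{end(conn['left'])} <-> {end(conn['right'])}"
```

Each end carries its own certificate DN, so the parsed output makes it easy to compare the IDs and subnets pluto saw against the `left*`/`right*` values of the loaded conns.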