[Openswan Users] Road warrior x509 question
Joost Kraaijeveld
J.Kraaijeveld at Askesis.nl
Mon Feb 28 16:10:32 CET 2005
Hi all,
I am trying to set up a roadwarrior with Debian Openswan U2.3.0/K2.6.3-1-386 (netkey) and Windows 2000. The tunnel is not working (hence this mail ;-)) and the Linux machine has the following in the /var/log/auth.log:
Feb 28 14:08:36 localhost pluto[18310]: packet from 82.161.125.16:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Feb 28 14:08:36 localhost pluto[18310]: packet from 82.161.125.16:500: ignoring Vendor ID payload [FRAGMENTATION]
Feb 28 14:08:36 localhost pluto[18310]: packet from 82.161.125.16:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Feb 28 14:08:36 localhost pluto[18310]: "obc-roadwarriors"[7] 82.161.125.16 #12: responding to Main Mode from unknown peer 82.161.125.16
Feb 28 14:08:36 localhost pluto[18310]: "obc-roadwarriors"[7] 82.161.125.16 #12: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 28 14:08:37 localhost pluto[18310]: "obc-roadwarriors"[7] 82.161.125.16 #12: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Feb 28 14:08:37 localhost pluto[18310]: "obc-roadwarriors"[7] 82.161.125.16 #12: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 28 14:08:37 localhost pluto[18310]: "obc-roadwarriors"[7] 82.161.125.16 #12: next payload type of ISAKMP Hash Payload has an unknown value: 159
Feb 28 14:08:37 localhost pluto[18310]: "obc-roadwarriors"[7] 82.161.125.16 #12: malformed payload in packet
Feb 28 14:08:37 localhost pluto[18310]: "obc-roadwarriors"[7] 82.161.125.16 #12: sending notification PAYLOAD_MALFORMED to 82.161.125.16:500
Below is the procedure I followed to create the certificates.
Anyone any idea where to look for any misconfiguration?
Regards,
Joost Kraaijeveld
Askesis B.V.
Molukkenstraat 14
6524NB Nijmegen
tel: 024-3888063 / 06-51855277
fax: 024-3608416
e-mail: J.Kraaijeveld at Askesis.nl
web: www.askesis.nl
# Working files for 'openssl ca'. The [ ca ] section of the openssl.cnf that
# 'openssl ca' reads (the stock one, since no -config is given) must point
# database= and serial= at these two files and new_certs_dir= at an existing
# directory, otherwise the signing steps below refuse to run.
mkdir -p /etc/ipsec.d/ca
touch /etc/ipsec.d/ca/index.txt
touch /etc/ipsec.d/ca/serial
echo '01' > /etc/ipsec.d/ca/serial
# creation of the CA: self-signed, 4 years, 1024-bit RSA (far too small today;
# use at least 2048). The DN is prompted for interactively. -passin has no
# effect here because no existing key is read; -passout encrypts the new key.
/usr/bin/openssl req \
-x509 \
-days 1460 \
-newkey rsa:1024 \
-keyout /etc/ipsec.d/private/ca.key \
-out /etc/ipsec.d/cacerts/cacert.pem \
-passin pass:my_password \
-passout pass:my_password
# Request and certificate for vpnserver.mydomain.nl.
# The server key stays encrypted with my_password, so ipsec.secrets must carry
# that passphrase alongside the key path.
/usr/bin/openssl req \
-newkey rsa:1024 \
-keyout /etc/ipsec.d/private/vpnserver.mydomain.nl.key \
-out /etc/ipsec.d/certs/vpnserver.mydomain.nl.req \
-passin pass:my_password \
-passout pass:my_password
# With the stock openssl.cnf the default policy (policy_match) requires the
# request's C, ST and O to equal the CA's; 'openssl ca' also asks for
# confirmation before signing and before committing the database.
/usr/bin/openssl ca \
-in /etc/ipsec.d/certs/vpnserver.mydomain.nl.req \
-days 730 \
-out /etc/ipsec.d/certs/vpnserver.mydomain.nl.cert \
-passin pass:my_password \
-notext \
-cert /etc/ipsec.d/cacerts/cacert.pem \
-keyfile /etc/ipsec.d/private/ca.key
# Request and certificate for roadwarrior.mydomain.nl (same procedure)
/usr/bin/openssl req \
-newkey rsa:1024 \
-keyout /etc/ipsec.d/private/roadwarrior.mydomain.nl.key \
-out /etc/ipsec.d/certs/roadwarrior.mydomain.nl.req \
-passin pass:my_password \
-passout pass:my_password
/usr/bin/openssl ca \
-in /etc/ipsec.d/certs/roadwarrior.mydomain.nl.req \
-days 730 \
-out /etc/ipsec.d/certs/roadwarrior.mydomain.nl.cert \
-passin pass:my_password \
-notext \
-cert /etc/ipsec.d/cacerts/cacert.pem \
-keyfile /etc/ipsec.d/private/ca.key
# PKCS#12 bundle for the Windows client: the roadwarrior key and certificate
# plus the CA certificate (-certfile), so importing the .p12 also installs the
# CA. -name and -caname are only the friendly names shown by the importer.
/usr/bin/openssl pkcs12 \
-export \
-inkey /etc/ipsec.d/private/roadwarrior.mydomain.nl.key \
-in /etc/ipsec.d/certs/roadwarrior.mydomain.nl.cert \
-name roadwarrior.mydomain.nl \
-certfile /etc/ipsec.d/cacerts/cacert.pem \
-caname "OBC" \
-out roadwarrior.mydomain.nl.p12 \
-passin pass:my_password \
-passout pass:my_password
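The procedure in the post depends on whatever openssl.cnf happens to be on the box and never checks the result. The script below is an added example, not code from the post or from Openswan: it rebuilds the same three-part PKI (CA, vpnserver.mydomain.nl, roadwarrior.mydomain.nl) in a scratch directory with an explicit openssl.cnf, then runs the checks a practitioner would want before copying anything into /etc/ipsec.d: both leaves chain to the CA, the subject DNs and subjectAltNames (what leftid=/rightid= have to match) are what you expect, and the .p12 opens with its passphrase. The organisation name "OBC", the CA CN, the 2048-bit keys and the scratch directory are assumptions; the PKCS#12 is written in the SHA1/3DES flavour because old Windows releases do not import the AES/PBKDF2 default of OpenSSL 3.

```shell
#!/bin/sh
# Added example (not from the original post or from Openswan): build and
# cross-check a CA + server + roadwarrior PKI in a scratch directory.
# Assumes OpenSSL 1.1.1 or 3.x on PATH. Names/DNs below are invented.
set -eu

PW=my_password   # mirrors the post; in practice read this from a secret store

# write_cnf DIR: minimal openssl.cnf whose [ca] section points at DIR
write_cnf() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca       = obc_ca

[ obc_ca ]
dir              = $1
database         = \$dir/ca/index.txt
serial           = \$dir/ca/serial
new_certs_dir    = \$dir/ca/newcerts
certificate      = \$dir/cacerts/cacert.pem
private_key      = \$dir/private/ca.key
default_md       = sha256
default_days     = 730
policy           = policy_any
email_in_dn      = no

[ policy_any ]
organizationName = optional
commonName       = supplied

[ req ]
distinguished_name = req_dn
prompt           = no

[ req_dn ]
O                = OBC
CN               = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# sign_leaf DIR CN: encrypted key + request, then a CA-signed end-entity
# certificate carrying subjectAltName = DNS:CN.
sign_leaf() {
  dir=$1; cn=$2
  openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 \
    -subj "/O=OBC/CN=$cn" -keyout "$dir/private/$cn.key" \
    -out "$dir/certs/$cn.req" -passout "pass:$PW" 2>/dev/null
  cat > "$dir/certs/$cn.ext" <<EOF
[ leaf ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = DNS:$cn
authorityKeyIdentifier = keyid
EOF
  openssl ca -config "$dir/openssl.cnf" -batch -notext \
    -extfile "$dir/certs/$cn.ext" -extensions leaf \
    -in "$dir/certs/$cn.req" -out "$dir/certs/$cn.cert" -passin "pass:$PW"
}

# build_pki DIR: CA, two leaves, and the PKCS#12 for the Windows client
build_pki() {
  dir=$1
  mkdir -p "$dir/ca/newcerts" "$dir/private" "$dir/certs" "$dir/cacerts"
  : > "$dir/ca/index.txt"
  echo 01 > "$dir/ca/serial"
  write_cnf "$dir"
  openssl req -x509 -config "$dir/openssl.cnf" -extensions v3_ca \
    -days 1460 -newkey rsa:2048 -subj "/O=OBC/CN=OBC CA" \
    -keyout "$dir/private/ca.key" -out "$dir/cacerts/cacert.pem" \
    -passout "pass:$PW" 2>/dev/null
  sign_leaf "$dir" vpnserver.mydomain.nl
  sign_leaf "$dir" roadwarrior.mydomain.nl
  # key + cert + CA in one bundle; SHA1/3DES so that old Windows can import it
  openssl pkcs12 -export -inkey "$dir/private/roadwarrior.mydomain.nl.key" \
    -in "$dir/certs/roadwarrior.mydomain.nl.cert" \
    -certfile "$dir/cacerts/cacert.pem" -name roadwarrior.mydomain.nl \
    -caname "OBC" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -out "$dir/roadwarrior.mydomain.nl.p12" -passin "pass:$PW" -passout "pass:$PW"
}

# check_pki DIR: consistency checks; set -e aborts on the first failure
check_pki() {
  dir=$1
  # 1. both leaves chain to the CA that pluto will load from cacerts/
  openssl verify -CAfile "$dir/cacerts/cacert.pem" \
    "$dir/certs/vpnserver.mydomain.nl.cert" "$dir/certs/roadwarrior.mydomain.nl.cert"
  # 2. subject/issuer DN and SAN of each leaf: leftid=/rightid= must match these
  for cn in vpnserver.mydomain.nl roadwarrior.mydomain.nl; do
    openssl x509 -in "$dir/certs/$cn.cert" -noout -subject -issuer
    openssl x509 -in "$dir/certs/$cn.cert" -noout -text | grep -A1 'Subject Alternative Name'
  done
  # 3. the .p12 opens with the passphrase and carries the client certificate
  openssl pkcs12 -in "$dir/roadwarrior.mydomain.nl.p12" -passin "pass:$PW" \
    -nokeys -clcerts 2>/dev/null | openssl x509 -noout -subject
}

WORK=$(mktemp -d)
build_pki "$WORK"
check_pki "$WORK"
echo "PKI built and verified in $WORK"
```

Run it once on a scratch machine; if any of the three checks fails there, the same files will not authenticate under pluto either, and the failure is cheaper to read here than in auth.log.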