[Openswan Users] Road warrior x509 question

Joost Kraaijeveld J.Kraaijeveld at Askesis.nl
Mon Feb 28 16:10:32 CET 2005


Hi all,

I am trying to set up a roadwarrior with Debian Openswan U2.3.0/K2.6.3-1-386 (netkey) and Windows 2000. The tunnel is not working (hence this mail ;-)) and the Linux machine has the following in the /var/log/auth.log:


Feb 28 14:08:36 localhost pluto[18310]: packet from 82.161.125.16:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Feb 28 14:08:36 localhost pluto[18310]: packet from 82.161.125.16:500: ignoring Vendor ID payload [FRAGMENTATION]
Feb 28 14:08:36 localhost pluto[18310]: packet from 82.161.125.16:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Feb 28 14:08:36 localhost pluto[18310]: "obc-roadwarriors"[7] 82.161.125.16 #12: responding to Main Mode from unknown peer 82.161.125.16
Feb 28 14:08:36 localhost pluto[18310]: "obc-roadwarriors"[7] 82.161.125.16 #12: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 28 14:08:37 localhost pluto[18310]: "obc-roadwarriors"[7] 82.161.125.16 #12: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Feb 28 14:08:37 localhost pluto[18310]: "obc-roadwarriors"[7] 82.161.125.16 #12: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 28 14:08:37 localhost pluto[18310]: "obc-roadwarriors"[7] 82.161.125.16 #12: next payload type of ISAKMP Hash Payload has an unknown value: 159
Feb 28 14:08:37 localhost pluto[18310]: "obc-roadwarriors"[7] 82.161.125.16 #12: malformed payload in packet
Feb 28 14:08:37 localhost pluto[18310]: "obc-roadwarriors"[7] 82.161.125.16 #12: sending notification PAYLOAD_MALFORMED to 82.161.125.16:500

Below is the procedure I followed to create the certificates.

Does anyone have any idea where to look for a misconfiguration?


Regards,

Joost Kraaijeveld
Askesis B.V.
Molukkenstraat 14
6524NB Nijmegen
tel: 024-3888063 / 06-51855277
fax: 024-3608416
e-mail: J.Kraaijeveld at Askesis.nl
web: www.askesis.nl 




touch /etc/ipsec.d/ca/index.txt
touch /etc/ipsec.d/ca/serial
echo '01' > /etc/ipsec.d/ca/serial

# creation of the CA
/usr/bin/openssl req \
	-x509 \
	-days 1460 \
	-newkey rsa:1024 \
	-keyout /etc/ipsec.d/private/ca.key \
	-out /etc/ipsec.d/cacerts/cacert.pem \
	-passin pass:my_password  \
	-passout pass:my_password

# Request and certificate for vpnserver.mydomain.nl
/usr/bin/openssl req \
	-newkey rsa:1024 \
	-keyout /etc/ipsec.d/private/vpnserver.mydomain.nl.key \
	-out /etc/ipsec.d/certs/vpnserver.mydomain.nl.req \
	-passin pass:my_password \
	-passout pass:my_password

/usr/bin/openssl ca \
	-in /etc/ipsec.d/certs/vpnserver.mydomain.nl.req \
	-days 730 -out /etc/ipsec.d/certs/vpnserver.mydomain.nl.cert \
	-passin pass:my_password \
	-notext \
	-cert /etc/ipsec.d/cacerts/cacert.pem \
	-keyfile /etc/ipsec.d/private/ca.key

# Request and certificate for roadwarrior.mydomain.nl
/usr/bin/openssl req \
	-newkey rsa:1024 \
	-keyout /etc/ipsec.d/private/roadwarrior.mydomain.nl.key \
	-out /etc/ipsec.d/certs/roadwarrior.mydomain.nl.req \
	-passin pass:my_password \
	-passout pass:my_password

/usr/bin/openssl ca \
	-in /etc/ipsec.d/certs/roadwarrior.mydomain.nl.req \
	-days 730 -out /etc/ipsec.d/certs/roadwarrior.mydomain.nl.cert \
	-passin pass:my_password \
	-notext \
	-cert /etc/ipsec.d/cacerts/cacert.pem \
	-keyfile /etc/ipsec.d/private/ca.key

/usr/bin/openssl pkcs12 \
	-export \
	-inkey /etc/ipsec.d/private/roadwarrior.mydomain.nl.key \
	-in /etc/ipsec.d/certs/roadwarrior.mydomain.nl.cert \
	-name roadwarrior.mydomain.nl \
	-certfile /etc/ipsec.d/cacerts/cacert.pem \
	-caname "OBC" \
	-out roadwarrior.mydomain.nl.p12 \
	-passin pass:my_password \
	-passout pass:my_password
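The pluto lines quoted at the top of this mail are easier to triage per ISAKMP SA than by eye. The following script is an added example (not part of the original post or of Openswan) that groups pluto log lines by SA number, records the Main Mode state path, NAT-T result and any error notifications, and reports SAs that sent a notification before reaching STATE_MAIN_R3 (the state in which pluto's Main Mode responder considers the ISAKMP SA established). The sample log is a constructed copy of the lines from the mail.

```python
import re

# Constructed sample: the pluto lines quoted in the mail above.
SAMPLE_LOG = """\
Feb 28 14:08:36 localhost pluto[18310]: packet from 82.161.125.16:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Feb 28 14:08:36 localhost pluto[18310]: "obc-roadwarriors"[7] 82.161.125.16 #12: responding to Main Mode from unknown peer 82.161.125.16
Feb 28 14:08:36 localhost pluto[18310]: "obc-roadwarriors"[7] 82.161.125.16 #12: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 28 14:08:37 localhost pluto[18310]: "obc-roadwarriors"[7] 82.161.125.16 #12: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Feb 28 14:08:37 localhost pluto[18310]: "obc-roadwarriors"[7] 82.161.125.16 #12: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 28 14:08:37 localhost pluto[18310]: "obc-roadwarriors"[7] 82.161.125.16 #12: next payload type of ISAKMP Hash Payload has an unknown value: 159
Feb 28 14:08:37 localhost pluto[18310]: "obc-roadwarriors"[7] 82.161.125.16 #12: malformed payload in packet
Feb 28 14:08:37 localhost pluto[18310]: "obc-roadwarriors"[7] 82.161.125.16 #12: sending notification PAYLOAD_MALFORMED to 82.161.125.16:500
"""

# Lines that belong to an SA look like: pluto[pid]: "conn"[n] peer-ip #sa: message
SA_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<sa>\d+): (?P<msg>.*)$')
TRANS_RE = re.compile(r'transition from state (\S+) to state (\S+)')
NOTIFY_RE = re.compile(r'sending notification (\S+) to')

def summarize_pluto(log_text):
    """Return {sa_id: {conn, peer, states, nated, errors, notifications}} for each ISAKMP SA seen."""
    sas = {}
    for line in log_text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue  # pre-SA lines (Vendor ID payloads) carry no SA number
        sa = sas.setdefault(m['sa'], {'conn': m['conn'], 'peer': m['peer'], 'states': [],
                                      'nated': False, 'errors': [], 'notifications': []})
        msg = m['msg']
        t = TRANS_RE.search(msg)
        if t:
            if not sa['states']:
                sa['states'].append(t.group(1))  # record the starting state once
            sa['states'].append(t.group(2))
        elif 'peer is NATed' in msg:
            sa['nated'] = True
        elif 'malformed' in msg or 'unknown value' in msg:
            sa['errors'].append(msg)  # parse errors pluto logged for this SA
        n = NOTIFY_RE.search(msg)
        if n:
            sa['notifications'].append(n.group(1))
    return sas

def failed_before_established(sas):
    """List (sa_id, last_state) for SAs that sent a notification without reaching STATE_MAIN_R3."""
    return [(k, v['states'][-1]) for k, v in sas.items()
            if v['notifications'] and 'STATE_MAIN_R3' not in v['states']]

if __name__ == '__main__':
    for sa_id, last in failed_before_established(summarize_pluto(SAMPLE_LOG)):
        print(f"SA #{sa_id} stopped at {last}")  # prints: SA #12 stopped at STATE_MAIN_R2
```

Feeding the real /var/log/auth.log through summarize_pluto shows at a glance that negotiation stopped after STATE_MAIN_R2, i.e. while pluto was parsing the peer's third Main Mode message, before any certificate validation took place.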

