[Openswan Users] the SA can't be established; I'm using X.509 certificates

谈修竹 tanbamboo at gmail.com
Tue Jul 26 16:34:18 CEST 2005


Dear Openswan users and developers:
I want to make a VPN tunnel using Openswan, but when I bring the connection up, the
SA can't be established. I am using X.509 certificates.
What's wrong with my config? Can anybody tell me?
Thanks for your help.
Any articles or information on this problem are welcome.
The certs were all generated by others, and I have googled X.509, but there
doesn't seem to be very much useful info.
The version of Openswan: Openswan 2.3.1 X.509-1.5.4
  The network:
====================================
192.168.0.1/24          202.106.1.1                    202.106.1.33          192.168.1.0/24
 net1============gw1-----------------------------gw2============net2
 Executed on gw2:
====================================
$ipsec auto --up foo
104 "foo" #33: STATE_MAIN_I1: initiate
003 "foo" #33: received Vendor ID payload [Openswan (this version) 2.3.1 
X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "foo" #33: received Vendor ID payload [Dead Peer Detection] 
106 "foo" #33: STATE_MAIN_I2: sent MI2, expecting MR2
108 "foo" #33: STATE_MAIN_I3: sent MI3, expecting MR3
003 "foo" #33: discarding duplicate packet; already STATE_MAIN_I3
010 "foo" #33: STATE_MAIN_I3: retransmission; will wait 20s for response 
003 "foo" #33: discarding duplicate packet; already STATE_MAIN_I3
010 "foo" #33: STATE_MAIN_I3: retransmission; will wait 40s for response 
 The full debug log on gw1:
===================================
Jul 26 14:18:45 (none) pluto[1022]: | certificate signature (C=cn, ST=china, 
L=hangzhou, O=junction, OU=soft1, CN=junction, E=cigant at yahoo.com.cn -> 
C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, 
E=cigant at yahoo.com.cn) is valid
Jul 26 14:18:45 (none) pluto[1022]: | reached self-signed root ca
Jul 26 14:18:45 (none) pluto[1022]: | Public key validated
Jul 26 14:18:45 (none) pluto[1022]: | unreference key: 0x8104f78 C=cn, 
ST=china, L=hangzhou, O=junction, OU=server, CN=server, 
E=cigant at yahoo.com.cn cnt 1--
Jul 26 14:18:45 (none) pluto[1022]: | CR
Jul 26 14:18:45 (none) pluto[1022]: | requested CA: '%any'
Jul 26 14:18:45 (none) pluto[1022]: | refine_connection: starting with 
road-conn 
Jul 26 14:18:45 (none) pluto[1022]: | match_id a=C=cn, ST=china, L=hangzhou, 
O=junction, OU=server, CN=server, E=cigant at yahoo.com.cn
Jul 26 14:18:45 (none) pluto[1022]: | b= 202.106.1.33
Jul 26 14:18:45 (none) pluto[1022]: | results fail
Jul 26 14:18:45 (none) pluto[1022]: | trusted_ca called with a=C=cn, 
ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, 
E=cigant at yahoo.com.cn b=(empty)
Jul 26 14:18:45 (none) pluto[1022]: | refine_connection: checking road-conn 
against road-conn, best=(none) with match=0(id=0/ca=1/reqca=1) 
Jul 26 14:18:45 (none) pluto[1022]: | find_host_pair: comparing to 202.106.1.1:500 202.106.1.33:500
Jul 26 14:18:45 (none) pluto[1022]: | find_host_pair: comparing to 202.106.1.1:500 0.0.0.0:500
Jul 26 14:18:45 (none) pluto[1022]: | find_host_pair_conn (refine_host_connection): 202.106.1.1:500 %any:500 -> hp:road-conn
Jul 26 14:18:45 (none) pluto[1022]: | match_id a=C=cn, ST=china, L=hangzhou, 
O=junction, OU=server, CN=server, E=cigant at yahoo.com.cn
Jul 26 14:18:45 (none) pluto[1022]: | b=(none) 
Jul 26 14:18:45 (none) pluto[1022]: | results matched
Jul 26 14:18:45 (none) pluto[1022]: | trusted_ca called with a=C=cn, 
ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, 
E=cigant at yahoo.com.cn b=(empty)
Jul 26 14:18:45 (none) pluto[1022]: | refine_connection: checking road-conn 
against road-conn, best=(none) with match=1(id=1/ca=1/reqca=1)
Jul 26 14:18:45 (none) pluto[1022]: | refine_connection: checked road-conn 
against road-conn, now for see if best 
Jul 26 14:18:45 (none) pluto[1022]: | started looking for secret for C=cn, ST=china, L=shanghai, O=junction, OU=soft2, CN=joshua, E=joshua at socix.com->(none) of kind PPK_RSA
Jul 26 14:18:45 (none) pluto[1022]: "road-conn"[22] 202.106.1.33 #25: no suitable connection for peer 'C=cn, ST=china, L=hangzhou, O=junction, OU=server, CN=server, E=cigant at yahoo.com.cn'
Jul 26 14:18:45 (none) pluto[1022]: | complete state transition with (null)
Jul 26 14:18:45 (none) pluto[1022]: "road-conn"[22] 202.106.1.33 #25: sending encrypted notification INVALID_ID_INFORMATION to 202.106.1.33:500
   ipsec.conf on gw1:
====================================
[root@(none) cacerts]# cat /etc/ipsec.conf
version 2.0
config setup
        klipsdebug=none
        plutodebug=all
conn %default
        compress=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=202.106.1.1
        leftcert=server.crt
        leftnexthop=%defaultroute
        auto=add
        pfs=yes
conn block
        auto=ignore
conn clear
        auto=ignore
conn private
        auto=ignore
conn clear-or-private
        auto=ignore
conn private-or-clear
        auto=ignore
conn packetdefault
        auto=ignore
conn road-conn
        right=%any
        leftsubnet=192.168.0.0/24
 Certs on gw1:
====================================
[root@(none) cacerts]# ipsec auto --listall
000 
000 List of Public Keys:
000 
000 Jul 26 13:58:02 2005, 1024 RSA Key AwEAAaaei, until May 12 14:26:24 2006 
ok
000 ID_DER_ASN1_DN 'C=cn, ST=china, L=hangzhou, O=junction, OU=server, 
CN=server, E=cigant at yahoo.com.cn'
000 Issuer 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, 
E=cigant at yahoo.com.cn'
000 Jul 26 13:49:52 2005, 1024 RSA Key AwEAAdNa1, until May 12 14:34:37 2006 
ok
000 ID_DER_ASN1_DN 'C=cn, ST=china, L=shanghai, O=junction, OU=soft2, 
CN=joshua, E=joshua at socix.com' 
000 Issuer 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, 
E=cigant at yahoo.com.cn'
000 
000 List of X.509 End Certificates:
000 
000 Jul 26 13:49:52 2005, count: 2 
000 subject: 'C=cn, ST=china, L=shanghai, O=junction, OU=soft2, CN=joshua, 
E=joshua at socix.com'
000 issuer: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, 
E=cigant at yahoo.com.cn'
000 serial: 02
000 pubkey: 1024 RSA Key AwEAAdNa1
000 validity: not before May 12 14:34:37 2005 ok
000 not after May 12 14:34:37 2006 ok 
000 subjkey: db:a1:0a:d2:99:3d:28:ae:46:5c:a0:a1:66:51:94:52:c7:59:a7:28
000 authkey: c3:b5:b7:c0:2b:6e:15:cc:9e:15:8c:6f:5f:bf:70:6d:e0:ad:6b:bd
000 aserial: 00
000 
000 List of X.509 CA Certificates:
000 
000 Jul 26 13:49:52 2005, count: 1
000 subject: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, 
E=cigant at yahoo.com.cn'
000 issuer: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, 
E=cigant at yahoo.com.cn'
000 serial: 00
000 pubkey: 1024 RSA Key AwEAAcrMM 
000 validity: not before May 12 14:26:24 2005 ok
000 not after May 12 14:26:24 2006 ok
000 subjkey: c3:b5:b7:c0:2b:6e:15:cc:9e:15:8c:6f:5f:bf:70:6d:e0:ad:6b:bd
000 authkey: c3:b5:b7:c0:2b:6e:15:cc:9e:15:8c:6f:5f:bf:70:6d:e0:ad:6b:bd 
000 aserial: 00
 ipsec.conf on gw2:
===================================

root at vpn:/etc/ipsec.d/cacerts# cat /etc/ipsec.conf
#/etc/ipsec.conf - FreeS/WAN IPsec configuration file

version 2.0

config setup
        klipsdebug=all
        plutodebug=all

conn %default
        compress=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=202.106.1.33
        leftcert=server.crt
        leftnexthop=%defaultroute
        auto=add
        pfs=yes

conn clear
        auto=ignore
conn private
        auto=ignore
conn clear-or-private
        auto=ignore
conn private-or-clear
        auto=ignore
conn packetdefault
        auto=ignore

conn foo
        right=202.106.1.1
        rightid="/C=cn/ST=china/L=shanghai/O=junction/OU=soft2/CN=joshua/emailAddress=joshua at socix.com"

conn net
        leftsubnet=192.168.1.0/24
        right=202.106.1.1
        rightsubnet=192.168.0.0/24
        rightid="/C=cn/ST=china/L=shanghai/O=junction/OU=soft2/CN=joshua/emailAddress=joshua at socix.com"
Certs on gw2:
certs on the gw2:
===================================
root at vpn:/etc/ipsec.d/cacerts# ipsec auto --listall
000 
000 List of Public Keys:
000 
000 Jul 26 13:40:42 2005, 1024 RSA Key AwEAAaaei, until May 12 14:43:12 2006 
ok 
000 ID_DER_ASN1_DN 'C=cn, ST=china, L=hangzhou, O=junction, OU=server, 
CN=server, E=cigant at yahoo.com.cn'
000 Issuer 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, 
E=cigant at yahoo.com.cn'
000 
000 List of X.509 End Certificates:
000 
000 Jul 26 13:40:42 2005, count: 2
000 subject: 'C=cn, ST=china, L=hangzhou, O=junction, OU=server, CN=server, 
E=cigant at yahoo.com.cn'
000 issuer: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, 
E=cigant at yahoo.com.cn'
000 serial: 03
000 pubkey: 1024 RSA Key AwEAAaaei, has private key
000 validity: not before May 12 14:43:12 2005 ok
000 not after May 12 14:43:12 2006 ok
000 subjkey: eb:b1:a3:7f:2e:cb:69:da:0c:b0:5a:0f:a9:c9:a4:5f:b9:e8:ab:f8 
000 authkey: c3:b5:b7:c0:2b:6e:15:cc:9e:15:8c:6f:5f:bf:70:6d:e0:ad:6b:bd
000 aserial: 00
000 
000 List of X.509 CA Certificates:
000 
000 Jul 26 13:40:41 2005, count: 1
000 subject: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, 
E=cigant at yahoo.com.cn'
000 issuer: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, 
E=cigant at yahoo.com.cn'
000 serial: 00
000 pubkey: 1024 RSA Key AwEAAcrMM
000 validity: not before May 12 14:26:24 2005 ok
000 not after May 12 14:26:24 2006 ok
000 subjkey: c3:b5:b7:c0:2b:6e:15:cc:9e:15:8c:6f:5f:bf:70:6d:e0:ad:6b:bd 
000 authkey: c3:b5:b7:c0:2b:6e:15:cc:9e:15:8c:6f:5f:bf:70:6d:e0:ad:6b:bd
000 aserial: 00
000 
000 List of X.509 CRLs:
000 
000 Jul 26 13:40:41 2005, revoked certs: 0
000 issuer: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, 
E=cigant at yahoo.com.cn'
000 updates: this May 12 14:30:04 2005
000 next Jun 11 14:30:04 2005 warning (expired)
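The post gives both gateways' `ipsec auto --listall` output and the rightid values from gw2's ipsec.conf, and the gw1 log ends with pluto looking for an RSA secret for the joshua certificate just before it reports "no suitable connection for peer". The script below is an added example, not the poster's or Openswan's code: it parses listall output and checks three things a practitioner would want to see side by side, whether a conn's rightid (OpenSSL slash form, `emailAddress=`) names the same DN as the certificate pluto prints in comma form with `E=`, whether the peer's gateway actually reports "has private key" for that certificate, and whether any loaded CRL is past its next-update time. The sample listings are constructed from the gw1 and gw2 output above, trimmed to the sections the checks read and with the archive's " at " restored to "@"; the function names and the classification strings are my own.

```python
"""Cross-check an Openswan X.509 setup from `ipsec auto --listall` output.
Added example for this thread, not Openswan code."""
import re
from typing import Dict, List, Optional, Tuple

DN = Tuple[Tuple[str, str], ...]
# OpenSSL's slash form spells the e-mail attribute "emailAddress"; pluto prints
# the same attribute as "E". Both must compare equal.
ATTR_ALIASES = {"EMAILADDRESS": "E", "EMAIL": "E"}
ENTRY_START = re.compile(r"^[A-Z][a-z]{2} \d+ \d\d:\d\d:\d\d \d{4},")

# Constructed from the gw1 listing in the post (" at " restored to "@").
GW1_LISTALL = """\
000 List of X.509 End Certificates:
000
000 Jul 26 13:49:52 2005, count: 2
000 subject: 'C=cn, ST=china, L=shanghai, O=junction, OU=soft2, CN=joshua, E=joshua@socix.com'
000 issuer: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, E=cigant@yahoo.com.cn'
000 pubkey: 1024 RSA Key AwEAAdNa1
"""
# Constructed from the gw2 listing in the post.
GW2_LISTALL = """\
000 List of X.509 End Certificates:
000
000 Jul 26 13:40:42 2005, count: 2
000 subject: 'C=cn, ST=china, L=hangzhou, O=junction, OU=server, CN=server, E=cigant@yahoo.com.cn'
000 issuer: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, E=cigant@yahoo.com.cn'
000 pubkey: 1024 RSA Key AwEAAaaei, has private key
000 validity: not before May 12 14:43:12 2005 ok
000 not after May 12 14:43:12 2006 ok
000
000 List of X.509 CRLs:
000
000 Jul 26 13:40:41 2005, revoked certs: 0
000 issuer: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction, E=cigant@yahoo.com.cn'
000 updates: this May 12 14:30:04 2005
000 next Jun 11 14:30:04 2005 warning (expired)
"""
# rightid of conn foo / conn net on gw2, as written in the post.
GW2_RIGHTID = "/C=cn/ST=china/L=shanghai/O=junction/OU=soft2/CN=joshua/emailAddress=joshua@socix.com"


def normalize_dn(text: str) -> DN:
    """Parse a DN in OpenSSL slash form (/C=cn/.../emailAddress=x) or in the
    comma form pluto prints (C=cn, ..., E=x) into one canonical tuple."""
    text = text.strip().strip("'\"")
    parts = text[1:].split("/") if text.startswith("/") else text.split(",")
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in {text!r}")
        attr, value = part.split("=", 1)
        attr = attr.strip().upper()
        rdns.append((ATTR_ALIASES.get(attr, attr), value.strip()))
    return tuple(rdns)


def parse_listall(output: str) -> Dict[str, List[Dict[str, str]]]:
    """Split listall output into its "List of ..." sections; each entry becomes
    a dict of the "key: value" lines pluto printed for it."""
    sections: Dict[str, List[Dict[str, str]]] = {}
    current: List[Dict[str, str]] = []
    entry: Optional[Dict[str, str]] = None
    for raw in output.splitlines():
        line = (raw[4:] if raw.startswith("000") else raw).strip()  # drop "000 "
        if line.startswith("List of "):
            current = sections.setdefault(line[len("List of "):].rstrip(":"), [])
            entry = None
        elif not line:
            entry = None                      # blank line closes an entry
        elif ENTRY_START.match(line):         # "Jul 26 13:49:52 2005, count: 2"
            entry = {"loaded": line}
            current.append(entry)
        elif entry is None:
            continue
        elif line.startswith("not after "):   # continuation of the validity line
            entry["not after"] = line[len("not after "):]
        elif line.startswith("next "):        # CRL next-update line
            entry["next"] = line[len("next "):]
        elif ":" in line:
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
    return sections


def end_certs(listall: str) -> List[Dict[str, str]]:
    return parse_listall(listall).get("X.509 End Certificates", [])


def private_key_subjects(listall: str) -> List[DN]:
    """Subjects of end certs pluto marks 'has private key': only these can act
    as leftcert, since RSA-sig authentication needs the matching private key."""
    return [normalize_dn(c["subject"]) for c in end_certs(listall)
            if "has private key" in c.get("pubkey", "")]


def check_rightid(rightid: str, peer_listall: str) -> str:
    """Classify a conn's rightid against the peer gateway's own listall output."""
    want = normalize_dn(rightid)
    if want in private_key_subjects(peer_listall):
        return "ok"
    if want in (normalize_dn(c["subject"]) for c in end_certs(peer_listall)):
        return "cert-without-private-key"
    return "no-such-cert"


def expired_crls(listall: str) -> List[str]:
    """Issuers of loaded CRLs whose next-update time pluto flags as expired."""
    return [c["issuer"] for c in parse_listall(listall).get("X.509 CRLs", [])
            if "expired" in c.get("next", "")]


if __name__ == "__main__":
    print("gw2 rightid vs gw1 certs:", check_rightid(GW2_RIGHTID, GW1_LISTALL))
    print("gw1 certs with private key:", private_key_subjects(GW1_LISTALL))
    print("gw2 expired CRLs:", expired_crls(GW2_LISTALL))
```

Run it against the real listings by pasting each gateway's `ipsec auto --listall` output into the two constants. `check_rightid` only applies to conns that pin a rightid; a conn like gw1's road-conn (right=%any, no rightid) has nothing to compare, which is also why the gw1 log's match_id step passes with `b=(none)`.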