[Openswan Users]
the SA can't establish, I am using X.509 certificates
=?GB2312?B?zLjQ3tbx?=
tanbamboo at gmail.com
Tue Jul 26 15:27:52 CEST 2005
Dear Openswan users and developers:
I want to make a VPN tunnel using Openswan, but when I bring up the connection, the
SA can't establish; I am using X.509 certificates.
What's wrong with my config? Can anybody tell me?
Thanks for your help.
Any articles or information on this problem are welcome.
The certs were all generated by others, and I have googled X.509, but there
seems to be not very much useful info.
The version of Openswan: Openswan 2.3.1 X.509-1.5.4
the network:
====================================
192.168.0.1/24     202.106.1.1                         202.106.1.33     192.168.1.0/24
net1============gw1-----------------------------gw2============net2
executed on gw2:
$ipsec auto --up foo
104 "foo" #33: STATE_MAIN_I1: initiate
003 "foo" #33: received Vendor ID payload [Openswan (this version) 2.3.1
X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "foo" #33: received Vendor ID payload [Dead Peer Detection]
106 "foo" #33: STATE_MAIN_I2: sent MI2, expecting MR2
108 "foo" #33: STATE_MAIN_I3: sent MI3, expecting MR3
003 "foo" #33: discarding duplicate packet; already STATE_MAIN_I3
010 "foo" #33: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "foo" #33: discarding duplicate packet; already STATE_MAIN_I3
010 "foo" #33: STATE_MAIN_I3: retransmission; will wait 40s for response
the full debug log on gw1:
===================================
Jul 26 14:18:45 (none) pluto[1022]: | certificate signature (C=cn, ST=china,
L=hangzhou, O=junction, OU=soft1, CN=junction, E=cigant at yahoo.com.cn ->
C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction,
E=cigant at yahoo.com.cn) is valid
Jul 26 14:18:45 (none) pluto[1022]: | reached self-signed root ca
Jul 26 14:18:45 (none) pluto[1022]: | Public key validated
Jul 26 14:18:45 (none) pluto[1022]: | unreference key: 0x8104f78 C=cn,
ST=china, L=hangzhou, O=junction, OU=server, CN=server,
E=cigant at yahoo.com.cn cnt 1--
Jul 26 14:18:45 (none) pluto[1022]: | CR
Jul 26 14:18:45 (none) pluto[1022]: | requested CA: '%any'
Jul 26 14:18:45 (none) pluto[1022]: | refine_connection: starting with
road-conn
Jul 26 14:18:45 (none) pluto[1022]: | match_id a=C=cn, ST=china, L=hangzhou,
O=junction, OU=server, CN=server, E=cigant at yahoo.com.cn
Jul 26 14:18:45 (none) pluto[1022]: | b=202.106.1.33
Jul 26 14:18:45 (none) pluto[1022]: | results fail
Jul 26 14:18:45 (none) pluto[1022]: | trusted_ca called with a=C=cn,
ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction,
E=cigant at yahoo.com.cn b=(empty)
Jul 26 14:18:45 (none) pluto[1022]: | refine_connection: checking road-conn
against road-conn, best=(none) with match=0(id=0/ca=1/reqca=1)
Jul 26 14:18:45 (none) pluto[1022]: | find_host_pair: comparing to 202.106.1.1:500 202.106.1.33:500
Jul 26 14:18:45 (none) pluto[1022]: | find_host_pair: comparing to 202.106.1.1:500 0.0.0.0:500
Jul 26 14:18:45 (none) pluto[1022]: | find_host_pair_conn (refine_host_connection): 202.106.1.1:500 %any:500 -> hp:road-conn
Jul 26 14:18:45 (none) pluto[1022]: | match_id a=C=cn, ST=china, L=hangzhou,
O=junction, OU=server, CN=server, E=cigant at yahoo.com.cn
Jul 26 14:18:45 (none) pluto[1022]: | b=(none)
Jul 26 14:18:45 (none) pluto[1022]: | results matched
Jul 26 14:18:45 (none) pluto[1022]: | trusted_ca called with a=C=cn,
ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction,
E=cigant at yahoo.com.cn b=(empty)
Jul 26 14:18:45 (none) pluto[1022]: | refine_connection: checking road-conn
against road-conn, best=(none) with match=1(id=1/ca=1/reqca=1)
Jul 26 14:18:45 (none) pluto[1022]: | refine_connection: checked road-conn
against road-conn, now for see if best
Jul 26 14:18:45 (none) pluto[1022]: | started looking for secret for C=cn,
ST=china, L=shanghai, O=junction, OU=soft2, CN=joshua,
E=joshua at socix.com->(none) of kind PPK_RSA
Jul 26 14:18:45 (none) pluto[1022]: "road-conn"[22] 202.106.1.33 #25: no suitable connection for peer 'C=cn, ST=china, L=hangzhou, O=junction, OU=server, CN=server, E=cigant at yahoo.com.cn'
Jul 26 14:18:45 (none) pluto[1022]: | complete state transition with (null)
Jul 26 14:18:45 (none) pluto[1022]: "road-conn"[22] 202.106.1.33 #25: sending encrypted notification INVALID_ID_INFORMATION to 202.106.1.33:500
ipsec.conf on the gw1:
====================================
[root@(none) cacerts]# cat /etc/ipsec.conf
version 2.0
config setup
        klipsdebug=none
        plutodebug=all
conn %default
        compress=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=202.106.1.1
        leftcert=server.crt
        leftnexthop=%defaultroute
        auto=add
        pfs=yes
conn block
        auto=ignore
conn clear
        auto=ignore
conn private
        auto=ignore
conn clear-or-private
        auto=ignore
conn private-or-clear
        auto=ignore
conn packetdefault
        auto=ignore
conn road-conn
        right=%any
        leftsubnet=192.168.0.0/24
certs on the gw1:
====================================
[root@(none) cacerts]# ipsec auto --listall
000
000 List of Public Keys:
000
000 Jul 26 13:58:02 2005, 1024 RSA Key AwEAAaaei, until May 12 14:26:24 2006 ok
000 ID_DER_ASN1_DN 'C=cn, ST=china, L=hangzhou, O=junction, OU=server,
CN=server, E=cigant at yahoo.com.cn'
000 Issuer 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction,
E=cigant at yahoo.com.cn'
000 Jul 26 13:49:52 2005, 1024 RSA Key AwEAAdNa1, until May 12 14:34:37 2006 ok
000 ID_DER_ASN1_DN 'C=cn, ST=china, L=shanghai, O=junction, OU=soft2,
CN=joshua, E=joshua at socix.com'
000 Issuer 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction,
E=cigant at yahoo.com.cn'
000
000 List of X.509 End Certificates:
000
000 Jul 26 13:49:52 2005, count: 2
000 subject: 'C=cn, ST=china, L=shanghai, O=junction, OU=soft2, CN=joshua,
E=joshua at socix.com'
000 issuer: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction,
E=cigant at yahoo.com.cn'
000 serial: 02
000 pubkey: 1024 RSA Key AwEAAdNa1
000 validity: not before May 12 14:34:37 2005 ok
000 not after May 12 14:34:37 2006 ok
000 subjkey: db:a1:0a:d2:99:3d:28:ae:46:5c:a0:a1:66:51:94:52:c7:59:a7:28
000 authkey: c3:b5:b7:c0:2b:6e:15:cc:9e:15:8c:6f:5f:bf:70:6d:e0:ad:6b:bd
000 aserial: 00
000
000 List of X.509 CA Certificates:
000
000 Jul 26 13:49:52 2005, count: 1
000 subject: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction,
E=cigant at yahoo.com.cn'
000 issuer: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction,
E=cigant at yahoo.com.cn'
000 serial: 00
000 pubkey: 1024 RSA Key AwEAAcrMM
000 validity: not before May 12 14:26:24 2005 ok
000 not after May 12 14:26:24 2006 ok
000 subjkey: c3:b5:b7:c0:2b:6e:15:cc:9e:15:8c:6f:5f:bf:70:6d:e0:ad:6b:bd
000 authkey: c3:b5:b7:c0:2b:6e:15:cc:9e:15:8c:6f:5f:bf:70:6d:e0:ad:6b:bd
000 aserial: 00
ipsec.conf on the gw2:
===================================
root at vpn:/etc/ipsec.d/cacerts# cat /etc/ipsec.conf
#/etc/ipsec.conf - FreeS/WAN IPsec configuration file
version 2.0
config setup
        klipsdebug=all
        plutodebug=all
conn %default
        compress=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=202.106.1.33
        leftcert=server.crt
        leftnexthop=%defaultroute
        auto=add
        pfs=yes
conn clear
        auto=ignore
conn private
        auto=ignore
conn clear-or-private
        auto=ignore
conn private-or-clear
        auto=ignore
conn packetdefault
        auto=ignore
conn foo
        right=202.106.1.1
        rightid="
/C=cn/ST=china/L=shanghai/O=junction/OU=soft2/CN=joshua/emailAddress=joshua at socix.com
"
conn net
        leftsubnet=192.168.1.0/24
        right=202.106.1.1
        rightsubnet=192.168.0.0/24
        rightid="
/C=cn/ST=china/L=shanghai/O=junction/OU=soft2/CN=joshua/emailAddress=joshua at socix.com
"
certs on the gw2:
===================================
root at vpn:/etc/ipsec.d/cacerts# ipsec auto --listall
000
000 List of Public Keys:
000
000 Jul 26 13:40:42 2005, 1024 RSA Key AwEAAaaei, until May 12 14:43:12 2006 ok
000 ID_DER_ASN1_DN 'C=cn, ST=china, L=hangzhou, O=junction, OU=server,
CN=server, E=cigant at yahoo.com.cn'
000 Issuer 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction,
E=cigant at yahoo.com.cn'
000
000 List of X.509 End Certificates:
000
000 Jul 26 13:40:42 2005, count: 2
000 subject: 'C=cn, ST=china, L=hangzhou, O=junction, OU=server, CN=server,
E=cigant at yahoo.com.cn'
000 issuer: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction,
E=cigant at yahoo.com.cn'
000 serial: 03
000 pubkey: 1024 RSA Key AwEAAaaei, has private key
000 validity: not before May 12 14:43:12 2005 ok
000 not after May 12 14:43:12 2006 ok
000 subjkey: eb:b1:a3:7f:2e:cb:69:da:0c:b0:5a:0f:a9:c9:a4:5f:b9:e8:ab:f8
000 authkey: c3:b5:b7:c0:2b:6e:15:cc:9e:15:8c:6f:5f:bf:70:6d:e0:ad:6b:bd
000 aserial: 00
000
000 List of X.509 CA Certificates:
000
000 Jul 26 13:40:41 2005, count: 1
000 subject: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction,
E=cigant at yahoo.com.cn'
000 issuer: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction,
E=cigant at yahoo.com.cn'
000 serial: 00
000 pubkey: 1024 RSA Key AwEAAcrMM
000 validity: not before May 12 14:26:24 2005 ok
000 not after May 12 14:26:24 2006 ok
000 subjkey: c3:b5:b7:c0:2b:6e:15:cc:9e:15:8c:6f:5f:bf:70:6d:e0:ad:6b:bd
000 authkey: c3:b5:b7:c0:2b:6e:15:cc:9e:15:8c:6f:5f:bf:70:6d:e0:ad:6b:bd
000 aserial: 00
000
000 List of X.509 CRLs:
000
000 Jul 26 13:40:41 2005, revoked certs: 0
000 issuer: 'C=cn, ST=china, L=hangzhou, O=junction, OU=soft1, CN=junction,
E=cigant at yahoo.com.cn'
000 updates: this May 12 14:30:04 2005
000 next Jun 11 14:30:04 2005 warning (expired)
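An added example, not Openswan's code and not part of the original post, showing two checks a practitioner makes when pluto reports "no suitable connection for peer" with X.509 authentication: whether a rightid written in OpenSSL's slash form matches the DN pluto prints in comma form (the log above shows match_id comparing a=... with b=... and reporting "results fail" or "results matched"), and whether the local host actually holds a private key for a loaded end certificate (in the `ipsec auto --listall` output above, gw2's server certificate is marked "has private key" while gw1's joshua certificate carries no such marker, and gw1's log ends with "started looking for secret for ... CN=joshua ... of kind PPK_RSA" just before the failure). The script parses the `--listall` and ipsec.conf text as it appears in the post, mail-wrapped lines included; the parsing rules, the case-insensitive DN comparison and the sample texts are assumptions constructed from the listings above, not Openswan's own parser.

```python
"""Added example (not Openswan's code): check the X.509 identities of an Openswan
setup from its ipsec.conf and its `ipsec auto --listall` output.  The sample texts
are constructed, abridged from the post's listings; the parsing rules are assumptions."""
import re

ALIASES = {"emailaddress": "e", "email": "e"}  # OpenSSL's 'emailAddress' is pluto's 'E'

def parse_dn(dn):
    """'/C=cn/ST=.../emailAddress=x' (OpenSSL slash form) or 'C=cn, ST=..., E=x'
    (the comma form pluto logs) -> [(type, value)], lower-cased.  No escaping support."""
    dn = dn.strip()
    parts = dn.strip("/").split("/") if dn.startswith("/") else dn.split(",")
    rdns = []
    for part in parts:
        attr, eq, value = part.partition("=")
        if not eq:
            raise ValueError(f"malformed RDN {part!r}")
        attr = attr.strip().lower()
        rdns.append((ALIASES.get(attr, attr), value.strip().lower()))
    return rdns

def same_dn(a, b):
    """RDN-by-RDN, case-insensitive comparison (assumed to mirror pluto's match_dn)."""
    return parse_dn(a) == parse_dn(b)

def parse_end_certs(listall):
    """Subject and private-key flag of every entry under 'List of X.509 End Certificates'.
    Lines start with '000'; one without it is a mail-wrapped continuation (as in the post)."""
    lines = []
    for line in listall.splitlines():
        if line.startswith("000"):
            lines.append(line[3:].strip())
        elif lines:
            lines[-1] += " " + line.strip()
    certs, active, cur = [], False, None
    for line in lines:
        if line.startswith("List of"):
            active = line == "List of X.509 End Certificates:"
        elif active and re.match(r"\w{3} +\d+ \d\d:\d\d:\d\d \d{4}, count:", line):
            cur = {"subject": None, "has_private_key": False}
            certs.append(cur)
        elif active and cur is not None:
            if line.startswith("subject: '"):
                cur["subject"] = line[len("subject: '"):].rstrip("'")
            elif line.startswith("pubkey:"):
                cur["has_private_key"] = "has private key" in line
    return certs

def parse_ipsec_conf(text):
    """conn sections as {name: {key: value}} with 'conn %default' folded in; a quoted
    value may be wrapped over several lines, as the rightid is in the post."""
    secs, cur, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending:                                   # inside a wrapped "..." value
            pending[1].append(line)
            if line.endswith('"'):
                secs[cur][pending[0]] = " ".join(pending[1]).strip('" ')
                pending = None
        elif line.startswith(("conn ", "config ")):
            cur = line.split(None, 1)[1]
            secs.setdefault(cur, {})
        elif "=" in line and cur and not line.startswith("#"):
            key, value = (s.strip() for s in line.split("=", 1))
            if value.startswith('"') and not value.endswith('"', 1):
                pending = (key, [value])              # opening quote, close not yet seen
            else:
                secs[cur][key] = value.strip('"')
    default = secs.pop("%default", {})
    return {n: {**default, **s} for n, s in secs.items() if n != "setup"}

def diagnose(conf_text, listall, peer_subjects=()):
    """Per conn: does this host hold a private key for a loaded end certificate (needed
    with authby=rsasig and leftrsasigkey=%cert), and which of the given peer certificate
    subjects would its rightid accept?  Without a rightid pluto only checks the CA chain
    (the post's log shows 'b=(none)' followed by 'results matched')."""
    has_key = any(c["has_private_key"] for c in parse_end_certs(listall))
    report = {}
    for name, conn in parse_ipsec_conf(conf_text).items():
        rid = conn.get("rightid")
        report[name] = {"local_has_private_key": has_key, "rightid": rid,
                        "accepted_peers": [s for s in peer_subjects if rid and same_dn(rid, s)]}
    return report

# Constructed samples, abridged from the post's gw1 and gw2 listings.
JOSHUA = "C=cn, ST=china, L=shanghai, O=junction, OU=soft2, CN=joshua, E=joshua at socix.com"
SERVER = "C=cn, ST=china, L=hangzhou, O=junction, OU=server, CN=server, E=cigant at yahoo.com.cn"
DEFAULT = "conn %default\n    authby=rsasig\n    leftrsasigkey=%cert\n    leftcert=server.crt\n"
GW1_CONF = DEFAULT + "conn road-conn\n    right=%any\n    leftsubnet=192.168.0.0/24\n"
GW2_CONF = DEFAULT + ('conn foo\n    right=202.106.1.1\n    rightid="\n'
                      "/C=cn/ST=china/L=shanghai/O=junction/OU=soft2/CN=joshua/emailAddress=joshua at socix.com\n"
                      '"\n')
GW1_LISTALL = ("000 List of X.509 End Certificates:\n000\n000 Jul 26 13:49:52 2005, count: 2\n"
               "000 subject: 'C=cn, ST=china, L=shanghai, O=junction, OU=soft2, CN=joshua,\n"
               "E=joshua at socix.com'\n000 pubkey: 1024 RSA Key AwEAAdNa1\n"
               "000 List of X.509 CA Certificates:\n000 Jul 26 13:49:52 2005, count: 1\n")
GW2_LISTALL = ("000 List of X.509 End Certificates:\n000 Jul 26 13:40:42 2005, count: 2\n"
               "000 subject: 'C=cn, ST=china, L=hangzhou, O=junction, OU=server, CN=server,\n"
               "E=cigant at yahoo.com.cn'\n000 pubkey: 1024 RSA Key AwEAAaaei, has private key\n")
```

Running `diagnose(GW1_CONF, GW1_LISTALL, [JOSHUA, SERVER])` reports road-conn with no rightid and no local private key, while the gw2 sample reports conn foo with a local private key and the joshua DN as the only accepted peer; the slash-form rightid and pluto's comma-form DN compare equal only after the emailAddress/E alias is normalised.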