[Openswan Users] Openswan - Windows native

Toman Arpad dss at sch.bme.hu
Fri Jun 10 22:52:10 CEST 2005


Hi

I have some configuration difficulties. I would appreciate it if someone
could help me.

I am trying to make a transport connection between a Linux box with
Openswan and a Windows machine with the native stack, using certificates.
The CA for this is on the Windows machine. (I was able to sign my request
and get a proper key back - so this is not the problem.)

I read the README.x509 file and found this:
 "rightrsasigkey parameter set to the magic value %cert , signifying that
  the public key will be extracted from a X.509 certificates sent by the
  peer"

So I used it, but it seems to me that in this case it is totally ineffective.
The output said:
 "issuer cacert not found
  X.509 certificate rejected
  we require peer to have ID 'a.b.c.d', but peer declares 'CN=k.l.m.n'"

OK, I thought I would change the rightid to CN=k.l.m.n, but as it turned out,
I then need the peer's public key despite the parameter above.
The output said:
 "issuer cacert not found
  X.509 certificate rejected
  no RSA public key known for 'CN=k.l.m.n'"

Config:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        klipsdebug="none"
        plutodebug="none"
        plutostderrlog="/var/log/openswan.log"
        uniqueids="yes"

# add connections here
conn %default
        type="transport"
        authby="rsasig"
        rightrsasigkey="%cert"
        left="e.f.g.h"
        leftcert="a.pub"
        rightca="%same"
        auto="start"

conn k.l.m.n
        right="k.l.m.n"
        rightid="CN=k.l.m.n"

# disable opportunistic encryption
include /etc/ipsec.d/examples/no_oe.conf

Log:

Plutorun started on Fri Jun 10 21:49:29 CEST 2005
Starting Pluto (Openswan Version 2.3.1 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEExalF{_o`m)
Setting port floating to off
port floating activate 0/1
  including NAT-Traversal patch (Version 0.6c) [disabled]
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
starting up 1 cryptographic helpers
started helper pid=1654 (fd:4)
Using Linux 2.6 IPsec interface code
Changing to directory '/etc/ipsec.d/cacerts'
  loaded CA cert file 'k.ca.cert' (1301 bytes)
Changing to directory '/etc/ipsec.d/aacerts'
Changing to directory '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
  Warning: empty directory
  loaded host cert file '/etc/ipsec.d/certs/e.pub' (2182 bytes)
added connection description "k.l.m.n"
listening for IKE messages
adding interface lo/lo 127.0.0.1:500
adding interface eth0/eth0 152.66.208.63:500
loading secrets from "/etc/ipsec.secrets"
  loaded private key file '/etc/ipsec.d/private/e.prv' (963 bytes)
"k.l.m.n" #1: initiating Main Mode
"k.l.m.n" #1: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
"k.l.m.n" #1: ignoring Vendor ID payload [FRAGMENTATION]
"k.l.m.n" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
"k.l.m.n" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
"k.l.m.n" #1: I am sending my cert
"k.l.m.n" #1: I am sending a certificate request
"k.l.m.n" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
"k.l.m.n" #1: Main mode peer ID is ID_DER_ASN1_DN: 'CN=k.l.m.n'
"k.l.m.n" #1: issuer cacert not found
"k.l.m.n" #1: X.509 certificate rejected
"k.l.m.n" #1: no RSA public key known for 'CN=k.l.m.n'
"k.l.m.n" #1: sending encrypted notification INVALID_KEY_INFORMATION to k.l.m.n:500
"k.l.m.n" #1: failed to build notification for spisize=0

Bye