[Openswan Users] one side config problem
david
david2005.p at gmail.com
Mon Jun 13 15:02:20 CEST 2005
--------------------------------------------------------------------------------
hi all,
I have a config problem on only one side of my VPN. This mail is not the first one about it, and it is quite long, sorry :(
With the following config, the VPN from userA ==============> userB comes up:
---------------------------------userB ipsec.conf---------------
config setup
        klipsdebug=none
        plutodebug=all
        crlcheckinterval=600

conn %default
        keyingtries=0
        authby=rsasig

conn testvpnda
        left=195.212.109.202
        leftcert=user01desuri.crt
        right=%any
        auto=add
---------------------------------------------------------
---------------------------------userA ipsec.conf---------------
config setup
        klipsdebug=none
        plutodebug=none
        crlcheckinterval=600

conn %default
        keyingtries=0
        authby=rsasig

conn testvpnda
        left=195.212.109.203
        leftcert=user02desuri.crt
        right=195.212.109.202
        rightid="C=fr, ST=ile-de-france, L=paris, O=toto, CN=user01desuri, E=ngc1976.m42 at caramail.com"
        auto=add
---------------------------------------------------------
BUT when I change conn testvpnda in the userA ipsec.conf file like this
---------------------------------------------------------
conn testvpnda
        left=195.212.109.203
        leftcert=user02desuri.crt
        right=195.212.109.202
        rightcert=user01desuri.crt
        auto=add
---------------------------------------------------------
or
---------------------------------------------------------
conn testvpnda
        left=195.212.109.203
        leftcert=user02desuri.crt
        right=195.212.109.202
        rightcert=%cert
        auto=add
---------------------------------------------------------
it gives this error on userA:
[root at dhcp203 private]# ipsec auto --up testvpnda
104 "testvpnda" #1: STATE_MAIN_I1: initiate
106 "testvpnda" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "testvpnda" #1: STATE_MAIN_I3: sent MI3, expecting MR3
010 "testvpnda" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "testvpnda" #1: we require peer to have ID '195.212.109.202', but peer declares 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=user01desuri, E=ngc1976.m42 at caramail.com'
218 "testvpnda" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
though I think all certificates load properly:
-------------------listall on userA-----------------
000 List of Public Keys:
000
000 Jun 08 10:39:25 2005, 1024 RSA Key AwEAAeCQ9, until May 26 12:15:11 2006 ok
000        ID_USER_FQDN 'ngc1976.m42 at caramail.com'
000        Issuer 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
000 Jun 08 10:39:25 2005, 1024 RSA Key AwEAAeCQ9, until May 26 12:15:11 2006 ok
000        ID_DER_ASN1_DN 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=user01desuri, E=ngc1976.m42 at caramail.com'
000        Issuer 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
000 Jun 08 10:31:07 2005, 1024 RSA Key AwEAAeqR4, until May 25 15:12:27 2006 ok
000        ID_DER_ASN1_DN 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=user02desuri, E=ngc1976.m42 at caramail.com'
000        Issuer 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
000 Jun 08 10:31:03 2005, 2192 RSA Key AQNeVYs83, until --- -- --:--:-- ---- ok (expires never)
000        ID_IPV4_ADDR '195.212.109.204'
000 Jun 08 10:31:03 2005, 2192 RSA Key AQOvVgRGm, until --- -- --:--:-- ---- ok (expires never)
000        ID_IPV4_ADDR '195.212.109.203'
000
000 List of X.509 End Certificates:
000
000 Jun 08 10:31:07 2005, count: 1
000        subject:  'C=fr, ST=ile-de-france, L=paris, O=toto, CN=user02desuri, E=ngc1976.m42 at caramail.com'
000        issuer:   'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
000        serial:    07
000        pubkey:    1024 RSA Key AwEAAeqR4, has private key
000        validity:  not before May 25 15:12:27 2005 ok
000                   not after  May 25 15:12:27 2006 ok
000        subjkey:   a6:0a:2c:41:7b:8b:4d:6d:75:6b:b5:a2:ec:25:95:81:e7:12:d1:bc
000        authkey:   28:99:32:6e:71:23:3d:5d:d8:9a:c2:2a:be:18:bf:98:94:76:29:76
000
000 List of X.509 CA Certificates:
000
000 Jun 08 10:31:02 2005, count: 1
000        subject:  'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
000        issuer:   'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
000        serial:    00
000        pubkey:    1024 RSA Key AwEAAcKtB
000        validity:  not before May 03 13:11:24 2005 ok
000                   not after  May 03 13:11:24 2025 ok
000        subjkey:   28:99:32:6e:71:23:3d:5d:d8:9a:c2:2a:be:18:bf:98:94:76:29:76
-----------------------------------------------------------------------------------
------------------listall on userB ----------------------------
000 List of Public Keys:
000
000 Jun 08 10:39:13 2005, 1024 RSA Key AwEAAeqR4, until Jul 03 15:40:10 2005 ok
000        ID_USER_FQDN 'ngc1976.m42 at caramail.com'
000        Issuer 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
000 Jun 08 10:39:13 2005, 1024 RSA Key AwEAAeqR4, until Jul 03 15:40:10 2005 ok
000        ID_DER_ASN1_DN 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=user02desuri, E=ngc1976.m42 at caramail.com'
000        Issuer 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
000 Jun 08 10:30:52 2005, 1024 RSA Key AwEAAeCQ9, until May 26 12:15:11 2006 ok
000        ID_DER_ASN1_DN 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=user01desuri, E=ngc1976.m42 at caramail.com'
000        Issuer 'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
000 Jun 08 10:30:48 2005, 2192 RSA Key AQO1ealTo, until --- -- --:--:-- ---- ok (expires never)
000        ID_IPV4_ADDR '195.212.109.202'
000 Jun 08 10:30:48 2005, 2192 RSA Key AQNeVYs83, until --- -- --:--:-- ---- ok (expires never)
000        ID_IPV4_ADDR '195.212.109.204'
000
000 List of X.509 End Certificates:
000
000 Jun 08 10:30:52 2005, count: 1
000        subject:  'C=fr, ST=ile-de-france, L=paris, O=toto, CN=user01desuri, E=ngc1976.m42 at caramail.com'
000        issuer:   'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
000        serial:    08
000        pubkey:    1024 RSA Key AwEAAeCQ9, has private key
000        validity:  not before May 26 12:15:11 2005 ok
000                   not after  May 26 12:15:11 2006 ok
000        subjkey:   27:76:38:36:d2:21:47:92:68:2a:58:42:7e:ed:68:86:18:a9:1e:32
000        authkey:   28:99:32:6e:71:23:3d:5d:d8:9a:c2:2a:be:18:bf:98:94:76:29:76
000
000 List of X.509 CA Certificates:
000
000 Jun 08 10:30:48 2005, count: 1
000        subject:  'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
000        issuer:   'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
000        serial:    00
000        pubkey:    1024 RSA Key AwEAAcKtB
000        validity:  not before May 03 13:11:24 2005 ok
000                   not after  May 03 13:11:24 2025 ok
000        subjkey:   28:99:32:6e:71:23:3d:5d:d8:9a:c2:2a:be:18:bf:98:94:76:29:76
000
000 List of X.509 CRLs:
000
000 Jun 08 10:32:23 2005, revoked certs: 2
000        issuer:   'C=fr, ST=ile-de-france, L=paris, O=toto, CN=rootca1024'
000        distPts:  'http://195.212.109.205/ca.crl'
000        updates:   this Jun 03 15:40:10 2005
000                   next Jul 03 15:40:10 2005 ok
------------------------------------------------------------------
Here we can see the CRL, because it is already in memory (downloaded
from the distPts).
So:
Why do I have to specify "rightid" on userA to bring the VPN up?
Why does specifying a certificate with "rightcert" on userA not work?
What should I change in the ipsec.conf files?
Thanks
david
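The log above shows the failing case exactly: the initiator requires the peer ID '195.212.109.202' (the address it was configured with), while the peer declares the subject DN of its certificate, and the configuration that works is the one where rightid is set to precisely that DN. The script below is an added example for this thread; it is not the poster's code and not part of Openswan. It derives the Pluto-style ID string from a certificate subject as `openssl x509 -noout -subject -nameopt RFC2253` prints it (assumed format: reverse attribute order, the short name `emailAddress`, backslash escapes), turns Pluto's "we require peer to have ID ... but peer declares ..." diagnostic into the `rightid=` line to put in ipsec.conf, and checks a configured rightid against the certificate before it is committed. Pluto's DN comparison is approximated here as an attribute-by-attribute, case-insensitive match; the sample subject and log line are constructed from the post, with the archive's " at " written back as "@".

```python
"""Derive a Pluto-style peer ID (rightid=) from a certificate subject and
check it against the ID the peer declared in the IKE exchange.

Added example, not Openswan code. Assumes OpenSSL RFC2253 subject output
and Pluto's forward-order, ', '-separated DN print with 'E=' for emailAddress.
"""
import re

# Attribute short names that differ between OpenSSL and Pluto output.
OPENSSL_TO_PLUTO = {"emailAddress": "E"}

# Pluto's diagnostic when the configured peer ID does not match the ID
# carried in the peer's ISAKMP ID payload (as in the post's log).
ID_MISMATCH = re.compile(
    r"we require peer to have ID '([^']*)', but peer declares '([^']*)'")


def split_rfc2253(dn):
    """Split an RFC 2253 string into (type, value) pairs, honouring
    backslash escapes such as '\\,' inside values ('\\XX' hex escapes that
    OpenSSL emits for non-printable bytes are not handled)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped char: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                         # unescaped comma ends an RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    pairs = []
    for rdn in parts:
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip(), value))
    return pairs


def openssl_subject_to_pluto_id(subject_line):
    """Convert 'subject=emailAddress=..,CN=..,..,C=fr' (RFC2253, reversed)
    into the string Pluto expects in leftid=/rightid=."""
    dn = subject_line[len("subject="):] if subject_line.startswith("subject=") else subject_line
    pairs = split_rfc2253(dn.strip())
    pairs.reverse()   # RFC 2253 is most-specific-first; Pluto prints C= first
    return ", ".join("%s=%s" % (OPENSSL_TO_PLUTO.get(t, t), v) for t, v in pairs)


def parse_pluto_dn(dn):
    """Split a Pluto-formatted DN ('C=fr, ST=..., E=...') into (type, value)
    pairs. Values that themselves contain a comma are not supported here."""
    pairs = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.strip().partition("=")
        pairs.append((attr_type.strip(), value.strip()))
    return pairs


def pluto_dn_equal(a, b):
    """Attribute-wise comparison: same types in the same order, values
    compared case-insensitively (assumed approximation of Pluto's matching)."""
    pa, pb = parse_pluto_dn(a), parse_pluto_dn(b)
    if len(pa) != len(pb):
        return False
    return all(ta == tb and va.lower() == vb.lower()
               for (ta, va), (tb, vb) in zip(pa, pb))


def parse_id_mismatch(log_line):
    """Return (required_id, declared_id) from Pluto's INVALID_ID_INFORMATION
    diagnostic, or None for any other log line."""
    m = ID_MISMATCH.search(log_line)
    return (m.group(1), m.group(2)) if m else None


def suggest_rightid(log_line):
    """Turn the mismatch diagnostic into the ipsec.conf line that makes the
    configured peer ID agree with what the peer actually sends."""
    found = parse_id_mismatch(log_line)
    return None if found is None else 'rightid="%s"' % found[1]


def check_rightid_against_cert(rightid, openssl_subject_line):
    """True if a configured rightid matches the peer certificate's subject:
    the check to run before trusting a rightid= line."""
    return pluto_dn_equal(rightid, openssl_subject_to_pluto_id(openssl_subject_line))


if __name__ == "__main__":
    # Constructed inputs modelled on the post (archive shows '@' as ' at ').
    subject = ("subject=emailAddress=ngc1976.m42@caramail.com,CN=user01desuri,"
               "O=toto,L=paris,ST=ile-de-france,C=fr")
    log = ('003 "testvpnda" #1: we require peer to have ID \'195.212.109.202\', '
           "but peer declares 'C=fr, ST=ile-de-france, L=paris, O=toto, "
           "CN=user01desuri, E=ngc1976.m42@caramail.com'")
    print(openssl_subject_to_pluto_id(subject))
    print(suggest_rightid(log))
    print(check_rightid_against_cert(parse_id_mismatch(log)[1], subject))
```

Feed the script the subject line of the peer's certificate file (user01desuri.crt on userA) and the `003` line from `ipsec auto --up`; if `check_rightid_against_cert` returns False for the ID you configured, the IKE ID payload and the certificate will never agree, regardless of whether the certificate itself loads. The comparison deliberately ignores case only, so a DN that differs in attribute order or in the E= attribute is reported as a mismatch rather than silently accepted.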