[Openswan Users] Help with certificates (Please, oh pretty please)
Don Himelrick
dch at fidlar.com
Tue Nov 15 12:36:08 CET 2005
Trying to set up an l2tp/ipsec tunnel, I've followed Nate Carlson's and
Jacco's Howtos and my windows boxes still give me an "Error 786: No
valid machine certificate is on your computer for security
authorization."
Can anyone help me on debugging this? Thanks!
Here are a few things that you should know:
- Windows 2k and XP built-in clients are over dial-up modem.
- openswan-2.3.1-2 server on Fedora Core 4 box (which is firewall for my internal network).
- PSKs work fine, but I have road warriors with dynamic IPs.
- FC4 generates a default 2192 bit (raw?) hostkey which is included by /etc/ipsec.secrets from /etc/ipsec.d/hostkey.secrets
- I created my own CA and generated and signed my own certificates (with subjectAltName DNS:) according to the howto and put them in /etc/ipsec.d/ subdirectories.
- /var/log/secure shows all of my .pem and .key files loading correctly.
- windows mmc indicates that windows "does not have enough information to authenticate the certificate" that I installed, but that it does have a private key associated with it.
- From the howtos, I am unclear if editing the windows conn's configuration is necessary. It seems from reading that others have just imported the certificate and set up the "new connection" and it works. Not for me :(
I have a full barf that I will post if necessary, but for now, here is
my ipsec conf and secrets file and a few lines from the log...
--------- conf -----------
conn roadwarrior-net
        leftsubnet=10.2.0.0/16
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior
        left=%defaultroute
        leftcert=lyra.fidlardoubleday.biz.pem
        rightca=%same
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes

conn roadwarrior-l2tp
        type=transport
        left=%defaultroute
        leftcert=lyra.fidlardoubleday.biz.pem
        rightca=%same
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
        pfs=no
        auto=add

conn roadwarrior-l2tp-oldwin
        left=%defaultroute
        leftcert=lyra.fidlardoubleday.biz.pem
        rightca=%same
        leftprotoport=17/0
        right=%any
        rightprotoport=17/1701
        rightsubnet=vhost:%no,%priv
        pfs=no
        auto=add
---------------- secrets -----------------------
: RSA lyra.fidlardoubleday.biz.key "secret_passphrase"
-------------- log file -----------------------
Nov 15 10:39:58 lyra ipsec__plutorun: Starting Pluto subsystem...
Nov 15 10:39:58 lyra pluto[14249]: Starting Pluto (Openswan Version 2.3.1 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEExalF{_o`m)
Nov 15 10:39:58 lyra pluto[14249]: Setting port floating to on
Nov 15 10:39:58 lyra pluto[14249]: port floating activate 1/1
Nov 15 10:39:58 lyra pluto[14249]: including NAT-Traversal patch (Version 0.6c)
Nov 15 10:39:58 lyra pluto[14249]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 15 10:39:58 lyra pluto[14249]: starting up 1 cryptographic helpers
Nov 15 10:39:59 lyra pluto[14249]: started helper pid=14254 (fd:5)
Nov 15 10:39:59 lyra pluto[14249]: Using Linux 2.6 IPsec interface code
Nov 15 10:39:59 lyra pluto[14249]: Changing to directory '/etc/ipsec.d/cacerts'
Nov 15 10:39:59 lyra pluto[14249]: loaded CA cert file 'cacert.pem' (1261 bytes)
Nov 15 10:39:59 lyra pluto[14249]: Could not change to directory '/etc/ipsec.d/aacerts'
Nov 15 10:39:59 lyra pluto[14249]: Could not change to directory '/etc/ipsec.d/ocspcerts'
Nov 15 10:39:59 lyra pluto[14249]: Changing to directory '/etc/ipsec.d/crls'
Nov 15 10:39:59 lyra pluto[14249]: loaded crl file 'crl.pem' (503 bytes)
Nov 15 10:40:00 lyra pluto[14249]: loaded host cert file '/etc/ipsec.d/certs/lyra.fidlardoubleday.biz.pem' (3771 bytes)
Nov 15 10:40:00 lyra pluto[14249]: added connection description "roadwarrior-l2tp"
Nov 15 10:40:00 lyra pluto[14249]: loaded host cert file '/etc/ipsec.d/certs/lyra.fidlardoubleday.biz.pem' (3771 bytes)
Nov 15 10:40:00 lyra pluto[14249]: added connection description "roadwarrior"
Nov 15 10:40:00 lyra pluto[14249]: loaded host cert file '/etc/ipsec.d/certs/lyra.fidlardoubleday.biz.pem' (3771 bytes)
Nov 15 10:40:00 lyra pluto[14249]: added connection description "roadwarrior-all"
Nov 15 10:40:00 lyra pluto[14249]: loaded host cert file '/etc/ipsec.d/certs/lyra.fidlardoubleday.biz.pem' (3771 bytes)
Nov 15 10:40:00 lyra pluto[14249]: added connection description "roadwarrior-l2tp-oldwin"
Nov 15 10:40:00 lyra pluto[14249]: loaded host cert file '/etc/ipsec.d/certs/lyra.fidlardoubleday.biz.pem' (3771 bytes)
Nov 15 10:40:00 lyra pluto[14249]: added connection description "roadwarrior-net"
Nov 15 10:40:00 lyra pluto[14249]: listening for IKE messages
Nov 15 10:40:00 lyra pluto[14249]: adding interface eth1/eth1 208.178.38.164:500
Nov 15 10:40:00 lyra pluto[14249]: adding interface eth1/eth1 208.178.38.164:4500
Nov 15 10:40:00 lyra pluto[14249]: adding interface eth0/eth0 10.2.0.3:500
Nov 15 10:40:00 lyra pluto[14249]: adding interface eth0/eth0 10.2.0.3:4500
Nov 15 10:40:00 lyra pluto[14249]: adding interface lo/lo 127.0.0.1:500
Nov 15 10:40:00 lyra pluto[14249]: adding interface lo/lo 127.0.0.1:4500
Nov 15 10:40:00 lyra pluto[14249]: adding interface lo/lo ::1:500
Nov 15 10:40:00 lyra pluto[14249]: loading secrets from "/etc/ipsec.secrets"
Nov 15 10:40:00 lyra pluto[14249]: loading secrets from "/etc/ipsec.d/psk_host2host.secrets"
Nov 15 10:40:00 lyra pluto[14249]: loaded private key file '/etc/ipsec.d/private/lyra.fidlardoubleday.biz.key' (1720 bytes)
Nov 15 10:41:10 lyra pluto[14249]: packet from 4.225.247.75:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Nov 15 10:41:10 lyra pluto[14249]: packet from 4.225.247.75:500: ignoring Vendor ID payload [FRAGMENTATION]
Nov 15 10:41:10 lyra pluto[14249]: packet from 4.225.247.75:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Nov 15 10:41:10 lyra pluto[14249]: packet from 4.225.247.75:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Nov 15 10:41:10 lyra pluto[14249]: "roadwarrior-l2tp"[1] 4.225.247.75 #1: responding to Main Mode from unknown peer 4.225.247.75
Nov 15 10:41:10 lyra pluto[14249]: "roadwarrior-l2tp"[1] 4.225.247.75 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 15 10:41:11 lyra pluto[14249]: "roadwarrior-l2tp"[1] 4.225.247.75 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Nov 15 10:41:11 lyra pluto[14249]: "roadwarrior-l2tp"[1] 4.225.247.75 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 15 10:41:11 lyra pluto[14249]: "roadwarrior-l2tp"[1] 4.225.247.75 #1: next payload type of ISAKMP Hash Payload has an unknown value: 192
Nov 15 10:41:11 lyra pluto[14249]: "roadwarrior-l2tp"[1] 4.225.247.75 #1: malformed payload in packet
Nov 15 10:41:11 lyra pluto[14249]: "roadwarrior-l2tp"[1] 4.225.247.75 #1: sending notification PAYLOAD_MALFORMED to 4.225.247.75:500
Nov 15 10:41:11 lyra pluto[14249]: "roadwarrior-l2tp"[1] 4.225.247.75 #1: failed to build notification for spisize=0
Nov 15 10:41:11 lyra pluto[14249]: "roadwarrior-l2tp"[1] 4.225.247.75 #1: next payload type of ISAKMP Hash Payload has an unknown value: 124
Nov 15 10:41:11 lyra pluto[14249]: "roadwarrior-l2tp"[1] 4.225.247.75 #1: malformed payload in packet
Nov 15 10:42:21 lyra pluto[14249]: "roadwarrior-l2tp"[1] 4.225.247.75 #1: max number of retransmissions (2) reached STATE_MAIN_R2
Nov 15 10:42:21 lyra pluto[14249]: "roadwarrior-l2tp"[1] 4.225.247.75: deleting connection "roadwarrior-l2tp" instance with peer 4.225.247.75 {isakmp=#0/ipsec=#0}
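Added example, not part of the post or of Openswan: a small Python triage of Pluto log lines in the format quoted above. It groups lines by connection and peer, records the last Main Mode state reached and any parse errors, and reports how far each exchange got. The 4.225.247.75 lines are copied from the log above; the 192.0.2.7 lines are constructed to show what a completed exchange looks like.

```python
import re
from collections import defaultdict

# Sample input: the 4.225.247.75 lines are copied from the log in the post; the
# 192.0.2.7 lines are constructed to show what a completed exchange looks like.
SAMPLE_LOG = """\
Nov 15 10:41:10 lyra pluto[14249]: "roadwarrior-l2tp"[1] 4.225.247.75 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 15 10:41:11 lyra pluto[14249]: "roadwarrior-l2tp"[1] 4.225.247.75 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 15 10:41:11 lyra pluto[14249]: "roadwarrior-l2tp"[1] 4.225.247.75 #1: next payload type of ISAKMP Hash Payload has an unknown value: 192
Nov 15 10:41:11 lyra pluto[14249]: "roadwarrior-l2tp"[1] 4.225.247.75 #1: malformed payload in packet
Nov 15 10:42:21 lyra pluto[14249]: "roadwarrior-l2tp"[1] 4.225.247.75 #1: max number of retransmissions (2) reached STATE_MAIN_R2
Nov 15 10:42:21 lyra pluto[14249]: "roadwarrior-l2tp"[1] 4.225.247.75: deleting connection "roadwarrior-l2tp" instance with peer 4.225.247.75 {isakmp=#0/ipsec=#0}
Nov 15 11:02:00 lyra pluto[14249]: "roadwarrior-l2tp"[2] 192.0.2.7 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 15 11:02:01 lyra pluto[14249]: "roadwarrior-l2tp"[2] 192.0.2.7 #4: IPsec SA established
"""

# One Pluto line: timestamp, host, pluto[pid], "conn"[instance] peer [#sa]: message
LINE_RE = re.compile(
    r'^\w{3} +\d+ \d\d:\d\d:\d\d \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>[\d.]+)(?: #\d+)?: (?P<msg>.*)$')
STATE_RE = re.compile(r'transition from state \S+ to state (?P<to>STATE_\w+)')

def triage(log_text):
    """Group Pluto lines by (conn, peer) and record how far each exchange got."""
    peers = defaultdict(lambda: {"last_state": None, "errors": [], "outcome": "no exchange"})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # startup, interface and secrets-loading lines carry no peer
        rec = peers[(m["conn"], m["peer"])]
        msg = m["msg"]
        s = STATE_RE.search(msg)
        if s:
            rec["last_state"] = s["to"]
        if "malformed payload" in msg or "unknown value" in msg:
            rec["errors"].append(msg)
        if "IPsec SA established" in msg:
            rec["outcome"] = "tunnel up"
        elif "max number of retransmissions" in msg:
            rec["outcome"] = "timed out in %s" % rec["last_state"]
    return dict(peers)

def explain(rec):
    """Plain-language reading of one peer record (IKEv1 Main Mode, responder side)."""
    if rec["outcome"] == "tunnel up":
        return "Phase 1 and Phase 2 completed"
    if rec["last_state"] == "STATE_MAIN_R2" and rec["errors"]:
        # STATE_MAIN_R2: the responder has sent Main Mode message 4 and is waiting
        # for the client's encrypted ID/authentication message; none was parseable.
        return "stalled after Main Mode message 4: client's ID/auth message unreadable"
    return "%s, last state %s" % (rec["outcome"], rec["last_state"])
```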