[Openswan Users] certificate failing

Bob Miller bob at computerisms.ca
Mon Nov 28 07:48:59 CET 2005


Hello:
Trying to set up a basic IPsec tunnel using X.509 certificates across the internet using two Linux boxes running Openswan. All appears to be good as far as communication goes; the two computers bounce information back and forth and I can watch that fine in the logs. But then, when it comes time to send certificates, that is when things fail. It seems to fail on both sides the same, as I have seen this in both sets of logs...
It occurs to me I may have set things up wrong. I followed Nate Carlson's page at first, then another, and both times when I created the certificates, I ended up with three files: newreq.pem, newkey.pem, and newcert.pem. According to the instructions, newreq is the private key and newcert is the certificate; put them in their spot and they should work - no mention of the third file. For me, I got problems doing that, errors about the private key, so using newkey instead of newreq as the private key fixed that. But I admit I don't really understand why what I see is different from what the instructions imply. Perhaps this is related, but I kind of don't think so. Also, I have my CA behind one of the firewalls, so if communication between the CA and the computer that wants to check is necessary, I would think one would succeed and one would fail, not both fail. I don't think that communication is necessary, but it seems like a reasonable thing to consider.
Here is an excerpt from the log where it fails out:


Nov 27 18:11:05 megareporting pluto[19068]: | certificate signature (C=CA, ST=Yukon, O=Computerisms, CN=Bob Miller, E=bob at computerisms.ca -> C=CA, ST=Yukon, O=Computerisms, CN=Bob Miller, E=bob at computerisms.ca) is valid
Nov 27 18:11:05 megareporting pluto[19068]: | reached self-signed root ca
Nov 27 18:11:05 megareporting pluto[19068]: | Public key validated
Nov 27 18:11:05 megareporting pluto[19068]: | unreference key: 0x8147450 C=CA, ST=Yukon, L=Whitehorse, O=Computerisms, CN=Bob Miller, E=bob at computerisms.ca cnt 1--
Nov 27 18:11:06 megareporting pluto[19068]: | CR
Nov 27 18:11:06 megareporting pluto[19068]: | requested CA: '%any'
Nov 27 18:11:06 megareporting pluto[19068]: | refine_connection: starting with gate.to.mega
Nov 27 18:11:06 megareporting pluto[19068]: |    match_id a=C=CA, ST=Yukon, L=Whitehorse, O=Computerisms, CN=Bob Miller, E=bob at computerisms.ca
Nov 27 18:11:06 megareporting pluto[19068]: |             b=207.189.252.14
Nov 27 18:11:06 megareporting pluto[19068]: |    results  fail
Nov 27 18:11:06 megareporting pluto[19068]: |   trusted_ca called with a=C=CA, ST=Yukon, O=Computerisms, CN=Bob Miller, E=bob at computerisms.ca b=(empty)
Nov 27 18:11:06 megareporting pluto[19068]: | refine_connection: checking gate.to.mega against gate.to.mega, best=(none) with match=0(id=0/ca=1/reqca=1)
Nov 27 18:11:06 megareporting pluto[19068]: | find_host_pair: comparing to 199.247.237.224:500 207.189.252.14:500
Nov 27 18:11:06 megareporting pluto[19068]: | find_host_pair_conn (refine_host_connection): 199.247.237.224:500 %any:500 -> hp:none
Nov 27 18:11:06 megareporting pluto[19068]: "gate.to.mega" #391: no suitable connection for peer 'C=CA, ST=Yukon, L=Whitehorse, O=Computerisms, CN=Bob Miller, E=bob@computerisms.ca'
Nov 27 18:11:06 megareporting pluto[19068]: | complete state transition with (null)
Nov 27 18:11:06 megareporting pluto[19068]: "gate.to.mega" #391: sending encrypted notification INVALID_ID_INFORMATION to 207.189.252.14:500


From this, it appears to be the value of b that is conflicting, but I am not sure how to rectify that, or where it takes that value from. Can anyone give me a hint as to what I missed here? Or even better, point me at some documentation that will explain how/why this happened?
Your time is much appreciated :)
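An added example, not part of the post and not Openswan code: a small Python helper that reads the `match_id a=... / b=... / results` triple from pluto's debug output and says what kind of ID each side is. It assumes (an assumption, not something the post states) that `a=` is the ID the peer asserted, here its certificate's subject DN, and `b=` is the ID configured for that peer in ipsec.conf (`leftid`/`rightid`), which falls back to the peer's IP address when unset. The sample lines are taken from the post with the archive's wrapping undone and the `E=` value written as a plain address; the `dn_match` function is a simplified model of attribute-wise DN comparison, not pluto's exact rules.

```python
"""Spot an ID-type mismatch in Openswan/pluto 'match_id' debug lines.

Hypothetical helper written for this thread; it is not Openswan code.
Assumption: in pluto's refine_connection debug output, 'a=' is the ID the
peer asserted (here the subject DN of its certificate) and 'b=' is the ID
configured for that peer in ipsec.conf (leftid/rightid, defaulting to the
peer's IP address when unset).
"""
import ipaddress
import re

# Constructed sample: the three relevant lines from the post, re-joined
# after the 80-column wrapping of the list archive; the E= value is written
# as a plain address (the archive rewrites '@' as ' at ').
SAMPLE_LOG = """\
Nov 27 18:11:06 megareporting pluto[19068]: |    match_id a=C=CA, ST=Yukon, L=Whitehorse, O=Computerisms, CN=Bob Miller, E=bob@computerisms.ca
Nov 27 18:11:06 megareporting pluto[19068]: |             b=207.189.252.14
Nov 27 18:11:06 megareporting pluto[19068]: |    results  fail
"""

MATCH_A = re.compile(r"\|\s+match_id a=(.*)$")
MATCH_B = re.compile(r"\|\s+b=(.*)$")
MATCH_RESULT = re.compile(r"\|\s+results\s+(\w+)")


def parse_dn(dn):
    """Split 'C=CA, ST=Yukon, ...' into an ordered list of (attr, value).

    Simplification: values containing a literal comma are not handled.
    """
    parts = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not attr or not sep:
            raise ValueError("not an RDN: %r" % rdn)
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def id_kind(value):
    """Classify an ID as 'ip', 'dn' or 'other' (FQDN, user@FQDN, ...)."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    try:
        parse_dn(value)
        return "dn"
    except ValueError:
        return "other"


def dn_match(dn_a, dn_b):
    """Attribute-by-attribute DN comparison; '*' in dn_b wildcards a value.

    A simplified model of pluto's match_dn, not its exact rules: the two DNs
    must have the same attributes in the same order.
    """
    a, b = parse_dn(dn_a), parse_dn(dn_b)
    if len(a) != len(b):
        return False
    for (attr_a, val_a), (attr_b, val_b) in zip(a, b):
        if attr_a != attr_b:
            return False
        if val_b != "*" and val_a.lower() != val_b.lower():
            return False
    return True


def extract_match_ids(log):
    """Pair each 'match_id a=' line with its following 'b=' and 'results' lines."""
    entries, current = [], None
    for line in log.splitlines():
        m = MATCH_A.search(line)
        if m:
            current = {"peer": m.group(1).strip(), "ours": None, "result": None}
            entries.append(current)
            continue
        if current is None:
            continue
        m = MATCH_B.search(line)
        if m and current["ours"] is None:
            current["ours"] = m.group(1).strip()
            continue
        m = MATCH_RESULT.search(line)
        if m:
            current["result"] = m.group(1)
            current = None  # triple complete; wait for the next match_id
    return entries


def diagnose(entry):
    """Explain a failed match and suggest the ipsec.conf ID that would match."""
    peer, ours = entry["peer"], entry["ours"]
    if entry["result"] != "fail":
        return "match succeeded; nothing to fix"
    kinds = (id_kind(peer), id_kind(ours))
    if kinds == ("dn", "ip"):
        return ("peer asserted a certificate DN but the connection's ID for "
                "it is an IP address; set the peer side's ID to the DN, e.g. "
                'rightid="%s"' % peer)
    if kinds == ("dn", "dn") and not dn_match(peer, ours):
        return "both IDs are DNs but differ attribute by attribute: %r vs %r" % (peer, ours)
    return "ID types %s vs %s do not match" % kinds


if __name__ == "__main__":
    for entry in extract_match_ids(SAMPLE_LOG):
        print(diagnose(entry))
```

Run against the sample it reports a DN-versus-IP mismatch and prints the `rightid=` line built from the peer's subject DN. Note that the `trusted_ca` line in the post carries the issuer DN, which has no `L=` attribute, so a `dn_match` of the two DNs from the log fails on length alone; that is expected, since the CA's name is compared by a different path (`ca=1` in the `match=` summary) than the peer ID (`id=0`).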

