[Openswan Users] certificate match failing

bob at computerisms.ca bob at computerisms.ca
Tue Nov 29 14:26:11 CET 2005


Hi:
I posted a day or so ago, regarding the fact that my certificates seem to
be failing when they are exchanged in an attempt to bring up my ipsec
tunnel.  I have gone back and reread all the documentation I started with,
and also I have read some additional documentation, so I now believe I
have a better understanding of how certificates work.  I then re-set up my
whole CA, created new certificates, and adjusted my ipsec.conf and
ipsec.secrets accordingly.  When I do ipsec auto --listcerts, I get what I
expect to see: the private key, and the certificate looks ok.  Of course it
may be a false assumption on my part, as I don't really know if what I
expect to see is what everyone else would expect to see.  I have scoured
the logs, to the point where I have deciphered almost everything I see,
and I am quite certain I have the problem event pinned down, even if I
can't seem to interpret it well enough to solve it.
Here is the event where it all fails, and begins over again at state MI3:

Nov 29 12:01:19 megareporting pluto[21388]: | requested CA: '%any'
Nov 29 12:01:19 megareporting pluto[21388]: | refine_connection: starting with gate.to.mega
Nov 29 12:01:19 megareporting pluto[21388]: |    match_id a=C=CA, ST=Yukon, L=Whitehorse, O=Computerisms, OU=NetworkAdministration, CN=gatelian.computerisms.ca, E=bob at computerisms.ca
Nov 29 12:01:19 megareporting pluto[21388]: |             b=207.189.252.14
Nov 29 12:01:19 megareporting pluto[21388]: |    results  fail
Nov 29 12:01:19 megareporting pluto[21388]: |   trusted_ca called with a=C=CA, ST=Yukon, O=Computerisms, OU=NetworkAdministration, CN=ComputerismsRootCertificate, E=bob at computerisms.ca b=(empty)

Obviously, the problem is in the matching b entry: one is empty, and one
is an IP address, therefore the certs do not match, and they fail.  This is
a good thing, it means security is working...
So, do I have an ipsec configuration problem, or a certificate problem?  I
can't find any reference to this mysterious b value in the man pages or in
online documentation; I am not sure if it takes its value from dns, or
ifconfig, or from a configuration setting elsewhere.  Is it a setting
pluto is reading from an environment variable, or is it something pluto
should be able to pull right from the cacert?  Maybe I have not configured
IPsec to use the certs correctly?  Maybe my certs have been incorrectly
created?  Perhaps the cacert is the problem; it is, after all, the one
reporting the empty value for b.  Is there an additional configuration I
need to make to my root certificate to give it that b value?
Other details that may be relevant: my CA is a different computer than
either of the firewalls, and whichever firewall sends the cert, the other
fails with the exact same output in the logs.  One firewall will not
--listcerts until the connection is --up, the other firewall does
--listcerts after the connection is --added.  My Root cert has:
X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
and I suspect this should be TRUE, but nothing in any of the many
documents I have read mentions this.  Other docs I have read, though, make me
question this.
I understand that there may be no "fix" for my problem, but if anyone
would take the time to think out loud in my direction, I would very much
appreciate that...
thanks

my ipsec.conf, if any other info would be useful please say so:
config setup
        interfaces="ipsec0=eth0"
        plutodebug="all"
        klipsdebug="all"
        # nat_traversal=yes
        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12


conn gate.to.mega
        authby=rsasig
        left=207.189.252.14
        leftsubnet=192.168.25.0/24
        leftnexthop=207.189.252.13
        # leftrsasigkey=%cert
        right=199.247.237.224
        rightsubnet=192.168.100.0/24
        rightnexthop=199.247.237.1
        rightrsasigkey=%cert
        rightcert=megareporting.computerisms.ca.pem
        # auto=start


include /etc/ipsec.d/examples/no_oe.conf
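Added example (not part of the original post, and not Openswan's own code): a small Python script that re-creates the identity comparison the debug trace above shows failing, so the mismatch can be reasoned about offline. It assumes, as a reading of the log rather than a fact checked against the pluto source, that in the `match_id a=... b=...` line a= is the identity taken from the peer's certificate and b= is the identity the connection expects for that peer, which falls back to the peer's IP address when no leftid/rightid is configured. The sample inputs are constructed from the two wrapped debug lines and the Basic Constraints excerpt in the post; `PeerId`, `parse_id`, `parse_dn`, `ids_match`, `diagnose` and `is_ca_certificate` are names chosen for this example.

```python
"""Added example: reproduce an IPsec peer-ID comparison of the kind shown in
the pluto debug trace, and check a root certificate's Basic Constraints.

Assumption (not verified against the Openswan source): a= is the identity
presented in the peer's certificate, b= is the identity the connection
expects for that peer (an IP address when no leftid/rightid is set).
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PeerId:
    kind: str    # "any", "none", "ipv4" or "dn"
    value: str


def parse_id(text: str) -> PeerId:
    """Classify an identity string as the %any wildcard, empty, IPv4 or DN."""
    text = text.strip()
    if text in ("", "(empty)"):
        return PeerId("none", "")
    if text == "%any":
        return PeerId("any", "")
    try:
        ipaddress.IPv4Address(text)
        return PeerId("ipv4", text)
    except ValueError:
        return PeerId("dn", text)


def parse_dn(dn: str) -> tuple:
    """Split 'C=CA, ST=Yukon, ...' into normalised (type, value) pairs.

    Simplification for the example: attribute values that contain escaped
    commas are not handled.
    """
    rdns = []
    for part in dn.split(","):
        attr, _, val = part.strip().partition("=")
        if attr:
            rdns.append((attr.strip().upper(), " ".join(val.split()).lower()))
    return tuple(rdns)


def ids_match(expected: PeerId, presented: PeerId) -> bool:
    """Exact-type comparison: an IP identity can never equal a DN identity."""
    if expected.kind == "any":
        return True
    if expected.kind != presented.kind:
        return False          # the situation in the trace: dn vs. ipv4
    if expected.kind == "dn":
        return parse_dn(expected.value) == parse_dn(presented.value)
    return expected.value == presented.value


MATCH_RE = re.compile(r"match_id a=(?P<a>.*?)\s+b=(?P<b>\S*)\s*$")


def diagnose(log_line: str) -> dict:
    """Pull a= and b= out of a joined 'match_id' debug line and compare them."""
    m = MATCH_RE.search(log_line)
    if not m:
        raise ValueError("not a match_id line")
    presented, expected = parse_id(m["a"]), parse_id(m["b"])
    return {"presented": presented.kind,
            "expected": expected.kind,
            "match": ids_match(expected, presented)}


def is_ca_certificate(x509_text: str) -> bool:
    """True when 'openssl x509 -text' style output carries CA:TRUE in
    Basic Constraints, which a root certificate needs to serve as a trust
    anchor (the post's root cert shows CA:FALSE)."""
    return re.search(r"X509v3 Basic Constraints:[^\n]*\n\s*CA:TRUE",
                     x509_text) is not None


# Constructed from the post: the two wrapped debug lines joined back together.
GATE_DN = ("C=CA, ST=Yukon, L=Whitehorse, O=Computerisms, "
           "OU=NetworkAdministration, CN=gatelian.computerisms.ca, "
           "E=bob at computerisms.ca")
SAMPLE_LINE = "match_id a=" + GATE_DN + " b=207.189.252.14"

# Constructed from the Basic Constraints excerpt in the post.
ROOT_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_LINE))
    # The same DN on both sides, even with different case and spacing, matches.
    print(ids_match(parse_id(GATE_DN), parse_id(GATE_DN.lower())))
    print(is_ca_certificate(ROOT_CERT_TEXT))
```

Running it reports the presented identity as a DN and the expected one as an IPv4 address with no match, which is the shape of the `results fail` line in the trace; the DN-to-DN comparison succeeds, and the Basic Constraints check returns False for the excerpt as posted.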