[Openswan Users] Site to Site using X.509
Mervyn Yeo
mervyn at asgent-tech.com
Thu Sep 29 18:42:11 CEST 2005
Hi,
I'm trying to establish a site to site connection. During ipsec startup,
left looks fine, but right has 2 lines of error (missing file). The CA is
the left machine. Here are some pastebins:
Right's log during ipsec startup - http://pastebin.com/377542
Left's log during ipsec startup - http://pastebin.com/377568
Config file - http://pastebin.com/377544
Network topology is simple:
192.168.100.0/24 <-> Uzumaki (192.0.2.9) <-> Shukaku (192.0.2.2) <-> 192.168.234.0/24
I've created 2 different certificates and distributed them to Uzumaki
and Shukaku respectively: pem, key, and crl file.
When I try establishing a connection from left (Uzumaki), I get this:
uzumaki ~ # ipsec auto --up u2s
104 "u2s" #1: STATE_MAIN_I1: initiate
003 "u2s" #1: ignoring unknown Vendor ID payload [4f45637944777451505a404f]
003 "u2s" #1: received Vendor ID payload [Dead Peer Detection]
106 "u2s" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "u2s" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "u2s" #1: ignoring informational payload, type INVALID_ID_INFORMATION
003 "u2s" #1: received and ignored informational message
In the logs it shows:
Sep 29 17:35:33 uzumaki pluto[14269]: "u2s" #1: initiating Main Mode
Sep 29 17:35:33 uzumaki pluto[14269]: "u2s" #1: ignoring unknown Vendor ID payload [4f45637944777451505a404f]
Sep 29 17:35:33 uzumaki pluto[14269]: "u2s" #1: received Vendor ID payload [Dead Peer Detection]
Sep 29 17:35:33 uzumaki pluto[14269]: "u2s" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 29 17:35:33 uzumaki pluto[14269]: "u2s" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Sep 29 17:35:33 uzumaki pluto[14269]: "u2s" #1: I am sending my cert
Sep 29 17:35:33 uzumaki pluto[14269]: "u2s" #1: I am sending a certificate request
Sep 29 17:35:33 uzumaki pluto[14269]: "u2s" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 29 17:35:33 uzumaki pluto[14269]: "u2s" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Sep 29 17:35:33 uzumaki pluto[14269]: "u2s" #1: ignoring informational payload, type INVALID_ID_INFORMATION
Sep 29 17:35:33 uzumaki pluto[14269]: "u2s" #1: received and ignored informational message
And the logs on the right (Shukaku) show:
Sep 29 17:35:20 shukaku pluto[4197]: packet from 192.0.2.9:500: ignoring unknown Vendor ID payload [4f456b63686f4261747f4844]
Sep 29 17:35:20 shukaku pluto[4197]: packet from 192.0.2.9:500: received Vendor ID payload [Dead Peer Detection]
Sep 29 17:35:20 shukaku pluto[4197]: "u2s" #1: responding to Main Mode
Sep 29 17:35:20 shukaku pluto[4197]: "u2s" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 29 17:35:20 shukaku pluto[4197]: "u2s" #1: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 29 17:35:21 shukaku pluto[4197]: "u2s" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 29 17:35:21 shukaku pluto[4197]: "u2s" #1: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 29 17:35:21 shukaku pluto[4197]: "u2s" #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=uzumaki.com'
Sep 29 17:35:21 shukaku pluto[4197]: "u2s" #1: issuer cacert not found
Sep 29 17:35:21 shukaku pluto[4197]: "u2s" #1: X.509 certificate rejected
Sep 29 17:35:21 shukaku pluto[4197]: "u2s" #1: no suitable connection for peer 'C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=uzumaki.com'
Sep 29 17:35:21 shukaku pluto[4197]: "u2s" #1: sending encrypted notification INVALID_ID_INFORMATION to 192.0.2.9:500
Sep 29 17:35:31 shukaku pluto[4197]: "u2s" #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=uzumaki.com'
I hope someone can point me in the right direction if I'm doing
something wrong. Or a good tutorial for a beginner in ipsec and
certificates. Thank you.
Mervyn
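The initiator only sees "ignoring informational payload, type INVALID_ID_INFORMATION"; the actual reason is logged on the responder, where "issuer cacert not found" says the CA certificate that signed the peer's certificate is not installed on that side. The following is an added example (not from the original post or from Openswan) that walks a responder's pluto log, groups lines per ISAKMP SA, and pairs each INVALID_ID_INFORMATION notification with the peer DN and the rejection reasons logged before it. The sample log is constructed from the Shukaku lines quoted above; the reason texts are this example's own wording.

```python
import re

# Constructed sample: the responder (Shukaku) lines quoted in the post, one entry per line.
RESPONDER_LOG = """\
Sep 29 17:35:21 shukaku pluto[4197]: "u2s" #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=uzumaki.com'
Sep 29 17:35:21 shukaku pluto[4197]: "u2s" #1: issuer cacert not found
Sep 29 17:35:21 shukaku pluto[4197]: "u2s" #1: X.509 certificate rejected
Sep 29 17:35:21 shukaku pluto[4197]: "u2s" #1: no suitable connection for peer 'C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=uzumaki.com'
Sep 29 17:35:21 shukaku pluto[4197]: "u2s" #1: sending encrypted notification INVALID_ID_INFORMATION to 192.0.2.9:500
"""

# pluto prefixes per-SA messages with the conn name and the SA number (#1, #2, ...).
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
PEER_ID_RE = re.compile(r"Main mode peer ID is ID_DER_ASN1_DN: '(?P<dn>[^']+)'")

# Responder-side messages that explain a rejection, most specific first.
# The explanation strings are this example's own wording, not pluto output.
CAUSES = [
    ("issuer cacert not found",
     "the CA certificate that issued the peer's certificate is not installed on the responder"),
    ("X.509 certificate rejected",
     "the peer's certificate failed validation on the responder"),
    ("no suitable connection for peer",
     "no conn definition matched the peer's ID (check leftid/rightid against the certificate DN)"),
]

def diagnose(log_text):
    """Return one dict per ISAKMP SA for which the responder sent INVALID_ID_INFORMATION,
    with the peer DN it announced and the rejection reasons logged for that SA, in order."""
    states = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # packet-level lines without an SA are not needed here
        key = (m["conn"], m["sa"])
        st = states.setdefault(key, {"conn": m["conn"], "sa": int(m["sa"]),
                                     "peer_dn": None, "reasons": [], "rejected": False})
        pid = PEER_ID_RE.search(m["msg"])
        if pid:
            st["peer_dn"] = pid["dn"]
        for marker, reason in CAUSES:
            if marker in m["msg"] and reason not in st["reasons"]:
                st["reasons"].append(reason)
        # Only the responder's own "sending ... INVALID_ID_INFORMATION" marks a rejection;
        # the initiator's "ignoring informational payload" line does not.
        if "sending" in m["msg"] and "INVALID_ID_INFORMATION" in m["msg"]:
            st["rejected"] = True
    return [st for st in states.values() if st["rejected"]]

if __name__ == "__main__":
    for sa in diagnose(RESPONDER_LOG):
        print(f'{sa["conn"]} #{sa["sa"]} rejected peer {sa["peer_dn"]!r}: ' + "; ".join(sa["reasons"]))
```

The first reason listed is the one to act on: once the issuing CA certificate is present on the responder, the later "certificate rejected" and "no suitable connection" lines normally disappear with it.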