[Openswan Users]
why does openswan complain INVALID_ID_INFORMATION? please help
sean dai
sean_dai at yahoo.com
Sat Apr 29 23:47:50 CEST 2006
I am following Paul Wouters & Ken Bantoft's "Building
and integrating Virtual Private Networks with
Openswan" to set up a simple IPsec connection between
two Linux boxes that run Fedora Core 4. The following
shows the network setup.
    -----------
    |  WEST   |
    -----------
         | 10.0.1.20
         |
         | 10.0.1.1
    -----------
    |  EAST   |
    -----------
I was able to bring up an X.509-based (without using a CA)
IPsec connection between the two Linux boxes. But
when I started to use a certificate authority, after
doing "service ipsec start" on the west, and "service
ipsec start; ipsec auto --up west-east" on the east, I
got the following error message on the east (similar
error message on the west too, I think):
108 "west-east" #1: STATE_MAIN_I3: expecting MR3
010 "west-east" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "west-east" #1: discarding duplicate packet; already STATE_MAIN_I3
An excerpt of the ipsec barf output on the west node:
=============================================
Apr 30 00:24:30 localhost pluto[9790]: "west-east"[1] 10.0.1.1 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=ca, ST=ontario, O=xelerance, OU=support staff, CN=east, E=east at xelerance.com'
Apr 30 00:24:30 localhost pluto[9790]: "west-east"[1] 10.0.1.1 #1: no crl from issuer "C=ca, ST=ontario, L=toronto, O=xelerance, OU=support staff, CN=xelerance root ca, E=ca at xelerance.com" found (strict=no)
Apr 30 00:24:30 localhost pluto[9790]: "west-east"[1] 10.0.1.1 #1: no suitable connection for peer 'C=ca, ST=ontario, O=xelerance, OU=support staff, CN=east, E=east at xelerance.com'
Apr 30 00:24:30 localhost pluto[9790]: "west-east"[1] 10.0.1.1 #1: sending encrypted notification INVALID_ID_INFORMATION to 10.0.1.1:500
Apr 30 00:24:30 localhost pluto[9790]: "west-east"[1] 10.0.1.1 #1: failed to build notification for spisize=0
I am thinking that something may be wrong with my
configuration. After spending a fair amount of time
checking ipsec.secrets and ipsec.conf, I just cannot
tell what's wrong. Can somebody help me out? The
following are the configurations I used.
On both east and west side, I put the same root CA,
caCert.pem, in /etc/ipsec.d/cacerts. The following is
the dump of the ipsec.secrets and ipsec.conf on the
west side.
/etc/ipsec.secrets
==================
: RSA /etc/ipsec.d/private/west.key "1234"
/etc/ipsec.conf
===============
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
conn %default
        authby=rsasig
conn west-east
        left=10.0.1.20
        leftcert=/etc/ipsec.d/certs/westcert.pem
        rightrsasigkey=%cert
        right=%any
        rightid="C=ca, ST=ontario, L=toronto, O=xelerance, OU=support staff, CN=east, e=east at xelerance.com"
        type=tunnel
        auto=add
The following is the dump of ipsec.secrets and
ipsec.conf on the east side.
/etc/ipsec.secrets
==================
: RSA /etc/ipsec.d/private/east.key "1234"
/etc/ipsec.conf
===============
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
conn %default
        authby=rsasig
conn west-east
        left=10.0.1.1
        leftcert=/etc/ipsec.d/certs/eastcert.pem
        rightrsasigkey=%cert
        right=10.0.1.20
        rightid="C=ca, st=ontario, L=toronto, O=xelerance, OU=support staff, CN=west, e=west at xelerance.com"
        type=tunnel
        auto=start
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam
protection around
http://mail.yahoo.com
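Editor's note: the check a reader of this thread will want is to take the DN that pluto logs as "Main mode peer ID is ID_DER_ASN1_DN: '...'" and compare it, RDN by RDN, against the rightid in ipsec.conf; "no suitable connection for peer" followed by INVALID_ID_INFORMATION is what pluto emits when no conn's ID matches the peer's certificate subject. The script below is an added example and is not code from the post, from the book, or from Openswan. It parses the posted log line and the posted rightid strings (the list archive rewrites "@" as " at "; restoring "@" is an assumption), folds attribute-type case and the E/Email/emailAddress aliases, compares values case-insensitively and treats "*" as a wildcard, all of which mirror how Openswan matches DNs as far as the editor knows and are labelled as assumptions in the code. Run on the thread's own strings it reports that the west rightid carries an L= RDN that the east certificate's subject does not.

```python
"""Compare a peer DN from a pluto log line against an ipsec.conf rightid.

Added example for the thread above; not from the original post or from
Openswan. The sample strings are the DNs posted in the thread, with the
list archive's ' at ' restored to '@' (an assumption).
"""
import re

# Attribute-type aliases folded to one canonical name. Assumption: this
# mirrors the aliases Openswan's ipsec.conf DN parser accepts.
_TYPE_ALIASES = {"EMAIL": "E", "EMAILADDRESS": "E", "SERIALNUMBER": "SN"}

_PEER_ID_RE = re.compile(r"peer ID is ID_DER_ASN1_DN: '([^']*)'")

# Constructed sample inputs, copied from the thread (with '@' restored).
PLUTO_LOG_LINE = (
    'Apr 30 00:24:30 localhost pluto[9790]: "west-east"[1] 10.0.1.1 #1: '
    "Main mode peer ID is ID_DER_ASN1_DN: 'C=ca, ST=ontario, O=xelerance, "
    "OU=support staff, CN=east, E=east@xelerance.com'"
)
WEST_RIGHTID = ("C=ca, ST=ontario, L=toronto, O=xelerance, "
                "OU=support staff, CN=east, e=east@xelerance.com")
# Hypothetical corrected rightid: the same DN without the L= RDN.
CORRECTED_RIGHTID = ("C=ca, st=ontario, O=xelerance, OU=support staff, "
                     "CN=east, Email=East@Xelerance.com")


def _split_unescaped(text, sep):
    """Split on sep, honouring backslash escapes (e.g. 'a\\, b')."""
    parts, buf, escaped = [], [], False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_dn(dn):
    """'C=ca, ST=ontario, ...' -> [('C', 'ca'), ('ST', 'ontario'), ...]."""
    rdns = []
    for raw in _split_unescaped(dn, ","):
        raw = raw.strip()
        if not raw:
            continue
        if "=" not in raw:
            raise ValueError(f"malformed RDN: {raw!r}")
        typ, val = raw.split("=", 1)
        typ = typ.strip().upper()
        rdns.append((_TYPE_ALIASES.get(typ, typ), val.strip()))
    return rdns


def peer_id_from_log(line):
    """Extract the DN pluto logged as the Main mode peer ID."""
    m = _PEER_ID_RE.search(line)
    if not m:
        raise ValueError("no ID_DER_ASN1_DN peer ID in line")
    return m.group(1)


def dn_matches(cert_dn, configured_id):
    """Return (matched, reasons). RDNs are compared in order; values
    case-insensitively (assumption: as Openswan does for printable
    strings); '*' in the configured id matches any value."""
    a, b = parse_dn(cert_dn), parse_dn(configured_id)
    reasons = []
    if len(a) != len(b):
        a_types, b_types = [t for t, _ in a], [t for t, _ in b]
        for t in b_types:
            if t not in a_types:
                reasons.append(f"rightid has {t}= which the peer's certificate DN lacks")
        for t in a_types:
            if t not in b_types:
                reasons.append(f"certificate DN has {t}= which rightid lacks")
        return False, reasons
    for i, ((ta, va), (tb, vb)) in enumerate(zip(a, b)):
        if ta != tb:
            reasons.append(f"RDN {i}: type {ta} in certificate vs {tb} in rightid")
        elif vb != "*" and va.lower() != vb.lower():
            reasons.append(f"RDN {i}: {ta}={va!r} in certificate vs {vb!r} in rightid")
    return not reasons, reasons


if __name__ == "__main__":
    peer = peer_id_from_log(PLUTO_LOG_LINE)
    for label, rid in (("posted", WEST_RIGHTID), ("corrected", CORRECTED_RIGHTID)):
        ok, why = dn_matches(peer, rid)
        print(f"{label} rightid: {'match' if ok else 'NO MATCH'}")
        for r in why:
            print("  -", r)
```

The same comparison can be run against the subject printed by `openssl x509 -in /etc/ipsec.d/certs/eastcert.pem -noout -subject`, which is the DN pluto will present as the peer ID; note that the DN with L=toronto in the log belongs to the issuing CA, not to the east certificate.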