[Openswan Users]

Paul Wouters paul at xelerance.com
Mon Jan 30 01:36:35 CET 2006


On Mon, 30 Jan 2006, Alon Swartz wrote:

> I am not an expert in checkpoint, so I may have missed an important configuration somewhere...
> Here are the configurations I suspect are related to "NO_PROPOSAL_CHOSEN", but I may be wrong.

> 002 "cptest" #1: initiating Main Mode
> 104 "cptest" #1: STATE_MAIN_I1: initiate
> 003 "cptest" #1: received Vendor ID payload [RFC 3947] method set to=109
> 002 "cptest" #1: enabling possible NAT-traversal with method 3
> 002 "cptest" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> 106 "cptest" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 002 "cptest" #1: I did not send a certificate because I do not have one.
> 003 "cptest" #1: NAT-Traversal: Result using 3: i am NATed
> 002 "cptest" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> 108 "cptest" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 002 "cptest" #1: Main mode peer ID is ID_IPV4_ADDR: '11.0.0.6'
> 002 "cptest" #1: no crl from issuer "O=win2ksrv..yyzenm" found (strict=no)
> 002 "cptest" #1: end certificate with identical subject and issuer not accepted
> 002 "cptest" #1: X.509 certificate rejected

The certificate has been rejected, therefore you have no valid RSA key left for
the connection. You have used an identical CN= for both the Certificate Agency
X509 certificate and the client X.509 certificate. This is a security risk, as
the client could pretend to be a CA and sign certificates with its non-CA cert.

Generate another certificate with a different CN= to test this. For production,
always use the string "CA" within the CN= of the Certificate Agency's certificate.

Paul
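
The check behind the "end certificate with identical subject and issuer not accepted" line, as an added example that is not part of this thread and not Openswan's own code: a standard-library-only Python script that pulls the issuer and subject Names out of a DER or PEM X.509 certificate and rejects an end certificate whose subject equals its issuer. The two sample certificates are constructed in the script (unsigned, with placeholder keys, since only the Name fields matter for the check); the DNs "O=win2ksrv, CN=win2ksrv" and "CN=client1" are assumptions modelled on the issuer in the log above.

```python
"""Reproduce the subject == issuer rejection on an X.509 certificate (stdlib only)."""
import base64

# --- minimal DER helpers, used only to build the constructed sample certificates ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def name(cn, org):
    # Name ::= SEQUENCE OF RelativeDistinguishedName; each RDN is a SET of {OID, value}
    def rdn(oid, value):
        return tlv(0x31, seq(tlv(0x06, oid), tlv(0x13, value.encode())))
    return seq(rdn(b"\x55\x04\x0a", org), rdn(b"\x55\x04\x03", cn))  # O=..., CN=...

SHA256_RSA = seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"), tlv(0x05, b""))
RSA_KEY = seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"), tlv(0x05, b""))

def fake_cert(subject, issuer):
    """Constructed stand-in for a Certificate: real field layout, dummy key and signature."""
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                       # [0] version v3
        tlv(0x02, b"\x01"),                                   # serialNumber
        SHA256_RSA,                                           # signature algorithm
        issuer,
        seq(tlv(0x17, b"060130000000Z"), tlv(0x17, b"070130000000Z")),  # validity
        subject,
        seq(RSA_KEY, tlv(0x03, b"\x00\x00")),                 # subjectPublicKeyInfo placeholder
    )
    return seq(tbs, SHA256_RSA, tlv(0x03, b"\x00\x00"))       # dummy signatureValue

# --- DER reading ---
def read_tlv(buf, pos):
    """Return (tag, body, end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """List of (tag, full_element_bytes) for each element inside a constructed body."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, end = read_tlv(body, pos)
        out.append((tag, body[pos:end]))
        pos = end
    return out

def subject_and_issuer(cert_der):
    """Return the raw DER (subject, issuer) Names of a Certificate."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert_body, 0)
    fields = children(tbs)
    if fields[0][0] == 0xA0:              # optional explicit version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[4][1], fields[2][1]

OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x06": "C"}

def dn_to_str(name_tlv):
    _, rdns, _ = read_tlv(name_tlv, 0)
    parts = []
    for _, rdn in children(rdns):
        _, atv_set, _ = read_tlv(rdn, 0)
        for _, atv in children(atv_set):
            _, pair, _ = read_tlv(atv, 0)
            (_, oid_tlv), (_, val_tlv) = children(pair)[:2]
            oid, val = read_tlv(oid_tlv, 0)[1], read_tlv(val_tlv, 0)[1]
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ", ".join(parts)

def load_cert(data):
    """Accept PEM or DER bytes, e.g. a file written by openssl x509."""
    if b"-----BEGIN" in data:
        body = b"".join(l for l in data.splitlines() if l and not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data

def to_pem(der):
    b64 = base64.encodebytes(der).replace(b"\n", b"")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"

def check_end_cert(cert_der):
    """Reject an end certificate whose subject DN equals its issuer DN (self-issued).
    Byte-for-byte DER comparison is used here; RFC 5280 name matching is looser."""
    subject, issuer = subject_and_issuer(cert_der)
    if subject == issuer:
        return False, f"end certificate with identical subject and issuer not accepted: {dn_to_str(subject)}"
    return True, f"subject {dn_to_str(subject)} issued by {dn_to_str(issuer)}"

# Constructed samples (assumed DNs): CA and a client that reused the CA's CN, plus a correct client.
CA_DN = name("win2ksrv", "win2ksrv")
BAD_CLIENT = fake_cert(subject=name("win2ksrv", "win2ksrv"), issuer=CA_DN)
GOOD_CLIENT = fake_cert(subject=name("client1", "win2ksrv"), issuer=CA_DN)

if __name__ == "__main__":
    for label, cert in (("bad", BAD_CLIENT), ("good", GOOD_CLIENT)):
        print(label, *check_end_cert(cert))
```

To run the same check on a real peer certificate, pass the file contents through load_cert (PEM or DER both work) and then check_end_cert; the rejection message mirrors the one in the log, and the fix is what Paul suggests: reissue the client certificate with a CN that differs from the CA's.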

