[Openswan Users] Host Certificate

Oliver Tomkins oliver.tomkins at alliedvehicles.co.uk
Thu May 11 11:11:38 CEST 2006


Sorry,

I should probably make this clearer.

I don't think the certificate had actually expired.  I noticed the date 
on the host's certificate was exactly 1 year old yesterday and made 2 + 2 
= 5.

No configuration changes were made to the ipsec machine yesterday, but as 
of a certain point yesterday I started to see this in /var/log/secure for 
our non-NAT clients:

max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message

Eventually the tunnels went down and they were unable to reconnect.

Clients trying to reconnect afterwards failed with the messages below.

Thanks,

Olly.



Oliver Tomkins wrote:
> Hello all,
> 
> The host certificate on the Openswan machine turned 1 year old today and 
> understandably stopped people from being able to connect.
> 
> My windows XP clients started failing with the error:
> 
> "The l2tp connection attempt failed because there is no valid machine 
> certificate on your computer for security authentication."
> 
> I revoked the current certificate on the host and created new ones for 
> the server.
> 
> When I connect now I get the same error from the client machine and this 
> in /var/log/secure/
> 
> May 10 17:35:56 host pluto[1581]: packet from XX.XX.XX.XX:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> May 10 17:35:56 host pluto[1581]: packet from XX.XX.XX.XX:500: ignoring Vendor ID payload [FRAGMENTATION]
> May 10 17:35:56 host pluto[1581]: packet from XX.XX.XX.XX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> May 10 17:35:56 host pluto[1581]: packet from XX.XX.XX.XX:500: ignoring Vendor ID payload [Vid-Initial-Contact]
> May 10 17:35:56 host pluto[1581]: "conn"[2] XX.XX.XX.XX #2: responding to Main Mode from unknown peer XX.XX.XX.XX
> May 10 17:35:56 host pluto[1581]: "conn"[2] XX.XX.XX.XX #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> May 10 17:35:56 host pluto[1581]: "conn"[2] XX.XX.XX.XX #2: STATE_MAIN_R1: sent MR1, expecting MI2
> May 10 17:35:57 host pluto[1581]: "conn"[2] XX.XX.XX.XX #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
> May 10 17:35:57 host pluto[1581]: "conn"[2] XX.XX.XX.XX #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> May 10 17:35:57 host pluto[1581]: "conn"[2] XX.XX.XX.XX #2: STATE_MAIN_R2: sent MR2, expecting MI3
> May 10 17:35:57 host pluto[1581]: "conn"[2] XX.XX.XX.XX #2: next payload type of ISAKMP Hash Payload has an unknown value: 36
> May 10 17:35:57 host pluto[1581]: "conn"[2] XX.XX.XX.XX #2: malformed payload in packet
> May 10 17:35:57 host pluto[1581]: "conn"[2] XX.XX.XX.XX #2: sending notification PAYLOAD_MALFORMED to XX.XX.XX.XX:500
> May 10 17:35:57 host pluto[1581]: "conn"[2] XX.XX.XX.XX #2: byte 2 of ISAKMP Hash Payload must be zero, but is not
> May 10 17:35:57 host pluto[1581]: "conn"[2] XX.XX.XX.XX #2: malformed payload in packet
> 
> 
> Any thoughts?
> 
> Thanks,
> 
> Olly.
> 
> The information in this e-mail is confidential. The contents may not be 
> disclosed or used by anyone other than the addressee. If you are not the 
> intended recipient, please notify the sender immediately by reply e-mail 
> and delete this message. Allied Vehicles cannot accept any 
> responsibility for the accuracy or completeness of this message as it 
> has been transmitted over a public network.
> For details of our products and services please visit our website at 
> www.alliedvehicles.co.uk
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 

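The two log excerpts in this thread are the two halves of the same Main Mode failure seen from opposite ends: the responder gets an MI3 it cannot parse ("next payload type ... has an unknown value", "malformed payload in packet" right after "sent MR2, expecting MI3"), and an initiator reports "no acceptable response to our first encrypted message" at STATE_MAIN_I3. Below is an added triage script, not code from the original post or from Openswan, that groups pluto log lines by ISAKMP SA number and flags exactly those two patterns, while also recording the NAT-Traversal result so NATed and non-NAT clients can be told apart. The sample log is constructed after the lines in the post (peer addresses from the 192.0.2.0/24 documentation range, connection names "conn" and "site", and a healthy SA #4 added for contrast); the finding codes are this example's own.

```python
"""Triage Openswan/pluto IKEv1 Main Mode logs per ISAKMP SA (added example)."""
import re

# One pluto log line. The  "conn"[n] peer #sa:  prefix is optional because lines
# logged before a state object exists ("packet from X:500: ...") do not carry it.
PLUTO_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<sa>\d+): )?'
    r'(?P<msg>.*)$'
)

# Constructed sample: SA #2 mirrors the responder-side failure from the post,
# SA #3 the initiator-side symptom, SA #4 a negotiation that completes.
SAMPLE_LOG = """\
May 10 17:35:56 host pluto[1581]: packet from 192.0.2.10:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
May 10 17:35:56 host pluto[1581]: packet from 192.0.2.10:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
May 10 17:35:56 host pluto[1581]: "conn"[2] 192.0.2.10 #2: responding to Main Mode from unknown peer 192.0.2.10
May 10 17:35:56 host pluto[1581]: "conn"[2] 192.0.2.10 #2: STATE_MAIN_R1: sent MR1, expecting MI2
May 10 17:35:57 host pluto[1581]: "conn"[2] 192.0.2.10 #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
May 10 17:35:57 host pluto[1581]: "conn"[2] 192.0.2.10 #2: STATE_MAIN_R2: sent MR2, expecting MI3
May 10 17:35:57 host pluto[1581]: "conn"[2] 192.0.2.10 #2: next payload type of ISAKMP Hash Payload has an unknown value: 36
May 10 17:35:57 host pluto[1581]: "conn"[2] 192.0.2.10 #2: malformed payload in packet
May 10 17:35:57 host pluto[1581]: "conn"[2] 192.0.2.10 #2: sending notification PAYLOAD_MALFORMED to 192.0.2.10:500
May 10 17:35:57 host pluto[1581]: "conn"[2] 192.0.2.10 #2: byte 2 of ISAKMP Hash Payload must be zero, but is not
May 10 17:35:57 host pluto[1581]: "conn"[2] 192.0.2.10 #2: malformed payload in packet
May 10 17:40:03 host pluto[1581]: "site" 192.0.2.20 #3: STATE_MAIN_I2: sent MI2, expecting MR2
May 10 17:40:03 host pluto[1581]: "site" 192.0.2.20 #3: STATE_MAIN_I3: sent MI3, expecting MR3
May 10 17:41:10 host pluto[1581]: "site" 192.0.2.20 #3: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
May 10 17:45:00 host pluto[1581]: "conn"[3] 192.0.2.30 #4: STATE_MAIN_R2: sent MR2, expecting MI3
May 10 17:45:00 host pluto[1581]: "conn"[3] 192.0.2.30 #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established
"""

EXPLAIN = {
    "PEER_NATED": "NAT-T detected a NAT in front of the peer",
    "MI3_UNPARSEABLE": "MI3 (the peer's first encrypted Main Mode message) arrived right after "
                       "MR2 but did not parse; the two sides are not decrypting with the same keys "
                       "or the packet was damaged in transit",
    "MI3_NO_RESPONSE": "we sent MI3 (our first encrypted message) and the peer never answered it",
    "PHASE1_OK": "ISAKMP SA established",
}


def parse_line(line):
    """Return the line's fields as a dict, with sa=None for pre-state lines, or None if unparsable."""
    m = PLUTO_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sa"] = int(rec["sa"]) if rec["sa"] else None
    return rec


def triage(log_text):
    """Return {sa_number: (conn_name, [finding codes in order of appearance])}."""
    per_sa = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["sa"] is None:
            continue  # Vendor ID chatter has no SA number yet; nothing to attribute
        per_sa.setdefault(rec["sa"], (rec["conn"], []))[1].append(rec["msg"])

    report = {}
    for sa, (conn, msgs) in per_sa.items():
        findings = []
        awaiting_mi3 = False  # True between "sent MR2, expecting MI3" and the next good packet
        for msg in msgs:
            if "peer is NATed" in msg:
                findings.append("PEER_NATED")
            elif msg.startswith("STATE_MAIN_R2:"):
                awaiting_mi3 = True
            elif awaiting_mi3 and ("malformed payload" in msg or "ISAKMP Hash Payload" in msg):
                if "MI3_UNPARSEABLE" not in findings:  # pluto logs the same failure twice
                    findings.append("MI3_UNPARSEABLE")
            elif "reached STATE_MAIN_I3" in msg:
                findings.append("MI3_NO_RESPONSE")
            elif "ISAKMP SA established" in msg:
                awaiting_mi3 = False
                findings.append("PHASE1_OK")
        report[sa] = (conn, findings)
    return report


def failed_sas(report):
    """SA numbers whose Phase 1 never completed."""
    return [sa for sa, (_, findings) in report.items() if "PHASE1_OK" not in findings]


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for sa, (conn, findings) in sorted(rep.items()):
        print(f'#{sa} "{conn}":')
        for code in findings:
            print(f"    {code}: {EXPLAIN[code]}")
    print("failed SAs:", failed_sas(rep))
```

Run it against a real /var/log/secure and the interesting question becomes which SAs carry MI3_UNPARSEABLE and whether those are the NATed or the non-NAT peers; an SA that reaches "expecting MI3" and then only logs malformed payloads has already agreed on a proposal and exchanged key material, so the certificate and CA setup on both ends, NAT-T handling and anything that could alter the packet in transit are the places to look, not the Phase 1 proposal.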

