[Openswan Users] D-link to OpenSWAN certification problem

Marcus Carlson marcus at mejlamej.nu
Thu Sep 28 17:25:21 EDT 2006


Hi all,

I've been having trouble with this d-link (dfl700) for a couple of days 
now. I've set up certificates alright on the server (openswan <-> 
openswan OK, netscreen <-> openswan OK) but the D-Link fails and says 
Authentication failed. D-Link is behind NAT.

I've uploaded the CA, private/public key for the D-Link, (even tried the 
openswan cert - but same error). The D-Link initiates the connection and 
the logs from D-Link are here;

Sep 28 23:13:33 192.168.100.150 EFW: IPSEC: prio=1 Phase-1 [initiator] 
between der_asn1_dn(udp:500,[0..115]=C=SE, O=MyORG, OU=MyOU, 
CN=dlinktest, MAILTO=nospamforme at bla.org) and 
ipv4(udp:500,[0..3]=XX.XX.XX.XX) failed; Authentication failed.

From OpenSWAN;
Sep 28 23:19:39 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763: 
responding to Main Mode from unknown peer YY.YY.YY.YY
Sep 28 23:19:39 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763: 
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 28 23:19:39 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763: 
STATE_MAIN_R1: sent MR1, expecting MI2
Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763: 
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763: 
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763: 
STATE_MAIN_R2: sent MR2, expecting MI3
Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763: 
ignoring informational payload, type IPSEC_INITIAL_CONTACT
Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763: 
Main mode peer ID is ID_DER_ASN1_DN: 'C=SE, O=MyORG, OU=MyOU, 
CN=dlinktest, MAILTO=nospamforme at bla.org'
Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763: I 
am sending my cert
Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763: 
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 28 23:19:40 localhost pluto[14433]: | NAT-T: new mapping 
YY.YY.YY.YY:500/1024)
Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763: 
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG 
cipher=aes_128 prf=oakley_sha group=modp1024}


It seems to me that OpenSWAN sends its ID as the IP address 
ipv4(udp:500,[0..3]=XX.XX.XX.XX), or is this some problem of the D-Link?

OpenSWAN config;
conn dlink
         also=cert
         rightsubnet=192.168.10.0/24
         right=%any
         rightid="C=SE,... bla bla"
         auto=add

conn cert
         authby=rsasig
         left=XX.XX.XX.XX
         leftsubnet=10.1.231.0/24
         leftrsasigkey=%cert
         leftcert=servercert.crt
         rightrsasigkey=%cert


Any idea? I have gone through the D-Link options many times but can't find 
any useful setting that sets the peer identification to cert instead of 
IP (yes, I've selected the CA and also the peer cert, but with no luck).

Thanks in advance
Marcus
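As an added check, not part of Marcus's post and not Openswan's or D-Link's own code, the script below parses log lines and an ipsec.conf modelled on the ones quoted above (constructed samples: public addresses replaced with RFC 5737 documentation addresses, the list's "at" obfuscation undone, the elided rightid replaced by a placeholder DN) and reports where the two peers disagree on the form of the identity. The fact it makes explicit is the one the post circles around: Openswan's leftid= defaults to the left= address when it is not set, so a conn that carries leftcert but no leftid identifies itself by an IPv4 ID rather than by the certificate's DN. The D-Link log grammar parsed here is inferred from the single line quoted, and the ipsec.conf reader is deliberately minimal.

```python
import re

# Constructed sample data, modelled on the lines quoted in the post; nothing
# here is taken from a real deployment.
DLINK_LOG = (
    "Sep 28 23:13:33 192.168.100.150 EFW: IPSEC: prio=1 Phase-1 [initiator] "
    "between der_asn1_dn(udp:500,[0..115]=C=SE, O=MyORG, OU=MyOU, "
    "CN=dlinktest, MAILTO=nospamforme@bla.org) and "
    "ipv4(udp:500,[0..3]=192.0.2.1) failed; Authentication failed."
)

PLUTO_LOG = [
    'Sep 28 23:19:39 localhost pluto[14433]: "dlink"[1] 198.51.100.7 #763: '
    "responding to Main Mode from unknown peer 198.51.100.7",
    'Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] 198.51.100.7 #763: '
    "Main mode peer ID is ID_DER_ASN1_DN: 'C=SE, O=MyORG, OU=MyOU, "
    "CN=dlinktest, MAILTO=nospamforme@bla.org'",
    'Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] 198.51.100.7 #763: '
    "STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG "
    "cipher=aes_128 prf=oakley_sha group=modp1024}",
]

SAMPLE_CONF = """
conn dlink
        also=cert
        rightsubnet=192.168.10.0/24
        right=%any
        rightid="C=SE, O=MyORG, OU=MyOU, CN=dlinktest"
        auto=add

conn cert
        authby=rsasig
        left=192.0.2.1
        leftsubnet=10.1.231.0/24
        leftrsasigkey=%cert
        leftcert=servercert.crt
        rightrsasigkey=%cert
"""

# D-Link ID token, as inferred from the quoted line: <type>(udp:<port>,[<range>]=<value>)
ID_RE = re.compile(
    r"(?P<type>der_asn1_dn|ipv4|ipv6|fqdn|user_fqdn)"
    r"\(udp:\d+,\[\d+\.\.\d+\]=(?P<value>[^)]*)\)"
)
# pluto's report of the identity the peer presented in Main Mode
PEER_ID_RE = re.compile(r"peer ID is (?P<type>ID_[A-Z0-9_]+): '(?P<value>[^']*)'")


def parse_id(token):
    """Split one D-Link ID token into (type, value); None if unrecognised."""
    m = ID_RE.fullmatch(token)
    return (m.group("type"), m.group("value")) if m else None


def parse_dlink_phase1(line):
    """Return the D-Link's own ID and the ID it recorded for the remote side."""
    m = re.search(r"between (?P<local>.+?\)) and (?P<peer>.+?\)) failed", line)
    if not m:
        return None
    return {"local": parse_id(m.group("local")), "peer": parse_id(m.group("peer"))}


def parse_pluto_peer_id(lines):
    """Return (ID type, value) that pluto logged for the peer, or None."""
    for line in lines:
        m = PEER_ID_RE.search(line)
        if m:
            return (m.group("type"), m.group("value"))
    return None


def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: {conn name: {key: value}}, quotes stripped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip().strip('"')
    return conns


def effective_conn(conns, name):
    """Merge also= sections; the conn's own settings win over included ones."""
    merged = {}
    for included in conns[name].get("also", "").split():
        merged.update(effective_conn(conns, included))
    merged.update({k: v for k, v in conns[name].items() if k != "also"})
    return merged


def local_id_defaults_to_ip(conn):
    """Without leftid= Openswan identifies itself by the left= address."""
    return "leftid" not in conn and "left" in conn


def diagnose(dlink_line, pluto_lines, conf_text, conn_name):
    """Collect findings that point at an ID-form mismatch between the peers."""
    findings = []
    ids = parse_dlink_phase1(dlink_line)
    if ids and ids["peer"] and ids["peer"][0] != "der_asn1_dn":
        findings.append(f"D-Link records the remote ID as {ids['peer'][0]}="
                        f"{ids['peer'][1]}, not a certificate DN")
    peer = parse_pluto_peer_id(pluto_lines)
    if peer and ids and ids["local"] and peer[1] != ids["local"][1]:
        findings.append("DN presented by the D-Link differs from the one pluto logged")
    conn = effective_conn(parse_ipsec_conf(conf_text), conn_name)
    if "leftcert" in conn and local_id_defaults_to_ip(conn):
        findings.append(f"conn {conn_name} sets leftcert but no leftid, so the "
                        f"local ID defaults to left={conn['left']}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(DLINK_LOG, PLUTO_LOG, SAMPLE_CONF, "dlink"):
        print("-", finding)
```

Run stand-alone it prints two findings: the D-Link side holds an ipv4 ID for the Openswan end, and the Openswan conn lacks a leftid to override the address default. Adding a leftid carrying the server certificate's DN (the same form pluto logs for the peer) silences the second finding; whether the D-Link then matches that DN against the uploaded certificate is something to confirm in its own logs.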

