[Openswan Users] D-link to OpenSWAN certification problem [SOLVED]
Marcus Carlson
marcus at mejlamej.nu
Fri Sep 29 17:28:48 EDT 2006
Hi again,
Sorry to bother you guys. A firmware upgrade of the D-link solved the
problem.
Marcus
Marcus Carlson skrev:
> Hi all,
>
> I've been having trouble with this d-link (dfl700) for a couple of days
> now. I've set up certificates alright on the server (openswan <->
> openswan OK, netscreen <-> openswan OK) but the D-Link fails and says
> Authentication failed. D-Link is behind NAT.
>
> I've uploaded the CA and the private/public key for the D-Link (even tried the
> openswan cert, but same error). The D-Link initiates the connection and
> the logs from D-Link are here:
>
> Sep 28 23:13:33 192.168.100.150 EFW: IPSEC: prio=1 Phase-1 [initiator]
> between der_asn1_dn(udp:500,[0..115]=C=SE, O=MyORG, OU=MyOU,
> CN=dlinktest, MAILTO=nospamforme at bla.org) and
> ipv4(udp:500,[0..3]=XX.XX.XX.XX) failed; Authentication failed.
>
> From OpenSWAN:
> Sep 28 23:19:39 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763:
> responding to Main Mode from unknown peer YY.YY.YY.YY
> Sep 28 23:19:39 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763:
> transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Sep 28 23:19:39 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763:
> STATE_MAIN_R1: sent MR1, expecting MI2
> Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763:
> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
> Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763:
> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763:
> STATE_MAIN_R2: sent MR2, expecting MI3
> Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763:
> ignoring informational payload, type IPSEC_INITIAL_CONTACT
> Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763:
> Main mode peer ID is ID_DER_ASN1_DN: 'C=SE, O=MyORG, OU=MyOU,
> CN=dlinktest, MAILTO=nospamforme at bla.org'
> Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763: I
> am sending my cert
> Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763:
> transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Sep 28 23:19:40 localhost pluto[14433]: | NAT-T: new mapping
> YY.YY.YY.YY:500/1024)
> Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763:
> STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
> cipher=aes_128 prf=oakley_sha group=modp1024}
>
>
> It seems to me that OpenSWAN sends its ID as the IP address
> ipv4(udp:500,[0..3]=XX.XX.XX.XX), or is this some problem of the D-Link?
>
> OpenSWAN config:
> conn dlink
> also=cert
> rightsubnet=192.168.10.0/24
> right=%any
> rightid="C=SE,... bla bla"
> auto=add
>
> conn cert
> authby=rsasig
> left=XX.XX.XX.XX
> leftsubnet=10.1.231.0/24
> leftrsasigkey=%cert
> leftcert=servercert.crt
> rightrsasigkey=%cert
>
>
> Any idea? I have gone through the D-link options many times but can't find
> any useful setting that sets the peer identification to cert instead of
> IP (yes, I've selected the CA and also the peer cert, but with no luck).
>
> Thanks in advance
> Marcus
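When troubleshooting a Main Mode negotiation like the one above, the pluto lines answer the question the post asks: which ID type the peer presented (ID_DER_ASN1_DN versus an IP address), whether NAT-Traversal was detected, and which parameters the ISAKMP SA was established with. The following parser is an added example, not code from the thread or from the Openswan project; it groups pluto log lines by connection and SA number and summarizes Phase 1. The sample log is constructed from the lines quoted in the post, with the same placeholder addresses, and the `rightid` hint in `assess()` reflects only that Openswan selects a conn by matching the peer's ID against its configured `rightid`.

```python
"""Summarize Openswan pluto Main Mode (IKE Phase 1) log lines per SA."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the pluto lines quoted in the thread
# (peer address replaced by the same YY.YY.YY.YY placeholder the post uses).
SAMPLE_LOG = """\
Sep 28 23:19:39 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763: responding to Main Mode from unknown peer YY.YY.YY.YY
Sep 28 23:19:39 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 28 23:19:39 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763: Main mode peer ID is ID_DER_ASN1_DN: 'C=SE, O=MyORG, OU=MyOU, CN=dlinktest, MAILTO=nospamforme at bla.org'
Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763: I am sending my cert
Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 28 23:19:40 localhost pluto[14433]: | NAT-T: new mapping YY.YY.YY.YY:500/1024)
Sep 28 23:19:40 localhost pluto[14433]: "dlink"[1] YY.YY.YY.YY #763: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp1024}
"""

# syslog prefix: timestamp, host, "pluto[pid]: " then the pluto message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"pluto\[(?P<pid>\d+)\]: (?P<rest>.*)$"
)
# per-SA messages carry: "conn"[instance] peer #sa: message
SA_RE = re.compile(
    r'^"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$'
)
TRANSITION_RE = re.compile(r"transition from state (\S+) to state (\S+)")
PEER_ID_RE = re.compile(r"Main mode peer ID is (?P<type>\S+): '(?P<value>.*)'")
ESTABLISHED_RE = re.compile(r"ISAKMP SA established \{(?P<params>[^}]*)\}")


@dataclass
class Phase1Summary:
    conn: str
    peer: str
    sa: int
    states: List[str] = field(default_factory=list)   # state path, in order
    peer_id_type: Optional[str] = None                 # e.g. ID_DER_ASN1_DN
    peer_id: Optional[str] = None                      # the ID value itself
    peer_nated: bool = False                           # NAT-T detected the peer behind NAT
    established: bool = False
    params: Dict[str, str] = field(default_factory=dict)  # auth/cipher/prf/group


def parse_pluto_log(text: str) -> List[Phase1Summary]:
    """Group pluto lines by (conn, SA#) and extract the Phase 1 facts from each."""
    summaries: Dict[tuple, Phase1Summary] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sa_m = SA_RE.match(m.group("rest"))
        if not sa_m:
            continue  # debug lines ("| NAT-T: ...") carry no SA prefix
        key = (sa_m.group("conn"), int(sa_m.group("sa")))
        s = summaries.setdefault(
            key, Phase1Summary(sa_m.group("conn"), sa_m.group("peer"), int(sa_m.group("sa")))
        )
        msg = sa_m.group("msg")
        if t := TRANSITION_RE.search(msg):
            if not s.states:
                s.states.append(t.group(1))
            s.states.append(t.group(2))
        elif pid := PEER_ID_RE.search(msg):
            s.peer_id_type, s.peer_id = pid.group("type"), pid.group("value")
        elif "peer is NATed" in msg:
            s.peer_nated = True
        elif est := ESTABLISHED_RE.search(msg):
            s.established = True
            s.params = dict(kv.split("=", 1) for kv in est.group("params").split())
    return list(summaries.values())


def assess(s: Phase1Summary) -> List[str]:
    """Return human-readable findings a troubleshooter would want to see first."""
    findings = []
    if s.established and s.params.get("auth") == "OAKLEY_RSA_SIG" and s.peer_id_type != "ID_DER_ASN1_DN":
        # with certificate auth the conn's rightid must match whatever ID form the peer sent
        findings.append(f"RSA-signature peer identified by {s.peer_id_type}, not a certificate DN; "
                        "check that rightid matches this ID form")
    if s.peer_nated:
        findings.append("peer is behind NAT; NAT-T is in use")
    if not s.established:
        last = s.states[-1] if s.states else "unknown"
        findings.append(f"Phase 1 did not complete (last state {last})")
    return findings


if __name__ == "__main__":
    for summary in parse_pluto_log(SAMPLE_LOG):
        print(summary)
        for finding in assess(summary):
            print("  -", finding)
```

Run against the constructed sample, the summary shows the peer presenting `ID_DER_ASN1_DN` (so the responder did accept a DN identity and completed Phase 1 with `auth=OAKLEY_RSA_SIG`), which narrows the "Authentication failed" seen on the D-Link side to the initiator's own certificate handling rather than to Openswan's ID selection.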