[Openswan Users] Problems with certificates, OpenSWAN 2.4.9

Piotr Zawadzki pzawadzki at polsl.pl
Thu Dec 27 10:12:29 EST 2007


Dear OpenSWAN users,
I'm looking for help in setting up a relatively simple setup:

net 10.2.2.0/24 - gate left - 192.168.1.102 - router - 192.168.1.226 - gate right - net 10.1.1.0/24
Gates left and right should verify their identities based on certificates
issued by the same CA.
The CA and certificates I prepared based on
http://www.natecarlson.com/linux/ipsec-x509.php#installing
Unfortunately, during the identity validation step I see the following
messages (on the left gate):
***
pluto[9609]: | reached self-signed root ca
pluto[9609]: | Public key validated
pluto[9609]: | unreference key: 0x80fab60 C=PL, L=Gliwice, O=ipsec CA, 
CN=192.168.1.226, E=right at ipsec.ca cn
pluto[9609]: | CR  30 00
pluto[9609]: | requested CA: 'X\253\017\010\017'
pluto[9609]: | refine_connection: starting with net2net-cert
pluto[9609]: |   trusted_ca called with a=C=PL, L=Gliwice, O=ipsec CA, CN=CA, 
E=pzawadzki at polsl.pl b=TC\351\
pluto[9609]: |   trusted_ca returning with failed
pluto[9609]: |    match_id a=C=PL, L=Gliwice, O=ipsec CA, CN=192.168.1.226, 
E=right at ipsec.ca
pluto[9609]: |             b=C=PL, L=Gliwice, O=ipsec CA, CN=192.168.1.226, 
E=right at ipsec.ca
pluto[9609]: |    results  matched
pluto[9609]: |   trusted_ca called with a=C=PL, L=Gliwice, O=ipsec CA, CN=CA, 
E=pzawadzki at polsl.pl b=C=PL, L=Gliwice, O=ipsec CA, CN=192.168.1.226, 
E=right at ipsec.ca
pluto[9609]: |   trusted_ca returning with failed
pluto[9609]: |   trusted_ca called with 
a=\204u\315\277pu\315\277\330u\315\277\324l\005\010\310\212\014\010\
pluto[9609]: | refine_connection: checking net2net-cert against net2net-cert, 
best=(none) with match=0(id=1/
pluto[9609]: | find_host_pair: comparing to 192.168.1.102:500 
192.168.1.226:500
pluto[9609]: | find_host_pair_conn (refine_host_connection): 
192.168.1.102:500 %any:500 -> hp:none
pluto[9609]: "net2net-cert" #1: no suitable connection for peer 'C=PL, 
L=Gliwice, O=ipsec CA, CN=192.168.1.2
pluto[9609]: | complete state transition with (null)
pluto[9609]: "net2net-cert" #1: sending encrypted notification 
INVALID_ID_INFORMATION to 192.168.1.226:500
***
A similar configuration based on PSK works well.
The entire "ipsec barf" you can download from
http://minibo.aei.polsl.pl/~pz/ipsec/ipsec.log

Thanks in advance,
-- 
Piotr Zawadzki, Silesian University of Technology
PGP: KeyID 738DCF4E, http://pgp.mit.edu/
google-earth: 50 17'18.60' N, 18 40'38.30" E