[Openswan Users] Certificate rejected but IPsec SA established
Toby Chamberlain
toby at webtechservices.com.au
Tue Mar 6 20:02:16 EST 2007
Hi,
Is this the expected result when dealing with a self-signed certificate?
Mar 7 10:06:19 left pluto[23382]: "left-right" #21: responding to Main Mode
Mar 7 10:06:19 left pluto[23382]: "left-right" #21: transition from state
(null) to state STATE_MAIN_R1
Mar 7 10:06:19 left pluto[23382]: "left-right" #21: NAT-Traversal: Result
using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Mar 7 10:06:19 left pluto[23382]: "left-right" #21: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 7 10:06:19 left pluto[23382]: "left-right" #21: Peer ID is
ID_DER_ASN1_DN: 'C=xx, ST=xx, L=xx, O=xx, CN=xx, E=xx'
Mar 7 10:06:19 left pluto[23382]: "left-right" #21: end certificate with
identical subject and issuer not accepted
Mar 7 10:06:19 left pluto[23382]: "left-right" #21: X.509 certificate
rejected
Mar 7 10:06:19 left pluto[23382]: "left-right" #21: I am sending my cert
Mar 7 10:06:19 left pluto[23382]: "left-right" #21: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 7 10:06:19 left pluto[23382]: "left-right" #21: sent MR3, ISAKMP SA
established
Mar 7 10:06:19 left pluto[23382]: "left-right" #22: responding to Quick Mode
Mar 7 10:06:20 left pluto[23382]: "left-right" #22: transition from state
(null) to state STATE_QUICK_R1
Mar 7 10:06:20 left pluto[23382]: "left-right" #22: transition from state
STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 7 10:06:20 left pluto[23382]: "left-right" #22: IPsec SA established
{ESP=>0x0xxxxxx <0x0xxxxxx}
I get the error message "X.509 certificate rejected" because the subject and
issuer are the same as the cacert, but the connection continues and a tunnel
is created. Shouldn't the connection be refused if the certificate is
rejected?
Toby
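An added example, not part of the original post: a log check that flags the sequence shown in the excerpt above, where a state logs "X.509 certificate rejected" and the same connection then reports "ISAKMP SA established" and an IPsec SA. The sample lines are constructed from the post's excerpt with the wrapped lines re-joined; the "other" connection and the function name are hypothetical.

```python
import re

# Constructed sample: lines from the post's excerpt (wrapping undone), plus a
# hypothetical "other" connection with no rejection as a control case.
SAMPLE_LOG = '''\
Mar 7 10:06:19 left pluto[23382]: "left-right" #21: responding to Main Mode
Mar 7 10:06:19 left pluto[23382]: "left-right" #21: X.509 certificate rejected
Mar 7 10:06:19 left pluto[23382]: "left-right" #21: sent MR3, ISAKMP SA established
Mar 7 10:06:20 left pluto[23382]: "left-right" #22: IPsec SA established {ESP=>0x0xxxxxx <0x0xxxxxx}
Mar 7 10:07:01 left pluto[23382]: "other" #23: sent MR3, ISAKMP SA established
Mar 7 10:07:02 left pluto[23382]: "other" #24: IPsec SA established {ESP=>0x0xxxxxx <0x0xxxxxx}
'''

# timestamp, host, pluto[pid], "connection name", #state number, message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+pluto\[(?P<pid>\d+)\]:\s+'
    r'"(?P<conn>[^"]+)"[^#]*#(?P<state>\d+):\s(?P<msg>.*)$')

def find_sa_after_rejection(log_text):
    """Return (timestamp, connection, state, kind) for every SA that was
    established after a certificate rejection on the same connection."""
    rejected = {}    # (pid, conn) -> state number that logged the rejection
    flagged = set()  # (pid, conn) whose ISAKMP SA came up despite a rejection
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, state, msg = (m['pid'], m['conn']), m['state'], m['msg']
        if 'X.509 certificate rejected' in msg:
            rejected[key] = state
        elif 'ISAKMP SA established' in msg:
            if rejected.get(key) == state:
                flagged.add(key)
                findings.append((m['ts'], m['conn'], state, 'ISAKMP SA'))
            else:
                flagged.discard(key)  # a later, clean Main Mode resets the flag
        elif 'IPsec SA established' in msg and key in flagged:
            # Quick Mode runs under a new state number, so match on connection.
            findings.append((m['ts'], m['conn'], state, 'IPsec SA'))
    return findings

if __name__ == '__main__':
    for ts, conn, state, kind in find_sa_after_rejection(SAMPLE_LOG):
        print(f'{ts} "{conn}" #{state}: {kind} established after certificate rejection')
```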