[Openswan Users] Connection failed with x509 v1 CA certificate

Juan Pablo jp.espino at gmail.com
Wed Mar 14 20:33:48 EDT 2007


Hi,

I have a situation with a connection using x509 authentication. I have
an external CA and its certificate (x509 v1) already imported and
everything configured. When I start the connection I get the following
error:

2007:03:14-04:45:32 (none) pluto[4329]: "D_test002_0"[1] 192.168.117.12 #2: issuer cacert not found
2007:03:14-04:45:32 (none) pluto[4329]: "D_test002_0"[1] 192.168.117.12 #2: X.509 certificate rejected
2007:03:14-04:45:32 (none) pluto[4329]: "D_test002_0"[1] 192.168.117.12 #2: no RSA public key known for 'test002@sclave.com'

I have tested the same connection with another CA (x509 v3
certificate) and it works perfectly. So I guess the problem is related
to the x509 version. I would like to know if there is a possibility to
enable compatibility with x509 v1 or some workarounds. I am using
Openswan 2.4.6 with KLIPS. Thanks in advance.

The complete log:

2007:03:14-04:45:30 (none) pluto[4329]: "D_test002_0"[1] 192.168.117.12 #2: responding to Main Mode from unknown peer 192.168.117.12
2007:03:14-04:45:30 (none) pluto[4329]: "D_test002_0"[1] 192.168.117.12 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
2007:03:14-04:45:30 (none) pluto[4329]: "D_test002_0"[1] 192.168.117.12 #2: STATE_MAIN_R1: sent MR1, expecting MI2
2007:03:14-04:45:31 (none) pluto[4329]: "D_test002_0"[1] 192.168.117.12 #2: ignoring unknown Vendor ID payload [47bbe7c993f1fc13b4e6d0db565c68e501020101020101030f312e352e342028...]
2007:03:14-04:45:31 (none) pluto[4329]: "D_test002_0"[1] 192.168.117.12 #2: ignoring unknown Vendor ID payload [da8e937880010000]
2007:03:14-04:45:31 (none) pluto[4329]: "D_test002_0"[1] 192.168.117.12 #2: received Vendor ID payload [Dead Peer Detection]
2007:03:14-04:45:31 (none) pluto[4329]: "D_test002_0"[1] 192.168.117.12 #2: received Vendor ID payload [XAUTH]
2007:03:14-04:45:31 (none) pluto[4329]: "D_test002_0"[1] 192.168.117.12 #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
2007:03:14-04:45:31 (none) pluto[4329]: "D_test002_0"[1] 192.168.117.12 #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
2007:03:14-04:45:31 (none) pluto[4329]: "D_test002_0"[1] 192.168.117.12 #2: STATE_MAIN_R2: sent MR2, expecting MI3
2007:03:14-04:45:32 (none) pluto[4329]: "D_test002_0"[1] 192.168.117.12 #2: ignoring informational payload, type IPSEC_REPLAY_STATUS
2007:03:14-04:45:32 (none) pluto[4329]: "D_test002_0"[1] 192.168.117.12 #2: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2007:03:14-04:45:32 (none) pluto[4329]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
2007:03:14-04:45:32 (none) pluto[4329]: "D_test002_0"[1] 192.168.117.12 #2: Main mode peer ID is ID_USER_FQDN: 'test002@sclave.com'
2007:03:14-04:45:32 (none) pluto[4329]: "D_test002_0"[1] 192.168.117.12 #2: no crl from issuer "E=acsub@ctc.com, C=PA, O=CTC, OU=TEST, OU=VPN IPsec, CN=AC SUB" found (strict=no)
2007:03:14-04:45:32 (none) pluto[4329]: "D_test002_0"[1] 192.168.117.12 #2: issuer cacert not found
2007:03:14-04:45:32 (none) pluto[4329]: "D_test002_0"[1] 192.168.117.12 #2: X.509 certificate rejected
2007:03:14-04:45:32 (none) pluto[4329]: "D_test002_0"[1] 192.168.117.12 #2: no RSA public key known for 'test002@sclave.com'
2007:03:14-04:45:32 (none) pluto[4329]: "D_test002_0"[1] 192.168.117.12 #2: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.117.12:500
-- 
Juan Pablo


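The rejected certificate's issuer is shown in the log as AC SUB (E=acsub@ctc.com, C=PA, O=CTC, OU=TEST, OU=VPN IPsec, CN=AC SUB), and "issuer cacert not found" is what pluto logs when none of the CA certificates it loaded matches that issuer. As I read get_authcert() in pluto's x509.c, a CA certificate matches when its subject DN equals the peer certificate's issuer DN and, if the peer certificate carries an authorityKeyIdentifier key ID, its subjectKeyIdentifier equals that key ID. An X.509 v1 certificate has no extensions and therefore no subjectKeyIdentifier, which is one concrete way a v1 CA can fail that lookup against a v3 peer certificate; the other common cause is that the certificate installed under /etc/ipsec.d/cacerts is the root above AC SUB rather than AC SUB itself, the issuer pluto is actually looking for. The script below is an added example, not code from the post or from Openswan, and needs only the openssl command line tool: it builds a throwaway PKI (the DNs, keys, file names and the test002@sclave.com address are all constructed for the demonstration, modelled on the log) and runs the same lookup, including the re-keyed-CA case where the DN matches but the key identifier does not.

```shell
#!/bin/sh
# Added example, not code from the post or from Openswan: reproduce pluto's CA
# lookup with openssl on a throwaway PKI. Every name, DN, key and file is constructed.
set -eu

# dn_of CERT subject|issuer: that DN in RFC 2253 form, e.g. "CN=AC SUB,O=CTC,C=PA".
dn_of() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"
}

# keyid_of CERT Subject|Authority: hex key identifier from the SKID or AKID
# extension, empty if absent (an X.509 v1 certificate carries no extensions).
keyid_of() {
    openssl x509 -in "$1" -noout -text | awk -v ext="X509v3 $2 Key Identifier" \
        'found { sub(/^ */, ""); sub(/^keyid:/, ""); print; exit } index($0, ext) { found = 1 }'
}

# x509_version CERT: the version number openssl reports (1 or 3).
x509_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]*\).*/\1/p'
}

# find_issuer CERT CACERTS_DIR: print the CA file satisfying pluto's lookup for
# CERT's issuer and return 0, else return 1. The CA subject DN must equal CERT's
# issuer DN; if CERT carries an AKID key ID, the CA's SKID must equal it, so a
# CA certificate without an SKID (every v1 certificate) never matches such a CERT.
find_issuer() {
    issuer=$(dn_of "$1" issuer)
    akid=$(keyid_of "$1" Authority)
    for ca in "$2"/*.pem; do
        [ -f "$ca" ] && [ "$(dn_of "$ca" subject)" = "$issuer" ] || continue
        skid=$(keyid_of "$ca" Subject)
        if [ -n "$akid" ] && [ "$skid" != "$akid" ]; then
            echo "$ca: subject DN matches but SKID '${skid:-missing}' != peer AKID '$akid'" >&2
            continue
        fi
        echo "$ca"
        return 0
    done
    echo "issuer cacert not found for '$issuer'" >&2
    return 1
}

# chain_verifies CERT CACERTS_DIR: 0 if openssl builds a chain for CERT from the
# certificates in CACERTS_DIR, all treated as trust anchors, else 1.
chain_verifies() {
    bundle=$(mktemp)
    cat "$2"/*.pem > "$bundle"
    if openssl verify -CAfile "$bundle" "$1" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$bundle"
    return $rc
}

# sign_cert DIR NAME ISSUER SECTION SUBJECT: CSR for DIR/NAME.key signed by DIR/ISSUER.
sign_cert() {
    openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -subj "$5" -config "$1/x509.cnf"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" -CAcreateserial \
        -out "$1/$2.pem" -days 30 -extfile "$1/x509.cnf" -extensions "$4" 2>/dev/null
}

# build_pki DIR: root "AC ROOT" -> intermediate "AC SUB" -> peer cert for
# test002@sclave.com, DNs modelled on the log. Only the root is copied into
# DIR/cacerts (the log's situation); root2 is a re-keyed root with the same DN.
build_pki() {
    mkdir -p "$1/cacerts"
    cat > "$1/x509.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_peer ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = email:test002@sclave.com
EOF
    for k in root root2 sub peer; do openssl genrsa -out "$1/$k.key" 2048 2>/dev/null; done
    for r in root root2; do
        openssl req -new -x509 -key "$1/$r.key" -out "$1/$r.pem" -days 30 \
            -subj "/C=PA/O=CTC/CN=AC ROOT" -config "$1/x509.cnf" -extensions v3_ca
    done
    sign_cert "$1" sub root v3_ca "/C=PA/O=CTC/OU=TEST/OU=VPN IPsec/CN=AC SUB"
    sign_cert "$1" peer sub v3_peer "/C=PA/O=CTC/CN=test002"
    cp "$1/root.pem" "$1/cacerts/root.pem"
}

# Walk-through of the three situations when run directly.
work=$(mktemp -d)
build_pki "$work"
echo "peer cert: X.509 v$(x509_version "$work/peer.pem"), issuer $(dn_of "$work/peer.pem" issuer)"
echo "-- only AC ROOT in cacerts (the log's situation)"
find_issuer "$work/peer.pem" "$work/cacerts" || true
echo "-- AC SUB installed in cacerts"
cp "$work/sub.pem" "$work/cacerts/acsub.pem"
find_issuer "$work/peer.pem" "$work/cacerts" && chain_verifies "$work/peer.pem" "$work/cacerts" && echo "chain verifies"
echo "-- AC ROOT replaced by a re-keyed certificate with the same DN"
cp "$work/root2.pem" "$work/cacerts/root.pem"
find_issuer "$work/sub.pem" "$work/cacerts" || true
rm -rf "$work"
```

To apply this to a real setup, drop the walk-through at the bottom and call find_issuer with the peer's certificate and the cacerts directory (/etc/ipsec.d/cacerts is Openswan's default; where this poster imported the external CA is not stated). A CA file for which keyid_of ... Subject prints nothing while keyid_of ... Authority on the peer certificate prints a value cannot satisfy the lookup whatever its subject DN says, and the DN printed by dn_of ... issuer is the exact subject the installed CA certificate has to carry.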