[Openswan Users] problems with INVALID_KEY_INFORMATION on Debian

Jim Blake jim at blakes.homeip.net
Wed May 23 04:17:46 EDT 2007


Let me set the scene: I'm Linux experienced, but an OpenSWAN Newbie:

I have two Debian Etch systems back to back across an Ethernet switch. No
basic networking problems. No firewalls. No NAT. I installed OpenSWAN on
both systems using Synaptic, and took the default answers to the questions
it asked. I then tried to configure /etc/ipsec.conf, but when finding the
"left" and "right" keys, I got:

input: ipsec showhostkey --left
output: ipsec showhostkey: no default key in "/etc/ipsec.secrets"

So I googled about (a lot), and found that someone advised:

input: ipsec newhostkey --output /root/tmpkey
input: cat /root/tmpkey >> /etc/ipsec.secrets
input: rm /root/tmpkey

so I did that, and now have left and right keys, so I put them in
ipsec.conf... Great! Now when I start up ipsec and try to initiate the
tunnel, I see the following:

swan# ipsec auto --up left-to-right
104 "left-to-right" #35: STATE_MAIN_I1: initiate
003 "left-to-right" #35: received Vendor ID payload [Openswan (this
version) 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "left-to-right" #35: received Vendor ID payload [Dead Peer Detection]
106 "left-to-right" #35: STATE_MAIN_I2: sent MI2, expecting MR2
108 "left-to-right" #35: STATE_MAIN_I3: sent MI3, expecting MR3
003 "left-to-right" #35: ignoring informational payload, type
INVALID_KEY_INFORMATION
003 "left-to-right" #35: received and ignored informational message
010 "left-to-right" #35: STATE_MAIN_I3: retransmission; will wait 20s for
response
003 "left-to-right" #35: ignoring informational payload, type
INVALID_KEY_INFORMATION
003 "left-to-right" #35: received and ignored informational message
010 "left-to-right" #35: STATE_MAIN_I3: retransmission; will wait 40s for
response
003 "left-to-right" #35: ignoring informational payload, type
INVALID_KEY_INFORMATION
003 "left-to-right" #35: received and ignored informational message
031 "left-to-right" #35: max number of retransmissions (2) reached
STATE_MAIN_I3. Possible authentication failure: no acceptable response to
our first encrypted message
000 "left-to-right" #35: starting keying attempt 2 of an unlimited number,
but releasing whack

Now I've googled this lot, and got nowhere, but I saw Paul's email
recently where he said:

"ipsec showhostkey shows the public key of a raw RSA key, not the public
key within an X.509 certificate."

This looks like it could be where I'm going wrong, but I'm not sure how to
fix it... Any suggestions?


Also, what is this "releasing whack"???? what does that mean????


Any/All help gratefully accepted!

Regards
Jim Blake
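A consistency check for the raw-RSA setup described in the post, added here as an example and not part of the original message: it parses a conn stanza the way Openswan's ipsec.conf lays one out, pulls the key out of `ipsec showhostkey` output, and flags a leftrsasigkey/rightrsasigkey that does not match the host it is supposed to belong to, one reason a responder cannot verify the initiator's signature at MAIN_I3. The conn text, key values and showhostkey output below are constructed sample data, and the helper names are my own.

```python
import base64
import re

def parse_conn(conf_text, name):
    """Return the key=value settings of one 'conn NAME' section of an ipsec.conf."""
    settings, inside = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop trailing comments
        if line.strip() and not line[0].isspace():  # unindented line opens a new section
            inside = line.split() == ["conn", name]
        elif inside and "=" in line:
            key, _, value = line.strip().partition("=")
            settings[key.strip()] = value.strip()
    return settings

def hostkey_from_showhostkey(output, side):
    """Extract the key from 'ipsec showhostkey --left' (or --right) output."""
    m = re.search(rf"^\s*{side}rsasigkey=(\S+)", output, re.M)
    return m.group(1) if m else None

def check_rsasig_keys(conn, left_hostkey, right_hostkey):
    """List mismatches that would make a peer reject our RSA signature in Main Mode."""
    problems = []
    if conn.get("authby", "rsasig") != "rsasig":   # Openswan defaults authby to rsasig
        problems.append(f"authby={conn['authby']} is not rsasig")
    for name, hostkey in (("leftrsasigkey", left_hostkey), ("rightrsasigkey", right_hostkey)):
        value = conn.get(name)
        if value is None:
            problems.append(f"{name} missing from conn")
            continue
        try:                                        # keys are '0s' + base64 (RFC 3110 form)
            if not value.startswith("0s"):
                raise ValueError
            base64.b64decode(value[2:], validate=True)
        except ValueError:                          # binascii.Error is a ValueError
            problems.append(f"{name} is not a 0s-prefixed base64 key")
        if value != hostkey:
            problems.append(f"{name} differs from that host's 'ipsec showhostkey' output")
    return problems

# Constructed sample data, not real Openswan output: one key per host, as each
# host's 'ipsec showhostkey' would print it, and a conn copied to both hosts.
KEY_A = "0s" + base64.b64encode(b"\x01\x03constructed-key-host-A").decode()
KEY_B = "0s" + base64.b64encode(b"\x01\x03constructed-key-host-B").decode()
SHOWHOSTKEY_A = f"\t# RSA 2192 bits   swan   Wed May 23 2007\n\tleftrsasigkey={KEY_A}\n"
IPSEC_CONF = f"""conn left-to-right
\tleftrsasigkey={KEY_A}
\tright=192.0.2.2
\trightrsasigkey={KEY_A}   # pasted from host A instead of host B
"""
```

Run the check on each host with its own `ipsec showhostkey` output and the peer's; with the same conn on both boxes, both copies should come back clean before the tunnel is brought up.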