[Openswan Users] problems with INVALID_KEY_INFORMATION on Debian

Peter McGill petermcgill at goco.net
Wed May 23 10:29:58 EDT 2007


> -----Original Message-----
> Date: Wed, 23 May 2007 09:17:46 +0100 (BST)
> From: "Jim Blake" <jim at blakes.homeip.net>
> Subject: [Openswan Users] problems with INVALID_KEY_INFORMATION on
> 	Debian
> To: users at openswan.org
> 
> Let me set the scene: I'm Linux experienced, but an OpenSWAN Newbie:
> 
> I have two Debian Etch systems back to back across an Ethernet switch.
> No basic networking problems. No Firewalls. No NAT. I installed OpenSWAN
> on both systems using Synaptic, and took the default answers to the
> questions it asked. I then tried to configure /etc/ipsec.conf, but when
> finding the "left" and "right" keys, I got:
> 
> input: ipsec showhostkey --left
> output: ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> 
> So I googled about (a lot), and found that someone advised:
> 
> input: ipsec newhostkey --output /root/tmpkey
> input: cat /root/tmpkey >> /etc/ipsec.secrets
> input: rm /root/tmpkey

Did you do this once for each of the two machines?

> so I did that that, and now have left and right keys, so I put them in
> ipsec.conf...Great! Now when I start up ipsec and try to initiate the
> tunnel, I see the following:
> 
> swan# ipsec auto --up left-to-right
> 104 "left-to-right" #35: STATE_MAIN_I1: initiate
> 003 "left-to-right" #35: received Vendor ID payload [Openswan (this
> version) 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
> 003 "left-to-right" #35: received Vendor ID payload [Dead Peer Detection]
> 106 "left-to-right" #35: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "left-to-right" #35: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "left-to-right" #35: ignoring informational payload, type INVALID_KEY_INFORMATION
> 003 "left-to-right" #35: received and ignored informational message
> 010 "left-to-right" #35: STATE_MAIN_I3: retransmission; will wait 20s for response
> 003 "left-to-right" #35: ignoring informational payload, type INVALID_KEY_INFORMATION
> 003 "left-to-right" #35: received and ignored informational message
> 010 "left-to-right" #35: STATE_MAIN_I3: retransmission; will wait 40s for response
> 003 "left-to-right" #35: ignoring informational payload, type INVALID_KEY_INFORMATION
> 003 "left-to-right" #35: received and ignored informational message
> 031 "left-to-right" #35: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
> 000 "left-to-right" #35: starting keying attempt 2 of an unlimited number, but releasing whack
> 
> Now I've googled this lot, and got nowhere, but I saw Paul's email
> recently where he said:
> 
> "ipsec showhostkey shows the public key of a raw RSA key, not the public
> key within an X.509 certificate."
> 
> This looks like it could be where I'm going wrong, but I'm not sure how to
> fix it.... Any suggestions?

This isn't your problem. Openswan just uses plain RSA keys by default, no
certs; there is nothing wrong with plain RSA keys.
Whack is just part of the ipsec process.

Your two confs, should be nearly the same, something like this...
(But using your own keys, ips and subnets, etc...)

Host A:
/etc/ipsec.conf
conn stmarys-office-net-to-london-office-net
        left=66...
        leftnexthop=%defaultroute
        leftid=@sheridan.london.goco.net
        # RSA 2192 bits   sheridan.london.goco.net
        leftrsasigkey=0sAQNd...
        leftsubnet=172.21.3.0/24
        leftsourceip=172.21.3.101
        right=69...
        rightnexthop=%defaultroute
        rightid=@delenn.stmarys.goco.net
        # RSA 2192 bits   delenn.stmarys.goco.net
        rightrsasigkey=0sAQNs...
        rightsubnet=172.21.1.0/24
        rightsourceip=172.21.1.49
        auto=start
/etc/ipsec.secrets
        : RSA   {
        # RSA 2192 bits   sheridan.london.goco.net
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=0sAQNd...
        ...
        }
# do not change the indenting of that "}"

Host B:
/etc/ipsec.conf
conn stmarys-office-net-to-london-office-net
        left=69...
        leftnexthop=%defaultroute
        leftid=@delenn.stmarys.goco.net
        # RSA 2192 bits   delenn.stmarys.goco.net
        leftrsasigkey=0sAQNs...
        leftsubnet=172.21.1.0/24
        leftsourceip=172.21.1.49
        right=66...
        rightnexthop=%defaultroute
        rightid=@sheridan.london.goco.net
        # RSA 2192 bits   sheridan.london.goco.net
        rightrsasigkey=0sAQNd...
        rightsubnet=172.21.3.0/24
        rightsourceip=172.21.3.101
        auto=start
/etc/ipsec.secrets
        : RSA   {
        # RSA 2192 bits   delenn.stmarys.goco.net
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=0sAQNs...
        ...
        }
# do not change the indenting of that "}"

Make sure the keys copied into your confs are each one big line (they will
wrap a few times on an 80-column terminal), and that all conn lines are
indented with a tab.

A good place to start is the doc/config.html file in the distribution.

If you still can't get connected send us your conf files and new logs.
Try looking in both logs, in case one gives a more detailed error.

Peter
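The checks Peter lists above (keys on one line, `leftrsasigkey=`/`rightrsasigkey=` spelled correctly, each host's left side mirroring the other host's right side, and a separate `ipsec newhostkey` run on each machine) can be scripted before restarting the tunnel. The following is an added example written for this page, not code from Peter's message or from Openswan: a small linter that parses two ipsec.conf files and reports the mismatches that typically end in INVALID_KEY_INFORMATION. The conn name, hostnames, addresses and the `0sAQN...` key strings are constructed sample data, and `check_pair` and `cross_check` are hypothetical helper names.

```python
"""Lint a pair of Openswan ipsec.conf files for the mistakes that commonly
surface as INVALID_KEY_INFORMATION: a mistyped *rsasigkey= parameter, a
public key pasted wrapped across lines, and left/right entries that do not
mirror each other on the two hosts. Hypothetical helper, not an Openswan tool."""

KNOWN_KEYS = {
    "left", "leftnexthop", "leftid", "leftrsasigkey", "leftsubnet", "leftsourceip",
    "right", "rightnexthop", "rightid", "rightrsasigkey", "rightsubnet",
    "rightsourceip", "auto", "authby", "type", "pfs", "keyexchange", "ike", "esp",
}

# host A's left* must equal host B's right* and vice versa
MIRROR = {"left": "right", "leftid": "rightid", "leftrsasigkey": "rightrsasigkey",
          "leftsubnet": "rightsubnet", "leftsourceip": "rightsourceip"}


def parse_ipsec_conf(text):
    """Return ({"conn NAME": {param: value}}, [warnings]).

    Section headers ("conn NAME", "config setup") start in column 0; their
    parameters are tab-indented key=value lines. Anything else is reported."""
    sections, warnings, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line[0].isspace():
            parts = stripped.split(None, 1)
            if len(parts) == 2 and parts[0] in ("conn", "config"):
                current = f"{parts[0]} {parts[1]}"
                sections[current] = {}
            elif parts[0] != "version":  # "version 2.0" is legitimate at top level
                warnings.append(f"line {lineno}: unexpected top-level text "
                                f"{stripped[:24]!r}; a wrapped key or a missing tab?")
            continue
        if current is None:
            warnings.append(f"line {lineno}: parameter before any conn/config section")
            continue
        if not line.startswith("\t"):
            warnings.append(f"line {lineno}: indented with spaces, not a tab")
        if "=" not in stripped:
            warnings.append(f"line {lineno}: no '=' in {stripped[:24]!r}; "
                            "looks like the tail of a wrapped key")
            continue
        key, value = (s.strip() for s in stripped.split("=", 1))
        if key not in KNOWN_KEYS:
            hint = ""
            if key.endswith("sasigkey"):  # the classic 'rsasigkey' typo
                hint = f" (did you mean {key.replace('sasigkey', 'rsasigkey')}=?)"
            warnings.append(f"line {lineno}: unknown parameter {key}={hint}")
        elif key.endswith("rsasigkey") and not value.startswith("0s"):
            warnings.append(f"line {lineno}: {key} is not the 0s... blob "
                            "printed by 'ipsec showhostkey'")
        sections[current][key] = value
    return sections, warnings


def cross_check(sections_a, sections_b, conn):
    """Compare one conn on two hosts: A's left side must be B's right side."""
    a = sections_a.get(f"conn {conn}")
    b = sections_b.get(f"conn {conn}")
    if a is None or b is None:
        return [f"conn {conn} is missing on one host"]
    problems = []
    for host, params in (("A", a), ("B", b)):
        # one key on both sides means 'ipsec newhostkey' was not run per machine
        if params.get("leftrsasigkey") and \
                params.get("leftrsasigkey") == params.get("rightrsasigkey"):
            problems.append(f"host {host}: both sides of conn {conn} use the same key; "
                            "run 'ipsec newhostkey' once per machine")
    for lkey, rkey in MIRROR.items():
        if a.get(lkey) != b.get(rkey):
            problems.append(f"A {lkey}={a.get(lkey)} but B {rkey}={b.get(rkey)}")
        if a.get(rkey) != b.get(lkey):
            problems.append(f"A {rkey}={a.get(rkey)} but B {lkey}={b.get(lkey)}")
    return problems


def check_pair(text_a, text_b, conn):
    """Parse both files and return every warning and mismatch found."""
    sections_a, warnings_a = parse_ipsec_conf(text_a)
    sections_b, warnings_b = parse_ipsec_conf(text_b)
    return ([f"host A: {w}" for w in warnings_a] + [f"host B: {w}" for w in warnings_b]
            + cross_check(sections_a, sections_b, conn))


# Constructed sample data: placeholder keys, not real 'ipsec showhostkey' output.
KEY_A = "0sAQNaaaaHOSTAKEY" + "a" * 24
KEY_B = "0sAQNbbbbHOSTBKEY" + "b" * 24

HOST_A_CONF = f"""\
conn office-to-office
\tleft=192.0.2.1
\tleftnexthop=%defaultroute
\tleftid=@hosta.example.net
\tleftrsasigkey={KEY_A}
\tleftsubnet=172.21.3.0/24
\tright=198.51.100.1
\trightnexthop=%defaultroute
\trightid=@hostb.example.net
\trightrsasigkey={KEY_B}
\trightsubnet=172.21.1.0/24
\tauto=start
"""

# Host B as a newbie might paste it: 'rsasigkey' misspelt, and A's key wrapped.
HOST_B_CONF = f"""\
conn office-to-office
\tleft=198.51.100.1
\tleftnexthop=%defaultroute
\tleftid=@hostb.example.net
\tleftsasigkey={KEY_B}
\tleftsubnet=172.21.1.0/24
\tright=192.0.2.1
\trightnexthop=%defaultroute
\trightid=@hosta.example.net
\trightrsasigkey={KEY_A[:16]}
{KEY_A[16:]}
\trightsubnet=172.21.3.0/24
\tauto=start
"""

if __name__ == "__main__":
    for problem in check_pair(HOST_A_CONF, HOST_B_CONF, "office-to-office"):
        print(problem)
```

Run it against the two real files with `check_pair(open("/etc/ipsec.conf").read(), ...)` after copying the peer's conf over; an empty list is what you want before `ipsec auto --up`. The cross-check only proves the two confs agree with each other, not that the key in the conf is the one in the peer's `/etc/ipsec.secrets`, so still compare each `rightrsasigkey=` against `ipsec showhostkey --right` run on that peer.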