[Openswan Users] STATE_MAIN_I3: INVALID_ID_INFORMATION using X.509 certificates

Manuel Urueña muruenya at it.uc3m.es
Fri May 25 09:15:53 EDT 2007


Hello,

I'm having a quite weird error message from openswan when trying to set up a tunnel with X.509 certificates' authentication:


openswan:/etc# ipsec auto --up teldat
104 "teldat" #1: STATE_MAIN_I1: initiate
106 "teldat" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "teldat" #1: ignoring unknown Vendor ID payload [6768911ab607368a5654656c646174]
003 "teldat" #1: received Vendor ID payload [Cisco-Unity]
003 "teldat" #1: received Vendor ID payload [XAUTH]
003 "teldat" #1: received Vendor ID payload [Dead Peer Detection]
108 "teldat" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "teldat" #1: we require peer to have ID 'C=ES, ST=Madrid, L=Leganes, O=UC3M, OU=IPSec, CN=atlas150.ipsec.uc3m.es', but peer declares 'C=ES, ST=Madrid, L=Leganes, O=UC3M, OU=IPSec, CN=atlas150.ipsec.uc3m.es'
218 "teldat" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION



I've checked and it does not seem to be a typo, as the openswan box pre-loads the cert from the other side:



openswan:/etc# ipsec auto --listall
000
000 List of Public Keys:
000
000 May 25 13:44:32 2007, 1024 RSA Key AwEAAZPWL, until May 21 11:50:55 2008 ok
000        ID_DER_ASN1_DN 'C=ES, ST=Madrid, L=Leganes, O=UC3M, OU=IPSec, CN=atlas150.ipsec.uc3m.es'
000        Issuer 'C=ES, ST=Madrid, O=Universidad Carlos III de Madrid, OU=IPSec, CN=CA, E=ca at ipsec.uc3m.es'
000 May 25 13:44:07 2007, 1024 RSA Key AwEAAdSNW, until Jan 02 12:52:35 2008 ok
000        ID_DER_ASN1_DN 'C=ES, ST=Madrid, L=Leganes, O=Universidad Carlos III de Madrid, OU=IPSec, CN=openswan.ipsec.uc3m.es, E=root at openswan.ipsec.uc3m.es'
000        Issuer 'C=ES, ST=Madrid, O=Universidad Carlos III de Madrid, OU=IPSec, CN=CA, E=ca at ipsec.uc3m.es'
000
000 List of X.509 End Certificates:
000
000 May 25 13:44:07 2007, count: 1
000        subject: 'C=ES, ST=Madrid, L=Leganes, O=Universidad Carlos III de Madrid, OU=IPSec, CN=openswan.ipsec.uc3m.es, E=root at openswan.ipsec.uc3m.es'
000        issuer:  'C=ES, ST=Madrid, O=Universidad Carlos III de Madrid, OU=IPSec, CN=CA, E=ca at ipsec.uc3m.es'
000        serial:   01
000        pubkey:   1024 RSA Key AwEAAdSNW, has private key
000        validity: not before Jan 02 12:52:35 2007 ok
000                  not after  Jan 02 12:52:35 2008 ok
000        subjkey:  58:fb:c2:02:c6:44:e9:94:88:01:92:d2:3c:bc:16:ae:de:8e:a7:95
000        authkey:  7e:2e:9d:7e:79:46:86:3a:df:42:d9:8c:13:bc:8e:46:97:e9:e1:9f
000 May 25 13:44:07 2007, count: 1
000        subject: 'C=ES, ST=Madrid, L=Leganes, O=UC3M, OU=IPSec, CN=atlas150.ipsec.uc3m.es'
000        issuer:  'C=ES, ST=Madrid, O=Universidad Carlos III de Madrid, OU=IPSec, CN=CA, E=ca at ipsec.uc3m.es'
000        serial:   0e
000        pubkey:   1024 RSA Key AwEAAZPWL
000        validity: not before May 22 11:50:55 2007 ok
000                  not after  May 21 11:50:55 2008 ok
000        subjkey:  0f:1b:74:d6:1e:18:be:e0:5c:cb:7c:46:e2:6a:e8:df:04:ed:89:16
000        authkey:  7e:2e:9d:7e:79:46:86:3a:df:42:d9:8c:13:bc:8e:46:97:e9:e1:9f
000
000 List of X.509 CA Certificates:
000
000 May 25 13:44:06 2007, count: 1
000        subject: 'C=ES, ST=Madrid, O=Universidad Carlos III de Madrid, OU=IPSec, CN=CA, E=ca at ipsec.uc3m.es'
000        issuer:  'C=ES, ST=Madrid, O=Universidad Carlos III de Madrid, OU=IPSec, CN=CA, E=ca at ipsec.uc3m.es'
000        serial:   00
000        pubkey:   1024 RSA Key AwEAAdHC6
000        validity: not before Jan 02 12:48:08 2007 ok
000                  not after  Jan 01 12:48:08 2010 ok
000        subjkey:  7e:2e:9d:7e:79:46:86:3a:df:42:d9:8c:13:bc:8e:46:97:e9:e1:9f
000        authkey:  7e:2e:9d:7e:79:46:86:3a:df:42:d9:8c:13:bc:8e:46:97:e9:e1:9f
000        aserial:  00


openswan:/etc# ipsec auto --status
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.0.0.2
000 interface eth0:0/eth0:0 192.168.0.2
000 interface eth1/eth1 163.117.149.230
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,1,64} trans={0,1,672} attrs={0,1,224}
000
000 "teldat": 10.0.0.2/32===10.0.0.2[C=ES, ST=Madrid, L=Leganes, O=Universidad Carlos III de Madrid, OU=IPSec, CN=openswan.ipsec.uc3m.es, E=root at openswan.ipsec.uc3m.es]...10.0.0.1[C=ES, ST=Madrid, L=Leganes, O=UC3M, OU=IPSec, CN=atlas150.ipsec.uc3m.es]===10.0.0.1/32; unrouted; eroute owner: #0
000 "teldat":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "teldat":   CAs: 'C=ES, ST=Madrid, O=Universidad Carlos III de Madrid, OU=IPSec, CN=CA, E=ca at ipsec.uc3m.es'...'C=ES, ST=Madrid, O=Universidad Carlos III de Madrid, OU=IPSec, CN=CA, E=ca at ipsec.uc3m.es'
000 "teldat":   ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "teldat":   policy: RSASIG+ENCRYPT+TUNNEL; prio: 32,32; interface: eth0; encap: esp;
000 "teldat":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "teldat":   IKE algorithms wanted: IDEA(5)_000-MD5(1)-2, flags=strict
000 "teldat":   IKE algorithms found:  IDEA(5)_192-MD5(1)_128-2,
000 "teldat":   ESP algorithms wanted: AES(12)_128-SHA1(2), flags=strict
000 "teldat":   ESP algorithms loaded: AES(12)_128-SHA1(2), flags=strict
000
000



Some other info that may be useful is attached:
- ipsec.conf
- auth.log (excerpt)

Any thoughs why this error is happening?

Many thanks,
--Manuel

-- 
Manuel Uruen~a - Universidad Carlos III de Madrid
GPG FP: C20B 7F07 09E3 FB95 7AD9  D03A DA93 AA09 4EE2 675B
-------------- next part --------------
A non-text attachment was scrubbed...
Name: auth.log
Type: text/x-log
Size: 181098 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20070525/932638f5/attachment-0002.bin 
-------------- next part --------------
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
#
# Manual:     ipsec.conf.5


version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	# plutodebug / klipsdebug = "all", "none" or a combation from below:
	# "raw crypt parsing emitting control klips pfkey natt x509 private"
	# eg:
	# plutodebug="control parsing"
	#
	# Only enable klipsdebug=all if you are a developer
	#
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	nat_traversal=no
	# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
        plutodebug=all
	#klipsdebug=all
        interfaces="ipsec0=eth0"

conn teldat
	# Left security gateway, subnet behind it, nexthop toward right.
	left=10.0.0.1
	leftsubnet=10.0.0.1/32
	leftnexthop=%direct
	leftca=%same
	#leftca=cacert.pem
	leftcert=atlas150.ipsec.uc3m.es.pem
	leftrsasigkey=%cert
	#leftid=10.0.0.1
	#leftid=@atlas150.ipsec.uc3m.es
	#leftid="C=ES, ST=Madrid, L=Leganes, O=UC3M, OU=IPSec, CN=atlas150.ipsec.uc3m.es"
	# Right security gateway, subnet behind it, nexthop toward left.
	right=10.0.0.2
	rightsubnet=10.0.0.2/32
	rightnexthop=%direct
	#rightca=cacert.pem
	rightcert=openswan.ipsec.uc3m.es.pem
	rightrsasigkey=%cert
	#rightid=10.0.0.2
	#rightid=@openswan.ipsec.uc3m.es
	#rightid="C=ES, ST=Madrid, L=Leganes, O=Universidad Carlos III de Madrid, OU=IPSec, CN=openswan.ipsec.uc3m.es"
	# To authorize this connection, but not actually start it, 
	# at startup, uncomment this.
	#auto=start
	auto=add
	keyexchange=ike
	ike=3des-md5-modp1024
	keylife=3600s
	auth=esp
	authby=rsasig
	#authby=secret
	esp=aes128-sha1
	aggrmode=no
	pfs=no

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20070525/932638f5/attachment-0003.bin 


More information about the Users mailing list