[Openswan Users] STATE_MAIN_I3: INVALID_ID_INFORMATION using X.509 certificates
Manuel Urueña
muruenya at it.uc3m.es
Fri May 25 09:15:53 EDT 2007
Hello,
I'm having a quite weird error message from openswan when trying to set up a tunnel with X.509 certificates' authentication:
openswan:/etc# ipsec auto --up teldat
104 "teldat" #1: STATE_MAIN_I1: initiate
106 "teldat" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "teldat" #1: ignoring unknown Vendor ID payload [6768911ab607368a5654656c646174]
003 "teldat" #1: received Vendor ID payload [Cisco-Unity]
003 "teldat" #1: received Vendor ID payload [XAUTH]
003 "teldat" #1: received Vendor ID payload [Dead Peer Detection]
108 "teldat" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "teldat" #1: we require peer to have ID 'C=ES, ST=Madrid, L=Leganes, O=UC3M, OU=IPSec, CN=atlas150.ipsec.uc3m.es', but peer declares 'C=ES, ST=Madrid, L=Leganes, O=UC3M, OU=IPSec, CN=atlas150.ipsec.uc3m.es'
218 "teldat" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
I've checked and it does not seem to be a typo, as the openswan box pre-loads the cert from the other side:
openswan:/etc# ipsec auto --listall
000
000 List of Public Keys:
000
000 May 25 13:44:32 2007, 1024 RSA Key AwEAAZPWL, until May 21 11:50:55 2008 ok
000 ID_DER_ASN1_DN 'C=ES, ST=Madrid, L=Leganes, O=UC3M, OU=IPSec, CN=atlas150.ipsec.uc3m.es'
000 Issuer 'C=ES, ST=Madrid, O=Universidad Carlos III de Madrid, OU=IPSec, CN=CA, E=ca at ipsec.uc3m.es'
000 May 25 13:44:07 2007, 1024 RSA Key AwEAAdSNW, until Jan 02 12:52:35 2008 ok
000 ID_DER_ASN1_DN 'C=ES, ST=Madrid, L=Leganes, O=Universidad Carlos III de Madrid, OU=IPSec, CN=openswan.ipsec.uc3m.es, E=root at openswan.ipsec.uc3m.es'
000 Issuer 'C=ES, ST=Madrid, O=Universidad Carlos III de Madrid, OU=IPSec, CN=CA, E=ca at ipsec.uc3m.es'
000
000 List of X.509 End Certificates:
000
000 May 25 13:44:07 2007, count: 1
000 subject: 'C=ES, ST=Madrid, L=Leganes, O=Universidad Carlos III de Madrid, OU=IPSec, CN=openswan.ipsec.uc3m.es, E=root at openswan.ipsec.uc3m.es'
000 issuer: 'C=ES, ST=Madrid, O=Universidad Carlos III de Madrid, OU=IPSec, CN=CA, E=ca at ipsec.uc3m.es'
000 serial: 01
000 pubkey: 1024 RSA Key AwEAAdSNW, has private key
000 validity: not before Jan 02 12:52:35 2007 ok
000 not after Jan 02 12:52:35 2008 ok
000 subjkey: 58:fb:c2:02:c6:44:e9:94:88:01:92:d2:3c:bc:16:ae:de:8e:a7:95
000 authkey: 7e:2e:9d:7e:79:46:86:3a:df:42:d9:8c:13:bc:8e:46:97:e9:e1:9f
000 May 25 13:44:07 2007, count: 1
000 subject: 'C=ES, ST=Madrid, L=Leganes, O=UC3M, OU=IPSec, CN=atlas150.ipsec.uc3m.es'
000 issuer: 'C=ES, ST=Madrid, O=Universidad Carlos III de Madrid, OU=IPSec, CN=CA, E=ca at ipsec.uc3m.es'
000 serial: 0e
000 pubkey: 1024 RSA Key AwEAAZPWL
000 validity: not before May 22 11:50:55 2007 ok
000 not after May 21 11:50:55 2008 ok
000 subjkey: 0f:1b:74:d6:1e:18:be:e0:5c:cb:7c:46:e2:6a:e8:df:04:ed:89:16
000 authkey: 7e:2e:9d:7e:79:46:86:3a:df:42:d9:8c:13:bc:8e:46:97:e9:e1:9f
000
000 List of X.509 CA Certificates:
000
000 May 25 13:44:06 2007, count: 1
000 subject: 'C=ES, ST=Madrid, O=Universidad Carlos III de Madrid, OU=IPSec, CN=CA, E=ca at ipsec.uc3m.es'
000 issuer: 'C=ES, ST=Madrid, O=Universidad Carlos III de Madrid, OU=IPSec, CN=CA, E=ca at ipsec.uc3m.es'
000 serial: 00
000 pubkey: 1024 RSA Key AwEAAdHC6
000 validity: not before Jan 02 12:48:08 2007 ok
000 not after Jan 01 12:48:08 2010 ok
000 subjkey: 7e:2e:9d:7e:79:46:86:3a:df:42:d9:8c:13:bc:8e:46:97:e9:e1:9f
000 authkey: 7e:2e:9d:7e:79:46:86:3a:df:42:d9:8c:13:bc:8e:46:97:e9:e1:9f
000 aserial: 00
openswan:/etc# ipsec auto --status
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.0.0.2
000 interface eth0:0/eth0:0 192.168.0.2
000 interface eth1/eth1 163.117.149.230
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,1,64} trans={0,1,672} attrs={0,1,224}
000
000 "teldat": 10.0.0.2/32===10.0.0.2[C=ES, ST=Madrid, L=Leganes, O=Universidad Carlos III de Madrid, OU=IPSec, CN=openswan.ipsec.uc3m.es, E=root at openswan.ipsec.uc3m.es]...10.0.0.1[C=ES, ST=Madrid, L=Leganes, O=UC3M, OU=IPSec, CN=atlas150.ipsec.uc3m.es]===10.0.0.1/32; unrouted; eroute owner: #0
000 "teldat": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "teldat": CAs: 'C=ES, ST=Madrid, O=Universidad Carlos III de Madrid, OU=IPSec, CN=CA, E=ca at ipsec.uc3m.es'...'C=ES, ST=Madrid, O=Universidad Carlos III de Madrid, OU=IPSec, CN=CA, E=ca at ipsec.uc3m.es'
000 "teldat": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "teldat": policy: RSASIG+ENCRYPT+TUNNEL; prio: 32,32; interface: eth0; encap: esp;
000 "teldat": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "teldat": IKE algorithms wanted: IDEA(5)_000-MD5(1)-2, flags=strict
000 "teldat": IKE algorithms found: IDEA(5)_192-MD5(1)_128-2,
000 "teldat": ESP algorithms wanted: AES(12)_128-SHA1(2), flags=strict
000 "teldat": ESP algorithms loaded: AES(12)_128-SHA1(2), flags=strict
000
000
Some other info that may be useful is attached:
- ipsec.conf
- auth.log (excerpt)
Any thoughs why this error is happening?
Many thanks,
--Manuel
--
Manuel Uruen~a - Universidad Carlos III de Madrid
GPG FP: C20B 7F07 09E3 FB95 7AD9 D03A DA93 AA09 4EE2 675B
-------------- next part --------------
A non-text attachment was scrubbed...
Name: auth.log
Type: text/x-log
Size: 181098 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20070525/932638f5/attachment-0002.bin
-------------- next part --------------
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# plutodebug / klipsdebug = "all", "none" or a combation from below:
# "raw crypt parsing emitting control klips pfkey natt x509 private"
# eg:
# plutodebug="control parsing"
#
# Only enable klipsdebug=all if you are a developer
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
nat_traversal=no
# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
plutodebug=all
#klipsdebug=all
interfaces="ipsec0=eth0"
conn teldat
# Left security gateway, subnet behind it, nexthop toward right.
left=10.0.0.1
leftsubnet=10.0.0.1/32
leftnexthop=%direct
leftca=%same
#leftca=cacert.pem
leftcert=atlas150.ipsec.uc3m.es.pem
leftrsasigkey=%cert
#leftid=10.0.0.1
#leftid=@atlas150.ipsec.uc3m.es
#leftid="C=ES, ST=Madrid, L=Leganes, O=UC3M, OU=IPSec, CN=atlas150.ipsec.uc3m.es"
# Right security gateway, subnet behind it, nexthop toward left.
right=10.0.0.2
rightsubnet=10.0.0.2/32
rightnexthop=%direct
#rightca=cacert.pem
rightcert=openswan.ipsec.uc3m.es.pem
rightrsasigkey=%cert
#rightid=10.0.0.2
#rightid=@openswan.ipsec.uc3m.es
#rightid="C=ES, ST=Madrid, L=Leganes, O=Universidad Carlos III de Madrid, OU=IPSec, CN=openswan.ipsec.uc3m.es"
# To authorize this connection, but not actually start it,
# at startup, uncomment this.
#auto=start
auto=add
keyexchange=ike
ike=3des-md5-modp1024
keylife=3600s
auth=esp
authby=rsasig
#authby=secret
esp=aes128-sha1
aggrmode=no
pfs=no
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20070525/932638f5/attachment-0003.bin
More information about the Users
mailing list