[Openswan Users] x509 setup problems

James james at nttmcl.com
Tue May 29 13:01:55 EDT 2007


Hi guys, I'm having problems with an X.509 configuration.
I keep getting the following messages when running
shell> ipsec auto --verbose -up roadwarrior
003 "roadwarrior" #1: received and ignored informational message
003 "roadwarrior" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "roadwarrior" #1: STATE_MAIN_I3: retransmission; will wait 20s for 
response
003 "roadwarrior" #1: ignoring informational payload, type 
INVALID_KEY_INFORMATION

I did the following to create certificates:
shell> /usr/lib/ssl/misc/CA.sh -newreq
The files generated were newreq.pem and newkey.pem.
shell> cat newkey.pem newreq.pem > newsomething.pem
shell> mv newsomething.pem newreq.pem
shell> /usr/lib/ssl/misc/CA.sh -sign
This resulted in newcert.pem.
shell> mv newreq.pem host.key
shell> mv newcert.pem host.pem

I renamed the certs as needed and placed them in the appropriate /etc/ipsec.d 
folders:
all key files were moved to /etc/ipsec.d/private
all cert files were moved to /etc/ipsec.d/certs
cacert was copied to /etc/ipsec.d/cacerts
crl.pem was copied to /etc/ipsec.d/crls

This was done for both client and host,
and yes, the ipsec.secrets file is correctly formatted and no errors show 
up in syslog.

TIA

*HOST CONFIGURATION*
version 2.0

config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
        plutodebug=all

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior
        left=%defaultroute
        leftcert=/etc/ipsec.d/certs/host.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        pfs=yes
        leftsubnet=0.0.0.0/0
        auto=add

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf


*CLIENT CONFIGURATION*
version 2

config setup
        interfaces=%defaultroute
        nat_traversal=yes
        plutodebug=all

conn %default
        keyingtries=1
        compress=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior
        right=%defaultroute
        rightcert=/etc/ipsec.d/certs/client.pem
        left=192.168.1.1
        leftcert=/etc/ipsec.d/certs/host.pem
        leftsubnet=0.0.0.0/0
        pfs=yes
        auto=add

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore


