[Openswan Users] x509 setup problems
James
james at nttmcl.com
Tue May 29 13:09:12 EDT 2007
James wrote:
> Hi guys, I'm having problems with an x509 configuration.
> I keep getting the following message when running
> shell> ipsec auto --verbose -up roadwarrior
> 003 "roadwarrior" #1: received and ignored informational message
> 003 "roadwarrior" #1: discarding duplicate packet; already STATE_MAIN_I3
> 010 "roadwarrior" #1: STATE_MAIN_I3: retransmission; will wait 20s for
> response
> 003 "roadwarrior" #1: ignoring informational payload, type
> INVALID_KEY_INFORMATION
>
> I did the following to create certificates:
> shell> /usr/lib/ssl/misc/CA.sh -newreq
> files generated were newreq.pem newkey.pem
> shell> cat newkey.pem newreq.pem > newsomething.pem
> shell> mv newsomething.pem newreq.pem
> shell> /usr/lib/ssl/misc/CA.sh -sign
> resulted in newcert.pem
> shell> mv newreq.pem host.key
> shell> mv newcert.pem host.pem
>
> I renamed the certs as needed and placed them in the /etc/ipsec.d
> folders as needed
> all key files were moved to /etc/ipsec.d/private
> all cert files were moved to /etc/ipsec.d/certs
> cacert was copied to /etc/ipsec.d/cacerts
> crl.pem was copied to /etc/ipsec.d/crls
>
> this was done for both client and host
> and yes the ipsec.secrets file is correctly formatted and no errors show
> in syslog
>
> TIA
>
> *HOST CONFIGURATION*
> version 2.0
>
> config setup
> interfaces=%defaultroute
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
> plutodebug=all
>
> conn %default
> keyingtries=1
> compress=yes
> disablearrivalcheck=no
> authby=rsasig
> leftrsasigkey=%cert
> rightrsasigkey=%cert
>
> conn roadwarrior
> left=%defaultroute
> leftcert=/etc/ipsec.d/certs/host.pem
> right=%any
> rightsubnet=vhost:%no,%priv
> pfs=yes
> leftsubnet=0.0.0.0/0
> auto=add
>
> conn block
> auto=ignore
>
> conn private
> auto=ignore
>
> conn private-or-clear
> auto=ignore
>
> conn clear-or-private
> auto=ignore
>
> conn clear
> auto=ignore
>
> conn packetdefault
> auto=ignore
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
>
>
> *CLIENT CONFIGURATION*
> version 2
>
> config setup
> interfaces=%defaultroute
> nat_traversal=yes
> plutodebug=all
>
> conn %default
> keyingtries=1
> compress=yes
> authby=rsasig
> leftrsasigkey=%cert
> rightrsasigkey=%cert
>
> conn roadwarrior
> right=%defaultroute
> rightcert=/etc/ipsec.d/certs/client.pem
> left=192.168.1.1
> leftcert=/etc/ipsec.d/certs/host.pem
> leftsubnet=0.0.0.0/0
> pfs=yes
> auto=add
>
> conn block
> auto=ignore
>
> conn private
> auto=ignore
>
> conn private-or-clear
> auto=ignore
>
> conn clear-or-private
> auto=ignore
>
> conn clear
> auto=ignore
>
> conn packetdefault
> auto=ignore
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
Oh, small adjustment:
the client should look like this:
conn roadwarrior
left=%defaultroute
leftcert=/etc/ipsec.d/certs/client.pem
right=192.168.1.1
rightcert=/etc/ipsec.d/certs/host.pem
rightsubnet=0.0.0.0/0
pfs=yes
auto=add
Still the same problem, though.
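Before chasing the IKE retransmissions, a practitioner would normally confirm that the deployed private key, certificate and CA certificate actually belong together. The shell function below is an added example, not part of the original post or of Openswan; it assumes openssl is on the PATH and takes the three file paths as arguments (paths such as /etc/ipsec.d/certs/host.pem are just the locations the post uses).

```shell
#!/bin/sh
# Added example: sanity-check an Openswan x509 deployment before debugging IKE.
# Checks that (1) the private key parses, (2) the key's RSA modulus matches the
# certificate's, and (3) the certificate verifies against the CA certificate.
# Usage: check_x509_pair <key.pem> <cert.pem> <cacert.pem>
# Returns 0 when all checks pass, 1 otherwise, printing what failed.
check_x509_pair() {
    key="$1"; cert="$2"; ca="$3"
    for f in "$key" "$cert" "$ca"; do
        if [ ! -r "$f" ]; then
            echo "FAIL: cannot read $f"
            return 1
        fi
    done
    # The key file must contain a usable RSA private key (the first PEM
    # block is read, so a file that also carries a CSR still parses).
    if ! openssl rsa -in "$key" -noout -check >/dev/null 2>&1; then
        echo "FAIL: $key is not a usable RSA private key"
        return 1
    fi
    # The certificate file must be a parsable X.509 certificate.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "FAIL: $cert is not a parsable X.509 certificate"
        return 1
    fi
    # Compare the RSA modulus of key and certificate; a mismatch means the
    # certificate was issued for a different key than the one deployed.
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null | openssl md5)
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null | openssl md5)
    if [ "$key_mod" != "$cert_mod" ]; then
        echo "FAIL: modulus of $key does not match $cert"
        return 1
    fi
    # The certificate must chain to the CA certificate that Openswan loads
    # from /etc/ipsec.d/cacerts, or the peer's signature cannot be trusted.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"
        return 1
    fi
    echo "OK: $key, $cert and $ca are consistent"
    return 0
}
```

Run it once per peer, e.g. `check_x509_pair /etc/ipsec.d/private/host.key /etc/ipsec.d/certs/host.pem /etc/ipsec.d/cacerts/cacert.pem`, on both the host and the client.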