[Openswan Users] No suitable connection for peer message when using CA
Nicolas Bellido Y Ortega
ml at acolin.be
Wed Dec 10 02:55:49 EST 2008
Hi,
I'm trying to set up a VPN tunnel between two hosts using certificates
signed by their own CA. The setup is as simple as this:
Left [10.0.5.83] <--------> Right [10.0.5.110]
Both are running Openswan 2.6.19.
'Left' is configured as follows:
## Left config
version 2.0

config setup
    nat_traversal=yes
    OE=off
    protostack=netkey

conn left-right-vpn
    left=10.0.5.83
    leftcert=/etc/ipsec.d/certs/leftCert.pem
    right=%any
    rightca=/etc/ipsec.d/cacerts/rightCaCert.pem
    auto=add
## Left config -- end
'Right' configuration is:
## Right config
version 2.0

config setup
    nat_traversal=yes
    OE=off
    protostack=netkey

conn left-right-vpn
    left=10.0.5.83
    leftca=/etc/ipsec.d/cacerts/leftCaCert.pem
    right=%defaultroute
    rightcert=/etc/ipsec.d/certs/rightCert.pem
    auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
## Right config -- end
Left and Right have their own certificate and private key in
/etc/ipsec.d/{certs,private}, while they both have the CA certificate of
each other, plus their own, in /etc/ipsec.d/cacerts.
When bringing up the connection from 'Right', it is as if 'Left' can't match
the 'left-right-vpn' connection, although it has the CA certificate
which signed Right's certificate (see the logs below).
I tried inserting on 'Left' a matching
rightid="C=BE, ST=BW, O=Right S.A., OU=Right, CN=Right", but this does
not seem to change anything. Also, rightid=%fromcert causes pluto to
constantly respawn itself.
So, my question is simply: what do I need to specify in the connection
for pluto to match the DN in the certificates with the CA root ones?
Do I explicitly need to have some form of rightid=... on 'Left'
and a leftid=... on 'Right'? Isn't it sufficient to tell pluto which CA
cert to use?
Thanks in advance,
Nicolas Bellido.
PS1: 'Left' is running CentOS 5.2, and 'Right' is Debian testing.
Both are x86_64.
PS2: Here are the logs...
'Left' logs:
pluto[7105]: Starting Pluto (Openswan Version 2.6.19; Vendor ID OEkqHLBPOfMD) pid:7105
pluto[7105]: Setting NAT-Traversal port-4500 floating to on
pluto[7105]: port floating activation criteria nat_t=1/port_float=1
pluto[7105]: including NAT-Traversal patch (Version 0.6c)
pluto[7105]: using /dev/urandom as source of random entropy
[SNIP]
pluto[7105]: Using Linux 2.6 IPsec interface code on 2.6.18-92.1.18.el5 (experimental code)
[SNIP]
pluto[6821]: Changed path to directory '/etc/ipsec.d/cacerts'
pluto[6821]: loaded CA cert file 'rightCaCert.pem' (1054 bytes)
pluto[6821]: loaded CA cert file 'leftCaCert.pem' (1111 bytes)
pluto[6821]: Could not change to directory '/etc/ipsec.d/aacerts': /etc/ipsec.d
pluto[6821]: Could not change to directory '/etc/ipsec.d/ocspcerts': /etc/ipsec.d
pluto[6821]: Could not change to directory '/etc/ipsec.d/crls'
pluto[6821]: Changing back to directory '/etc/ipsec.d' failed - (2 No such file or directory)
pluto[6821]: Changing back to directory '/etc/ipsec.d' failed - (2 No such file or directory)
pluto[6821]: loading certificate from /etc/ipsec.d/certs/leftCert.pem
pluto[6821]: loaded host cert file '/etc/ipsec.d/certs/leftCert.pem' (969 bytes)
pluto[6821]: added connection description "left-right-vpn"
pluto[6821]: listening for IKE messages
pluto[6821]: adding interface eth0/eth0 10.0.5.83:500
pluto[6821]: adding interface eth0/eth0 10.0.5.83:4500
pluto[6821]: adding interface lo/lo 127.0.0.1:500
pluto[6821]: adding interface lo/lo 127.0.0.1:4500
[SNIP]
pluto[7105]: packet from 10.0.5.110:500: received Vendor ID payload [Openswan (this version) 2.6.19 ]
pluto[7105]: packet from 10.0.5.110:500: received Vendor ID payload [Dead Peer Detection]
pluto[7105]: packet from 10.0.5.110:500: received Vendor ID payload [RFC 3947] method set to=109
pluto[7105]: packet from 10.0.5.110:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
pluto[7105]: packet from 10.0.5.110:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
pluto[7105]: packet from 10.0.5.110:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
pluto[7105]: "left-right-vpn"[2] 10.0.5.110 #2: responding to Main Mode from unknown peer 10.0.5.110
pluto[7105]: "left-right-vpn"[2] 10.0.5.110 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[7105]: "left-right-vpn"[2] 10.0.5.110 #2: STATE_MAIN_R1: sent MR1, expecting MI2
pluto[7105]: "left-right-vpn"[2] 10.0.5.110 #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
pluto[7105]: "left-right-vpn"[2] 10.0.5.110 #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[7105]: "left-right-vpn"[2] 10.0.5.110 #2: STATE_MAIN_R2: sent MR2, expecting MI3
pluto[7105]: "left-right-vpn"[2] 10.0.5.110 #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=BE, ST=BW, O=Right S.A., OU=Right, CN=Right'
pluto[7105]: "left-right-vpn"[2] 10.0.5.110 #2: no crl from issuer "C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA" found (strict=no)
pluto[7105]: "left-right-vpn"[2] 10.0.5.110 #2: no suitable connection for peer 'C=BE, ST=BW, O=Right S.A., OU=Right, CN=Right'
pluto[7105]: "left-right-vpn"[2] 10.0.5.110 #2: sending encrypted notification INVALID_ID_INFORMATION to 10.0.5.110:500
'Right' logs:
pluto[30251]: Starting Pluto (Openswan Version 2.6.19; Vendor ID OEkqHLBPOfMD) pid:30251
pluto[30251]: Setting NAT-Traversal port-4500 floating to on
pluto[30251]: port floating activation criteria nat_t=1/port_float=1
pluto[30251]: including NAT-Traversal patch (Version 0.6c)
pluto[30251]: using /dev/urandom as source of random entropy
[SNIP]
pluto[30251]: Using Linux 2.6 IPsec interface code on 2.6.26-1-amd64 (experimental code)
[SNIP]
pluto[30251]: Changed path to directory '/etc/ipsec.d/cacerts'
pluto[30251]: loaded CA cert file 'rightCaCert.pem' (1054 bytes)
pluto[30251]: loaded CA cert file 'leftCaCert.pem' (1111 bytes)
pluto[30251]: Changed path to directory '/etc/ipsec.d/aacerts'
pluto[30251]: Changed path to directory '/etc/ipsec.d/ocspcerts'
pluto[30251]: Changing to directory '/etc/ipsec.d/crls'
pluto[30251]: Warning: empty directory
pluto[30251]: Changing back to directory '/etc/ipsec.d' failed - (2 No such file or directory)
pluto[30251]: Changing back to directory '/etc/ipsec.d' failed - (2 No such file or directory)
pluto[30251]: loading certificate from /etc/ipsec.d/certs/rightCert.pem
pluto[30251]: loaded host cert file '/etc/ipsec.d/certs/rightCert.pem' (956 bytes)
pluto[30251]: added connection description "left-right-vpn"
pluto[30251]: listening for IKE messages
pluto[30251]: adding interface eth0/eth0 10.0.5.110:500
pluto[30251]: adding interface eth0/eth0 10.0.5.110:4500
pluto[30251]: adding interface lo/lo 127.0.0.1:500
pluto[30251]: adding interface lo/lo 127.0.0.1:4500
pluto[30251]: adding interface lo/lo ::1:500
pluto[30251]: loading secrets from "/etc/ipsec.secrets"
pluto[30251]: loaded private key file '/etc/ipsec.d/private/rightKey.pem' (963 bytes)
pluto[30251]: invalid passphrase
pluto[30251]: "/etc/ipsec.secrets" line 9: error loading RSA private key file
pluto[30251]: loading secrets from "/etc/ipsec.secrets"
pluto[30251]: loaded private key file '/etc/ipsec.d/private/rightKey.pem' (963 bytes)
pluto[30251]: loaded private key for keyid: PPK_RSA:AwEAAe7I3
pluto[30251]: initiating all conns with alias='left-rght-vpn'
pluto[30251]: "left-right-vpn" #1: initiating Main Mode
pluto[30251]: "left-right-vpn" #1: received Vendor ID payload [Openswan (this version) 2.6.19 ]
pluto[30251]: "left-right-vpn" #1: received Vendor ID payload [Dead Peer Detection]
pluto[30251]: "left-right-vpn" #1: received Vendor ID payload [RFC 3947] method set to=109
pluto[30251]: "left-right-vpn" #1: enabling possible NAT-traversal with method 4
pluto[30251]: "left-right-vpn" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
pluto[30251]: "left-right-vpn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
pluto[30251]: "left-right-vpn" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
pluto[30251]: "left-right-vpn" #1: I am sending my cert
pluto[30251]: "left-right-vpn" #1: I am sending a certificate request
pluto[30251]: "left-right-vpn" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
pluto[30251]: "left-right-vpn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
pluto[30251]: "left-right-vpn" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
pluto[30251]: "left-right-vpn" #1: received and ignored informational message
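Editor's added example (not code from this thread or from Openswan): a small Python diagnostic that reads the 'Left' conn block and the two pluto lines quoted above ("Main mode peer ID is ..." and "no crl from issuer ...") and checks whether the peer's logged subject and issuer DNs are consistent with the conn's rightca= and rightid= settings. The one documented fact it relies on is that rightca= (like leftca=) takes the CA's distinguished name, or %same, rather than a file name, per ipsec.conf(5); the certificate files under /etc/ipsec.d/cacerts are loaded regardless of that setting, and the DN only selects which CA must lie in the peer's trust path. The function names, the "looks like a file path" heuristic, the whitespace-normalised exact DN comparison (no escaped commas) and the sample input are this example's own assumptions.

```python
"""Check an Openswan conn against what pluto logged for a certificate peer.
Editor's example, not code from the post or from Openswan. Documented fact it
relies on: rightca=/leftca= take the CA's distinguished name or %same, not a
file name (ipsec.conf(5)). Function names, the path heuristic and the DN
comparison are this example's own assumptions."""
import re

# Pluto 2.6 log lines naming the peer and its issuing CA (formats from the post).
RE_PEER_ID = re.compile(r"Main mode peer ID is ID_DER_ASN1_DN: '([^']+)'")
RE_ISSUER = re.compile(r'no crl from issuer "([^"]+)" found')

def parse_pluto_log(log):
    """Return (peer_subject_dn, peer_issuer_dn); None where a line is missing."""
    peer, issuer = RE_PEER_ID.search(log), RE_ISSUER.search(log)
    return (peer.group(1) if peer else None, issuer.group(1) if issuer else None)

def parse_conn(conf, name):
    """Settings of one 'conn <name>' section. Minimal ipsec.conf parser:
    section headers start in column 0, parameters are indented."""
    settings, in_conn = {}, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if raw[0] not in " \t":          # 'conn X', 'config setup', 'include' ...
            parts = line.split()
            in_conn = parts[0] == "conn" and parts[1:] == [name]
            continue
        if in_conn and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings

def norm_dn(dn):
    """'C=BE, ST=BW, O=Right S.A.' -> [('C', 'BE'), ('ST', 'BW'), ...].
    Assumes no escaped commas inside values (true for the DNs in the post)."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def diagnose(conf, conn_name, log, peer_side="right"):
    """Compare <peer_side>ca / <peer_side>id with the subject and issuer DNs
    pluto logged for the peer. Returns a list of findings; empty = consistent."""
    conn = parse_conn(conf, conn_name)
    peer_dn, issuer_dn = parse_pluto_log(log)
    findings = []
    ca = conn.get(peer_side + "ca")
    if ca is not None:
        if ca.startswith("/") or ca.endswith(".pem"):   # a file where a DN belongs
            findings.append(
                f"{peer_side}ca={ca} is a file path; ipsec.conf(5) takes the CA's "
                f"distinguished name or %same (files in /etc/ipsec.d/cacerts are "
                f"loaded regardless). For this peer: "
                f'{peer_side}ca="{issuer_dn or "<issuer DN of the peer cert>"}"')
        elif ca != "%same" and issuer_dn and norm_dn(ca) != norm_dn(issuer_dn):
            findings.append(f'{peer_side}ca="{ca}" does not match the issuer '
                            f'pluto logged for the peer cert: "{issuer_dn}"')
    pid = conn.get(peer_side + "id")
    if pid not in (None, "%fromcert") and peer_dn and norm_dn(pid) != norm_dn(peer_dn):
        findings.append(f'{peer_side}id="{pid}" does not match the peer ID '
                        f'pluto logged: "{peer_dn}"')
    return findings

def corrected_conn(conf, conn_name, log, peer_side="right"):
    """Copy of the conn with <peer_side>ca set to the issuer DN pluto logged."""
    conn = parse_conn(conf, conn_name)
    _, issuer_dn = parse_pluto_log(log)
    if issuer_dn:
        conn[peer_side + "ca"] = issuer_dn
    return conn

def render_conn(settings, conn_name):
    """Render settings as a conn section; values with spaces (DNs) are quoted."""
    lines = [f"conn {conn_name}"]
    for key, value in settings.items():
        lines.append(f'    {key}="{value}"' if " " in value else f"    {key}={value}")
    return "\n".join(lines) + "\n"

# Constructed input: the 'Left' conn and two 'Left' pluto lines from the post.
CONF_LEFT = """\
config setup
    OE=off

conn left-right-vpn
    left=10.0.5.83
    leftcert=/etc/ipsec.d/certs/leftCert.pem
    right=%any
    rightca=/etc/ipsec.d/cacerts/rightCaCert.pem
    auto=add
"""
LOG_LEFT = """\
pluto[7105]: "left-right-vpn"[2] 10.0.5.110 #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=BE, ST=BW, O=Right S.A., OU=Right, CN=Right'
pluto[7105]: "left-right-vpn"[2] 10.0.5.110 #2: no crl from issuer "C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA" found (strict=no)
"""

if __name__ == "__main__":
    for finding in diagnose(CONF_LEFT, "left-right-vpn", LOG_LEFT):
        print("-", finding)
    print(render_conn(corrected_conn(CONF_LEFT, "left-right-vpn", LOG_LEFT), "left-right-vpn"))
```

Run it as is and it reports the rightca= file path on the 'Left' conn and prints the conn with rightca= replaced by the issuer DN that pluto logged for the peer certificate; rightid= is optional and is only flagged when it is set to a DN other than the one pluto logged as the peer ID. The same check applies to 'Right' with peer_side="left" and the corresponding 'Right' log lines.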