[Openswan Users] No suitable connection for peer message when using CA

Paul Wouters paul at xelerance.com
Wed Dec 10 10:06:38 EST 2008


On Wed, 10 Dec 2008, Nicolas Bellido Y Ortega wrote:

> Both are running Openswan 2.6.19.

> conn left-right-vpn
>         left=10.0.5.83
>         leftcert=/etc/ipsec.d/certs/leftCert.pem
>         right=%any
>         rightca=/etc/ipsec.d/cacerts/rightCaCert.pem
>         auto=add
> ## Left config -- end

You shouldn't need to specify the ca. Or just use rightca=%any
You might also want to add leftsendcert=yes

> Left and Right have their own certificate and private key in
> /etc/ipsec.d/{certs,private}, while they both have the CA certificate of
> each other, plus their own, in /etc/ipsec.d/cacerts.

check with ipsec auto --listall that all is well?

> not seem to change anything. Also, rightid=%fromcert causes pluto to
> constantly respawn itself.

That used to happen when the cert you tried to load would not be there.
Can you verify that? openswan 2.6.20rc1 has a fix for that.

> pluto[6821]:   loaded CA cert file 'rightCaCert.pem' (1054 bytes)
> pluto[6821]:   loaded CA cert file 'leftCaCert.pem' (1111 bytes)

One cert is an old one?

> pluto[7105]: "left-right-vpn"[2] 10.0.5.110 #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=BE, ST=BW, O=Right S.A., OU=Right, CN=Right'
> pluto[7105]: "left-right-vpn"[2] 10.0.5.110 #2: no crl from issuer "C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA" found (strict=no)
> pluto[7105]: "left-right-vpn"[2] 10.0.5.110 #2: no suitable connection for peer 'C=BE, ST=BW, O=Right S.A., OU=Right, CN=Right'
> pluto[7105]: "left-right-vpn"[2] 10.0.5.110 #2: sending encrypted notification INVALID_ID_INFORMATION to 10.0.5.110:500

I am not sure if you anonymised this, but we cannot debug it if you do. This
part is very sensitive to certain characters being used.
Do all certs (left,right and ca) have the L= RDN? I don't see it consistently.

Paul
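A small checker for the RDN-consistency question Paul raises, added here as an example and not part of the thread or of Openswan itself. It pulls the peer ID and issuer DNs out of pluto log lines of the form quoted above (the sample lines are constructed from those in the thread), splits each DN into its RDNs, and reports which attribute types (such as L=) appear in some DNs but not in others. It assumes pluto prints DNs in the plain "TYPE=value, TYPE=value" form seen in the logs and does not handle escaped commas; the thread does not say which characters pluto is sensitive to, so the script checks only for RDN-type mismatches.

```python
"""Report RDN attribute types that are inconsistent across the X.509 DNs
pluto prints (peer ID, issuer DN, 'no suitable connection' peer DN).

Added example for the Openswan thread; not Openswan code. Assumes DNs are
printed as 'TYPE=value, TYPE=value' with no escaped commas.
"""
import re

# Constructed sample, based on the log lines quoted in the thread.
SAMPLE_LOG = """\
pluto[7105]: "left-right-vpn"[2] 10.0.5.110 #2: Main mode peer ID is ID_DER_ASN1_DN: 'C=BE, ST=BW, O=Right S.A., OU=Right, CN=Right'
pluto[7105]: "left-right-vpn"[2] 10.0.5.110 #2: no crl from issuer "C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA" found (strict=no)
pluto[7105]: "left-right-vpn"[2] 10.0.5.110 #2: no suitable connection for peer 'C=BE, ST=BW, O=Right S.A., OU=Right, CN=Right'
"""

# Each pattern captures one DN as pluto prints it in that message type.
DN_PATTERNS = [
    ("peer ID", re.compile(r"peer ID is ID_DER_ASN1_DN: '([^']*)'")),
    ("issuer", re.compile(r'no crl from issuer "([^"]*)" found')),
    ("peer (no suitable connection)",
     re.compile(r"no suitable connection for peer '([^']*)'")),
]


def parse_dn(dn):
    """Split 'C=BE, ST=BW, O=Right S.A.' into [('C', 'BE'), ('ST', 'BW'), ...].

    The split happens only at a comma followed by 'TYPE=', so values
    containing dots or spaces (e.g. 'Right S.A.') stay intact.
    Assumption: no backslash-escaped commas inside values.
    """
    rdns = []
    for part in re.split(r",\s*(?=[A-Za-z]+=)", dn.strip()):
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type.strip(), value.strip()))
    return rdns


def extract_dns(log_text):
    """Return [(label, dn_string), ...] for every DN found in the log text."""
    found = []
    for line in log_text.splitlines():
        for label, pattern in DN_PATTERNS:
            match = pattern.search(line)
            if match:
                found.append((label, match.group(1)))
    return found


def rdn_type_report(dns):
    """Map each DN label to the sorted list of RDN types that appear in at
    least one other DN but are absent from this one (e.g. a missing L=)."""
    types_by_label = {label: {t for t, _ in parse_dn(dn)} for label, dn in dns}
    all_types = set().union(*types_by_label.values()) if types_by_label else set()
    return {label: sorted(all_types - present)
            for label, present in types_by_label.items()}


def main():
    dns = extract_dns(SAMPLE_LOG)
    for label, dn in dns:
        print(f"{label:30s} {parse_dn(dn)}")
    print()
    for label, missing in rdn_type_report(dns).items():
        status = "missing " + ", ".join(missing) if missing else "has every RDN type"
        print(f"{label:30s} {status}")


if __name__ == "__main__":
    main()
```

Run it against a real pluto log by replacing SAMPLE_LOG with the file contents; a DN that lacks an RDN type the others carry (here L= is present only in the issuer DN) is the kind of mismatch to compare against the certificates themselves with `ipsec auto --listall`.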
