[Openswan Users] No suitable connection for peer message when using CA
Paul Wouters
paul at xelerance.com
Wed Dec 10 14:50:11 EST 2008
On Wed, 10 Dec 2008, Nicolas Bellido Y Ortega wrote:
> I copied Right's cert over to Left, but that didn't help either.
> In fact, it *seems* that pluto respawns as soon as any command from the
> ipsec utility is issued. For example, an 'ipsec secrets' gives in
> /var/log/messages:
add dumpdir=/tmp to 'config setup' and please get us a gdb trace of the
core dump in /tmp/
>> One cert is an old one?
>
> Not sure I understand what you mean... Should all certs have the same
> size?
You have two CAs; you only need one.
> Right's cert was indeed missing the L= RDN. Adding it didn't help,
> though.
>
> OpenSSL identifies Right's CA cert as:
> Issuer: C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA
> Subject: C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA
> X509v3 extensions:
> X509v3 Basic Constraints:
> CA:TRUE
>
> Left's CA cert:
> Issuer: C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA
> Subject: C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA
> X509v3 extensions:
> X509v3 Basic Constraints:
> CA:TRUE
Normally O= is matched between CA and clients. Now you might indeed
have to do additional tricky matching.
> 000 Dec 10 17:47:35 2008, count: 1
> 000 subject: 'C=BE, ST=BW, O=Left S.A., OU=Left, CN=Left'
> 000 issuer: 'C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA'
There is still a RDN mismatch here.
> 000 issuer: 'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA'
You ARE using two Root CAs???
I have no experience with that. I guess it should work.
But I don't think we have a testcase for that scenario yet.
Paul
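The RDN comparisons above are done by eye. The following is an added example (my own code, not Openswan's) that parses distinguished names in the format pluto prints and diffs them RDN by RDN, so that a missing L= or a wrong O= shows up immediately. The DN strings embedded in it are the ones posted in this thread; the assumption that pluto requires an end-entity certificate's issuer DN to equal the CA certificate's subject DN exactly and in order is mine, and the function name `chains_to` is hypothetical.

```python
"""
Diff X.509 distinguished names RDN by RDN, in the "C=BE, ST=BW, O=..." form
that pluto prints with 'ipsec auto --listcerts'.  Added example; not code
from Openswan.  The sample DNs below are copied from the mailing-list thread.
"""
from typing import Dict, List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("O", "Left S.A.")


def parse_dn(dn: str) -> List[RDN]:
    """Split a pluto-style DN into an ordered list of (type, value) pairs.

    Assumes ', ' separated RDNs as pluto prints them; a backslash-escaped
    comma ('\\,') is treated as a literal comma inside a value.
    """
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped char: keep literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == ",":                           # unescaped comma ends an RDN
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    parts.append("".join(buf))

    rdns: List[RDN] = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dn_diff(a: List[RDN], b: List[RDN]) -> List[str]:
    """Return human-readable differences between two parsed DNs.

    An empty list means the DNs carry the same attributes with the same
    values in the same order.  Multi-valued RDNs are not handled.
    """
    diffs: List[str] = []
    a_map: Dict[str, str] = dict(a)
    b_map: Dict[str, str] = dict(b)
    for attr, val in a:
        if attr not in b_map:
            diffs.append(f"{attr}={val} only in first DN")
        elif b_map[attr] != val:
            diffs.append(f"{attr}: {val!r} != {b_map[attr]!r}")
    for attr, val in b:
        if attr not in a_map:
            diffs.append(f"{attr}={val} only in second DN")
    if not diffs and [t for t, _ in a] != [t for t, _ in b]:
        diffs.append("same RDNs but in a different order")
    return diffs


def chains_to(cert_issuer: str, ca_subject: str) -> bool:
    """Assumed pluto rule: a cert chains to a CA only if its issuer DN equals
    the CA cert's subject DN exactly, RDN for RDN and in order."""
    return parse_dn(cert_issuer) == parse_dn(ca_subject)


# DNs as posted in the thread (Left's end-entity cert and the two root CAs).
LEFT_CERT_SUBJECT = "C=BE, ST=BW, O=Left S.A., OU=Left, CN=Left"
LEFT_CERT_ISSUER = "C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA"
LEFT_CA_SUBJECT = "C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA"
RIGHT_CA_SUBJECT = "C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA"

if __name__ == "__main__":
    print("subject vs issuer of Left's cert:")
    for line in dn_diff(parse_dn(LEFT_CERT_SUBJECT), parse_dn(LEFT_CERT_ISSUER)):
        print("  ", line)
    print("Left cert chains to Left CA: ", chains_to(LEFT_CERT_ISSUER, LEFT_CA_SUBJECT))
    print("Left cert chains to Right CA:", chains_to(LEFT_CERT_ISSUER, RIGHT_CA_SUBJECT))
```

Run it against the DN lines from `ipsec auto --listcerts` and `--listcacerts`: the first diff shows which RDNs differ between the end-entity subject and its issuer (here the L= attribute and the CN), and the `chains_to` lines show which of the two root CAs the issuer DN actually matches, which is what decides whether a `leftca=`/`rightca=` value selects the connection.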