[Openswan Users] No suitable connection for peer message when using CA

Paul Wouters paul at xelerance.com
Wed Dec 10 14:50:11 EST 2008


On Wed, 10 Dec 2008, Nicolas Bellido Y Ortega wrote:

> I copied Right's cert over to Left, but that didn't help either.
> In fact, it *seems* that pluto respawns as soon as any command from the
> ipsec utility is issued. For example, an 'ipsec secrets' gives in
> /var/log/messages:

add dumpdir=/tmp to 'config setup' and please get us a gdb trace of the
core dump in /tmp/

>> One cert is an old one?
>
> Not sure I understand what you mean... Should all certs have the same
> size?

You have two CAs, you only need one.

> Right's cert was indeed missing the L= RDN. Adding it didn't help,
> though.
>
> OpenSSL identifies Right's CA cert as:
>  Issuer: C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA
>  Subject: C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA
>  X509v3 extensions:
>      X509v3 Basic Constraints:
>          CA:TRUE
>
> Left's CA cert:
>  Issuer: C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA
>  Subject: C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA
>  X509v3 extensions:
>      X509v3 Basic Constraints:
>          CA:TRUE

Normally O= is matched between CA and clients. Now you might indeed
have to do additional tricky matching.

> 000 Dec 10 17:47:35 2008, count: 1
> 000        subject: 'C=BE, ST=BW, O=Left S.A., OU=Left, CN=Left'
> 000        issuer:  'C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA'

There is still a RDN mismatch here.

> 000        issuer:  'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA'

You ARE using two Root CAs???

I have no experience with that. I guess it should work.
But I don't think we have a testcase for that scenario yet.

Paul
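The RDN comparison Paul is pointing at above can be checked offline. The following is an added example (not code from the thread or from Openswan itself): it parses the DN strings quoted in the thread, reports which RDN attributes differ between two DNs, and applies the chain rule a CA-matching check relies on, namely that an end-entity cert's issuer DN must equal the CA cert's subject DN attribute for attribute. The DN values are taken from the quoted pluto output; the parser assumes the ", " separated format pluto prints and no escaped commas inside values.

```python
"""Compare X.509 distinguished names the way a CA-matching check does.

Added example, not part of the original mailing-list thread and not
Openswan's own code. The DN strings below are copied from the thread's
quoted pluto output; the comparison logic is a generic illustration.
"""
from typing import Dict, List, Optional, Tuple

# DNs as printed in the thread (constructed test data, copied verbatim).
LEFT_CERT_SUBJECT = "C=BE, ST=BW, O=Left S.A., OU=Left, CN=Left"
LEFT_CERT_ISSUER = "C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA"
LEFT_CA_SUBJECT = "C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA"
RIGHT_CA_SUBJECT = "C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'C=BE, ST=BW, O=Left S.A.' into ordered (attribute, value) pairs.

    Splits on ', ' only, so a value such as 'Left S.A.' keeps its internal
    dots. Assumption: pluto's printed DNs contain no escaped commas.
    """
    pairs = []
    for part in dn.split(", "):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def dn_diff(a: str, b: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return the attributes whose values differ between two DNs.

    A value of None on one side means that RDN is absent there, which is
    how a missing L= shows up.
    """
    da, db = dict(parse_dn(a)), dict(parse_dn(b))
    diff = {}
    for attr in sorted(set(da) | set(db)):
        if da.get(attr) != db.get(attr):
            diff[attr] = (da.get(attr), db.get(attr))
    return diff


def issuer_matches_ca(cert_issuer: str, ca_subject: str) -> bool:
    """Chain rule: the cert's issuer DN must equal the CA's subject DN,
    RDN for RDN and in the same order. Any extra, missing or reordered
    RDN makes the CA unusable for this cert."""
    return parse_dn(cert_issuer) == parse_dn(ca_subject)


def pick_ca(cert_issuer: str, cas: Dict[str, str]) -> Optional[str]:
    """Return the name of the first CA whose subject matches the issuer,
    or None when no loaded CA can vouch for the cert."""
    for name, subject in cas.items():
        if issuer_matches_ca(cert_issuer, subject):
            return name
    return None


if __name__ == "__main__":
    print("subject vs issuer differences:",
          dn_diff(LEFT_CERT_SUBJECT, LEFT_CERT_ISSUER))
    print("Left CA vs Right CA differences:",
          dn_diff(LEFT_CA_SUBJECT, RIGHT_CA_SUBJECT))
    cas = {"Left Root CA": LEFT_CA_SUBJECT, "Right Root CA": RIGHT_CA_SUBJECT}
    print("CA for Left's cert:", pick_ca(LEFT_CERT_ISSUER, cas))
```

Running it shows the L= RDN present in the issuer but absent from the subject, and that only the Left CA subject equals the cert's issuer; the Right CA differs in O=, OU= and CN=, so a connection whose CA setting names the Right CA cannot accept a cert issued by the Left CA.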

