[Openswan Users] No suitable connection for peer message when using CA

Nicolas Bellido Y Ortega ml at acolin.be
Wed Dec 10 17:33:43 EST 2008


On Wednesday 10 December 2008 20:50:11 Paul Wouters wrote:
> On Wed, 10 Dec 2008, Nicolas Bellido Y Ortega wrote:
> > I copied Right's cert over to Left, but that didn't help either.
> > In fact, it *seems* that pluto respawns as soon as any command from the
> > ipsec utility is issued. For example, an 'ipsec secrets' gives in
> > /var/log/messages:
>
> add dumpdir=/tmp to 'config setup' and please get us a gdb trace of the
> core dump in /tmp/

Will do that tomorrow... After a quick scan of the Makefiles, I think I just have
to add the -g flag to USERCOMPILE in Makefile.inc, right?
Do you prefer that I send the trace to the devel list?

> >> One cert is an old one?
> >
> > Not sure I understand what you mean... Should all certs have the same
> > size?
>
> You have two CA's, you only need one.

Well, yes, in this case, that's true (see below). But does it really matter?

> > 000 Dec 10 17:47:35 2008, count: 1
> > 000        subject: 'C=BE, ST=BW, O=Left S.A., OU=Left, CN=Left'
> > 000        issuer:  'C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left
> > Root CA'
>
> There is still a RDN mismatch here.

Yes, I still have to find out why L= is left out when the CSRs are signed.

> > 000        issuer:  'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA'
>
> You ARE using two Root CA's???

Yes.

In fact, what I want to achieve is for Left and Right to verify each other's 
certificate based on their respective root CA.

Actually, I'd want Left to accept connections from any peer whose certificate 
is signed by any CA Left knows of. And I want the peer to authenticate Left 
based on the CA cert that signed Left's cert.

Currently, I'm testing with only one peer (Right).

Left and Right both have each other's CA root cert.

But if I understand what you said correctly, Left only needs to have:
. its certificate and private key;
. the root CA cert that signed Right's cert.

Similarly, Right would only have to have, besides its own cert and priv key, 
the root CA cert that signed Left's cert.

Basically, Left and Right do *not* need to have their own CA root cert, do 
they? But would it hurt if they actually have it?

> I have no experience with that. I guess it should work.
> But I don't think we have a testcase for that scenario yet.

Well, I'm testing it right now ;-)

Thanks again,

Nicolas.


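The RDN mismatch Paul points at above, and the question of which CA cert each peer actually needs, both come down to comparing DN strings attribute by attribute: an end-entity cert chains to a CA cert only when its issuer DN equals that CA cert's subject DN exactly. The following checker is an added example (not code from this thread or from Openswan); Left's subject and issuer DNs are the ones quoted in the thread, while the CA subject DNs in `CA_STORE` are constructed as an assumption about what a peer has loaded.

```python
"""Compare DN strings from an Openswan cert listing RDN by RDN.

Added example, not from the original thread or from Openswan. The Left
subject/issuer and Right issuer DNs are quoted from the thread; CA_STORE
is a constructed assumption about the CA certs loaded on a peer.
"""

def parse_dn(dn):
    """Split 'C=BE, ST=BW, O=Left S.A.' into ordered (type, value) pairs.
    Simplification: RFC 4514 escaping (e.g. '\\,' inside a value) is not handled."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if sep:
            rdns.append((attr.strip(), value.strip()))
    return rdns

def rdn_diff(a, b):
    """Report RDN types present in only one DN, and shared types whose values differ."""
    da, db = dict(parse_dn(a)), dict(parse_dn(b))
    return {
        "only_in_a": sorted(set(da) - set(db)),
        "only_in_b": sorted(set(db) - set(da)),
        "differ": sorted(t for t in set(da) & set(db) if da[t] != db[t]),
    }

def find_issuer(cert_issuer, ca_store):
    """Name of the CA whose subject DN equals the cert's issuer DN exactly, else None.
    This is the name match X.509 path building relies on, so one dropped RDN means no chain."""
    want = parse_dn(cert_issuer)
    for name, subject in ca_store.items():
        if parse_dn(subject) == want:
            return name
    return None

# Quoted in the thread: Left's end-entity cert as pluto listed it, plus Right's issuer.
LEFT_SUBJECT = "C=BE, ST=BW, O=Left S.A., OU=Left, CN=Left"
LEFT_ISSUER = "C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA"
RIGHT_ISSUER = "C=BE, ST=BW, L=BA, O=Right S.A., OU=Right Root CA"

# Constructed (assumption): subject DNs of CA certs loaded on a peer.
# The Right Root CA copy deliberately lacks L=BA to show a chain that fails to build.
CA_STORE = {
    "Left Root CA": "C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA",
    "Right Root CA (bad copy)": "C=BE, ST=BW, O=Right S.A., OU=Right Root CA",
}

if __name__ == "__main__":
    print("Left subject vs issuer:", rdn_diff(LEFT_SUBJECT, LEFT_ISSUER))
    for label, issuer in (("Left", LEFT_ISSUER), ("Right", RIGHT_ISSUER)):
        ca = find_issuer(issuer, CA_STORE)
        print(f"{label} cert chains to: {ca or 'NO MATCHING CA'}")
        if ca is None:
            for name, subj in CA_STORE.items():
                print(f"  vs {name}: {rdn_diff(issuer, subj)}")
```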