[Openswan Users] No suitable connection for peer message when using CA
Nicolas Bellido Y Ortega
ml at acolin.be
Thu Dec 11 05:08:41 EST 2008
On Thursday 11 December 2008 01:21:14 Paul Wouters wrote:
> On Wed, 10 Dec 2008, Nicolas Bellido Y Ortega wrote:
> >> add dumpdir=/tmp to 'config setup' and please get us a gdb trace of the
> >> core dump in /tmp/
>
> > Do you prefer that I send the trace to the devel list?
>
> Either the devel list or onto a new bug report on bugs.openswan.org please.
Done, on the devel list.
> > In fact, what I want to achieve is for Left and Right to verify each
> > other's certificate based on their respective root CA.
> >
> > Actually, I'd want Left to accept connections from any peer whose
> > certificate is signed by any CA Left knows of. And I want the peer to
> > authenticate Left based on the CA cert that signed Left's cert.
>
> It should work.
Great. I now know why the L= RDN was not included in the certs: my openssl
policy for the CA did not have a 'localityName = optional' directive.
BTW: does it matter if it's not set to 'match'?
The situation now is that Left has: rightCaCert.pem, leftCert.pem and leftKey.pem. On Right: leftCaCert.pem, rightCert.pem and rightKey.pem.
Connection config on left:
conn left-right-vpn
left=10.0.5.83
leftcert=/etc/ipsec.d/certs/leftCert.pem
leftsendcert=always
right=%any
rightca=%any
auto=add
Still on Left, ipsec auto --listall gives:
000
000 List of Public Keys:
000
000 Dec 11 11:02:20 2008, 1024 RSA Key AwEAAbwJ+ (no private key), until Dec 11 10:24:34 2009 ok
000 ID_DER_ASN1_DN 'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right, CN=Right'
000 Issuer 'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right, CN=Right Root CA'
000 Dec 11 10:49:50 2008, 1024 RSA Key AwEAAbBsm (has private key), until Dec 11 10:12:43 2009 ok
000 ID_IPV4_ADDR '10.0.5.83'
000 Issuer 'C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA'
000 Dec 11 10:49:50 2008, 1024 RSA Key AwEAAbBsm (has private key), until Dec 11 10:12:43 2009 ok
000 ID_DER_ASN1_DN 'C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left'
000 Issuer 'C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA'
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000 1: RSA (none) (none)
000
000 List of X.509 End Certificates:
000
000 Dec 11 10:49:50 2008, count: 2
000 subject: 'C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left'
000 issuer: 'C=BE, ST=BW, L=BA, O=Left S.A., OU=Left, CN=Left Root CA'
000 serial: 01
000 pubkey: 1024 RSA Key AwEAAbBsm, has private key
000 validity: not before Dec 11 10:12:43 2008 ok
000 not after Dec 11 10:12:43 2009 ok
000 subjkey: 21:3b:7e:09:10:57:a1:da:88:42:e2:f5:85:b6:23:01:2c:b3:66:e1
000 authkey: 1f:b5:03:94:51:1f:8d:b3:9a:aa:8c:ff:0c:18:ca:30:ed:72:7b:81
000
000 List of X.509 CA Certificates:
000
000 Dec 11 10:49:50 2008, count: 1
000 subject: 'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right, CN=Right Root CA'
000 issuer: 'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right, CN=Right Root CA'
000 serial: 00:ec:1b:28:04:38:b9:e6:33
000 pubkey: 1024 RSA Key AwEAAeiq5
000 validity: not before Dec 11 10:21:28 2008 ok
000 not after Dec 09 10:21:28 2018 ok
000 subjkey: 53:91:67:4c:72:7f:27:c8:85:21:c9:4b:37:b9:68:f3:30:78:7e:c0
000 authkey: 53:91:67:4c:72:7f:27:c8:85:21:c9:4b:37:b9:68:f3:30:78:7e:c0
000 aserial: 00:ec:1b:28:04:38:b9:e6:33
This all looks correct, doesn't it? But still, when upping the
connection from Right, Left tells me:
pluto[27285]: packet from 10.0.5.110:500: ignoring unknown Vendor ID payload [4f456b71484c42504f664d44]
pluto[27285]: packet from 10.0.5.110:500: received Vendor ID payload [Dead Peer Detection]
pluto[27285]: packet from 10.0.5.110:500: received Vendor ID payload [RFC 3947] method set to=109
pluto[27285]: packet from 10.0.5.110:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
pluto[27285]: packet from 10.0.5.110:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
pluto[27285]: packet from 10.0.5.110:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
pluto[27285]: "left-right-vpn"[2] 10.0.5.110 #10: responding to Main Mode from unknown peer 10.0.5.110
pluto[27285]: "left-right-vpn"[2] 10.0.5.110 #10: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[27285]: "left-right-vpn"[2] 10.0.5.110 #10: STATE_MAIN_R1: sent MR1, expecting MI2
pluto[27285]: "left-right-vpn"[2] 10.0.5.110 #10: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
pluto[27285]: "left-right-vpn"[2] 10.0.5.110 #10: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[27285]: "left-right-vpn"[2] 10.0.5.110 #10: STATE_MAIN_R2: sent MR2, expecting MI3
pluto[27285]: "left-right-vpn"[2] 10.0.5.110 #10: Main mode peer ID is ID_DER_ASN1_DN: 'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right, CN=Right'
pluto[27285]: "left-right-vpn"[2] 10.0.5.110 #10: no crl from issuer "C=BE, ST=BW, L=BA, O=Right S.A., OU=Right, CN=Right Root CA" found (strict=no)
pluto[27285]: "left-right-vpn"[2] 10.0.5.110 #10: no suitable connection for peer 'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right, CN=Right'
pluto[27285]: "left-right-vpn"[2] 10.0.5.110 #10: sending encrypted notification INVALID_ID_INFORMATION to 10.0.5.110:500
pluto[27285]: "left-right-vpn"[2] 10.0.5.110 #10: Main mode peer ID is ID_DER_ASN1_DN: 'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right, CN=Right'
pluto[27285]: "left-right-vpn"[2] 10.0.5.110 #10: no crl from issuer "C=BE, ST=BW, L=BA, O=Right S.A., OU=Right, CN=Right Root CA" found (strict=no)
pluto[27285]: "left-right-vpn"[2] 10.0.5.110 #10: no suitable connection for peer 'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right, CN=Right'
pluto[27285]: "left-right-vpn"[2] 10.0.5.110 #10: sending encrypted notification INVALID_ID_INFORMATION to 10.0.5.110:500
pluto[27285]: "left-right-vpn"[2] 10.0.5.110 #10: Main mode peer ID is ID_DER_ASN1_DN: 'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right, CN=Right'
pluto[27285]: "left-right-vpn"[2] 10.0.5.110 #10: no crl from issuer "C=BE, ST=BW, L=BA, O=Right S.A., OU=Right, CN=Right Root CA" found (strict=no)
pluto[27285]: "left-right-vpn"[2] 10.0.5.110 #10: no suitable connection for peer 'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right, CN=Right'
pluto[27285]: "left-right-vpn"[2] 10.0.5.110 #10: sending encrypted notification INVALID_ID_INFORMATION to 10.0.5.110:500
I'm completely at a loss, here. I must be doing something fundamentally
wrong, but I don't know what... Possibly the spaces and the dots in the O=?
Nicolas.
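Added example (my own, not from the thread or from Openswan): a small Python check that pulls the CA subjects out of the ipsec auto --listall listing and the issuer pluto logs for the connecting peer, then compares them RDN by RDN, so a mismatch such as a missing L= or a differing O= value shows up explicitly instead of being guessed at. The sample input is constructed from the listing and log lines quoted above.

```python
import re

# Constructed sample input: the CA section of 'ipsec auto --listall' and
# the pluto lines for the peer, as quoted in the post above.
LISTALL = """\
000 List of X.509 CA Certificates:
000
000 Dec 11 10:49:50 2008, count: 1
000 subject: 'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right, CN=Right Root CA'
000 issuer: 'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right, CN=Right Root CA'
"""
PLUTO_LOG = """\
pluto[27285]: "left-right-vpn"[2] 10.0.5.110 #10: Main mode peer ID is ID_DER_ASN1_DN: 'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right, CN=Right'
pluto[27285]: "left-right-vpn"[2] 10.0.5.110 #10: no crl from issuer "C=BE, ST=BW, L=BA, O=Right S.A., OU=Right, CN=Right Root CA" found (strict=no)
pluto[27285]: "left-right-vpn"[2] 10.0.5.110 #10: no suitable connection for peer 'C=BE, ST=BW, L=BA, O=Right S.A., OU=Right, CN=Right'
"""

def parse_dn(dn):
    """Split a printed DN into ordered (attr, value) pairs.
    Splits only on ', ' that is followed by an attribute name, so a value
    containing spaces or dots such as 'O=Right S.A.' stays whole."""
    parts = re.split(r",\s+(?=[A-Za-z]+=)", dn.strip())
    return [tuple(p.split("=", 1)) for p in parts]

def ca_subjects(listall):
    """Subject DNs listed under 'List of X.509 CA Certificates'."""
    section = listall.split("List of X.509 CA Certificates:", 1)[1]
    return re.findall(r"^000\s*subject:\s*'([^']*)'", section, re.M)

def peer_issuers(log):
    """Issuer DNs pluto reports for the peer ('no crl from issuer "..."')."""
    return re.findall(r'no crl from issuer "([^"]*)"', log)

def dn_diff(a, b):
    """RDNs present in only one of the two DNs; [] means an exact match."""
    return sorted(set(parse_dn(a)) ^ set(parse_dn(b)))

def check_peer_ca(log, listall):
    """Map each issuer the peer presents to whether a loaded CA subject
    matches it exactly; False means no CA on this side has that DN."""
    cas = ca_subjects(listall)
    return {iss: any(dn_diff(iss, ca) == [] for ca in cas)
            for iss in set(peer_issuers(log))}

if __name__ == "__main__":
    for issuer, ok in check_peer_ca(PLUTO_LOG, LISTALL).items():
        print(("matches a loaded CA: " if ok else "NO loaded CA matches: ") + issuer)
```

With the data from the post the peer's issuer DN matches the loaded CA subject exactly, so a DN mismatch is not what is behind this particular "no suitable connection" message.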