[Openswan Users] No suitable connection for peer message when using CA

Nicolas Bellido Y Ortega ml at acolin.be
Thu Dec 11 05:53:40 EST 2008


On Thursday 11 December 2008 11:08:41 Nicolas Bellido Y Ortega wrote:
> I'm completely at loss, here. I must be doing something fundamentally
> wrong, but I don't know what... Possibly the spaces and the dots in the O=?

Replying to myself, I made some progress. The culprit here was the line:

pluto[27285]: "left-right-vpn"[2] 10.0.5.110 #10: no crl from issuer "C=BE, ST=BW, L=BA, O=Right S.A., OU=Right, CN=Right Root CA" found (strict=no)

If I generate a crl (even if no cert has been revoked), then pluto is
happy:

pluto[29300]: packet from 10.0.5.110:500: received Vendor ID payload [Openswan (this version) 2.6.19 ]
pluto[29300]: packet from 10.0.5.110:500: received Vendor ID payload [Dead Peer Detection]
pluto[29300]: packet from 10.0.5.110:500: received Vendor ID payload [RFC 3947] method set to=109
pluto[29300]: packet from 10.0.5.110:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
pluto[29300]: packet from 10.0.5.110:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
pluto[29300]: packet from 10.0.5.110:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
pluto[29300]: "left-right-vpn"[2] 10.0.5.110 #3: responding to Main Mode from unknown peer 10.0.5.110
pluto[29300]: "left-right-vpn"[2] 10.0.5.110 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[29300]: "left-right-vpn"[2] 10.0.5.110 #3: STATE_MAIN_R1: sent MR1, expecting MI2
pluto[29300]: "left-right-vpn"[2] 10.0.5.110 #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
pluto[29300]: "left-right-vpn"[2] 10.0.5.110 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[29300]: "left-right-vpn"[2] 10.0.5.110 #3: STATE_MAIN_R2: sent MR2, expecting MI3
pluto[29300]: "left-right-vpn"[2] 10.0.5.110 #3: Main mode peer ID is ID_DER_ASN1_DN: 'C=BE, ST=BW, L=BA, O=Right SA, OU=Right, CN=Right'
pluto[29300]: "left-right-vpn"[2] 10.0.5.110 #3: I am sending my cert
pluto[29300]: "left-right-vpn"[2] 10.0.5.110 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[29300]: "left-right-vpn"[2] 10.0.5.110 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}

But then it sits there. On Right:

# ipsec auto --up left-right-vpn
104 "left-right-vpn" #3: STATE_MAIN_I1: initiate
003 "left-right-vpn" #3: received Vendor ID payload [Openswan (this version) 2.6.19 ]
003 "left-right-vpn" #3: received Vendor ID payload [Dead Peer Detection]
003 "left-right-vpn" #3: received Vendor ID payload [RFC 3947] method set to=109
106 "left-right-vpn" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "left-right-vpn" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "left-right-vpn" #3: STATE_MAIN_I3: sent MI3, expecting MR3
003 "left-right-vpn" #3: received Vendor ID payload [CAN-IKEv2]

And ipsec does not return to the prompt.

setkey does not know of any SAD or SPD entry.

Any ideas?

Nicolas.
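As an added example, not part of the thread or of Openswan: a small Python script that reads the two sides' output quoted above (embedded here as constructed sample lines condensed from the post) and reports the last Main Mode state each side reached and which CA issuer pluto had no CRL for, so the stall point is visible without reading the raw log by hand.

```python
import re

# Constructed sample input, condensed from the post: Left is the responder
# (pluto log), Right is the initiator (`ipsec auto --up` output).
LEFT_LOG = """\
pluto[27285]: "left-right-vpn"[2] 10.0.5.110 #10: no crl from issuer "C=BE, ST=BW, L=BA, O=Right S.A., OU=Right, CN=Right Root CA" found (strict=no)
pluto[29300]: "left-right-vpn"[2] 10.0.5.110 #3: responding to Main Mode from unknown peer 10.0.5.110
pluto[29300]: "left-right-vpn"[2] 10.0.5.110 #3: STATE_MAIN_R1: sent MR1, expecting MI2
pluto[29300]: "left-right-vpn"[2] 10.0.5.110 #3: STATE_MAIN_R2: sent MR2, expecting MI3
pluto[29300]: "left-right-vpn"[2] 10.0.5.110 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
"""
RIGHT_UP = """\
104 "left-right-vpn" #3: STATE_MAIN_I1: initiate
106 "left-right-vpn" #3: STATE_MAIN_I2: sent MI2, expecting MR2
108 "left-right-vpn" #3: STATE_MAIN_I3: sent MI3, expecting MR3
"""

STATE_RE = re.compile(r"\b(STATE_MAIN_[IR])(\d)\b")
CRL_RE = re.compile(r'no crl from issuer "([^"]+)" found \(strict=(yes|no)\)')

def last_main_mode_state(text):
    """Highest Main Mode state one side reached, as ('I' or 'R', number)."""
    best = None
    for side, n in STATE_RE.findall(text):
        if best is None or int(n) > best[1]:
            best = (side[-1], int(n))
    return best

def crl_warnings(text):
    """(issuer DN, strict flag) for every 'no crl from issuer' line."""
    return CRL_RE.findall(text)

def diagnose(responder_log, initiator_output):
    """Reconcile both sides and explain where phase 1 stopped."""
    r = last_main_mode_state(responder_log)
    i = last_main_mode_state(initiator_output)
    findings = []
    for issuer, strict in crl_warnings(responder_log):
        findings.append(f"responder has no CRL cached for issuer {issuer!r} (strict={strict}); "
                        "publish a CRL for that CA even if nothing is revoked")
    r_done = "ISAKMP SA established" in responder_log
    if r_done and i == ("I", 3):
        findings.append("responder sent MR3 and considers phase 1 complete, but the initiator "
                        "is still in STATE_MAIN_I3 waiting for MR3: MR3 was not accepted on the "
                        "initiator side; read the initiator's own pluto log for its reason")
    elif r_done and i == ("I", 4):
        findings.append("phase 1 completed on both sides")
    return {"responder_state": r, "initiator_state": i, "findings": findings}
```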
