[Openswan Users] server certificate problem (ID_DER_ASN1_DN, subjectAltName, INVALID_ID_INFORMATION)
Laurentiu Lazar
lazar.laurentiu at gmail.com
Sat Apr 4 15:41:10 EDT 2009
Hello,
I have the following problem, and I'll be more than grateful if
someone will give me a hint:
My connection, as a client, fails with "sending encrypted notification
INVALID_ID_INFORMATION to SERVERIP:4500". Looking up in the log I think
it's caused by the server's certificate. From top to bottom, I'll list
the noteworthy lines:
Starting Pluto (Openswan Version 2.6.20; Vendor ID OECqBqWLdKzA) pid:...
Setting NAT-Traversal port-4500 floating to on
port floating activation criteria nat_t=1/port_float=1
including NAT-Traversal patch (Version 0.6c)
Using Linux 2.6 IPsec interface code on 2.6.29-1-amd64 (experimental code)
- Experimental? Hm! It was more than stable for me until now.
ike_alg_add(): ERROR: Algorithm already exists
- I hope I did understand correctly that this is not an error.
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
ignoring Vendor ID payload [FRAGMENTATION]
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
I am sending my cert
- I think these lines are OK.
I am sending a certificate request
- I don't know how to skip this, as a workaround to my problem, and if
my server will allow it.
transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
NAT-T: floating to port 4500
NAT-T connection has wrong interface definition IP:4500 vs IP:500
NAT-T: using interface IFACE:4500
received encrypted packet from SERVERIP:4500
decrypting 1544 bytes using algorithm OAKLEY_3DES_CBC
Main mode peer ID is ID_DER_ASN1_DN: '|'
- This '|' seems strange to me. Now the server's certificate is
listed. It has a "L2 - subject:" line that seems OK, and after that:
L4 - extension:
L5 - extnID:
'subjectAltName'
L5 - critical:
ff
TRUE
I see a good "L8 - dnsName:" line followed by:
L6 - authorityInfoAccess:
L7 - accessDescription:
L8 - accessMethod:
...
L8 - accessLocation:
L7 - accessDescription:
L8 - accessMethod:
...
L8 - accessLocation:
L1 - signatureAlgorithm:
L2 - algorithmIdentifier:
L3 - algorithm:
'sha-1WithRSAEncryption'
L1 - signatureValue:
...
subject: ''
- Now this seems strange to me. An empty subject?
issuer: ... (OK)
authkey: ... (OK)
not before: ...
current time: ...
not after: ...
valid certificate for ""
- Empty again? After this follows the signature checking ended with:
Public key validated
we require peer to have ID 'CN=...', but peer declares 'P\016\303'
complete state transition with (null)
sending encrypted notification INVALID_ID_INFORMATION to SERVERIP:4500
What the peer declares is "random", different on every certificate request.
Listing the server certificate with "openssl x509 -text" I see that it has:
- a good "Subject" line (what I have in rightid=CN=x.y.z)
- X509v3 Subject Alternative Name: DNS: x.y.z (the same x.y.z)
The same error happens with Linux 2.6.26.
"Help, I need somebody,
Help, not just anybody,
Help, you know I need someone, help."