[Openswan Users] cert problem with new 2.6.21 version
weirauch at checkmobile.de
Tue Apr 7 10:05:15 EDT 2009
Hi all,
I am not getting a CERT connection from my Mac to my Openswan Linux box
(trying for 3 months, various connection variants every once in a while;
I even read the great book by Paul Wouters and Ken Bantoft, but still
not getting it to work :-(((
So every hint / help is warmly and greatly welcomed...
Openswan IPsec U2.6.21/K2.6.25.20-0.1
From the same MacBook I have no problem connecting to my Netgear router,
so what is wrong on my Openswan side??
/var/log/messages:
===============
Apr 7 15:52:08 vpn pluto[32746]: "l2tp-X.509"[1] 85.182.252.146 #1: responding to Main Mode from unknown peer 85.XXX.XXX.146
Apr 7 15:52:08 vpn pluto[32746]: "l2tp-X.509"[1] 85.182.252.146 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 7 15:52:08 vpn pluto[32746]: "l2tp-X.509"[1] 85.182.252.146 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 7 15:52:08 vpn pluto[32746]: "l2tp-X.509"[1] 85.182.252.146 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 7 15:52:08 vpn pluto[32746]: "l2tp-X.509"[1] 85.182.252.146 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 7 15:52:08 vpn pluto[32746]: "l2tp-X.509"[1] 85.182.252.146 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=XX, ST=XXX, O=XXXX, OU=Head, CN=abc'
Apr 7 15:52:08 vpn pluto[32746]: "l2tp-X.509"[1] 85.182.252.146 #1: I am sending my cert
Apr 7 15:52:08 vpn pluto[32746]: "l2tp-X.509"[1] 85.182.252.146 #1: unable to locate my private key for RSA Signature
Apr 7 15:52:08 vpn pluto[32746]: "l2tp-X.509"[1] 85.182.252.146 #1: sending encrypted notification AUTHENTICATION_FAILED to 85.XXX.XXX.146:500
ipsec.conf:
========
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    plutodebug="none"
    nat_traversal=yes
    forwardcontrol=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.229.0/24
    # dpdaction=hold

conn l2tp-X.509
    #
    # Configuration for one user with any type of IPsec/L2TP client
    # including the updated Windows 2000/XP (MS KB Q818043), but
    # excluding the non-updated Windows 2000/XP.
    #
    #
    # Use a certificate. Disable Perfect Forward Secrecy.
    #
    authby=rsasig
    pfs=no
    auto=add
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # ourselves
    left=87.XXX.XXX.140
    leftsubnet=192.168.229.0/24
    #leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/vpncm_mcert.pem
    leftprotoport=17/1701
    # right gateway
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%no,%priv
    rightcert=/etc/ipsec.d/certs/macpwneu.pem
    forceencaps=yes
Content of /etc/ipsec.d/certs:
-rw-r--r-- 1 root root 1094 Apr 7 15:21 macpwneu.pem
-rw-r--r-- 1 root root 1139 Mar 5 09:50 vpncm_mcert.pem
and in /etc/ipsec.d/cacerts
is the CA key with which those two keys were signed.
All help is welcome.
Thanks a lot
Philipp
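The log line "unable to locate my private key for RSA Signature" is pluto reporting that it has the certificate named by leftcert= but no private key to sign with; pluto reads private keys from /etc/ipsec.secrets (a line of the form `: RSA /path/to/key.pem "passphrase"`), and the post shows ipsec.conf and the certs directory but no secrets file. The following script is an added example by the editor, not code from the list post or from the Openswan project: it parses an ipsec.conf in the post's style, lists the RSA private keys declared in an ipsec.secrets, and flags every conn that authenticates with a certificate while no RSA key is declared at all. The sample configuration and both secrets variants are constructed here; the addresses, key path and passphrase are placeholders, not the poster's values.

```python
"""Flag ipsec.conf conns that sign with a certificate but have no RSA private
key declared in ipsec.secrets. Example code added by the editor; the sample
config and secrets below are constructed for the demonstration."""
import re
from typing import Dict, List

# Constructed ipsec.conf modelled on the post's conn, trimmed to what the check
# needs. 87.0.2.140 is a placeholder address, not the poster's gateway.
SAMPLE_CONF = """\
version 2.0
config setup
    nat_traversal=yes
conn l2tp-X.509
    authby=rsasig
    type=transport
    left=87.0.2.140        # placeholder address
    leftcert=/etc/ipsec.d/certs/vpncm_mcert.pem
    right=%any
    rightcert=/etc/ipsec.d/certs/macpwneu.pem
conn psk-only
    authby=secret
    left=87.0.2.140
    right=%any
"""

# Constructed ipsec.secrets variants: one declares the gateway's RSA private key
# (placeholder path and passphrase), the other holds only a PSK, which leaves
# pluto without a key for RSA signatures.
SECRETS_WITH_KEY = ': RSA /etc/ipsec.d/private/vpncm_mcert.key "passphrase"\n'
SECRETS_WITHOUT_KEY = '87.0.2.140 %any : PSK "shared-secret"\n'

SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)$")
PARAM_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")
# ': RSA <path-or-{>' with an optional selector (e.g. an address) before the colon.
RSA_SECRET_RE = re.compile(r"^[^#:]*:\s*RSA\s+(\S+)")


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {'conn NAME' | 'config setup': {param: value}}.

    Section headers are recognised by keyword rather than by column so that a
    config whose indentation was lost (as in the mail archive) still parses.
    Comments starting with '#' are stripped first.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = SECTION_RE.match(line.strip())
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
            continue
        param = PARAM_RE.match(line)
        if param and current is not None:
            sections[current][param.group(1)] = param.group(2)
    return sections


def rsa_private_keys(secrets_text: str) -> List[str]:
    """Return the key file paths (or '{' for an inline key) of ': RSA' entries."""
    return [m.group(1) for m in map(RSA_SECRET_RE.match, secrets_text.splitlines()) if m]


def conns_missing_private_key(conf_text: str, secrets_text: str) -> List[str]:
    """Names of conns that use a certificate while ipsec.secrets declares no RSA key.

    A conn is treated as certificate-authenticated if it sets leftcert= or
    leftrsasigkey=%cert. The check is presence-only: it cannot tell whether a
    declared key actually matches the certificate (see the usage note).
    """
    conf = parse_ipsec_conf(conf_text)
    have_rsa_key = bool(rsa_private_keys(secrets_text))
    missing = []
    for name, params in conf.items():
        if not name.startswith("conn "):
            continue
        uses_cert = "leftcert" in params or params.get("leftrsasigkey") == "%cert"
        if uses_cert and not have_rsa_key:
            missing.append(name[len("conn "):])
    return missing


if __name__ == "__main__":
    for label, secrets in (("without key", SECRETS_WITHOUT_KEY), ("with key", SECRETS_WITH_KEY)):
        print(f"{label}: conns lacking an RSA private key -> {conns_missing_private_key(SAMPLE_CONF, secrets)}")
```

The script only establishes whether any RSA key is declared at all. Whether a declared key belongs to the certificate in leftcert= has to be checked with openssl on the gateway, by comparing the modulus of the two files: `openssl x509 -noout -modulus -in /etc/ipsec.d/certs/vpncm_mcert.pem` and `openssl rsa -noout -modulus -in /etc/ipsec.d/private/<key>.pem` must print the same value.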