[Openswan Users] Unable to establish connection using certificates
Robyn Orosz
rorosz at gmail.com
Wed Apr 29 16:23:18 EDT 2009
Hi,
I have 2 Openswan devices that I'm attempting to establish a tunnel
between. I have assigned certificates to both of them and have followed a
combination of instructions from the Openswan book and from those found
online. Right now I'm at the point where it appears from the logs that
they're attempting to auth by PSK and failing.
Here's one end of the connection:
conn peer-test-tunnel-1
left=192.168.150.209
leftcert=/etc/ipsec.d/certs/vyatta-1cert.pem
right=%any
rightrsasigkey=%cert
rightid="C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-2, emailAddress=test at test.com"
rightca=%same
rekey=no
leftsubnet=10.100.120.0/24
rightsubnet=10.224.0.1/32
ike=3des-md5-modp1536
ikelifetime=28800s
aggrmode=yes
dpddelay=30s
dpdtimeout=60s
dpdaction=clear
esp=3des-md5
keylife=1200s
rekeymargin=540s
type=tunnel
authby=rsasig
pfs=yes
compress=no
auto=add
Secrets file:
: RSA /etc/ipsec.d/private/vyatta-1key.key "test"
Here's the other end:
conn peer-192.168.150.209-tunnel-1
left=%defaultroute
leftcert=/etc/ipsec.d/certs/vyatta-2cert.pem
right=88.2.150.209
rightrsasigkey=%cert
rightid="C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-1, emailAddress=test at test.com"
rightca=%same
leftsubnet=10.224.0.1/32
rightsubnet=10.100.120.0/24
ike=3des-md5-modp1536
ikelifetime=28800s
aggrmode=yes
esp=3des-md5
keylife=3600s
rekeymargin=540s
type=tunnel
pfs=yes
authby=rsasig
compress=no
auto=start
Secrets file:
: RSA /etc/ipsec.d/private/vyatta-2key.key "Test"
This connection, with mostly the same settings, works when using a PSK.
Here's the message I'm seeing on the server side:
Apr 29 20:12:37 vyattatar pluto[10906]: "peer-test-tunnel-1"[2] 192.168.103.8 #2: Aggressive mode peer ID is ID_DER_ASN1_DN: 'C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-2, E=test at test.com'
Apr 29 20:12:37 vyattatar pluto[10906]: | refine_connection: starting with peer-test-tunnel-1
Apr 29 20:12:37 vyattatar pluto[10906]: | trusted_ca called with a=(empty) b=C=ES, ST=Tarifa, O=Test, CN=vyatta, E=test at test.com
Apr 29 20:12:37 vyattatar pluto[10906]: | started looking for secret for C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-1, E=test at test.com->C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-2, E=test at test.com of kind PPK_PSK
Apr 29 20:12:37 vyattatar pluto[10906]: | actually looking for secret for C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-1, E=test at test.com->C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-2, E=test at test.com of kind PPK_PSK
Apr 29 20:12:37 vyattatar pluto[10906]: | concluding with best_match=0 best=(nil) (lineno=-1)
Apr 29 20:12:37 vyattatar pluto[10906]: "peer-test-tunnel-1"[2] 192.168.103.8 #2: no suitable connection for peer 'C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-2, E=test at test.com'
Apr 29 20:12:37 vyattatar pluto[10906]: "peer-test-tunnel-1"[2] 192.168.103.8 #2: initial Aggressive Mode packet claiming to be from C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-2, E=test at test.com on 192.168.103.8 but no connection has been authorized
Apr 29 20:12:37 vyattatar pluto[10906]: | complete state transition with (null)
Apr 29 20:12:37 vyattatar pluto[10906]: "peer-test-tunnel-1"[2] 192.168.103.8 #2: sending notification INVALID_ID_INFORMATION to 192.168.103.8:500
Any idea what could be causing this? I'm sure I have something configured
incorrectly. I'm just trying to verify that this connection will work with
x509 certs and then need to run this test with another vendor's equipment.
Thanks!
Robyn
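The post's symptom is that pluto announces a certificate DN as the peer ID, then goes looking for a secret "of kind PPK_PSK" and rejects the peer with "no suitable connection". A useful first check when debugging this class of problem is to compare, mechanically, what the conn says (authby, rightid, rightca, aggrmode) with what pluto logged, after normalising the two DN spellings involved (ipsec.conf uses emailAddress=, pluto prints E=). The script below is an added example written for this page; it is not Openswan code and not something the poster ran. It embeds a trimmed copy of the first conn and four of the log lines above as constructed sample input, and assumes the address the list archive renders as "test at test.com" is test@test.com.

```python
import re

# Constructed sample input, trimmed from the configuration and pluto log
# quoted in the post. The archive renders the address as "test at test.com";
# "test@test.com" is an assumption here.
IPSEC_CONF = """\
conn peer-test-tunnel-1
    left=192.168.150.209
    right=%any
    rightrsasigkey=%cert
    rightid="C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-2, emailAddress=test@test.com"
    rightca=%same
    aggrmode=yes
    authby=rsasig
"""

PLUTO_LOG = """\
Apr 29 20:12:37 vyattatar pluto[10906]: "peer-test-tunnel-1"[2] 192.168.103.8 #2: Aggressive mode peer ID is ID_DER_ASN1_DN: 'C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-2, E=test@test.com'
Apr 29 20:12:37 vyattatar pluto[10906]: | trusted_ca called with a=(empty) b=C=ES, ST=Tarifa, O=Test, CN=vyatta, E=test@test.com
Apr 29 20:12:37 vyattatar pluto[10906]: | started looking for secret for C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-1, E=test@test.com->C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-2, E=test@test.com of kind PPK_PSK
Apr 29 20:12:37 vyattatar pluto[10906]: "peer-test-tunnel-1"[2] 192.168.103.8 #2: no suitable connection for peer 'C=ES, ST=Tarifa, L=Cadiz, O=Test, CN=vyatta-2, E=test@test.com'
"""

# DN attribute-type aliases: OpenSSL-style spelling on the left, the short
# form pluto prints on the right.
DN_ALIASES = {"EMAILADDRESS": "E", "EMAIL": "E", "SERIALNUMBER": "SN"}


def parse_conns(text):
    """Parse the 'conn <name>' sections of an ipsec.conf into {name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns


def normalize_dn(dn):
    """Return a DN as a tuple of (TYPE, value) pairs so different spellings compare equal."""
    pairs = []
    for part in dn.split(","):
        if "=" not in part:
            continue
        attr, value = part.split("=", 1)
        attr = attr.strip().upper()
        pairs.append((DN_ALIASES.get(attr, attr), value.strip()))
    return tuple(pairs)


def peer_ids_from_log(log):
    """Map conn name -> peer DN from pluto's 'peer ID is ID_DER_ASN1_DN' lines."""
    ids = {}
    pat = re.compile(r'"([^"]+)"\[\d+\].*peer ID is ID_DER_ASN1_DN: \'([^\']+)\'')
    for line in log.splitlines():
        m = pat.search(line)
        if m:
            ids[m.group(1)] = m.group(2)
    return ids


def audit(conf_text, log_text):
    """Cross-check each conn against what pluto logged; return a list of findings."""
    findings = []
    conns = parse_conns(conf_text)
    peer_ids = peer_ids_from_log(log_text)
    psk_lookup = "of kind PPK_PSK" in log_text
    for name, c in conns.items():
        if c.get("aggrmode", "no") == "yes":
            findings.append(f"{name}: aggrmode=yes; IKEv1 aggressive mode sends the ID payloads unencrypted")
        if c.get("authby") == "rsasig" and psk_lookup:
            findings.append(f"{name}: authby=rsasig but pluto searched for a secret of kind PPK_PSK")
        if name in peer_ids and "rightid" in c:
            if normalize_dn(peer_ids[name]) == normalize_dn(c["rightid"]):
                findings.append(f"{name}: logged peer ID matches rightid (after DN normalisation)")
            else:
                findings.append(f"{name}: logged peer ID {peer_ids[name]!r} does not match rightid {c['rightid']!r}")
        if c.get("rightca") == "%same" and "trusted_ca called with a=(empty)" in log_text:
            findings.append(f"{name}: rightca=%same while the log shows trusted_ca called with a=(empty); check which CA this conn resolved")
    return findings


if __name__ == "__main__":
    for finding in audit(IPSEC_CONF, PLUTO_LOG):
        print(finding)
```

On the sample above the DN comparison comes out equal, which rules out a plain rightid typo and leaves the PSK lookup and the empty CA argument as the things to chase; run against a real ipsec.conf and /var/log/auth.log the same four checks apply unchanged.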