[Openswan Users] no suitable connection for peer

Avesh Agarwal avagarwa at redhat.com
Mon Oct 26 16:37:33 EDT 2009


On 10/26/2009 03:56 PM, mantizke at web.de wrote:
> Hello,
> For some days I have been trying to bring up a tunnel with certificates between a Linux VPN gateway and a Windows client. So far only PSK works fine for me. I created my own CA with OpenSSL and two certificates, signed by the CA. I exported one of them to Windows format (PKCS12) and successfully imported it into Windows.
>
> But the Linux machine still rejects the certificate with the following log:
>
> Oct 26 15:27:53 swan ipsec__plutorun: Starting Pluto subsystem...
> Oct 26 15:27:53 swan pluto[12731]: Starting Pluto (Openswan Version 2.6.14; Vendor ID OEoSJUweaqAX) pid:12731
> Oct 26 15:27:53 swan pluto[12731]: Setting NAT-Traversal port-4500 floating to off
> Oct 26 15:27:53 swan pluto[12731]: port floating activation criteria nat_t=0/port_float=1
> Oct 26 15:27:53 swan pluto[12731]: including NAT-Traversal patch (Version 0.6c) [disabled]
> Oct 26 15:27:53 swan pluto[12731]: using /dev/urandom as source of random entropy
> Oct 26 15:27:53 swan pluto[12731]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> Oct 26 15:27:53 swan pluto[12731]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Oct 26 15:27:53 swan pluto[12731]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> Oct 26 15:27:53 swan pluto[12731]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> Oct 26 15:27:53 swan pluto[12731]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> Oct 26 15:27:53 swan pluto[12731]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
> Oct 26 15:27:53 swan pluto[12731]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
> Oct 26 15:27:53 swan pluto[12731]: starting up 1 cryptographic helpers
> Oct 26 15:27:53 swan pluto[12743]: using /dev/urandom as source of random entropy
> Oct 26 15:27:53 swan pluto[12731]: started helper pid=12743 (fd:7)
> Oct 26 15:27:54 swan pluto[12731]: Using Linux 2.6 IPsec interface code on 2.6.18-8.el5 (experimental code)
> Oct 26 15:27:54 swan pluto[12731]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.cakley_enc_names
> Oct 26 15:27:54 swan pluto[12731]: ike_alg_register_enc(): Activating<NULL>: Ok (ret=0)
> Oct 26 15:27:54 swan pluto[12731]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.cakley_enc_names
> Oct 26 15:27:54 swan pluto[12731]: ike_alg_add(): ERROR: Algorithm already exists
> Oct 26 15:27:54 swan pluto[12731]: ike_alg_register_enc(): Activating<NULL>: FAILED (ret=-17)
> Oct 26 15:27:54 swan pluto[12731]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.cakley_enc_names
> Oct 26 15:27:54 swan pluto[12731]: ike_alg_add(): ERROR: Algorithm already exists
> Oct 26 15:27:54 swan pluto[12731]: ike_alg_register_enc(): Activating<NULL>: FAILED (ret=-17)
> Oct 26 15:27:54 swan pluto[12731]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.cakley_enc_names
> Oct 26 15:27:54 swan pluto[12731]: ike_alg_add(): ERROR: Algorithm already exists
> Oct 26 15:27:54 swan pluto[12731]: ike_alg_register_enc(): Activating<NULL>: FAILED (ret=-17)
> Oct 26 15:27:55 swan pluto[12731]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.cakley_enc_names
> Oct 26 15:27:55 swan pluto[12731]: ike_alg_add(): ERROR: Algorithm already exists
> Oct 26 15:27:55 swan pluto[12731]: ike_alg_register_enc(): Activating<NULL>: FAILED (ret=-17)
> Oct 26 15:27:55 swan pluto[12731]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.cakley_enc_names
> Oct 26 15:27:55 swan pluto[12731]: ike_alg_add(): ERROR: Algorithm already exists
> Oct 26 15:27:55 swan pluto[12731]: ike_alg_register_enc(): Activating<NULL>: FAILED (ret=-17)
> Oct 26 15:27:55 swan pluto[12731]: Changed path to directory '/etc/ipsec.d/cacerts'
> Oct 26 15:27:55 swan pluto[12731]: loaded CA cert file 'ca1Key.pem' (963 bytes)
> Oct 26 15:27:55 swan pluto[12731]: no passphrase available
> Oct 26 15:27:55 swan pluto[12731]: loaded CA cert file 'ca1Cert.pem' (1269 bytes)
> Oct 26 15:27:55 swan pluto[12731]: Changed path to directory '/etc/ipsec.d/aacerts'
> Oct 26 15:27:55 swan pluto[12731]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
> Oct 26 15:27:55 swan pluto[12731]: Changing to directory '/etc/ipsec.d/crls'
> Oct 26 15:27:55 swan pluto[12731]: Warning: empty directory
> Oct 26 15:27:55 swan pluto[12731]: Changing back to directory '/' failed - (2 No such file or directory)
> Oct 26 15:27:55 swan pluto[12731]: Changing back to directory '/' failed - (2 No such file or directory)
> Oct 26 15:27:56 swan pluto[12731]: loading certificate from /etc/ipsec.d/certs/linuxSign.pem
> Oct 26 15:27:56 swan pluto[12731]: loaded host cert file '/etc/ipsec.d/certs/linuxSign.pem' (1318 bytes)
> Oct 26 15:27:56 swan pluto[12731]: added connection description "l2tp-x509"
> Oct 26 15:27:56 swan pluto[12731]: listening for IKE messages
> Oct 26 15:27:56 swan pluto[12731]: adding interface eth0/eth0 10.245.23.198:500
> Oct 26 15:27:56 swan pluto[12731]: adding interface eth1/eth1 172.17.240.1:500
> Oct 26 15:27:56 swan pluto[12731]: adding interface lo/lo 127.0.0.1:500
> Oct 26 15:27:56 swan pluto[12731]: adding interface lo/lo ::1:500
> Oct 26 15:27:56 swan pluto[12731]: loading secrets from "/etc/ipsec.secrets"
> Oct 26 15:27:56 swan pluto[12731]: loading secrets from "/etc/ipsec.d/ipsec.secrets"
>
>
> Oct 26 15:28:10 swan pluto[12731]: packet from 172.18.240.34:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
> Oct 26 15:28:10 swan pluto[12731]: "l2tp-x509"[1] 172.18.240.34 #1: responding to Main Mode from unknown peer 172.18.240.34
> Oct 26 15:28:10 swan pluto[12731]: "l2tp-x509"[1] 172.18.240.34 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Oct 26 15:28:10 swan pluto[12731]: "l2tp-x509"[1] 172.18.240.34 #1: STATE_MAIN_R1: sent MR1, expecting MI2
> Oct 26 15:28:10 swan pluto[12731]: "l2tp-x509"[1] 172.18.240.34 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Oct 26 15:28:10 swan pluto[12731]: "l2tp-x509"[1] 172.18.240.34 #1: STATE_MAIN_R2: sent MR2, expecting MI3
> Oct 26 15:28:10 swan pluto[12731]: "l2tp-x509"[1] 172.18.240.34 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=LandA, O=FirmaA, L=StadtA, OU=AbteilungA, CN=musterfrau, E=test at test.de'
> Oct 26 15:28:10 swan pluto[12731]: "l2tp-x509"[1] 172.18.240.34 #1: no crl from issuer "C=DE, ST=LandA, L=StadtA, O=FirmaA, OU=AbteilungA, CN=mustermann, E=test at test.de" found (strict=no)
> Oct 26 15:28:10 swan pluto[12731]: "l2tp-x509"[1] 172.18.240.34 #1: no suitable connection for peer 'C=DE, ST=LandA, O=FirmaA, L=StadtA, OU=AbteilungA, CN=musterfrau, E=test at test.de'
> Oct 26 15:28:10 swan pluto[12731]: "l2tp-x509"[1] 172.18.240.34 #1: sending encrypted notification INVALID_ID_INFORMATION to 172.18.240.34:500
> Oct 26 15:28:11 swan pluto[12731]: "l2tp-x509"[1] 172.18.240.34 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=LandA, O=FirmaA, L=StadtA, OU=AbteilungA, CN=musterfrau, E=test at test.de'
> Oct 26 15:28:11 swan pluto[12731]: "l2tp-x509"[1] 172.18.240.34 #1: no crl from issuer "C=DE, ST=LandA, L=StadtA, O=FirmaA, OU=AbteilungA, CN=mustermann, E=test at test.de" found (strict=no)
> Oct 26 15:28:11 swan pluto[12731]: "l2tp-x509"[1] 172.18.240.34 #1: no suitable connection for peer 'C=DE, ST=LandA, O=FirmaA, L=StadtA, OU=AbteilungA, CN=musterfrau, E=test at test.de'
> Oct 26 15:28:11 swan pluto[12731]: "l2tp-x509"[1] 172.18.240.34 #1: sending encrypted notification INVALID_ID_INFORMATION to 172.18.240.34:500
> Oct 26 15:28:13 swan pluto[12731]: "l2tp-x509"[1] 172.18.240.34 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, ST=LandA, O=FirmaA, L=StadtA, OU=AbteilungA, CN=musterfrau, E=test at test.de'
> Oct 26 15:28:13 swan pluto[12731]: "l2tp-x509"[1] 172.18.240.34 #1: no crl from issuer "C=DE, ST=LandA, L=StadtA, O=FirmaA, OU=AbteilungA, CN=mustermann, E=test at test.de" found (strict=no)
> Oct 26 15:28:13 swan pluto[12731]: "l2tp-x509"[1] 172.18.240.34 #1: no suitable connection for peer 'C=DE, ST=LandA, O=FirmaA, L=StadtA, OU=AbteilungA, CN=musterfrau, E=test at test.de'
> Oct 26 15:28:13 swan pluto[12731]: "l2tp-x509"[1] 172.18.240.34 #1: sending encrypted notification INVALID_ID_INFORMATION to 172.18.240.34:500
> Oct 26 15:28:14 swan pluto[12731]: "l2tp-x509"[1] 172.18.240.34 #1: next payload type of ISAKMP Hash Payload has an unknown value: 167
> Oct 26 15:28:14 swan pluto[12731]: "l2tp-x509"[1] 172.18.240.34 #1: malformed payload in packet
> Oct 26 15:28:14 swan pluto[12731]: | payload malformed after IV
> Oct 26 15:28:14 swan pluto[12731]: | 69 71 b7 38 42 1b 24 ce 9c 1b 9e 70 ad 29 4f 80
> Oct 26 15:28:14 swan pluto[12731]: | c1 62 c4 b1
> Oct 26 15:28:14 swan pluto[12731]: "l2tp-x509"[1] 172.18.240.34 #1: sending notification PAYLOAD_MALFORMED to 172.18.240.34:500
> Oct 26 15:28:20 swan pluto[12731]: "l2tp-x509"[1] 172.18.240.34 #1: ignoring informational payload, type INVALID_COOKIE msgid=00000000
> Oct 26 15:28:20 swan pluto[12731]: "l2tp-x509"[1] 172.18.240.34 #1: received and ignored informational message
>
>
> my ipsec.conf:
>
> config setup
> #interfaces=%defaultroute
> #protostack=netkey
> #nat_traversal=yes
> #virtual_private=%v4:192.168.2.0/24,%v4:0/24
>
> include /etc/ipsec.d/no_oe.conf
>
> conn l2tp-x509
> left=10.245.23.198
> leftprotoport=17/%any
> leftcert=/etc/ipsec.d/certs/linuxSign.pem
> rightprotoport=17/%any
> right=%any
> rightrsasigkey=%cert
> auto=add
> rightid="C=DE, ST=LandA, L=StadtA, O=FirmaA, OU=AbteilungA, CN=mustermann, E=test at test.de"
>    
It seems to me that you are getting the following,

'C=DE, ST=LandA, O=FirmaA, L=StadtA, OU=AbteilungA, CN=musterfrau,E=test at test.de'

in which the order of "O=" and "L=" is interchanged compared to what you
have put as "rightid".

Not sure if that is the problem but better to verify.

Regards
Avesh

> pfs=no
>
>
> I played a lot with the settings, but nothing worked for me; always this error. I also tried things like rightid="C=DE, ST=*, L=*, O=*, OU=*, CN=*, E=*", with no success.
> Maybe someone could help me. In the meantime I had to work with PSK, but my employer is not happy about that.
>
>
>
> regards



More information about the Users mailing list
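To make the point in Avesh's reply checkable, here is an added example (not code from the thread or from Openswan) that compares the peer DN logged by pluto against a rightid the way pluto does: RDN by RDN, in order, with "*" allowed as a wildcard value. It assumes that ordered comparison is the only rule involved; note also that the rightid in the quoted config is the issuer DN from the "no crl from issuer" line (CN=mustermann), not the subject DN of the client certificate (CN=musterfrau), and the " at " in the E= values is how the list archive rendered "@".

```python
# Added example: ordered DN matching as Openswan's pluto applies it to rightid.
# Not from the thread; the DN strings below are copied from the quoted log/config.

def parse_dn(dn):
    """Split 'C=DE, ST=LandA, ...' into an ordered list of (attribute, value)."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def mismatched_rdns(peer_dn, rightid):
    """Return the positions at which the two DNs disagree (attribute or value).

    Matching is positional: the 3rd RDN of the peer DN is only ever compared
    with the 3rd RDN of rightid. A rightid value of '*' matches any value but
    does not relax the ordering or the attribute type at that position.
    """
    peer, want = parse_dn(peer_dn), parse_dn(rightid)
    if len(peer) != len(want):
        return list(range(max(len(peer), len(want))))
    bad = []
    for i, ((pa, pv), (wa, wv)) in enumerate(zip(peer, want)):
        if pa != wa or (wv != "*" and pv != wv):
            bad.append(i)
    return bad


def dn_matches(peer_dn, rightid):
    return not mismatched_rdns(peer_dn, rightid)


# Values taken from the quoted log and ipsec.conf.
PEER_ID = "C=DE, ST=LandA, O=FirmaA, L=StadtA, OU=AbteilungA, CN=musterfrau, E=test at test.de"
RIGHTID = "C=DE, ST=LandA, L=StadtA, O=FirmaA, OU=AbteilungA, CN=mustermann, E=test at test.de"
WILDCARD_RIGHTID = "C=DE, ST=*, L=*, O=*, OU=*, CN=*, E=*"
# Constructed: same attribute order as the peer certificate, wildcards after ST.
ORDERED_WILDCARD = "C=DE, ST=LandA, O=*, L=*, OU=*, CN=*, E=*"

if __name__ == "__main__":
    for label, rid in [("config rightid", RIGHTID),
                       ("wildcard rightid", WILDCARD_RIGHTID),
                       ("reordered wildcard", ORDERED_WILDCARD)]:
        print(f"{label}: mismatched positions {mismatched_rdns(PEER_ID, rid)}")
```

Running it shows that both rightids from the thread fail at the swapped O/L positions (the configured one also at CN), while a rightid that follows the certificate's own attribute order matches.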