[Openswan Users] Phase 1 hangs
Erich Titl
erich.titl at think.ch
Thu Aug 12 07:40:48 EDT 2010
Hi everybody
I have an OpenSwan installation with roughly 100 tunnels going. The
clients use certificates for authentication.
Trying to add another client using the same software and a comparable
configuration gets a hang in Phase 1.
Here are some log excerpts:
Client
Aug 12 13:24:30 Bruenisried pluto[12904]: "asp_dmz" #1: initiating Main Mode
Aug 12 13:24:30 Bruenisried pluto[12904]: "asp_dmz" #1: ignoring unknown Vendor ID payload [4f455a7e4261425d725c705f]
Aug 12 13:24:30 Bruenisried pluto[12904]: "asp_dmz" #1: received Vendor ID payload [Dead Peer Detection]
Aug 12 13:24:30 Bruenisried pluto[12904]: "asp_dmz" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 12 13:24:30 Bruenisried pluto[12904]: "asp_dmz" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 12 13:24:30 Bruenisried pluto[12904]: "asp_dmz" #1: I am sending my cert
Aug 12 13:24:30 Bruenisried pluto[12904]: "asp_dmz" #1: I am sending a certificate request
Aug 12 13:24:30 Bruenisried pluto[12904]: "asp_dmz" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 12 13:24:30 Bruenisried pluto[12904]: "asp_dmz" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 12 13:24:40 Bruenisried pluto[12904]: "asp_dmz" #1: discarding duplicate packet; already STATE_MAIN_I3
Server
Aug 12 13:24:30 greatwall pluto[10516]: packet from aa.bb.cc.dd:500: ignoring unknown Vendor ID payload [4f454e7c454d716b5f4d6c67]
Aug 12 13:24:30 greatwall pluto[10516]: packet from aa.bb.cc.dd:500: received Vendor ID payload [Dead Peer Detection]
Aug 12 13:24:30 greatwall pluto[10516]: "test_support"[68] aa.bb.cc.dd #313337: responding to Main Mode from unknown peer aa.bb.cc.dd
Aug 12 13:24:30 greatwall pluto[10516]: "test_support"[68] aa.bb.cc.dd #313337: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 12 13:24:30 greatwall pluto[10516]: "test_support"[68] aa.bb.cc.dd #313337: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 12 13:24:30 greatwall pluto[10516]: "test_support"[68] aa.bb.cc.dd #313337: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 12 13:24:30 greatwall pluto[10516]: "test_support"[68] aa.bb.cc.dd #313337: STATE_MAIN_R2: sent MR2, expecting MI3
It looks to me like the Identification does not work.
Both client and server appear to have correct certificates:
SERVER
000
000 List of X.509 End Certificates:
000
000 Aug 04 15:43:54 2010, count: 168
000 subject: 'C=CH, L=Schlieren, O=Ruf Telematik, OU=ASP, CN=greatwall.asp.ruf.ch, E=ca at asp.ruf.ch'
000 issuer: 'C=CH, L=Schlieren, O=Ruf Telematik, OU=ASP, CN=AspCA, E=ca at asp.ruf.ch'
000 serial: 57
000 pubkey: 1024 RSA Key AwEAAdFw9, has private key
000 validity: not before Apr 16 16:43:55 2009 ok
000 not after Mar 21 15:43:55 2014 ok
000 subjkey: 9c:6f:5d:d9:28:61:c9:0d:29:c2:79:f4:c4:e8:f8:3e:cb:6e:4c:8e
000 authkey: 94:e8:ab:11:ae:d4:13:02:2b:af:76:1c:e5:96:0a:f7:72:9f:02:a3
CLIENT
000
000 List of X.509 End Certificates:
000
000 Aug 12 11:24:29 2010, count: 1
000 subject: 'C=CH, L=Bruenisried, O=Gemeinde Bruenisried, OU=ASP, CN=Gemeinde Bruenisried'
000 issuer: 'C=CH, L=Schlieren, O=Ruf Telematik, OU=ASP, CN=AspCA, E=ca at asp.ruf.ch'
000 serial: 06
000 pubkey: 2048 RSA Key AwEAAcehC, has private key
000 validity: not before Aug 05 20:09:14 2010 ok
000 not after Jul 10 20:09:14 2015 ok
000 subjkey: 69:92:22:f6:4a:69:52:63:42:90:c6:8c:5c:a9:98:8e:2c:85:38:92
000 authkey: 21:f7:8f:aa:d9:cf:9e:f9:25:97:2e:d5:67:55:37:1c:15:cf:8f:78
000 aserial: 00:d6:3e:be:55:14:c1:57:5f
It appears as if the public keys of the peer machines never make it to
the other side.
Any ideas?
Thanks
Erich