[Openswan Users] Phase 1 hangs

Erich Titl erich.titl at think.ch
Thu Aug 12 07:40:48 EDT 2010


Hi everybody

I have an OpenSwan installation with roughly 100 tunnels going. The
clients use certificates for authentication.

Trying to add another client using the same software and a comparable
configuration results in a hang in Phase 1.

Here are some log excerpts:

Client

Aug 12 13:24:30 Bruenisried pluto[12904]: "asp_dmz" #1: initiating Main Mode
Aug 12 13:24:30 Bruenisried pluto[12904]: "asp_dmz" #1: ignoring unknown
Vendor ID payload [4f455a7e4261425d725c705f]
Aug 12 13:24:30 Bruenisried pluto[12904]: "asp_dmz" #1: received Vendor
ID payload [Dead Peer Detection]
Aug 12 13:24:30 Bruenisried pluto[12904]: "asp_dmz" #1: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 12 13:24:30 Bruenisried pluto[12904]: "asp_dmz" #1: STATE_MAIN_I2:
sent MI2, expecting MR2
Aug 12 13:24:30 Bruenisried pluto[12904]: "asp_dmz" #1: I am sending my cert
Aug 12 13:24:30 Bruenisried pluto[12904]: "asp_dmz" #1: I am sending a
certificate request
Aug 12 13:24:30 Bruenisried pluto[12904]: "asp_dmz" #1: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 12 13:24:30 Bruenisried pluto[12904]: "asp_dmz" #1: STATE_MAIN_I3:
sent MI3, expecting MR3
Aug 12 13:24:40 Bruenisried pluto[12904]: "asp_dmz" #1: discarding
duplicate packet; already STATE_MAIN_I3


Server

Aug 12 13:24:30 greatwall pluto[10516]: packet from aa.bb.cc.dd:500:
ignoring unknown Vendor ID payload [4f454e7c454d716b5f4d6c67]
Aug 12 13:24:30 greatwall pluto[10516]: packet from aa.bb.cc.dd:500:
received Vendor ID payload [Dead Peer Detection]
Aug 12 13:24:30 greatwall pluto[10516]: "test_support"[68] aa.bb.cc.dd
#313337: responding to Main Mode from unknown peer aa.bb.cc.dd
Aug 12 13:24:30 greatwall pluto[10516]: "test_support"[68] aa.bb.cc.dd
#313337: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 12 13:24:30 greatwall pluto[10516]: "test_support"[68] aa.bb.cc.dd
#313337: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 12 13:24:30 greatwall pluto[10516]: "test_support"[68] aa.bb.cc.dd
#313337: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 12 13:24:30 greatwall pluto[10516]: "test_support"[68] aa.bb.cc.dd
#313337: STATE_MAIN_R2: sent MR2, expecting MI3

It looks to me like the Identification does not work.

Both client and server appear to have correct certificates.

SERVER

000
000 List of X.509 End Certificates:
000
000 Aug 04 15:43:54 2010, count: 168
000        subject: 'C=CH, L=Schlieren, O=Ruf Telematik, OU=ASP,
CN=greatwall.asp.ruf.ch, E=ca at asp.ruf.ch'
000        issuer:  'C=CH, L=Schlieren, O=Ruf Telematik, OU=ASP,
CN=AspCA, E=ca at asp.ruf.ch'
000        serial:   57
000        pubkey:   1024 RSA Key AwEAAdFw9, has private key
000        validity: not before Apr 16 16:43:55 2009 ok
000                  not after  Mar 21 15:43:55 2014 ok
000        subjkey:
9c:6f:5d:d9:28:61:c9:0d:29:c2:79:f4:c4:e8:f8:3e:cb:6e:4c:8e
000        authkey:
94:e8:ab:11:ae:d4:13:02:2b:af:76:1c:e5:96:0a:f7:72:9f:02:a3

CLIENT

000
000 List of X.509 End Certificates:
000
000 Aug 12 11:24:29 2010, count: 1
000        subject: 'C=CH, L=Bruenisried, O=Gemeinde Bruenisried,
OU=ASP, CN=Gemeinde Bruenisried'
000        issuer:  'C=CH, L=Schlieren, O=Ruf Telematik, OU=ASP,
CN=AspCA, E=ca at asp.ruf.ch'
000        serial:   06
000        pubkey:   2048 RSA Key AwEAAcehC, has private key
000        validity: not before Aug 05 20:09:14 2010 ok
000                  not after  Jul 10 20:09:14 2015 ok
000        subjkey:
69:92:22:f6:4a:69:52:63:42:90:c6:8c:5c:a9:98:8e:2c:85:38:92
000        authkey:
21:f7:8f:aa:d9:cf:9e:f9:25:97:2e:d5:67:55:37:1c:15:cf:8f:78
000        aserial:  00:d6:3e:be:55:14:c1:57:5f

It appears as if the public keys of the peer machines never make it to
the other side.

Any ideas?

Thanks

Erich


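The two logs above can be read as a single IKEv1 Main Mode state machine: the initiator reports "sent MI3, expecting MR3", the responder reports "sent MR2, expecting MI3", and the initiator then sees a duplicate MR2. Read together, that says MI3 left the client but was never consumed by the server. The following script is an added example, not code from the original post or from Openswan itself: it parses pluto's "sent X, expecting Y" and "discarding duplicate packet" lines from both sides and names the message that was sent but never acknowledged. The sample lines are the ones from the post above with the mail wrapping undone; the function names, the returned dictionary keys and the MTU hint text are this example's own assumptions, not Openswan output.

```python
"""Find where an IKEv1 Main Mode negotiation stalled from pluto log lines.

Added example: parses log lines of the form pluto writes on both peers
and reports which Main Mode message was sent by one side but never
consumed by the other. Function and key names are this example's own.
"""
import re

# IKEv1 Main Mode message order (RFC 2409). MI3/MR3 are the first encrypted
# messages and, with RSA signature authentication, carry the ID, CERT and
# SIG payloads, so they are much larger than MI1..MR2.
MAIN_MODE_ORDER = ["MI1", "MR1", "MI2", "MR2", "MI3", "MR3"]

# "STATE_MAIN_I3: sent MI3, expecting MR3"; the final responder/initiator
# state reports "sent MR3, ISAKMP SA established" with no "expecting" part.
SENT_RE = re.compile(
    r"STATE_MAIN_(?P<state>[IR]\d): sent (?P<sent>M[IR]\d)"
    r"(?:, expecting (?P<expect>M[IR]\d))?"
)
# "discarding duplicate packet; already STATE_MAIN_I3": the peer retransmitted
# its last message, i.e. it never moved on.
DUP_RE = re.compile(r"discarding duplicate packet; already STATE_MAIN_[IR]\d")


def summarize(lines):
    """Return the last Main Mode step one pluto instance reached.

    Keys: role ("initiator"/"responder"), sent (last message it sent),
    expecting (what it waits for, or None), duplicates (retransmits of the
    peer's last message that it discarded).
    """
    info = {"role": None, "sent": None, "expecting": None, "duplicates": 0}
    for line in lines:
        m = SENT_RE.search(line)
        if m:
            info["role"] = "initiator" if m.group("state")[0] == "I" else "responder"
            info["sent"] = m.group("sent")
            info["expecting"] = m.group("expect")
        elif DUP_RE.search(line):
            info["duplicates"] += 1
    return info


def diagnose(initiator_lines, responder_lines):
    """Combine both sides and name the message that was sent but never consumed."""
    ini = summarize(initiator_lines)
    rsp = summarize(responder_lines)
    if ini["role"] != "initiator" or rsp["role"] != "responder":
        raise ValueError("expected one initiator log and one responder log")

    if rsp["expecting"] == ini["sent"]:
        lost, sender = ini["sent"], "initiator"
    elif ini["expecting"] == rsp["sent"]:
        lost, sender = rsp["sent"], "responder"
    else:
        return {"stalled_at": None, "sent_by": None, "retransmits": 0, "hint": "no stall found"}

    # Assumption-labelled hint: MI3/MR3 are the first messages that carry
    # ID/CERT/SIG and are commonly large enough to be IP-fragmented on UDP/500,
    # so dropped fragments are one thing worth checking between the peers.
    hint = ("first encrypted Main Mode message, carries ID/CERT/SIG; "
            "check for dropped IP fragments of UDP/500 between the peers"
            if lost in ("MI3", "MR3") else "unencrypted message; check basic reachability")
    return {
        "stalled_at": lost,
        "sent_by": sender,
        "retransmits": ini["duplicates"] + rsp["duplicates"],
        "hint": hint,
    }


# Lines from the post above, with the mail client's line wrapping undone.
CLIENT = [
    'Aug 12 13:24:30 Bruenisried pluto[12904]: "asp_dmz" #1: STATE_MAIN_I2: sent MI2, expecting MR2',
    'Aug 12 13:24:30 Bruenisried pluto[12904]: "asp_dmz" #1: STATE_MAIN_I3: sent MI3, expecting MR3',
    'Aug 12 13:24:40 Bruenisried pluto[12904]: "asp_dmz" #1: discarding duplicate packet; already STATE_MAIN_I3',
]
SERVER = [
    'Aug 12 13:24:30 greatwall pluto[10516]: "test_support"[68] aa.bb.cc.dd #313337: STATE_MAIN_R1: sent MR1, expecting MI2',
    'Aug 12 13:24:30 greatwall pluto[10516]: "test_support"[68] aa.bb.cc.dd #313337: STATE_MAIN_R2: sent MR2, expecting MI3',
]

if __name__ == "__main__":
    result = diagnose(CLIENT, SERVER)
    print(f"stalled at {result['stalled_at']} (sent by {result['sent_by']}), "
          f"{result['retransmits']} retransmit(s) seen: {result['hint']}")
```

Run against the post's own lines it reports MI3, sent by the initiator, with one retransmit of MR2 observed. MI3 is the first message that is both encrypted and, with certificate authentication, carries the certificate, which is why the two peers can complete MI1..MR2 and then stop there; the script only locates the stalled message, it does not prove why it was dropped.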