[Openswan Users] no suitable connection for peer - using multiple CAs

Bob Miller bob at computerisms.ca
Sun Feb 7 17:07:16 EST 2010


Hello List,
A pleasant day to you all...

I am seeking clarification regarding the usage of certificates.

I have an existing vpn for road-warriors, it was created with a
self-generated CA and all of its appropriate certs.

I have another existing VPN, also for road-warriors, and also with a
self-generated CA and all the appropriate certs.

I now want to create a net-to-net tunnel between these two gateways.

As best as I can tell, the certs are all loading up fine, --listall
shows what I expect to see, the CAs both show as being loaded in the
logs on both sides.  However, I get an error like so on whichever side
receives a connection initiation:

Main mode peer ID is ID_FQDN: '@gatelian.computerisms.ca'
no suitable connection for peer '@gatelian.computerisms.ca'
sending encrypted notification INVALID_ID_INFORMATION to
207.189.252.14:500

My config is duplicated on both sides as follows:

config setup
   interfaces="%defaultroute"
   plutodebug=none
   klipsdebug=none
   virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.25.0/24,%v4:!192.168.150.0/24
   nat_traversal=yes
   protostack=netkey

conn %default
   keyingtries=5
   auto=add
   leftrsasigkey=%cert
   rightrsasigkey=%cert

conn computerisms-ctfn
   left=199.247.135.194
   leftnexthop=199.247.135.193
   leftsubnet=192.168.150.0/24
   leftcert=/etc/ipsec.d/certs/fw-ctfn.ctfn.ca.pem
   leftsourceip=192.168.150.1
   right=207.189.252.14
   rightnexthop=207.189.252.13
   rightsubnet=192.168.25.0/24
   rightcert=/etc/ipsec.d/certs/gatelian.computerisms.ca.pem
   rightsourceip=192.168.25.1
   auto=start
   leftca=/etc/ipsec.d/cacerts/CTFN.Root.Authority
   rightca=/etc/ipsec.d/cacerts/Computerisms.Root.Certificate
   rightid=@gatelian.computerisms.ca
   leftid=@fw-ctfn.ctfn.ca

   include /etc/ipsec.d/examples/no_oe.conf


The leftid is not a resolvable dns name, but both rightid and leftid
match the CN in their respective certs.
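A small checker, added here and not part of Bob's message or of Openswan itself, that parses the posted ipsec.conf (a constructed excerpt is embedded), merges conn %default into the conn, and classifies each side's ID string the way Openswan's ID parser does (simplified), so that the ID_FQDN type seen in the log and the cert/CA material on each side can be compared between the two gateways:

```python
import ipaddress

# Constructed sample: the %default and conn blocks from the post above.
SAMPLE_CONF = """\
conn %default
   leftrsasigkey=%cert
   rightrsasigkey=%cert

conn computerisms-ctfn
   left=199.247.135.194
   leftcert=/etc/ipsec.d/certs/fw-ctfn.ctfn.ca.pem
   right=207.189.252.14
   rightcert=/etc/ipsec.d/certs/gatelian.computerisms.ca.pem
   leftca=/etc/ipsec.d/cacerts/CTFN.Root.Authority
   rightca=/etc/ipsec.d/cacerts/Computerisms.Root.Certificate
   rightid=@gatelian.computerisms.ca
   leftid=@fw-ctfn.ctfn.ca
"""

def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}}; indented lines belong to the
    preceding 'conn NAME' / 'config setup' header, comments are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None and "=" in line:
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip().strip('"')
    return sections

def classify_id(value):
    """Simplified Openswan ID typing: leading '@' is ID_FQDN (the type in the
    log), an embedded '@' ID_USER_FQDN, 'X=Y' a DER DN, a literal an IP ID."""
    if value.startswith("@"):
        return "ID_FQDN"
    if "@" in value:
        return "ID_USER_FQDN"
    if "=" in value:
        return "ID_DER_ASN1_DN"
    try:
        return "ID_IPV%d_ADDR" % ipaddress.ip_address(value).version
    except ValueError:
        return "UNRESOLVED"  # Openswan would attempt a DNS lookup here

def conn_summary(sections, name):
    """Merge conn %default into the named conn and describe each side's
    identity material, flagging %cert used without a matching cert= line."""
    conn = {**sections.get(("conn", "%default"), {}), **sections[("conn", name)]}
    out = {}
    for side in ("left", "right"):
        ident = conn.get(side + "id")  # absent => Openswan derives it from the cert
        out[side] = {"id": ident, "id_type": classify_id(ident) if ident else "DEFAULT",
                     "cert": conn.get(side + "cert"), "ca": conn.get(side + "ca"),
                     "missing_cert": conn.get(side + "rsasigkey") == "%cert"
                                     and side + "cert" not in conn}
    return out
```

Run conn_summary against the real /etc/ipsec.conf on both gateways and diff the two outputs; any difference in id, id_type, cert or ca for the same side is a mismatch worth investigating before looking at the CA setup.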

I have searched this one for some hours now.  I am of the understanding
that this error is indicating that the initiating side is sending an ID
payload that the receiving side does not find a match for in any of its
connections.  --status tells me that the correct connection is being
chosen, I fail to understand what the receiving side wants to see in the
ID payload that is not present.

My only theory as to why the ID is not correct is the usage of multiple
CA certs.  I haven't come across any documentation specifically
addressing how to configure for multiple CAs, but from the snippets I
have read, I think this config should work.  Since it does not, there is
obviously a flaw in my thinking.  I hope someone can point that flaw out
for me...


Bob Miller
334-7117/633-3760
http://computerisms.ca
bob at computerisms.ca
Network, Internet, Server,
and Open Source Solutions
