[Openswan Users] Smartcard auth issue 4.3.5
Mike Jones
mikeones at gmail.com
Thu Jan 28 18:48:15 EST 2010
I am having an issue getting my client to connect via a smartcard. When I
connect from a Windows client it looks like the server sends a certificate
request that contains two certificate request payloads. The client sends
two IP packets in response. When I connect from a Linux client I only see
one IP packet being sent in response. Looking at a successful connection in
Windows I see the following after the IKE policies are negotiated.
The client/server negotiate IKE.
The server sends a certificate request that contains two certificate request
payloads.
The client sends two IP packets (fragmented) and then an ISAKMP packet with
an encrypted payload of 3632 bytes.
The server then sends two IP packets (fragmented) and then an ISAKMP packet
with an encrypted payload of 3456 bytes.
Then the client and server go into ISAKMP Quick Mode and the ESP connection
starts.
When I connect from my Linux client I see the following.
The client/server negotiate IKE.
The server sends a certificate request that contains two certificate request
payloads.
The client sends ONE IP packet (fragmented) and then an ISAKMP packet with
an encrypted payload of 2040 bytes.
The server never responds and the connection restarts until it times out.
Here is the console output.
002 "test" #1: initiating Main Mode
104 "test" #1: STATE_MAIN_I1: initiate
003 "test" #1: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
003 "test" #1: ignoring Vendor ID payload [FRAGMENTATION]
003 "test" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
002 "test" #1: enabling possible NAT-traversal with method RFC 3947
106 "test" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "test" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03:
i am NATed
002 "test" #1: we have a cert and are sending it upon request
108 "test" #1: STATE_MAIN_I3: sent MI3, expecting MR3
010 "test" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
010 "test" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
I am running strongSwan 4.3.5. Here is my ipsec.conf:
conn test
    right=my.tunnel.co.com
    rightid=@co.com
    authby=rsasig
    left=%defaultroute
    leftcert=%smartcard
    auto=start
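To check observations like the ones above from a capture (how many certificate request payloads the responder actually sent, and whether a packet is encrypted so its payload chain cannot be inspected), here is a small IKEv1/ISAKMP payload-chain walker. It is an added example and not code from the original post or from strongSwan; the packet bytes, SPIs and the certificate authority value are constructed for illustration, and the helper names (parse_isakmp, build_packet, count_certreqs) are this example's own. It expects a fully reassembled ISAKMP message, so IP fragments such as the ones in the post must be reassembled (e.g. by the capture tool) before the bytes are handed to it.

```python
import struct

# IKEv1 (ISAKMP, RFC 2408) payload type numbers seen in a Main Mode exchange
PAYLOAD_NAMES = {
    0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
    7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
}
EXCHANGE_NAMES = {1: "Base", 2: "Main Mode", 4: "Aggressive",
                  5: "Informational", 32: "Quick Mode"}
FLAG_ENCRYPTION = 0x01   # ISAKMP header flag: payloads are encrypted
PAYLOAD_CR = 7
HDR_LEN = 28             # ISAKMP header: 8+8+1+1+1+1+4+4 bytes
GEN_HDR_LEN = 4          # generic payload header: next, reserved, length


def parse_isakmp(pkt: bytes) -> dict:
    """Walk the payload chain of one reassembled ISAKMP message."""
    if len(pkt) < HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    (_i_spi, _r_spi, next_pl, _version, exch, flags,
     _msg_id, length) = struct.unpack("!8s8sBBBBII", pkt[:HDR_LEN])
    if length != len(pkt):
        raise ValueError(f"header length {length} != {len(pkt)} bytes "
                         "(unreassembled fragment or truncated capture?)")
    info = {"exchange": EXCHANGE_NAMES.get(exch, str(exch)),
            "encrypted": bool(flags & FLAG_ENCRYPTION), "payloads": []}
    if info["encrypted"]:
        # Ciphertext: the chain cannot be walked without the session keys.
        return info
    off = HDR_LEN
    while next_pl != 0:
        if off + GEN_HDR_LEN > len(pkt):
            raise ValueError("payload chain runs past end of packet")
        nxt, _rsvd, plen = struct.unpack("!BBH", pkt[off:off + GEN_HDR_LEN])
        if plen < GEN_HDR_LEN or off + plen > len(pkt):
            raise ValueError("bad payload length")
        body = pkt[off + GEN_HDR_LEN:off + plen]
        entry = {"type": PAYLOAD_NAMES.get(next_pl, str(next_pl)), "len": plen}
        if next_pl == PAYLOAD_CR and body:
            # CR payload: one byte certificate encoding, then the CA identity
            entry["cert_encoding"] = body[0]
            entry["authority"] = body[1:]
        info["payloads"].append(entry)
        next_pl, off = nxt, off + plen
    return info


def count_certreqs(pkt: bytes) -> int:
    """Number of CR payloads in a cleartext ISAKMP message (0 if encrypted)."""
    return sum(1 for p in parse_isakmp(pkt)["payloads"] if p["type"] == "CR")


def build_packet(payloads, exch=2, flags=0) -> bytes:
    """Assemble a constructed ISAKMP message from (type, body) pairs."""
    body = b""
    for idx, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[idx + 1][0] if idx + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, GEN_HDR_LEN + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first,
                      0x10, exch, flags, 0, HDR_LEN + len(body))
    return hdr + body


# Constructed sample: a responder message carrying two CR payloads (X.509
# signature encoding = 4) for the same CA, followed by a vendor ID payload.
CONSTRUCTED_CA = b"CONSTRUCTED-DN-placeholder-co.com"
SAMPLE_PAYLOADS = [
    (PAYLOAD_CR, bytes([4]) + CONSTRUCTED_CA),
    (PAYLOAD_CR, bytes([4]) + CONSTRUCTED_CA),
    (13, b"FRAGMENTATION"),
]

if __name__ == "__main__":
    msg = build_packet(SAMPLE_PAYLOADS)
    print(parse_isakmp(msg)["exchange"], "CR payloads:", count_certreqs(msg))
    enc = build_packet([], flags=FLAG_ENCRYPTION)
    print("encrypted:", parse_isakmp(enc)["encrypted"])
```

When run on a capture, a client that answers two CR payloads with a single CERT payload versus one that answers with two is visible directly in the payload chain of its MI3 message; the encrypted third-message bodies (the 3632 and 2040 byte payloads mentioned above) only show the encryption flag and length, so comparing sizes is the most a passive observer can do there.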