[Openswan Users] we require peer ID 'O=xxxx, CN=yyyy, D=aaaaa' but peer declares 'O=xxxx, CN=yyyy, D=aaaaa'. Is the same ID!!!!!
Eduardo Barambio Donate
ebarambio at ono.com
Mon Jun 14 04:30:10 EDT 2010
Hello openswan users.
I want to create a tunnel between my roadwarrior host with Openswan and a
Cisco concentrator.
This is the result of bringing up the conn:
...
valid certificate signature (O=vodafone.es -> O=vodafone.es)
| reached self-signed root ca
| Public key validated
"Vodafone" #1: we require peer to have ID 'O=vodafone.es, CN=VPN3030_A,
D=Router de Atocha VPN 3030_A', but peer declares 'O=vodafone.es,
CN=VPN3030_A, D=Router de Atocha VPN 3030_A'
| complete state transition with (null)
"Vodafone" #1: sending encrypted notification INVALID_ID_INFORMATION to
xxx.xxx.xxx.xxx:500
...
As you can see, both IDs, the one I require and the one the gateway sent in the
cert, ARE THE SAME!!!
And this is my ipsec.conf:
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
#config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg: plutodebug="control parsing"
        #
        # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        #nat_traversal=yes
        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        #
        # enable this if you see "failed to find any available worker"
        #nhelpers=0

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug="all"
        plutostderrlog=/home/eduardo/ipsec.log
        #nat_traversal=yes
        #protostack=netkey

conn %default
        authby=rsasig
        #leftrsasigkey=%cert
        #rightrsasigkey=%cert
        #type=tunnel
        #keyingtries=3
        #keylife=1200s
        #ikelifetime=1200s

# Add connections here
conn Vodafone
        #aggrmode=yes
        #keyexchange=ike
        #auth=esp
        #3des-sha-modp2048
        #3des-md5-96
        #pfs=no
        #rekey=yes
        auto=add
        left=%defaultroute
        leftprotoport=17/1701
        leftcert="/etc/openswan/ipsec.d/certs/ipsec_teleworx_andmap.pem"
        leftid=<ID from my cert>
        #leftid=%fromcert
        right=<gateway IP>
        rightsubnet=0.0.0.0/0
        rightid="/O=vodafone.es/CN=VPN3030_A/D=Router de Atocha VPN 3030_A"
        #rightca=/etc/openswan/ipsec.d/cacerts/cacert.crt
        rightprotoport=17/1701

#Disable Opportunistic Encryption
include /etc/openswan/ipsec.d/examples/no_oe.conf

Any answer about that?
Thanks for any reply you can give me.