[Openswan Users] X.509 certificate rejected

goog long cecolong at yahoo.com
Mon Mar 15 17:02:50 EDT 2010


I need your help with this error from the host log:

Mar 15 15:19:19  pluto[12210]: packet from 192.168.50.2:500: received Vendor ID payload [Openswan (this version) 2.6.21 ]
Mar 15 15:19:19 host-lx pluto[12210]: packet from 192.168.50.2:500: received Vendor ID payload [Dead Peer Detection]
Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: responding to Main Mode from unknown peer 192.168.50.2
Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: Main mode peer ID is ID_IPV4_ADDR: '192.168.50.2'
Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: issuer cacert not found
Mar 15 15:19:19 host-lx pluto[12210]: "roadwarrior-net"[4] 192.168.50.2 #4: X.509 certificate rejected



My host ipsec.conf:

version 2.0

config setup
	interfaces=%defaultroute
	nat_traversal=no

conn %default
	keyingtries=1
	compress=yes
	disablearrivalcheck=no
	authby=rsasig
	leftrsasigkey=%cert
	rightrsasigkey=%cert

conn roadwarrior-net
	leftsubnet=192.168.50.0/255.255.255.0
	also=roadwarrior

conn roadwarrior
	# left=%defaultroute
	left=192.168.50.1
	leftcert=host.example.com.pem
	right=%any
	rightsubnet=vhost:%no,%priv
	auto=add
	pfs=yes

Files on client machine:

/etc/ipsec.d/private/host.example.com.key
/etc/ipsec.d/crls/crl.pem
/etc/ipsec.d/certs/host.example.com.pem
/etc/ipsec.d/cacerts/cacert.pem





My client ipsec.conf:

version 2.0

config setup
	interfaces=%defaultroute
	nat_traversal=no

conn %default
	keyingtries=1
	compress=yes
	authby=rsasig
	leftrsasigkey=%cert
	rightrsasigkey=%cert

conn roadwarrior-net
	leftsubnet=192.168.50.0/255.255.255.0
	also=roadwarrior

conn roadwarrior
	# left=%defaultroute
	left=192.168.50.2
	leftcert=clienthost.example.com.pem
	right=192.168.50.1
	rightsubnet=host.example.com.pem
	auto=add
	pfs=yes

Files on host machine:

/etc/ipsec.d/private/clienthost.example.com.key
/etc/ipsec.d/crls/crl.pem
/etc/ipsec.d/certs/host.example.com.pem
/etc/ipsec.d/certs/clienthost.example.com.pem
/etc/ipsec.d/cacerts/cacert.pem

where host.example.com.pem is copied from the host. All key files and pem files were generated separately using openssl CA.sh on the client machine and on the host machine.
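Pluto logs "issuer cacert not found" when no certificate in /etc/ipsec.d/cacerts/ has a subject DN equal to the issuer DN of the certificate the peer presented; a CA created by running CA.sh on one machine is not in the other machine's cacerts unless its CA certificate is copied there. The Python below is an added example, not from the original post or from Openswan, that reproduces the DN-matching part of that lookup (Openswan also consults the AuthorityKeyIdentifier extension, which is left out here); the tlv/dn/toy_cert helpers and the names "Host CA", "Client CA" and clienthost.example.com build constructed, unsigned test certificates.

```python
import base64
import re

def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):                    # (tag, value) pairs directly inside a constructed value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def issuer_and_subject(cert_der):
    """Return (issuer, subject) as raw DER Name values. tbsCertificate is
    SEQ { [0] version OPTIONAL, serialNumber, signature, issuer, validity, subject, ... }"""
    tbs = der_children(der_tlv(cert_der)[1])[0][1]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                # skip the EXPLICIT [0] version when present
        fields = fields[1:]
    return fields[2][1], fields[4][1]

def pem_to_der(pem_text):                   # strip the PEM armour around one certificate
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem_text, re.S).group(1)
    return base64.b64decode("".join(body.split()))

def find_issuer_cacert(leaf_der, cacert_ders):
    """The DN part of pluto's lookup: the cacert whose subject equals the leaf's issuer (byte-for-byte)."""
    issuer = issuer_and_subject(leaf_der)[0]
    for ca in cacert_ders:
        if issuer_and_subject(ca)[1] == issuer:
            return ca
    return None                             # -> "issuer cacert not found"

def tlv(tag, value):                        # constructed test data: short-form DER length suffices
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def dn(cn):                                 # Name ::= SEQ OF SET OF SEQ { OID 2.5.4.3, UTF8String }
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, cn.encode()))))

def toy_cert(issuer_cn, subject_cn):        # unsigned shell: empty algorithm/validity, placeholder signature
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + dn(issuer_cn) + tlv(0x30, b"") + dn(subject_cn))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

With real files, read each /etc/ipsec.d/cacerts/*.pem through pem_to_der and pass the list to find_issuer_cacert together with the peer's certificate; a None result is the condition the log line reports.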

