[Openswan Users] x509 auth unable to find suitable connection
Mariusz Kruk
kruk at epsilon.eu.org
Wed Feb 16 08:44:43 EST 2011
Hello.
I'm trying to set up a IPSEC/L2TP connection between Windows roadwarrior
and
Linux server. With PSK everything works perfectly. When I try to switch
to
certs, I can't connect. I'm just getting "no suitable connection found".
Log entries:
pluto[23296]: Starting Pluto (Openswan Version 2.6.28; Vendor ID OEQ{O\177nez{CQ) pid:23296
pluto[23296]: SAref support [disabled]: Protocol not available
pluto[23296]: SAbind support [disabled]: Protocol not available
pluto[23296]: Setting NAT-Traversal port-4500 floating to on
pluto[23296]: port floating activation criteria nat_t=1/port_float=1
pluto[23296]: NAT-Traversal support [enabled]
pluto[23296]: using /dev/urandom as source of random entropy
pluto[23296]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
pluto[23296]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
pluto[23296]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
pluto[23296]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
pluto[23296]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
pluto[23296]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
pluto[23296]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
pluto[23296]: starting up 1 cryptographic helpers
pluto[23296]: started helper pid=23299 (fd:7)
pluto[23299]: using /dev/urandom as source of random entropy
pluto[23296]: Kernel interface auto-pick
pluto[23296]: Using Linux 2.6 IPsec interface code on 2.6.32-5-686 (experimental code)
pluto[23296]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
pluto[23296]: ike_alg_add(): ERROR: Algorithm already exists
pluto[23296]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
pluto[23296]: ike_alg_add(): ERROR: Algorithm already exists
pluto[23296]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
pluto[23296]: ike_alg_add(): ERROR: Algorithm already exists
pluto[23296]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
pluto[23296]: ike_alg_add(): ERROR: Algorithm already exists
pluto[23296]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
pluto[23296]: ike_alg_add(): ERROR: Algorithm already exists
pluto[23296]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
pluto[23296]: Changed path to directory '/etc/ipsec.d/cacerts'
pluto[23296]: loaded CA cert file 'AVL.pem' (1872 bytes)
pluto[23296]: Changed path to directory '/etc/ipsec.d/aacerts'
pluto[23296]: Changed path to directory '/etc/ipsec.d/ocspcerts'
pluto[23296]: Changing to directory '/etc/ipsec.d/crls'
pluto[23296]: Warning: empty directory
pluto[23296]: loading certificate from /etc/ipsec.d/certs/whateverCert.pem
pluto[23296]: loaded host cert file '/etc/ipsec.d/certs/whateverCert.pem' (1826 bytes)
pluto[23296]: added connection description "l2tp-whatever"
pluto[23296]: listening for IKE messages
pluto[23296]: NAT-Traversal: Trying new style NAT-T
pluto[23296]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
pluto[23296]: NAT-Traversal: Trying old style NAT-T
pluto[23296]: adding interface ppp1/ppp1 192.168.5.1:500
pluto[23296]: adding interface ppp1/ppp1 192.168.5.1:4500
pluto[23296]: adding interface tun2/tun2 192.168.111.1:500
pluto[23296]: adding interface tun2/tun2 192.168.111.1:4500
pluto[23296]: adding interface tun1/tun1 192.168.110.1:500
pluto[23296]: adding interface tun1/tun1 192.168.110.1:4500
pluto[23296]: adding interface tun0/tun0 10.0.12.1:500
pluto[23296]: adding interface tun0/tun0 10.0.12.1:4500
pluto[23296]: adding interface eth1/eth1 1.2.3.4:500
pluto[23296]: adding interface eth1/eth1 1.2.3.4:4500
pluto[23296]: adding interface eth0/eth0 192.168.105.251:500
pluto[23296]: adding interface eth0/eth0 192.168.105.251:4500
pluto[23296]: adding interface eth0/eth0 192.168.104.251:500
pluto[23296]: adding interface eth0/eth0 192.168.104.251:4500
pluto[23296]: adding interface eth0/eth0 192.168.103.251:500
pluto[23296]: adding interface eth0/eth0 192.168.103.251:4500
pluto[23296]: adding interface eth0/eth0 192.168.101.251:500
pluto[23296]: adding interface eth0/eth0 192.168.101.251:4500
pluto[23296]: adding interface lo/lo 127.0.0.1:500
pluto[23296]: adding interface lo/lo 127.0.0.1:4500
pluto[23296]: adding interface lo/lo ::1:500
pluto[23296]: loading secrets from "/etc/ipsec.secrets"
pluto[23296]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
pluto[23296]: loaded private key file '/etc/ipsec.d/private/whateverKey.pem' (1679 bytes)
pluto[23296]: loaded private key for keyid: PPK_RSA:AwEAAccf7
pluto[23296]: packet from 77.253.107.194:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
pluto[23296]: packet from 77.253.107.194:500: ignoring Vendor ID payload [FRAGMENTATION]
pluto[23296]: packet from 77.253.107.194:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
pluto[23296]: packet from 77.253.107.194:500: ignoring Vendor ID payload [Vid- Initial-Contact]
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: responding to Main Mode from unknown peer 77.253.107.194
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: STATE_MAIN_R1: sent MR1, expecting MI2
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: STATE_MAIN_R2: sent MR2, expecting MI3
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=PL, CN=k... at whatever.pl'
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: no crl from issuer "O=avl, OU=Organizational CA" found (strict=no)
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: no suitable connection for peer 'C=PL, CN=kruk at whatever.pl'
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: sending encrypted notification INVALID_ID_INFORMATION to 77.253.107.194:500
[cut some repetitions from here]
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: byte 2 of ISAKMP Hash Payload must be zero, but is not
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: malformed payload in packet
pluto[23296]: | payload malformed after IV
pluto[23296]: | cc 0b b8 37 5d 68 01 18 ba 7a 14 88 0c 49 22 6b
pluto[23296]: | 17 0e 49 35
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: sending notification PAYLOAD_MALFORMED to 77.253.107.194:500
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: max number of retransmissions (2) reached STATE_MAIN_R2
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194: deleting connection "l2tp- whatever" instance with peer 77.253.107.194 {isakmp=#0/ipsec=#0
When I tried to debug x509, I got additional info in logs:
Feb 16 11:48:38 epsilon pluto[31415]: "l2tp-cert"[1] 77.253.107.194 #1: no crl from issuer "O=avl, OU=Organizational CA" found (strict=no)
Feb 16 11:48:38 epsilon pluto[31415]: | subject: 'O=avl, OU=Organizational CA'
Feb 16 11:48:38 epsilon pluto[31415]: | issuer: 'O=avl, OU=Organizational CA'
Feb 16 11:48:38 epsilon pluto[31415]: | authkey: db:d2:e2:90:44:65:4f:d2:b6:58:ab:e0:94:7b:fd:9d:1d:32:69:45
Feb 16 11:48:38 epsilon pluto[31415]: | not before : Jan 14 13:14:57 UTC 2008
Feb 16 11:48:38 epsilon pluto[31415]: | current time: Feb 16 10:48:38 UTC 2011
Feb 16 11:48:38 epsilon pluto[31415]: | not after : Jan 14 13:14:57 UTC 2018
Feb 16 11:48:38 epsilon pluto[31415]: | valid certificate for "O=avl, OU=Organizational CA"
Feb 16 11:48:38 epsilon pluto[31415]: | issuer cacert "O=avl, OU=Organizational CA" found
Feb 16 11:48:38 epsilon pluto[31415]: | signature algorithm: 'sha-1WithRSAEncryption'
Feb 16 11:48:38 epsilon pluto[31415]: | digest: bd 65 46 f0 bc e2 9d 71 a5 d1 12 17 55 38 ba d6
Feb 16 11:48:38 epsilon pluto[31415]: | digest: 87 f5 00 ef
Feb 16 11:48:38 epsilon pluto[31415]: | valid certificate signature (O=avl, OU=Organizational CA -> O=avl, OU=Organizational CA)
Feb 16 11:48:38 epsilon pluto[31415]: | reached self-signed root ca
Feb 16 11:48:38 epsilon pluto[31415]: | Public key validated
Feb 16 11:48:38 epsilon pluto[31415]: | CR 30 2a 31 0c 30 0a 06 03 55 04 0a 13 03 61 76 6c
Feb 16 11:48:38 epsilon pluto[31415]: | CR 31 1a 30 18 06 03 55 04 0b 13 11 4f 72 67 61 6e
Feb 16 11:48:38 epsilon pluto[31415]: | CR 69 7a 61 74 69 6f 6e 61 6c 20 43 41
Feb 16 11:48:38 epsilon pluto[31415]: | requested CA: 'O=avl, OU=Organizational CA'
Feb 16 11:48:38 epsilon pluto[31415]: | trusted_ca called with a=O=avl, OU=Organizational CA b=alidated
Feb 16 11:48:38 epsilon pluto[31415]: | trusted_ca returning with failed
Feb 16 11:48:38 epsilon pluto[31415]: | trusted_ca called with a=\367\001 b=O=avl, OU=Organizational CA
Feb 16 11:48:38 epsilon pluto[31415]: | trusted_ca returning with failed
Feb 16 11:48:38 epsilon pluto[31415]: | trusted_ca called with a=O=avl, OU=Organizational CA b=alidated
Feb 16 11:48:38 epsilon pluto[31415]: | trusted_ca returning with failed
Feb 16 11:48:39 epsilon pluto[31415]: | trusted_ca called with a=\367\001 b=O=avl, OU=Organizational CA
Feb 16 11:48:39 epsilon pluto[31415]: | trusted_ca returning with failed
Feb 16 11:48:39 epsilon pluto[31415]: "l2tp-cert"[1] 77.253.107.194 #1: no suitable connection for peer 'C=PL, CN=kruk at whatever.pl'
My config:
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=auto
conn l2tp-whatever
authby=rsasig
pfs=no
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=1.2.3.4
leftrsasigkey=/etc/ipsec.d/private/whateverKey.pem
leftcert=/etc/ipsec.d/certs/whateverCert.pem
leftprotoport=17/1701
right=%any
rightca=/etc/ipsec.d/cacerts/AVL.pem
rightprotoport=17/%any
auto=add
It acts the same regardless of whether I change rightca to %same or even %any.
(it just sometimes calls trusted_ca with (empty) instead of \367\001 and fails
just the same).
Any ideas why it doesn't work? Anything else to check?
TIA for any hints.
--
d'`'`'`'`'`'`'`'`'`'`'`'`'Yb
`b Kruk at epsilon.eu.org d'
d' http://epsilon.eu.org/ Yb
`b,-,.,-,.,-,.,-,.,-,.,-,.d'
More information about the Users
mailing list