[Openswan Users] x509 auth unable to find suitable connection

Mariusz Kruk kruk at epsilon.eu.org
Wed Feb 16 08:44:43 EST 2011


Hello.
I'm trying to set up an IPSEC/L2TP connection between a Windows roadwarrior
and a Linux server. With PSK everything works perfectly. When I try to switch
to certs, I can't connect. I'm just getting "no suitable connection found".

Log entries:
pluto[23296]: Starting Pluto (Openswan Version 2.6.28; Vendor ID OEQ{O\177nez{CQ) pid:23296
pluto[23296]: SAref support [disabled]: Protocol not available
pluto[23296]: SAbind support [disabled]: Protocol not available
pluto[23296]: Setting NAT-Traversal port-4500 floating to on
pluto[23296]:    port floating activation criteria nat_t=1/port_float=1
pluto[23296]:    NAT-Traversal support  [enabled]
pluto[23296]: using /dev/urandom as source of random entropy
pluto[23296]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
pluto[23296]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
pluto[23296]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
pluto[23296]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
pluto[23296]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
pluto[23296]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
pluto[23296]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
pluto[23296]: starting up 1 cryptographic helpers
pluto[23296]: started helper pid=23299 (fd:7)
pluto[23299]: using /dev/urandom as source of random entropy
pluto[23296]: Kernel interface auto-pick
pluto[23296]: Using Linux 2.6 IPsec interface code on 2.6.32-5-686 (experimental code)
pluto[23296]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
pluto[23296]: ike_alg_add(): ERROR: Algorithm already exists
pluto[23296]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
pluto[23296]: ike_alg_add(): ERROR: Algorithm already exists
pluto[23296]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
pluto[23296]: ike_alg_add(): ERROR: Algorithm already exists
pluto[23296]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
pluto[23296]: ike_alg_add(): ERROR: Algorithm already exists
pluto[23296]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
pluto[23296]: ike_alg_add(): ERROR: Algorithm already exists
pluto[23296]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
pluto[23296]: Changed path to directory '/etc/ipsec.d/cacerts'
pluto[23296]:   loaded CA cert file 'AVL.pem' (1872 bytes)
pluto[23296]: Changed path to directory '/etc/ipsec.d/aacerts'
pluto[23296]: Changed path to directory '/etc/ipsec.d/ocspcerts'
pluto[23296]: Changing to directory '/etc/ipsec.d/crls'
pluto[23296]:   Warning: empty directory
pluto[23296]: loading certificate from /etc/ipsec.d/certs/whateverCert.pem
pluto[23296]:   loaded host cert file '/etc/ipsec.d/certs/whateverCert.pem' (1826 bytes)
pluto[23296]: added connection description "l2tp-whatever"
pluto[23296]: listening for IKE messages
pluto[23296]: NAT-Traversal: Trying new style NAT-T
pluto[23296]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
pluto[23296]: NAT-Traversal: Trying old style NAT-T
pluto[23296]: adding interface ppp1/ppp1 192.168.5.1:500
pluto[23296]: adding interface ppp1/ppp1 192.168.5.1:4500
pluto[23296]: adding interface tun2/tun2 192.168.111.1:500
pluto[23296]: adding interface tun2/tun2 192.168.111.1:4500
pluto[23296]: adding interface tun1/tun1 192.168.110.1:500
pluto[23296]: adding interface tun1/tun1 192.168.110.1:4500
pluto[23296]: adding interface tun0/tun0 10.0.12.1:500
pluto[23296]: adding interface tun0/tun0 10.0.12.1:4500
pluto[23296]: adding interface eth1/eth1 1.2.3.4:500
pluto[23296]: adding interface eth1/eth1 1.2.3.4:4500
pluto[23296]: adding interface eth0/eth0 192.168.105.251:500
pluto[23296]: adding interface eth0/eth0 192.168.105.251:4500
pluto[23296]: adding interface eth0/eth0 192.168.104.251:500
pluto[23296]: adding interface eth0/eth0 192.168.104.251:4500
pluto[23296]: adding interface eth0/eth0 192.168.103.251:500
pluto[23296]: adding interface eth0/eth0 192.168.103.251:4500
pluto[23296]: adding interface eth0/eth0 192.168.101.251:500
pluto[23296]: adding interface eth0/eth0 192.168.101.251:4500
pluto[23296]: adding interface lo/lo 127.0.0.1:500
pluto[23296]: adding interface lo/lo 127.0.0.1:4500
pluto[23296]: adding interface lo/lo ::1:500
pluto[23296]: loading secrets from "/etc/ipsec.secrets"
pluto[23296]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
pluto[23296]:   loaded private key file '/etc/ipsec.d/private/whateverKey.pem' (1679 bytes)
pluto[23296]: loaded private key for keyid: PPK_RSA:AwEAAccf7
pluto[23296]: packet from 77.253.107.194:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
pluto[23296]: packet from 77.253.107.194:500: ignoring Vendor ID payload [FRAGMENTATION]
pluto[23296]: packet from 77.253.107.194:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
pluto[23296]: packet from 77.253.107.194:500: ignoring Vendor ID payload [Vid-Initial-Contact]
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: responding to Main Mode from unknown peer 77.253.107.194
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: STATE_MAIN_R1: sent MR1, expecting MI2
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: STATE_MAIN_R2: sent MR2, expecting MI3
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=PL, CN=k... at whatever.pl'
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: no crl from issuer "O=avl, OU=Organizational CA" found (strict=no)
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: no suitable connection for peer 'C=PL, CN=kruk at whatever.pl'
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: sending encrypted notification INVALID_ID_INFORMATION to 77.253.107.194:500
[cut some repetitions from here]
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: byte 2 of ISAKMP Hash Payload must be zero, but is not
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: malformed payload in packet
pluto[23296]: | payload malformed after IV
pluto[23296]: |   cc 0b b8 37  5d 68 01 18  ba 7a 14 88  0c 49 22 6b
pluto[23296]: |   17 0e 49 35
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: sending notification PAYLOAD_MALFORMED to 77.253.107.194:500
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194 #1: max number of retransmissions (2) reached STATE_MAIN_R2
pluto[23296]: "l2tp-whatever"[1] 77.253.107.194: deleting connection "l2tp-whatever" instance with peer 77.253.107.194 {isakmp=#0/ipsec=#0}

When I tried to debug x509, I got additional info in logs:

Feb 16 11:48:38 epsilon pluto[31415]: "l2tp-cert"[1] 77.253.107.194 #1: no crl from issuer "O=avl, OU=Organizational CA" found (strict=no)
Feb 16 11:48:38 epsilon pluto[31415]: | subject: 'O=avl, OU=Organizational CA'
Feb 16 11:48:38 epsilon pluto[31415]: | issuer:  'O=avl, OU=Organizational CA'
Feb 16 11:48:38 epsilon pluto[31415]: | authkey:  db:d2:e2:90:44:65:4f:d2:b6:58:ab:e0:94:7b:fd:9d:1d:32:69:45
Feb 16 11:48:38 epsilon pluto[31415]: |   not before  : Jan 14 13:14:57 UTC 2008
Feb 16 11:48:38 epsilon pluto[31415]: |   current time: Feb 16 10:48:38 UTC 2011
Feb 16 11:48:38 epsilon pluto[31415]: |   not after   : Jan 14 13:14:57 UTC 2018
Feb 16 11:48:38 epsilon pluto[31415]: | valid certificate for "O=avl, OU=Organizational CA"
Feb 16 11:48:38 epsilon pluto[31415]: | issuer cacert "O=avl, OU=Organizational CA" found
Feb 16 11:48:38 epsilon pluto[31415]: | signature algorithm: 'sha-1WithRSAEncryption'
Feb 16 11:48:38 epsilon pluto[31415]: |   digest:  bd 65 46 f0  bc e2 9d 71  a5 d1 12 17  55 38 ba d6
Feb 16 11:48:38 epsilon pluto[31415]: |   digest:  87 f5 00 ef
Feb 16 11:48:38 epsilon pluto[31415]: | valid certificate signature (O=avl, OU=Organizational CA -> O=avl, OU=Organizational CA)
Feb 16 11:48:38 epsilon pluto[31415]: | reached self-signed root ca
Feb 16 11:48:38 epsilon pluto[31415]: | Public key validated
Feb 16 11:48:38 epsilon pluto[31415]: | CR  30 2a 31 0c  30 0a 06 03  55 04 0a 13  03 61 76 6c
Feb 16 11:48:38 epsilon pluto[31415]: | CR  31 1a 30 18  06 03 55 04  0b 13 11 4f  72 67 61 6e
Feb 16 11:48:38 epsilon pluto[31415]: | CR  69 7a 61 74  69 6f 6e 61  6c 20 43 41
Feb 16 11:48:38 epsilon pluto[31415]: | requested CA: 'O=avl, OU=Organizational CA'
Feb 16 11:48:38 epsilon pluto[31415]: |   trusted_ca called with a=O=avl, OU=Organizational CA b=alidated
Feb 16 11:48:38 epsilon pluto[31415]: |   trusted_ca returning with failed
Feb 16 11:48:38 epsilon pluto[31415]: |   trusted_ca called with a=\367\001 b=O=avl, OU=Organizational CA
Feb 16 11:48:38 epsilon pluto[31415]: |   trusted_ca returning with failed
Feb 16 11:48:38 epsilon pluto[31415]: |   trusted_ca called with a=O=avl, OU=Organizational CA b=alidated
Feb 16 11:48:38 epsilon pluto[31415]: |   trusted_ca returning with failed
Feb 16 11:48:39 epsilon pluto[31415]: |   trusted_ca called with a=\367\001 b=O=avl, OU=Organizational CA
Feb 16 11:48:39 epsilon pluto[31415]: |   trusted_ca returning with failed
Feb 16 11:48:39 epsilon pluto[31415]: "l2tp-cert"[1] 77.253.107.194 #1: no suitable connection for peer 'C=PL, CN=kruk at whatever.pl'

My config:
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        protostack=auto
conn l2tp-whatever
        authby=rsasig
        pfs=no
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        left=1.2.3.4
        leftrsasigkey=/etc/ipsec.d/private/whateverKey.pem
        leftcert=/etc/ipsec.d/certs/whateverCert.pem
        leftprotoport=17/1701
        right=%any
        rightca=/etc/ipsec.d/cacerts/AVL.pem
        rightprotoport=17/%any
        auto=add

It acts the same regardless of whether I change rightca to %same or even %any
(it just sometimes calls trusted_ca with (empty) instead of \367\001 and fails
just the same).

Any ideas why it doesn't work? Anything else to check?
TIA for any hints.
-- 
d'`'`'`'`'`'`'`'`'`'`'`'`'Yb 
`b  Kruk at epsilon.eu.org   d' 
d' http://epsilon.eu.org/ Yb 
`b,-,.,-,.,-,.,-,.,-,.,-,.d' 
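The three `CR` lines in the debug log are the DER-encoded X.501 Name the Windows peer sent in its CERTREQ payload, and pluto prints them decoded on the "requested CA" line right after. The decoder below is an added example (not from the post and not Openswan code) that reproduces that decoding with the Python standard library only, so the bytes on the wire can be compared byte-for-byte against the CA subject that `rightca` is expected to match; the `CR_HEX` input is the log dump copied above, and the OID table is a small subset of the attribute types pluto knows.

```python
"""Decode the DER X.501 Name that pluto dumps as 'CR' bytes in a CERTREQ."""

# Constructed input: the three 'CR' hex lines from the pluto debug log above.
CR_HEX = """
30 2a 31 0c  30 0a 06 03  55 04 0a 13  03 61 76 6c
31 1a 30 18  06 03 55 04  0b 13 11 4f  72 67 61 6e
69 7a 61 74  69 6f 6e 61  6c 20 43 41
"""

# Attribute-type OIDs with the short names pluto prints (subset of RFC 4519).
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "E",
}

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (>127 bytes)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _oid(value):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, acc = list(divmod(value[0], 40)), 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_dn(der):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF {type OID, value string}."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _tlv(body, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        atvs, p = [], 0
        while p < len(rdn):                # multi-valued RDNs are joined with '+'
            _, atv, p = _tlv(rdn, p)
            _, oid_bytes, q = _tlv(atv, 0)
            _, val, _ = _tlv(atv, q)       # PrintableString/UTF8String/IA5String
            oid = _oid(oid_bytes)
            atvs.append(f"{OID_NAMES.get(oid, oid)}={val.decode('utf-8')}")
        rdns.append("+".join(atvs))
    return ", ".join(rdns)

def decode_cr_dump(hex_dump):
    """Decode a pluto 'CR' hex dump (whitespace-separated bytes) to a DN string."""
    return decode_dn(bytes.fromhex("".join(hex_dump.split())))
```

The decoded string should equal the subject printed by `openssl x509 -noout -subject -in /etc/ipsec.d/cacerts/AVL.pem`; a mismatch in any attribute type or string encoding is enough for the DN comparison in trusted_ca to fail.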