[Openswan Users] x509 auth unable to find suitable connection
Mariusz Kruk
Kruk at epsilon.eu.org
Wed Feb 16 13:32:04 EST 2011
On 2011-02-16 17:18, Paul Wouters wrote:
>> I'm trying to set up an IPsec/L2TP connection between a Windows roadwarrior
>> and a Linux server. With PSK everything works perfectly. When I try to switch
>> to certs, I can't connect. I'm just getting "no suitable connection found".
>
> What does ipsec auto --listall say?
000
000 List of Public Keys:
000
000 Feb 16 11:56:31 2011, 2048 RSA Key AwEAAemM6 (no private key), until Feb 10 15:57:00 2013 ok
000 ID_DER_ASN1_DN 'C=PL, CN=kruk at whatever.pl'
000 Issuer 'O=avl, OU=Organizational CA'
000 Feb 16 11:47:57 2011, 2048 RSA Key AwEAAccf7 (has private key), until Jan 14 14:13:00 2018 ok
000 ID_DER_ASN1_DN 'C=PL, O=Whatever, CN=epsilon'
000 Issuer 'O=avl, OU=Organizational CA'
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000 1: RSA (none) (none)
000 11: PSK %any 11.22.33.44
000
000 List of X.509 End Certificates:
000
000 Feb 16 11:47:57 2011, count: 1
000 subject: 'C=PL, O=Whatever, CN=epsilon'
000 issuer: 'O=avl, OU=Organizational CA'
000 serial: 02:1c:14:e1:6e:79:d1:03:d9:e1:a2:dc:b4:99:f5:49:66:d1:60:ce:e4:5b:c1:9c:74:7a:a2:61:d3:d4:02:02:04:24:5d:34
000 pubkey: 2048 RSA Key AwEAAccf7, has private key
000 validity: not before Feb 10 14:44:00 2011 ok
000 not after Jan 14 14:13:00 2018 ok
000 subjkey: f3:78:73:9b:d4:4c:2c:64:ea:27:29:e5:a5:a9:12:3a:ee:4b:02:1f
000 authkey: db:d2:e2:90:44:65:4f:d2:b6:58:ab:e0:94:7b:fd:9d:1d:32:69:45
000
000 List of X.509 CA Certificates:
000
000 Feb 16 11:47:57 2011, count: 1
000 subject: 'O=avl, OU=Organizational CA'
000 issuer: 'O=avl, OU=Organizational CA'
000 serial: 02:1c:14:e1:6e:79:d1:03:d9:e1:a2:dc:b4:99:f5:49:66:d1:60:ce:e4:5b:c1:9c:74:7a:a2:61:d3:d4:02:02:02:1d:79:d6
000 pubkey: 2048 RSA Key AwEAAbqQU
000 validity: not before Jan 14 14:14:57 2008 ok
000 not after Jan 14 14:14:57 2018 ok
000 subjkey: db:d2:e2:90:44:65:4f:d2:b6:58:ab:e0:94:7b:fd:9d:1d:32:69:45
000 authkey: db:d2:e2:90:44:65:4f:d2:b6:58:ab:e0:94:7b:fd:9d:1d:32:69:45
>> Feb 16 11:48:38 epsilon pluto[31415]: "l2tp-cert"[1] 77.253.107.194 #1: no crl from issuer "O=avl, OU=Organizational CA" found (strict=no)
>> Feb 16 11:48:38 epsilon pluto[31415]: | subject: 'O=avl, OU=Organizational CA'
>> Feb 16 11:48:38 epsilon pluto[31415]: | issuer: 'O=avl, OU=Organizational CA'
> There is no CN= in your CA certs?
Hmm... indeed there isn't. You think this could be the problem?
The CA I use is the "Organizational CA" from our local Novell eDirectory.
It was created with the default settings, so I suppose this situation
isn't that unusual in the case of eDirectory's CA.
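The `ipsec auto --listall` output quoted above is the thing Paul asked for, and the one
fact it can prove on its own is whether the loaded end certificate chains to a loaded CA:
the end cert's authkey must equal a CA's subjkey, and the end cert's issuer DN must equal
that CA's subject DN. The script below is an added example, not code from the original
post or from Openswan: it parses that listing, performs exactly that check, and reports
which attributes the issuer DN carries (which is where Paul's "no CN=" observation comes
from). The embedded LISTING is an abridged copy of the listing in the thread (DNs, key
identifiers and dates as posted, serial numbers dropped) so the script runs offline.

```python
"""
Parse ``ipsec auto --listall`` output and check that each loaded end
certificate chains to a loaded CA.

Added example, not part of the original post or of Openswan.  LISTING is an
abridged copy of the listing posted in the thread, embedded so this runs
offline; the parser assumes Openswan's "000 <field>: <value>" line layout.
"""
import re

LISTING = """\
000
000 List of X.509 End Certificates:
000
000 Feb 16 11:47:57 2011, count: 1
000        subject: 'C=PL, O=Whatever, CN=epsilon'
000        issuer:  'O=avl, OU=Organizational CA'
000        pubkey:  2048 RSA Key AwEAAccf7, has private key
000        validity: not before Feb 10 14:44:00 2011 ok
000                  not after  Jan 14 14:13:00 2018 ok
000        subjkey: f3:78:73:9b:d4:4c:2c:64:ea:27:29:e5:a5:a9:12:3a:ee:4b:02:1f
000        authkey: db:d2:e2:90:44:65:4f:d2:b6:58:ab:e0:94:7b:fd:9d:1d:32:69:45
000
000 List of X.509 CA Certificates:
000
000 Feb 16 11:47:57 2011, count: 1
000        subject: 'O=avl, OU=Organizational CA'
000        issuer:  'O=avl, OU=Organizational CA'
000        pubkey:  2048 RSA Key AwEAAbqQU
000        validity: not before Jan 14 14:14:57 2008 ok
000                  not after  Jan 14 14:14:57 2018 ok
000        subjkey: db:d2:e2:90:44:65:4f:d2:b6:58:ab:e0:94:7b:fd:9d:1d:32:69:45
000        authkey: db:d2:e2:90:44:65:4f:d2:b6:58:ab:e0:94:7b:fd:9d:1d:32:69:45
"""

SECTION_RE = re.compile(r"^000 List of (.+?):\s*$")
CERT_START_RE = re.compile(r"^000 .*\bcount: \d+")      # "Feb 16 ..., count: 1"
FIELD_RE = re.compile(r"^000\s+(subject|issuer|pubkey|subjkey|authkey):\s*(.*)$")


def parse_listall(text):
    """Return {section name: [cert dict, ...]} for the X.509 sections.

    Each cert dict maps subject/issuer/pubkey/subjkey/authkey to the printed
    value with the surrounding quotes removed.
    """
    sections, current, cert = {}, None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current, cert = m.group(1), None
            sections[current] = []
            continue
        if current is None:
            continue
        if CERT_START_RE.match(line):      # a new certificate entry begins
            cert = {}
            sections[current].append(cert)
            continue
        m = FIELD_RE.match(line)
        if m and cert is not None:
            cert[m.group(1)] = m.group(2).strip().strip("'")
    return sections


def dn_attributes(dn):
    """'C=PL, O=Whatever, CN=epsilon' -> ['C', 'O', 'CN'].

    Assumes Openswan's ', '-separated DN rendering with no escaped commas.
    """
    return [part.strip().split("=", 1)[0] for part in dn.split(",") if "=" in part]


def find_issuer(end_cert, ca_certs):
    """The CA whose subject DN equals the end cert's issuer DN AND whose
    subject key identifier equals the end cert's authority key identifier.
    Both must match: a DN-only match with a different key is a different CA."""
    for ca in ca_certs:
        if (ca.get("subject") == end_cert.get("issuer")
                and ca.get("subjkey") == end_cert.get("authkey")):
            return ca
    return None


def check_chain(text):
    """One report dict per loaded end certificate."""
    sections = parse_listall(text)
    cas = sections.get("X.509 CA Certificates", [])
    report = []
    for ee in sections.get("X.509 End Certificates", []):
        ca = find_issuer(ee, cas)
        report.append({
            "subject": ee.get("subject"),
            "issuer": ee.get("issuer"),
            "has_private_key": "has private key" in ee.get("pubkey", ""),
            "issuer_loaded": ca is not None,
            "issuer_self_signed": ca is not None and ca.get("subjkey") == ca.get("authkey"),
            "issuer_dn_attrs": dn_attributes(ee.get("issuer", "")),
        })
    return report


if __name__ == "__main__":
    for entry in check_chain(LISTING):
        for key, value in entry.items():
            print(f"{key:>20}: {value}")
        # The thread's CA DN is 'O=avl, OU=Organizational CA', i.e. no CN at all.
        if "CN" not in entry["issuer_dn_attrs"]:
            print("                note: issuer DN has no CN attribute")
```

Run as-is against the embedded copy, or paste your own gateway's `ipsec auto --listall`
output into LISTING. For the thread's listing it confirms that the chain links as loaded
(end cert authkey db:d2:... equals the CA's subjkey, issuer DN equals the CA's subject DN,
the CA is self-signed, the end cert has its private key) and that the issuer DN carries
only O and OU. Note what the listing does not show: the leftid/rightid of the conn, so a
clean result here rules out a broken or missing chain, not a mismatch between the
certificate DNs and the IDs the connection definition expects.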