[Openswan Users] x509 auth unable to find suitable connection

Mariusz Kruk Kruk at epsilon.eu.org
Thu Feb 17 06:56:46 EST 2011


On Wed, Feb 16, 2011 at 07:32:04PM +0100, Mariusz Kruk wrote:
> >> Feb 16 11:48:38 epsilon pluto[31415]: "l2tp-cert"[1] 77.253.107.194
> >> #1: no crl from issuer "O=avl, OU=Organizational CA" found (strict=no)
> >> Feb 16 11:48:38 epsilon pluto[31415]: | subject: 'O=avl,
> >> OU=Organizational CA'
> >> Feb 16 11:48:38 epsilon pluto[31415]: | issuer: 'O=avl,
> >> OU=Organizational CA'
> > There is no CN= in your CA certs?
> 
> Hmm... indeed there isn't. You think this could be the problem?
> The CA I use is the "Organizational CA" from our local Novell
> eDirectory. It was created with the default settings, so I suppose this
> situation isn't that unusual in the case of eDirectory's CA.

OK. I thought that maybe it had indeed been a problem with the
certificates, so I set up a new CA, with openssl this time. I created a new
self-signed rootCA cert and signed keys for both the server and the
client (which is BTW still providing only the old cert and ignoring the
new one even if I set rightca=%same in ipsec.conf), and still get the same
errors.

pluto[5263]: "l2tp-cert"[3] 11.22.33.44 #3: Main mode peer ID is ID_DER_ASN1_DN: 'C=PL, ST=state, CN=jitensha-test'
pluto[5263]: | subject: 'C=PL, ST=state, CN=jitensha-test'
pluto[5263]: | issuer:  'C=PL, CN=poznojuzCA' Feb 17 12:34:07
pluto[5263]: | authkey: 35:5a:11:9e:97:ef:8a:be:a5:66:10:00:9e:da:7f:eb:59:41:94:e3
pluto[5263]: |   not before  : Feb 17 11:05:00 UTC 2011
pluto[5263]: |   current time: Feb 17 11:34:07 UTC 2011
pluto[5263]: |   not after   : Feb 17 11:05:00 UTC 2012
pluto[5263]: | valid certificate for "C=PL, ST=state, CN=jitensha-test"
pluto[5263]: | issuer cacert "C=PL, CN=poznojuzCA" found
pluto[5263]: | signature algorithm: 'md5WithRSAEncryption'
pluto[5263]: | valid certificate signature (C=PL, CN=poznojuzCA -> C=PL, ST=state, CN=jitensha-test)
pluto[5263]: "l2tp-cert"[3] 11.22.33.44 #3: no crl from issuer "C=PL, CN=poznojuzCA" found (strict=no)
pluto[5263]: | subject: 'C=PL, CN=poznojuzCA'
pluto[5263]: | issuer:  'C=PL, CN=poznojuzCA'
pluto[5263]: | authkey: 35:5a:11:9e:97:ef:8a:be:a5:66:10:00:9e:da:7f:eb:59:41:94:e3
pluto[5263]: |   not before  : Feb 17 11:02:41 UTC 2011
pluto[5263]: |   current time: Feb 17 11:34:07 UTC 2011
pluto[5263]: |   not after   : Feb 14 11:02:41 UTC 2021
pluto[5263]: | valid certificate for "C=PL, CN=poznojuzCA"
pluto[5263]: | issuer cacert "C=PL, CN=poznojuzCA" found
pluto[5263]: | signature algorithm: 'sha-1WithRSAEncryption'
pluto[5263]: | valid certificate signature (C=PL, CN=poznojuzCA -> C=PL, CN=poznojuzCA)
pluto[5263]: | reached self-signed root ca
pluto[5263]: | Public key validated
pluto[5263]: | requested CA: 'O=avl, OU=Organizational CA'
pluto[5263]: | requested CA: 'C=PL, CN=poznojuzCA'
pluto[5263]: |   trusted_ca called with a=C=PL, CN=poznojuzCA b=alidated
pluto[5263]: |   trusted_ca returning with failed
pluto[5263]: |   trusted_ca called with a=\370\001 b=C=PL, CN=poznojuzCA
pluto[5263]: |   trusted_ca returning with failed
pluto[5263]: |   trusted_ca called with a=\370\001 b=O=avl, OU=Organizational CA
pluto[5263]: |   trusted_ca returning with failed
pluto[5263]: |   trusted_ca called with a=C=PL, CN=poznojuzCA b=alidated
pluto[5263]: |   trusted_ca returning with failed
pluto[5263]: |   trusted_ca called with a=\370\001 b=C=PL, CN=poznojuzCA
pluto[5263]: |   trusted_ca returning with failed
pluto[5263]: |   trusted_ca called with a=\370\001 b=O=avl, OU=Organizational CA
pluto[5263]: |   trusted_ca returning with failed
pluto[5263]: "l2tp-cert"[3] 11.22.33.44 #3: no suitable connection for peer 'C=PL, ST=state, CN=jitensha-test'
pluto[5263]: | complete state transition with (null)


# ipsec auto --listall
000  
000 List of Public Keys:
000  
000 Feb 17 12:36:11 2011, 2048 RSA Key AwEAAZ/G3 (no private key), until Feb 17 12:05:00 2012 ok
000        ID_DER_ASN1_DN 'C=PL, ST=state, CN=jitensha-test'
000        Issuer 'C=PL, CN=poznojuzCA'
000 Feb 17 12:29:23 2011, 2048 RSA Key AwEAAbQYX (has private key), until Feb 17 12:04:43 2012 ok
000        ID_DER_ASN1_DN 'C=PL, ST=state, CN=epsilon-temp'
000        Issuer 'C=PL, CN=poznojuzCA'
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000     2: RSA (none) (none)
000     11: PSK %any 77.252.106.53
000  
000 List of X.509 End Certificates:
000  
000 Feb 17 12:29:23 2011, count: 1
000        subject: 'C=PL, ST=state, CN=epsilon-temp'
000        issuer:  'C=PL, CN=poznojuzCA'
000        serial:   04
000        pubkey:   2048 RSA Key AwEAAbQYX, has private key
000        validity: not before Feb 17 12:04:43 2011 ok
000                  not after  Feb 17 12:04:43 2012 ok
000        subjkey: 78:8c:95:c6:5f:bc:8a:9b:7e:da:ef:85:7b:b0:32:c8:3f:d0:86:e4
000        authkey: 35:5a:11:9e:97:ef:8a:be:a5:66:10:00:9e:da:7f:eb:59:41:94:e3
000        aserial:  00:e8:60:4b:e9:c8:c6:5c:90
000  
000 List of X.509 CA Certificates:
000  
000 Feb 17 12:29:23 2011, count: 1
000        subject: 'C=PL, CN=poznojuzCA'
000        issuer:  'C=PL, CN=poznojuzCA'
000        serial:   00:e8:60:4b:e9:c8:c6:5c:90
000        pubkey:   2048 RSA Key AwEAAbd4U
000        validity: not before Feb 17 12:02:41 2011 ok
000                  not after  Feb 14 12:02:41 2021 ok
000        subjkey: 35:5a:11:9e:97:ef:8a:be:a5:66:10:00:9e:da:7f:eb:59:41:94:e3
000        authkey: 35:5a:11:9e:97:ef:8a:be:a5:66:10:00:9e:da:7f:eb:59:41:94:e3
000        aserial:  00:e8:60:4b:e9:c8:c6:5c:90

Just to be on the safe side, I tried to connect with another Openswan
Linux machine, and it got me the same effect, so it seems it's not
a Windows client problem.
-- 
  Kruk@ -\                   | 
          }-> epsilon.eu.org | 
http:// -/                   | 
                             | 
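A small checker, added here as an example (not from the thread or from Openswan itself), that parses the End and CA certificate sections of `ipsec auto --listall` output and verifies the linkage pluto prints between an end certificate and its CA: the issuer DN must be a loaded CA's subject, the authkey that CA's subjkey, and the aserial that CA's serial. The sample output is constructed in the post's format with shortened fingerprints and serials.

```python
import re

# Constructed sample in the format of the post's `ipsec auto --listall`
# output (key fingerprints and serials shortened; not the post's values).
SAMPLE = """\
000 List of X.509 End Certificates:
000        subject: 'C=PL, ST=state, CN=epsilon-temp'
000        issuer:  'C=PL, CN=poznojuzCA'
000        serial:   04
000        authkey: 35:5a:11:9e
000        aserial:  00:e8:60:4b
000 List of X.509 CA Certificates:
000        subject: 'C=PL, CN=poznojuzCA'
000        issuer:  'C=PL, CN=poznojuzCA'
000        serial:   00:e8:60:4b
000        subjkey: 35:5a:11:9e
000        authkey: 35:5a:11:9e
"""
FIELD = re.compile(r"^000\s+(subject|issuer|serial|subjkey|authkey|aserial):\s+'?([^']*?)'?\s*$")

def parse_listall(text):
    """Return {'end': [...], 'ca': [...]}, one dict of fields per certificate."""
    certs, section, cur = {"end": [], "ca": []}, None, None
    for line in text.splitlines():
        if "End Certificates" in line:
            section = "end"
        elif "CA Certificates" in line:
            section = "ca"
        m = FIELD.match(line)
        if not m or section is None:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "subject":  # a subject line opens a new certificate record
            cur = {}
            certs[section].append(cur)
        if cur is not None:
            cur[key] = val
    return certs

def check_chain(certs):
    """List end certs whose issuer DN, authkey or aserial do not point at a loaded CA."""
    problems, cas = [], {c["subject"]: c for c in certs["ca"]}
    for e in certs["end"]:
        ca = cas.get(e["issuer"])
        if ca is None:
            problems.append(f"{e['subject']}: issuer {e['issuer']!r} is not a loaded CA")
        elif ca.get("subjkey") != e.get("authkey") or ca.get("serial") != e.get("aserial"):
            problems.append(f"{e['subject']}: authkey/aserial do not match CA {ca['subject']!r}")
    return problems
```

Run `check_chain(parse_listall(open("listall.txt").read()))` on saved output; an empty list means the loaded end certs all chain to a loaded CA, so a "no suitable connection" would lie in connection matching (leftid/rightid, rightca) rather than in the certificates themselves.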
