[Openswan Users] Problem with authentication at tunnel startup

fatcharly at gmx.de fatcharly at gmx.de
Wed Aug 15 07:49:13 EDT 2012


Hi,

I'm using openswan-2.6.32-3.el5 on CentOS 5.8. When I try to initiate a tunnel with our partner I get some error messages. The full log can be found at http://pastebin.com/9fU9JADG. I found this error in the logfile:

Aug 15 11:50:04 pilotswan pluto[8077]: "XXX_xxx_test" #1: initiating Main Mode
Aug 15 11:50:04 pilotswan pluto[8077]: "XXX_xxx_test" #1: ignoring unknown Vendor ID payload [4f454e7c454d716b5f4d6c67]
Aug 15 11:50:04 pilotswan pluto[8077]: "XXX_xxx_test" #1: received Vendor ID payload [Dead Peer Detection]
Aug 15 11:50:04 pilotswan pluto[8077]: "XXX_xxx_test" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 15 11:50:04 pilotswan pluto[8077]: "XXX_xxx_test" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 15 11:50:04 pilotswan pluto[8077]: "XXX_xxx_test" #1: unable to locate my private key for RSA Signature
Aug 15 11:50:04 pilotswan pluto[8077]: "XXX_xxx_test" #1: sending notification AUTHENTICATION_FAILED to 194.113.XXX.XX:500


this is my configuration:

version 2.0     # conforms to second version of ipsec.conf specification

# --------------------------------------------------------------
# Base configuration
# --------------------------------------------------------------
config setup
        interfaces=%defaultroute
# klipsdebug and plutodebug are each set twice (all, then none). Which value
# the parser keeps is not shown here, so keep only the intended line.
# plutodebug=all writes full IKE negotiation detail to syslog; leave it at
# none except while actively debugging, and review a log before sharing it.
        klipsdebug=all
        klipsdebug=none
        plutodebug=all
        plutodebug=none
        forwardcontrol=yes
#
        protostack=netkey
# ---------------------------------------------------------------
# Server configuration
# ---------------------------------------------------------------

conn %default
# keyingtries=1: one failed IKE exchange (as in the log above) ends the
# attempt instead of retrying.
        keyingtries=1
        keylife=3600s
        left=62.109.XX.X
        leftnexthop=62.109.XX.X
        auto=start

include /etc/ipsec.d/examples/no_oe.conf

#conn winlogic
conn XXX_xxx_test
        authby=rsasig
# %cert takes the local public key from leftcert. The matching private key is
# not referenced in this file; pluto loads it from /etc/ipsec.secrets via a
# ": RSA <path-to-key> [passphrase]" entry. The log line "unable to locate my
# private key for RSA Signature" means no loaded private key matches the
# public key in fscert.pem -- check that the entry exists, that the key file
# is readable by root only, and that it really belongs to this certificate.
        leftrsasigkey=%cert
        leftcert=/etc/zertifikate/fscert.pem
# leftid must match the certificate's subject DN exactly, field for field.
        leftid="C=DE, ST=XX, L=XXX, O=XXX, OU=XXX, CN=XXX, E=vpn at XXXXXX.XX"
        leftsubnet=192.168.XXX.XX/24
# The peer is also authenticated by the certificate it presents; rightid is
# an FQDN-style ID, so that name presumably has to appear in the peer's
# certificate (subject or subjectAltName) -- confirm with the partner.
        rightrsasigkey=%cert
        right=194.113.XXX.XX
        rightid=@ipsect1.XXXXX.xx
        rightsubnet=192.168.XXX.X/24
        rightnexthop=194.113.XXX.XX




This tunnel worked a few years ago.

Any suggestions are welcome.

Kind regards

fatcharly

