[Openswan Users] Remote users (roadwarrior) with multiple CA certs?

Adam Rybak arybak at ar-it.pl
Tue Mar 27 10:25:53 EDT 2012


Sorry, my system responded to your personal email. Now changed to group.

I added it, and the connection goes to the right CONN NAME, but I got this error
when trying to connect:

Mar 27 16:21:44 vpn01 pluto[739]: packet from
193.XXX.XXX.XXX:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY
00000004]
Mar 27 16:21:44 vpn01 pluto[739]: packet from 193.XXX.XXX.XXX:500: ignoring
Vendor ID payload [FRAGMENTATION]
Mar 27 16:21:44 vpn01 pluto[739]: packet from 193.XXX.XXX.XXX:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 27 16:21:44 vpn01 pluto[739]: packet from 193.XXX.XXX.XXX:500: ignoring
Vendor ID payload [Vid-Initial-Contact]
Mar 27 16:21:44 vpn01 pluto[739]: "ROADW-NAT-NEWCA"[2] 193.XXX.XXX.XXX
#32748: responding to Main Mode from unknown peer 193.XXX.XXX.XXX
Mar 27 16:21:44 vpn01 pluto[739]: "ROADW-NAT-NEWCA"[2] 193.XXX.XXX.XXX
#32748: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 27 16:21:44 vpn01 pluto[739]: "ROADW-NAT-NEWCA"[2] 193.XXX.XXX.XXX
#32748: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 27 16:21:45 vpn01 pluto[739]: "ROADW-NAT-NEWCA"[2] 193.XXX.XXX.XXX
#32748: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer
is NATed
Mar 27 16:21:45 vpn01 pluto[739]: "ROADW-NAT-NEWCA"[2] 193.XXX.XXX.XXX
#32748: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 27 16:21:45 vpn01 pluto[739]: "ROADW-NAT-NEWCA"[2] 193.XXX.XXX.XXX
#32748: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 27 16:21:45 vpn01 pluto[739]: "ROADW-NAT-NEWCA"[2] 193.XXX.XXX.XXX
#32748: Main mode peer ID is ID_DER_ASN1_DN: 'C=PL, ST=Malopolska,
L=Krakow, O=Company S.A, OU=Dept, CN=user001, E=user001'
Mar 27 16:21:45 vpn01 pluto[739]: "ROADW-NAT-NEWCA"[2] 193.XXX.XXX.XXX
#32748: no crl from issuer "C=PL, ST=Malopolskie, L=Cracow, O=Company S.A,
CN=Company S.A PROD CA, E=admin at company.pl" found (strict=no)
Mar 27 16:21:45 vpn01 pluto[739]: "ROADW-NAT-NEWCA"[2] 193.XXX.XXX.XXX
#32748: no suitable connection for peer 'C=PL, ST=Malopolska, L=Krakow,
O=Company S.A, OU=Dept, CN=user001, E=user001'
Mar 27 16:21:45 vpn01 pluto[739]: "ROADW-NAT-NEWCA"[2] 193.XXX.XXX.XXX
#32748: sending encrypted notification INVALID_ID_INFORMATION to
193.XXX.XXX.XXX:500
Mar 27 16:21:45 vpn01 pluto[739]: "ROADW-NAT-NEWCA"[2] 193.XXX.XXX.XXX
#32748: Main mode peer ID is ID_DER_ASN1_DN: 'C=PL, ST=Malopolska,
L=Krakow, O=Company S.A, OU=Dept, CN=user001, E=user001'
Mar 27 16:21:45 vpn01 pluto[739]: "ROADW-NAT-NEWCA"[2] 193.XXX.XXX.XXX
#32748: no crl from issuer "C=PL, ST=Malopolskie, L=Cracow, O=Company S.A,
CN=Company S.A PROD CA, E=admin at company.pl" found (strict=no)
Mar 27 16:21:45 vpn01 pluto[739]: "ROADW-NAT-NEWCA"[2] 193.XXX.XXX.XXX
#32748: no suitable connection for peer 'C=PL, ST=Malopolska, L=Krakow,
O=Company S.A, OU=Dept, CN=user001, E=user001'
Mar 27 16:21:45 vpn01 pluto[739]: "ROADW-NAT-NEWCA"[2] 193.XXX.XXX.XXX
#32748: sending encrypted notification INVALID_ID_INFORMATION to
193.XXX.XXX.XXX:500
Mar 27 16:21:47 vpn01 pluto[739]: "ROADW-NAT-NEWCA"[2] 193.XXX.XXX.XXX
#32748: Main mode peer ID is ID_DER_ASN1_DN: 'C=PL, ST=Malopolska,
L=Krakow, O=Company S.A, OU=Dept, CN=user001, E=user001'
Mar 27 16:21:47 vpn01 pluto[739]: "ROADW-NAT-NEWCA"[2] 193.XXX.XXX.XXX
#32748: no crl from issuer "C=PL, ST=Malopolskie, L=Cracow, O=Company S.A,
CN=Company S.A PROD CA, E=admin at company.pl" found (strict=no)
Mar 27 16:21:47 vpn01 pluto[739]: "ROADW-NAT-NEWCA"[2] 193.XXX.XXX.XXX
#32748: no suitable connection for peer 'C=PL, ST=Malopolska, L=Krakow,
O=Company S.A, OU=Dept, CN=user001, E=user001'
Mar 27 16:21:47 vpn01 pluto[739]: "ROADW-NAT-NEWCA"[2] 193.XXX.XXX.XXX
#32748: sending encrypted notification INVALID_ID_INFORMATION to
193.XXX.XXX.XXX:500


2012/3/27 Tuomo Soini <tis at foobar.fi>

> On Tue, 27 Mar 2012 15:43:51 +0200
> Adam Rybak <arybak at ar-it.pl> wrote:
>
> > I tried to add second with correct cert (with new ca) but connection
> > was handled by first...
>
> Please, don't drop discussion off the list.
>
> rightca=%same for both conns.
>
>
> --
> Tuomo Soini <tis at foobar.fi>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <http://foobar.fi/>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
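Added example, not code from the thread or from Openswan: a small Python triage of the pluto output above. It groups messages by ISAKMP SA number so the conn instance that handled the exchange, the peer certificate DN, and the issuer DN pluto consulted for a CRL can be read off together; the issuer DN is the value a conn's rightca= has to cover, and the peer DN the value rightid= has to accept, so this is what to compare against ipsec.conf when you see "no suitable connection for peer" followed by INVALID_ID_INFORMATION. The log sample is a constructed, single-line copy of the quoted lines.

```python
import re

# Constructed sample modelled on the wrapped pluto output above (events joined onto single lines).
SAMPLE_LOG = """\
Mar 27 16:21:44 vpn01 pluto[739]: "ROADW-NAT-NEWCA"[2] 193.XXX.XXX.XXX #32748: responding to Main Mode from unknown peer 193.XXX.XXX.XXX
Mar 27 16:21:45 vpn01 pluto[739]: "ROADW-NAT-NEWCA"[2] 193.XXX.XXX.XXX #32748: Main mode peer ID is ID_DER_ASN1_DN: 'C=PL, ST=Malopolska, L=Krakow, O=Company S.A, OU=Dept, CN=user001, E=user001'
Mar 27 16:21:45 vpn01 pluto[739]: "ROADW-NAT-NEWCA"[2] 193.XXX.XXX.XXX #32748: no crl from issuer "C=PL, ST=Malopolskie, L=Cracow, O=Company S.A, CN=Company S.A PROD CA, E=admin at company.pl" found (strict=no)
Mar 27 16:21:45 vpn01 pluto[739]: "ROADW-NAT-NEWCA"[2] 193.XXX.XXX.XXX #32748: no suitable connection for peer 'C=PL, ST=Malopolska, L=Krakow, O=Company S.A, OU=Dept, CN=user001, E=user001'
Mar 27 16:21:45 vpn01 pluto[739]: "ROADW-NAT-NEWCA"[2] 193.XXX.XXX.XXX #32748: sending encrypted notification INVALID_ID_INFORMATION to 193.XXX.XXX.XXX:500
"""
# pluto prefixes each per-SA message with "CONN"[instance] peer-addr #sa:
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
                     r'(?P<addr>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
PEER_ID_RE = re.compile(r"peer ID is ID_DER_ASN1_DN: '(?P<dn>[^']+)'")
ISSUER_RE = re.compile(r'no crl from issuer "(?P<dn>[^"]+)" found \(strict=(?P<strict>\w+)\)')

def triage_pluto_log(text):
    """Group messages by ISAKMP SA number: handling conn instance, peer cert DN,
    issuer DN pluto looked a CRL up for, and whether the conn lookup failed."""
    sas = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not per-SA, e.g. "packet from ...: ignoring Vendor ID"
        rec = sas.setdefault(m['sa'], {
            'conn': m['conn'], 'instance': int(m['inst']), 'peer_addr': m['addr'],
            'peer_dn': None, 'issuer_dn': None, 'crl_strict': None,
            'no_suitable_conn': False, 'notifications': []})
        msg = m['msg']
        if (p := PEER_ID_RE.search(msg)):
            rec['peer_dn'] = p['dn']
        elif (i := ISSUER_RE.search(msg)):
            rec['issuer_dn'], rec['crl_strict'] = i['dn'], i['strict']
        elif msg.startswith('no suitable connection for peer'):
            rec['no_suitable_conn'] = True
        elif msg.startswith('sending encrypted notification '):
            rec['notifications'].append(msg.split()[3])
    return sas

def findings(rec):
    """The checks an operator should make for one SA record."""
    out = []
    if rec['no_suitable_conn'] and 'INVALID_ID_INFORMATION' in rec['notifications']:
        out.append(f"conn lookup failed in \"{rec['conn']}\"[{rec['instance']}]: peer DN "
                   f"{rec['peer_dn']!r} issued by {rec['issuer_dn']!r}; no conn's "
                   f"rightca=/rightid= accepts this issuer and peer DN")
    if rec['issuer_dn'] and rec['crl_strict'] == 'no':
        out.append(f"no CRL for issuer {rec['issuer_dn']!r}; revocation not enforced (strict=no)")
    return out
```

Run it over a real `/var/log/auth.log` (or wherever pluto logs) by passing the file contents to `triage_pluto_log` and printing `findings()` for each SA; the second finding also flags that, with strict=no and no CRL loaded, a revoked roadwarrior certificate would still authenticate.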