[Openswan Users] Problem with X.509 Certificates since Update

Patrick Naubert patrickn at xelerance.com
Wed Apr 9 17:38:46 EDT 2014


Rescued from the Spam bucket.  Please remember to subscribe to the mailing list before posting to it.


From: Mario Hommel <mario at hommel-net.de>
Subject: Problem with X.509 Certificates since Update
Date: April 9, 2014 at 4:02:17 PM EDT
To: users at lists.openswan.org


Hi all.

I have a VPN-Gateway which worked with self-signed X.509 certificates for
a long time. Since I updated my Debian Wheezy there are problems with
the certificates.

auth.log says:

Apr  9 21:56:52 vpngate pluto[3716]: "hommel_XP2N"[83] 87.168.144.XX
#129: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, L=Kassel, O=Wagner und
Koerdel, CN=soellner'
Apr  9 21:56:52 vpngate pluto[3716]: "hommel_XP2N"[83] 87.168.144.XX
#129: no suitable connection for peer 'C=DE, L=Kassel, O=Wagner und
Koerdel, CN=soellner'
Apr  9 21:56:52 vpngate pluto[3716]: "hommel_XP2N"[83] 87.168.144.XX
#129: sending encrypted notification INVALID_ID_INFORMATION to
87.168.144.XX:500

It doesn't recognize the right connection.

In ipsec auto --status there are strange numbers instead of the
certificate-data from the remote gateways:

000 "hommel_XP2N"[86]: 192.168.10.0/24===217.237.XXX.XXX<%eth0>[C=DE,
L=Kassel, O=Wagner und Koerdel,
CN=VPN-Gate,+S=C]...87.139.XXX.XXX[0x308198310B3009060355040613024445310F300
D060355040713064B617373656C311B3019060355040A13125761676E657220756E64
204B6F657264656C310F300D06035504031306686F6D6D656C0000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000,
+S=C]===?; unrouted; eroute owner: #0
000 "hommel_XP2N"[86]:     myip=unset; hisip=unset; myup=ipsec
_updown.netkey.x509 --route yes; mycert=VPN-GateCert.pem;
000 "hommel_XP2N"[86]:   CAs: 'C=DE, L=Kassel, O=Wagner und Koerdel,
CN=CA-WGKOE'...'%any'
000 "hommel_XP2N"[86]:   ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "hommel_XP2N"[86]:   policy:
RSASIG+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+rKOD; prio: 24,32;
interface: eth0;
000 "hommel_XP2N"[86]:   newest ISAKMP SA: #0; newest IPsec SA: #0;

What is going on here?

Regards
Mario Hommel
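
Added example, not part of the original post: the hex string shown in place of the peer ID in the status output is a DER-encoded ASN.1 Distinguished Name, and the Python below walks it and prints the attributes it contains. The non-zero prefix is copied from the post; the trailing zero bytes are re-created here up to the length the outer header declares, and the names `read_tlv`, `decode_oid` and `decode_dn` are this example's own.

```python
# Added example: decode the hex blob that "ipsec auto --status" printed as the peer ID.
# DN_PREFIX is the non-zero part of that blob, copied from the post.
DN_PREFIX = bytes.fromhex(
    "308198"
    "310B3009060355040613024445"                                  # C
    "310F300D060355040713064B617373656C"                          # L
    "311B3019060355040A13125761676E657220756E64204B6F657264656C"  # O
    "310F300D06035504031306686F6D6D656C"                          # CN
)
# Constructed: zero bytes re-created up to the 0x98 (152) bytes the header declares.
DN_BLOB = DN_PREFIX + bytes(3 + 0x98 - len(DN_PREFIX))

ATTRS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.10": "O"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, pos, pos + length

def decode_oid(body):
    """Turn the content bytes of an OBJECT IDENTIFIER into dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_dn(blob):
    """Return ([(attr, value), ...], leftover bytes inside the outer SEQUENCE)."""
    tag, pos, end = read_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    rdns = []
    while pos < end and blob[pos] == 0x31:  # one SET per RDN (single-valued only)
        _, set_start, set_end = read_tlv(blob, pos)
        _, seq_start, _ = read_tlv(blob, set_start)      # AttributeTypeAndValue
        _, oid_start, oid_end = read_tlv(blob, seq_start)
        _, val_start, val_end = read_tlv(blob, oid_end)
        oid = decode_oid(blob[oid_start:oid_end])
        rdns.append((ATTRS.get(oid, oid), blob[val_start:val_end].decode("latin-1")))
        pos = set_end
    return rdns, blob[pos:end]

if __name__ == "__main__":
    rdns, leftover = decode_dn(DN_BLOB)
    print(", ".join(f"{k}={v}" for k, v in rdns))
    print(f"{len(leftover)} leftover bytes, all zero: {not any(leftover)}")
```

The outer SEQUENCE header declares 152 bytes of content while the four RDNs occupy 76, so the rest of the declared length is zero bytes rather than DN data.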


