[Openswan Users] X509 CA ROOT SHA256 not supported
Support Reseau
support.net at numlog.fr
Mon Jul 7 20:33:56 EDT 2014
Dear all OpenSwan users,
I use the following environment: OS Debian 6.0 / Kernel 2.6.32 /
Openswan 2.6.28
I use X509 certificates to secure VPN tunnels, and when I start the IPsec
Openswan service I get the following error:
Changing to directory '/etc/ipsec.d/crls'
loaded crl file 'XXXXX_root-crl.pem' (2145 bytes)
digest algorithm not supported
This CRL was generated using SHA256 algorithm.
Below is the list of public keys used by this service (ipsec auto
listall):
000
000 List of Public Keys:
000
000 Jul 08 02:12:38 2014, 512 RSA Key AwEAAdclA (has private key),
until Aug 03 14:54:05 2015 ok
000 ID_DER_ASN1_DN 'C=FR, ST=XXXXX, L=XXXXX, O=YYYY, OU=IT,
CN=ZZZZ, E=support at xxxxx.fr'
000 Issuer 'C=FR, O=XXXXX, OU=CA Trust center, CN=XXXXXCA
Root, E=support at xxxxx.fr'
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000 12: RSA (none) (none)
000
000 List of X.509 End Certificates:
000
000 Jul 08 02:12:38 2014, count: 2
000 subject: 'C=FR, ST=XXXXX, L=XXXXX, O=YYYY, OU=IT,
CN=ZZZZ, E=support at xxxxx.fr'
000 issuer: 'C=FR, O=XXXXX, OU=CA Trust center, CN=XXXXXCA
Root, E=support at xxxxx.fr'
000 serial: 0b:c7
000 pubkey: 512 RSA Key AwEAAdclA, has private key
000 validity: not before Jun 29 14:54:05 2014 ok
000 not after Aug 03 14:54:05 2015 ok
000 subjkey:
a3:0b:dc:30:0c:90:e5:b5:a5:7e:66:ac:d6:65:03:bc:72:21:c5:ed
000 authkey:
4e:67:68:24:66:58:5c:de:8d:de:e2:f2:3a:60:cc:44:70:15:f4:b6
000
000 List of X.509 CA Certificates:
000
000 Jul 08 02:12:38 2014, count: 1
000 subject: 'C=FR, O=XXXXX, OU=CA Trust center, CN=XXXXX CA
Root, E=support at xxxxx.fr'
000 issuer: 'C=FR, O=XXXXX, OU=CA Trust center, CN=XXXXX CA
Root, E=support at xxxxx.fr'
000 serial: 00
000 pubkey: 2048 RSA Key AwEAAaliX
000 validity: not before Jun 12 11:04:22 2014 ok
000 not after Jan 11 10:04:22 2038 ok
000 subjkey:
4e:67:68:24:66:58:5c:de:8d:de:e2:f2:3a:60:cc:44:70:15:f4:b6
000 authkey:
4e:67:68:24:66:58:5c:de:8d:de:e2:f2:3a:60:cc:44:70:15:f4:b6
000 aserial: 00
And when I tried to establish a VPN IPsec tunnel using an X509
certificate signed by our CA root, I got the following error:
packet from 88.174.245.115:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
packet from 88.174.245.115:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
packet from 88.174.245.115:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] method set to=108
packet from 88.174.245.115:500: received Vendor ID payload [RFC
3947] method set to=109
packet from 88.174.245.115:500: received Vendor ID payload [Dead
Peer Detection]
"nomades_wan"[1] 88.174.245.115 #1: responding to Main Mode from
unknown peer 88.174.245.115
"nomades_wan"[1] 88.174.245.115 #1: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
"nomades_wan"[1] 88.174.245.115 #1: STATE_MAIN_R1: sent MR1,
expecting MI2
"nomades_wan"[1] 88.174.245.115 #1: NAT-Traversal: Result using RFC
3947 (NAT-Traversal): peer is NATed
"nomades_wan"[1] 88.174.245.115 #1: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
"nomades_wan"[1] 88.174.245.115 #1: STATE_MAIN_R2: sent MR2,
expecting MI3
"nomades_wan"[1] 88.174.245.115 #1: ignoring informational payload,
type IPSEC_INITIAL_CONTACT msgid=00000000
"nomades_wan"[1] 88.174.245.115 #1: Main mode peer ID is
ID_DER_ASN1_DN: 'C=FR, O=ZZZZZ, OU=NOMADES, CN=1'
"nomades_wan"[1] 88.174.245.115 #1: no crl from issuer "C=FR,
O=XXXXX, OU=CA Trust center, CN=XXXXX CA Root, E=support at XXXXX.fr"
found (strict=no)
"nomades_wan"[1] 88.174.245.115 #1: *digest algorithm not supported*
"nomades_wan"[1] 88.174.245.115 #1: invalid certificate signature
from "C=FR, O=XXXXX, OU=CA Trust center, CN=XXXXX CA Root,
E=support at XXXXX.fr" on "C=FR, O=XXXXX, OU=CA Trust center, CN=XXXXX
CA Root, E=support.vpn at XXXXX.fr"
"nomades_wan"[1] 88.174.245.115 #1: *X.509 certificate rejected*
"nomades_wan"[1] 88.174.245.115 #1: while comparing A='C=FR,
O=ZZZZZ, OU=NOMADES, CN=1'<=>'0x3076310B300906035504061302465
2310E300C060355040A130553544556413110300E060355040B13074E4F4D41444553310A3008060355040314012A00000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'=B
with a wildcard count of 1, A had too
few RDNs
"nomades_wan"[1] 88.174.245.115 #1: while comparing A='C=FR,
O=ZZZZZ, OU=NOMADES, CN=1'<=>'0x3076310B300906035504061302465
2310E300C060355040A130553544556413110300E060355040B13074E4F4D41444553310A3008060355040314012A00000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'=B
with a wildcard count of 1, A had too
few RDNs
"nomades_wan"[1] 88.174.245.115 #1: while comparing A='C=FR,
O=ZZZZZ, OU=NOMADES, CN=1'<=>'0x306A310B300906035504061302465
2310E300C060355040A13055354455641310A3008060355040B14012A310A3008060355040314012A00000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000'=B
with a wildcard count of 2, A had too few RDNs
"nomades_wan"[1] 88.174.245.115 #1: no suitable connection for peer
'C=FR, O=ZZZZZ, OU=NOMADES, CN=1'
"nomades_wan"[1] 88.174.245.115 #1: sending encrypted notification
INVALID_ID_INFORMATION to 88.174.245.115:500
Here is the VPN profile for this connection:
conn nomades_wan
left=5.56.44.105
leftrsasigkey=%cert
leftcert=XXXXXXXXX.pem
leftid=%fromcert
leftsubnet=192.168.0.0/18
right=%any
#rightsubnet=vhost:%priv
rightsubnet=192.168.250.0/24
rightid="C=FR, O=ZZZZZ, OU=NOMADES, CN=*"
keyingtries=2
Any suggestions or help would be appreciated!
Kind regards
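Both errors above come down to the signature algorithm on the CA certificate and CRL, so the first thing to check is which digest actually signed them. The following standard-library script is an added example, not Openswan code or anything from the original post: it walks the outer DER SEQUENCE of a PEM certificate or CRL and reports the AlgorithmIdentifier OID. The LEGACY_OK set is an assumption standing in for the MD5/SHA-1-only behaviour the "digest algorithm not supported" message suggests, and the sample PEM is constructed (empty tbs, no real signature).

```python
"""Stdlib-only check: which digest signs a PEM certificate or CRL?
Both encode as SEQUENCE { tbs, signatureAlgorithm, signatureValue }."""
import base64
import re

SIG_OIDS = {  # RSA signature OIDs from RFC 3279 / RFC 4055
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
# Assumption: the old Openswan build verifies only MD5/SHA-1 RSA signatures.
LEGACY_OK = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

def _tlv(data, pos):
    """Decode one DER TLV at pos; handles short and long length forms."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128 arcs, high bit = continue
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_algorithm(pem):
    """Return the signature algorithm name, or the dotted OID if unknown."""
    body = re.search(r"-----BEGIN [^-]+-----(.*?)-----END", pem, re.S).group(1)
    tag, outer, _ = _tlv(base64.b64decode("".join(body.split())), 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, pos = _tlv(outer, 0)              # skip tbsCertificate / tbsCertList
    _, algid, _ = _tlv(outer, pos)          # AlgorithmIdentifier
    _, oid, _ = _tlv(algid, 0)              # its first element is the OID
    return SIG_OIDS.get(_decode_oid(oid), _decode_oid(oid))

def accepted_by_legacy_openswan(pem):
    return signature_algorithm(pem) in LEGACY_OK

def make_sample_pem(oid_hex, label="X509 CRL"):
    """Constructed stand-in: empty tbs, AlgorithmIdentifier{OID, NULL}, dummy signature."""
    alg = bytes.fromhex(f"06{len(oid_hex) // 2:02x}{oid_hex}") + b"\x05\x00"
    body = b"\x30\x00" + bytes([0x30, len(alg)]) + alg + b"\x03\x09" + b"\x00" * 9
    der = bytes([0x30, len(body)]) + body
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"
```

Run `signature_algorithm(open("/etc/ipsec.d/crls/XXXXX_root-crl.pem").read())` against the real CRL and CA certificate; a result of sha256WithRSAEncryption on a daemon that only verifies SHA-1 explains the rejection, and the fix is either an Openswan build with SHA-2 support or re-issuing the CA material with a digest the daemon accepts.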