Princess Nell (l33t)
Joined: 15 Apr 2005 Posts: 931
Posted: Mon Aug 15, 2011 9:13 pm Post subject: openswan client cannot connect
Can't get this quite right - any idea what I need to change? I have full control over the server as well, if any changes are required there.
All certs, including CA, were created with a slightly modified version of the easy-rsa scripts that come with openvpn.
Code:
Aug 15 21:34:02 client pluto[1696]: "L2TP-CERT-CLIENT" #1: initiating Main Mode
Aug 15 21:34:02 client pluto[1696]: "L2TP-CERT-CLIENT" #1: ignoring unknown Vendor ID payload [4f457e717f6b5a4e727d576b]
Aug 15 21:34:02 client pluto[1696]: "L2TP-CERT-CLIENT" #1: received Vendor ID payload [Dead Peer Detection]
Aug 15 21:34:02 client pluto[1696]: "L2TP-CERT-CLIENT" #1: received Vendor ID payload [RFC 3947] method set to=109
Aug 15 21:34:02 client pluto[1696]: "L2TP-CERT-CLIENT" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 15 21:34:02 client pluto[1696]: "L2TP-CERT-CLIENT" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 15 21:34:02 client pluto[1696]: "L2TP-CERT-CLIENT" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 15 21:34:02 client pluto[1696]: "L2TP-CERT-CLIENT" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Aug 15 21:34:02 client pluto[1696]: "L2TP-CERT-CLIENT" #1: I am sending my cert
Aug 15 21:34:02 client pluto[1696]: "L2TP-CERT-CLIENT" #1: I am sending a certificate request
Aug 15 21:34:02 client pluto[1696]: "L2TP-CERT-CLIENT" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 15 21:34:02 client pluto[1696]: "L2TP-CERT-CLIENT" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 15 21:34:02 client pluto[1696]: "L2TP-CERT-CLIENT" #1: IKEv2 Vendor ID payload received but not supported in this version
Aug 15 21:34:02 client pluto[1696]: "L2TP-CERT-CLIENT" #1: received Vendor ID payload [CAN-IKEv2]
Aug 15 21:34:02 client pluto[1696]: "L2TP-CERT-CLIENT" #1: Main mode peer ID is ID_FQDN: '@server.host.net'
Aug 15 21:34:02 client pluto[1696]: "L2TP-CERT-CLIENT" #1: no crl from issuer "C=XX, ST=XX, L=XX, O=XX Inc., OU=XX, CN=XX Inc. CA, N=First Last , E=caadmin@company.net" found (strict=no)
Aug 15 21:34:02 client pluto[1696]: "L2TP-CERT-CLIENT" #1: we require peer to have ID 'C=XX, ST=XX, L=XX, O=XX Inc., OU=XX, CN=server/host.net, N=First Last, E=caadmin@company.net', but peer declares '@server.host.net'
Aug 15 21:34:02 client pluto[1696]: "L2TP-CERT-CLIENT" #1: sending encrypted notification INVALID_ID_INFORMATION to <server.ip>:4500
Aug 15 21:34:02 client pluto[1696]: "L2TP-CERT-CLIENT" #1: received 1 malformed payload notifies
Aug 15 21:34:27 client pluto[1696]: "L2TP-CERT-CLIENT": terminating SAs using this connection
Aug 15 21:34:27 client pluto[1696]: "L2TP-CERT-CLIENT" #1: deleting state (STATE_MAIN_I3)
I don't understand the problem - is it a configuration problem or is there something wrong with the generated certs?
Here's the client config:
Code:
conn L2TP-CERT-CLIENT
	authby=rsasig
	pfs=no
	rekey=yes
	keyingtries=1
	type=transport
	left=%defaultroute
	leftcert=/etc/ipsec.d/client.cert.pem
	leftrsasigkey=%cert
	leftprotoport=udp/l2tp
	right=server.ip
	rightcert=/etc/ipsec.d/certs/server.cert.pem
	rightrsasigkey=%cert
	rightprotoport=udp/1701
	auto=add
This is on stable with openswan 2.4.15-r2.
redagadir (n00b)
Joined: 06 Aug 2011 Posts: 29
Posted: Sat Aug 20, 2011 9:24 pm Post subject:
Something's probably wrong with your SSL certificate:
Code:
we require peer to have ID 'C=XX, ST=XX, L=XX, O=XX Inc., OU=XX, CN=server/host.net, N=First Last, E=caadmin@company.net', but peer declares '@server.host.net'