[Swan] No PARENT proposal selected
Bob Miller
bob at computerisms.ca
Fri Oct 9 17:09:20 UTC 2015
Hi Paul,
>> I am using the new format for the NSS DB sql:/etc/ipsec.d as specified
>> on the wiki, and I have compared my ipsec.conf to the ikev2 one on the
>> wiki as well.
>>
>> Any other suggestions where I might look for the problem?
>
> Run with plutodebug=all and see what's going on?
Seems libreswan doesn't load the fw certificate, but it's a little bit
odd because ipsec auto --listall shows all the certs like I expect. I
will retrace my steps to see what I missed.
Oct 9 10:02:02 fw-kz pluto[30128]: | Added new connection rw-ikev2 with policy RSASIG+ENCRYPT+TUNNEL+PFS+DONT_REKEY+IKEV2_ALLOW+IKEV2_PROPOSE+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW
Oct 9 10:02:02 fw-kz pluto[30128]: | loaded certificate 'fw-kz.kza.yk.ca'
Oct 9 10:02:02 fw-kz pluto[30128]: | certificate is valid
Oct 9 10:02:02 fw-kz pluto[30128]: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563ea31fad00
Oct 9 10:02:02 fw-kz pluto[30128]: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563ea322c5b0
Oct 9 10:02:02 fw-kz pluto[30128]: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563ea3227ba0
Oct 9 10:02:02 fw-kz pluto[30128]: | id kind mismatch
Oct 9 10:02:02 fw-kz pluto[30128]: | id kind mismatch
Oct 9 10:02:02 fw-kz pluto[30128]: | id kind mismatch
Oct 9 10:02:02 fw-kz pluto[30128]: | id kind mismatch
Oct 9 10:02:02 fw-kz pluto[30128]: | id kind mismatch
Oct 9 10:02:02 fw-kz pluto[30128]: | unreference key: 0x563ea31ff1d0 C=CA, ST=Yukon, O=Kobayashi & Zedda Architects, OU=Network Admin, CN=fw-kz.kza.yk.ca, E=bob at computerisms.ca cnt 1--
Oct 9 10:02:02 fw-kz pluto[30128]: | id kind mismatch
Oct 9 10:02:02 fw-kz pluto[30128]: | id kind mismatch
Oct 9 10:02:02 fw-kz pluto[30128]: | unreference key: 0x563ea322c250 @fw-kz.kza.yk.ca cnt 1--
Oct 9 10:02:02 fw-kz pluto[30128]: | counting wild cards for @fw-kz.kza.yk.ca is 0
Oct 9 10:02:02 fw-kz pluto[30128]: | certificate not loaded for this end
Oct 9 10:02:02 fw-kz pluto[30128]: | counting wild cards for %fromcert is 0
>
> Paul