[Swan] No PARENT proposal selected

Matt Rogers mrogers at redhat.com
Fri Oct 9 17:34:39 UTC 2015


> Seems libreswan doesn't load the fw certificate, but it's a little bit
> odd because ipsec auto --listall shows all the certs like I expect.  I
> will retrace my steps to see what I missed.
> 
> Oct  9 10:02:02 fw-kz pluto[30128]: | Added new connection rw-ikev2 with policy RSASIG+ENCRYPT+TUNNEL+PFS+DONT_REKEY+IKEV2_ALLOW+IKEV2_PROPOSE+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW

It's loading (I assume by name) the fw cert here:

> Oct  9 10:02:02 fw-kz pluto[30128]: | loaded certificate 'fw-kz.kza.yk.ca'
> Oct  9 10:02:02 fw-kz pluto[30128]: | certificate is valid
> Oct  9 10:02:02 fw-kz pluto[30128]: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563ea31fad00
> Oct  9 10:02:02 fw-kz pluto[30128]: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563ea322c5b0
> Oct  9 10:02:02 fw-kz pluto[30128]: | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563ea3227ba0
> Oct  9 10:02:02 fw-kz pluto[30128]: | id kind mismatch
> Oct  9 10:02:02 fw-kz pluto[30128]: | id kind mismatch
> Oct  9 10:02:02 fw-kz pluto[30128]: | id kind mismatch
> Oct  9 10:02:02 fw-kz pluto[30128]: | id kind mismatch
> Oct  9 10:02:02 fw-kz pluto[30128]: | id kind mismatch
> Oct  9 10:02:02 fw-kz pluto[30128]: | unreference key: 0x563ea31ff1d0 C=CA, ST=Yukon, O=Kobayashi & Zedda Architects, OU=Network Admin, CN=fw-kz.kza.yk.ca, E=bob at computerisms.ca cnt 1--
> Oct  9 10:02:02 fw-kz pluto[30128]: | id kind mismatch
> Oct  9 10:02:02 fw-kz pluto[30128]: | id kind mismatch
> Oct  9 10:02:02 fw-kz pluto[30128]: | unreference key: 0x563ea322c250 @fw-kz.kza.yk.ca cnt 1--
> Oct  9 10:02:02 fw-kz pluto[30128]: | counting wild cards for @fw-kz.kza.yk.ca is 0
> Oct  9 10:02:02 fw-kz pluto[30128]: | certificate not loaded for this end
> Oct  9 10:02:02 fw-kz pluto[30128]: | counting wild cards for %fromcert is 0
> 
> 

This debug logging may be a little misleading. There's an attempt to load a certificate
for each end, so if you have leftcert=fw-kz.kza.yk.ca and no rightcert=, then the
"certificate not loaded for this end" line happens for the 'right' end.

You should check further down in the logs to see what is happening when the proposal
is rejected.

Matt
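As an added example (not part of the thread, and not libreswan's own tooling), the script below reads a pluto debug excerpt like the one quoted above and applies the reading Matt gives: pluto tries to load a certificate for each end of the connection, so one "loaded certificate" line plus one "certificate not loaded for this end" line is the expected shape when only leftcert= is set, whereas two "not loaded" lines would mean neither end has a local certificate. The first sample is the quoted log with the mail-client line wrapping undone; the second sample is constructed for contrast. The regexes assume the syslog prefix format shown in the thread, and the rule "each end produces exactly one of the two lines" is this script's assumption about the debug output, not something the thread states verbatim.

```python
import re

# Sample input 1: the pluto debug lines quoted in the thread above, limited to the
# certificate-loading lines, with the mail client's line wrapping undone.
THREAD_EXCERPT = """\
Oct  9 10:02:02 fw-kz pluto[30128]: | Added new connection rw-ikev2 with policy RSASIG+ENCRYPT+TUNNEL+PFS+DONT_REKEY+IKEV2_ALLOW+IKEV2_PROPOSE+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW
Oct  9 10:02:02 fw-kz pluto[30128]: | loaded certificate 'fw-kz.kza.yk.ca'
Oct  9 10:02:02 fw-kz pluto[30128]: | certificate is valid
Oct  9 10:02:02 fw-kz pluto[30128]: | id kind mismatch
Oct  9 10:02:02 fw-kz pluto[30128]: | counting wild cards for @fw-kz.kza.yk.ca is 0
Oct  9 10:02:02 fw-kz pluto[30128]: | certificate not loaded for this end
Oct  9 10:02:02 fw-kz pluto[30128]: | counting wild cards for %fromcert is 0
"""

# Sample input 2 (constructed, not from the thread): same shape, but neither end
# loads a certificate. With RSASIG in the policy that is a real problem.
CONSTRUCTED_NO_CERT = """\
Oct  9 10:05:00 fw-kz pluto[30128]: | Added new connection rw-nocert with policy RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW
Oct  9 10:05:00 fw-kz pluto[30128]: | certificate not loaded for this end
Oct  9 10:05:00 fw-kz pluto[30128]: | counting wild cards for @fw-kz.kza.yk.ca is 0
Oct  9 10:05:00 fw-kz pluto[30128]: | certificate not loaded for this end
Oct  9 10:05:00 fw-kz pluto[30128]: | counting wild cards for %fromcert is 0
"""

# Syslog prefix as it appears in the thread: "<date> <host> pluto[<pid>]: | "
PLUTO_PREFIX = re.compile(r"^.*?pluto\[\d+\]: \| ")
ADDED_RE = re.compile(r"Added new connection (\S+) with policy (\S+)")
LOADED_RE = re.compile(r"loaded certificate '([^']+)'")
WILDCARD_RE = re.compile(r"counting wild cards for (\S+) is (\d+)")
NOT_LOADED = "certificate not loaded for this end"
VALID = "certificate is valid"


def parse_conn_load(text):
    """Summarise one connection's load from a pluto debug excerpt.

    Assumes the excerpt covers a single 'Added new connection' block. The position
    of the 'Added' line relative to the certificate lines is deliberately not
    relied on, since pasted excerpts are often reordered or trimmed.
    """
    summary = {"name": None, "policy": set(), "loaded": [], "valid": 0,
               "not_loaded": 0, "ids": []}
    for raw in text.splitlines():
        line = PLUTO_PREFIX.sub("", raw.strip())
        m = ADDED_RE.search(line)
        if m:
            summary["name"] = m.group(1)
            summary["policy"] = set(m.group(2).split("+"))
            continue
        m = LOADED_RE.search(line)
        if m:
            summary["loaded"].append(m.group(1))
            continue
        if line == VALID:
            summary["valid"] += 1
        elif line == NOT_LOADED:
            summary["not_loaded"] += 1
        else:
            m = WILDCARD_RE.search(line)
            if m:
                # One of these per end: the local ID (e.g. @fqdn) or %fromcert,
                # meaning that end's ID is taken from its certificate.
                summary["ids"].append(m.group(1))
    return summary


def assess(summary):
    """Return (code, explanation) for the certificate-loading outcome."""
    ends_seen = len(summary["loaded"]) + summary["not_loaded"]
    if ends_seen < 2:
        return ("incomplete",
                "only %d end(s) seen; paste the whole connection block" % ends_seen)
    if not summary["loaded"]:
        msg = "no certificate loaded for either end"
        if "RSASIG" in summary["policy"]:
            msg += "; the connection is RSASIG, so check leftcert=/rightcert= and the NSS db"
        return ("no-cert", msg)
    if summary["not_loaded"] == 1:
        return ("ok-one-end",
                "cert %s loaded for one end; 'certificate not loaded for this end' "
                "is the other end, expected when only leftcert= (or only rightcert=) "
                "is set. Look further down the log for why the proposal is rejected."
                % summary["loaded"][0])
    return ("both-ends", "a certificate was loaded for both ends")


if __name__ == "__main__":
    for excerpt in (THREAD_EXCERPT, CONSTRUCTED_NO_CERT):
        s = parse_conn_load(excerpt)
        print(s["name"], assess(s))
```

Run it with the pasted log in place of THREAD_EXCERPT (one connection at a time); the point of the "ok-one-end" verdict is to stop you chasing the "not loaded" line and move on to the proposal-rejection lines later in the log, as Matt suggests.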

