[Swan] L2TP/IPsec with certificates: INVALID_KEY_INFORMATION

Sergio Belkin sebelk at gmail.com
Tue Apr 26 22:32:16 UTC 2016


Hi, libreswan community!

I'm trying to configure an L2TP/IPsec client on CentOS 7; the packages are:

- libreswan-3.15-5
- xl2tpd-1.3.6-8

The server is MS Windows.

I cannot bring up the vpn.

Errors are as follows:

     ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
       Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled; vendor preset: disabled)
       Active: active (running) since mar 2016-04-26 10:29:13 ART; 7min ago
      Process: 11269 ExecStopPost=/usr/sbin/ipsec --stopnflog (code=exited, status=0/SUCCESS)
      Process: 11267 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
      Process: 11265 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
      Process: 11260 ExecStop=/usr/libexec/ipsec/whack --shutdown (code=exited, status=0/SUCCESS)
      Process: 11523 ExecStartPre=/usr/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
      Process: 11521 ExecStartPre=/usr/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
      Process: 11277 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
      Process: 11275 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
     Main PID: 11534 (pluto)
       CGroup: /system.slice/ipsec.service
               ├─11534 /usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
               └─11563 _pluto_adns

    abr 26 10:29:22 initiator.example.local pluto[11534]: "windows" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    abr 26 10:29:22 initiator.example.local pluto[11534]: "windows" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    abr 26 10:29:22 initiator.example.local pluto[11534]: "windows" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: I am behind NAT+peer behind NAT
    abr 26 10:29:22 initiator.example.local pluto[11534]: "windows" #1: I am sending my cert
    abr 26 10:29:22 initiator.example.local pluto[11534]: "windows" #1: I am sending a certificate request
    abr 26 10:29:22 initiator.example.local pluto[11534]: "windows" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    abr 26 10:29:22 initiator.example.local pluto[11534]: "windows" #1: STATE_MAIN_I3: sent MI3, expecting MR3
    abr 26 10:29:23 initiator.example.local pluto[11534]: "windows" #1: Main mode peer ID is ID_DER_ASN1_DN: 'CN=server.example.com'
    abr 26 10:29:23 initiator.example.local pluto[11534]: "windows" #1: no RSA public key known for 'CN=server.example.com'
    abr 26 10:29:23 initiator.example.local pluto[11534]: "windows" #1: sending encrypted notification INVALID_KEY_INFORMATION to 190.0.2.236:4500

IPsec settings are:

    conn windows
            type=transport
            authby=rsasig
            #leftrsasigkey=%cert
            #rightrsasigkey=%dnsondemand
            pfs=no
            rekey=no
            keyingtries=3
            narrowing=yes
            left=192.168.40.21
            leftprotoport=udp/l2tp
            leftcert=le-3dbfb38a-2a4d-42a2-8830-0f2711db9df9
            #leftid=le-3dbfb38a-2a4d-42a2-8830-0f2711db9df9
            right=192.0.2.236
            rightid="CN=server.example.com"
            #rightid=@server.example.com
            #rightrsasigkey=%cert
            #rightca=%same
            #right=server.example.com
            rightprotoport=udp/%any
            auto=start


Certificates list:

    certutil -L -d sql:/etc/ipsec.d/

    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI

    le-3dbfb38a-2a4d-42a2-8830-0f2711db9df9                      u,u,u


What is wrong with this configuration?


Thanks in advance!
-- 
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org
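A small checker, added here and not part of Sergio's post or of libreswan, that cross-references the three artefacts in the message (the conn block, the certutil listing and the pluto log, embedded below as constructed samples trimmed from the post): it reports the last IKE state reached, whether the configured rightid equals the peer ID pluto received, whether the leftcert nickname exists in the NSS database, and whether any database entry carries a CA trust flag (C or T) at all. The regexes and the trust-flag check are my assumptions about the output formats, not a diagnosis from the thread.

```python
import re
# Constructed samples, trimmed from the post above (CentOS 7 client, conn "windows").
IPSEC_CONF = """\
conn windows
        authby=rsasig
        leftcert=le-3dbfb38a-2a4d-42a2-8830-0f2711db9df9
        rightid="CN=server.example.com"
"""
CERTUTIL_OUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
le-3dbfb38a-2a4d-42a2-8830-0f2711db9df9                      u,u,u
"""
PLUTO_LOG = """\
pluto[11534]: "windows" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
pluto[11534]: "windows" #1: Main mode peer ID is ID_DER_ASN1_DN: 'CN=server.example.com'
pluto[11534]: "windows" #1: no RSA public key known for 'CN=server.example.com'
pluto[11534]: "windows" #1: sending encrypted notification INVALID_KEY_INFORMATION to 190.0.2.236:4500
"""
# What to pull out of each pluto line: last IKE state, peer ID, failure text, notification sent.
PATTERNS = {"last_state": r"to state (STATE_\w+)", "peer_id": r"peer ID is \w+: '([^']*)'",
            "failure": r"(no RSA public key known for '[^']*')", "notify": r"sending encrypted notification (\w+)"}

def parse_conn(conf, name):
    """Return the key=value settings of one conn block, quotes stripped, '#' lines skipped."""
    settings, inside = {}, False
    for s in (l.strip() for l in conf.splitlines()):
        if s.startswith("conn "):
            inside = s.split(None, 1)[1] == name
        elif inside and "=" in s and not s.startswith("#"):
            k, v = s.split("=", 1)
            settings[k.strip()] = v.strip().strip('"')
    return settings

def parse_certutil(out):
    """Map nickname -> trust flags (SSL,S/MIME,JAR/XPI) from 'certutil -L' output."""
    rows = (re.match(r"^(\S.*?)\s{2,}(\w*,\w*,\w*)$", l) for l in out.splitlines())
    return {m.group(1): m.group(2) for m in rows if m}

def check(conf=IPSEC_CONF, certutil_out=CERTUTIL_OUT, log=PLUTO_LOG, conn="windows"):
    """Cross-check conn block, NSS listing and pluto log; return a dict of findings."""
    settings, certs, d = parse_conn(conf, conn), parse_certutil(certutil_out), dict.fromkeys(PATTERNS)
    for line in (l for l in log.splitlines() if f'"{conn}"' in l):
        for key, rx in PATTERNS.items():
            m = re.search(rx, line)
            if m:
                d[key] = m.group(1)
    d["rightid_matches_peer"] = settings.get("rightid") == d["peer_id"]
    d["leftcert_in_nss"] = settings.get("leftcert") in certs
    # 'u' marks a user cert; a CA that pluto could chain the peer's cert to would carry C or T.
    d["ca_trust_flag_present"] = any("C" in f or "T" in f for f in certs.values())
    return d
```

Run `check()` on the samples to see that the IDs and the client certificate line up and that the listing holds no CA entry; point the three arguments at real files to reuse it.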