[Swan] L2TP/IPsec with certificates: INVALID_KEY_INFORMATION
Sergio Belkin
sebelk at gmail.com
Wed Apr 27 14:20:40 UTC 2016
2016-04-26 21:09 GMT-03:00 Paul Wouters <paul at nohats.ca>:
> On Tue, 26 Apr 2016, Sergio Belkin wrote:
>
>> abr 26 10:29:22 initiator.example.local pluto[11534]: "windows" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>> abr 26 10:29:23 initiator.example.local pluto[11534]: "windows" #1: Main mode peer ID is ID_DER_ASN1_DN: 'CN=server.example.com'
>> abr 26 10:29:23 initiator.example.local pluto[11534]: "windows" #1: no RSA public key known for 'CN=server.example.com'
>> abr 26 10:29:23 initiator.example.local pluto[11534]: "windows" #1: sending encrypted notification INVALID_KEY_INFORMATION to 190.0.2.236:4500
>
> You seem to reject the remote certificate. Looks like a missing CA cert
> on your end?
>
>> leftcert=le-3dbfb38a-2a4d-42a2-8830-0f2711db9df9
>
>> rightid="CN=server.example.com"
>
>> Certificates list:
>>
>> certutil -L -d sql:/etc/ipsec.d/
>>
>> Certificate Nickname                          Trust Attributes
>>                                               SSL,S/MIME,JAR/XPI
>>
>> le-3dbfb38a-2a4d-42a2-8830-0f2711db9df9       u,u,u
>
> This lists only your EE-cert. I do not see the CA cert in there.
>
> If you create a PKCS#12 file, it should include the CAcert, EEcert and
> EEprivkey, and you can import that using "ipsec import file.p12"
>
> Paul
Thanks Paul,
I've successfully imported everything as you explained; now I have the
following issue:
Main PID: 17451 (pluto)
CGroup: /system.slice/ipsec.service
├─17451 /usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
└─17480 _pluto_adns
abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2: our client subnet returned doesn't match my proposal - us:192.168.40.21/32 vs them:192.0.2.65/32
abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2: peer client subnet returned doesn't match my proposal - us:190.226.58.236/32 vs them:172.16.100.2/32
abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2: cannot route template policy of RSASIG+ENCRYPT+DONT_REKEY+UP+IKEV1_ALLOW+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW
abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2: discarding duplicate packet; already STATE_QUICK_I1
abr 27 11:10:09 initiator.example.local pluto[17451]: "windows" #2: discarding duplicate packet; already STATE_QUICK_I1
abr 27 11:10:10 initiator.example.local pluto[17451]: "windows" #2: discarding duplicate packet; already STATE_QUICK_I1
abr 27 11:10:12 initiator.example.local pluto[17451]: "windows" #2: discarding duplicate packet; already STATE_QUICK_I1
abr 27 11:10:16 initiator.example.local pluto[17451]: "windows" #2: discarding duplicate packet; already STATE_QUICK_I1
I'm using NAT-T:
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.15 (netkey) on 3.10.0-327.13.1.el7.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
Please could you help me?
Thanks in advance!
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org
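As an added example, not from the thread or from Libreswan itself: a small POSIX shell check over `certutil -L -d sql:/etc/ipsec.d/` output that reports whether the NSS database holds a trusted CA cert next to the EE cert that `leftcert=` names, which is the gap Paul points at above (an EE cert alone cannot validate the peer's `CN=server.example.com` certificate). The two listings are constructed samples; the nickname "Example CA" is made up.

```sh
#!/bin/sh
# Print "nickname<TAB>trustflags" for each certificate row of a certutil -L
# listing. The header row "SSL,S/MIME,JAR/XPI" is skipped because it has "/".
nss_cert_rows() {
    printf '%s\n' "$1" | awk '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF
            sub(/[ \t]+[A-Za-z,]+[ \t]*$/, "")   # drop the trust column
            printf "%s\t%s\n", $0, flags
        }'
}

# Nicknames whose SSL trust column marks a trusted CA ("C" or "T"): the
# certificates pluto can use to validate the chain the peer presents.
nss_ca_nicknames() {
    nss_cert_rows "$1" | awk -F'\t' '{ split($2, t, ","); if (t[1] ~ /[CT]/) print $1 }'
}

# Nicknames that carry a private key ("u"): the only valid leftcert= values.
nss_ee_nicknames() {
    nss_cert_rows "$1" | awk -F'\t' '{ split($2, t, ","); if (t[1] ~ /u/) print $1 }'
}

# One-line verdict matching the diagnosis in the thread: an EE cert with no
# trusted CA cert means the peer's certificate cannot be validated.
nss_chain_verdict() {
    if [ -z "$(nss_ee_nicknames "$1")" ]; then
        echo "no EE cert with private key: leftcert= cannot be satisfied"
    elif [ -z "$(nss_ca_nicknames "$1")" ]; then
        echo "EE cert present but no trusted CA cert: peer chain cannot be validated"
    else
        echo "ok: EE cert and trusted CA cert present"
    fi
}

# Constructed sample listings. The first mirrors the thread (EE cert only);
# the second adds a CA cert under the made-up nickname "Example CA".
LISTING_EE_ONLY='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

le-3dbfb38a-2a4d-42a2-8830-0f2711db9df9                      u,u,u'

LISTING_WITH_CA="$LISTING_EE_ONLY
Example CA                                                   CT,,"

nss_chain_verdict "$LISTING_EE_ONLY"
nss_chain_verdict "$LISTING_WITH_CA"
```

On a live system, feed it the real output with `nss_chain_verdict "$(certutil -L -d sql:/etc/ipsec.d/)"`.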