[Swan] my ipsec connection is failing after upgrade to libreswan from openswan

Madhan Raj madhanrajrm at gmail.com
Thu Apr 16 04:00:07 UTC 2020


Just missed attaching the config files.

On Wed, Apr 15, 2020 at 9:06 PM Madhan Raj <madhanrajrm at gmail.com> wrote:

> Hi Paul and others,
>
> version: libreswan-3.25-4.1.el7.x86_64
>
> I have attached my policy details.
>
> In the logs it keeps rejecting my connection.
> Apr 16 06:05:09.608383: loading secrets from "/etc/ipsec.secrets"
> Apr 16 06:05:09.608414: no secrets filename matched "/etc/ipsec.d/secrets/71807379470.secrets"
> Apr 16 06:05:09.608440: no secrets filename matched "/etc/ipsec.d/secrets/71807379470.secrets"
> Apr 16 06:05:09.608774: "71807379470_x509" #1: initiating Main Mode
> Apr 16 06:05:09.612050: "71807379470_x509" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> Apr 16 06:05:09.619711: "71807379470_x509" #1: I am sending my cert
> Apr 16 06:05:09.619743: "71807379470_x509" #1: I am sending a certificate request
> Apr 16 06:05:09.625368: "71807379470_x509" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> Apr 16 06:05:09.641313: "71807379470_x509" #1: Peer ID is ID_DER_ASN1_DN: 'C=IN, ST=i, L=i, O=i, OU=i, CN=cucm-142'
> Apr 16 06:05:09.641847: "71807379470_x509" #1: X509: no EE-cert in chain!
> Apr 16 06:05:09.641884: "71807379470_x509" #1: X509: Certificate rejected for this connection
> Apr 16 06:05:09.641927: "71807379470_x509" #1: X509: CERT payload bogus or revoked
> Apr 16 06:05:09.641969: "71807379470_x509" #1: sending encrypted notification INVALID_ID_INFORMATION to 10.77.137.142:500
> Apr 16 06:05:09.642991: "71807379470_x509" #1: received PAYLOAD_MALFORMED
> Apr 16 06:05:10.119659: "71807379470_x509" #1: STATE_MAIN_I3: retransmission; will wait 0.5 seconds for response
> Apr 16 06:05:10.158984: "71807379470_x509" #1: Peer ID is ID_DER_ASN1_DN: 'C=IN, ST=i, L=i, O=i, OU=i, CN=cucm-142'
> Apr 16 06:05:10.159367: "71807379470_x509" #1: X509: no EE-cert in chain!
> Apr 16 06:05:10.159403: "71807379470_x509" #1: X509: Certificate rejected for this connection
> Apr 16 06:05:10.159426: "71807379470_x509" #1: X509: CERT payload bogus or revoked
> Apr 16 06:05:10.159465: "71807379470_x509" #1: sending encrypted notification INVALID_ID_INFORMATION to 10.77.137.142:500
> Apr 16 06:05:10.160542: "71807379470_x509" #1: received PAYLOAD_MALFORMED
> Apr 16 06:05:10.621130: "71807379470_x509" #1: STATE_MAIN_I3: retransmission; will wait 1 seconds for response
> Apr 16 06:05:10.623819: "71807379470_x509" #1: Peer ID is ID_DER_ASN1_DN: 'C=IN, ST=i, L=i, O=i, OU=i, CN=cucm-142'
> Apr 16 06:05:10.624153: "71807379470_x509" #1: X509: no EE-cert in chain!
> Apr 16 06:05:10.624187: "71807379470_x509" #1: X509: Certificate rejected for this connection
> Apr 16 06:05:10.624208: "71807379470_x509" #1: X509: CERT payload bogus or revoked
> Apr 16 06:05:10.624245: "71807379470_x509" #1: sending encrypted notification INVALID_ID_INFORMATION to 10.77.137.142:500
> Apr 16 06:05:11.623533: "71807379470_x509" #1: STATE_MAIN_I3: retransmission; will wait 2 seconds for response
> Apr 16 06:05:13.624146: "71807379470_x509" #1: STATE_MAIN_I3: retransmission; will wait 4 seconds for response
> Apr 16 06:05:17.624964: "71807379470_x509" #1: STATE_MAIN_I3: retransmission; will wait 8 seconds for response
> Apr 16 06:05:25.632808: "71807379470_x509" #1: STATE_MAIN_I3: retransmission; will wait 16 seconds for response
> Apr 16 06:05:25.634157: packet from 10.77.137.142:500: phase 1 message is part of an unknown exchange
> Apr 16 06:05:27.903516: "71807379470_x509" #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
> Apr 16 06:05:37.526420: "71807379470_x509" #1: next payload type of ISAKMP Hash Payload has an unknown value: 202 (0xca)
> Apr 16 06:05:37.526464: "71807379470_x509" #1: malformed payload in packet
>
>
> by end server certificate
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             21:00:00:00:06:f3:f5:a4:46:60:5d:83:b2:00:00:00:00:00:06
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: DC=internal, DC=CAPLAB, CN=CAPLAB-BLDR-DEV-201-CA-1
>         Validity
>             Not Before: Apr 14 02:18:57 2020 GMT
>             Not After : Apr 14 02:28:57 2022 GMT
>         Subject: C=IN, ST=i, L=i, O=i, OU=i, CN=cucm-142
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     00:a4:c8:44:64:a3:08:56:8f:23:c0:26:4e:7e:8e:
>                     e6:1e:52:4d:9c:0b:5e:48:7f:70:71:b9:37:68:ac:
>                     f7:e3:72:44:22:30:1a:7a:41:0d:e7:06:ea:7e:cd:
>                     c9:ad:88:52:fd:9c:5b:bb:de:ce:dd:64:05:47:b3:
>                     a7:13:02:5e:0a:99:b3:45:57:cd:ba:64:b8:22:3d:
>                     cb:4e:42:41:53:ea:7c:05:f9:bf:e5:35:9c:04:44:
>                     89:9a:f5:3f:41:3a:cc:55:6e:76:27:18:9f:01:d9:
>                     82:cf:26:28:66:d9:d1:84:59:dc:4a:85:84:1f:8f:
>                     3c:15:bc:7f:5d:b6:f4:26:93:50:64:e8:70:f5:fb:
>                     19:d0:37:9d:2b:e8:03:f4:8d:10:76:e2:91:24:57:
>                     7c:c4:f6:ca:39:2a:a6:66:af:69:14:33:f0:2f:35:
>                     6b:c7:00:39:4a:2f:0e:fd:f5:97:51:66:d4:0e:99:
>                     1d:0f:0b:dc:d7:0b:7e:a4:b0:21:11:d4:2e:3e:b4:
>                     f7:d2:0a:ba:22:3c:b9:3b:8e:be:71:91:06:8c:7a:
>                     c6:13:ec:df:d9:4c:47:1b:7f:5c:9c:34:93:24:49:
>                     f3:30:e4:3f:28:67:30:1f:7f:86:6a:0f:25:be:fd:
>                     5b:a3:66:05:6f:ba:ad:c3:c9:03:c0:1d:ba:9d:5e:
>                     4e:e5
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System
>             X509v3 Key Usage: critical
>                 Digital Signature, Certificate Sign, CRL Sign
>             X509v3 Subject Key Identifier:
>                 A4:8B:F6:FE:A2:86:7D:A9:2B:D2:73:8A:40:5A:A0:6E:B2:47:6F:5B
>             X509v3 Authority Key Identifier:
>                 keyid:15:2B:6B:1C:78:C9:49:28:8A:F0:2A:83:6A:A4:B4:93:C8:E4:64:96
>
>             X509v3 CRL Distribution Points:
>
>                 Full Name:
>                   URI:ldap:///CN=CAPLAB-BLDR-DEV-201-CA-1,CN=bldr-dev-201,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=CAPLAB,DC=internal?certificateRevocationList?base?objectClass=cRLDistributionPoint
>
>             Authority Information Access:
>                 CA Issuers - URI:ldap:///CN=CAPLAB-BLDR-DEV-201-CA-1,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=CAPLAB,DC=internal?cACertificate?base?objectClass=certificationAuthority
>
>             1.3.6.1.4.1.311.20.2:
>                 .
> .S.u.b.C.A
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>     Signature Algorithm: sha256WithRSAEncryption
>          4b:2f:45:dd:e3:63:bf:9c:ac:aa:7b:b0:a3:e2:27:3c:ff:e4:
>          1c:dc:c0:c9:09:6e:04:bf:78:c4:d4:c5:e8:86:e0:16:b9:94:
>          89:cd:fa:41:4c:34:89:01:6d:a8:43:49:42:33:91:1c:b1:d6:
>          79:42:a7:ae:38:8b:97:77:c6:77:6f:22:7d:8f:4e:67:a0:a4:
>          94:fd:df:3d:52:72:ea:ee:cd:d8:f6:95:94:13:f2:81:29:79:
>          d8:9d:09:55:d4:9a:62:5c:1e:5c:d2:a8:77:fc:8c:be:c2:86:
>          ba:9b:9c:2f:b9:34:5c:04:1f:6c:d7:c9:95:e8:82:e0:d8:a9:
>          33:d9:0b:35:6f:91:db:7a:6f:f7:e4:80:a2:ce:fc:72:f2:9f:
>          61:ba:e9:3a:c5:0f:4d:0c:a0:16:d2:8a:93:0e:18:7b:cb:38:
>          2a:4f:23:72:00:7a:13:c6:d3:40:f2:46:6b:40:79:71:84:2d:
>          d6:45:30:d4:c0:8f:83:04:1c:f2:54:16:00:88:41:c2:70:01:
>          e7:cb:81:83:e9:0d:78:6c:1e:9d:02:7d:db:c6:66:ad:a0:95:
>          a6:7f:30:ee:30:cd:34:e9:9f:71:ed:d0:2d:86:19:51:c9:d0:
>          82:05:9e:bc:ae:23:b4:60:62:66:c7:bf:39:70:87:71:e6:72:
>          0a:f3:2c:59
>
> Can you please help me out here ?
>
> Thanks,
> Madhan
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20200416/644da134/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 71807379470.conf
Type: application/octet-stream
Size: 425 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20200416/644da134/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.conf
Type: application/octet-stream
Size: 1084 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20200416/644da134/attachment-0003.obj>

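The certificate pasted in the post carries Basic Constraints CA:TRUE, a Key Usage of Digital Signature, Certificate Sign and CRL Sign, and a Microsoft certificate-template name (OID 1.3.6.1.4.1.311.20.2) whose BMPString value openssl renders as ".S.u.b.C.A", i.e. "SubCA". That is a subordinate-CA certificate, not an end-entity certificate, and it matches what libreswan logs: "X509: no EE-cert in chain!" means that none of the certificates in the received CERT payload is a non-CA certificate, so there is nothing to bind the peer ID to. The script below is an added example, not code from the thread or from libreswan; it builds two constructed self-signed test certificates with openssl (the file names subca.pem and ee.pem and the extension section names subca_ext and ee_ext are hypothetical), the first with the same extension profile as the posted certificate and the second with an end-entity profile, and applies the CA test plus a Key Usage sanity check to each.

```shell
#!/bin/sh
# Added example, not part of the mailing-list post or of libreswan. It
# reproduces with openssl(1) the classification behind libreswan's
# "X509: no EE-cert in chain!": a certificate with Basic Constraints
# CA:TRUE is a CA certificate and cannot act as the peer's end-entity cert.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config with two extension profiles (hypothetical names):
# subca_ext mirrors the extensions of the certificate in the post,
# ee_ext is what an IKE end-entity certificate should carry instead.
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ subca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
extendedKeyUsage = serverAuth,clientAuth,1.3.6.1.5.5.7.3.5
[ ee_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = 1.3.6.1.5.5.7.3.5
EOF

# gen_cert OUTFILE EXT_SECTION SUBJECT: constructed self-signed test certificate.
gen_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -sha256 \
        -config "$WORK/ext.cnf" -extensions "$2" -subj "$3" \
        -keyout "$WORK/$(basename "$1" .pem).key" -out "$1" 2>/dev/null
}

# cert_class CERTFILE: prints CA, EE or NOBC (no Basic Constraints extension).
cert_class() {
    txt=$(openssl x509 -in "$1" -noout -text)
    if printf '%s\n' "$txt" | grep -q 'CA:TRUE'; then
        echo CA
    elif printf '%s\n' "$txt" | grep -q 'CA:FALSE'; then
        echo EE
    else
        echo NOBC
    fi
}

# ike_ee_check CERTFILE: returns 0 if the certificate can act as an IKE
# end-entity certificate, 1 otherwise, and prints the reason. The CA test is
# the one libreswan applies; the Key Usage test is an extra sanity check for
# RSA signature authentication (the certificate must be allowed to sign).
ike_ee_check() {
    case $(cert_class "$1") in
        CA)   echo "reject: Basic Constraints CA:TRUE, this is a CA certificate, not an EE cert"; return 1 ;;
        NOBC) echo "warn: no Basic Constraints extension, treating as end-entity" ;;
    esac
    # The Key Usage values are printed on the line after the extension header.
    ku=$(openssl x509 -in "$1" -noout -text | awk '/X509v3 Key Usage/ { getline; print; exit }')
    case "$ku" in
        *"Digital Signature"*) ;;
        "") ;;   # no Key Usage extension: nothing forbids signing
        *) echo "reject: Key Usage lacks digitalSignature ($ku)"; return 1 ;;
    esac
    echo "accept: end-entity certificate usable for IKE"
    return 0
}

gen_cert "$WORK/subca.pem" subca_ext "/C=IN/O=i/CN=cucm-142"
gen_cert "$WORK/ee.pem"    ee_ext    "/C=IN/O=i/CN=cucm-142"

for f in "$WORK/subca.pem" "$WORK/ee.pem"; do
    printf '%s: ' "$(basename "$f")"
    ike_ee_check "$f" || true
done
```

Run against the certificate the peer actually sends (for example one saved from a packet capture or exported from the peer's certificate store), the script prints "reject: Basic Constraints CA:TRUE ..." for a certificate like the one in the post; the fix on the peer side is to issue its identity certificate from an end-entity template (CA:FALSE, digitalSignature) rather than from a SubCA template.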