<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">2016-04-26 21:09 GMT-03:00 Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="">On Tue, 26 Apr 2016, Sergio Belkin wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
abr 26 10:29:22 initiator.example.local pluto[11534]: "windows" #1: STATE_MAIN_I3: sent MI3, expecting MR3<br>
abr 26 10:29:23 initiator.example.local pluto[11534]: "windows" #1: Main mode peer ID is ID_DER_ASN1_DN:<br>
'CN=<a href="http://server.example.com" rel="noreferrer" target="_blank">server.example.com</a>'<br>
abr 26 10:29:23 initiator.example.local pluto[11534]: "windows" #1: no RSA public key known for<br>
'CN=<a href="http://server.example.com" rel="noreferrer" target="_blank">server.example.com</a>'<br>
abr 26 10:29:23 initiator.example.local pluto[11534]: "windows" #1: sending encrypted notification<br>
INVALID_KEY_INFORMATION to <a href="http://190.0.2.236:4500" rel="noreferrer" target="_blank">190.0.2.236:4500</a><br>
</blockquote>
<br></span>
You seem to reject the remote certificate. Looks like a missing CA cert<br>
on your end?<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
leftcert=le-3dbfb38a-2a4d-42a2-8830-0f2711db9df9<br>
</blockquote>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
rightid="CN=<a href="http://server.example.com" rel="noreferrer" target="_blank">server.example.com</a>"<br>
</blockquote><span class="">
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Certificates list:<br>
<br>
certutil -L -d sql:/etc/ipsec.d/<br>
<br>
Certificate Nickname Trust Attributes<br>
SSL,S/MIME,JAR/XPI<br>
<br>
le-3dbfb38a-2a4d-42a2-8830-0f2711db9df9 u,u,u<br>
</blockquote>
<br></span>
This lists only your EE-cert. I do not see the CA cert in there.<br>
<br>
If you create a PKCS#12 file, it should include the CAcert, EEcert and<br>
EEprivkey, and you can import that using "ipsec import file.p12"<span class=""><font color="#888888"><br>
<br>
Paul<br>
</font></span></blockquote></div><br><br></div><div class="gmail_extra">Thanks Paul, <br><br><br></div><div class="gmail_extra">I've successfully imported everything as you explained, now I have the following issue:<br><br> Main PID: 17451 (pluto)<br> CGroup: /system.slice/ipsec.service<br> ├─17451 /usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork<br> └─17480 _pluto_adns<br><br>abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2: our client subnet returned doesn't match my proposal - us:<a href="http://192.168.40.21/32">192.168.40.21/32</a> vs them:<a href="http://192.0.2.65/32">192.0.2.65/32</a><br>abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]<br>abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2: peer client subnet returned doesn't match my proposal - us:<a href="http://190.226.58.236/32">190.226.58.236/32</a> vs them:<a href="http://172.16.100.2/32">172.16.100.2/32</a><br>abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]<br>abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2: cannot route template policy of RSASIG+ENCRYPT+DONT_REKEY+UP+IKEV1_ALLOW+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW<br>abr 27 11:10:08 initiator.example.local pluto[17451]: "windows" #2: discarding duplicate packet; already STATE_QUICK_I1<br>abr 27 11:10:09 initiator.example.local pluto[17451]: "windows" #2: discarding duplicate packet; already STATE_QUICK_I1<br>abr 27 11:10:10 initiator.example.local pluto[17451]: "windows" #2: discarding duplicate packet; already STATE_QUICK_I1<br>abr 27 11:10:12 initiator.example.local pluto[17451]: "windows" #2: discarding duplicate packet; already STATE_QUICK_I1<br>abr 27 11:10:16 initiator.example.local pluto[17451]: "windows" #2: discarding duplicate packet; already STATE_QUICK_I1<br><br><br></div><div 
class="gmail_extra">I'm using NAT-T:<br>Verifying installed system and configuration files<br><br>Version check and ipsec on-path [OK]<br>Libreswan 3.15 (netkey) on 3.10.0-327.13.1.el7.x86_64<br>Checking for IPsec support in kernel [OK]<br> NETKEY: Testing XFRM related proc values<br> ICMP default/send_redirects [OK]<br> ICMP default/accept_redirects [OK]<br> XFRM larval drop [OK]<br>Pluto ipsec.conf syntax [OK]<br>Hardware random device [N/A]<br>Two or more interfaces found, checking IP forwarding [OK]<br>Checking rp_filter [OK]<br>Checking that pluto is running [OK]<br> Pluto listening for IKE on udp 500 [OK]<br> Pluto listening for IKE/NAT-T on udp 4500 [OK]<br> Pluto ipsec.secret syntax [OK]<br>Checking 'ip' command [OK]<br>Checking 'iptables' command [OK]<br>Checking 'prelink' command does not interfere with FIPS<br>Checking for obsolete ipsec.conf options [OK]<br>Opportunistic Encryption [DISABLED]<br><br></div><div class="gmail_extra">Please could you help me?<br><br></div><div class="gmail_extra">Thanks in advance!<br></div><div class="gmail_extra"><br></div><div class="gmail_extra">-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr">--<br>Sergio Belkin<br>LPIC-2 Certified - <a href="http://www.lpi.org" target="_blank">http://www.lpi.org</a></div></div></div></div>
</div></div>
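The check Paul does by eye on the `certutil -L` listing (the EE cert is there with `u,u,u`, but no CA cert), as an added example that is not part of the thread: a small parser for `certutil -L -d sql:/etc/ipsec.d/` output that reports which pieces of the IKE certificate setup are missing. The first listing is the one quoted above; the `Example CA` line with trust flags `CT,,` is constructed, and treating `C`/`T` in the SSL column as "trusted CA" is an assumption about NSS trust flags.

```python
"""Triage a certutil -L listing from the Libreswan NSS database.

Example code, not from the thread. NSS trust flags (assumed): 'u' = user
cert with a private key, 'C'/'T' = trusted CA; the first column is SSL.
"""
import re

# Listing as quoted in the thread: only the end-entity cert, no CA.
LISTING_EE_ONLY = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

le-3dbfb38a-2a4d-42a2-8830-0f2711db9df9                      u,u,u
"""

# Constructed: the same database after a CA cert has been imported.
LISTING_WITH_CA = LISTING_EE_ONLY + (
    "Example CA (constructed)                                     CT,,\n")

# nickname, whitespace, then three comma-separated flag groups at end of line
TRUST_RE = re.compile(
    r"^(?P<nick>.+?)\s+(?P<flags>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")


def parse_certutil_listing(text):
    """Return [(nickname, (ssl_flags, smime_flags, jar_flags)), ...]."""
    certs = []
    for line in text.splitlines():
        m = TRUST_RE.match(line.rstrip())
        if m:  # header lines never match: they carry no 'x,x,x' flag triple
            certs.append((m.group("nick"), tuple(m.group("flags").split(","))))
    return certs


def ike_cert_setup_status(text, leftcert):
    """Return a list of problems; empty means EE key and a trusted CA exist."""
    certs = dict(parse_certutil_listing(text))
    problems = []
    ee = certs.get(leftcert)
    if ee is None:
        problems.append(f"leftcert={leftcert} not found in the NSS database")
    elif "u" not in ee[0]:
        problems.append(f"{leftcert} has no private key (SSL flags {ee[0]!r})")
    # A CA is needed to validate the peer's cert; without one pluto reports
    # "no RSA public key known for 'CN=...'" as in the first log excerpt.
    if not any("C" in f[0] or "T" in f[0] for f in certs.values()):
        problems.append("no trusted CA certificate: import a PKCS#12 holding "
                        "CA cert, EE cert and key with 'ipsec import file.p12'")
    return problems
```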