
Re: [Users] x509 certificate patch - error: no RSA public key found for <DN>

From: Andreas Steffen (andreas.steffen_at_strongsec.com)
Date: Wed Mar 27 2002 - 07:37:30 CET


The problem is the single quote in O=Chad's IPSec Client. The ID string
is exported as an environment variable to the updown script and wreaks
havoc there. As a workaround generate a certificate without single quotes
in the distinguished name. I'm going to check if the ID string must be
double-quoted before exporting it.

Regards

Andreas

Chad Carr wrote:
>
> On Sat, 23 Mar 2002 01:04:00 +0100
> "Andreas Steffen" <andreas.steffen_at_zhwin.ch> wrote:
>
> > Chad Carr wrote:
> >
> > > Feb 3 09:15:58 wlanfw Pluto[1901]: "w2k-road-warriors" #1: responding to Main Mode from unknown peer 192.168.3.10
> > > Feb 3 09:15:59 wlanfw Pluto[1901]: "w2k-road-warriors" #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=California, L=Orange, O=Win2000 Client, CN=Chad Carr, E=ccarr_at_franzdoodle.com'
> > > Feb 3 09:15:59 wlanfw Pluto[1901]: "w2k-road-warriors" #1: Certificate is invalid
> >
> > This error message says that the current date Feb 3 09:15:59 does not
> > fall between the notBefore and notAfter dates coded in the certificate.
> > This is why the cert is not valid.
>
> Thanks so much for your reply. Seems simple enough that it should have
> occurred to me without help, but thanks for it nonetheless. Setting my
> ipsec gateway's date to something more current than 1980 did the trick.
>
> Continuing, however, I am now to a point in my installation where I seem
> to get very close to a connection, but pluto is reporting that it cannot
> find some file called "IPSec" but I cannot find a reference to a file like
> that anywhere. I have looked very thoroughly at the scripts (so much so
> that I have modified _updown, _startklips and _realsetup to use iproute2
> instead of ifconfig, netstat and route for my embedded application which
> doesn't have those programs) and I cannot find anything in them. Is there
> a shell call in the pluto binary somewhere? Or am I misinterpreting the
> log file?
>
> Thanks in advance for taking the time to help. auth.log attached.
>
> Mar 25 09:56:51 wlanfw ipsec__plutorun: Starting Pluto subsystem...
> Mar 25 09:56:52 wlanfw Pluto[835]: Starting Pluto (FreeS/WAN Version 1.96)
> Mar 25 09:56:52 wlanfw Pluto[835]: including X.509 patch (Version 0.9.9)
> Mar 25 09:56:52 wlanfw Pluto[835]: Changing to directory '/etc/ipsec.d/cacerts'
> Mar 25 09:56:52 wlanfw Pluto[835]: loaded cacert file 'RootCA.der' (1146 bytes)
> Mar 25 09:56:52 wlanfw Pluto[835]: Changing to directory '/etc/ipsec.d/crls'
> Mar 25 09:56:52 wlanfw Pluto[835]: loaded crl file 'crl.pem' (682 bytes)
> Mar 25 09:56:52 wlanfw Pluto[835]: loaded my X.509 cert file '/etc/x509cert.der' (1195 bytes)
> Mar 25 09:56:54 wlanfw Pluto[835]: added connection description "w2k-road-warriors"
> Mar 25 09:56:55 wlanfw Pluto[835]: listening for IKE messages
> Mar 25 09:56:55 wlanfw Pluto[835]: adding interface ipsec0/eth0 192.168.3.1
> Mar 25 09:56:55 wlanfw Pluto[835]: loading secrets from "/etc/ipsec.secrets"
> Mar 25 09:59:34 wlanfw login[845]: root login on `ttyS0'
> Mar 25 10:00:57 wlanfw Pluto[835]: packet from 192.168.3.10:500: Informational Exchange is for an unknown (expired?) SA
> Mar 25 10:01:01 wlanfw Pluto[835]: packet from 192.168.3.10:500: ignoring Vendor ID payload
> Mar 25 10:01:01 wlanfw Pluto[835]: "w2k-road-warriors" 192.168.3.10 #1: responding to Main Mode from unknown peer 192.168.3.10
> Mar 25 10:01:02 wlanfw Pluto[835]: "w2k-road-warriors" 192.168.3.10 #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=California, L=Orange, O=Chad's IPSec Client, CN=Chad Carr, E=ccarr_at_franzdoodle.com'
> Mar 25 10:01:02 wlanfw Pluto[835]: "w2k-road-warriors" 192.168.3.10 #1: deleting connection "w2k-road-warriors" instance with peer 192.168.3.10
> Mar 25 10:01:04 wlanfw Pluto[835]: "w2k-road-warriors" 192.168.3.10 #1: sent MR3, ISAKMP SA established
> Mar 25 10:01:04 wlanfw Pluto[835]: "w2k-road-warriors" 192.168.3.10 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
> Mar 25 10:01:04 wlanfw Pluto[835]: "w2k-road-warriors" 192.168.3.10 #2: responding to Quick Mode
> Mar 25 10:01:05 wlanfw Pluto[835]: "w2k-road-warriors" 192.168.3.10 #2: up-client output: sh: IPSec: command not found
> Mar 25 10:01:05 wlanfw Pluto[835]: "w2k-road-warriors" 192.168.3.10 #2: up-client command exited with status 127
> Mar 25 10:01:05 wlanfw Pluto[835]: "w2k-road-warriors" 192.168.3.10 #1: ignoring Delete SA payload
> Mar 25 10:01:05 wlanfw Pluto[835]: "w2k-road-warriors" 192.168.3.10 #1: received and ignored informational message
> Mar 25 10:01:15 wlanfw Pluto[835]: "w2k-road-warriors" 192.168.3.10 #2: up-client output: sh: IPSec: command not found
> Mar 25 10:01:15 wlanfw Pluto[835]: "w2k-road-warriors" 192.168.3.10 #2: up-client command exited with status 127
> Mar 25 10:01:15 wlanfw Pluto[835]: ERROR: "w2k-road-warriors" 192.168.3.10 #2: pfkey write() of SADB_DELETE message 21 for Delete SA esp.caeb80d2_at_192.168.3.1 failed. Errno 3: No such process
> Mar 25 10:01:15 wlanfw Pluto[835]: | 02 04 00 03 0a 00 00 00 15 00 00 00 43 03 00 00
> Mar 25 10:01:15 wlanfw Pluto[835]: | 02 00 01 00 ca eb 80 d2 00 01 00 00 00 00 00 00
> Mar 25 10:01:15 wlanfw Pluto[835]: | 03 00 05 00 00 00 00 00 02 00 01 f4 c0 a8 03 0a
> Mar 25 10:01:15 wlanfw Pluto[835]: | 00 00 00 00 00 00 00 00 03 00 06 00 00 00 00 00
> Mar 25 10:01:15 wlanfw Pluto[835]: | 02 00 00 00 c0 a8 03 01 00 00 00 00 00 00 00 00
> Mar 25 10:01:35 wlanfw Pluto[835]: "w2k-road-warriors" 192.168.3.10 #2: up-client output: sh: IPSec: command not found
> Mar 25 10:01:35 wlanfw Pluto[835]: "w2k-road-warriors" 192.168.3.10 #2: up-client command exited with status 127
> Mar 25 10:01:35 wlanfw Pluto[835]: ERROR: "w2k-road-warriors" 192.168.3.10 #2: pfkey write() of SADB_DELETE message 28 for Delete SA esp.caeb80d2_at_192.168.3.1 failed. Errno 3: No such process
> Mar 25 10:01:35 wlanfw Pluto[835]: | 02 04 00 03 0a 00 00 00 1c 00 00 00 43 03 00 00
> Mar 25 10:01:35 wlanfw Pluto[835]: | 02 00 01 00 ca eb 80 d2 00 01 00 00 00 00 00 00
> Mar 25 10:01:35 wlanfw Pluto[835]: | 03 00 05 00 00 00 00 00 02 00 01 f4 c0 a8 03 0a
> Mar 25 10:01:35 wlanfw Pluto[835]: | 00 00 00 00 00 00 00 00 03 00 06 00 00 00 00 00
> Mar 25 10:01:35 wlanfw Pluto[835]: | 02 00 00 00 c0 a8 03 01 00 00 00 00 00 00 00 00
> Mar 25 10:02:15 wlanfw Pluto[835]: "w2k-road-warriors" 192.168.3.10 #2: max number of retransmissions (2) reached STATE_QUICK_R1
> Mar 25 10:02:15 wlanfw Pluto[835]: ERROR: "w2k-road-warriors" 192.168.3.10 #2: pfkey write() of SADB_DELETE message 29 for Delete SA esp.caeb80d2_at_192.168.3.1 failed. Errno 3: No such process
> Mar 25 10:02:15 wlanfw Pluto[835]: | 02 04 00 03 0a 00 00 00 1d 00 00 00 43 03 00 00
> Mar 25 10:02:15 wlanfw Pluto[835]: | 02 00 01 00 ca eb 80 d2 00 01 00 00 00 00 00 00
> Mar 25 10:02:15 wlanfw Pluto[835]: | 03 00 05 00 00 00 00 00 02 00 01 f4 c0 a8 03 0a
> Mar 25 10:02:15 wlanfw Pluto[835]: | 00 00 00 00 00 00 00 00 03 00 06 00 00 00 00 00
> Mar 25 10:02:15 wlanfw Pluto[835]: | 02 00 00 00 c0 a8 03 01 00 00 00 00 00 00 00 00

-- 
======================================================================
Andreas Steffen                 e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                  phone:  +41 76 340 25 56
Alter Zuerichweg 20             fax:    +41 52 268 74 34 
CH-8952 Schlieren (Switzerland) web:    http://www.strongsec.com 
======================================================================
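The failure Andreas describes above is a quoting bug: the peer's DN is
pasted into the command line that launches the updown script, and the
apostrophe in "O=Chad's IPSec Client" ends the shell's quoted string early,
so the shell takes the next word, IPSec, as a command name (the
"sh: IPSec: command not found" lines in the log). The example below is
added here to illustrate the mechanism and the defensive fix; it is not
FreeS/WAN code. The variable name PLUTO_PEER_ID and the "ipsec _updown"
invocation are assumptions modelled on the thread, and the two sample IDs
are constructed. Wrapping the value in double quotes instead would still
leave $, backquote and the double quote itself to the shell, so the robust
fix shown last is to hand the ID to the script through the process
environment and never let a shell parse it at all.

```python
"""Added example (not FreeS/WAN code): why a single quote in a peer DN
breaks a hand-quoted shell command line, and how to hand the ID to an
updown script safely. PLUTO_PEER_ID and 'ipsec _updown' are assumptions
modelled on the mailing-list thread."""
import os
import shlex
import subprocess
from typing import List, Optional

# Constructed sample IDs: the first is harmless, the second has the same
# shape as the DN in the log, with an apostrophe in the O= component.
SAFE_ID = "C=US, ST=California, L=Orange, O=Win2000 Client, CN=Chad Carr"
QUOTED_ID = "C=US, ST=California, L=Orange, O=Chad's IPSec Client, CN=Chad Carr"


def naive_shell_line(peer_id: str) -> str:
    """Hypothetical reconstruction of the bug: the ID is pasted between
    single quotes with no escaping, so a ' inside the DN closes the quote."""
    return f"PLUTO_PEER_ID='{peer_id}' ipsec _updown"


def safe_shell_line(peer_id: str) -> str:
    """If a shell line really must be built, let shlex.quote do the quoting:
    it closes the single quote, emits the apostrophe inside double quotes
    and reopens, so the DN survives as one word."""
    return f"PLUTO_PEER_ID={shlex.quote(peer_id)} ipsec _updown"


def shell_tokens(line: str) -> Optional[List[str]]:
    """Tokenise the line the way a strict POSIX shell would. Returns None
    when the quotes do not balance; a stray quote from the DN has then
    corrupted every word after it."""
    try:
        return shlex.split(line)
    except ValueError:
        return None


def run_updown_with_env(peer_id: str) -> str:
    """Preferred fix: do not interpolate the ID into a command string.
    Pass it in the environment and invoke the program as an argv list, so
    no shell ever tokenises the DN. A stand-in for _updown just echoes the
    variable back so the round trip can be checked."""
    env = {**os.environ, "PLUTO_PEER_ID": peer_id}
    result = subprocess.run(
        ["sh", "-c", 'printf %s "$PLUTO_PEER_ID"'],
        env=env, capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    for peer_id in (SAFE_ID, QUOTED_ID):
        print("naive  :", shell_tokens(naive_shell_line(peer_id)))
        print("quoted :", shell_tokens(safe_shell_line(peer_id)))
        print("via env:", run_updown_with_env(peer_id) == peer_id)
```

Running it shows the harmless ID tokenising to three words in every case,
while the naive line for the apostrophe ID is rejected by the tokeniser
(the DN is cut at "Chad" and the rest of the line is unbalanced); the
shlex.quote line and the environment hand-off both return the DN intact.
The same check is worth applying to every field that reaches an updown or
hook script from a peer-supplied certificate.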



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:47 CEST