
Re: [Users] white spaces in leftid

From: johan (johan30_at_easynet.be)
Date: Tue May 07 2002 - 00:22:33 CEST


Hi,

The connection is not being established. Here is some more detail from the pluto
debug output (it concerns the error messages; they are the reason why I cannot
get a tunnel):
'"easynet-rsa" #3: max number of retransmissions (2) reached
STATE_MAIN_I3. Possible authentication failure: no acceptable response
to our first encrypted message' and "inserting event EVENT_RETRANSMIT,
timeout in 10 seconds for #3" are the most important.

May 6 23:09:30 spiderke Pluto[13939]: Starting Pluto (FreeS/WAN Version
1.97)
May 6 23:09:30 spiderke Pluto[13939]: including X.509 patch (Version
0.9.11)
May 6 23:09:30 spiderke Pluto[13939]: | opening /dev/urandom
May 6 23:09:30 spiderke Pluto[13939]: | inserting event
EVENT_REINIT_SECRET, timeout in 3600 seconds
May 6 23:09:30 spiderke Pluto[13939]: | process 13939 listening for
PF_KEY_V2 on file descriptor 6
May 6 23:09:30 spiderke Pluto[13939]: | finish_pfkey_msg: SADB_REGISTER
message 1 for AH
May 6 23:09:30 spiderke Pluto[13939]: | 02 07 00 02 02 00 00 00 01
00 00 00 73 36 00 00
May 6 23:09:30 spiderke Pluto[13939]: | pfkey_get: SADB_REGISTER
message 1
May 6 23:09:30 spiderke Pluto[13939]: | AH registered with kernel.
May 6 23:09:30 spiderke Pluto[13939]: | finish_pfkey_msg: SADB_REGISTER
message 2 for ESP
May 6 23:09:30 spiderke Pluto[13939]: | 02 07 00 03 02 00 00 00 02
00 00 00 73 36 00 00
May 6 23:09:30 spiderke Pluto[13939]: | pfkey_get: SADB_REGISTER
message 2
May 6 23:09:30 spiderke Pluto[13939]: | ESP registered with kernel.
May 6 23:09:30 spiderke Pluto[13939]: | finish_pfkey_msg: SADB_REGISTER
message 3 for IPCOMP
May 6 23:09:30 spiderke Pluto[13939]: | 02 07 00 0a 02 00 00 00 03
00 00 00 73 36 00 00
May 6 23:09:30 spiderke Pluto[13939]: | pfkey_get: SADB_REGISTER
message 3
May 6 23:09:30 spiderke Pluto[13939]: | IPCOMP registered with kernel.
May 6 23:09:30 spiderke Pluto[13939]: | finish_pfkey_msg: SADB_REGISTER
message 4 for IPIP
May 6 23:09:30 spiderke Pluto[13939]: | 02 07 00 09 02 00 00 00 04
00 00 00 73 36 00 00
May 6 23:09:30 spiderke Pluto[13939]: | pfkey_get: SADB_REGISTER
message 4
May 6 23:09:30 spiderke Pluto[13939]: | IPIP registered with kernel.
May 6 23:09:30 spiderke Pluto[13939]: | inserting event
EVENT_SHUNT_SCAN, timeout in 120 seconds
May 6 23:09:30 spiderke Pluto[13939]: Changing to directory
'/etc/ipsec.d/cacerts'
May 6 23:09:30 spiderke Pluto[13939]: loaded cacert file 'caCert.der'
(873 bytes)
May 6 23:09:30 spiderke Pluto[13939]: | file coded in DER format
(...)

May 6 23:09:30 spiderke Pluto[13939]: | L5 - publicExponent:
May 6 23:09:30 spiderke Pluto[13939]: | 01 00 01
May 6 23:09:30 spiderke Pluto[13939]: | L2 - optional extensions:
May 6 23:09:30 spiderke Pluto[13939]: | L3 - extensions:
May 6 23:09:30 spiderke Pluto[13939]: | L4 - extension:
May 6 23:09:30 spiderke Pluto[13939]: | L5 - extnID:
May 6 23:09:30 spiderke Pluto[13939]: | 'subjectKeyIdentifier'
May 6 23:09:30 spiderke Pluto[13939]: | L5 - critical:
May 6 23:09:30 spiderke Pluto[13939]: | FALSE
May 6 23:09:30 spiderke Pluto[13939]: | L5 - extnValue:
May 6 23:09:30 spiderke Pluto[13939]: | 04 14 43 00 c7 8f 4c d5 06
51 0c b6 33 71 75 29
May 6 23:09:30 spiderke Pluto[13939]: | 7a 4b 2e e1 89 d4
May 6 23:09:30 spiderke Pluto[13939]: | L4 - extension:
May 6 23:09:30 spiderke Pluto[13939]: | L5 - extnID:
May 6 23:09:30 spiderke Pluto[13939]: | 'authorityKeyIdentifier'
May 6 23:09:30 spiderke Pluto[13939]: | L5 - critical:
May 6 23:09:30 spiderke Pluto[13939]: | FALSE
May 6 23:09:30 spiderke Pluto[13939]: | L5 - extnValue:

(...)
May 6 23:09:34 spiderke Pluto[13939]: | ***emit ISAKMP Identification
Payload (IPsec DOI):
May 6 23:09:34 spiderke Pluto[13939]: | next payload type:
ISAKMP_NEXT_CERT
May 6 23:09:34 spiderke Pluto[13939]: | ID type: ID_DER_ASN1_DN
May 6 23:09:34 spiderke Pluto[13939]: | Protocol ID: 0
May 6 23:09:34 spiderke Pluto[13939]: | port: 0
May 6 23:09:34 spiderke Pluto[13939]: | emitting 134 raw bytes of my
identity into ISAKMP Identification Payload (IPsec DOI)
(...)
May 6 23:09:34 spiderke Pluto[13939]: | emitting length of ISAKMP
Identification Payload (IPsec DOI): 142
May 6 23:09:34 spiderke Pluto[13939]: | ***emit ISAKMP Certificate
Payload:
May 6 23:09:34 spiderke Pluto[13939]: | next payload type:
ISAKMP_NEXT_CR
May 6 23:09:34 spiderke Pluto[13939]: | cert encoding:
CERT_X509_SIGNATURE
May 6 23:09:34 spiderke Pluto[13939]: | emitting 856 raw bytes of CERT
into ISAKMP Certificate Payload
(...)
May 6 23:12:03 spiderke Pluto[13939]: | encrypting using
OAKLEY_3DES_CBC
May 6 23:12:03 spiderke Pluto[13939]: | next IV: b8 22 f0 38 28 0a 15
8c
May 6 23:12:03 spiderke Pluto[13939]: | emitting length of ISAKMP
Message: 1316
May 6 23:12:03 spiderke Pluto[13939]: | sending 1316 bytes for
STATE_MAIN_I2 through ppp0 to 212.100.163.40:500:
(...)
May 6 23:12:03 spiderke Pluto[13939]: | inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #3
May 6 23:12:03 spiderke Pluto[13939]: | next event EVENT_RETRANSMIT in
10 seconds for #3
May 6 23:12:13 spiderke Pluto[13939]: |
May 6 23:12:13 spiderke Pluto[13939]: | *time to handle event
May 6 23:12:13 spiderke Pluto[13939]: | event after this is
EVENT_SHUNT_SCAN in 77 seconds
May 6 23:12:13 spiderke Pluto[13939]: | handling event EVENT_RETRANSMIT
for 212.100.163.40 "easynet-rsa" #3
May 6 23:12:13 spiderke Pluto[13939]: | sending 1316 bytes for
EVENT_RETRANSMIT through ppp0 to 212.100.163.40:500
(...)

May 6 23:12:33 spiderke Pluto[13939]: | inserting event
EVENT_RETRANSMIT, timeout in 40 seconds for #3
May 6 23:12:33 spiderke Pluto[13939]: | next event EVENT_RETRANSMIT in
40 seconds for #3
May 6 23:13:13 spiderke Pluto[13939]: |
May 6 23:13:13 spiderke Pluto[13939]: | *time to handle event
May 6 23:13:13 spiderke Pluto[13939]: | event after this is
EVENT_SHUNT_SCAN in 17 seconds
May 6 23:13:13 spiderke Pluto[13939]: | handling event EVENT_RETRANSMIT
for 212.100.163.40 "easynet-rsa" #3
May 6 23:13:13 spiderke Pluto[13939]: "easynet-rsa" #3: max number of
retransmissions (2) reached STATE_MAIN_I3. Possible authentication
failure: no acceptable response to our first encrypted message

Greetings,
Johan

On Mon, 2002-05-06 at 11:33, Andreas Steffen wrote:
> Well, the connection is loaded successfully:
>
> > May 6 08:09:08 spiderke Pluto[31222]: added connection description
> > "easynet-rsa"
>
> Then you start the connection:
>
> > May 6 08:09:08 spiderke Pluto[31222]: "easynet-rsa" #1: initiating Main
> > Mode
>
> A lot of "garbage" produced by KLIPS follows but the rest of the
> log is missing. What happens after that? Does the connection get
> established?
>
> Regards
>
> Andreas
>
> johan wrote:
> >
> > Hi,
> >
> > If I do that, I receive the following messages:
> >
> >
> >
> > May 6 08:09:07 spiderke Pluto[31222]: Starting Pluto (FreeS/WAN Version
> > 1.97)
> > May 6 08:09:07 spiderke Pluto[31222]: including X.509 patch (Version
> > 0.9.11)
> > May 6 08:09:07 spiderke Pluto[31222]: Changing to directory
> > '/etc/ipsec.d/cacerts'
> > May 6 08:09:07 spiderke Pluto[31222]: loaded cacert file 'caCert.der'
> > (873 bytes)
> > May 6 08:09:07 spiderke Pluto[31222]: Changing to directory
> > '/etc/ipsec.d/crls'
> > May 6 08:09:07 spiderke Pluto[31222]: loaded crl file 'crl.der' (333
> > bytes)
> > May 6 08:09:07 spiderke Pluto[31222]: loaded my default X.509 cert
> > file '/etc/x509cert.der' (856 bytes)
> > May 6 08:09:08 spiderke Pluto[31222]: added connection description
> > "easynet-rsa"
> > May 6 08:09:08 spiderke Pluto[31222]: listening for IKE messages
> > May 6 08:09:08 spiderke Pluto[31222]: adding interface ipsec0/ppp0
> > 213.193.182.49
> > May 6 08:09:08 spiderke Pluto[31222]: loading secrets from
> > "/etc/ipsec.secrets"
> > May 6 08:09:08 spiderke Pluto[31222]: "easynet-rsa" #1: initiating Main
> > Mode
> > May 6 08:09:09 spiderke Pluto[31222]: "easynet-rsa" #1: ignoring Vendor
> > ID payload
> >
> > -----------------------------
> > May 6 08:09:09 spiderke kernel: klips_debug: IP: ihl:20 ver:4 tos:0
> > tlen:208 id:0 DF frag_off:0 ttl:64 proto:17 (UDP) chk:13981
> > saddr:213.193.182.49:500 daddr:212.100.163.40:500
> > May 6 08:09:09 spiderke kernel: klips_debug:ipsec_findroute:
> > 213.193.182.49->212.100.163.40
> > May 6 08:09:09 spiderke kernel: klips_debug:rj_match: * See if we match
> > exactly as a host destination
> > May 6 08:09:09 spiderke kernel: klips_debug:rj_match: ** try to match a
> > leaf, t=0xc81f6490
> > May 6 08:09:09 spiderke kernel: klips_debug:ipsec_findroute: found,
> > points to proto=61, spi=104, dst=0.
> > May 6 08:09:09 spiderke kernel: klips_debug:ipsec_tunnel_start_xmit:
> > checking for local udp/500 IKE packet saddr=d5c1b631, er=c81f6490,
> > daddr=d464a328, er_dst=0, proto=17 sport=500 dport=0
> > May 6 08:09:09 spiderke kernel: klips_debug:ipsec_tunnel_start_xmit:
> > Original head,tailroom: 16,16
> > May 6 08:09:09 spiderke kernel: klips_debug:ipsec_tunnel_start_xmit:
> > PASS: calling dev_queue_xmit
> > May 6 08:09:09 spiderke kernel: klips_debug:ipsec_tunnel_start_xmit:
> > With hard_header, final head,tailroom: 16,16
> > May 6 08:09:09 spiderke kernel: klips_debug:ipsec_tunnel_start_xmit:
> > ...done, calling ip_send() on device:ppp0
> > May 6 08:09:09 spiderke kernel: klips_debug: IP: ihl:20 ver:4 tos:0
> > tlen:208 id:0 DF frag_off:0 ttl:64 proto:17 (UDP) chk:13981
> > saddr:213.193.182.49:500 daddr:212.100.163.40:500
> > May 6 08:09:09 spiderke kernel: klips_debug:ipsec_version_get_info:
> > buffer=0xcd626000, *start=0x0, offset=0, length=3072
> > May 6 08:09:09 spiderke kernel: klips_debug:ipsec_version_get_info:
> > buffer=0xcd626000, *start=0x0, offset=24, length=3072
> > May 6 08:09:09 spiderke kernel: klips_debug:@@ flags = 6 @key =
> > c6c241f0 key = 00000000->00000000 @mask = 00000000
> > May 6 08:09:09 spiderke kernel: klips_debug:@@ flags = 4 @key =
> > c81f64e0 key = d5c1b631->d464a300 @mask = cf038240 mask =
> > ffffffff->ffffff00
> > May 6 08:09:09 spiderke kernel: klips_debug:* off = 0
> > May 6 08:09:09 spiderke kernel: klips_debug:@ flags = 6 @key = c6c241fc
> > key = ffffffff->ffffffff @mask = 00000000
> > May 6 08:09:09 spiderke kernel: klips_debug: off = 0
> > May 6 08:09:09 spiderke kernel: klips_debug:ipsec_eroute_get_info:
> > buffer=0xc9e72000, *start=0x0, offset=0, length=3072
> > May 6 08:09:09 spiderke kernel: klips_debug:rj_walktree: for:
> > rn=cb4e08f8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
> > May 6 08:09:09 spiderke kernel: klips_debug:rj_walktree: processing
> > leaves, rn=c81f6490 rj_b=-1 rj_flags=4 leaf key = d5c1b631->d464a300
> > May 6 08:09:09 spiderke kernel: klips_debug:rj_walktree: while:
> > base=00000000 rn=cb4e08f8 rj_b=-3 rj_flags=6 leaf key =
> > 00000000->00000000
> > May 6 08:09:09 spiderke kernel: klips_debug:rj_walktree: for:
> > rn=c81f6490 rj_b=-1 rj_flags=4 leaf key = d5c1b631->d464a300
> > May 6 08:09:09 spiderke kernel: klips_debug:rj_walktree: processing
> > leaves, rn=cb4e0928 rj_b=-3 rj_flags=6 leaf key = ffffffff->ffffffff
> > May 6 08:09:09 spiderke kernel: klips_debug:rj_walktree: while:
> > base=00000000 rn=c81f6490 rj_b=-1 rj_flags=4 leaf key =
> > d5c1b631->d464a300
> > May 6 08:09:09 spiderke kernel: klips_debug:ipsec_rj_walker_procprint:
> > rn=c81f6490, w0=cb9e7f4c
> > May 6 08:09:09 spiderke kernel: klips_debug:@@ flags = 6 @key =
> > c6c241f0 key = 00000000->00000000 @mask = 00000000
> > May 6 08:09:09 spiderke kernel: klips_debug:@@ flags = 4 @key =
> > c81f64e0 key = d5c1b631->d464a300 @mask = cf038240 mask =
> > ffffffff->ffffff00
> > May 6 08:09:09 spiderke kernel: klips_debug:* off = 0
> > May 6 08:09:09 spiderke kernel: klips_debug:@ flags = 6 @key = c6c241fc
> > key = ffffffff->ffffffff @mask = 00000000
> > May 6 08:09:09 spiderke kernel: klips_debug: off = 0
> > May 6 08:09:09 spiderke kernel: klips_debug:ipsec_eroute_get_info:
> > buffer=0xca57d000, *start=0x0, offset=61, length=3072
> > May 6 08:09:09 spiderke kernel: klips_debug:rj_walktree: for:
> > rn=cb4e08f8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
> > May 6 08:09:09 spiderke kernel: klips_debug:rj_walktree: processing
> > leaves, rn=c81f6490 rj_b=-1 rj_flags=4 leaf key = d5c1b631->d464a300
> > May 6 08:09:09 spiderke kernel: klips_debug:rj_walktree: while:
> > base=00000000 rn=cb4e08f8 rj_b=-3 rj_flags=6 leaf key =
> > 00000000->00000000
> > May 6 08:09:09 spiderke kernel: klips_debug:rj_walktree: for:
> > rn=c81f6490 rj_b=-1 rj_flags=4 leaf key = d5c1b631->d464a300
> > May 6 08:09:09 spiderke kernel: klips_debug:rj_walktree: processing
> > leaves, rn=cb4e0928 rj_b=-3 rj_flags=6 leaf key = ffffffff->ffffffff
> > May 6 08:09:09 spiderke kernel: klips_debug:rj_walktree: while:
> > base=00000000 rn=c81f6490 rj_b=-1 rj_flags=4 leaf key =
> > d5c1b631->d464a300
> > May 6 08:09:09 spiderke kernel: klips_debug:ipsec_rj_walker_procprint:
> > rn=c81f6490, w0=cb9e7f4c
> > May 6 08:09:09 spiderke kernel: klips_debug:ipsec_spi_get_info:
> > buffer=0xca57d000, *start=0x0, offset=0, length=3072
> > May 6 08:09:09 spiderke kernel: klips_debug:ipsec_spigrp_get_info:
> > buffer=0xca57d000, *start=0x0, offset=0, length=3072
> > May 6 08:09:09 spiderke kernel: klips_debug:ipsec_tncfg_get_info:
> > buffer=0xca57d000, *start=0x0, offset=0, length=3072
> > May 6 08:09:09 spiderke kernel: klips_debug:ipsec_tncfg_get_info:
> > buffer=0xca57d000, *start=0x0, offset=126, length=3072
> > May 6 08:09:10 spiderke kernel: klips_debug:ipsec_version_get_info:
> > buffer=0xc59db000, *start=0x0, offset=0, length=3072
> > May 6 08:09:10 spiderke kernel: klips_debug:ipsec_version_get_info:
> > buffer=0xc59db000, *start=0x0, offset=24, length=30
> >
> > Greetz,
> > Johan Boeckx
> >
> > On Sun, 2002-05-05 at 17:14, Andreas Steffen wrote:
> > > Due to a more stringent syntax checking introduced by the FreeS/WAN
> > > team I had to change my notation for IDs of type ID_DER_ASN1_DN.
> > > It is now
> > >
> > > leftid="/C=BE/ST=Brussels/L=Brussels/O=Easynet/OU=Customer Care/CN=johan.boeckx.be.easynet.net"
> > >
> > > IDs of type ID_FQDN don't need any quotes, thus
> > >
> > > rightid=@entropy.office.be.easynet.net
> > >
> > > Regards
> > >
> > > Andreas
> > >
> > > ======================================================================
> > > Andreas Steffen e-mail: andreas.steffen_at_zhwin.ch
> > > Zuercher Hochschule Winterthur home: http://www.zhwin.ch/~sna/
> > > CH-8401 Winterthur (Switzerland) phone: +41 76 340 25 56
> > > ===============================================================[ZHW]==
> > >
> > >
> > > > -----Original Message-----
> > > > From: users-admin_at_lists.freeswan.org
> > > > [mailto:users-admin_at_lists.freeswan.org]On Behalf Of johan
> > > > Sent: Thursday, 2 May 2002 02:53
> > > > To: users_at_lists.freeswan.org
> > > > Subject: [Users] white spaces in leftid
> > > >
> > > >
> > > > Hi,
> > > >
> > > > I have a problem since I tried to change from freeswan 1.91 to 1.92 and
> > > > now to freeswan 1.97. I have an ipsec to a remote netscreen10 where ipsec
> > > > is configured. The ipsec is configured with x509 certificate version
> > > > x509patch-0.9.11. The problem is the white space in the leftid at my
> > > > side and of course also for the other users, which means that all linux
> > > > users are forced to use freeswan 1.91 and not higher, which means they
> > > > cannot upgrade to a kernel higher than 2.4.9.
> > > >
> > > > conn easynet-rsa
> > > >     authby=rsasig
> > > >     left=%defaultroute
> > > >     leftid=@'/C=BE/ST=Brussels/L=Brussels/O=Easynet/OU=Customer Care/CN=johan.boeckx.be.easynet.net'
> > > >     leftrsasigkey=%cert
> > > >     right=212.100.163.12
> > > >     rightsubnet=212.100.163.0/24
> > > >     rightrsasigkey=%cert
> > > >     rightid=@'entropy.office.be.easynet.net'
> > > >     auto=start
> > > >
> > > >
> > > > As you can see, there is a white space in the OU: Customer Care.
> > > > The error message in the ipsec barf is:
> > > > May 2 02:30:17 spiderke ipsec__plutorun: ipsec_auto: fatal error in
> > > > "easynet-rsa": (/etc/ipsec.conf, line 64) white space within non-quoted
> > > > parameter "leftid"
> > > >
> > > > Is there a patch to resolve this problem, or another way?
> > > >
> > > > Greetz,
> > > > Johan Boeckx
> > > >
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > Users mailing list
> > > > Users_at_lists.freeswan.org
> > > > http://lists.freeswan.org/mailman/listinfo/users
> > > >
> > >
>
> --
> ======================================================================
> Andreas Steffen e-mail: andreas.steffen_at_zhwin.ch
> Zuercher Hochschule Winterthur home: http://www.zhwin.ch/~sna/
> CH-8401 Winterthur (Switzerland) phone: +41 76 340 25 56
> ===============================================================[ZHW]==
>
>
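
Added example (not part of the original mail and not FreeS/WAN code): a small triage script for folded Pluto debug output like the log in this message. It re-joins the wrapped records and reports, per state object, the retransmit timers that were armed, how often they fired, and the state in which Pluto gave up. The sample log is constructed; its hostname, PID, the 192.0.2.40 peer and the 20-second timer line are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample shaped like the mail-wrapped Pluto lines above
# (hostname, PID and the 192.0.2.40 peer are placeholders).
SAMPLE = """\
May  6 23:12:03 gw Pluto[100]: | inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #3
May  6 23:12:13 gw Pluto[100]: | handling event EVENT_RETRANSMIT
for 192.0.2.40 "easynet-rsa" #3
May  6 23:12:13 gw Pluto[100]: | inserting event
EVENT_RETRANSMIT, timeout in 20 seconds for #3
May  6 23:12:33 gw Pluto[100]: | handling event EVENT_RETRANSMIT
for 192.0.2.40 "easynet-rsa" #3
May  6 23:12:33 gw Pluto[100]: | inserting event
EVENT_RETRANSMIT, timeout in 40 seconds for #3
May  6 23:13:13 gw Pluto[100]: | handling event EVENT_RETRANSMIT
for 192.0.2.40 "easynet-rsa" #3
May  6 23:13:13 gw Pluto[100]: "easynet-rsa" #3: max number of
retransmissions (2) reached STATE_MAIN_I3. Possible authentication
failure: no acceptable response to our first encrypted message
"""

STAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ Pluto\[\d+\]: ")
TIMER = re.compile(r"EVENT_RETRANSMIT, timeout in (\d+) seconds for #(\d+)")
FIRED = re.compile(r'handling event EVENT_RETRANSMIT for (\S+) "([^"]+)" #(\d+)')
GAVE_UP = re.compile(r'"([^"]+)" #(\d+): max number of retransmissions '
                     r"\((\d+)\) reached (STATE_\w+)")

def unwrap(text):
    """Re-join syslog records that the mailer folded onto several lines."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not records:
            records.append(line)          # a timestamp starts a new record
        else:
            records[-1] += " " + line     # continuation of the previous one
    return records

def triage(text):
    """Per state object (#n): timers armed, timers fired, give-up state."""
    out = defaultdict(lambda: {"timeouts": [], "fired": 0})
    for rec in unwrap(text):
        if m := TIMER.search(rec):
            out[m[2]]["timeouts"].append(int(m[1]))
        elif m := FIRED.search(rec):
            out[m[3]].update(peer=m[1], conn=m[2], fired=out[m[3]]["fired"] + 1)
        elif m := GAVE_UP.search(rec):
            out[m[2]].update(conn=m[1], limit=int(m[3]), failed_state=m[4])
    return dict(out)
```

Calling `triage()` on the unfolded text of a real log gives one entry per `#n`; an entry with a `failed_state` identifies the exchange that never got an acceptable answer from the peer.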




This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:57 CEST