From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Fri Aug 23 2002 - 21:33:16 CEST
It seems that FreeS/WAN's private key and its certificate do not
match. If you have version 0.9.14 of the X.509 patch then you can
verify this by using the command
ipsec auto --listcerts
The FreeS/WAN certificate loaded with leftcert= should have the
comment "has private key" in the listing.
Regards
Andreas
ma wrote:
>
>
> I do everything from Sentinel with FreeS/WAN documentation but I can't
> connect.
>
> CN and E issue are different in all created certificates ...just like in
> documentation
>
> Can anybody help me?
>
> luzik_at_pc-plus.com.pl
>
> Sentinel log:
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> 00000000 00000000 [-1] / 0x00000000 } IP; Start isakmp sa negotiation
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> 00000000 00000000 [-1] / 0x00000000 } IP; Version = 1.0, Input packet
> fields = 0000
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> 00000000 00000000 [-1] / 0x00000000 } IP; Encode packet, version = 1.0,
> flags = 0x00000000
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Packet to old negotiation
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Version = 1.0, Input packet
> fields = 0001 SA
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Encode packet, version = 1.0,
> flags = 0x00000000
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Packet to old negotiation
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Warning, junk after packet len
> = 160, decoded = 157
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Version = 1.0, Input packet
> fields = 0052 KE CR NONCE
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Diffie-hellman secret
> g^xy[128] = 0x9cb8fd7b d3091e4d eed26d98 3e008dd6 04146e37 a6e72e60
> 3180ad45 739d86de d4c12529 8249e378 ee19dd36 8f6e860e df88bca2 48a34b9c
> 7d79c93e...
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Hash algorithm = hmac-md5
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Prf key[32] = 0xd81d5d4d
> 799ead69 34261c1b 31163ee6 2f2e2821 a9e00e17 78e40dcb 6dcc9cac
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Calculating SKEYID
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Output of SKEYID hash[16] =
> 0x093d8b3d 2230401e 24cc4d38 c401019f
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Output of SKEYID_d hash[16] =
> 0x7c8a80a5 a530a260 078f5650 9c855a78
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Output of SKEYID_a hash[16] =
> 0xe49c6ed8 b28a109d 3e178e1e 53c8ea04
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Output SKEYID_e hash[16] =
> 0x0e988e2b 9c47d979 8f1d658a ace47de0
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Final encryption key[24] =
> 0xe37db47e 8f8ad162 8b7d2d7d 528dc4dc 49e60654 0b0ff784
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Output of HASH_I hash[16] =
> 0x7b68b1eb 2b308813 12325158 0af4f954
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Encode packet, version = 1.0,
> flags = 0x00000001
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Packet to old negotiation
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Version = 1.0, Input packet
> fields = 008c ID CERT SIG
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Output of HASH_R hash[16] =
> 0xedb20f84 b6b55eb8 fc94872a f50e3406
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Signature check failed
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Error = Invalid signature (25)
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [0] / 0x8d37624c } Info; Sending negotiation back,
> error = 25
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [0] / 0x8d37624c } Info; Encode packet, version = 1.0,
> flags = 0x00000000
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [0] / 0x8d37624c } Info; Deleting negotiation
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Removing negotiation
>
> 0.0.0.0:500 (Initiator) <-> 192.168.3.1:500 { e96c793a 3d00001c -
> d8aa6528 962029d6 [-1] / 0x00000000 } IP; Deleting negotiation
>
> Freeswan log
>
> .....sent MR3 ISAKMP SA established
>
> ....ISAKMP SA must be encrypted
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
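The condition Andreas points at (the loaded certificate carries the public half of the private key actually used for signing) can also be checked offline with OpenSSL, independently of `ipsec auto --listcerts`. The script below is an added example, not code from the original thread or from FreeS/WAN; it assumes OpenSSL is installed and constructs its own throwaway key and certificate material (the file names and the `demo-gw` subject are made up for the demo).

```shell
#!/bin/sh
# Added example: confirm that a PEM certificate and a PEM private key
# belong together by comparing the SubjectPublicKeyInfo embedded in each.
# A mismatch here is exactly the situation where the peer ends up
# reporting "Signature check failed" / "Invalid signature": the gateway
# signs with one key but presents a certificate for another.
# Assumes the openssl CLI is available.

# cert_matches_key CERT.pem KEY.pem
#   exit 0 -> public key in cert equals public key derived from private key
#   exit 1 -> they differ (cert and key do not belong together)
#   exit 2 -> one of the files could not be parsed
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed test material: a self-signed certificate with its matching
# key, plus an unrelated key that must NOT match. Prints the temp dir.
make_demo_material() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-gw" \
        -keyout "$dir/gw.key" -out "$dir/gw.pem" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" >/dev/null 2>&1
    echo "$dir"
}

# Stand-alone run: the first check passes, the second must fail.
if [ "${DEMO_RUN:-1}" = "1" ]; then
    d=$(make_demo_material)
    cert_matches_key "$d/gw.pem" "$d/gw.key" && echo "gw.pem / gw.key: match"
    cert_matches_key "$d/gw.pem" "$d/other.key" || echo "gw.pem / other.key: MISMATCH"
    rm -rf "$d"
fi
```

Point the function at the files referenced by `leftcert=` and `leftrsasigkey=`/the private key in `ipsec.secrets` to verify a real gateway's material.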