[Solved] IPSEC / RSA Broken ?



  • Hi,

    I can't run IPsec with certificates; I don't know if it's a mistake on my part or a bug.

    My configuration :

    2.0-RC1 (i386) built on Sat Feb 26 15:30:26 EST 2011
    Host A and B with static address
    Negotiation mode : main
    My identifier : Distinguished name (Ex: hostA.vpn.mydomain.tld)
    Proposal Checking : Obey
    NAT-T : Disabled
    ESP, ports 4500/500 allowed

    Relevant logs :

    Mar 22 16:17:13 racoon: ERROR: phase1 negotiation failed due to time up. 743afea88736c58b:2f1c2544d53341b8
    Mar 22 16:17:04 racoon: ERROR: no peer's CERT payload found.
    Mar 22 16:17:04 racoon: ERROR: failed to get subjectAltName
    Mar 22 16:17:04 racoon: ERROR:

    With PSK, no problem !

    I hope someone can help me, thank you in advance.



  • After spending over 3 hours, problem solved.
    Moved from "My identifier : Distinguished name" to "ASN.1 distinguished Name"

    Thanks to those who have read this message :)



  • @MrJacK:

    After spending over 3 hours, problem solved.
    Moved from "My identifier : Distinguished name" to "ASN.1 distinguished Name"

    Thanks to those who have read this message :)

    And what value did you use for that parameter? I'm using the DN given by the Cert Manager, but racoon complains with:

    racoon: ERROR: 46968:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/a_mbstr.c:154:maxsize=2



  • Could you please tell me how you created the certificates?  :-\



  • Try leaving it blank. I have both My and Peer identifier set to 'ASN.1 distinguished Name' with blank values and it's working fine.

    @cyruspy:

    @MrJacK:

    After spending over 3 hours, problem solved.
    Moved from "My identifier : Distinguished name" to "ASN.1 distinguished Name"

    Thanks to those who have read this message :)

    And what value did you use for that parameter? I'm using the DN given by the Cert Manager, but racoon complains with:

    racoon: ERROR: 46968:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/a_mbstr.c:154:maxsize=2



  • @azzido: yeah thx for your tip  ;D

    but do you know what this warning means?

    May 2 14:37:22 racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=AT/ST=xxx/L=xxxx/O=Traussnig/emailAddress=xxx/CN=internal-ca
    May 2 14:37:22 racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=AT/ST=xxx/L=xxx/O=Traussnig/emailAddress=xxx/CN=internal-ca

    vpn connection is working.



  • I think I remember seeing CRL messages in my logs as well. It probably tries to check the CRL upon client connection to see whether the user certificate has been revoked. As long as you don't revoke certificates, I would not worry about this.
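The two symptoms in this thread both come down to what is inside the certificate. racoon's "failed to get subjectAltName" error is what it reports when it tries to match a host-name (FQDN) identifier, which is what pfSense's "Distinguished name" identifier type sends, against the peer certificate's subjectAltName extension and the certificate has none; with the "ASN.1 distinguished Name" identifier type it compares the certificate's subject DN instead, which every certificate has, so switching the identifier type works around a certificate that was issued without a SAN. The later "unable to get certificate CRL" warnings mean the daemon could not fetch a revocation list for the chain, so revoked certificates would not be rejected. The Go program below is an added example, not code from the thread or from pfSense or racoon: it builds two constructed self-signed test certificates (one with a DNS SAN, one without, the second carrying a placeholder CRL distribution point URL) and reports, for each, the subject DN, the SANs an FQDN identifier could match, and the CRL distribution points. The same `InspectCert` function works on any certificate you parse with `x509.ParseCertificate`, so it can be pointed at the certificates from the Cert Manager to check them before configuring the tunnel. The names and the `crl.example.invalid` URL are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertIdentity collects the certificate fields an IKE daemon such as racoon can
// match a phase 1 identifier against, plus where it would look for a CRL.
type CertIdentity struct {
	SubjectDN string   // matched by an ASN.1 DN identifier
	DNSNames  []string // matched by an FQDN ("Distinguished name" in pfSense) identifier
	CRLDPs    []string // URLs the daemon would fetch a CRL from; empty means no CRL check is possible
}

// InspectCert extracts the identity-relevant fields from a parsed certificate.
func InspectCert(cert *x509.Certificate) CertIdentity {
	return CertIdentity{
		SubjectDN: cert.Subject.String(),
		DNSNames:  cert.DNSNames,
		CRLDPs:    cert.CRLDistributionPoints,
	}
}

// HasFQDNIdentity reports whether an FQDN identifier with the given value could be
// matched against the certificate's subjectAltName DNS names. A certificate with no
// SAN can never match, which is the "failed to get subjectAltName" situation.
func HasFQDNIdentity(id CertIdentity, fqdn string) bool {
	for _, name := range id.DNSNames {
		if name == fqdn {
			return true
		}
	}
	return false
}

// MakeTestCert builds a constructed, self-signed certificate for demonstration only.
// cn becomes the subject CN; sans (may be nil) become DNS subjectAltNames; crlDPs
// (may be nil) become CRL distribution point URLs.
func MakeTestCert(cn string, sans []string, crlDPs []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Country: []string{"AT"}, Organization: []string{"Example"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		DNSNames:              sans,
		CRLDistributionPoints: crlDPs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// report prints the diagnosis a practitioner would want before picking an identifier type.
func report(label string, id CertIdentity, fqdn string) {
	fmt.Printf("%s\n  subject DN: %s\n  SAN DNS names: %v\n  CRL distribution points: %v\n",
		label, id.SubjectDN, id.DNSNames, id.CRLDPs)
	if HasFQDNIdentity(id, fqdn) {
		fmt.Printf("  FQDN identifier %q matches the SAN: 'Distinguished name' works\n", fqdn)
	} else {
		fmt.Printf("  FQDN identifier %q has no SAN to match: use 'ASN.1 distinguished Name'\n", fqdn)
	}
	if len(id.CRLDPs) == 0 {
		fmt.Println("  no CRL distribution point: expect 'unable to get certificate CRL' warnings")
	}
}

func main() {
	const fqdn = "hostA.vpn.mydomain.tld" // assumed host name, taken from the thread's example
	withSAN, err := MakeTestCert(fqdn, []string{fqdn}, nil)
	if err != nil {
		panic(err)
	}
	noSAN, err := MakeTestCert(fqdn, nil, []string{"http://crl.example.invalid/ca.crl"}) // placeholder URL
	if err != nil {
		panic(err)
	}
	report("certificate issued with a SAN", InspectCert(withSAN), fqdn)
	report("certificate issued without a SAN", InspectCert(noSAN), fqdn)
}
```

The check is deliberately split from the certificate construction so that `InspectCert` and `HasFQDNIdentity` can be applied to a real certificate read from disk (decode the PEM, call `x509.ParseCertificate`); the CRL distribution point list tells you whether the "unable to get certificate CRL" warning is expected for that chain or whether the daemon is failing to reach a CRL that the CA does publish.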

