Since I upgraded from lenny to testing, my client has been unable to connect to a server which also uses openswan but is still on lenny.
ipsec.conf on the client side was:
conn leftright
        leftsourceip=192.168.111.5
        leftsubnet=192.168.111.0/24
        leftrsasigkey=%cert
        leftcert=clientCert.pem
        left=%defaultroute
        leftid="C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=client.domain/emailAddress=xx@xx"
        rightid="C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=server.domain, E=xx@xx"
        right=server.dyndns.org
        rightsubnet=192.168.113.0/24
        rightrsasigkey=%cert
        rightcert=serverCert.pem
        auto=start
The serverCert.pem is only available on the server and the clientCert.pem only on the client.
Error from ipsec barf:
Feb 23 18:02:38 XXXXXXX pluto[18180]: "leftright" #1: no crl from issuer "C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=<CA>, E=<mailaddress>" found (strict=no)
Feb 23 18:02:38 XXXXXXX pluto[18180]: | authcert list locked by 'verify_x509cert'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | signature algorithm: 'md5WithRSAEncryption'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | digest: 44 49 e6 32 93 b1 8e 43 42 36 9b bd 04 53 f8 ab
Feb 23 18:02:38 XXXXXXX pluto[18180]: | authcert list unlocked by 'verify_x509cert'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | reached self-signed root ca
Feb 23 18:02:38 XXXXXXX pluto[18180]: | Public key validated
Feb 23 18:02:38 XXXXXXX pluto[18180]: "leftright" #1: we require peer to have ID '<SERVERIP>', but peer declares 'C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=<server.domain>, E=<mailaddress>'
After I removed the parameter rightcert=serverCert.pem, the connection works again. I don't know whether it is mandatory that the file is missing to reproduce this behaviour.
Although I am not sure whether it is a bug, I am reporting it to be on the safe side. At least I have seen many howtos which use rightcert and leftcert in one section.
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.31.7 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openswan depends on:
ii bind9-host [host] 1:9.6.1.dfsg.P3-1 Version of 'host' bundled with BIN
ii bsdmainutils 8.0.6 collection of more utilities from
ii debconf [debconf-2.0] 1.5.28 Debian configuration management sy
ii debianutils 3.2.2 Miscellaneous utilities specific t
ii iproute 20091226-1 networking and traffic control too
ii ipsec-tools 1:0.7.1-1.6 IPsec tools for Linux
ii libc6 2.10.2-2 GNU C Library: Shared libraries
ii libcurl3 7.19.7-1 Multi-protocol file transfer libra
ii libgmp3c2 2:4.3.2+dfsg-1 Multiprecision arithmetic library
ii libldap-2.4-2 2.4.17-2.1 OpenLDAP libraries
ii libpam0g 1.1.1-1 Pluggable Authentication Modules l
ii openssl 0.9.8k-8 Secure Socket Layer (SSL) binary a
openswan recommends no packages.
Versions of packages openswan suggests:
ii curl 7.19.7-1 Get a file from an HTTP, HTTPS or
pn openswan-modules-source | lin <none> (no description available)
-- debconf information excluded
--
To UNSUBSCRIBE, email to debian-bugs-...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
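The report above boils down to two observable facts: a rightcert that points at a file the client does not have, and pluto then demanding the peer's ID be the server's IP ('we require peer to have ID ...') even though rightid names a DN. The following is an added example, not code from the bug report or from openswan: a small lint that parses a conn section from ipsec.conf, flags leftcert/rightcert files that do not exist, and pulls the ID-mismatch events out of pluto log lines so the two can be correlated. It assumes that relative cert paths resolve under /etc/ipsec.d/certs (openswan's documented default, treated here as an assumption); the config text and log lines embedded below are constructed to mirror the report, with the hostname and addresses made up.

```python
"""Lint an openswan-style ipsec.conf conn section against pluto log output.

Added example for this bug thread; not part of openswan. Relative cert paths
are assumed to live under /etc/ipsec.d/certs (assumption, matching openswan's
documented default). SAMPLE_CONF and SAMPLE_LOG are constructed test data.
"""
import os
import re

CERT_DIR = "/etc/ipsec.d/certs"  # assumed default for relative leftcert/rightcert

# Constructed to mirror the reported client config (rightid is a DN, the
# peer's cert file is named but not present on the client).
SAMPLE_CONF = """\
conn leftright
    leftsourceip=192.168.111.5
    leftsubnet=192.168.111.0/24
    leftrsasigkey=%cert
    leftcert=clientCert.pem
    left=%defaultroute
    leftid="C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=client.domain, E=xx@xx"
    rightid="C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=server.domain, E=xx@xx"
    right=server.dyndns.org
    rightsubnet=192.168.113.0/24
    rightrsasigkey=%cert
    rightcert=serverCert.pem
    auto=start
"""

# Constructed log lines in pluto's format; the last one is the failure mode.
SAMPLE_LOG = [
    'Feb 23 18:02:38 host pluto[18180]: "leftright" #1: Main mode peer ID is '
    "ID_DER_ASN1_DN: 'C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=server.domain, E=xx@xx'",
    'Feb 23 18:02:38 host pluto[18180]: "leftright" #1: we require peer to have ID '
    "'198.51.100.7', but peer declares 'C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=server.domain, E=xx@xx'",
]

ID_MISMATCH = re.compile(
    r"\"(?P<conn>[^\"]+)\" #\d+: we require peer to have ID "
    r"'(?P<want>[^']*)', but peer declares '(?P<got>[^']*)'"
)


def parse_conns(text):
    """Return {conn_name: {option: value}} for every 'conn' section.

    Section headers start in column 0; options are indented. Comments and
    surrounding double quotes on values are stripped.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # section header
            m = re.match(r"conn\s+(\S+)", line)
            current = m.group(1) if m else None
            if current:
                conns[current] = {}
            continue
        if current is None:                  # inside 'config setup' etc.
            continue
        key, _, value = line.strip().partition("=")
        conns[current][key.strip()] = value.strip().strip('"')
    return conns


def cert_path(value):
    """Absolute paths are used as-is; relative ones resolve under CERT_DIR."""
    return value if os.path.isabs(value) else os.path.join(CERT_DIR, value)


def lint_conn(name, opts, exists=os.path.exists):
    """Flag leftcert/rightcert values whose file is missing on this host.

    `exists` is injectable so the check can run against a fake filesystem.
    """
    findings = []
    for side in ("left", "right"):
        cert = opts.get(side + "cert")
        if cert is None:
            continue
        path = cert_path(cert)
        if not exists(path):
            msg = f"{name}: {side}cert={cert} -> {path} does not exist"
            if side + "id" in opts:
                msg += f"; the configured {side}id may not take effect"
            findings.append(msg)
    return findings


def find_id_mismatches(lines):
    """Extract (conn, required_id, declared_id) from pluto log lines."""
    return [m.group("conn", "want", "got")
            for m in map(ID_MISMATCH.search, lines) if m]


def explain(conns, mismatches):
    """Correlate a mismatch with the conn's rightid/rightcert settings."""
    notes = []
    for conn, want, got in mismatches:
        opts = conns.get(conn, {})
        if opts.get("rightid") == got:
            notes.append(f"{conn}: peer declared exactly the configured rightid, "
                         f"yet pluto required '{want}'; check rightcert="
                         f"{opts.get('rightcert')} on this host")
    return notes


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_CONF)
    fake_fs = lambda p: p.endswith("clientCert.pem")  # only our own cert exists
    for name, opts in conns.items():
        print("\n".join(lint_conn(name, opts, exists=fake_fs)))
    print("\n".join(explain(conns, find_id_mismatches(SAMPLE_LOG))))
```

Run as-is it uses the constructed filesystem view (only clientCert.pem present) and prints both the missing-file finding and the correlation note; pointing `parse_conns` at the real /etc/ipsec.conf and `find_id_mismatches` at `ipsec barf` output gives the same two checks for a live host. The lint deliberately says only that a missing cert file and an ignored rightid were observed together, which is what the report shows; it does not claim which openswan versions behave this way.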
Both options have no influence.
May I ask why you are suggesting these options to me? Do you think my
configuration is wrong?
If not, there is no need to suggest other options to me, because
everything works fine without rightcert set and I had no need to
set it anyway. I set it only because I started with the
same configuration on the server and the client.
Thus I don't think anyone can do something for me unless my
configuration is wrong. Instead, it can be clarified whether this
behaviour is new and whether it is intended. If so, maybe the maintainer
wants to document it somewhere.
> Subject: openswan: pluto seems to ignore rightid if rightcert is set to
> missing file
>
> Paul wrote:
>> Try using leftid=%fromcert
>> You might also want to add leftsendcert=always
>
> Both options have no influence.
Hmm, then perhaps a log would be useful to see what is going on.
> May I ask why you are suggesting me these options? Do you think my
> configuration is wrong?
I'm trying to understand the issue to see if this is a bug we need
to fix (I'm upstream, an openswan developer). I guess I misunderstood
that the config file shown was on the other side than the log msg.
I'll file it as a bug on bugs.openswan.org
Paul
> On Thu, 25 Feb 2010, Benjamin S. wrote:
> I'm trying to understand the issue to see if this is a bug we need
> to fix (I'm upstream, an openswan developer). I guess I misunderstood
> that the config file shown was on the other side than the log msg.
That was correct. The configuration and the log msg are from the
client. By the way, left is the client and right is the server.
Complete output of ipsec barf on the client (original setup: without
leftid=%fromcert and without leftsendcert=always):
Feb 23 18:02:20 XXXXXXX pluto[18180]: | cmd( 80):PLUTO_INTERFACE='ppp0' PLUTO_NEXT_HOP='<SERVERIP>' PLUTO_ME='<CLIENTIP>' P:
Feb 23 18:02:20 XXXXXXX pluto[18180]: | cmd( 160):LUTO_MY_ID='C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=<CLIENT>.:
Feb 23 18:02:20 XXXXXXX pluto[18180]: | cmd( 240).<DOMAIN>, E=<mailaddress>' PLUTO_MY_CLIENT='192.168.111.0/24' PLUTO_MY_CLIENT_NET=:
Feb 23 18:02:20 XXXXXXX pluto[18180]: | cmd( 320):'192.168.111.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_:
Feb 23 18:02:20 XXXXXXX pluto[18180]: | cmd( 400):PROTOCOL='0' PLUTO_PEER='<SERVERIP>' PLUTO_PEER_ID='<SERVERIP>' PLUTO_PEER:
Feb 23 18:02:20 XXXXXXX pluto[18180]: | cmd( 480):_CLIENT='192.168.113.0/24' PLUTO_PEER_CLIENT_NET='192.168.113.0' PLUTO_PEER_CLIE:
Feb 23 18:02:20 XXXXXXX pluto[18180]: | cmd( 560):NT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_C:
Feb 23 18:02:20 XXXXXXX pluto[18180]: | cmd( 640):A='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEv2ALL:
Feb 23 18:02:20 XXXXXXX pluto[18180]: | cmd( 720):OW' PLUTO_MY_SOURCEIP='192.168.111.5' ipsec _updown:
Feb 23 18:02:20 XXXXXXX pluto[18180]: | * processed 0 messages from cryptographic helpers
Feb 23 18:02:20 XXXXXXX pluto[18180]: | next event EVENT_PENDING_DDNS in 60 seconds
Feb 23 18:02:20 XXXXXXX pluto[18180]: | next event EVENT_PENDING_DDNS in 60 seconds
Feb 23 18:02:21 XXXXXXX pluto[18180]: |
Feb 23 18:02:21 XXXXXXX pluto[18180]: | *received whack message
Feb 23 18:02:21 XXXXXXX pluto[18180]: | processing connection leftright
Feb 23 18:02:21 XXXXXXX pluto[18180]: | empty esp_info, returning defaults
Feb 23 18:02:21 XXXXXXX pluto[18180]: | creating state object #1 at 0x1857d60
Feb 23 18:02:21 XXXXXXX pluto[18180]: | processing connection leftright
Feb 23 18:02:21 XXXXXXX pluto[18180]: | ICOOKIE: 46 fc 4f b5 cb a6 38 77
Feb 23 18:02:21 XXXXXXX pluto[18180]: | RCOOKIE: 00 00 00 00 00 00 00 00
Feb 23 18:02:21 XXXXXXX pluto[18180]: | state hash entry 6
Feb 23 18:02:21 XXXXXXX pluto[18180]: | inserting state object #1 on chain 6
Feb 23 18:02:21 XXXXXXX pluto[18180]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
Feb 23 18:02:21 XXXXXXX pluto[18180]: | event added at head of queue
Feb 23 18:02:21 XXXXXXX pluto[18180]: | processing connection leftright
Feb 23 18:02:21 XXXXXXX pluto[18180]: | Queuing pending Quick Mode with <SERVERIP> "leftright"
Feb 23 18:02:21 XXXXXXX pluto[18180]: "leftright" #1: initiating Main Mode
Feb 23 18:02:21 XXXXXXX pluto[18180]: | sending 592 bytes for main_outI1 through ppp0:500 to <SERVERIP>:500 (using #1)
Feb 23 18:02:21 XXXXXXX pluto[18180]: | deleting event for #1
Feb 23 18:02:21 XXXXXXX pluto[18180]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Feb 23 18:02:21 XXXXXXX pluto[18180]: | event added at head of queue
Feb 23 18:02:21 XXXXXXX pluto[18180]: | * processed 0 messages from cryptographic helpers
Feb 23 18:02:21 XXXXXXX pluto[18180]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Feb 23 18:02:21 XXXXXXX pluto[18180]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Feb 23 18:02:25 XXXXXXX pluto[18180]: |
Feb 23 18:02:25 XXXXXXX pluto[18180]: | *received 140 bytes from <SERVERIP>:500 on ppp0 (port=500)
Feb 23 18:02:25 XXXXXXX pluto[18180]: | **parse ISAKMP Message:
Feb 23 18:02:25 XXXXXXX pluto[18180]: | initiator cookie:
Feb 23 18:02:25 XXXXXXX pluto[18180]: | 46 fc 4f b5 cb a6 38 77
Feb 23 18:02:25 XXXXXXX pluto[18180]: | responder cookie:
Feb 23 18:02:25 XXXXXXX pluto[18180]: | 7e 19 ac bd f1 bf 31 6f
Feb 23 18:02:25 XXXXXXX pluto[18180]: | next payload type: ISAKMP_NEXT_SA
Feb 23 18:02:25 XXXXXXX pluto[18180]: | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
Feb 23 18:02:25 XXXXXXX pluto[18180]: | exchange type: ISAKMP_XCHG_IDPROT
Feb 23 18:02:25 XXXXXXX pluto[18180]: | flags: none
Feb 23 18:02:25 XXXXXXX pluto[18180]: | message ID: 00 00 00 00
Feb 23 18:02:25 XXXXXXX pluto[18180]: | length: 140
Feb 23 18:02:25 XXXXXXX pluto[18180]: | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
Feb 23 18:02:25 XXXXXXX pluto[18180]: | ICOOKIE: 46 fc 4f b5 cb a6 38 77
Feb 23 18:02:25 XXXXXXX pluto[18180]: | RCOOKIE: 7e 19 ac bd f1 bf 31 6f
Feb 23 18:02:25 XXXXXXX pluto[18180]: | state hash entry 14
Feb 23 18:02:25 XXXXXXX pluto[18180]: | v1 state object not found
Feb 23 18:02:25 XXXXXXX pluto[18180]: | ICOOKIE: 46 fc 4f b5 cb a6 38 77
Feb 23 18:02:25 XXXXXXX pluto[18180]: | RCOOKIE: 00 00 00 00 00 00 00 00
Feb 23 18:02:25 XXXXXXX pluto[18180]: | state hash entry 6
Feb 23 18:02:25 XXXXXXX pluto[18180]: | v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000
Feb 23 18:02:25 XXXXXXX pluto[18180]: | v1 state object #1 found, in STATE_MAIN_I1
Feb 23 18:02:25 XXXXXXX pluto[18180]: | processing connection leftright
Feb 23 18:02:25 XXXXXXX pluto[18180]: | got payload 0x2(ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080
Feb 23 18:02:25 XXXXXXX pluto[18180]: | ***parse ISAKMP Security Association Payload:
Feb 23 18:02:25 XXXXXXX pluto[18180]: | next payload type: ISAKMP_NEXT_VID
Feb 23 18:02:25 XXXXXXX pluto[18180]: | length: 56
Feb 23 18:02:25 XXXXXXX pluto[18180]: | DOI: ISAKMP_DOI_IPSEC
Feb 23 18:02:25 XXXXXXX pluto[18180]: | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
Feb 23 18:02:25 XXXXXXX pluto[18180]: | ***parse ISAKMP Vendor ID Payload:
Feb 23 18:02:25 XXXXXXX pluto[18180]: | next payload type: ISAKMP_NEXT_VID
Feb 23 18:02:25 XXXXXXX pluto[18180]: | length: 16
Feb 23 18:02:25 XXXXXXX pluto[18180]: | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
Feb 23 18:02:25 XXXXXXX pluto[18180]: | ***parse ISAKMP Vendor ID Payload:
Feb 23 18:02:25 XXXXXXX pluto[18180]: | next payload type: ISAKMP_NEXT_VID
Feb 23 18:02:25 XXXXXXX pluto[18180]: | length: 20
Feb 23 18:02:25 XXXXXXX pluto[18180]: | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
Feb 23 18:02:25 XXXXXXX pluto[18180]: | ***parse ISAKMP Vendor ID Payload:
Feb 23 18:02:25 XXXXXXX pluto[18180]: | next payload type: ISAKMP_NEXT_NONE
Feb 23 18:02:25 XXXXXXX pluto[18180]: | length: 20
Feb 23 18:02:25 XXXXXXX pluto[18180]: "leftright" #1: ignoring unknown Vendor ID payload [4f45606c50487c5662707575]
Feb 23 18:02:25 XXXXXXX pluto[18180]: "leftright" #1: received Vendor ID payload [Dead Peer Detection]
Feb 23 18:02:25 XXXXXXX pluto[18180]: "leftright" #1: received Vendor ID payload [RFC 3947] method set to=109
Feb 23 18:02:25 XXXXXXX pluto[18180]: | ****parse IPsec DOI SIT:
Feb 23 18:02:25 XXXXXXX pluto[18180]: | IPsec DOI SIT: SIT_IDENTITY_ONLY
Feb 23 18:02:25 XXXXXXX pluto[18180]: | ****parse ISAKMP Proposal Payload:
Feb 23 18:02:25 XXXXXXX pluto[18180]: | next payload type: ISAKMP_NEXT_NONE
Feb 23 18:02:25 XXXXXXX pluto[18180]: | length: 44
Feb 23 18:02:25 XXXXXXX pluto[18180]: | proposal number: 0
Feb 23 18:02:25 XXXXXXX pluto[18180]: | protocol ID: PROTO_ISAKMP
Feb 23 18:02:25 XXXXXXX pluto[18180]: | SPI size: 0
Feb 23 18:02:25 XXXXXXX pluto[18180]: | number of transforms: 1
Feb 23 18:02:25 XXXXXXX pluto[18180]: | *****parse ISAKMP Transform Payload (ISAKMP):
Feb 23 18:02:25 XXXXXXX pluto[18180]: | next payload type: ISAKMP_NEXT_NONE
Feb 23 18:02:25 XXXXXXX pluto[18180]: | length: 36
Feb 23 18:02:25 XXXXXXX pluto[18180]: | transform number: 0
Feb 23 18:02:25 XXXXXXX pluto[18180]: | transform ID: KEY_IKE
Feb 23 18:02:25 XXXXXXX pluto[18180]: | ******parse ISAKMP Oakley attribute:
Feb 23 18:02:25 XXXXXXX pluto[18180]: | af+type: OAKLEY_LIFE_TYPE
Feb 23 18:02:25 XXXXXXX pluto[18180]: | length/value: 1
Feb 23 18:02:25 XXXXXXX pluto[18180]: | [1 is OAKLEY_LIFE_SECONDS]
Feb 23 18:02:25 XXXXXXX pluto[18180]: | ******parse ISAKMP Oakley attribute:
Feb 23 18:02:25 XXXXXXX pluto[18180]: | af+type: OAKLEY_LIFE_DURATION
Feb 23 18:02:25 XXXXXXX pluto[18180]: | length/value: 3600
Feb 23 18:02:25 XXXXXXX pluto[18180]: | ******parse ISAKMP Oakley attribute:
Feb 23 18:02:25 XXXXXXX pluto[18180]: | af+type: OAKLEY_ENCRYPTION_ALGORITHM
Feb 23 18:02:25 XXXXXXX pluto[18180]: | length/value: 7
Feb 23 18:02:25 XXXXXXX pluto[18180]: | [7 is OAKLEY_AES_CBC]
Feb 23 18:02:25 XXXXXXX pluto[18180]: | ******parse ISAKMP Oakley attribute:
Feb 23 18:02:25 XXXXXXX pluto[18180]: | af+type: OAKLEY_HASH_ALGORITHM
Feb 23 18:02:25 XXXXXXX pluto[18180]: | length/value: 2
Feb 23 18:02:25 XXXXXXX pluto[18180]: | [2 is OAKLEY_SHA1]
Feb 23 18:02:25 XXXXXXX pluto[18180]: | ******parse ISAKMP Oakley attribute:
Feb 23 18:02:25 XXXXXXX pluto[18180]: | af+type: OAKLEY_AUTHENTICATION_METHOD
Feb 23 18:02:25 XXXXXXX pluto[18180]: | length/value: 3
Feb 23 18:02:25 XXXXXXX pluto[18180]: | [3 is OAKLEY_RSA_SIG]
Feb 23 18:02:25 XXXXXXX pluto[18180]: | ******parse ISAKMP Oakley attribute:
Feb 23 18:02:25 XXXXXXX pluto[18180]: | af+type: OAKLEY_GROUP_DESCRIPTION
Feb 23 18:02:25 XXXXXXX pluto[18180]: | length/value: 14
Feb 23 18:02:25 XXXXXXX pluto[18180]: | [14 is OAKLEY_GROUP_MODP2048]
Feb 23 18:02:25 XXXXXXX pluto[18180]: | ******parse ISAKMP Oakley attribute:
Feb 23 18:02:25 XXXXXXX pluto[18180]: | af+type: OAKLEY_KEY_LENGTH
Feb 23 18:02:25 XXXXXXX pluto[18180]: | length/value: 128
Feb 23 18:02:25 XXXXXXX pluto[18180]: | Oakley Transform 0 accepted
Feb 23 18:02:25 XXXXXXX pluto[18180]: | sender checking NAT-t: 1 and 109
Feb 23 18:02:25 XXXXXXX pluto[18180]: "leftright" #1: enabling possible NAT-traversal with method 4
Feb 23 18:02:25 XXXXXXX pluto[18180]: | 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
Feb 23 18:02:25 XXXXXXX pluto[18180]: | asking helper 0 to do build_kenonce op on seq: 1 (len=2752, pcw_work=1)
Feb 23 18:02:25 XXXXXXX pluto[18180]: | crypto helper write of request: cnt=2752<wlen=2752.
Feb 23 18:02:25 XXXXXXX pluto[18183]: ! helper 0 read 2744+4/2752 bytesfd: 8
Feb 23 18:02:25 XXXXXXX pluto[18180]: | deleting event for #1
Feb 23 18:02:25 XXXXXXX pluto[18183]: ! helper 0 doing build_kenonce op id: 1
Feb 23 18:02:25 XXXXXXX pluto[18180]: | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
Feb 23 18:02:25 XXXXXXX pluto[18180]: | event added after event EVENT_PENDING_PHASE2
Feb 23 18:02:25 XXXXXXX pluto[18180]: | complete state transition with STF_SUSPEND
Feb 23 18:02:25 XXXXXXX pluto[18180]: | * processed 0 messages from cryptographic helpers
Feb 23 18:02:25 XXXXXXX pluto[18180]: | next event EVENT_PENDING_DDNS in 55 seconds
Feb 23 18:02:25 XXXXXXX pluto[18180]: | next event EVENT_PENDING_DDNS in 55 seconds
Feb 23 18:02:25 XXXXXXX pluto[18180]: |
Feb 23 18:02:25 XXXXXXX pluto[18180]: | helper 0 has finished work (cnt now 1)
Feb 23 18:02:25 XXXXXXX pluto[18180]: | helper 0 replies to id: q#1
Feb 23 18:02:25 XXXXXXX pluto[18180]: | main inR1_outI2: calculated ke+nonce, sending I2
Feb 23 18:02:25 XXXXXXX pluto[18180]: | processing connection leftright
Feb 23 18:02:25 XXXXXXX pluto[18180]: | ICOOKIE: 46 fc 4f b5 cb a6 38 77
Feb 23 18:02:25 XXXXXXX pluto[18180]: | RCOOKIE: 00 00 00 00 00 00 00 00
Feb 23 18:02:25 XXXXXXX pluto[18180]: | state hash entry 6
Feb 23 18:02:25 XXXXXXX pluto[18180]: | ICOOKIE: 46 fc 4f b5 cb a6 38 77
Feb 23 18:02:25 XXXXXXX pluto[18180]: | RCOOKIE: 7e 19 ac bd f1 bf 31 6f
Feb 23 18:02:25 XXXXXXX pluto[18180]: | state hash entry 14
Feb 23 18:02:25 XXXXXXX pluto[18180]: | inserting state object #1 on chain 14
Feb 23 18:02:25 XXXXXXX pluto[18180]: | complete state transition with STF_OK
Feb 23 18:02:25 XXXXXXX pluto[18180]: "leftright" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Feb 23 18:02:25 XXXXXXX pluto[18180]: | deleting event for #1
Feb 23 18:02:25 XXXXXXX pluto[18180]: | sending reply packet to <SERVERIP>:500 (from port 500)
Feb 23 18:02:25 XXXXXXX pluto[18180]: | sending 356 bytes for STATE_MAIN_I1 through ppp0:500 to <SERVERIP>:500 (using #1)
Feb 23 18:02:25 XXXXXXX pluto[18180]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Feb 23 18:02:25 XXXXXXX pluto[18180]: | event added at head of queue
Feb 23 18:02:25 XXXXXXX pluto[18180]: "leftright" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Feb 23 18:02:25 XXXXXXX pluto[18180]: | modecfg pull: noquirk policy:push not-client
Feb 23 18:02:25 XXXXXXX pluto[18180]: | phase 1 is done, looking for phase 2 to unpend
Feb 23 18:02:25 XXXXXXX pluto[18180]: | * processed 1 messages from cryptographic helpers
Feb 23 18:02:25 XXXXXXX pluto[18180]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Feb 23 18:02:25 XXXXXXX pluto[18180]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Feb 23 18:02:27 XXXXXXX pluto[18180]: |
Feb 23 18:02:27 XXXXXXX pluto[18180]: | *received whack message
Feb 23 18:02:27 XXXXXXX pluto[18180]: | * processed 0 messages from cryptographic helpers
Feb 23 18:02:27 XXXXXXX pluto[18180]: | next event EVENT_RETRANSMIT in 8 seconds for #1
Feb 23 18:02:27 XXXXXXX pluto[18180]: | next event EVENT_RETRANSMIT in 8 seconds for #1
Feb 23 18:02:27 XXXXXXX pluto[18180]: |
Feb 23 18:02:27 XXXXXXX pluto[18180]: | *received whack message
Feb 23 18:02:27 XXXXXXX pluto[18180]: | * processed 0 messages from cryptographic helpers
Feb 23 18:02:27 XXXXXXX pluto[18180]: | next event EVENT_RETRANSMIT in 8 seconds for #1
Feb 23 18:02:27 XXXXXXX pluto[18180]: | next event EVENT_RETRANSMIT in 8 seconds for #1
Feb 23 18:02:27 XXXXXXX pluto[18180]: |
Feb 23 18:02:27 XXXXXXX pluto[18180]: | *received whack message
Feb 23 18:02:27 XXXXXXX pluto[18180]: | authcert list locked by 'list_authcerts'
Feb 23 18:02:27 XXXXXXX pluto[18180]: | authcert list unlocked by 'list_authcerts'
Feb 23 18:02:27 XXXXXXX pluto[18180]: | authcert list locked by 'list_authcerts'
Feb 23 18:02:27 XXXXXXX pluto[18180]: | authcert list unlocked by 'list_authcerts'
Feb 23 18:02:27 XXXXXXX pluto[18180]: | authcert list locked by 'list_authcerts'
Feb 23 18:02:27 XXXXXXX pluto[18180]: | authcert list unlocked by 'list_authcerts'
Feb 23 18:02:27 XXXXXXX pluto[18180]: | crl list locked by 'list_crls'
Feb 23 18:02:27 XXXXXXX pluto[18180]: | crl list unlocked by 'list_crls'
Feb 23 18:02:27 XXXXXXX pluto[18180]: | crl fetch request list locked by 'list_crl_fetch_requests'
Feb 23 18:02:27 XXXXXXX pluto[18180]: | crl fetch request list unlocked by 'list_crl_fetch_requests'
Feb 23 18:02:27 XXXXXXX pluto[18180]: | * processed 0 messages from cryptographic helpers
Feb 23 18:02:27 XXXXXXX pluto[18180]: | next event EVENT_RETRANSMIT in 8 seconds for #1
Feb 23 18:02:27 XXXXXXX pluto[18180]: | next event EVENT_RETRANSMIT in 8 seconds for #1
Feb 23 18:02:29 XXXXXXX pluto[18180]: |
Feb 23 18:02:29 XXXXXXX pluto[18180]: | *received 356 bytes from <SERVERIP>:500 on ppp0 (port=500)
Feb 23 18:02:29 XXXXXXX pluto[18180]: | **parse ISAKMP Message:
Feb 23 18:02:29 XXXXXXX pluto[18180]: | initiator cookie:
Feb 23 18:02:29 XXXXXXX pluto[18180]: | 46 fc 4f b5 cb a6 38 77
Feb 23 18:02:29 XXXXXXX pluto[18180]: | responder cookie:
Feb 23 18:02:29 XXXXXXX pluto[18180]: | 7e 19 ac bd f1 bf 31 6f
Feb 23 18:02:29 XXXXXXX pluto[18180]: | next payload type: ISAKMP_NEXT_KE
Feb 23 18:02:29 XXXXXXX pluto[18180]: | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
Feb 23 18:02:29 XXXXXXX pluto[18180]: | exchange type: ISAKMP_XCHG_IDPROT
Feb 23 18:02:29 XXXXXXX pluto[18180]: | flags: none
Feb 23 18:02:29 XXXXXXX pluto[18180]: | message ID: 00 00 00 00
Feb 23 18:02:29 XXXXXXX pluto[18180]: | length: 356
Feb 23 18:02:29 XXXXXXX pluto[18180]: | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
Feb 23 18:02:29 XXXXXXX pluto[18180]: | ICOOKIE: 46 fc 4f b5 cb a6 38 77
Feb 23 18:02:29 XXXXXXX pluto[18180]: | RCOOKIE: 7e 19 ac bd f1 bf 31 6f
Feb 23 18:02:29 XXXXXXX pluto[18180]: | state hash entry 14
Feb 23 18:02:29 XXXXXXX pluto[18180]: | v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000
Feb 23 18:02:29 XXXXXXX pluto[18180]: | v1 state object #1 found, in STATE_MAIN_I2
Feb 23 18:02:29 XXXXXXX pluto[18180]: | processing connection leftright
Feb 23 18:02:29 XXXXXXX pluto[18180]: | got payload 0x10(ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080
Feb 23 18:02:29 XXXXXXX pluto[18180]: | ***parse ISAKMP Key Exchange Payload:
Feb 23 18:02:29 XXXXXXX pluto[18180]: | next payload type: ISAKMP_NEXT_NONCE
Feb 23 18:02:29 XXXXXXX pluto[18180]: | length: 260
Feb 23 18:02:29 XXXXXXX pluto[18180]: | got payload 0x400(ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080
Feb 23 18:02:29 XXXXXXX pluto[18180]: | ***parse ISAKMP Nonce Payload:
Feb 23 18:02:29 XXXXXXX pluto[18180]: | next payload type: ISAKMP_NEXT_NAT-D
Feb 23 18:02:29 XXXXXXX pluto[18180]: | length: 20
Feb 23 18:02:29 XXXXXXX pluto[18180]: | got payload 0x100000(ISAKMP_NEXT_NAT-D) needed: 0x0 opt: 0x102080
Feb 23 18:02:29 XXXXXXX pluto[18180]: | ***parse ISAKMP NAT-D Payload:
Feb 23 18:02:29 XXXXXXX pluto[18180]: | next payload type: ISAKMP_NEXT_NAT-D
Feb 23 18:02:29 XXXXXXX pluto[18180]: | length: 24
Feb 23 18:02:29 XXXXXXX pluto[18180]: | got payload 0x100000(ISAKMP_NEXT_NAT-D) needed: 0x0 opt: 0x102080
Feb 23 18:02:29 XXXXXXX pluto[18180]: | ***parse ISAKMP NAT-D Payload:
Feb 23 18:02:29 XXXXXXX pluto[18180]: | next payload type: ISAKMP_NEXT_NONE
Feb 23 18:02:29 XXXXXXX pluto[18180]: | length: 24
Feb 23 18:02:29 XXXXXXX pluto[18180]: | started looking for secret for C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=<CLIENT.DOMAIN>, E=<mailaddress>-><SERVERIP> of kind PPK_PSK
Feb 23 18:02:29 XXXXXXX pluto[18180]: | actually looking for secret for C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=<CLIENT.DOMAIN>, E=<mailaddress>-><SERVERIP> of kind PPK_PSK
Feb 23 18:02:29 XXXXXXX pluto[18180]: | line 11: key type PPK_PSK(C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=<CLIENT.DOMAIN>, E=<mailaddress>) to type PPK_PSK
Feb 23 18:02:29 XXXXXXX pluto[18180]: | 1: compared key (none) to C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=<CLIENT.DOMAIN>, E=<mailaddress> / <SERVERIP> -> 2
Feb 23 18:02:29 XXXXXXX pluto[18180]: | 2: compared key (none) to C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=<CLIENT.DOMAIN>, E=<mailaddress> / <SERVERIP> -> 2
Feb 23 18:02:29 XXXXXXX pluto[18180]: | line 11: match=2
Feb 23 18:02:29 XXXXXXX pluto[18180]: | best_match 0>2 best=0x1856e00 (line=11)
Feb 23 18:02:29 XXXXXXX pluto[18180]: | line 9: key type PPK_PSK(C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=<CLIENT.DOMAIN>, E=<mailaddress>) to type PPK_RSA
Feb 23 18:02:29 XXXXXXX pluto[18180]: | concluding with best_match=2 best=0x1856e00 (lineno=11)
Feb 23 18:02:29 XXXXXXX pluto[18180]: | parent1 type: 7 group: 14 len: 2752
Feb 23 18:02:29 XXXXXXX pluto[18180]: | 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
Feb 23 18:02:29 XXXXXXX pluto[18180]: | asking helper 0 to do compute dh+iv op on seq: 2 (len=2752, pcw_work=1)
Feb 23 18:02:29 XXXXXXX pluto[18180]: | crypto helper write of request: cnt=2752<wlen=2752.
Feb 23 18:02:29 XXXXXXX pluto[18183]: ! helper 0 read 2744+4/2752 bytesfd: 8
Feb 23 18:02:29 XXXXXXX pluto[18180]: | deleting event for #1
Feb 23 18:02:29 XXXXXXX pluto[18183]: ! helper 0 doing compute dh+iv op id: 2
Feb 23 18:02:29 XXXXXXX pluto[18180]: | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
Feb 23 18:02:29 XXXXXXX pluto[18180]: | event added after event EVENT_PENDING_PHASE2
Feb 23 18:02:29 XXXXXXX pluto[18180]: | complete state transition with STF_SUSPEND
Feb 23 18:02:29 XXXXXXX pluto[18180]: | * processed 0 messages from cryptographic helpers
Feb 23 18:02:29 XXXXXXX pluto[18180]: | next event EVENT_PENDING_DDNS in 51 seconds
Feb 23 18:02:29 XXXXXXX pluto[18180]: | next event EVENT_PENDING_DDNS in 51 seconds
Feb 23 18:02:29 XXXXXXX pluto[18180]: |
Feb 23 18:02:29 XXXXXXX pluto[18180]: | helper 0 has finished work (cnt now 1)
Feb 23 18:02:29 XXXXXXX pluto[18180]: | helper 0 replies to id: q#2
Feb 23 18:02:29 XXXXXXX pluto[18180]: | main inR2_outI3: calculated DH, sending R1
Feb 23 18:02:29 XXXXXXX pluto[18180]: | processing connection leftright
Feb 23 18:02:29 XXXXXXX pluto[18180]: | thinking about whether to send my certificate:
Feb 23 18:02:29 XXXXXXX pluto[18180]: | I have RSA key: OAKLEY_RSA_SIG cert.type: CERT_X509_SIGNATURE
Feb 23 18:02:29 XXXXXXX pluto[18180]: | sendcert: CERT_ALWAYSSEND and I did not get a certificate request
Feb 23 18:02:29 XXXXXXX pluto[18180]: | so send cert.
Feb 23 18:02:29 XXXXXXX pluto[18180]: | I am sending a certificate request
Feb 23 18:02:29 XXXXXXX pluto[18180]: "leftright" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Feb 23 18:02:29 XXXXXXX pluto[18180]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
Feb 23 18:02:29 XXXXXXX pluto[18180]: | event added at head of queue
Feb 23 18:02:29 XXXXXXX pluto[18180]: "leftright" #1: I am sending my cert
Feb 23 18:02:29 XXXXXXX pluto[18180]: "leftright" #1: I am sending a certificate request
Feb 23 18:02:29 XXXXXXX pluto[18180]: | started looking for secret for C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=<CLIENT.DOMAIN>, E=<mailaddress>-><SERVERIP> of kind PPK_RSA
Feb 23 18:02:29 XXXXXXX pluto[18180]: | searching for certificate PPK_PSK:N/A vs PPK_RSA:AwEAAd/Hi
Feb 23 18:02:29 XXXXXXX pluto[18180]: | searching for certificate PPK_RSA:AwEAAd/Hi vs PPK_RSA:AwEAAd/Hi
Feb 23 18:02:29 XXXXXXX pluto[18180]: | signing hash with RSA Key *AwEAAd/Hi
Feb 23 18:02:29 XXXXXXX pluto[18180]: | complete state transition with STF_OK
Feb 23 18:02:29 XXXXXXX pluto[18180]: "leftright" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Feb 23 18:02:29 XXXXXXX pluto[18180]: | deleting event for #1
Feb 23 18:02:29 XXXXXXX pluto[18180]: | sending reply packet to <SERVERIP>:4500 (from port 4500)
Feb 23 18:02:29 XXXXXXX pluto[18180]: | sending 1308 bytes for STATE_MAIN_I2 through ppp0:4500 to <SERVERIP>:4500 (using #1)
Feb 23 18:02:29 XXXXXXX pluto[18180]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Feb 23 18:02:29 XXXXXXX pluto[18180]: | event added at head of queue
Feb 23 18:02:29 XXXXXXX pluto[18180]: "leftright" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Feb 23 18:02:29 XXXXXXX pluto[18180]: | modecfg pull: noquirk policy:push not-client
Feb 23 18:02:29 XXXXXXX pluto[18180]: | phase 1 is done, looking for phase 2 to unpend
Feb 23 18:02:29 XXXXXXX pluto[18180]: | * processed 1 messages from cryptographic helpers
Feb 23 18:02:29 XXXXXXX pluto[18180]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Feb 23 18:02:29 XXXXXXX pluto[18180]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Feb 23 18:02:38 XXXXXXX pluto[18180]: |
Feb 23 18:02:38 XXXXXXX pluto[18180]: | *received 1564 bytes from <SERVERIP>:4500 on ppp0 (port=4500)
Feb 23 18:02:38 XXXXXXX pluto[18180]: | **parse ISAKMP Message:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | initiator cookie:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | 46 fc 4f b5 cb a6 38 77
Feb 23 18:02:38 XXXXXXX pluto[18180]: | responder cookie:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | 7e 19 ac bd f1 bf 31 6f
Feb 23 18:02:38 XXXXXXX pluto[18180]: | next payload type: ISAKMP_NEXT_ID
Feb 23 18:02:38 XXXXXXX pluto[18180]: | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
Feb 23 18:02:38 XXXXXXX pluto[18180]: | exchange type: ISAKMP_XCHG_IDPROT
Feb 23 18:02:38 XXXXXXX pluto[18180]: | flags: ISAKMP_FLAG_ENCRYPTION
Feb 23 18:02:38 XXXXXXX pluto[18180]: | message ID: 00 00 00 00
Feb 23 18:02:38 XXXXXXX pluto[18180]: | length: 1564
Feb 23 18:02:38 XXXXXXX pluto[18180]: | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
Feb 23 18:02:38 XXXXXXX pluto[18180]: | ICOOKIE: 46 fc 4f b5 cb a6 38 77
Feb 23 18:02:38 XXXXXXX pluto[18180]: | RCOOKIE: 7e 19 ac bd f1 bf 31 6f
Feb 23 18:02:38 XXXXXXX pluto[18180]: | state hash entry 14
Feb 23 18:02:38 XXXXXXX pluto[18180]: | v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000
Feb 23 18:02:38 XXXXXXX pluto[18180]: | v1 state object #1 found, in STATE_MAIN_I3
Feb 23 18:02:38 XXXXXXX pluto[18180]: | processing connection leftright
Feb 23 18:02:38 XXXXXXX pluto[18180]: | got payload 0x20(ISAKMP_NEXT_ID) needed: 0x220 opt: 0x20c0
Feb 23 18:02:38 XXXXXXX pluto[18180]: | ***parse ISAKMP Identification Payload:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | next payload type: ISAKMP_NEXT_CERT
Feb 23 18:02:38 XXXXXXX pluto[18180]: | length: 160
Feb 23 18:02:38 XXXXXXX pluto[18180]: | ID type: ID_DER_ASN1_DN
Feb 23 18:02:38 XXXXXXX pluto[18180]: | DOI specific A: 0
Feb 23 18:02:38 XXXXXXX pluto[18180]: | DOI specific B: 0
Feb 23 18:02:38 XXXXXXX pluto[18180]: | obj: 30 81 95 31 0b 30 09 06 03 55 04 06 13 02 44 45
Feb 23 18:02:38 XXXXXXX pluto[18180]: | obj: 31 0b 30 09 06 03 55 04 08 13 02 42 57 31 0f 30
Feb 23 18:02:38 XXXXXXX pluto[18180]: | obj: 0d 06 03 55 04 07 13 06 4b 2d 54 6f 77 6e 31 12
Feb 23 18:02:38 XXXXXXX pluto[18180]: | obj: 30 10 06 03 55 04 0a 13 09 4d 69 6c 6b 79 20 57
Feb 23 18:02:38 XXXXXXX pluto[18180]: | obj: 61 79 31 15 30 13 06 03 55 04 0b 13 0c 4d 69 6c
Feb 23 18:02:38 XXXXXXX pluto[18180]: | obj: 6b 79 20 57 61 79 20 49 54 31 1c 30 1a 06 03 55
Feb 23 18:02:38 XXXXXXX pluto[18180]: | obj: 04 03 13 13 6d 73 6c 73 65 72 76 65 72 2e 6d 69
Feb 23 18:02:38 XXXXXXX pluto[18180]: | obj: 6c 6b 79 2e 77 61 79 31 1f 30 1d 06 09 2a 86 48
Feb 23 18:02:38 XXXXXXX pluto[18180]: | obj: 86 f7 0d 01 09 01 16 10 64 61 5f 6a 6f 69 6e 64
Feb 23 18:02:38 XXXXXXX pluto[18180]: | obj: 40 67 6d 78 2e 6e 65 74 09 00 04 54 04 30 82 04
Feb 23 18:02:38 XXXXXXX pluto[18180]: | got payload 0x40(ISAKMP_NEXT_CERT) needed: 0x200 opt: 0x20c0
Feb 23 18:02:38 XXXXXXX pluto[18180]: | ***parse ISAKMP Certificate Payload:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | next payload type: ISAKMP_NEXT_SIG
Feb 23 18:02:38 XXXXXXX pluto[18180]: | length: 1108
Feb 23 18:02:38 XXXXXXX pluto[18180]: | cert encoding: CERT_X509_SIGNATURE
Feb 23 18:02:38 XXXXXXX pluto[18180]: | got payload 0x200(ISAKMP_NEXT_SIG) needed: 0x200 opt: 0x20c0
Feb 23 18:02:38 XXXXXXX pluto[18180]: | ***parse ISAKMP Signature Payload:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | next payload type: ISAKMP_NEXT_NONE
Feb 23 18:02:38 XXXXXXX pluto[18180]: | length: 260
Feb 23 18:02:38 XXXXXXX pluto[18180]: | removing 8 bytes of padding
Feb 23 18:02:38 XXXXXXX pluto[18180]: | DER ASN1 DN: 30 81 95 31 0b 30 09 06 03 55 04 06 13 02 44 45
Feb 23 18:02:38 XXXXXXX pluto[18180]: | DER ASN1 DN: 31 0b 30 09 06 03 55 04 08 13 02 42 57 31 0f 30
Feb 23 18:02:38 XXXXXXX pluto[18180]: | DER ASN1 DN: 0d 06 03 55 04 07 13 06 4b 2d 54 6f 77 6e 31 12
Feb 23 18:02:38 XXXXXXX pluto[18180]: | DER ASN1 DN: 30 10 06 03 55 04 0a 13 09 4d 69 6c 6b 79 20 57
Feb 23 18:02:38 XXXXXXX pluto[18180]: | DER ASN1 DN: 61 79 31 15 30 13 06 03 55 04 0b 13 0c 4d 69 6c
Feb 23 18:02:38 XXXXXXX pluto[18180]: | DER ASN1 DN: 6b 79 20 57 61 79 20 49 54 31 1c 30 1a 06 03 55
Feb 23 18:02:38 XXXXXXX pluto[18180]: | DER ASN1 DN: 04 03 13 13 6d 73 6c 73 65 72 76 65 72 2e 6d 69
Feb 23 18:02:38 XXXXXXX pluto[18180]: | DER ASN1 DN: 6c 6b 79 2e 77 61 79 31 1f 30 1d 06 09 2a 86 48
Feb 23 18:02:38 XXXXXXX pluto[18180]: | DER ASN1 DN: 86 f7 0d 01 09 01 16 10 64 61 5f 6a 6f 69 6e 64
Feb 23 18:02:38 XXXXXXX pluto[18180]: | DER ASN1 DN: 40 67 6d 78 2e 6e 65 74
Feb 23 18:02:38 XXXXXXX pluto[18180]: "leftright" #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=<server.domain>, E=<mailaddress>'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L0 - certificate:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L1 - tbsCertificate:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L2 - DEFAULT v1:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L3 - version:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | v3
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L2 - serialNumber:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L2 - signature:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L3 - algorithmIdentifier:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L4 - algorithm:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | 'md5WithRSAEncryption'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L2 - issuer:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | 'C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=<CA>, E=<mailaddress>'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L2 - validity:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L3 - notBefore:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L4 - utcTime:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | 'Nov 07 12:56:19 UTC 2009'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L3 - notAfter:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L4 - utcTime:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | 'Aug 03 12:56:19 UTC 2015'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L2 - subject:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | 'C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=<server.domain>, E=<mailaddress>'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L2 - subjectPublicKeyInfo:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L3 - algorithm:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L4 - algorithmIdentifier:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L5 - algorithm:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | 'rsaEncryption'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L3 - subjectPublicKey:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L4 - RSAPublicKey:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L5 - modulus:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L5 - publicExponent:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L2 - optional extensions:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L3 - extensions:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L4 - extension:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L5 - extnID:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | 'basicConstraints'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L5 - critical:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | FALSE
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L5 - extnValue:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L6 - basicConstraints:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L7 - CA:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | FALSE
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L4 - extension:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L5 - extnID:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | 'nsComment'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L5 - critical:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | FALSE
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L5 - extnValue:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L4 - extension:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L5 - extnID:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | 'subjectKeyIdentifier'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L5 - critical:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | FALSE
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L5 - extnValue:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L6 - keyIdentifier:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L4 - extension:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L5 - extnID:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | 'authorityKeyIdentifier'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L5 - critical:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | FALSE
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L5 - extnValue:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L6 - authorityKeyIdentifier:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L7 - keyIdentifier:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L8 - keyIdentifier:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L7 - authorityCertIssuer:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L8 - generalNames:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L9 - generalName:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L10 - directoryName:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | 'C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=<CA>, E=<mailaddress>'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L7 - authorityCertSerialNumber:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L1 - signatureAlgorithm:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L2 - algorithmIdentifier:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L3 - algorithm:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | 'md5WithRSAEncryption'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | L1 - signatureValue:
Feb 23 18:02:38 XXXXXXX pluto[18180]: | authcert list locked by 'verify_x509cert'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | signature algorithm: 'md5WithRSAEncryption'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | digest: f0 2a 82 26 2c 51 da ae 30 95 30 a9 48 b3 60 fd
Feb 23 18:02:38 XXXXXXX pluto[18180]: | authcert list unlocked by 'verify_x509cert'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | crl list locked by 'verify_by_crl'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | crl list unlocked by 'verify_by_crl'
Feb 23 18:02:38 XXXXXXX pluto[18180]: "leftright" #1: no crl from issuer "C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=<CA>, E=<mailaddress>" found (strict=no)
Feb 23 18:02:38 XXXXXXX pluto[18180]: | authcert list locked by 'verify_x509cert'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | signature algorithm: 'md5WithRSAEncryption'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | digest: 44 49 e6 32 93 b1 8e 43 42 36 9b bd 04 53 f8 ab
Feb 23 18:02:38 XXXXXXX pluto[18180]: | authcert list unlocked by 'verify_x509cert'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | reached self-signed root ca
Feb 23 18:02:38 XXXXXXX pluto[18180]: | Public key validated
Feb 23 18:02:38 XXXXXXX pluto[18180]: "leftright" #1: we require peer to have ID '<SERVERIP>', but peer declares 'C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=<server.domain>, E=<mailaddress>'
Feb 23 18:02:38 XXXXXXX pluto[18180]: | complete state transition with (null)
Feb 23 18:02:38 XXXXXXX pluto[18180]: "leftright" #1: sending encrypted notification INVALID_ID_INFORMATION to <SERVERIP>:4500