1 Reply Latest reply on Apr 20, 2011 2:15 PM by tictoc

    vpn IPsec cert issues

      So I am attempting to set up an IPsec connection from a client to my SnapGear. I am able to use a shared key but I am not able to use certificates. When I load the certificates, I am getting this error on the firewall.

      Apr 19 11:17:22 cgix[6737]: Configuration in section 'IPSec VPN Setup' has been modifed 
      Apr 19 11:17:40 pppd[6711]: Connect script failed
      Apr 19 11:17:41 pppd[6767]: pppd 2.3.8 started by (unknown), uid 0
      Apr 19 11:18:08 cgix[6807]: Configuration in section 'L2TP IPSec Configuration' has been modifed 
      Apr 19 11:18:11 Pluto[5984]: authentication method disagrees with "XXXX", which is also for an unspecified peer
      Apr 19 11:18:11 Pluto[5984]: forgetting secrets
      Apr 19 11:18:11 Pluto[5984]: loading secrets from "/etc/config/ipsec.secrets"
      Apr 19 11:18:12 Pluto[5984]: Changing to directory '/etc/config'
      Apr 19 11:18:12 Pluto[5984]:   error in X.509 certificate: ssl_key.pem
      Apr 19 11:18:12 Pluto[5984]:   X.509 loaded: ssl_cert.pem
      Apr 19 11:18:12 Pluto[5984]:   error in X.509 certificate: ssh_host_rsa_key
      Apr 19 11:18:12 Pluto[5984]:   X.509 loaded: cert1.pem
      Apr 19 11:18:12 Pluto[5984]:   X.509 loaded: ca.pem
      Apr 19 11:18:12 Pluto[5984]:   X.509 loaded: 02.pem
      Apr 19 11:18:12 Pluto[5984]:   error in X.509 CRL: ssl_key.pem
      Apr 19 11:18:12 Pluto[5984]:   error in X.509 CRL: ssl_cert.pem
      Apr 19 11:18:12 Pluto[5984]:   error in X.509 CRL: ssh_host_rsa_key
      Apr 19 11:18:12 Pluto[5984]:   error in X.509 CRL: cert1.pem
      Apr 19 11:18:12 Pluto[5984]:   error in X.509 CRL: ca.pem
      Apr 19 11:18:12 Pluto[5984]:   error in X.509 CRL: 02.pem
      Apr 19 11:18:12 ipsecctl[6811]: Failed to route ipsec tunnel brad: 21
      Apr 19 11:18:30 pppd[6767]: Connect script failed
      Apr 19 11:18:31 pppd[6859]: pppd 2.3.8 started by (unknown), uid 0


      I think it is a problem with the CRL file. I have attempted to create one but am unable to.

      When I launch an L2TP connection, I can see my attempt come in and get:

      Apr 19 10:36:03 Pluto[3108]: packet from 72.102.185.94:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
      Apr 19 10:36:03 Pluto[3108]: packet from 72.102.185.94:500: ignoring Vendor ID payload [FRAGMENTATION]
      Apr 19 10:36:03 Pluto[3108]: packet from 72.102.185.94:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
      Apr 19 10:36:03 Pluto[3108]: packet from 72.102.185.94:500: ignoring Vendor ID payload [26244d38eddb61b3...]
      Apr 19 10:36:03 Pluto[3108]: "XXXX" XX.XXX.185.94 #1: responding to Main Mode from unknown peer XX.XXX.185.94
      Apr 19 10:36:03 Pluto[3108]: "XXXX" XX.XXX.185.94 #1: only OAKLEY_GROUP_MODP768, OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
      Apr 19 10:36:03 Pluto[3108]: "XXXX" XX.XXX.185.94 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
      Apr 19 10:36:04 Pluto[3108]: "XXXX" XX.XXX.185.94 #1:   Certificate DN: C=us, ST=or, O=XXXX_XXX, CN=XXXX, E=X@X.com
      Apr 19 10:36:04 Pluto[3108]: "XXXX" XX.XXX.185.94 #1:   valid from: Apr 18 09:33:26 UTC 2011
      Apr 19 10:36:04 Pluto[3108]: "XXXX" XX.XXX.185.94 #1:           to: Apr 17 09:33:26 UTC 2012
      Apr 19 10:36:04 Pluto[3108]: "XXXX" XX.XXX.185.94 #1: Issuer CRL not found
      Apr 19 10:36:04 Pluto[3108]: "XXXX" XX.XXX.185.94 #1:   Certificate DN: C=us, ST=or, L=XXXX, O=XXXX_XXX, CN=XXXX, E=X@X.com
      Apr 19 10:36:04 Pluto[3108]: "XXXX" XX.XXX.185.94 #1:   valid from: Apr 18 09:29:22 UTC 2011
      Apr 19 10:36:04 Pluto[3108]: "XXXX" XX.XXX.185.94 #1:           to: Jul 17 09:29:22 UTC 2011
      Apr 19 10:36:04 Pluto[3108]: "XXXX" XX.XXX.185.94 #1: Issuer CRL not found
      Apr 19 10:36:04 Pluto[3108]: "XXXX" XX.XXX.185.94 #1: switched from "XXXX" to "XXXX"
      Apr 19 10:36:04 Pluto[3108]: "XXXX" XX.XXX.185.94 #1: deleting connection "XXXX" instance with peer XX.XXX.185.94
      Apr 19 10:36:04 Pluto[3108]: "XXXX" XX.XXX.185.94 #1: sent MR3, ISAKMP SA established
      Apr 19 10:36:04 Pluto[3108]: "XXXX" XX.XXX.185.94 #1: XX.XXX.131.3[C=us, ST=or, O=XXXX_XXX1, CN=XXXX, E=X@X.com]---XXX.XXX.84.226...XX.XXX.185.94[C=us, ST=or, O=XXXX_XXX, CN=XXXX, E=X@X.com]
      Apr 19 10:36:04 Pluto[3108]: "XXXX" XX.XXX.185.94 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
      Apr 19 10:36:05 Pluto[3108]: "XXXX" XX.XXX.185.94 #2: responding to Quick Mode
      Apr 19 10:36:05 Pluto[3108]: "XXXX" XX.XXX.185.94 #2: IPsec SA established
      Apr 19 10:36:05 Pluto[3108]: "XXXX" XX.XXX.185.94 #2: XX.XXX.131.3[C=us, ST=or, O=XXXX_XXX, CN=XXXX, E=X@X.com]---XXX.XXX.84.226...XX.1XXX185.94[C=us, ST=or, O=XXXX_XXX, CN=brad, E=X@X.com]
      Apr 19 10:36:12 l2tpd[1586]: Maximum retries exceeded for tunnel 41690.  Closing. 
      Apr 19 10:36:33 pppd[4080]: Connect script failed

      Can anyone point me in a good direction?
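The log above mixes expected loader noise with the real failure: Pluto walks every file in its config directory and tries each one first as a certificate and then as a CRL, so a private key (ssl_key.pem, ssh_host_rsa_key) failing the certificate parse, and every certificate failing the CRL parse, is ordinary; what matters is that nothing loaded as a CRL at all, and the two peer certificates were then rejected with "Issuer CRL not found". The following triage script is an added example, not code from the post or from the SnapGear product; it runs over a constructed copy of the lines shown above, using the message formats visible there, and the pattern it uses for a successfully loaded CRL is an assumption since no such line appears on the page.

```python
"""Triage of Pluto X.509 loader and peer-authentication log lines.

Added example (not from the original post). It separates loader noise
(files that fail one parse because they are a different kind of object)
from the actual finding: no CRL loaded, and peers rejected because the
issuer CRL is missing.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the log lines quoted in the post.
SAMPLE_LOG = """\
Apr 19 11:18:12 Pluto[5984]: Changing to directory '/etc/config'
Apr 19 11:18:12 Pluto[5984]:   error in X.509 certificate: ssl_key.pem
Apr 19 11:18:12 Pluto[5984]:   X.509 loaded: ssl_cert.pem
Apr 19 11:18:12 Pluto[5984]:   error in X.509 certificate: ssh_host_rsa_key
Apr 19 11:18:12 Pluto[5984]:   X.509 loaded: cert1.pem
Apr 19 11:18:12 Pluto[5984]:   X.509 loaded: ca.pem
Apr 19 11:18:12 Pluto[5984]:   X.509 loaded: 02.pem
Apr 19 11:18:12 Pluto[5984]:   error in X.509 CRL: ssl_key.pem
Apr 19 11:18:12 Pluto[5984]:   error in X.509 CRL: ssl_cert.pem
Apr 19 11:18:12 Pluto[5984]:   error in X.509 CRL: ssh_host_rsa_key
Apr 19 11:18:12 Pluto[5984]:   error in X.509 CRL: cert1.pem
Apr 19 11:18:12 Pluto[5984]:   error in X.509 CRL: ca.pem
Apr 19 11:18:12 Pluto[5984]:   error in X.509 CRL: 02.pem
Apr 19 10:36:04 Pluto[3108]: "XXXX" XX.XXX.185.94 #1:   Certificate DN: C=us, ST=or, O=XXXX_XXX, CN=XXXX, E=X@X.com
Apr 19 10:36:04 Pluto[3108]: "XXXX" XX.XXX.185.94 #1: Issuer CRL not found
Apr 19 10:36:04 Pluto[3108]: "XXXX" XX.XXX.185.94 #1:   Certificate DN: C=us, ST=or, L=XXXX, O=XXXX_XXX, CN=XXXX, E=X@X.com
Apr 19 10:36:04 Pluto[3108]: "XXXX" XX.XXX.185.94 #1: Issuer CRL not found
"""

# Message formats taken from the post's own log output.
CERT_LOADED_RE = re.compile(r"X\.509 loaded: (\S+)")
CERT_ERR_RE = re.compile(r"error in X\.509 certificate: (\S+)")
CRL_ERR_RE = re.compile(r"error in X\.509 CRL: (\S+)")
DN_RE = re.compile(r"Certificate DN: (.+)$")
CRL_MISSING_RE = re.compile(r"Issuer CRL not found")
# Assumed format for a successful CRL load; no such line appears in the post.
CRL_LOADED_RE = re.compile(r"X\.509 CRL loaded: (\S+)")


@dataclass
class X509Triage:
    certs_loaded: list[str] = field(default_factory=list)
    cert_parse_failures: list[str] = field(default_factory=list)
    crls_loaded: list[str] = field(default_factory=list)
    crl_parse_failures: list[str] = field(default_factory=list)
    # DN of the certificate presented just before each "Issuer CRL not found".
    peers_missing_crl: list[str] = field(default_factory=list)


def triage(log_text: str) -> X509Triage:
    """Classify each Pluto line into the buckets above."""
    t = X509Triage()
    last_dn = "<unknown DN>"
    for line in log_text.splitlines():
        if m := CRL_LOADED_RE.search(line):
            t.crls_loaded.append(m.group(1))
        elif m := CERT_LOADED_RE.search(line):
            t.certs_loaded.append(m.group(1))
        elif m := CERT_ERR_RE.search(line):
            t.cert_parse_failures.append(m.group(1))
        elif m := CRL_ERR_RE.search(line):
            t.crl_parse_failures.append(m.group(1))
        elif m := DN_RE.search(line):
            last_dn = m.group(1).strip()
        elif CRL_MISSING_RE.search(line):
            t.peers_missing_crl.append(last_dn)
    return t


def expected_crl_noise(t: X509Triage) -> list[str]:
    """CRL parse failures for files already identified as certificates or as
    non-certificates (keys): Pluto tries every file as a CRL, so these are
    expected and not a misconfiguration."""
    known = set(t.certs_loaded) | set(t.cert_parse_failures)
    return sorted(f for f in t.crl_parse_failures if f in known)


def unexplained_crl_failures(t: X509Triage) -> list[str]:
    """Files that failed the CRL parse and were not explained as cert/key:
    a candidate CRL file that Pluto could not read."""
    return sorted(set(t.crl_parse_failures) - set(expected_crl_noise(t)))


def findings(t: X509Triage) -> list[str]:
    """Human-readable summary of what actually needs fixing."""
    out: list[str] = []
    if not t.crls_loaded:
        out.append("no CRL loaded from the config directory")
    out.extend(f"unreadable CRL candidate: {f}" for f in unexplained_crl_failures(t))
    out.extend(f"peer rejected, issuer CRL missing: {dn}" for dn in t.peers_missing_crl)
    return out


if __name__ == "__main__":
    for line in findings(triage(SAMPLE_LOG)):
        print(line)
```

Running it on the sample reports the missing CRL and the two rejected certificate DNs, and an empty list of unexplained CRL failures, which is the quick way to confirm that the six "error in X.509 CRL" lines are the loader's normal behaviour rather than a corrupt CRL file.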