[strongSwan] FW: certificate status is not available
Farivar Tanha, Bijan (Bijan)
bijan.farivar_tanha at alcatel-lucent.com
Thu Nov 18 12:28:21 CET 2010
Hello,
we have a problem with authentication of the peer using a certificate, as you can see below:
charon: 08[CFG] checking certificate status of "C=DE, ST=Germany, L=Stuttgart, O=Alcatel-Lucent, CN=192.168.20.254, CN=JN11AEB36ADD, CN=rsa-key, CN=SSG320M., CN=JUNIPER"
charon: 08[CFG] ocsp check skipped, no ocsp found
charon: 08[CFG] certificate status is not available
charon: 08[IKE] authentication of 'SSG320M.' with RSA signature successful
charon: 08[CFG] constraint check failed: identity 'C=DE, ST=Germany, L=Stuttgart, O=Alcatel-Lucent, OU=Wireless, CN=JN11AEB36ADD, CN=rsa-key, CN=SSG320M, CN=JUNIPER' required
charon: 08[CFG] selected peer config 'net-net' inacceptable
charon: 08[CFG] no alternative config found
charon: 08[KNL] deleting SAD entry with SPI c8795470
We have included the certificates below.
Could you please help us to find out which options in the certificates are not correct?
Regards,
Bijan
---------------------------------------------------------------------
ipsec_starter[2661]: Starting strongSwan 4.3.4 IPsec [starter]...
charon: 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.4)
charon: 01[KNL] listening on interfaces:
charon: 01[KNL] eth1
charon: 01[KNL] 192.168.20.51
charon: 01[KNL] fe80::217:3fff:fed0:772c
charon: 01[KNL] eth0
charon: 01[KNL] 149.204.17.51
charon: 01[KNL] fe80::224:81ff:fe1d:d4fa
charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
charon: 01[LIB] loaded certificate file '/etc/ipsec.d/cacerts/Myroot2.pem'
charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
charon: 01[LIB] loaded crl file '/etc/ipsec.d/crls/crl_Myroot1.pem'
charon: 01[LIB] loaded crl file '/etc/ipsec.d/crls/crl_Myroot2.pem'
charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
charon: 01[CFG] loaded private key file '/etc/ipsec.d/private/MyBTS1_key.pem'
charon: 01[DMN] loaded plugins: curl ldap aes des sha1 sha2 md5 fips-prf random x509 pubkey openssl gcrypt xcbc hmac gmp kernel-netlink stroke updown attr resolv-conf
charon: 01[JOB] spawning 16 worker threads
ipsec_starter[2683]: charon (2684) started after 20 ms
charon: 04[CFG] stroke message => 272 bytes @ 0xb604f160
charon: 04[CFG] crl caching to /etc/ipsec.d/crls enabled
charon: 04[CFG] stroke message => 289 bytes @ 0xb604f150
charon: 04[CFG] received stroke: add ca 'swan'
charon: 04[CFG] ca swan
charon: 04[CFG] cacert=Myroot2.pem
charon: 04[CFG] crluri=(null)
charon: 04[CFG] crluri2=(null)
charon: 04[CFG] ocspuri=(null)
charon: 04[CFG] ocspuri2=(null)
charon: 04[CFG] certuribase=(null)
charon: 04[LIB] loaded certificate file '/etc/ipsec.d/cacerts/Myroot2.pem'
charon: 04[CFG] added ca 'swan'
charon: 04[CFG] stroke message => 503 bytes @ 0xb604f070
charon: 04[CFG] received stroke: add connection 'net-net'
charon: 04[CFG] conn net-net
charon: 04[CFG] left=192.168.20.51
charon: 04[CFG] leftsubnet=(null)
charon: 04[CFG] leftsourceip=(null)
charon: 04[CFG] leftauth=rsasig
charon: 04[CFG] leftauth2=(null)
charon: 04[CFG] leftid=(null)
charon: 04[CFG] leftid2=(null)
charon: 04[CFG] leftcert=MyBTS1.pem
charon: 04[CFG] leftcert2=(null)
charon: 04[CFG] leftca=(null)
charon: 04[CFG] leftca2=(null)
charon: 04[CFG] leftgroups=(null)
charon: 04[CFG] leftupdown=(null)
charon: 04[CFG] right=192.168.20.254
charon: 04[CFG] rightsubnet=192.168.30.0/24
charon: 04[CFG] rightsourceip=(null)
charon: 04[CFG] rightauth=rsasig
charon: 04[CFG] rightauth2=(null)
charon: 04[CFG] rightid=C=DE, ST=Germany, L=Stuttgart, O=Alcatel-Lucent, OU=Wireless, CN=JN11AEB36ADD,CN=rsa-key, CN=SSG320M, CN=JUNIPER
charon: 04[CFG] rightid2=(null)
charon: 04[CFG] rightcert=(null)
charon: 04[CFG] rightcert2=(null)
charon: 04[CFG] rightca=(null)
charon: 04[CFG] rightca2=(null)
charon: 04[CFG] rightgroups=(null)
charon: 04[CFG] rightupdown=(null)
charon: 04[CFG] eap_identity=(null)
charon: 04[CFG] ike=3des-sha1-modp1024!
charon: 04[CFG] esp=3des-sha1-modp1024!
charon: 04[CFG] mediation=no
charon: 04[CFG] mediated_by=(null)
charon: 04[CFG] me_peerid=(null)
charon: 04[KNL] getting interface name for 192.168.20.254
charon: 04[KNL] 192.168.20.254 is not a local address
charon: 04[KNL] getting interface name for 192.168.20.51
charon: 04[KNL] 192.168.20.51 is on interface eth1
charon: 04[LIB] loaded certificate file '/etc/ipsec.d/certs/MyBTS1.pem'
charon: 04[CFG] peerid 192.168.20.51 not confirmed by certificate, defaulting to subject DN: C=DE, O=Alcatel-Lucent, OU=Wireless, CN=SWAN
charon: 04[CFG] added configuration 'net-net'
charon: 12[CFG] stroke message => 280 bytes @ 0xb2047150
charon: 12[CFG] received stroke: initiate 'net-net'
charon: 12[IKE] queueing IKE_INIT task
charon: 12[IKE] queueing IKE_NATD task
charon: 12[IKE] queueing IKE_CERT_PRE task
charon: 12[IKE] queueing IKE_AUTHENTICATE task
charon: 12[IKE] queueing IKE_CERT_POST task
charon: 12[IKE] queueing IKE_CONFIG task
charon: 12[IKE] queueing IKE_AUTH_LIFETIME task
charon: 12[IKE] queueing CHILD_CREATE task
charon: 12[IKE] activating new tasks
charon: 12[IKE] activating IKE_INIT task
charon: 12[IKE] activating IKE_NATD task
charon: 12[IKE] activating IKE_CERT_PRE task
charon: 12[IKE] activating IKE_AUTHENTICATE task
charon: 12[IKE] activating IKE_CERT_POST task
charon: 12[IKE] activating IKE_CONFIG task
charon: 12[IKE] activating CHILD_CREATE task
charon: 12[IKE] activating IKE_AUTH_LIFETIME task
charon: 12[IKE] initiating IKE_SA net-net[1] to 192.168.20.254
charon: 12[IKE] initiating IKE_SA net-net[1] to 192.168.20.254
charon: 12[IKE] IKE_SA net-net[1] state change: CREATED => CONNECTING
charon: 12[IKE] natd_chunk => 22 bytes @ 0x80a9d20
charon: 12[IKE] 0: 4E 5D 6F 38 14 2B 36 FE 00 00 00 00 00 00 00 00 N]o8.+6.........
charon: 12[IKE] 16: C0 A8 14 FE 01 F4 ......
charon: 12[IKE] natd_hash => 20 bytes @ 0x80a7c80
charon: 12[IKE] 0: A8 0D E1 2B 4D CB 4D 42 BC 26 59 E4 3C 3E 88 89 ...+M.MB.&Y.<>..
charon: 12[IKE] 16: AE DD E1 76 ...v
charon: 12[IKE] natd_chunk => 22 bytes @ 0x80a9d20
charon: 12[IKE] 0: 4E 5D 6F 38 14 2B 36 FE 00 00 00 00 00 00 00 00 N]o8.+6.........
charon: 12[IKE] 16: C0 A8 14 33 01 F4 ...3..
charon: 12[IKE] natd_hash => 20 bytes @ 0x80a7c80
charon: 12[IKE] 0: 18 27 5C 02 7C C7 51 BA 46 EC DB 4A D9 93 4F 27 .'\.|.Q.F..J..O'
charon: 12[IKE] 16: 34 4A A6 7E 4J.~
charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
charon: 12[NET] sending packet: from 192.168.20.51[500] to 192.168.20.254[500]
charon: 15[NET] received packet: from 192.168.20.254[500] to 192.168.20.51[500]
charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
charon: 15[CFG] selecting proposal:
charon: 15[CFG] proposal matches
charon: 15[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon: 15[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon: 15[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon: 15[IKE] shared Diffie Hellman secret => 128 bytes @ 0x80ab128
[...]
charon: 15[IKE] SKEYSEED => 20 bytes @ 0x80a9818
[...]
charon: 15[IKE] Sk_d secret => 20 bytes @ 0x80a9818
[...]
charon: 15[IKE] Sk_ai secret => 20 bytes @ 0x80a9e08
[...]
charon: 15[IKE] Sk_ar secret => 20 bytes @ 0x80a9e08
[...]
charon: 15[IKE] Sk_ei secret => 24 bytes @ 0x80aa670
[...]
charon: 15[IKE] Sk_er secret => 24 bytes @ 0x80aa670
[...]
charon: 15[IKE] Sk_pi secret => 20 bytes @ 0x80a9c68
[...]
charon: 15[IKE] Sk_pr secret => 20 bytes @ 0x80a9e08
[...]
charon: 15[IKE] natd_chunk => 22 bytes @ 0x80a5918
[...]
charon: 15[IKE] natd_hash => 20 bytes @ 0x80a9a30
[...]
charon: 15[IKE] natd_chunk => 22 bytes @ 0x80a5918
[...]
charon: 15[IKE] natd_hash => 20 bytes @ 0x80a60e8
[...]
charon: 15[IKE] precalculated src_hash => 20 bytes @ 0x80a60e8
[...]
charon: 15[IKE] precalculated dst_hash => 20 bytes @ 0x80a9a30
charon: 15[IKE] 0: 82 BE D1 D4 FB 95 A9 68 63 2D A8 F2 D9 0C E2 0D .......hc-......
charon: 15[IKE] 16: 75 BF 12 E2 u...
charon: 15[IKE] received cert request for unknown ca with keyid 12:b9:6f:ae:3c:15:64:e2:f1:16:5f:e9:be:e3:3a:ca:03:65:af:c5
charon: 15[IKE] reinitiating already active tasks
charon: 15[IKE] IKE_CERT_PRE task
charon: 15[IKE] IKE_AUTHENTICATE task
charon: 15[IKE] sending cert request for "C=DE, O=Alcatel-Lucent, OU=Wireless, CN=JuniperRoot"
charon: 15[IKE] sending cert request for "C=DE, O=Alcatel-Lucent, OU=Wireless, CN=SWAN"
charon: 15[IKE] IDx' => 78 bytes @ 0xb0844040
charon: 15[IKE] 0: 09 00 00 00 30 48 31 0B 30 09 06 03 55 04 06 13 ....0H1.0...U...
charon: 15[IKE] 16: 02 44 45 31 17 30 15 06 03 55 04 0A 13 0E 41 6C .DE1.0...U....Al
charon: 15[IKE] 32: 63 61 74 65 6C 2D 4C 75 63 65 6E 74 31 11 30 0F catel-Lucent1.0.
charon: 15[IKE] 48: 06 03 55 04 0B 13 08 57 69 72 65 6C 65 73 73 31 ..U....Wireless1
charon: 15[IKE] 64: 0D 30 0B 06 03 55 04 03 13 04 53 57 41 4E .0...U....SWAN
charon: 15[IKE] SK_p => 20 bytes @ 0x80a9c68
charon: 15[IKE] 0: F9 0B C5 61 80 3D FC 9A F1 19 9B 94 97 E6 EF 26 ...a.=.........&
charon: 15[IKE] 16: E1 97 83 5C ...\
charon: 15[IKE] octets = message + nonce + prf(Sk_px, IDx') => 352 bytes @ 0x80ab850
charon: 15[IKE] authentication of 'C=DE, O=Alcatel-Lucent, OU=Wireless, CN=SWAN' (myself) with RSA signature successful
charon: 15[IKE] sending end entity cert "C=DE, O=Alcatel-Lucent, OU=Wireless, CN=SWAN"
charon: 15[IKE] establishing CHILD_SA net-net
charon: 15[IKE] establishing CHILD_SA net-net
charon: 15[CFG] proposing traffic selectors for us:
charon: 15[CFG] dynamic (derived from dynamic)
charon: 15[CFG] proposing traffic selectors for other:
charon: 15[CFG] 192.168.30.0/24 (derived from 192.168.30.0/24)
charon: 15[KNL] getting SPI for reqid {1}
charon: 15[KNL] sending XFRM_MSG_ALLOCSPI: => 244 bytes @ 0xb0843cfc
charon: 15[KNL] got SPI c8795470 for reqid {1}
charon: 15[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr ]
charon: 15[NET] sending packet: from 192.168.20.51[500] to 192.168.20.254[500]
charon: 08[NET] received packet: from 192.168.20.254[500] to 192.168.20.51[500]
charon: 08[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CP SA N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) TSi TSr ]
charon: 08[IKE] received end entity cert "C=DE, ST=Germany, L=Stuttgart, O=Alcatel-Lucent, CN=192.168.20.254, CN=JN11AEB36ADD, CN=rsa-key, CN=SSG320M., CN=JUNIPER"
charon: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED notify
charon: 08[IKE] received NON_FIRST_FRAGMENTS_ALSO notify
charon: 08[IKE] IDx' => 12 bytes @ 0xb404b0b0
charon: 08[IKE] 0: 02 00 00 00 53 53 47 33 32 30 4D 2E ....SSG320M.
charon: 08[IKE] SK_p => 20 bytes @ 0x80a9e08
charon: 08[IKE] 0: E1 AA 58 8B 27 36 64 F6 9A 9B 8E DF 3E 0A 66 5F ..X.'6d.....>.f_
charon: 08[IKE] 16: 26 27 E1 6C &'.l
charon: 08[IKE] octets = message + nonce + prf(Sk_px, IDx') => 321 bytes @ 0x80ab938
charon: 08[CFG] using certificate "C=DE, ST=Germany, L=Stuttgart, O=Alcatel-Lucent, CN=192.168.20.254, CN=JN11AEB36ADD, CN=rsa-key, CN=SSG320M., CN=JUNIPER"
charon: 08[CFG] using trusted ca certificate "C=DE, O=Alcatel-Lucent, OU=Wireless, CN=JuniperRoot"
charon: 08[CFG] checking certificate status of "C=DE, ST=Germany, L=Stuttgart, O=Alcatel-Lucent, CN=192.168.20.254, CN=JN11AEB36ADD, CN=rsa-key, CN=SSG320M., CN=JUNIPER"
charon: 08[CFG] ocsp check skipped, no ocsp found
charon: 08[CFG] certificate status is not available
charon: 08[IKE] authentication of 'SSG320M.' with RSA signature successful
charon: 08[CFG] constraint check failed: identity 'C=DE, ST=Germany, L=Stuttgart, O=Alcatel-Lucent, OU=Wireless, CN=JN11AEB36ADD, CN=rsa-key, CN=SSG320M, CN=JUNIPER' required
charon: 08[CFG] selected peer config 'net-net' inacceptable
charon: 08[CFG] no alternative config found
charon: 08[KNL] deleting SAD entry with SPI c8795470
charon: 08[KNL] sending XFRM_MSG_DELSA: => 40 bytes @ 0xb404ad7c
charon: 08[KNL] 0: 28 00 00 00 11 00 05 00 CA 00 00 00 7C 0A 00 00 (...........|...
charon: 08[KNL] 16: C0 A8 14 33 00 00 00 00 00 00 00 00 00 00 00 00 ...3............
charon: 08[KNL] 32: C8 79 54 70 02 00 00 00 .yTp....
charon: 08[KNL] received netlink error: Invalid argument (22)
charon: 08[KNL] unable to delete SAD entry with SPI c8795470
charon: 08[IKE] IKE_SA net-net[1] state change: CONNECTING => DESTROYING
11:58:56 destgd0h003661 charon: 02[KNL] received a XFRM_MSG_EXPIRE
11:58:56 destgd0h003661 charon: 02[KNL] creating delete job for ESP CHILD_SA with SPI c8795470 and reqid {1}
11:58:56 destgd0h003661 charon: 10[JOB] CHILD_SA with reqid 1 not found for delete
----------------------------------------------------------------------------------------------------------------------------------------------
Contents of CA Myroot2
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            92:5e:a6:77:59:63:3c:74
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, O=Alcatel-Lucent, OU=Wireless, CN=JuniperRoot
        Validity
            Not Before: 07:37:16 2010 GMT
            Not After : Dec 18 07:37:16 2010 GMT
        Subject: C=DE, O=Alcatel-Lucent, OU=Wireless, CN=JuniperRoot
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                83:B1:07:7A:EE:CF:E0:01:61:44:E1:3D:4D:70:FE:D2:9A:F9:C7:C4
            X509v3 Authority Key Identifier:
                keyid:83:B1:07:7A:EE:CF:E0:01:61:44:E1:3D:4D:70:FE:D2:9A:F9:C7:C4
                DirName:/C=DE/O=Alcatel-Lucent/OU=Wireless/CN=JuniperRoot
                serial:92:5E:A6:77:59:63:3C:74
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
    [...]
---------------------------------------------
Contents of peer certificate received
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 330 (0x14a)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, O=Alcatel-Lucent, OU=Wireless, CN=JuniperRoot
        Validity
            Not Before: 10:46:51 2010 GMT
            Not After : Nov 15 10:46:51 2020 GMT
        Subject: C=DE, ST=Germany, L=Stuttgart, O=Alcatel-Lucent, CN=192.168.20.254, CN=JN11AEB36ADD, CN=rsa-key, CN=SSG320M., CN=JUNIPER
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE, pathlen:1
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C4:81:52:16:BD:CB:A8:C6:E5:A1:97:8A:CE:1A:8B:2E:7D:F4:5B:A9
            X509v3 Authority Key Identifier:
                keyid:83:B1:07:7A:EE:CF:E0:01:61:44:E1:3D:4D:70:FE:D2:9A:F9:C7:C4
            X509v3 Subject Alternative Name:
                email:juniper at alcatel-lucent.com, IP Address:192.168.20.254, DNS:SSG320M.
    Signature Algorithm: sha1WithRSAEncryption
    [...]
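As an added example (not part of the original post and not strongSwan's code), the following Python script models the identity check behind the "constraint check failed: identity ... required" line: it takes the rightid from the 'conn net-net' dump and the subject DN and SAN entries from the received peer certificate as shown in the log, and reports RDN by RDN where the two identities diverge. The RDN parsing and matching are a simplified, constructed model of that check.

```python
"""Added example, not from the original post or from strongSwan: model the
identity constraint check that charon logs as
"constraint check failed: identity '...' required", using the rightid and the
peer certificate values copied from the log and certificate dump above.
The RDN-by-RDN comparison is a simplified, constructed model of that check."""
from typing import Dict, List, Tuple

RDN = Tuple[str, str]

# rightid= from the 'conn net-net' dump in the log
CONFIGURED_RIGHTID = ("C=DE, ST=Germany, L=Stuttgart, O=Alcatel-Lucent, OU=Wireless, "
                      "CN=JN11AEB36ADD,CN=rsa-key, CN=SSG320M, CN=JUNIPER")
# Subject of the end entity cert the peer sent in the IKE_AUTH response
PEER_CERT_SUBJECT = ("C=DE, ST=Germany, L=Stuttgart, O=Alcatel-Lucent, "
                     "CN=192.168.20.254, CN=JN11AEB36ADD, CN=rsa-key, CN=SSG320M., CN=JUNIPER")
# subjectAltName entries of that cert (email SAN omitted) and the IDr the peer sent
PEER_CERT_SANS: Dict[str, str] = {"IP Address": "192.168.20.254", "DNS": "SSG320M."}
PEER_IDR = "SSG320M."


def parse_dn(dn: str) -> List[RDN]:
    """Split an OpenSSL-style DN string into an ordered list of (type, value) RDNs.
    Constructed helper: no escaping or multi-valued RDN support."""
    rdns: List[RDN] = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def idr_confirmed_by_cert(idr: str, subject: str, sans: Dict[str, str]) -> bool:
    """Why "authentication of 'SSG320M.' ... successful" is logged: the IDr only
    has to be confirmed by the certificate (here as DNS:SSG320M. in the SAN)."""
    return idr in sans.values() or ("CN", idr) in parse_dn(subject)


def dn_matches(required: str, subject: str) -> bool:
    """A DN rightid must equal the certificate subject RDN for RDN, in order."""
    return parse_dn(required) == parse_dn(subject)


def diff_dns(required: str, subject: str):
    """Return (missing, unexpected, near_misses): RDNs the rightid requires but
    the subject lacks, RDNs the subject has that the rightid does not list,
    and pairs that differ only by case or a trailing dot."""
    want, have = parse_dn(required), parse_dn(subject)
    missing = [r for r in want if r not in have]
    unexpected = [r for r in have if r not in want]
    near: List[Tuple[RDN, RDN]] = []
    for w in list(missing):
        for h in list(unexpected):
            if w[0] == h[0] and w[1].rstrip(".").lower() == h[1].rstrip(".").lower():
                near.append((w, h))
                missing.remove(w)
                unexpected.remove(h)
                break
    return missing, unexpected, near


def explain(required: str, subject: str) -> List[str]:
    """Human-readable findings for the mismatch, one per RDN difference."""
    missing, unexpected, near = diff_dns(required, subject)
    lines = [f"rightid requires {t}={v} but the cert subject has no such RDN" for t, v in missing]
    lines += [f"cert subject has {t}={v} which rightid does not list" for t, v in unexpected]
    lines += [f"{wt}={wv} (rightid) vs {ht}={hv} (cert): trailing dot or case differs"
              for (wt, wv), (ht, hv) in near]
    return lines


if __name__ == "__main__":
    print("IDr confirmed by cert:", idr_confirmed_by_cert(PEER_IDR, PEER_CERT_SUBJECT, PEER_CERT_SANS))
    print("rightid matches subject:", dn_matches(CONFIGURED_RIGHTID, PEER_CERT_SUBJECT))
    for line in explain(CONFIGURED_RIGHTID, PEER_CERT_SUBJECT):
        print(" -", line)
```

Run against the values from the post it reports three differences: the OU=Wireless the rightid requires is absent from the subject, the subject's CN=192.168.20.254 is not in the rightid, and CN=SSG320M versus CN=SSG320M. differ by the trailing dot.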