[strongSwan] Error 13801 in windows
Andreas Steffen
andreas.steffen at strongswan.org
Wed Jun 8 13:33:52 CEST 2011
Hi Kamil,
strongSwan uses ',' and '/' as reserved characters to separate
Relative Distinguished Names in an X.509 Distinguished Name.
Therefore CN=host/bambus at KJONCA will be incorrectly encoded.
Could you generate another certificate not containing a '/'
character?
Regards
Andreas
On 06/08/2011 01:17 PM, Kamil Jońca wrote:
>
> My /etc/ipsec.conf
> --8<---------------cut here---------------start------------->8---
> config setup
>     nat_traversal=yes
>     charonstart=yes
>     plutostart=no
>
> conn bambus
>     left=%defaultroute
>     leftsubnet=192.168.200.0/24
>     leftcert=alfa.kjonca.1.pem
>     leftid="C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=alfa.kjonca"
>     right=%any
>     rightid="C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=host/bambus at KJONCA"
>     rightsourceip=192.168.200.211
>     keyexchange=ikev2
>     auto=add
>     rightca="C=PL, ST=Mazowieckie, L=Warszawa, O=kjonca.kjonca, OU=ipsec, CN=openswan--kjonca.kjonca"
>     leftca="C=PL, ST=Mazowieckie, L=Warszawa, O=kjonca.kjonca, OU=ipsec, CN=openswan--kjonca.kjonca"
>
> include /var/lib/strongswan/ipsec.conf.inc
> --8<---------------cut here---------------end--------------->8---
>
> Server box is behind NAT.
> Client laptop is also behind NAT.
> And I cannot create a connection; Windows shows error 13801.
> In syslog I have:
>
> [...]
>
> 2011-06-08T13:12:18+02:00 alfa charon: 00[JOB] spawning 16 worker threads
> 2011-06-08T13:12:18+02:00 alfa charon: 10[CFG] received stroke: add connection 'bambus'
> 2011-06-08T13:12:18+02:00 alfa charon: 10[CFG] loaded certificate "C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=alfa.kjonca" from 'alfa.kjonca.1.pem'
> 2011-06-08T13:12:18+02:00 alfa charon: 10[CFG] added configuration 'bambus'
> 2011-06-08T13:12:18+02:00 alfa charon: 10[CFG] adding virtual IP address pool 'bambus': 192.168.200.211/32
> 2011-06-08T13:12:21+02:00 alfa charon: 15[NET] received packet: from 80.50.55.206[500] to 192.168.200.200[500]
> 2011-06-08T13:12:21+02:00 alfa charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 2011-06-08T13:12:21+02:00 alfa charon: 15[IKE] 80.50.55.206 is initiating an IKE_SA
> 2011-06-08T13:12:21+02:00 alfa charon: 15[IKE] local host is behind NAT, sending keep alives
> 2011-06-08T13:12:21+02:00 alfa charon: 15[IKE] remote host is behind NAT
> 2011-06-08T13:12:21+02:00 alfa charon: 15[IKE] sending cert request for "C=PL, ST=Mazowieckie, L=Warszawa, O=kjonca.kjonca, OU=ipsec, CN=openswan--kjonca.kjonca"
> 2011-06-08T13:12:21+02:00 alfa charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> 2011-06-08T13:12:21+02:00 alfa charon: 15[NET] sending packet: from 192.168.200.200[500] to 80.50.55.206[500]
> 2011-06-08T13:12:21+02:00 alfa charon: 16[NET] received packet: from 80.50.55.206[4500] to 192.168.200.200[4500]
> 2011-06-08T13:12:21+02:00 alfa charon: 16[ENC] unknown attribute type INTERNAL_IP4_SERVER
> 2011-06-08T13:12:21+02:00 alfa charon: 16[ENC] unknown attribute type INTERNAL_IP6_SERVER
> 2011-06-08T13:12:21+02:00 alfa charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
>
> 2011-06-08T13:12:21+02:00 alfa charon: 16[IKE] received cert request for unknown ca with keyid [....some unknown certs ....]
>
> 2011-06-08T13:12:21+02:00 alfa charon: 16[IKE] received cert request for "C=PL, ST=Mazowieckie, L=Warszawa, O=kjonca.kjonca, OU=ipsec, CN=openswan--kjonca.kjonca"
> 2011-06-08T13:12:21+02:00 alfa charon: 16[IKE] received end entity cert "C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=host/bambus at KJONCA"
> 2011-06-08T13:12:21+02:00 alfa charon: 16[CFG] looking for peer configs matching 192.168.200.200[%any]...80.50.55.206[C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=host/bambus at KJONCA]
> 2011-06-08T13:12:21+02:00 alfa charon: 16[CFG] no matching peer config found
> 2011-06-08T13:12:21+02:00 alfa charon: 16[IKE] peer supports MOBIKE
> 2011-06-08T13:12:21+02:00 alfa charon: 16[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 2011-06-08T13:12:21+02:00 alfa charon: 16[NET] sending packet: from 192.168.200.200[4500] to 80.50.55.206[4500]
>
> [...]
> Any ideas?
> KJ
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
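The reserved-character problem described in the reply above, as an added example that is not part of the original message and is not strongSwan's parser: a simplified model that splits a DN string on every ',' and '/', plus a check that flags DN-valued options in an ipsec.conf whose value breaks into a fragment without a `type=value` form. The names `split_rdns`, `audit_conf`, `DN_OPTIONS` and `SAMPLE_CONF` are assumptions made for illustration; the sample lines are taken from the configuration quoted in this thread.

```python
import re

# Separators the reply above names as reserved in strongSwan DN strings.
RDN_SEPARATORS = re.compile(r"[,/]")
# Options from the posted config that can carry a DN (assumed list).
DN_OPTIONS = {"leftid", "rightid", "leftca", "rightca"}

# Constructed sample: lines copied from the ipsec.conf quoted in this thread.
SAMPLE_CONF = '''
conn bambus
    leftsubnet=192.168.200.0/24
    leftid="C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=alfa.kjonca"
    rightid="C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=host/bambus at KJONCA"
'''

def split_rdns(dn):
    """Simplified model (an assumption, not strongSwan's code):
    split a DN string on every ',' or '/' and return the pieces."""
    return [p.strip() for p in RDN_SEPARATORS.split(dn) if p.strip()]

def audit_conf(text):
    """Return (line_no, option, fragment) for each DN option whose value
    yields a piece lacking 'type=value' form, meaning a reserved
    character sat inside an attribute value."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        option, sep, value = line.strip().partition("=")
        if not sep or option not in DN_OPTIONS:
            continue  # e.g. leftsubnet may contain '/' legitimately
        value = value.strip().strip('"')
        if "=" not in value:
            continue  # not a DN (e.g. %any, an FQDN, an IP address)
        for piece in split_rdns(value):
            if "=" not in piece:
                findings.append((no, option, piece))
    return findings

if __name__ == "__main__":
    for no, option, piece in audit_conf(SAMPLE_CONF):
        print(f"line {no}: {option} has stray fragment {piece!r}")
```
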