[strongSwan] Error 13801 in windows

Kamil Jońca kjonca at o2.pl
Wed Jun 8 14:15:33 CEST 2011


Andreas Steffen
<andreas.steffen at strongswan.org> writes:

> Hi Kamil,
>
> strongSwan uses ',' and '/' as reserved characters to separate
> Relative Distinguished Names in an X.509 Distinguished Name.
> Therefore CN=host/bambus at KJONCA will be incorrectly encoded.
> Could you generate another certificate not containing a '/'
> character?

I have generated one, and Win says that it is connected, but I cannot ping
the "other peer".


--8<---------------cut here---------------start------------->8---
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] received cert request for unknown ca with keyid 07:15:28:6d:70:73:aa:b2:8a:7c:0f:86:ce:38:93:00:38:05:8a:b1
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] received end entity cert "C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca"
2011-06-08T13:55:47+02:00 alfa charon: 15[CFG] looking for peer configs matching 192.168.200.200[%any]...80.50.55.206[C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca]
2011-06-08T13:55:47+02:00 alfa charon: 15[CFG] selected peer config 'bambus'
2011-06-08T13:55:47+02:00 alfa charon: 15[CFG]   using certificate "C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca"
2011-06-08T13:55:47+02:00 alfa charon: 15[CFG]   using trusted ca certificate "C=PL, ST=Mazowieckie, L=Warszawa, O=kjonca.kjonca, OU=ipsec, CN=openswan--kjonca.kjonca"
2011-06-08T13:55:47+02:00 alfa charon: 15[CFG] checking certificate status of "C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca"
2011-06-08T13:55:47+02:00 alfa charon: 15[CFG] certificate status is not available
2011-06-08T13:55:47+02:00 alfa charon: 15[CFG]   reached self-signed root ca with a path length of 0
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] authentication of 'C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca' with RSA signature successful
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] peer supports MOBIKE
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] authentication of 'C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=alfa.kjonca' (myself) with RSA signature successful
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] IKE_SA bambus[16] established between 192.168.200.200[C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=alfa.kjonca]...80.50.55.206[C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca]
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] scheduling reauthentication in 9941s
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] maximum IKE_SA lifetime 10481s
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] sending end entity cert "C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=alfa.kjonca"
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] peer requested virtual IP %any6
2011-06-08T13:55:47+02:00 alfa charon: 15[CFG] reassigning offline lease to 'C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca'
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] assigning virtual IP 192.168.200.211 to peer 'C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca'
2011-06-08T13:55:47+02:00 alfa charon: 15[IKE] CHILD_SA bambus{3} established with SPIs c1dbbfcc_i ca8b9d08_o and TS 192.168.200.0/24 === 192.168.200.211/32
2011-06-08T13:55:47+02:00 alfa charon: 15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
2011-06-08T13:55:47+02:00 alfa charon: 15[NET] sending packet: from 192.168.200.200[4500] to 80.50.55.206[4500]
2011-06-08T13:55:47+02:00 alfa charon: 08[KNL] NAT mappings of ESP CHILD_SA with SPI c1dbbfcc and reqid {3} changed, queuing update job
2011-06-08T13:55:47+02:00 alfa charon: 08[KNL] NAT mappings of ESP CHILD_SA with SPI c1dbbfcc and reqid {3} changed, queuing update job
2011-06-08T13:55:48+02:00 alfa charon: 08[KNL] NAT mappings of ESP CHILD_SA with SPI c1dbbfcc and reqid {3} changed, queuing update job
--8<---------------cut here---------------end--------------->8---
KJ



-- 
http://blogdebart.pl/2010/03/17/dalsze-przygody-swinki-w-new-jersey/
Linux can survive having the processor removed - it will work out the rest in memory.
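
The separator problem described in the quoted reply can be caught before a certificate is issued. The following is an added example, not part of the original message and not strongSwan code: a simplified model that splits a subject string on ',' and '/' and reports fragments that no longer look like attribute=value. The function names and the BAD and SLASH sample strings are constructed for illustration; GOOD is the subject shown in the log above.

```python
import re

# Attribute type: a short name such as CN or OU, or a dotted OID.
_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9]*|\d+(\.\d+)+")


def naive_split(dn):
    """Split a DN string on every ',' and '/' (simplified model of the
    reserved-character behaviour described in the quoted reply)."""
    return [p.strip() for p in re.split(r"[,/]", dn) if p.strip()]


def check_subject(dn):
    """Return a list of problems; an empty list means the DN splits cleanly."""
    problems = []
    for part in naive_split(dn):
        typ, sep, value = part.partition("=")
        if not sep:
            problems.append(
                f"fragment {part!r} has no attribute type; "
                "a value probably contained ',' or '/'"
            )
        elif not _TYPE.fullmatch(typ.strip()):
            problems.append(f"fragment {part!r} has an invalid attribute type")
        elif not value.strip():
            problems.append(f"attribute {typ.strip()!r} has an empty value")
    return problems


# Subject taken from the log above.
GOOD = "C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=bambus.kjonca"
# Constructed: the same subject with a '/' inside the CN value.
BAD = "C=PL, ST=Mazowieckie, O=kjonca.kjonca, OU=ipsec, CN=host/bambus"
# Constructed: a '/'-separated rendering of a subject, which splits cleanly
# because here '/' really is the separator.
SLASH = "/C=PL/O=kjonca.kjonca/OU=ipsec/CN=bambus.kjonca"

if __name__ == "__main__":
    for subject in (GOOD, BAD, SLASH):
        issues = check_subject(subject)
        print(subject, "->", issues or "ok")
```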




