Grandis Professorem Astaro
Join Date: Mar 2007
Location: Oklahoma City
Posts: 14,307
09-16-2009, 01:09 AM
Please point me in the right direction...
I've been fighting this for three hours, and I should have been done in 10 minutes! I had an IPsec Site-to-Site set up between my Production Astaro and my Test ASG220. I experimented with Certs and CAs several months ago and don't remember how I left things. When I tried to use it again over the weekend, I found it broken.
Just to be sure I didn't waste any time, I printed out Article #237057, the configuration document, from the KnowledgeBase. I deleted all of the junk from both boxes, then I followed the document through twice and came up with the same problem after both attempts.
Below is the portion of the IPsec log that includes all of session 10448. I don't understand why it complains "issuer cacert not found" - I thought that was supposed to come over with the cert in the PKCS#12 container!?!
Then, it gripes that it doesn't have the RSA public key of the remote system, but I think that's irrelevant to my problem, that it's just the standard procedure when the cert can't be authenticated - correct?
I regenerated the cert and re-imported it, but still got the same result.
I'm obviously not searching in the right places. Thanks in advance for your help.
Cheers - Bob
Code:
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: responding to Main Mode
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10446: max number of retransmissions (2) reached STATE_MAIN_R2
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: NAT-Traversal: Result using RFC 3947: no NAT detected
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: Peer ID is ID_DER_ASN1_DN: 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com'
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: issuer cacert not found
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: X.509 certificate rejected
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: no RSA public key known for 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com'
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: sending encrypted notification INVALID_KEY_INFORMATION to [IP of Production]:500
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10447: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10447: starting keying attempt 21 of an unlimited number
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: initiating Main Mode to replace #10447
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: ignoring Vendor ID payload [strongSwan 4.2.3]
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: ignoring Vendor ID payload [Cisco-Unity]
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: received Vendor ID payload [XAUTH]
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: received Vendor ID payload [Dead Peer Detection]
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: received Vendor ID payload [RFC 3947]
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: enabling possible NAT-traversal with method 3
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: NAT-Traversal: Result using RFC 3947: no NAT detected
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: we have a cert and are sending it
2009:09:15-19:37:47 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: Peer ID is ID_DER_ASN1_DN: 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com'
2009:09:15-19:37:47 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: issuer cacert not found
2009:09:15-19:37:47 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: X.509 certificate rejected
2009:09:15-19:37:47 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: no RSA public key known for 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com'
2009:09:15-19:37:47 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: sending encrypted notification INVALID_KEY_INFORMATION to [IP of Production]:500
2009:09:15-19:37:50 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: Peer ID is ID_DER_ASN1_DN: 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com'
2009:09:15-19:37:50 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: issuer cacert not found
2009:09:15-19:37:50 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: X.509 certificate rejected
2009:09:15-19:37:50 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: no RSA public key known for 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com'
2009:09:15-19:37:50 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: sending encrypted notification INVALID_KEY_INFORMATION to [IP of Production]:500
2009:09:15-19:37:56 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: Peer ID is ID_DER_ASN1_DN: 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com'
2009:09:15-19:37:56 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: issuer cacert not found
2009:09:15-19:37:56 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: X.509 certificate rejected
2009:09:15-19:37:56 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: no RSA public key known for 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com'
2009:09:15-19:37:56 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: sending encrypted notification INVALID_KEY_INFORMATION to [IP of Production]:500
2009:09:15-19:38:09 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: Peer ID is ID_DER_ASN1_DN: 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com'
2009:09:15-19:38:09 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: issuer cacert not found
2009:09:15-19:38:09 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: X.509 certificate rejected
2009:09:15-19:38:09 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: no RSA public key known for 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com'
2009:09:15-19:38:09 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: sending encrypted notification INVALID_KEY_INFORMATION to [IP of Production]:500
2009:09:15-19:38:16 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: Peer ID is ID_DER_ASN1_DN: 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com'
2009:09:15-19:38:16 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: issuer cacert not found
2009:09:15-19:38:16 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: X.509 certificate rejected
2009:09:15-19:38:16 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: no RSA public key known for 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com'
2009:09:15-19:38:16 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: sending encrypted notification INVALID_KEY_INFORMATION to [IP of Production]:500
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: ignoring Vendor ID payload [strongSwan 4.2.3]
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: ignoring Vendor ID payload [Cisco-Unity]
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: received Vendor ID payload [XAUTH]
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: received Vendor ID payload [Dead Peer Detection]
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: received Vendor ID payload [RFC 3947]
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: "S_MyCompany" #10450: responding to Main Mode
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: max number of retransmissions (2) reached STATE_MAIN_R2
__________________
ACE V7 - Astaro Preferred Partner since V3
Sophos Gold Solution Partner
www.MediaSoftUSA.com
Addicted to my iPhone!
Last edited by BAlfson; 09-16-2009 at 08:16 PM.
Reason: RSA
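An added example, not from the post or from Astaro: a small Python parser that groups pluto lines like the ones above by ISAKMP state number, flags the "issuer cacert not found" / "X.509 certificate rejected" sequence, and extracts the peer DN so the CN= and E= fields can be compared against the VPN ID type configured on the peer. The log text embedded in it is constructed in the same format as the quoted log.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the pluto log quoted in the post
SAMPLE_LOG = """\
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: responding to Main Mode
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: Peer ID is ID_DER_ASN1_DN: 'C=us, ST=Oklahoma, O=MyCompany, Inc., CN=mycompany, E=BAlfson@MyDomain.com'
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: issuer cacert not found
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: X.509 certificate rejected
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: sending encrypted notification INVALID_KEY_INFORMATION to [IP of Production]:500
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: we have a cert and are sending it
"""

LINE_RE = re.compile(r'^(\S+) \S+ pluto\[\d+\]: "([^"]+)" #(\d+): (.*)$')
PEER_RE = re.compile(r"Peer ID is \S+: '(.*)'$")

def parse_dn(dn):
    """Split a DN into a dict, breaking only on ', ' that starts a new RDN
    so a value such as 'MyCompany, Inc.' stays intact."""
    return dict(p.split("=", 1) for p in re.split(r", (?=[A-Za-z]+=)", dn))

def diagnose(log_text):
    """Group pluto messages by ISAKMP state (#nnnn) and flag the
    'issuer cacert not found' -> 'X.509 certificate rejected' sequence."""
    states = defaultdict(lambda: {"conn": None, "peer_dn": None,
                                   "cert_rejected": False, "hint": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, conn, state, msg = m.groups()
        s = states[state]
        s["conn"] = conn
        pm = PEER_RE.search(msg)
        if pm:
            s["peer_dn"] = parse_dn(pm.group(1))
        if msg == "issuer cacert not found":
            s["hint"] = ("peer cert received, but its issuing CA is not trusted locally: "
                         "check the CA import and that the VPN ID type matches the cert field")
        if msg == "X.509 certificate rejected":
            s["cert_rejected"] = True
    return dict(states)

if __name__ == "__main__":
    for state, info in sorted(diagnose(SAMPLE_LOG).items()):
        print(f"#{state} {info['conn']}: rejected={info['cert_rejected']}")
        if info["cert_rejected"]:
            print("  peer DN:", info["peer_dn"], "\n  hint:", info["hint"])
```

Feed it the IPsec log of one connection attempt and compare the printed peer DN with the VPN ID type set on the remote definition; a CN/E mismatch or a missing CA shows up as the same rejected-state pattern.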
Grandis Professorem Astaro
09-16-2009, 08:17 PM
Any ideas? Is this a bug?
Member
Join Date: Sep 2009
Posts: 64
12-12-2011, 12:54 PM
Hi,
I know this is a quite old topic, but did you find any solution for this?
Grandis Professorem Astaro
12-12-2011, 08:18 PM
I had an incorrect certificate with VPN ID of an email address when it should have been "Hostname" as that was what was in the "Email Address" field.
Show the log lines from one connection attempt, and maybe we can see from that what your issue might be.
Cheers - Bob
Member
Join Date: Sep 2009
Posts: 64
02-09-2012, 02:14 PM
Hi,
Sorry for the delayed answer... I had a similar problem, where I got the same errors as you. My solution was to switch the certificate in the "Advanced" register button under "IPSec" in "Site-To-Site-VPN".