Please point me in the right direction...

#1 BAlfson, 09-16-2009, 01:09 AM

I've been fighting this for three hours, and I should have been done in 10 minutes! I had an IPsec Site-to-Site set up between my Production Astaro and my Test ASG220. I experimented with Certs and CAs several months ago and don't remember how I left things. When I tried to use it again over the weekend, I found it broken.

Just to be sure I didn't waste any time, I printed out Article #237057, the configuration document, from the KnowledgeBase. I deleted all of the junk from both boxes, then I followed the document through twice and came up with the same problem after both attempts.

Below is the portion of the IPsec log that includes all of session 10448. I don't understand why it complains "issuer cacert not found" - I thought that was supposed to come over with the cert in the PKCS#12 container!?!

Then, it gripes that it doesn't have the RSA public key of the remote system, but I think that's irrelevant to my problem, that it's just the standard procedure when the cert can't be authenticated - correct?

I regenerated the cert and re-imported it, but still got the same result.

I'm obviously not searching in the right places. Thanks in advance for your help.

Cheers - Bob

Code:
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: responding to Main Mode 
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10446: max number of retransmissions (2) reached STATE_MAIN_R2 
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: NAT-Traversal: Result using RFC 3947: no NAT detected 
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: Peer ID is ID_DER_ASN1_DN: 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: issuer cacert not found 
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: X.509 certificate rejected 
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: no RSA public key known for 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: sending encrypted notification INVALID_KEY_INFORMATION to [IP of Production]:500 
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10447: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message 
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10447: starting keying attempt 21 of an unlimited number 
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: initiating Main Mode to replace #10447 
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: ignoring Vendor ID payload [strongSwan 4.2.3] 
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: ignoring Vendor ID payload [Cisco-Unity] 
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: received Vendor ID payload [XAUTH] 
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: received Vendor ID payload [Dead Peer Detection] 
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: received Vendor ID payload [RFC 3947] 
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: enabling possible NAT-traversal with method 3 
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: NAT-Traversal: Result using RFC 3947: no NAT detected 
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: we have a cert and are sending it 
2009:09:15-19:37:47 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: Peer ID is ID_DER_ASN1_DN: 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:37:47 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: issuer cacert not found 
2009:09:15-19:37:47 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: X.509 certificate rejected 
2009:09:15-19:37:47 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: no RSA public key known for 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:37:47 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: sending encrypted notification INVALID_KEY_INFORMATION to [IP of Production]:500 
2009:09:15-19:37:50 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: Peer ID is ID_DER_ASN1_DN: 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:37:50 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: issuer cacert not found 
2009:09:15-19:37:50 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: X.509 certificate rejected 
2009:09:15-19:37:50 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: no RSA public key known for 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:37:50 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: sending encrypted notification INVALID_KEY_INFORMATION to [IP of Production]:500 
2009:09:15-19:37:56 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: Peer ID is ID_DER_ASN1_DN: 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:37:56 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: issuer cacert not found 
2009:09:15-19:37:56 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: X.509 certificate rejected 
2009:09:15-19:37:56 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: no RSA public key known for 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:37:56 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: sending encrypted notification INVALID_KEY_INFORMATION to [IP of Production]:500 
2009:09:15-19:38:09 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: Peer ID is ID_DER_ASN1_DN: 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:38:09 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: issuer cacert not found 
2009:09:15-19:38:09 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: X.509 certificate rejected 
2009:09:15-19:38:09 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: no RSA public key known for 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:38:09 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: sending encrypted notification INVALID_KEY_INFORMATION to [IP of Production]:500 
2009:09:15-19:38:16 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: Peer ID is ID_DER_ASN1_DN: 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:38:16 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: issuer cacert not found 
2009:09:15-19:38:16 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: X.509 certificate rejected 
2009:09:15-19:38:16 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: no RSA public key known for 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:38:16 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: sending encrypted notification INVALID_KEY_INFORMATION to [IP of Production]:500 
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: ignoring Vendor ID payload [strongSwan 4.2.3] 
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: ignoring Vendor ID payload [Cisco-Unity] 
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: received Vendor ID payload [XAUTH] 
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: received Vendor ID payload [Dead Peer Detection] 
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: received Vendor ID payload [RFC 3947] 
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] 
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] 
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] 
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: "S_MyCompany" #10450: responding to Main Mode 
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: max number of retransmissions (2) reached STATE_MAIN_R2
__________________
ACE V7 - Astaro Preferred Partner since V3
SCA/UTM - Sophos Gold Solution Partner
www.MediaSoftUSA.com
Addicted to my iPhone!

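The failure pattern in the log above, as an added detection example that is not part of the original post: it groups pluto lines by ISAKMP SA number, records the peer DN, and treats "issuer cacert not found" as the root cause, with the certificate rejection, the missing RSA key and the INVALID_KEY_INFORMATION notify as its consequences. The sample lines are constructed in the same format as the post's log, with a shortened DN and a documentation IP address.

```python
import re
from collections import OrderedDict

# Constructed sample in the same format as the pluto log in the post
# (IP and DN shortened); #10448 fails on cert trust, #10450 only starts.
SAMPLE_LOG = """\
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: responding to Main Mode
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: Peer ID is ID_DER_ASN1_DN: 'C=us, O=MyCompany, Inc., CN=mycompany, E=admin@example.com'
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: issuer cacert not found
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: X.509 certificate rejected
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: no RSA public key known for 'C=us, O=MyCompany, Inc., CN=mycompany, E=admin@example.com'
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: sending encrypted notification INVALID_KEY_INFORMATION to 203.0.113.5:500
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from 203.0.113.5:500: received Vendor ID payload [RFC 3947]
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: "S_MyCompany" #10450: responding to Main Mode
"""

# One pluto line: timestamp host pluto[pid]: "conn" #sa: message
LINE_RE = re.compile(r'^\S+ \S+ pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
PEER_RE = re.compile(r"^Peer ID is \S+: '(?P<id>.*)'$")

# The missing issuer CA is the root cause; with no accepted cert there is no
# public key for the peer ID, so pluto answers with INVALID_KEY_INFORMATION.
CAUSE = "issuer cacert not found"
CONSEQUENCES = ("X.509 certificate rejected", "no RSA public key known for",
                "INVALID_KEY_INFORMATION")

def parse_pluto(text):
    """Return (conn, sa, msg) tuples; lines without an SA number are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group("conn"), m.group("sa"), m.group("msg")))
    return out

def cert_failures(records):
    """Group by ISAKMP SA; keep only SAs whose peer certificate was rejected."""
    sessions = OrderedDict()
    for conn, sa, msg in records:
        s = sessions.setdefault(sa, {"conn": conn, "peer_id": None,
                                     "cause": None, "consequences": []})
        pm = PEER_RE.match(msg)
        if pm:
            s["peer_id"] = pm.group("id")
        elif msg == CAUSE:
            s["cause"] = CAUSE
        else:
            s["consequences"].extend(c for c in CONSEQUENCES if c in msg)
    return {sa: s for sa, s in sessions.items() if s["cause"] or s["consequences"]}
```

Running cert_failures(parse_pluto(...)) over a real IPsec log returns one entry per SA that failed on certificate trust, with the peer DN that was presented; an SA with a cause but no consequences, or consequences without the cause, points at a different failure than the one in this thread.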
#2 BAlfson, 09-16-2009, 08:17 PM

Any ideas? Is this a bug?

#3 Member (joined Sep 2009), 12-12-2011, 12:54 PM

Hi,

I know this is quite an old topic, but did you find any solution for this?

#4 BAlfson, 12-12-2011, 08:18 PM

I had an incorrect certificate with VPN ID of an email address when it should have been "Hostname" as that was what was in the "Email Address" field.

Show the log lines from one connection attempt, and maybe we can see from that what your issue might be.

Cheers - Bob

#5 Member (joined Sep 2009), 02-09-2012, 02:14 PM

Hi,
sorry for the delayed answer... I had a similar problem, where I got the same errors as you. My solution was to switch the certificate in the "Advanced" register button under "IPSec" in "Site-To-Site-VPN".