Problem with third-party CAs

Hello,

I have a PKI structure with a Root CA and a Subordinate CA. I have already installed both certificates into the ASL v6.3. I generated the ASL request, signed it with my Sub CA and then imported the certificate into ASL. Up to this point, everything is OK.

I have configured a Roadwarrior connection with the appropriate remote key (virtual IP and distinguished name as VPN ID); I also have a double NAT.

But when I try to connect, I get the following logs:

2006:09:03-12:32:15 (none) pluto[18821]: packet from 192.168.117.11:500: SSH Sentinel 1.4.1 found, setting XAUTH_ACK quirk
2006:09:03-12:32:15 (none) pluto[18821]: packet from 192.168.117.11:500: received Vendor ID payload [SSH Sentinel 1.4.1]
2006:09:03-12:32:15 (none) pluto[18821]: packet from 192.168.117.11:500: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-02]
2006:09:03-12:32:15 (none) pluto[18821]: packet from 192.168.117.11:500: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-01]
2006:09:03-12:32:15 (none) pluto[18821]: packet from 192.168.117.11:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108 
2006:09:03-12:32:15 (none) pluto[18821]: packet from 192.168.117.11:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 108
2006:09:03-12:32:15 (none) pluto[18821]: packet from 192.168.117.11:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 108
2006:09:03-12:32:15 (none) pluto[18821]: packet from 192.168.117.11:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2006:09:03-12:32:15 (none) pluto[18821]: packet from 192.168.117.11:500: received Vendor ID payload [XAUTH]
2006:09:03-12:32:15 (none) pluto[18821]: "D_CTC09_0"[1] 192.168.117.11 #1: responding to Main Mode from unknown peer 192.168.117.11
2006:09:03-12:32:15 (none) pluto[18821]: "D_CTC09_0"[1] 192.168.117.11 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
2006:09:03-12:32:15 (none) pluto[18821]: "D_CTC09_0"[1] 192.168.117.11 #1: STATE_MAIN_R1: sent MR1, expecting MI2
2006:09:03-12:32:15 (none) pluto[18821]: "D_CTC09_0"[1] 192.168.117.11 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
2006:09:03-12:32:15 (none) pluto[18821]: "D_CTC09_0"[1] 192.168.117.11 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
2006:09:03-12:32:16 (none) pluto[18821]: "D_CTC09_0"[1] 192.168.117.11 #1: STATE_MAIN_R2: sent MR2, expecting MI3
2006:09:03-12:32:16 (none) pluto[18821]: "D_CTC09_0"[1] 192.168.117.11 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2006:09:03-12:32:16 (none) pluto[18821]: "D_CTC09_0"[1] 192.168.117.11 #1: Main mode peer ID is ID_FQDN: '@ctc09'
2006:09:03-12:32:16 (none) pluto[18821]: "D_CTC09_0"[1] 192.168.117.11 #1: no crl from issuer "E=xxx@xxx.com, C=PA, O=xxx, OU=yyy, OU=zzz, CN=AC SUB" found (strict=no)
2006:09:03-12:32:16 (none) pluto[18821]: "D_CTC09_0"[1] 192.168.117.11 #1: issuer cacert not found
2006:09:03-12:32:16 (none) pluto[18821]: "D_CTC09_0"[1] 192.168.117.11 #1: X.509 certificate rejected
2006:09:03-12:32:16 (none) pluto[18821]: "D_CTC09_0"[1] 192.168.117.11 #1: no suitable connection for peer '@ctc09'
2006:09:03-12:32:16 (none) pluto[18821]: "D_CTC09_0"[1] 192.168.117.11 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.117.11:500

I have tried the same scenario with a Signing CA and it works fine.

Thanks for helping. Regards,

langoleer
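The "issuer cacert not found" and "X.509 certificate rejected" lines in the log above mean pluto could not find a CA certificate whose subject DN equals the issuer DN of the peer's certificate. As an added example (not from the original post and not ASL's own code), the script below rebuilds the same Root CA -> Sub CA -> client layout with throw-away keys and shows with openssl how verification behaves with a CA store holding only the Root versus one holding both CAs, plus the issuer/subject DN comparison a responder has to satisfy; all DNs and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the poster's Root CA -> Sub CA -> client
# layout with throw-away keys and show why a responder reports "issuer cacert not found"
# when its CA store lacks the Sub CA. All DNs and file names are constructed for this demo.
set -e
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }
WORK=$(mktemp -d)
# Extensions that make a certificate usable as a CA (needed for both Root and Sub CA).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# Root CA: self-signed.
openssl req -newkey rsa:2048 -nodes -subj "/C=PA/O=xxx/CN=AC ROOT" \
  -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null

# Subordinate CA: signed by the Root.
openssl req -newkey rsa:2048 -nodes -subj "/C=PA/O=xxx/OU=yyy/CN=AC SUB" \
  -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/sub.crt" 2>/dev/null

# Road-warrior client certificate: signed by the Sub CA.
openssl req -newkey rsa:2048 -nodes -subj "/C=PA/O=xxx/CN=ctc09" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/sub.crt" -CAkey "$WORK/sub.key" \
  -CAcreateserial -days 365 -out "$WORK/client.crt" 2>/dev/null

# Two candidate CA stores: the Root alone, and Root plus Sub CA together.
cat "$WORK/root.crt" "$WORK/sub.crt" > "$WORK/chain.crt"
ROOT_ONLY="$WORK/root.crt"; FULL_CHAIN="$WORK/chain.crt"
CLIENT="$WORK/client.crt"; SUBCA="$WORK/sub.crt"

# verify_with STORE CERT: "ok" if CERT chains to the CAs in STORE, else "rejected".
verify_with() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo rejected; fi
}

# issuer_matches CERT CACERT: "match" when CERT's issuer DN equals CACERT's subject DN;
# that lookup is what a responder must satisfy before it can validate the peer's certificate.
issuer_matches() {
  iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^issuer=//')
  sub=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$2" | sed 's/^subject=//')
  [ "$iss" = "$sub" ] && echo match || echo mismatch
}

echo "store=root only : $(verify_with "$ROOT_ONLY" "$CLIENT")"   # rejected
echo "store=root+sub  : $(verify_with "$FULL_CHAIN" "$CLIENT")"  # ok
echo "issuer DN check : $(issuer_matches "$CLIENT" "$SUBCA")"    # match
```

The same comparison applied to the real ASL CA store and the road-warrior certificate shows whether the Sub CA certificate the gateway holds is byte-for-byte the one that signed the peer's certificate.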