
Please point me in the right direction...

I've been fighting this for three hours, and I should have been done in 10 minutes!  I had an IPsec Site-to-Site set up between my Production Astaro and my Test ASG220.  I experimented with Certs and CAs several months ago and don't remember how I left things.  When I tried to use it again over the weekend, I found it broken.

Just to be sure I didn't waste any time, I printed out Article #237057, the configuration document, from the KnowledgeBase.  I deleted all of the junk from both boxes, then I followed the document through twice and came up with the same problem after both attempts.

Below is the portion of the IPsec log that includes all of session 10448.  I don't understand why it complains "issuer cacert not found" - I thought that was supposed to come over with the cert in the PKCS#12 container!?!

Then, it gripes that it doesn't have the RSA public key of the remote system, but I think that's irrelevant to my problem, that it's just the standard procedure when the cert can't be authenticated - correct?

I regenerated the cert and re-imported it, but still got the same result.

I'm obviously not searching in the right places.  Thanks in advance for your help.

Cheers - Bob

2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: responding to Main Mode 
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10446: max number of retransmissions (2) reached STATE_MAIN_R2 
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: NAT-Traversal: Result using RFC 3947: no NAT detected 
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: Peer ID is ID_DER_ASN1_DN: 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: issuer cacert not found 
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: X.509 certificate rejected 
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: no RSA public key known for 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:37:39 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: sending encrypted notification INVALID_KEY_INFORMATION to [IP of Production]:500 
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10447: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message 
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10447: starting keying attempt 21 of an unlimited number 
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: initiating Main Mode to replace #10447 
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: ignoring Vendor ID payload [strongSwan 4.2.3] 
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: ignoring Vendor ID payload [Cisco-Unity] 
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: received Vendor ID payload [XAUTH] 
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: received Vendor ID payload [Dead Peer Detection] 
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: received Vendor ID payload [RFC 3947] 
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: enabling possible NAT-traversal with method 3 
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: NAT-Traversal: Result using RFC 3947: no NAT detected 
2009:09:15-19:37:46 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: we have a cert and are sending it 
2009:09:15-19:37:47 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: Peer ID is ID_DER_ASN1_DN: 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:37:47 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: issuer cacert not found 
2009:09:15-19:37:47 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: X.509 certificate rejected 
2009:09:15-19:37:47 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: no RSA public key known for 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:37:47 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: sending encrypted notification INVALID_KEY_INFORMATION to [IP of Production]:500 
2009:09:15-19:37:50 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: Peer ID is ID_DER_ASN1_DN: 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:37:50 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: issuer cacert not found 
2009:09:15-19:37:50 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: X.509 certificate rejected 
2009:09:15-19:37:50 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: no RSA public key known for 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:37:50 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: sending encrypted notification INVALID_KEY_INFORMATION to [IP of Production]:500 
2009:09:15-19:37:56 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: Peer ID is ID_DER_ASN1_DN: 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:37:56 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: issuer cacert not found 
2009:09:15-19:37:56 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: X.509 certificate rejected 
2009:09:15-19:37:56 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: no RSA public key known for 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:37:56 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: sending encrypted notification INVALID_KEY_INFORMATION to [IP of Production]:500 
2009:09:15-19:38:09 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: Peer ID is ID_DER_ASN1_DN: 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:38:09 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: issuer cacert not found 
2009:09:15-19:38:09 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: X.509 certificate rejected 
2009:09:15-19:38:09 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: no RSA public key known for 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:38:09 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: sending encrypted notification INVALID_KEY_INFORMATION to [IP of Production]:500 
2009:09:15-19:38:16 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: Peer ID is ID_DER_ASN1_DN: 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:38:16 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: issuer cacert not found 
2009:09:15-19:38:16 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: X.509 certificate rejected 
2009:09:15-19:38:16 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: no RSA public key known for 'C=us, ST=Oklahoma, L=Oklahoma City, O=MyCompany, Inc., OU=Office, CN=mycompany, E=BAlfson@MyDomain.com' 
2009:09:15-19:38:16 testMyDomain-1 pluto[4053]: "S_MyCompany" #10449: sending encrypted notification INVALID_KEY_INFORMATION to [IP of Production]:500 
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: ignoring Vendor ID payload [strongSwan 4.2.3] 
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: ignoring Vendor ID payload [Cisco-Unity] 
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: received Vendor ID payload [XAUTH] 
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: received Vendor ID payload [Dead Peer Detection] 
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: received Vendor ID payload [RFC 3947] 
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] 
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] 
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: packet from [IP of Production]:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] 
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: "S_MyCompany" #10450: responding to Main Mode 
2009:09:15-19:38:49 testMyDomain-1 pluto[4053]: "S_MyCompany" #10448: max number of retransmissions (2) reached STATE_MAIN_R2 
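A log triage helper, added here as an example and not part of the original post or of Astaro's own tooling: it groups pluto messages by ISAKMP state number and flags states that show the failure chain visible in the log above. In pluto, "issuer cacert not found" means the CA that signed the peer's certificate is not among the CA certificates loaded on the box doing the verifying; the "X.509 certificate rejected", "no RSA public key known" and INVALID_KEY_INFORMATION lines are consequences of that rejection. The hostname, DN and IP address in the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the pluto (strongSwan 4.x) log format of the post above.
SAMPLE_LOG = """\
2009:09:15-19:37:39 fw-1 pluto[4053]: "S_MyCompany" #10448: responding to Main Mode
2009:09:15-19:37:39 fw-1 pluto[4053]: "S_MyCompany" #10448: Peer ID is ID_DER_ASN1_DN: 'C=us, O=MyCompany, Inc., CN=mycompany'
2009:09:15-19:37:39 fw-1 pluto[4053]: "S_MyCompany" #10448: issuer cacert not found
2009:09:15-19:37:39 fw-1 pluto[4053]: "S_MyCompany" #10448: X.509 certificate rejected
2009:09:15-19:37:39 fw-1 pluto[4053]: "S_MyCompany" #10448: no RSA public key known for 'C=us, O=MyCompany, Inc., CN=mycompany'
2009:09:15-19:37:39 fw-1 pluto[4053]: "S_MyCompany" #10448: sending encrypted notification INVALID_KEY_INFORMATION to 203.0.113.10:500
2009:09:15-19:38:49 fw-1 pluto[4053]: "S_MyCompany" #10450: responding to Main Mode
2009:09:15-19:38:49 fw-1 pluto[4053]: "S_MyCompany" #10450: NAT-Traversal: Result using RFC 3947: no NAT detected
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)
PEER_RE = re.compile(r"^Peer ID is \S+: '(?P<dn>.*)'$")

# Message prefixes pluto logs, in order, when the peer cert's issuing CA is not loaded:
# the first is the root cause, the rest follow from the certificate being rejected.
CA_MISSING_CHAIN = (
    "issuer cacert not found",
    "X.509 certificate rejected",
    "no RSA public key known for",
    "sending encrypted notification INVALID_KEY_INFORMATION",
)

def parse_pluto(log_text):
    """Group (timestamp, message) pairs by ISAKMP state number (#NNNN)."""
    states = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            states[int(m["state"])].append((m["ts"], m["msg"]))
    return states

def diagnose_cert_auth(log_text):
    """Return {state: (peer_dn, root_cause)} for states whose peer cert was rejected."""
    report = {}
    for state, events in parse_pluto(log_text).items():
        msgs = [msg for _, msg in events]
        peer_dn = next((PEER_RE.match(m)["dn"] for m in msgs if PEER_RE.match(m)), None)
        seen = [c for c in CA_MISSING_CHAIN if any(m.startswith(c) for m in msgs)]
        # Flag only states where the rejection is explained by the missing issuer CA.
        if "issuer cacert not found" in seen and "X.509 certificate rejected" in seen:
            report[state] = (peer_dn, "issuing CA certificate not installed/trusted on this peer")
    return report

if __name__ == "__main__":
    for state, (dn, cause) in diagnose_cert_auth(SAMPLE_LOG).items():
        print(f"#{state}: peer '{dn}' rejected: {cause}")
```

A PKCS#12 container can carry the CA certificate alongside the end-entity certificate, but the peer doing the verifying only trusts it if that CA is installed as a trusted CA there; `openssl pkcs12 -in file.p12 -cacerts -nokeys` shows which CA certificates a container actually contains.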