Dear Mailinglist Users,

I have been working with freeswan 1.xx under debian woody for more than a year now. As roadwarrior client I used ssh sentinel ... all worked fine. Now I was forced to use a 2.xx, so I used the newest with an x509 patch, 2.05. Now I am having problems converting my ipsec.conf to the new version to work properly. I am using virtual IPs to stay independent of the way the client is connected. For authentication I use openssl x509 certs; I use no subjectAltName ... I tried, but it also didn't work.

Here is my ipsec.conf:

gate:/etc# cat ipsec.conf
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $

# This file:  /usr/local/share/doc/freeswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5
#
# Help:
# http://www.strongsec.com/freeswan/install.htm

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=all
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=control
        uniqueids=yes

conn %default
        keyingtries=1
        authby=rsasig
        left=80.120.177.66
        leftnexthop=80.120.177.65
        leftcert=gate.akras.at.pem
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        auto=add

# OE policy groups are disabled by default
conn block
        auto=ignore
conn clear
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn packetdefault
        auto=ignore

# Add connections here.

# sample VPN connection
conn virt
        right=%any
        leftsubnet=192.168.1.0/24
        rightid="C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=Robert Machaczek"
        rightsubnetwithin=192.168.2.0/24
        auto=add
        # Left security gateway, subnet behind it, next hop toward right.
        #left=80.120.177.66
        #leftsubnet=192.168.1.0/24
        #leftnexthop=80.120.177.65
        #leftrsasigkey=%cert
        #leftcert=gate.akras.at.pem
        # Right security gateway, subnet behind it, next hop toward left.
        #right=%any
        #rightid=@vpn.akras.at
        #rightrsasigkey=%cert
        #rightsubnetwithin=192.168.2.0/24
        #auto=add

# sample VPN connection
#sample# conn sample
#sample#        # Left security gateway, subnet behind it, next hop toward right.
#sample#        left=%defaultroute
#sample#        leftcert=gate.akras.at.pem
#sample#        leftsubnet=192.168.1.0/24
#sample#        # Right security gateway, subnet behind it, next hop toward left.
#sample#        right=%any
#sample#        rightid="<Distinguished name of right security gateway>"
#sample#        rightsubnet=192.168.167.0/24
#sample#        # To authorize this connection, but not actually start it, at startup,
#sample#        # uncomment this.
#sample#        #auto=start

Here is the error in the log:

Nov 25 10:45:36 akrasvbox pluto[5203]: |
Nov 25 10:45:36 akrasvbox pluto[5203]: | *received 1564 bytes from 10.10.10.9:500 on eth0
Nov 25 10:45:36 akrasvbox pluto[5203]: | ICOOKIE: ff ee 3a 26 f8 00 00 0e
Nov 25 10:45:36 akrasvbox pluto[5203]: | RCOOKIE: 6e 7e fe ff eb dc 64 47
Nov 25 10:45:36 akrasvbox pluto[5203]: | peer: 0a 0a 0a 09
Nov 25 10:45:36 akrasvbox pluto[5203]: | state hash entry 13
Nov 25 10:45:36 akrasvbox pluto[5203]: | peer and cookies match, provided msgid 00000000 vs 00000000
Nov 25 10:45:36 akrasvbox pluto[5203]: | state object #5 found, in STATE_MAIN_R2
Nov 25 10:45:36 akrasvbox pluto[5203]: "virt"[3] 10.10.10.9 #5: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 25 10:45:36 akrasvbox pluto[5203]: "virt"[3] 10.10.10.9 #5: Peer ID is ID_DER_ASN1_DN: 'C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=Robert Machaczek'
Nov 25 10:45:36 akrasvbox pluto[5203]: | subject: 'C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=Robert Machaczek'
Nov 25 10:45:36 akrasvbox pluto[5203]: | issuer: 'C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=AKRAS CA, E=robert.machaczek@akras.at'
Nov 25 10:45:36 akrasvbox pluto[5203]: | authkey: c7:b1:4c:dc:97:cb:66:36:95:76:a8:77:32:0e:50:fc:2d:84:01:72
Nov 25 10:45:36 akrasvbox pluto[5203]: | not before : Dec 04 15:50:42 UTC 2003
Nov 25 10:45:36 akrasvbox pluto[5203]: | current time: Nov 25 09:45:36 UTC 2004
Nov 25 10:45:36 akrasvbox pluto[5203]: | not after : Dec 01 15:50:42 UTC 2013
Nov 25 10:45:36 akrasvbox pluto[5203]: | certificate is valid
Nov 25 10:45:36 akrasvbox pluto[5203]: | issuer cacert found
Nov 25 10:45:36 akrasvbox pluto[5203]: | signature algorithm: 'md5WithRSAEncryption'
Nov 25 10:45:36 akrasvbox pluto[5203]: | certificate signature is valid
Nov 25 10:45:36 akrasvbox pluto[5203]: | issuer crl found
Nov 25 10:45:36 akrasvbox pluto[5203]: | signature algorithm: 'md5WithRSAEncryption'
Nov 25 10:45:36 akrasvbox pluto[5203]: | crl signature is valid
Nov 25 10:45:36 akrasvbox pluto[5203]: | serial number: 07
Nov 25 10:45:36 akrasvbox pluto[5203]: | certificate not revoked
Nov 25 10:45:36 akrasvbox pluto[5203]: "virt"[3] 10.10.10.9 #5: crl update is overdue since Dec 19 12:16:58 UTC 2003
Nov 25 10:45:36 akrasvbox pluto[5203]: | subject: 'C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=AKRAS CA, E=robert.machaczek@akras.at'
Nov 25 10:45:36 akrasvbox pluto[5203]: | issuer: 'C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=AKRAS CA, E=robert.machaczek@akras.at'
Nov 25 10:45:36 akrasvbox pluto[5203]: | authkey: c7:b1:4c:dc:97:cb:66:36:95:76:a8:77:32:0e:50:fc:2d:84:01:72
Nov 25 10:45:36 akrasvbox pluto[5203]: | not before : Nov 19 11:08:25 UTC 2003
Nov 25 10:45:36 akrasvbox pluto[5203]: | current time: Nov 25 09:45:36 UTC 2004
Nov 25 10:45:36 akrasvbox pluto[5203]: | not after : Nov 17 11:08:25 UTC 2013
Nov 25 10:45:36 akrasvbox pluto[5203]: | certificate is valid
Nov 25 10:45:36 akrasvbox pluto[5203]: | issuer cacert found
Nov 25 10:45:36 akrasvbox pluto[5203]: | signature algorithm: 'md5WithRSAEncryption'
Nov 25 10:45:36 akrasvbox pluto[5203]: | certificate signature is valid
Nov 25 10:45:36 akrasvbox pluto[5203]: | reached self-signed root ca
Nov 25 10:45:36 akrasvbox pluto[5203]: "virt"[3] 10.10.10.9 #5: no suitable connection for peer 'C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=Robert Machaczek'
Nov 25 10:45:36 akrasvbox pluto[5203]: "virt"[3] 10.10.10.9 #5: sending encrypted notification INVALID_ID_INFORMATION to 10.10.10.9:500
Nov 25 10:45:36 akrasvbox pluto[5203]: | state transition function for STATE_MAIN_R2 failed: INVALID_ID_INFORMATION
Nov 25 10:45:36 akrasvbox pluto[5203]: | next event EVENT_RETRANSMIT in 7 seconds for #5

As you can see, I also tried to put the exact Distinguished Name into the ipsec.conf to authenticate the user cert. I tried to use the fixed IP address, but this would fit my need to stay as a road warrior as I understand it.

Another very strange thing is that the ipsec whack --status command outputs that ipsec connection as established:

gate:/etc# ipsec whack --status
000 interface ipsec0/eth0 80.120.177.66
000 %myid = (none)
000 debug control
000
000 "virt": 192.168.1.0/24===80.120.177.66[C=AT, ST=Some-State, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=gate.akras.at]---80.120.177.65...%any[C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=Robert Machaczek]==={192.168.2.0/24}; unrouted; eroute owner: #0
000 "virt":   CAs: 'C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=AKRAS CA, E=robert.machaczek@akras.at'...'%any'
000 "virt":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "virt":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: eth0;
000 "virt":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000

but the eroute for the virtual IP is missing.... I am really at the end of my ideas ... google also didn't help me much. If anyone can help me I would be very grateful.

If you have further questions please ask; I will provide you with any information if you can help.

greetings
markus

*******************************************************
Käfer Markus
LOGIN Ges.m.b.H - Software Beratung Training
Gumpendorferstraße 65
A-1060 Wien
Mail: markus_kaefer@log.at
Web: www.log.at
Tel: 0043 1 586 58 97
Fax: 0043 1 586 58 97 50
*******************************************************
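The post's pluto log rejects the road warrior with "no suitable connection for peer" even though the DN in the log and the rightid in conn virt look identical. The script below is an added example, not code from the original post or from the FreeS/WAN project; it cross-checks the peer DN that pluto logged against every rightid in an ipsec.conf, RDN by RDN, so that spelling, ordering, or missing-attribute mismatches (for instance an ST= component present on one side only, as in the left ID shown by whack --status) are reported explicitly. It assumes the "conn <name>" / indented "key=value" layout of ipsec.conf and the pluto debug output format quoted above; the sample config and log lines are constructed from that quoted text, and the simple DN splitter does not handle escaped commas inside attribute values.

```python
"""Cross-check pluto's logged peer DN against ipsec.conf rightid values.
Added example, not from the original post or from FreeS/WAN. Assumes the
'conn <name>' / indented 'key=value' ipsec.conf layout and the pluto debug
log format quoted in the post; sample inputs are constructed from it."""
import re

# Constructed sample: a trimmed copy of the post's ipsec.conf.
SAMPLE_IPSEC_CONF = """\
version 2.0  # conforms to second version of ipsec.conf specification
config setup
        interfaces=%defaultroute
conn %default
        authby=rsasig
conn virt
        right=%any
        leftsubnet=192.168.1.0/24
        rightid="C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=Robert Machaczek"
        rightsubnetwithin=192.168.2.0/24
        auto=add
"""

# Constructed sample: the two decisive pluto lines from the post.
SAMPLE_LOG = """\
Nov 25 10:45:36 akrasvbox pluto[5203]: "virt"[3] 10.10.10.9 #5: Peer ID is ID_DER_ASN1_DN: 'C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=Robert Machaczek'
Nov 25 10:45:36 akrasvbox pluto[5203]: "virt"[3] 10.10.10.9 #5: no suitable connection for peer 'C=AT, L=Biedermannsdorf, O=AKRAS Flavours AG, CN=Robert Machaczek'
"""

PEER_ID_RE = re.compile(r"Peer ID is ID_DER_ASN1_DN: '([^']*)'")


def parse_dn(dn):
    """'C=AT, L=Foo, CN=Bar' -> [('C','AT'), ('L','Foo'), ('CN','Bar')].
    Attribute types are upper-cased, whitespace trimmed, order preserved
    (a DN is an ordered RDN sequence). Escaped commas are not handled."""
    rdns = []
    for part in dn.split(','):
        if '=' in part:
            attr, value = part.split('=', 1)
            rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dn_diff(configured, peer):
    """Readable differences between two DNs; an empty list means they match."""
    c, p = parse_dn(configured), parse_dn(peer)
    if c == p:
        return []
    diffs = ['configured has %s=%s, peer lacks it' % r for r in c if r not in p]
    diffs += ['peer has %s=%s, configured lacks it' % r for r in p if r not in c]
    return diffs or ['same RDNs in a different order']


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}; comments stripped, quotes removed."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():              # section header at column 0
            words = line.split(None, 1)
            current = conns.setdefault(words[1].strip(), {}) \
                if words[0] == 'conn' and len(words) == 2 else None
            continue
        if current is not None and '=' in line:
            key, value = line.strip().split('=', 1)
            current[key.strip()] = value.strip().strip('"')
    return conns


def peer_dns_from_log(log_text):
    """Distinct peer DNs pluto reported during the ID exchange, in order seen."""
    seen = []
    for line in log_text.splitlines():
        m = PEER_ID_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def check_peer_ids(conf_text, log_text):
    """Per logged peer DN: conns whose rightid matches it RDN-for-RDN, plus the
    differences against every other conn that carries a rightid."""
    conns = parse_ipsec_conf(conf_text)
    report = {}
    for dn in peer_dns_from_log(log_text):
        matches, mismatches = [], {}
        for name, opts in conns.items():
            if 'rightid' in opts:
                diffs = dn_diff(opts['rightid'], dn)
                if diffs:
                    mismatches[name] = diffs
                else:
                    matches.append(name)
        report[dn] = {'matches': matches, 'mismatches': mismatches}
    return report


if __name__ == '__main__':
    for dn, res in check_peer_ids(SAMPLE_IPSEC_CONF, SAMPLE_LOG).items():
        print('peer DN:', dn)
        print('  rightid matches:', res['matches'] or 'none')
        for name, diffs in res['mismatches'].items():
            print('  conn %s differs: %s' % (name, '; '.join(diffs)))
```

Run against the post's own data, the logged DN matches conn virt RDN for RDN, so the rightid string itself is not where the lookup fails; the remaining candidates are the other selectors shown in the whack output (the CA constraint and the rightsubnetwithin range the client must propose a subnet inside). The reverse case, a configured ID carrying an extra ST= component that the peer's certificate lacks, is what dn_diff reports in one line instead of leaving the reader to compare two long DN strings by eye.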