Un certificat non reconnu provoque est visible dans les logs du serveur /var/log/auth.log
Après la séquence de négociation correcte :
Mar 18 13:24:54 debian pluto[6621]: "vpn-l2tp-XP"[1] 172.21.7.202 #1: responding to Main Mode from unknown peer 172.21.7.202
Mar 18 13:24:54 debian pluto[6621]: "vpn-l2tp-XP"[1] 172.21.7.202 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 18 13:24:54 debian pluto[6621]: "vpn-l2tp-XP"[1] 172.21.7.202 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 18 13:24:55 debian pluto[6621]: "vpn-l2tp-XP"[1] 172.21.7.202 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Mar 18 13:24:55 debian pluto[6621]: "vpn-l2tp-XP"[1] 172.21.7.202 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 18 13:24:55 debian pluto[6621]: "vpn-l2tp-XP"[1] 172.21.7.202 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Et l’erreur proprement dite :
Mar 18 13:24:55 debian pluto[6621]: "vpn-l2tp-XP"[1] 172.21.7.202 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=FR, ST=Franche-Comte, O=UFC, OU=CRI, CN=choucroute, E=vpn-master@univ-fcomte.fr'
Mar 18 13:24:55 debian pluto[6621]: "vpn-l2tp-XP"[1] 172.21.7.202 #1: no crl from issuer "C=FR, ST=Franche-Comte, L=Besancon, O=UFC, OU=CRI, CN=CAvpn, E=vpn-master@univ-fcomte.fr" found (strict=no)
Mar 18 13:24:55 debian pluto[6621]: "vpn-l2tp-XP"[1] 172.21.7.202 #1: no suitable connection for peer 'C=FR, ST=Franche-Comte, O=UFC, OU=CRI, CN=choucroute, E=vpn-master@univ-fcomte.fr'
Mar 18 13:24:55 debian pluto[6621]: "vpn-l2tp-XP"[1] 172.21.7.202 #1: sending encrypted notification INVALID_ID_INFORMATION to 172.21.7.202:500
L’interprétation de l’erreur est assez simple puisque nous voyons que le certificat de choucroute contient OU=CRI ce qui n’est pas une valeur attendu (LINUX, XP, MACOS)
Tags: certificat, linux, problème