> -----Original Message-----
> From: Doug Wilson [mailto:dwilson_at_virtc.com]
> Sent: Thursday, 14 March 2002 20:09
> To: Andreas Steffen
> Cc: freeswan users
> Subject: Re: [Users] x509 patch ... need ipsec.secrets?
>
>
> Aha. Now I understand that part. Thank you very much, Andreas!
>
> There's so much to understand. :)
>
> I have another question if someone wouldn't mind addressing it.
>
> To get this to work (i.e.,
>
> new authentication method based on CA certificates ... described in
> section 4.1 (
> http://www.strongsec.com/freeswan/install.htm#section_4.1 )
>
> do I need a functioning CA on both sides (i.e., on all my road warriors)?
> Both sides now properly load their private key (private key file
> referenced from /etc/ipsec.secrets), but I get the following errors in
> /var/log/secure on my roadwarrior "client".
>
Yes, all your roadwarriors need the CA certificate in /etc/ipsec.d/cacerts
since by putting it there you express trust in the CA cert and implicitly
in all user certs issued by the CA.
> Mar 14 13:50:37 snidely Pluto[8222]: Could not change to directory '/etc/ipsec.d/cacerts'
> Mar 14 13:50:37 snidely Pluto[8222]: Could not change to directory '/etc/ipsec.d/crls'
> .
CRL support is optional since the X.509 patch currently accepts a
user cert when no CRL is present. But in order to suppress the error
message above I'd recommend creating the directory /etc/ipsec.d/crls.
> .
> Mar 14 13:50:38 snidely Pluto[8222]: "road-warriors" #1: Issuer CA certificate not found
> Mar 14 13:50:38 snidely Pluto[8222]: "road-warriors" #1: X.509 certificate rejected
> Mar 14 13:50:38 snidely Pluto[8222]: "road-warriors" #1: no RSA public key known for 'C=US, ST=Virginia, O=Virtual Technology Corporation, OU=HomeBaseHost, CN=deunan.virtc.com, E=sysadmin_at_virtc.com'
>
> Thanks for any help you can give me to understand.
>
> -----------------------------------------------------------
> Doug Wilson
> Project Director - Information Systems
> Virtual Technology Corporation
> 703-658-7050
> dwilson_at_virtc.com
Regards
Andreas
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_zhwin.ch
Zuercher Hochschule Winterthur home: http://www.zhwin.ch/~sna/
CH-8401 Winterthur (Switzerland) phone: +41 76 340 25 56
===============================================================[ZHW]==
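
Added example, not part of the original messages or of the X.509 patch: a preflight check a road warrior could run before starting Pluto, covering the two directories from the log above and the point that every certificate placed in cacerts is trusted. The function name, its return codes and the permission check are assumptions of this example.

```sh
#!/bin/sh
# Preflight check for the FreeS/WAN X.509 directories named in the thread.
# Return codes (this example's own convention):
#   0 = layout usable
#   1 = cacerts missing or empty, so peer certificates cannot be verified
#   2 = cacerts writable by group or others
check_ipsec_d() {
    base=${1:-/etc/ipsec.d}   # path taken from the Pluto log lines
    fix=${2:-}                # pass "fix" to create missing directories
    rc=0

    for sub in cacerts crls; do
        [ -d "$base/$sub" ] && continue
        if [ "$fix" = fix ]; then
            mkdir -p "$base/$sub" && chmod 755 "$base/$sub"
            echo "created $base/$sub"
        else
            echo "missing $base/$sub"
        fi
    done

    ca="$base/cacerts"
    if [ ! -d "$ca" ]; then
        return 1
    fi

    # Only checks that some file is present; it does not parse the certificate.
    if [ -z "$(find "$ca" ! -type d -print)" ]; then
        echo "$ca holds no CA certificate: peer certificates will be rejected"
        rc=1
    fi

    # Every certificate in cacerts is trusted, so nobody but the owner
    # should be able to add files to it.
    if [ -n "$(find "$ca" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
        echo "$ca is writable by group or others"
        rc=2
    fi

    return "$rc"
}

# Usage: check_ipsec_d /etc/ipsec.d        (report only)
#        check_ipsec_d /etc/ipsec.d fix    (also create missing directories)
```

A missing crls directory is reported but does not change the return code, matching the reply's statement that CRL support is optional.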