RE: [Users] x509 and checkpoint fw-1

From: Andreas Steffen (andreas.steffen_at_zhwin.ch)
Date: Mon Mar 18 2002 - 23:29:19 CET


Because the received certificate does not contain a subjectAltName
of type ipAddress and value 138.189.119.132, the public key cannot be
associated with the peer ID of type ID_IPV4_ADDR. If you are not able
to configure fw-1 to send you a distinguished name as its ID then you
must add the peer IP as a subjectAltName.

Regards

Andreas

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_zhwin.ch
Zuercher Hochschule Winterthur home: http://www.zhwin.ch/~sna/
CH-8401 Winterthur (Switzerland) phone: +41 76 340 25 56
===============================================================[ZHW]==
 

> -----Original Message-----
> From: users-admin_at_lists.freeswan.org
> [mailto:users-admin_at_lists.freeswan.org]On Behalf Of Markus Wernig
> Sent: Montag, 18. Marz 2002 22:44
> To: users_at_lists.freeswan.org
> Subject: Re: [Users] x509 and checkpoint fw-1
>
>
> Markus Wernig wrote:
> dear all
>
>
> sorry for the double post before, here is some more output.
>
> i am not sure how to read this, but now it seems to me as if freeswan
> were not reading in the fw-1 public key correctly.
>
> [...] pluto reading fw-1 cert
> Mar 18 22:12:40 gate Pluto[16606]: | Issuer: '<trusted CA in
> /etc/ipsec.d/cacerts>'
> Mar 18 22:12:40 gate Pluto[16606]: | issuer CA certificate found
> [...]
> Mar 18 22:12:42 gate Pluto[16606]: | certificate signature is valid
> Mar 18 22:12:42 gate Pluto[16606]: "post" #1: Issuer CRL not found
> Mar 18 22:12:42 gate Pluto[16606]: | Public key validated
> Mar 18 22:12:42 gate Pluto[16606]: | Public key ID is ID_DER_ASN1_DN:
> '<exact match with leftid=@... in ipsec.conf>'
> Mar 18 22:12:42 gate Pluto[16606]: | new public key added
> Mar 18 22:12:42 gate Pluto[16606]: "post" #1: we require peer to have ID
> '<exact match with leftid=@... in ipsec.conf>', but peer declares
> '138.189.119.132'
> Mar 18 22:12:42 gate Pluto[16606]: | state transition function for
> STATE_MAIN_I3 failed: INVALID_ID_INFORMATION
> Mar 18 22:12:42 gate Pluto[16606]: | next event EVENT_RETRANSMIT in 0
> seconds for #1
>
>
> first it detects the correct public key, adds it, and then it's not
> there anymore...
>
> even more confused and in need of a hint
>
> markus
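
Added example, not part of the original mail and not FreeS/WAN code: a simplified Python model of the binding rule in Andreas's reply, where a certificate's public key can only be associated with a peer ID that appears as its subject DN or as a subjectAltName. The `Cert` class, the function names, the simplified DN comparison and the sample DN are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Cert:
    """Simplified model of the certificate fields that matter for ID binding."""
    subject_dn: str
    # (GeneralName type, value); ipAddress holds the raw octets, as in the DER encoding
    subject_alt_names: list = field(default_factory=list)

def normalize_dn(dn):
    """Simplified DN comparison form: ordered (TYPE, value) pairs, whitespace trimmed."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().upper(), value.strip()))
    return tuple(parts)

def bound_ids(cert):
    """All peer IDs that this certificate's public key can be associated with."""
    ids = {("ID_DER_ASN1_DN", normalize_dn(cert.subject_dn))}
    for kind, value in cert.subject_alt_names:
        if kind == "ipAddress" and len(value) == 4:
            ids.add(("ID_IPV4_ADDR", ipaddress.IPv4Address(value)))
        elif kind == "dNSName":
            ids.add(("ID_FQDN", value.lower()))
    return ids

def key_matches_peer_id(cert, id_type, id_value):
    """True if the ID the peer declares is one the certificate vouches for."""
    if id_type == "ID_IPV4_ADDR":
        wanted = ipaddress.IPv4Address(id_value)
    elif id_type == "ID_DER_ASN1_DN":
        wanted = normalize_dn(id_value)
    elif id_type == "ID_FQDN":
        wanted = id_value.lower()
    else:
        return False
    return (id_type, wanted) in bound_ids(cert)

# Constructed sample data: the DN is a placeholder, the IP is the one from the log.
FW1_DN = "C=CH, O=Example, CN=fw1.example.org"
cert_as_received = Cert(FW1_DN)  # no subjectAltName, as in the thread
cert_with_ip_san = Cert(FW1_DN, [("ipAddress", bytes([138, 189, 119, 132]))])

if __name__ == "__main__":
    for name, cert in (("as received", cert_as_received), ("with IP SAN", cert_with_ip_san)):
        ok = key_matches_peer_id(cert, "ID_IPV4_ADDR", "138.189.119.132")
        print(f"{name}: key usable for ID_IPV4_ADDR 138.189.119.132 -> {ok}")
```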

This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:45 CEST