
RE: [Users] x509 and checkpoint fw-1

From: Andreas Steffen (andreas.steffen_at_strongsec.com)
Date: Tue Mar 19 2002 - 17:37:43 CET


In the first place it is strange that you cannot configure
fw-1 to send you a DN or a FQDN ID. But if you are really
stuck with an IPV4_ADDR then the only thing you can do is
to extract the public key from the fw-1 certificate using

  fswcert -c --left fw-1.pem

and paste it into ipsec.conf:

  left=138.189.119.132
  leftrsasigkey=0x.......

Unfortunately for you, Pluto will not accept

  left=138.189.119.132
  leftcert=fw-1.pem

since there is no subjectAltName for the IP address
contained in the certificate.

Regards

Andreas

BTW - You'll find the fswcert tool under
      http://www.strongsec.com/freeswan/old.htm

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_zhwin.ch
Zuercher Hochschule Winterthur home: http://www.zhwin.ch/~sna/
CH-8401 Winterthur (Switzerland) phone: +41 76 340 25 56
===============================================================[ZHW]==
 

> -----Original Message-----
> From: users-admin_at_lists.freeswan.org
> [mailto:users-admin_at_lists.freeswan.org]On Behalf Of Markus Wernig
> Sent: Tuesday, 19 March 2002 11:56
> To: users_at_lists.freeswan.org
> Subject: Re: [Users] x509 and checkpoint fw-1
>
>
> Well, this breaks it for me. I do not have write access to that
> certificate. Yet it works with other IPsec implementations :-[
>
> Would it change anything if I used locally stored certificates and
> imported the one in question?
>
> >>>Because the received certificate does not contain a subjectAltName
> >>>of type ipAddress and value 138.189.119.132, the public key cannot be
> >>>associated with the peer ID of type ID_IPV4_ADDR. If you are not able
> >>>to configure fw-1 to send you a distinguished name as its ID then you
> >>>must add the peer IP as a subjectAltName.
>
>
>
> --
> **************************************************
>
> Markus Wernig
>
> GPG - http://markus.wernig.net/pubkey
> -------------------------------------------------
> Linux User Group Bern - http://www.lugbe.ch
>
> **************************************************

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
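The check Pluto applies here, and the fallback Andreas describes, as an added example in Python (standard library only). This is not fswcert, FreeS/WAN or Check Point code: it is a minimal DER walker of my own that looks for a subjectAltName iPAddress matching the peer ID and, if none is present, pulls the RSA modulus and exponent out of subjectPublicKeyInfo and prints them as a leftrsasigkey= line. The key encoding assumed is the RFC 2537 RSA key (exponent length, exponent, modulus), which is what FreeS/WAN uses for rsasigkey values; the page shows it as 0x hex, and that is what is emitted. The certificate fed in is a constructed toy with a dummy signature and a tiny modulus, so nothing here verifies a signature or a chain; the parser also reports IPv6 iPAddress entries, which goes beyond the IPv4 case in the thread.

```python
"""Added example (not fswcert/FreeS/WAN code): decide whether a peer cert
can be bound to an IPv4 ID via subjectAltName, else emit leftrsasigkey=.
Stdlib only; the DER walker is deliberately minimal (no signature check)."""
import base64
import ipaddress
import re

SAN_OID = bytes.fromhex("551d11")                 # 2.5.29.17 subjectAltName
RSA_OID = bytes.fromhex("2a864886f70d010101")     # 1.2.840.113549.1.1.1 rsaEncryption
SEQ, SET, OID, NULL, OCTET, BITS, IPADDR = 0x30, 0x31, 0x06, 0x05, 0x04, 0x03, 0x87

# ---- DER decoding -------------------------------------------------------
def tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    pos = 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        yield tag, val

def constructed(buf):
    """Yield the payload of every constructed node (SEQUENCE, SET, [n]), depth first."""
    for tag, val in children(buf):
        if tag & 0x20:
            yield val
            yield from constructed(val)

def pem_to_der(pem):
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))

def san_ips(der_cert):
    """IP addresses from the subjectAltName extension (GeneralName iPAddress, tag [7])."""
    found = []
    for node in constructed(der_cert):
        kids = list(children(node))
        if kids and kids[0] == (OID, SAN_OID):      # Extension {extnID, [critical], extnValue}
            _, general_names, _ = tlv(kids[-1][1])  # extnValue OCTET STRING wraps a SEQUENCE
            for tag, val in children(general_names):
                if tag == IPADDR and len(val) in (4, 16):
                    found.append(str(ipaddress.ip_address(val)))
    return found

def rsa_public_key(der_cert):
    """(n, e) from subjectPublicKeyInfo; raises if the certificate key is not RSA."""
    for node in constructed(der_cert):
        kids = list(children(node))
        if len(kids) == 2 and kids[0][0] == SEQ and kids[1][0] == BITS:
            alg = list(children(kids[0][1]))
            if alg and alg[0] == (OID, RSA_OID):
                _, rsa_key, _ = tlv(kids[1][1], 1)   # skip the unused-bits byte of the BIT STRING
                n, e = (int.from_bytes(v, "big") for _, v in children(rsa_key))
                return n, e
    raise ValueError("no rsaEncryption subjectPublicKeyInfo found")

def rfc2537(n, e):
    """RSA key in RFC 2537 wire form: exponent length, exponent, modulus (assumed rsasigkey format)."""
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    assert len(eb) < 256
    return bytes([len(eb)]) + eb + nb

def ipsec_conf_fragment(pem, peer_ip, certfile="fw-1.pem"):
    """The choice Pluto forces: an ID_IPV4_ADDR peer needs a matching SAN iPAddress
    to use leftcert=; otherwise the peer key has to be pinned as a raw RSA key."""
    der_cert = pem_to_der(pem)
    if peer_ip in san_ips(der_cert):
        return f"  left={peer_ip}\n  leftcert={certfile}\n"
    n, e = rsa_public_key(der_cert)
    return f"  left={peer_ip}\n  leftrsasigkey=0x{rfc2537(n, e).hex()}\n"

# ---- constructed sample input: a toy certificate with a dummy signature ---
def der(tag, payload):
    n = len(payload)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    ln = bytes([n]) if n < 128 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + ln + payload

def der_int(v):
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))   # keeps the sign bit clear

TOY_N, TOY_E = 0xB2D7F1A3C4E5960F, 65537     # toy modulus, far too small for real use

def toy_cert(n=TOY_N, e=TOY_E, san_ip=None):
    rsa_alg = der(SEQ, der(OID, RSA_OID) + der(NULL, b""))
    sig_alg = der(SEQ, der(OID, bytes.fromhex("2a864886f70d010105")) + der(NULL, b""))  # sha1WithRSA
    name = der(SEQ, der(SET, der(SEQ, der(OID, bytes.fromhex("550403")) + der(0x13, b"fw-1"))))  # CN=fw-1
    validity = der(SEQ, der(0x17, b"020319000000Z") + der(0x17, b"030319000000Z"))
    spki = der(SEQ, rsa_alg + der(BITS, b"\x00" + der(SEQ, der_int(n) + der_int(e))))
    tbs = der(0xA0, der_int(2)) + der_int(1) + sig_alg + name + validity + name + spki
    if san_ip:
        names = der(SEQ, der(IPADDR, ipaddress.ip_address(san_ip).packed))
        tbs += der(0xA3, der(SEQ, der(SEQ, der(OID, SAN_OID) + der(OCTET, names))))
    cert = der(SEQ, der(SEQ, tbs) + sig_alg + der(BITS, bytes(9)))   # signature not computed
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(ipsec_conf_fragment(toy_cert(san_ip="138.189.119.132"), "138.189.119.132"))
    print(ipsec_conf_fragment(toy_cert(), "138.189.119.132"))
```

Run against a real fw-1.pem, the first branch only fires when the certificate actually carries the peer address as an iPAddress GeneralName; a DN or dNSName in the SAN does not help an ID_IPV4_ADDR peer, which is exactly why the thread ends up at leftrsasigkey=. Whichever branch is taken, the key is pinned by value, so rotating the fw-1 certificate means updating ipsec.conf again.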



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:45 CEST