> -----Original Message-----
> From: users-admin_at_lists.freeswan.org
> [mailto:users-admin_at_lists.freeswan.org]On Behalf Of Stephane
> Sent: Monday, 18 March 2002 18:07
> To: users_at_freeswan.org
> Subject: [Users] FreeSwan / W2k, Basic configuration
>
>
> Hi all,
>
> I try to connect a W2k with freeswan with x509 authentication.
>
> At the moment I only try to connect them directly
>
> Win2K (192.168.0.34) -------------------------- (192.168.0.149) Linux/FreeSWan
>
> The ipsec.conf on Win2K :
>
> conn Linux
> left=%any
> right=192.168.0.149
> rightca="C=fr, ST=state, L=fontenay, O=publibanque, CN=publibanque, Email=sfroment_at_publibanque.fr"
> auto=start
> pfs=yes
>
> The ipsec.conf on the Linuxbox :
>
> # basic configuration
> config setup
> interfaces="ipsec0=eth0"
> klipsdebug=none
> plutodebug=all
> plutoload=%search
> plutostart=%search
> uniqueids=yes
>
> conn %default
> keyingtries=0
> authby=rsasig
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> compress=yes
> disablearrivalcheck=no
> left=192.168.0.149
You must specify
leftid="<DN of FreeS/WAN, subject of x509cert.der>"
> auto=add
> pfs=yes
>
> conn roadwarrior
> right=192.168.0.34
You must specify
rightid="C=fr, ST=state, L=fontenay, O=publibanque, CN=publibanque, E=sfroment_at_publibanque.fr"
>
> the log for /var/log/secure when I attempt a ping from the w2k (it seems
> that the x509 certificate is ok but something else goes wrong :( ) is at the
> end of the mail
>
> If you need barf, tell me and I'll send it to you.
>
> Thanks in advance
>
> Stephane
>
>
> Mar 18 17:50:36 supervision Pluto[18454]: | Issuer: 'C=fr, ST=state,
> L=fontenay, O=publibanque, CN=publibanque, E=sfroment_at_publibanque.fr'
> Mar 18 17:50:36 supervision Pluto[18454]: | issuer CA certificate found
...
> Mar 18 17:50:36 supervision Pluto[18454]: "roadwarrior" #1: no suitable
> connection for peer 'C=fr, ST=state, L=fontenay, O=publibanque,
> CN=publibanque, E=sfroment_at_publibanque.fr'
Strange that your peer has the same distinguished name as
the issuer, i.e. the CA. Are you using a self-signed peer certificate?
This is ok, as long as you additionally put it into /etc/ipsec.d/cacerts.
Regards
Andreas
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_zhwin.ch
Zuercher Hochschule Winterthur home: http://www.zhwin.ch/~sna/
CH-8401 Winterthur (Switzerland) phone: +41 76 340 25 56
===============================================================[ZHW]==
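
Added example (not part of the original thread and not FreeS/WAN code): a small diagnostic that reads the Pluto log lines quoted above, checks whether any configured `rightid` equals the peer DN from the "no suitable connection" message, and flags the case where the peer DN equals the issuer DN. The names `parse_dn` and `diagnose` are hypothetical, the DN comparison is a plain string-level one rather than Pluto's own matching logic, and treating `E`, `Email` and `emailAddress` as the same attribute is an assumption.

```python
import re

# DN from the thread's log excerpt (e-mail address obfuscated as on the page).
DN = ("C=fr, ST=state, L=fontenay, O=publibanque, CN=publibanque, "
      "E=sfroment_at_publibanque.fr")
# Log lines from the thread, unwrapped to one syslog line each.
SAMPLE_LOG = [
    f"Mar 18 17:50:36 supervision Pluto[18454]: | Issuer: '{DN}'",
    "Mar 18 17:50:36 supervision Pluto[18454]: | issuer CA certificate found",
    'Mar 18 17:50:36 supervision Pluto[18454]: "roadwarrior" #1: '
    f"no suitable connection for peer '{DN}'",
]
# Assumption: these spellings all denote the e-mail address attribute.
ALIASES = {"e": "E", "email": "E", "emailaddress": "E"}
ISSUER = re.compile(r"\| Issuer: '([^']+)'")
NO_CONN = re.compile(r"\"([^\"]+)\" #\d+: no suitable connection for peer '([^']+)'")

def parse_dn(dn):
    """Normalize 'C=fr, ST=state, ...' to a list of (type, value) pairs.
    Simplification: splits on commas, so escaped commas are not handled."""
    pairs = []
    for rdn in re.split(r",\s*", dn.strip().strip("'\"")):
        key, _, value = rdn.partition("=")
        key = key.strip()
        pairs.append((ALIASES.get(key.lower(), key.upper()), value.strip()))
    return pairs

def diagnose(log_lines, rightids):
    """rightids maps conn name -> configured rightid string, or None if unset."""
    issuer, findings = None, []
    for line in log_lines:
        m = ISSUER.search(line)
        if m:
            issuer = parse_dn(m.group(1))
            continue
        m = NO_CONN.search(line)
        if m:
            peer = parse_dn(m.group(2))
            findings.append({
                "conn": m.group(1),
                "matching_conns": [n for n, rid in rightids.items()
                                   if rid and parse_dn(rid) == peer],
                "subject_equals_issuer": peer == issuer,
            })
    return findings

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, {"roadwarrior": None}))  # config as posted
    print(diagnose(SAMPLE_LOG, {"roadwarrior": DN}))    # with rightid set
```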
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:45 CEST