
[Users] SSHSentinel and OpenSSL generated X.509 certificates

From: Jason A. Pattie (pattieja_at_pcxperience.com)
Date: Wed Mar 27 2002 - 23:58:55 CET


I've tried both SSHSentinel 1.3beta-1 and 1.3beta-2 with certificates
generated completely by OpenSSL and packaged into PKCS#12 format
following the instructions contained in the X.509 Installation Guide.
The certificate appears to be imported properly into SSHSentinel and
contains the correct information. When attempting the diagnostics for a
given VPN connection, they succeed. However, the moment the tunnel is
clicked on to bring it up, an error is dumped into FreeS/WAN's log file
stating something to the effect of "<Internet RW IP address:500>: Quick
Mode message if for a non-existent (expired?) ISAKMP SA". And that same
error message is dumped repeatedly into the logs. No other error
messages are generated. Of course turning on "all" debugging generates
more messages, but it cycles repeatedly eventually ending with the above
stated error message.

Interestingly, if I generate a certificate request after the manner of
the SSHSentinel/FreeS/WAN interoperability guide, sign it using the
demoCA OpenSSL certificate authority, and reimport the signed
certificate into SSHSentinel, the connection works perfectly. So the
only thing I can think of is that something is different concerning the
OpenSSL generated certificates than those generated by SSHSentinel. I
noticed that the file size of the OpenSSL generated certificate is
approximately twice as large as the size of the SSHSentinel generated
certificate.

Has anyone successfully gotten a connection to work with a PKCS#12
imported OpenSSL generated certificate into SSHSentinel?

Also, in the documentation for SSHSentinel 1.3beta-1/2, the old way of
generating a certificate request from SSHSentinel and then signing it by
OpenSSL CA and then reimporting it is the documented way of getting
SSHSentinel to work. But then, what is the point of being able to
import a PKCS#12 file if it doesn't work, or am I missing something?
(like command-line arguments to openssl when generating/signing the
request/certificate)

Thanks.

-- 
Jason A. Pattie
pattieja_at_pcxperience.com
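The post above compares a certificate packaged entirely by OpenSSL into PKCS#12 with one whose request came from SSHSentinel, and notes that the OpenSSL-built file is about twice the size. The script below is an added example, not part of the original post or of the FreeS/WAN project: it builds a throwaway CA and end-entity certificate with OpenSSL, exports the key and certificate as PKCS#12 both with and without the CA certificate (`-certfile`), and then inspects each bundle to show how many certificates and keys it holds, its size, and which X509v3 extensions the end-entity certificate carries. Whether chain inclusion is what differs in the poster's setup is an assumption; the point is that these are the checks one runs to find out what a bundle actually contains before blaming the peer. The names (`Test CA`, `vpn-client`) and the password are constructed, and everything is written to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): build a test CA and a signed
# end-entity certificate with OpenSSL, package the latter as PKCS#12 with and
# without the CA certificate, and inspect what each bundle contains.
# All names and the password below are constructed for this demo.
PASS="constructed-test-password"

# make_test_pki DIR: CA key/cert plus an end-entity key, CSR and signed cert.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=vpn-client" -keyout "$dir/ee.key" -out "$dir/ee.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/ee.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/ee.crt" 2>/dev/null
}

# bundle_p12 DIR OUT yes|no: export key+cert as PKCS#12; "yes" also embeds the CA cert.
bundle_p12() {
    dir=$1; out=$2; with_chain=$3
    if [ "$with_chain" = yes ]; then
        openssl pkcs12 -export -inkey "$dir/ee.key" -in "$dir/ee.crt" \
            -certfile "$dir/ca.crt" -name vpn-client \
            -passout "pass:$PASS" -out "$out" 2>/dev/null
    else
        openssl pkcs12 -export -inkey "$dir/ee.key" -in "$dir/ee.crt" \
            -name vpn-client -passout "pass:$PASS" -out "$out" 2>/dev/null
    fi
}

# count_certs P12: prints the number of certificates inside the bundle.
count_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# count_keys P12: prints the number of private keys inside the bundle.
count_keys() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
        | grep -c 'BEGIN PRIVATE KEY' || true
}

# p12_size P12: prints the file size in bytes.
p12_size() {
    wc -c < "$1" | tr -d ' '
}

# inspect_p12 P12: summary line, then subject/issuer and X509v3 extensions of
# the end-entity certificate (-clcerts selects the cert that has a key in the bundle).
inspect_p12() {
    echo "== $1: $(count_certs "$1") cert(s), $(count_keys "$1") key(s), $(p12_size "$1") bytes"
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -issuer 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null | grep 'X509v3' \
        || echo "   (no X509v3 extensions on the end-entity certificate)"
}

# Demo: the two bundle variants side by side.
work=$(mktemp -d)
make_test_pki "$work"
bundle_p12 "$work" "$work/with_chain.p12" yes
bundle_p12 "$work" "$work/no_chain.p12" no
inspect_p12 "$work/with_chain.p12"
inspect_p12 "$work/no_chain.p12"
rm -rf "$work"
```

Running it prints two summaries: the bundle built with `-certfile` holds two certificates and is noticeably larger than the one holding only the end-entity certificate, while both hold exactly one private key. The same `openssl pkcs12 -in ... -nokeys` and `openssl x509 -noout -text` pipeline works on any existing `.p12` file, so it can be pointed at both of the bundles described in the post to compare their contents directly.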

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
