
Re: [Users] PIX 515 <--> FreeSWAN 1.97 x509 (long post)

From: John A. Sullivan III (John.Sullivan_at_nexusmgmt.com)
Date: Thu Apr 25 2002 - 00:11:47 CEST


It looks like you'll need to use the leftid parameter. You can find
information about it in the man pages. It will typically be your
DER_ASN.1_DN, e.g.,
"C=US,L=Maine,O=MyCompany,OU=MyDept,CN=John.Sullivan" unless you are
using extended attributes with alt_subject_names. You can probably see
what you are using by either looking at your cert or seeing what
information you are supplying by sniffing the packets from the wire
during the IKE exchange. It is possible that the PIX on the other side
wants one form of ID and you are passing another. For example, most of
our gateways expect DER_ASN.1_DN IDs but one of the clients we use
defaults to something else if any alt_subject_names are present. We
must make sure that we generate the certs for that software client
(Sentinel) without any alt_subject_names so that it provides the
DER_ASN.1_DN ID. Hope this helps - John

On Wed, 2002-04-24 at 12:10, Igmar Palsenberg wrote:
>
> Hi,
>
> Kernel 2.4.18, ipsec 1.97 with the x509 patch applied.
>
> Config :
> # basic configuration
> config setup
> #interfaces="ipsec0=eth0"
> interfaces=%defaultroute
> klipsdebug=none
> plutodebug=all
> plutoload=%search
> plutostart=%search
> uniqueids=yes
>
> conn bh-vo
> authby=rsasig
> right=%defaultroute
> rightsubnet=192.168.1.0/14
> rightcert=igmar.cer
> left=62.58.152.114
> leftsubnet=10.1.0.0/16
> leftcert=pix.cer
> pfs=yes
> auto=add
>
>
> Starting the connection gives me :
>
> [root_at_wrkst /root]# ipsec auto --up bh-vo
> 104 "bh-vo" #1: STATE_MAIN_I1: initiate
> 106 "bh-vo" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "bh-vo" #1: ignoring Vendor ID payload
> 003 "bh-vo" #1: ignoring Vendor ID payload
> 003 "bh-vo" #1: ignoring Vendor ID payload
> 108 "bh-vo" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "bh-vo" #1: encrypted Informational Exchange message is invalid
> because it is for incomplete ISAKMP SA
> 003 "bh-vo" #1: we require peer to have ID
> '0x2A864886F70D010902=JOF01001.jagergroep.local,
> CN=JOF01001.jagergroep.local', but peer declares '62.58.152.114'
> 218 "bh-vo" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
> 010 "bh-vo" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
>
> The other site is a PIX 515 which is supposed to get its certs from an MS
> CA server.
>
> The Linux site debug logs show me that it loads the CA cert, the client and
> the remote cert.
>
> Anyone that can translate that error for me ???
>
>
>
> Regards,
>
>
> Igmar
>
>
>
> --
>
> Igmar Palsenberg
> JDI Media Solutions
>
> Boulevard Heuvelink 102
> 6828 KT Arnhem
> The Netherlands
>
> mailto: i.palsenberg_at_jdimedia.nl
> PGP/GPG key : http://www.jdimedia.nl/formulier/pgp/igmar
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users

-- 
John A. Sullivan III
Group Technology Director
Nexus Management
+1 207-985-7880
John.Sullivan_at_nexusmgmt.com
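To make the ID mismatch in the quoted Pluto log concrete, here is a small diagnostic script. It is an added example, not code from either poster or from FreeS/WAN: it parses the "we require peer to have ID ... but peer declares ..." line, labels each identity with its IKE ID type (the names are the ID_* payload types from RFC 2407), decodes the hex OID that the X.509 patch prints for a DN attribute it has no short name for (2A864886F70D010902 is 1.2.840.113549.1.9.2, PKCS#9 unstructuredName), and emits the `leftid=` line that makes the configured peer ID match what the peer actually sends. The sample log is the one quoted in the post with the wrapped line rejoined; the `peer_side` parameter, `OID_NAMES` table and `analyse()` function are this example's own.

```python
"""Diagnose Pluto's INVALID_ID_INFORMATION: required vs declared peer ID.

Added example, not part of the original post or of FreeS/WAN.
"""
import ipaddress
import re

# Log excerpt from the quoted `ipsec auto --up bh-vo` output; the
# "we require ..." line was wrapped by the mailer and is rejoined here.
SAMPLE_LOG = """\
104 "bh-vo" #1: STATE_MAIN_I1: initiate
106 "bh-vo" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "bh-vo" #1: ignoring Vendor ID payload
108 "bh-vo" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "bh-vo" #1: we require peer to have ID '0x2A864886F70D010902=JOF01001.jagergroep.local, CN=JOF01001.jagergroep.local', but peer declares '62.58.152.114'
218 "bh-vo" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
"""

MISMATCH_RE = re.compile(
    r"we require peer to have ID '(?P<required>[^']*)', "
    r"but peer declares '(?P<declared>[^']*)'"
)

# Attribute-type OIDs the old X.509 patch prints as raw hex (table is ours).
OID_NAMES = {
    "1.2.840.113549.1.9.1": "emailAddress",
    "1.2.840.113549.1.9.2": "unstructuredName",
}


def decode_oid(hex_digits):
    """Decode the DER body of an OBJECT IDENTIFIER (hex string) to dotted form."""
    data = bytes.fromhex(hex_digits)
    arcs = [data[0] // 40, data[0] % 40]   # first byte packs the first two arcs
    value = 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_dn(dn):
    """Split 'C=US,O=X,CN=y' into (type, value) pairs, naming hex OID types."""
    pairs = []
    for part in dn.split(","):
        attr, _, val = part.strip().partition("=")
        if attr.lower().startswith("0x"):
            dotted = decode_oid(attr[2:])
            attr = OID_NAMES.get(dotted, dotted)
        pairs.append((attr, val))
    return pairs


def classify_id(value):
    """Guess the IKE identity payload type from the textual form Pluto prints."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "ID_IPV6_ADDR" if ":" in v else "ID_IPV4_ADDR"
    except ValueError:
        pass
    if "=" in v:
        return "ID_DER_ASN1_DN"
    if "@" in v:
        return "ID_USER_FQDN"
    return "ID_FQDN"


def analyse(log_text, peer_side="left"):
    """Return details of the ID mismatch in a Pluto log, or None if there is none.

    peer_side names the ipsec.conf side that describes the peer (left in the
    quoted config, where left is the PIX).
    """
    m = MISMATCH_RE.search(log_text)
    if not m:
        return None
    required, declared = m.group("required"), m.group("declared")
    result = {
        "required": required,
        "required_type": classify_id(required),
        "declared": declared,
        "declared_type": classify_id(declared),
    }
    if result["required_type"] == "ID_DER_ASN1_DN":
        result["required_dn"] = parse_dn(required)
    # ipsec.conf line that makes our expectation match what the peer sends.
    # DN values carry commas and need quoting; an address or FQDN does not.
    # The X.509 patch still checks this ID against the peer's certificate,
    # so the cert must carry it (subject DN or a subjectAltName).
    value = f'"{declared}"' if result["declared_type"] == "ID_DER_ASN1_DN" else declared
    result["suggested_line"] = f"{peer_side}id={value}"
    return result


if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    print(f"required : {r['required_type']}  {r['required']}")
    for attr, val in r.get("required_dn", []):
        print(f"             {attr} = {val}")
    print(f"declared : {r['declared_type']}  {r['declared']}")
    print(f"fix      : add '{r['suggested_line']}' to conn bh-vo")
```

Run against the quoted log it reports that the Linux side expects a DER_ASN.1_DN built from the PIX certificate while the PIX identifies itself by its IPv4 address, which is exactly the situation the reply above describes; the printed `leftid=` line is the one-line change that aligns the two, with the alternative being to make the PIX send its certificate DN instead.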




This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:53 CEST