You don't define a rightid on the CLIENT BOX. So it is not surprising
that by default the ID becomes the client's IP address.
To fix this, either you declare the distinguished name of the client
as a rightid parameter or, if you have an X.509 patch version 0.9.10 or
newer, then, instead of putting the cert into /etc/x509cert.der,
better load it via rightcert=mflynn.coinfotech.com.pem and
the ID will automatically become the DN contained in the cert.
Regards
Andreas
> Vasiliy Boulytchev wrote:
>
> Ladies and gents,
> I have a VPN box accepting connections. Sentinel has no problem getting
> in. When I configured FreeSWAN to FreeSWAN connection, I get this in
> /var/log/secure
>
> #2: no RSA public key known for 'ipaddress'
> May 6 08:53:58 bluespruce Pluto[20939]: "road" ipaddress #2: Peer ID is
> ID_IPV4_ADDR: 'ipaddress'
>
> Please help ........
> here are my ipsec.conf files from both sides:
>
> GATEWAY MACHINE:
> config setup
> interfaces="ipsec0=eth1"
> klipsdebug=none
> plutodebug=none
> plutoload=%search
> plutostart=%search
> uniqueids=yes
>
> conn %default
> keyingtries=1
> keyexchange=ike
> authby=rsasig
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> type=tunnel
> left=wanip
> leftnexthop=router
> leftsubnet=10.0.0.0/24
> ikelifetime=240m
> keylife=60m
> pfs=yes
> compress=no
> auto=add
> disablearrivalcheck=no
>
> conn road
> right=%any
> leftcert=bluespruce.coinfotech.com.pem
>
> conn mike
> right=ipaddress
> rightcert=mflynn.coinfotech.com.pem
> leftcert=bluespruce.coinfotech.com.pem
>
> conn acacia
> right=itsip
> leftcert=bluespruce.coinfotech.com.pem
>
> CLIENT BOX:
> config setup
> interfaces="ipsec0=eth0"
> klipsdebug=none
> plutodebug=none
> plutoload=%search
> plutostart=%search
> uniqueids=yes
>
> conn %default
> keyingtries=1
> keyexchange=ike
> authby=rsasig
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> type=tunnel
> right=wanip
> rightnexthop=router
> rightsubnet=192.168.168.0/24
> ikelifetime=240m
> keylife=60m
> pfs=yes
> compress=no
> auto=add
> disablearrivalcheck=no
>
> conn mike
> left=gatewaybox
> leftcert=bluespruce.coinfotech.com.pem
> leftrsasigkey=%cert
>
> Big hug to the list :)
>
> Vasiliy Boulytchev
> Colorado Information Technologies Inc.
--
======================================================================
Andreas Steffen                     e-mail: andreas.steffen_at_zhwin.ch
Zuercher Hochschule Winterthur      home:   http://www.zhwin.ch/~sna/
CH-8401 Winterthur (Switzerland)    phone:  +41 76 340 25 56
===============================================================[ZHW]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
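As an added illustration (not part of the original thread, and not Andreas's or the FreeS/WAN project's own configuration), here is how the client-side "conn mike" from Vasiliy's posted ipsec.conf looks once the fix Andreas describes is applied. On the client box the local end is "right", so the client's own certificate is loaded with rightcert, and the ID it presents during IKE becomes the certificate's subject DN instead of its IP address, which is what the gateway's rightcert=mflynn.coinfotech.com.pem expects. The DN in the commented-out rightid line is a constructed placeholder; the real value must be the exact subject DN of mflynn's certificate.

```conf
# Client box, corrected conn (added example; the DN below is a placeholder)
conn mike
	left=gatewaybox
	leftcert=bluespruce.coinfotech.com.pem
	leftrsasigkey=%cert
	# Load the client's own certificate; with X.509 patch 0.9.10 or newer
	# the ID sent to the peer is then the DN contained in this cert.
	rightcert=mflynn.coinfotech.com.pem
	# Alternative for older patch versions: state the DN explicitly.
	# It must match the certificate subject character for character.
	# rightid="C=XX, O=Example Org, CN=mflynn.coinfotech.com"
```

To read the subject DN that Pluto will use, inspect the certificate with a command such as `openssl x509 -in mflynn.coinfotech.com.pem -noout -subject`; after restarting with the corrected conn, the "Peer ID is ID_IPV4_ADDR" line in /var/log/secure should be replaced by a distinguished-name ID, and the "no RSA public key known" message should disappear.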
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:57 CEST