Note: This archive passes through spamassassin. Every mail marked with the subject "*****SPAM*****" has exceeded a certain threshold of spam-like behaviour.

Re: [Users] RSASIG error

From: Vasiliy Boulytchev (vasiliy_at_boulytcheva.com)
Date: Mon May 06 2002 - 22:36:47 CEST


Thanks, that fixed the authentication problem,
    Now I get:

Do I have to specify mike's protected network on the gateway box?

"mike" mike'sip #7: cannot respond to IPsec SA request because no connection
is known for gateway'sip[C=US, ST=Colorado, L=Colorado Springs, O=Colorado
Information Technologies, Inc., OU=ISP, CN=BlueSpruce,
E=admin_at_bluespruce.coinfotech.com]...mike'sip[C=US, ST=CO, L=COlorado
springs, O=CIT, OU=ISP, CN=mike, E=mflynn_at_coinfotech.com]===192.168.168.0/24

Vasiliy Boulytchev
Colorado Information Technologies Inc.
----- Original Message -----
From: "Andreas Steffen" <andreas.steffen_at_zhwin.ch>
To: "Vasiliy Boulytchev" <vasiliy_at_boulytcheva.com>
Cc: <users_at_lists.freeswan.org>
Sent: Monday, May 06, 2002 2:18 PM
Subject: Re: [Users] RSASIG error

> You don't define a rightid on the CLIENT BOX. So it is not surprising
> that by default the ID becomes the client's IP address.
>
> To fix this, either you declare the distinguished name of the client
> as a rightid parameter or if you have an X.509 patch version 0.9.10 or
> newer, then, instead of putting the cert into /etc/x509cert.der,
> better load it via rightcert=mflynn.coinfotech.com.pem and
> the ID will automatically become the DN contained in the cert.
>
> Regards
>
> Andreas
>
> > Vasiliy Boulytchev wrote:
> >
> > Ladies and gents,
> > I have a VPN box accepting connections. Sentinel has no problem getting
> > in. When I configured FreeSWAN to FreeSWAN connection, I get this in
> > /var/log/secure
> >
> > #2: no RSA public key known for 'ipaddress'
> > May 6 08:53:58 bluespruce Pluto[20939]: "road" ipaddress #2: Peer ID is
> > ID_IPV4_ADDR: 'ipaddress'
> >
> > Please help ........
> > here are my ipsec.conf files from both sides:
> >
> > GATEWAY MACHINE:
> > config setup
> >     interfaces="ipsec0=eth1"
> >     klipsdebug=none
> >     plutodebug=none
> >     plutoload=%search
> >     plutostart=%search
> >     uniqueids=yes
> >
> > conn %default
> >     keyingtries=1
> >     keyexchange=ike
> >     authby=rsasig
> >     leftrsasigkey=%cert
> >     rightrsasigkey=%cert
> >     type=tunnel
> >     left=wanip
> >     leftnexthop=router
> >     leftsubnet=10.0.0.0/24
> >     ikelifetime=240m
> >     keylife=60m
> >     pfs=yes
> >     compress=no
> >     auto=add
> >     disablearrivalcheck=no
> >
> > conn road
> >     right=%any
> >     leftcert=bluespruce.coinfotech.com.pem
> >
> > conn mike
> >     right=ipaddress
> >     rightcert=mflynn.coinfotech.com.pem
> >     leftcert=bluespruce.coinfotech.com.pem
> >
> > conn acacia
> >     right=itsip
> >     leftcert=bluespruce.coinfotech.com.pem
> > CLIENT BOX:
> > config setup
> >     interfaces="ipsec0=eth0"
> >     klipsdebug=none
> >     plutodebug=none
> >     plutoload=%search
> >     plutostart=%search
> >     uniqueids=yes
> >
> > conn %default
> >     keyingtries=1
> >     keyexchange=ike
> >     authby=rsasig
> >     leftrsasigkey=%cert
> >     rightrsasigkey=%cert
> >     type=tunnel
> >     right=wanip
> >     rightnexthop=router
> >     rightsubnet=192.168.168.0/24
> >     ikelifetime=240m
> >     keylife=60m
> >     pfs=yes
> >     compress=no
> >     auto=add
> >     disablearrivalcheck=no
> >
> > conn mike
> >     left=gatewaybox
> >     leftcert=bluespruce.coinfotech.com.pem
> >     leftrsasigkey=%cert
> > Big hug to the list :)
> >
> > Vasiliy Boulytchev
> > Colorado Information Technologies Inc.
>
> --
> ======================================================================
> Andreas Steffen e-mail: andreas.steffen_at_zhwin.ch
> Zuercher Hochschule Winterthur home: http://www.zhwin.ch/~sna/
> CH-8401 Winterthur (Switzerland) phone: +41 76 340 25 56
> ===============================================================[ZHW]==

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
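
Added example, not part of the original thread and not FreeS/WAN code: a small Python check that resolves `conn %default` inheritance in the ipsec.conf of each end and compares the network each end declares behind every host, which is the kind of disagreement the "no connection is known for ...===192.168.168.0/24" log line points at. The addresses 192.0.2.1 (gateway) and 192.0.2.77 (mike) are constructed stand-ins for the placeholders in the thread, and the `_FIXED` variants assume both ends should declare the same subnets.

```python
def parse_conns(text):
    """Return {conn name: {key: value}} with 'conn %default' merged into each conn."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                   # unindented line starts a section
            parts = line.split()
            cur = conns.setdefault(parts[1], {}) if parts[0] == "conn" else None
        elif cur is not None and "=" in line:       # indented key=value inside a conn
            key, value = line.strip().split("=", 1)
            cur[key.strip()] = value.strip().strip('"')
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **vals} for name, vals in conns.items()}

def selectors(conn):
    """Map each end's host to the network behind it; no subnet means the host itself."""
    return {conn[s]: conn.get(s + "subnet", conn[s] + "/32")
            for s in ("left", "right") if s in conn}

def mismatches(conn_a, conn_b):
    """Hosts for which the two ends declare different protected networks."""
    a, b = selectors(conn_a), selectors(conn_b)
    return {h: (a.get(h), b.get(h)) for h in sorted(set(a) | set(b)) if a.get(h) != b.get(h)}

# Constructed sample input modelled on the two configurations quoted in the thread.
GATEWAY = """\
conn %default
    left=192.0.2.1
    leftsubnet=10.0.0.0/24
conn mike
    right=192.0.2.77
"""
CLIENT = """\
conn %default
    right=192.0.2.77
    rightsubnet=192.168.168.0/24
conn mike
    left=192.0.2.1
"""
# Assumed correction: each end also declares the subnet behind the other end.
GATEWAY_FIXED = GATEWAY + "    rightsubnet=192.168.168.0/24\n"
CLIENT_FIXED = CLIENT + "    leftsubnet=10.0.0.0/24\n"

if __name__ == "__main__":
    for label, gw, cl in (("as posted", GATEWAY, CLIENT), ("fixed", GATEWAY_FIXED, CLIENT_FIXED)):
        print(label, mismatches(parse_conns(gw)["mike"], parse_conns(cl)["mike"]))
```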



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:57 CEST