
Re: Re: [Users] Freeswan (x509) <-> SSH Sentinel Prob

From: killhead_at_pandora.be
Date: Wed May 29 2002 - 12:51:11 CEST


I checked the following things:

------------------------
 Jussi Torhonen <jt_at_ssh.com> wrote:
------------------------
        
>tom.myny_at_pandora.be wrote:
>> Hi,
>>
>> I checked now the error log on sentinel SSH and it seems that there is an error:
>
>Have you installed your OpenSSL root CA certificate under SSH Sentinel
>Key Management -> Trust Policy -> Trusted Certificates -> Certification
>Authorities? You must do that.
>

Yepz, I have a valid root CA cert under Certification Authorities?

>Verify Common Name of the FreeSWAN host certificate and the OpenSSL root
>CA. They must be different. In your case, be sure that you haven't used
>hermes.ignl.be as Common Name of both FreeSWAN host and OpenSSL root CA
>certificates.
>

I made a new one: the root CA is now hermes.ignl.be and the host key now is calin.ignl.be, but still this error ...

>Open Properties of the root CA cert: you must have both options 'Trust
>in certification path verification' and 'Accept connections authenticated
>with a certificate issued by this CA' selected. Is the root CA cert
>valid? Check Details and verify you have there Basic constraints =
>'Subject Type=CA'.

Both are selected and the details are showing indeed Subject Type=CA

>Find your client cert under My Keys. Is the Certification path (trust
>relationship) ok? Is the client cert valid? Check Details -> Issuer ->
>CN; this Common Name is used for your OpenSSL CA and it should be
>something different to Common Name of FreeSWAN client certificate.
>

Seems to me the client cert is valid and is bound to the OpenSSL CA
The common name on Issuer of host key is:
CN=hermes.ignl.be
The subject here is:
CN=calin.ignl.be

The common name of the issuer of CA is:
CN=hermes.ignl.be
The subject here is:
CN=hermes.ignl.be

Is that correct ?

>Troubleshooting IPSec connections is way too nasty at the moment. We
>know this and we've plans to improve user-friendliness of SSH Sentinel
>in future releases so, that end-user should not start reading logfiles
>to find answers to very basic things.
>
>Best regards,
>Jussi
>
>--
>______________________________________________________________
>Jussi Törhönen, Kuopio R&D unit, e-mail jussi.torhonen_at_ssh.com
>SSH Communications Security Corp, http://www.ssh.com
>SSH Sentinel VPN Client, http://www.ipsec.com
>

I hope you can help me.

Greetings,
Tom
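
The certificate checks discussed in this message can be run from a shell. This is an added example, not part of the original mail: it assumes the openssl CLI is installed, builds throwaway test certificates using the two names from the thread, and the function names `make_pki`, `dn` and `check_pair` are made up for illustration.

```shell
#!/bin/sh
# Added example; every key and certificate here is a throwaway test object.

# make_pki DIR HOST_CN: self-signed root CA (CN=hermes.ignl.be) plus a host
# certificate with subject CN=HOST_CN issued by that CA.
make_pki() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
        '[v3_host]' 'basicConstraints=CA:FALSE' > "$d/pki.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/pki.cnf" \
        -extensions v3_ca -subj "/CN=hermes.ignl.be" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
        -subj "/CN=$2" -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -extfile "$d/pki.cnf" -extensions v3_host \
        -out "$d/host.pem" 2>/dev/null
}

# dn CERT subject|issuer: print that DN in RFC 2253 form, label stripped.
dn() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"; }

# check_pair CA HOST: prints the first failing check and returns 1,
# or prints "ok" and returns 0. The test DNs hold only a CN, so comparing
# whole subjects is the same as comparing Common Names.
check_pair() {
    [ "$(dn "$1" subject)" = "$(dn "$1" issuer)" ] ||
        { echo "CA is not self-signed"; return 1; }
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' ||
        { echo "CA lacks Basic Constraints CA:TRUE"; return 1; }
    [ "$(dn "$2" issuer)" = "$(dn "$1" subject)" ] ||
        { echo "host issuer does not match CA subject"; return 1; }
    [ "$(dn "$2" subject)" != "$(dn "$1" subject)" ] ||
        { echo "host and CA share the same subject"; return 1; }
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo "chain does not verify"; return 1; }
    echo ok
}

# Demo on constructed certificates (names taken from the message above).
tmp=$(mktemp -d) && make_pki "$tmp" calin.ignl.be &&
    check_pair "$tmp/ca.pem" "$tmp/host.pem"; rm -rf "$tmp"
```

To check real files, call `check_pair` with the exported CA certificate and the host certificate in PEM form.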
