Note: This archive passes through spamassassin. Every mail marked with the subject "*****SPAM*****" has exceeded a certain threshold of spam-like behaviour.

Re: [Users] Freeswan (x509) <-> SSH Sentinel Prob

From: Jussi Torhonen (jt_at_ssh.com)
Date: Wed May 29 2002 - 14:01:07 CEST


killhead_at_pandora.be wrote:
>
> May 29 13:16:50 hermes Pluto[29627]: "roadwarrior" 192.168.0.1 #9: Peer ID is ID_DER_ASN1_DN: 'C=BE, O=Cameleon Projects Int, CN=calin.ignl.be'

Hmm, I'll get back to the Common Names. So the Common Name of the SSH
Sentinel client cert is calin.ignl.be? And CN for OpenSSL CA was
hermes.ignl.be. What's then the CN for FreeSWAN client certificate?

You could try setting up certificate Common Names as

------------------------------------------------
cert                   CN=
------------------------------------------------
CA cert                freeswan-ca.ignl.be
FreeSWAN client cert   freeswan-gw.ignl.be
Sentinel client cert   sentinel-client.ignl.be
------------------------------------------------

Now, reading both FreeSWAN and SSH Sentinel logfiles comes much easier.
Also clean up all those old .ignl.be certs from SSH Sentinel -> Trusted
certs -> CA, as well as from Trusted Certs -> Remote Hosts and sure
from My Keys.

Then install freeswan-ca.ignl.be root CA cert under Trusted certs -> CA.
Create a PKCS#12 formatted cert file including your SSH Sentinel client
cert with CN=sentinel-client.ignl.be under OpenSSL CA, and import the
file into SSH Sentinel -> My Keys.

Please check our document for quite a comprehensive configuration
information about the similar case:
http://www.ssh.com/products/sentinel/SSH-Sentinel-1.3-FreeSWAN.pdf

In addition to that, please follow the documentation of x509-patch. You
must have root CA certificate, FreeSWAN client certificate, FreeSWAN
private keys as well as SSH Sentinel client certificate installed in
proper format under proper directories to get the whole thing working.
The documentation of x509-patch is available at
http://www.strongsec.com/freeswan/install.htm

> If you want, I'll give you a detailed mail about my ipsec config/setup.
> Need to get this VPN to work :)

Please do that, if you won't get it working with our document. The
document says it all and we've got a lot of feedback that it really says
it all.

Regards,
Jussi

-- 
______________________________________________________________
Jussi Törhönen, Kuopio R&D unit, e-mail jussi.torhonen_at_ssh.com
SSH Communications Security Corp, http://www.ssh.com
SSH Sentinel VPN Client, http://www.ipsec.com
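
The certificate set suggested in the mail above, built with the openssl command line as an added example (not part of the original message, nor taken from the SSH Sentinel or x509-patch documentation). File names, key size, lifetime and the passphrase are assumptions; the C= and O= values are copied from the quoted Pluto log line.

```shell
#!/bin/sh
# Lab PKI with the three distinct Common Names from the table in the mail,
# plus a PKCS#12 bundle for the client. Added example; paths, key size,
# validity period and passphrase are constructed placeholders.
set -eu
DN_BASE="/C=BE/O=Cameleon Projects Int"   # C and O as shown in the Pluto log

make_ca() {      # $1 = output dir; self-signed root CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "$DN_BASE/CN=freeswan-ca.ignl.be" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

issue_cert() {   # $1 = dir, $2 = file stem, $3 = Common Name
    openssl req -newkey rsa:2048 -nodes -subj "$DN_BASE/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -out "$1/$2.pem" 2>/dev/null
}

make_p12() {     # $1 = dir, $2 = stem, $3 = passphrase (demo only: a
                 # pass: argument is visible in the process list)
    openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.pem" \
        -certfile "$1/ca.pem" -name "$2" -passout "pass:$3" -out "$1/$2.p12"
}

cert_cn() {      # $1 = PEM cert; prints only the subject CN
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

build_lab() {    # $1 = dir; fails (set -e) if either leaf does not chain to the CA
    make_ca "$1"
    issue_cert "$1" gw freeswan-gw.ignl.be
    issue_cert "$1" sentinel sentinel-client.ignl.be
    make_p12 "$1" sentinel 'constructed-passphrase'
    openssl verify -CAfile "$1/ca.pem" "$1/gw.pem" "$1/sentinel.pem" >/dev/null
}

dir=$(mktemp -d)
build_lab "$dir"
# One line per certificate, so each role can be told apart in the logs.
for f in ca gw sentinel; do
    printf '%-14s CN=%s\n' "$f.pem" "$(cert_cn "$dir/$f.pem")"
done
echo "PKCS#12 bundle for the client: $dir/sentinel.p12"
```
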




This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:07 CEST