[Users] Re: <no subject>

From: Markus Koellner (smshomey_at_gmx.de)
Date: Tue Jul 30 2002 - 23:01:54 CEST


>When I put the ID which is, in my opinion, the ID from the freeswan peer:
><MAILTO=admin_at_carano.de, CN=Elmar Grote, OU=Administration, O=CARANO
>Softwareentwicklungs GmbH, L=Berlin, ST=Berlin, C=DE>
>the message doesn't come anymore.

Where do you put that ID? Into the ipsecpeertable as peerids?

>But this message is still coming:
>Phase-1 [initiator] between der_asn1_dn(udp:500,[0..144]=C=DE, ST=Berlin,
>O=Carano Softwareentwicklungs GmbH,
>OU=Neubrandenburg, CN=Elmar Grote/Email\=admin_at_carano.de) and
>der_asn1_dn(any:0,[0..171]=C=DE, ST=Berlin, L=Berlin, O=CARANO
>Softwareentwicklungs
>GmbH, OU=Administration, CN=Elmar Grote, MAILTO=admin_at_carano.de) for peer
>1, traffic 2 failed; Invalid signature.
>
>Could the error be the organisation in the freeswan cert (Carano... <=>
>CARANO...)?
>Or the common name in the bintec cert?
>Which entries have to be the same in the CA CERT and the peer's CERT (C,
>ST, O, .....)?

No entries have to be the same. The whole subject ID string has to
match a particular entry in the bintec table, and on the freeswan side
if you use the leftid/rightid parameter. The CA subject ID can be
totally different from the bintec or freeswan subject ID.
Every ID has to be unique! You can't sign two certs with the same
subject ID with the same CA.

>Freeswan CERT
>SubjectName = <MAILTO=admin_at_carano.de, CN=Elmar Grote, OU=Administration,
>O=CARANO Softwareentwicklungs GmbH, L=Berlin, ST=Berlin, C=DE>
>IssuerName = <MAILTO=admin_at_carano.de, CN=Elmar Grote, OU=Administration,
>O=Carano Softwareentwicklungs GmbH, L=Berlin, ST=Berlin, C=DE>
>
> CA CERT
>SubjectName = <MAILTO=admin_at_carano.de, CN=Elmar Grote, OU=Administration,
>O=Carano Softwareentwicklungs GmbH, L=Berlin, ST=Berlin, C=DE>
> IssuerName = <MAILTO=admin_at_carano.de, CN=Elmar Grote, OU=Administration,
> O=Carano Softwareentwicklungs GmbH, L=Berlin, ST=Berlin, C=DE>
>
> Bintec CERT
>SubjectName = <CN=Elmar Grote/Email\=admin_at_carano.de, OU=Neubrandenburg,
>O=Carano Softwareentwicklungs GmbH, ST=Berlin, C=DE>

The common name of the bintec cert looks strange.
Maybe you should use "CN=Bintec" or something else.

Why don't you use more expressive names for the certs?
E.g. for the freeswan cert:
<CN=Freeswan, O=Carano Softwareentwicklungs GmbH, L=Berlin, ST=Berlin, C=DE>
for the ca cert:
<CN=Carano CA, O=Carano Softwareentwicklungs GmbH, L=Berlin, ST=Berlin, C=DE>
and for the bintec cert:
<CN=Bintec, O=Carano Softwareentwicklungs GmbH, L=???, ST=Neubrandenburg, C=DE>

By the way, you don't have to use all the possible entries (ST=, L=, ...).
A cert with only CN= is also possible.

>Some other question. Do I have to reboot the router (cmd=reboot)
>every time when I'm making some changes?
>Or is saving enough?

Normally saving (cmd=save) is enough, but when you reboot
you are on the safe side and the bintec can only use the new parameters.

When you send error messages next time, could you also please send
bintec's ipsecpeertable, publickeytable and certtable?

Bye
Markus
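To see concretely why the two peer IDs in the quoted "Invalid signature" line do not match as whole strings, here is a small added example (my own illustration, not code from the original thread, from FreeS/WAN or from BinTec). It parses both DN strings exactly as FreeS/WAN printed them and lists every attribute that differs. The DN text is copied from the quoted log, with the archive's "_at_" left in place of "@"; the attribute-alias table, the parsing rules (comma-separated RDNs, first "=" splits name from value, backslash escapes the next character) and all function names are my assumptions.

```python
"""Added example (not from the original thread, FreeS/WAN or BinTec):
parse the two DNs that FreeS/WAN printed in the "Invalid signature" log
line and report, attribute by attribute, where they differ.
"""

# Attribute-name aliases, so MAILTO=, Email=, E= and emailAddress= compare
# as one attribute. Assumption: this small table covers the spellings in
# the thread; it is not a complete X.500 attribute registry.
ALIASES = {"MAILTO": "E", "EMAIL": "E", "EMAILADDRESS": "E"}

# Peer IDs exactly as printed in the quoted log line (bintec = initiator,
# freeswan = responder). The list archive rewrites "@" as "_at_".
DN_BINTEC = ("C=DE, ST=Berlin, O=Carano Softwareentwicklungs GmbH, "
             "OU=Neubrandenburg, CN=Elmar Grote/Email\\=admin_at_carano.de")
DN_FREESWAN = ("C=DE, ST=Berlin, L=Berlin, O=CARANO Softwareentwicklungs GmbH, "
               "OU=Administration, CN=Elmar Grote, MAILTO=admin_at_carano.de")


def parse_dn(text):
    """Return the DN as an ordered list of (attribute, value) pairs.

    Unescaped commas separate RDNs, the first unescaped '=' separates the
    attribute name from its value, and a backslash makes the next character
    literal (assumed escaping rule). That last rule matters here: the "\\="
    in the BinTec CN keeps "/Email=admin..." inside the CN value instead of
    starting a separate attribute.
    """
    pairs, buf, attr, escaped, in_value = [], [], None, False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and not in_value:
            attr = "".join(buf).strip().upper()
            attr = ALIASES.get(attr, attr)
            buf, in_value = [], True
        elif ch == "," and in_value:
            pairs.append((attr, "".join(buf).strip()))
            buf, in_value = [], False
        else:
            buf.append(ch)
    if in_value:
        pairs.append((attr, "".join(buf).strip()))
    elif "".join(buf).strip():
        raise ValueError("attribute without value: %r" % "".join(buf))
    return pairs


def same_dn(dn_a, dn_b):
    """Exact, order- and case-sensitive comparison of two parsed DNs."""
    return dn_a == dn_b


def dn_diff(dn_a, dn_b):
    """List (attribute, values_in_a, values_in_b) for every attribute whose
    values differ; None marks an attribute absent on one side. Attributes
    are reported in order of first appearance in a, then b."""
    def by_attr(dn):
        table = {}
        for attr, value in dn:
            table.setdefault(attr, []).append(value)
        return table
    a, b = by_attr(dn_a), by_attr(dn_b)
    order = []
    for attr, _ in dn_a + dn_b:
        if attr not in order:
            order.append(attr)
    return [(attr, a.get(attr), b.get(attr))
            for attr in order if a.get(attr) != b.get(attr)]


def case_only_diffs(diffs):
    """Attributes present on both sides that differ only in letter case,
    e.g. O=Carano... versus O=CARANO..., which the poster asked about."""
    return [attr for attr, va, vb in diffs
            if va is not None and vb is not None
            and [v.lower() for v in va] == [v.lower() for v in vb]]


if __name__ == "__main__":
    bintec, freeswan = parse_dn(DN_BINTEC), parse_dn(DN_FREESWAN)
    print("identical:", same_dn(bintec, freeswan))
    for attr, va, vb in dn_diff(bintec, freeswan):
        print("%-3s bintec=%r  freeswan=%r" % (attr, va, vb))
    print("case-only differences:", case_only_diffs(dn_diff(bintec, freeswan)))
```

Run as a script it reports five differing attributes: O (letter case only), OU, CN, plus L and the e-mail attribute that exist only on the freeswan side. It also makes the "strange" BinTec common name visible: FreeS/WAN prints one name=value per RDN separated by commas, so "/Email\=admin_at_carano.de" is part of the CN value and the BinTec cert carries no separate e-mail attribute at all, while the freeswan ID does.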

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.4 : Mon Aug 05 2002 - 21:01:34 CEST