Re: [Users] x509cert

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Fri Aug 02 2002 - 16:54:47 CEST


You load the CA certificate

> leftcert=cacerts/cacert.pem

instead of the FreeS/WAN gateway's certificate.

Regards

Andreas

Ingo Bruell wrote:
> Hi,
>
> I thought the x509cert.der in /etc is no longer needed and so I have
> removed it. But now I get no tunnel established. The last message I
> have got was the one with establishing MI3 ...
>
> I am using freeswan 1.98b with the x509 patch 0.9.13 under suse linux
> 7.3 with kernel 2.4.18.
>
> Here the startup log:
>
> --- snip ---
> Aug 2 16:16:26 oblgw ipsec_setup: Starting FreeS/WAN IPsec 1.98b...
> Aug 2 16:16:26 oblgw ipsec_setup: KLIPS debug `none'
> Aug 2 16:16:26 oblgw ipsec_setup: KLIPS ipsec0 on ppp0 80.130.19.244/255.255.255.255 pointopoint 217.5.98.20
> Aug 2 16:16:26 oblgw ipsec__plutorun: Starting Pluto subsystem...
> Aug 2 16:16:26 oblgw ipsec_setup: ...FreeS/WAN IPsec started
> Aug 2 16:16:26 oblgw pluto[1191]: Starting Pluto (FreeS/WAN Version 1.98b)
> Aug 2 16:16:26 oblgw pluto[1191]: including X.509 patch (Version 0.9.13)
> Aug 2 16:16:26 oblgw pluto[1191]: ike_alg_register_enc: Activating OAKLEY_AES_CBC: Ok (ret=0)
> Aug 2 16:16:26 oblgw pluto[1191]: ike_alg_register_enc: Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> Aug 2 16:16:26 oblgw pluto[1191]: ike_alg_register_hash: Activating OAKLEY_SHA2_256: Ok (ret=0)
> Aug 2 16:16:26 oblgw pluto[1191]: ike_alg_register_hash: Activating OAKLEY_SHA2_512: Ok (ret=0)
> Aug 2 16:16:26 oblgw pluto[1191]: ike_alg_register_enc: Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Aug 2 16:16:26 oblgw pluto[1191]: ike_alg_register_enc: Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
> Aug 2 16:16:26 oblgw pluto[1191]: Changing to directory '/etc/ipsec.d/cacerts'
> Aug 2 16:16:26 oblgw pluto[1191]: loaded cacert file 'cacert.pem' (1371 bytes)
> Aug 2 16:16:26 oblgw pluto[1191]: loaded cacert file 'cabruellcert.pem' (1464 bytes)
> Aug 2 16:16:26 oblgw pluto[1191]: Changing to directory '/etc/ipsec.d/crls'
> Aug 2 16:16:26 oblgw pluto[1191]: loaded crl file 'crl.pem' (605 bytes)
> Aug 2 16:16:26 oblgw pluto[1191]: loaded crl file 'bruellcrl.pem' (633 bytes)
> Aug 2 16:16:26 oblgw pluto[1191]: could not open my default X.509 cert file '/etc/x509cert.der'
> Aug 2 16:16:26 oblgw pluto[1191]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
> Aug 2 16:16:27 oblgw pluto[1191]: | from whack: got --esp=3des
> Aug 2 16:16:27 oblgw pluto[1191]: | from whack: got --ike=3des
> Aug 2 16:16:27 oblgw pluto[1191]: loaded host cert file '/etc/ipsec.d/cacerts/cacert.pem' (1371 bytes)
> Aug 2 16:16:27 oblgw pluto[1191]: added connection description "cleppert"
> Aug 2 16:16:28 oblgw pluto[1191]: | from whack: got --esp=3des
> Aug 2 16:16:28 oblgw pluto[1191]: | from whack: got --ike=3des
> Aug 2 16:16:28 oblgw pluto[1191]: loaded host cert file '/etc/ipsec.d/cacerts/cacert.pem' (1371 bytes)
> --- snap ---
>
> some lines out of ipsec.conf:
>
> --- snip ---
> config setup
> # THIS SETTING MUST BE CORRECT or almost nothing will work;
> # %defaultroute is okay for most simple cases.
> interfaces="ipsec0=ppp0"
> # Debug-logging controls: "none" for (almost) none, "all" for lots.
> klipsdebug=none
> plutodebug=none
> # Use auto= parameters in conn descriptions to control startup actions.
> plutoload=%search
> plutostart=%search
> # Close down old connection when new one using same ID shows up.
> uniqueids=yes
>
> conn %default
> type=tunnel
> keyexchange=ike
> keyingtries=0
> disablearrivalcheck=no
> authby=rsasig
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> leftsubnet=192.168.0.0/24
> leftcert=cacerts/cacert.pem
> leftid="/C=DE/ST=Niedersachsen/O=OBL GmbH/CN=gateway.oblgmbh.de"
> right=%any
> pfs=yes
> left=80.130.19.244
> leftnexthop=217.5.98.20
> --- snap ---
>
> best regards
>
> Ingo Bruell
>
> ---
> <ibruell_at_gmx.de>
> <Ingo.Bruell_at_epost.de>
> <ICQ# 40377720>
> Oldenburg PGP-Fingerprint: CB01 AE12 B359 87C4 BF1C 953C 8FE7 C648 169E E5FC
> Germany PGP-Public-Key available at pgpkeys.mit.edu
>
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users

-- 
======================================================================
Andreas Steffen                 e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                  phone:  +41 76 340 25 56
Alter Zürichweg 20              home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
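An added check for the misconfiguration Andreas points out (example code written for this archive page, not code from the thread or from FreeS/WAN): it parses the conn sections of an ipsec.conf, applies conn %default inheritance, and flags any leftcert/rightcert value that names a file in the cacerts store, as the quoted log shows 'cacerts/cacert.pem' being loaded as the host certificate. The sample configuration is constructed from the quoted fragment; the conn name cleppert comes from the log, its rightid is hypothetical, and the certs/ location for the gateway's own certificate is an assumption.

```python
"""Lint a FreeS/WAN ipsec.conf for leftcert/rightcert pointing at a CA
certificate instead of the gateway's own certificate. Stdlib only."""

# Constructed sample, modelled on the conn %default fragment quoted above.
SAMPLE_CONF = """\
config setup
    interfaces="ipsec0=ppp0"

conn %default
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    leftcert=cacerts/cacert.pem
    leftid="/C=DE/ST=Niedersachsen/O=OBL GmbH/CN=gateway.oblgmbh.de"
    right=%any

conn cleppert
    rightid="/C=DE/O=OBL GmbH/CN=cleppert"
"""

def parse_ipsec_conf(text):
    """Return {section header: {key: value}}; headers start in column 0,
    parameters are indented, '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # "config setup" / "conn NAME"
            current = line.strip()
            sections.setdefault(current, {})
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip().strip('"')
    return sections

def lint_certs(sections):
    """Return (conn, parameter, value) for every leftcert/rightcert that
    names a file in the CA store. Relative paths resolve under /etc/ipsec.d
    (see the quoted log), so 'cacerts/...' is a CA certificate; the
    gateway's own certificate belongs under certs/ (assumption)."""
    findings = []
    for header, params in sections.items():
        if not header.startswith("conn ") or header == "conn %default":
            continue
        conn = {**sections.get("conn %default", {}), **params}  # inheritance
        for key in ("leftcert", "rightcert"):
            cert = conn.get(key, "")
            if cert.startswith("cacerts/") or "/cacerts/" in cert:
                findings.append((header[5:], key, cert))
    return findings
```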




This archive was generated by hypermail 2.1.4 : Mon Aug 05 2002 - 21:01:35 CEST