Re: [Users] x509cert

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Sat Aug 03 2002 - 21:37:14 CEST


FreeS/WAN's private key is loaded via ipsec.secrets:

: RSA gatewayKey.pem "<passphrase>"

In ipsec.conf you must load the certificate containing
the public key:

leftcert=gatewayCert.pem

Regards

Andreas

Ingo Bruell wrote:
> Hi Andreas,
>
> AS> You load the CA certificate
>
> AS> > leftcert=cacerts/cacert.pem
>
> AS> instead of the FreeS/WAN gateway's certificate.
>
> Now I have the problem that a passphrase is needed for the gateway
> certificate:
>
> leftcert=private/gatewayKey.pem
>
> I have put the passphrase in ipsec.secrets, but the log says:
>
> --- snip ---
> Aug 3 19:59:56 oblgw ipsec_setup: Starting FreeS/WAN IPsec 1.98b...
> Aug 3 19:59:56 oblgw ipsec_setup: KLIPS debug `none'
> Aug 3 19:59:56 oblgw ipsec_setup: KLIPS ipsec0 on ppp0 217.82.101.101/255.255.255.255 pointopoint 217.5.98.20
> Aug 3 19:59:56 oblgw ipsec__plutorun: Starting Pluto subsystem...
> Aug 3 19:59:56 oblgw pluto[4404]: Starting Pluto (FreeS/WAN Version 1.98b)
> Aug 3 19:59:56 oblgw pluto[4404]: including X.509 patch (Version 0.9.13)
> Aug 3 19:59:56 oblgw pluto[4404]: ike_alg_register_enc: Activating OAKLEY_AES_CBC: Ok (ret=0)
> Aug 3 19:59:56 oblgw ipsec_setup: ...FreeS/WAN IPsec started
> Aug 3 19:59:56 oblgw pluto[4404]: ike_alg_register_enc: Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> Aug 3 19:59:56 oblgw pluto[4404]: ike_alg_register_hash: Activating OAKLEY_SHA2_256: Ok (ret=0)
> Aug 3 19:59:56 oblgw pluto[4404]: ike_alg_register_hash: Activating OAKLEY_SHA2_512: Ok (ret=0)
> Aug 3 19:59:56 oblgw pluto[4404]: ike_alg_register_enc: Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Aug 3 19:59:56 oblgw pluto[4404]: ike_alg_register_enc: Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
> Aug 3 19:59:56 oblgw pluto[4404]: Changing to directory '/etc/ipsec.d/cacerts'
> Aug 3 19:59:56 oblgw pluto[4404]: loaded cacert file 'cacert.pem' (1371 bytes)
> Aug 3 19:59:56 oblgw pluto[4404]: loaded cacert file 'cabruellcert.pem' (1464 bytes)
> Aug 3 19:59:56 oblgw pluto[4404]: Changing to directory '/etc/ipsec.d/crls'
> Aug 3 19:59:56 oblgw pluto[4404]: loaded crl file 'crl.pem' (605 bytes)
> Aug 3 19:59:56 oblgw pluto[4404]: loaded crl file 'bruellcrl.pem' (633 bytes)
> Aug 3 19:59:56 oblgw pluto[4404]: could not open my default X.509 cert file '/etc/x509cert.der'
> Aug 3 19:59:56 oblgw pluto[4404]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
> Aug 3 19:59:57 oblgw pluto[4404]: | from whack: got --esp=3des
> Aug 3 19:59:57 oblgw pluto[4404]: | from whack: got --ike=3des
> Aug 3 19:59:57 oblgw pluto[4404]: loaded host cert file '/etc/ipsec.d/private/gatewayKey.pem' (963 bytes)
> Aug 3 19:59:57 oblgw pluto[4404]: no passphrase available
> Aug 3 19:59:57 oblgw pluto[4404]: added connection description "cleppert"
> Aug 3 19:59:57 oblgw pluto[4404]: | from whack: got --esp=3des
> Aug 3 19:59:57 oblgw pluto[4404]: | from whack: got --ike=3des
> Aug 3 19:59:57 oblgw pluto[4404]: loaded host cert file '/etc/ipsec.d/private/gatewayKey.pem' (963 bytes)
> Aug 3 19:59:57 oblgw pluto[4404]: no passphrase available
> Aug 3 19:59:57 oblgw pluto[4404]: added connection description "obl-bruell"
> Aug 3 19:59:58 oblgw pluto[4404]: | from whack: got --esp=3des
> Aug 3 19:59:58 oblgw pluto[4404]: | from whack: got --ike=3des
> Aug 3 19:59:58 oblgw pluto[4404]: loaded host cert file '/etc/ipsec.d/private/gatewayKey.pem' (963 bytes)
> Aug 3 19:59:58 oblgw pluto[4404]: no passphrase available
> Aug 3 19:59:58 oblgw pluto[4404]: added connection description "ibruell"
> Aug 3 19:59:58 oblgw pluto[4404]: | from whack: got --esp=3des
> Aug 3 19:59:58 oblgw pluto[4404]: | from whack: got --ike=3des
> Aug 3 19:59:58 oblgw pluto[4404]: loaded host cert file '/etc/ipsec.d/private/gatewayKey.pem' (963 bytes)
> Aug 3 19:59:58 oblgw pluto[4404]: no passphrase available
> Aug 3 19:59:58 oblgw pluto[4404]: added connection description "bhptooobl"
> Aug 3 19:59:58 oblgw pluto[4404]: | from whack: got --esp=aes128-sha1,aes128-md5
> Aug 3 19:59:58 oblgw pluto[4404]: | from whack: got --ike=aes128-sha,aes128-md5
> Aug 3 19:59:58 oblgw pluto[4404]: loaded host cert file '/etc/ipsec.d/private/gatewayKey.pem' (963 bytes)
> Aug 3 19:59:58 oblgw pluto[4404]: no passphrase available
> Aug 3 19:59:58 oblgw pluto[4404]: added connection description "deilmann"
> Aug 3 19:59:58 oblgw pluto[4404]: | from whack: got --esp=3des
> Aug 3 19:59:58 oblgw pluto[4404]: | from whack: got --ike=3des
> Aug 3 19:59:58 oblgw pluto[4404]: loaded host cert file '/etc/ipsec.d/private/gatewayKey.pem' (963 bytes)
> Aug 3 19:59:58 oblgw pluto[4404]: no passphrase available
> Aug 3 19:59:58 oblgw pluto[4404]: added connection description "gleppert"
> Aug 3 19:59:59 oblgw pluto[4404]: | from whack: got --esp=3des
> Aug 3 19:59:59 oblgw pluto[4404]: | from whack: got --ike=3des
> Aug 3 19:59:59 oblgw pluto[4404]: loaded host cert file '/etc/ipsec.d/private/gatewayKey.pem' (963 bytes)
> Aug 3 19:59:59 oblgw pluto[4404]: no passphrase available
> Aug 3 19:59:59 oblgw pluto[4404]: added connection description "bruell-obl"
> Aug 3 19:59:59 oblgw pluto[4404]: listening for IKE messages
> Aug 3 19:59:59 oblgw pluto[4404]: adding interface ipsec0/ppp0 217.82.101.101
> Aug 3 19:59:59 oblgw pluto[4404]: loading secrets from "/etc/ipsec.secrets"
> Aug 3 19:59:59 oblgw pluto[4404]: loaded private key file '/etc/ipsec.d/private/gatewayKey.pem' (963 bytes)
> --- snap ---
>
>
>
> so long
>
>
> Ingo Bruell
>
> ---
> <ibruell_at_gmx.de>
> <ICQ# 40377720>
> Oldenburg PGP-Fingerprint: CB01 AE12 B359 87C4 BF1C 953C 8FE7 C648 169E E5FC
> Germany PGP-Public-Key available at pgpkeys.mit.edu
>
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users

-- 
======================================================================
Andreas Steffen                 e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                  phone:  +41 76 340 25 56
Alter Zürichweg 20              home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
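
Added example, not part of the original message or of FreeS/WAN: a small check for the mix-up discussed in this thread, where `leftcert` names a private key or CA file instead of the gateway certificate and the `: RSA` entry in ipsec.secrets must name the key with its passphrase. It assumes PEM files only; the `audit` helper, the `FILES` contents and the sample configs are constructed, and file names are looked up exactly as written in the config.

```python
import re

PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
CERT_OPT = re.compile(r"^[ \t]*(leftcert|rightcert)[ \t]*=[ \t]*(\S+)", re.M)
RSA_SECRET = re.compile(r'^[ \t]*:[ \t]*RSA[ \t]+(\S+)(?:[ \t]+"([^"]*)")?', re.M)

def pem_kind(text):
    """Classify a PEM file by its armor label."""
    m = PEM_BEGIN.search(text)
    if not m:
        return "unknown"
    label = m.group(1)
    if label.endswith("PRIVATE KEY"):
        return "private-key"
    return "certificate" if label.endswith("CERTIFICATE") else "unknown"

def is_encrypted(text):
    # Traditional OpenSSL header, or the PKCS#8 encrypted label.
    return "Proc-Type: 4,ENCRYPTED" in text or "BEGIN ENCRYPTED PRIVATE KEY" in text

def audit(conf, secrets, files):
    """Return findings for cert options and ': RSA' entries; files maps name -> PEM text."""
    findings = []
    for opt, name in CERT_OPT.findall(conf):
        kind = pem_kind(files.get(name, ""))
        if kind == "private-key":
            findings.append(f"{opt}={name}: private key, expected certificate")
        elif kind != "certificate":
            findings.append(f"{opt}={name}: not a PEM certificate")
        elif name.startswith("cacerts/"):
            findings.append(f"{opt}={name}: CA certificate, expected host certificate")
    for name, passphrase in RSA_SECRET.findall(secrets):
        if name == "{":  # inline key material, nothing to look up
            continue
        text = files.get(name, "")
        if pem_kind(text) != "private-key":
            findings.append(f": RSA {name}: not a private key")
        elif is_encrypted(text) and not passphrase:
            findings.append(f": RSA {name}: encrypted key without passphrase")
    return findings

# Constructed sample input: PEM armor only, bodies elided.
CERT = "-----BEGIN CERTIFICATE-----\n(elided)\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n\n(elided)\n"
FILES = {"gatewayCert.pem": CERT, "cacerts/cacert.pem": CERT,
         "gatewayKey.pem": KEY, "private/gatewayKey.pem": KEY}
SECRETS = ': RSA gatewayKey.pem "<passphrase>"\n'
BAD_CONF = "conn sample\n    leftcert=private/gatewayKey.pem\n"
GOOD_CONF = "conn sample\n    leftcert=gatewayCert.pem\n"
if __name__ == "__main__":
    print(audit(BAD_CONF, SECRETS, FILES), audit(GOOD_CONF, SECRETS, FILES))
```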




This archive was generated by hypermail 2.1.4 : Mon Aug 05 2002 - 21:01:36 CEST