Re: [Users] [Fwd: Re: Freeswan problems]

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Fri Aug 16 2002 - 08:16:05 CEST


Hi Chris,

strange problem. Could you send me both RootCA.der and client.pem?
There might be something wrong with the issuer and subject names
of these certificates. As a next step I would need a barf from
Oreo with plutodebug=all set in ipsec.conf.

Regards

Andreas

Christopher Marston wrote:
> Hi,
>
> I originally sent this to Nate Carlson, after trying to fiddle with a
> roadwarrior-type config set up between two freeswan boxen. However, he
> seems to be quite busy ATM, so I'm forwarding it here. Note that I've
> set everything up (almost?) exactly as he's described. However, I can't
> make it past Main Mode (the host replies that it can't find the issuer
> CA, when the damned thing is right where it's supposed to be, in
> /etc/ipsec.d/cacerts/RootCA.der). I'm only a lowly junior admin (still
> in uni), and I've been banging my head against this problem,
> consistently, for over a week. I've skimmed a lot of the freeswan-users
> archives to boot, but due to the abhorrent absence of a search engine
> from the default Pipermail layout (and of course my own sub-jedi-level
> knowledge of SSL and X509 and certification models in general), I've
> drawn nothing but blanks. This is a very simple setup, and neither
> myself nor my boss can believe that this is taking so long. :-/
>
> If this doesn't work, said boss (who is somewhat linux-sceptic to begin
> with) is going to replace our beautiful debian firewall with some
> braindead buggy 'hole-istic' piece of MS-ware. So, please give the
> barf-logs a glance, for great justice!
>
> Since it might be relevant, this is the procedure used to generate the
> certs and keys. Note that prior to following this procedure, I've
> edited both ipsec.secrets (Oreo's and Marzipan's) to contain
> ': RSA gateway.key "..."' and ': RSA client.key "..."' respectively.
>
>
> # gateway (Oreo): new CA in ./demoCA, then a key + CSR, signed by that CA
> CA.sh -newca
> ..
> CA.sh -newreq            # writes key and CSR together into newreq.pem
> ..
> CA.sh -sign              # signs newreq.pem, writes newcert.pem
> ..
> vim newreq.pem # to leave only the key
> cp newreq.pem /etc/ipsec.d/private/gateway.key
> cp newcert.pem /etc/ipsec.d/gateway.pem
> # CA certificate in DER form for /etc/ipsec.d/cacerts
> openssl x509 -in demoCA/cacert.pem -outform der -out rootca.der
> cp rootca.der /etc/ipsec.d/cacerts/RootCA.der
>
> ..
> # client (Marzipan): second key + CSR, signed by the same CA, copied over
> CA.sh -newreq
> ..
> CA.sh -sign
> ..
> vim newreq.pem # to leave only the key
> scp newreq.pem marzipan.dyndns.org:/etc/ipsec.d/private/client.key
> scp newcert.pem marzipan.dyndns.org:/etc/ipsec.d/client.pem
> scp /etc/ipsec.d/gateway.pem marzipan.dyndns.org:/etc/ipsec.d/gateway.pem
> scp rootca.der marzipan.dyndns.org:/etc/ipsec.d/cacerts/RootCA.der
>
> ...
> and then /etc/init.d/ipsec restart on both machines, followed by
> 'ipsec auto --up magic' on marzipan.
>
> and then... well, see the barf-logs for yourself.
>
> Gah, I'd appreciate any help that I can get ATM.
>

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.4 : Fri Aug 16 2002 - 11:19:44 CEST