Re: [Users] freeswan-x509 <-> freeswan-x509

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Fri Aug 16 2002 - 21:46:52 CEST


Probably your user certificate is not valid yet. When you generate
a certificate on a different machine the clocks can differ, so
that the notBefore certificate field specifies a time in the future.

Workaround: Go for a coffee and try again when you come back ;-)

Andreas

Thomas Will wrote:
> hi
> I want to connect 2 FreeS/WAN gateways with the x509 patch
> I have patched the left and right host with x509 from strongSec
> 192.168.253.0/24 -left -172.16.0.2
> --------172.16.0.1-right-192.168.254.0/24
> I have read the German article in c't by Andreas Steffen
> and then I have written a script
> make-host-ca
> ---------------
> #!/bin/bash
> # usage: make-host-ca <hostname> <peer-ip>
> ORIGDIR=$(pwd)        # keep the caller's directory; do not overwrite $PWD
> IP=$2
> KEY="private/${1}key.pem"
> REQ="${1}req.pem"
> CERT="${1}cert.pem"
> CAKEY="private/cakey.pem"
> CACERT="cacert.pem"
> cd /usr/local/ssl || exit 1
> # CA key and self-signed CA certificate (4 years)
> openssl genrsa -des3 -out "$CAKEY" 2048
> openssl req -new -x509 -days 1460 -key "$CAKEY" -out "$CACERT"
> openssl x509 -in "$CACERT" -noout -text
> # host key, certificate request and CA-signed host certificate
> openssl genrsa -des3 -out "$KEY" 1024
> openssl req -new -key "$KEY" -out "$REQ"
> openssl ca -notext -in "$REQ" -out "$CERT"
> openssl x509 -in "$CERT" -outform der -out /etc/x509cert.de
> openssl ca -gencrl -out /etc/ipsec.d/crl.pem
> # install key, certificate and CA certificate for pluto, send cert to peer
> cp "$KEY" /etc/ipsec.d/private
> cp "$CERT" /etc/ipsec.d
> cp "$CACERT" /etc/ipsec.d/cacerts
> scp "$CERT" "$IP":/etc/ipsec.d/
> cd "$ORIGDIR"
> --------------
> on the left host I start the script with
> make-host-ca links 172.16.0.1
> on the right host I start the script with
> make-host-ca rechts 172.16.0.2
> ---------------------------------------------
> my ipsec.conf on both sides is the same
>
> config setup
>         interfaces="ipsec0=eth1"
>         klipsdebug=none
>         plutodebug=none
>         plutoload=%search
>         plutostart=%search
> conn %default
>         authby=rsasig
>         compress=yes
>         keyingtries=0
>         leftrsasigkey=%cert
>         rightrsasigkey=%cert
>         rightcert=rechtscert.pem
>         leftcert=linkscert.pem
> conn krabbel
>         left=172.16.0.2
>         leftnexthop=172.16.0.1
>         leftsubnet=192.168.253.0/24
>         right=172.16.0.1
>         rightnexthop=172.16.0.2
>         rightsubnet=192.168.254.0/24
>         auto=add
> -------------------------------------------------
> but when I started on the left side I get the following on the right in
> auth.log
> ipsec setup --restart && ipsec auto --up krabbel
>
> Aug 16 20:32:03 spiderman pluto[5209]: "krabbel" #55: Peer ID is
> ID_DER_ASN1_DN: 'C=de, ST=pf, O=xinux, OU=dv, CN=snake'
> Aug 16 20:32:03 spiderman pluto[5209]: "krabbel" #55: Certificate is
> invalid
> Aug 16 20:32:03 spiderman pluto[5209]: "krabbel" #55: X.509 certificate
> rejected
> Aug 16 20:32:03 spiderman pluto[5209]: "krabbel" #55: no RSA public key
> known for 'C=de, ST=pf, O=xinux, OU=dv, CN=snake'
>
>
> on the right i get this
> 104 "krabbel" #57: STATE_MAIN_I1: initiate
> 106 "krabbel" #57: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "krabbel" #57: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "krabbel" #57: no RSA public key known for 'C=de, ST=pf, O=xinux,
> OU=dv, CN=snake'
> 217 "krabbel" #57: STATE_MAIN_I3: INVALID_KEY_INFORMATION
> 010 "krabbel" #57: STATE_MAIN_I3: retransmission; will wait 20s for
> response
> 003 "krabbel" #57: no RSA public key known for 'C=de, ST=pf, O=xinux,
> OU=dv, CN=snake'
> 217 "krabbel" #57: STATE_MAIN_I3: INVALID_KEY_INFORMATION
> 010 "krabbel" #57: STATE_MAIN_I3: retransmission; will wait 40s for
> response
> 003 "krabbel" #57: no RSA public key known for 'C=de, ST=pf, O=xinux,
> OU=dv, CN=snake'
> 217 "krabbel" #57: STATE_MAIN_I3: INVALID_KEY_INFORMATION
> 031 "krabbel" #57: max number of retransmissions (2) reached
> STATE_MAIN_I3. Possible authentication failure: no acceptable response
> to our first encrypted message
> 000 "krabbel" #57: starting keying attempt 2 of an unlimited number, but
> releasing whack
>
> where is my error?

-- 
======================================================================
Andreas Steffen                 e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                  phone:  +41 76 340 25 56
Alter Zürichweg 20              home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==

_______________________________________________ Users mailing list Users_at_lists.freeswan.org http://lists.freeswan.org/mailman/listinfo/users
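Andreas's diagnosis, a notBefore that is still ahead of the gateway's clock, can be checked instead of waited out. The script below is an added example written for this thread; it is not code from FreeS/WAN, the X.509 patch or strongSec. It decodes only the DER Validity field of a certificate (RFC 5280, section 4.1.2.5) and runs on a constructed sample rather than the poster's certificates: the timestamps, the 8 minutes of skew between the CA host and the gateway, and the 10-minute tolerance are all assumptions. On a real gateway, `openssl x509 -in /etc/ipsec.d/linkscert.pem -noout -startdate -enddate` prints the same two fields, and the lasting fix is to keep the CA host and both gateways synchronised with NTP.

```python
"""Check an X.509 validity window against the local clock, allowing for skew.

Added example for the freeswan-users thread (not FreeS/WAN, X.509-patch or
strongSec code). It decodes only the DER Validity SEQUENCE of a certificate
(RFC 5280, section 4.1.2.5) and runs on a constructed sample, so it needs
nothing beyond the Python standard library.
"""
from datetime import datetime, timedelta, timezone

SEQUENCE, UTCTIME, GENERALIZEDTIME = 0x30, 0x17, 0x18


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER tag-length-value at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length (X.690 8.1.3.5)
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_time(tag, value):
    """Decode UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == UTCTIME:
        yy = int(text[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 two-digit pivot
        rest = text[2:]
    elif tag == GENERALIZEDTIME:
        year, rest = int(text[:4]), text[4:]
    else:
        raise ValueError("tag 0x%02x is not a time type" % tag)
    if len(rest) != 11 or not rest.endswith("Z"):
        raise ValueError("certificate times must be UTC with seconds: %r" % text)
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_validity(der):
    """Decode a DER Validity ::= SEQUENCE { notBefore Time, notAfter Time }."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Validity must be a SEQUENCE")
    tag_nb, val_nb, pos = _read_tlv(body, 0)
    tag_na, val_na, _ = _read_tlv(body, pos)
    return parse_time(tag_nb, val_nb), parse_time(tag_na, val_na)


def validity_status(not_before, not_after, now, skew=timedelta(0)):
    """Classify 'now' against the window; 'skew' widens the window on both ends.

    A skew of zero is what a strict verifier such as pluto applies: a notBefore
    a few minutes ahead of the local clock makes the certificate not yet valid.
    """
    if now + skew < not_before:
        return "not yet valid"
    if now - skew > not_after:
        return "expired"
    return "valid"


def _tlv(tag, value):
    """Short-form DER encoder; enough for a Validity (two 15-byte UTCTimes)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def encode_validity(not_before, not_after):
    """Encode two UTC datetimes as a DER Validity SEQUENCE of UTCTime."""
    def utctime(dt):
        return _tlv(UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    return _tlv(SEQUENCE, utctime(not_before) + utctime(not_after))


# Constructed sample (assumption, not taken from the thread): the CA host's
# clock ran 8 minutes fast, so notBefore is 8 minutes ahead of the gateway.
SAMPLE_NOT_BEFORE = datetime(2002, 8, 16, 20, 40, 0, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = datetime(2003, 8, 16, 20, 40, 0, tzinfo=timezone.utc)
SAMPLE_VALIDITY_DER = encode_validity(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER)
GATEWAY_CLOCK = datetime(2002, 8, 16, 20, 32, 3, tzinfo=timezone.utc)
SKEW_TOLERANCE = timedelta(minutes=10)      # assumed tolerance for the demo


def diagnose(validity_der, now, skew=timedelta(0)):
    """Return (status, notBefore, notAfter) for a DER Validity and a clock."""
    not_before, not_after = parse_validity(validity_der)
    return validity_status(not_before, not_after, now, skew), not_before, not_after


if __name__ == "__main__":
    for tolerance in (timedelta(0), SKEW_TOLERANCE):
        status, nb, na = diagnose(SAMPLE_VALIDITY_DER, GATEWAY_CLOCK, tolerance)
        print("clock %s, tolerance %s: %s (notBefore %s, notAfter %s)"
              % (GATEWAY_CLOCK, tolerance, status, nb, na))
```

With zero tolerance the sample is reported as "not yet valid", which is exactly the state pluto logs as "Certificate is invalid"; with a 10-minute tolerance the same certificate passes. The tolerance is there to show how small the skew behind such a rejection can be, not as a setting to copy: a verifier that widens the window also accepts a certificate slightly past notAfter, so clock synchronisation is the right remedy.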



This archive was generated by hypermail 2.1.4 : Sat Aug 17 2002 - 00:19:43 CEST