From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Mon Aug 19 2002 - 12:10:55 CEST
The ISAKMP SA gets established because you have locally loaded
the peer's certificate (probably rechtscert.pem). With locally
trusted host certificates FreeS/WAN does not check if a CA cert
exists (which does not seem to be the case), because you have accepted
the certificate itself by putting it into /etc/ipsec.d.
Regards
Andreas
Thomas Will wrote:
> Andreas Steffen wrote:
>
>> Probably your user certificate is not valid yet. When you generate
>> a certificate on a different machine the clocks can differ, so
>> that the notBefore certificate field specifies a time in the future.
>>
>> Workaround: Go for a coffee and try again when you come back ;-)
>>
>> Andreas
>>
> OK, thx very much ;) That was the solution.
> Now I can establish an SA, but I get a strange message in my auth.log:
>
> Aug 19 09:22:45 snake pluto[6265]: "krabbel" #2278: deleting state
> (STATE_QUICK_R2)
> Aug 19 09:22:45 snake pluto[6265]: "krabbel" #2277: deleting state
> (STATE_MAIN_R3)
> Aug 19 09:22:55 snake pluto[6265]: loaded host cert file
> '/etc/ipsec.d/linkscert.pem' (1257 bytes)
> Aug 19 09:22:55 snake pluto[6265]: loaded host cert file
> '/etc/ipsec.d/rechtscert.pem' (1245 bytes)
> Aug 19 09:22:55 snake pluto[6265]: added connection description "krabbel"
> Aug 19 09:23:00 snake pluto[6265]: "krabbel" #2279: initiating Main Mode
> Aug 19 09:23:00 snake pluto[6265]: "krabbel" #2279: Peer ID is
> ID_DER_ASN1_DN: 'C=de, ST=p, O=xinux, OU=dv, CN=spiderman'
> Aug 19 09:23:00 snake pluto[6265]: "krabbel" #2279: Issuer CA
> certificate not found
> Aug 19 09:23:00 snake pluto[6265]: "krabbel" #2279: X.509 certificate
> rejected
> Aug 19 09:23:00 snake pluto[6265]: "krabbel" #2279: ISAKMP SA established
> Aug 19 09:23:00 snake pluto[6265]: "krabbel" #2280: initiating Quick
> Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+DISABLEARRIVALCHECK
> Aug 19 09:23:00 snake pluto[6265]: "krabbel" #2280: sent QI2, IPsec SA
> established
>
> Why do I first get "Issuer CA certificate not found" and "X.509
> certificate rejected"
> if the ISAKMP SA is then established right afterwards?
>
> regards
--
======================================================================
Andreas Steffen                   e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                    phone:  +41 76 340 25 56
Alter Zürichweg 20                home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
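An added example, not part of the original thread and not FreeS/WAN code: a small log audit that finds the pattern discussed above, where pluto logs "X.509 certificate rejected" and the same state still reaches "ISAKMP SA established", which per the reply means the peer was accepted through a certificate loaded locally from /etc/ipsec.d rather than through a CA check. The function name `find_pinned_cert_auth` is hypothetical, and the matching assumes the message strings exactly as they appear in the quoted auth.log.

```python
import re

# Log lines copied from the quoted auth.log excerpt (wrapped lines rejoined).
SAMPLE_LOG = """\
Aug 19 09:23:00 snake pluto[6265]: "krabbel" #2279: initiating Main Mode
Aug 19 09:23:00 snake pluto[6265]: "krabbel" #2279: Peer ID is ID_DER_ASN1_DN: 'C=de, ST=p, O=xinux, OU=dv, CN=spiderman'
Aug 19 09:23:00 snake pluto[6265]: "krabbel" #2279: Issuer CA certificate not found
Aug 19 09:23:00 snake pluto[6265]: "krabbel" #2279: X.509 certificate rejected
Aug 19 09:23:00 snake pluto[6265]: "krabbel" #2279: ISAKMP SA established
Aug 19 09:23:00 snake pluto[6265]: "krabbel" #2280: sent QI2, IPsec SA established
"""

# pluto prefixes state messages with: "<connection>" #<state number>: <message>
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
PEER_RE = re.compile(r"Peer ID is \w+: '(?P<dn>[^']*)'")


def find_pinned_cert_auth(log_text):
    """Return one finding per IKE state in which the received certificate
    was rejected and the ISAKMP SA was established anyway."""
    states = {}    # (connection, state number) -> facts collected so far
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # daemon-level lines such as "loaded host cert file"
        key = (m["conn"], int(m["state"]))
        info = states.setdefault(key, {"peer": None, "reasons": [], "rejected": False})
        msg = m["msg"]
        peer = PEER_RE.match(msg)
        if peer:
            info["peer"] = peer["dn"]
        elif msg == "Issuer CA certificate not found":
            info["reasons"].append(msg)
        elif msg == "X.509 certificate rejected":
            info["rejected"] = True
        elif msg == "ISAKMP SA established" and info["rejected"]:
            findings.append({"connection": key[0], "state": key[1],
                             "peer": info["peer"], "reasons": list(info["reasons"])})
    return findings


if __name__ == "__main__":
    for f in find_pinned_cert_auth(SAMPLE_LOG):
        why = ", ".join(f["reasons"]) or "no reason logged"
        print(f'{f["connection"]} #{f["state"]}: SA established after cert rejection ({why}); peer={f["peer"]}')
```

Each finding names a connection whose trust rests on the locally stored peer certificate, so those files in /etc/ipsec.d are the ones to review.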