[Users] can't get freeswan to work with X.509/RSA

From: martin f krafft (madduck_at_madduck.net)
Date: Wed Oct 23 2002 - 01:34:02 CEST


i am trying to get freeswan (1.98b) to work between two debian sarge
hosts with X.509 certs (debian has the x509 patch 0.9.14 installed per
default), and i am not succeeding. the kernel is a 2.4.19 edition.

the current error i am fighting with is that freeswan reports

  ipsec__plutorun: 003 "/etc/ipsec.secrets" line 9: error loading RSA
  private key file

upon startup (and upon `ipsec auto --rereadall`)

to facilitate the error-spotting, here's what I did:

  1. generating the certificates:
  -------------------------------

    i have a self signed CA cert in ca.pem. ca.config is all properly
    configured.
    so i ran:

    openssl genrsa -des3 2048 > gateway1.key
    openssl req -sha1 -config ca.config -new -key gateway1.key \
      -out gateway1.csr
    openssl ca -config ca.config -days 10 -md sha1 \
      -policy policy_anything -out gateway1.crt -infiles gateway1.csr
    cat gateway1.crt gateway1.key > gateway1.pem

    the CN is the FQDN, subjectAltName is blank

    and the same for the other gateway2.

  2. installing certificates
  --------------------------

    i copied the respective certificates to /etc/ipsec.d/private
    i copied the ca certificate (not the key) to /etc/ipsec.d/cacerts
      on both hosts

    all files are 0600 and owned by root:root

  3. configuring ipsec.conf
  -------------------------

    i put the following line in /etc/ipsec.secrets on both systems:
    (the ^ indicates line begin)

      : RSA /etc/ipsec.d/private/gateway{1,2}.pem "password"

    then i used the following in both gateway's ipsec.conf. left is
    gateway1, right is gateway2. so the following is on both verbatim!

      conn gate
        authby=rsasig
        rightrsasigkey=%cert
        leftrsasigkey=%cert
        leftcert=private/gateway1.pem
        left=80.XXX.XX.XX
        leftsubnet=192.168.255.248/28
        right=%any
        auto=add

      conn office-gateway
        also=gate
        right=%any
        rightrsasigkey=%cert
        rightcert=private/gateway2.pem
 
  4. wanting to try it
  --------------------

    upon start, freeswan now says:

      ipsec__plutorun: 003 "/etc/ipsec.secrets" line 9: error loading
      RSA private key file

    it doesn't seem to work (obviously).

    also, setting full debugging on klips and pluto doesn't show
    anything interesting, so[1] doesn't apply...

    i also tried using non-3des encrypted certificates, but got the
    same error. this rules out[2].

  1. http://lists.freeswan.org/pipermail/users/2002-June/011079.html
  2. http://frell.ambush.de/archives/freeswan-users/1338.html

i am clueless. thanks for any help!

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net_at_madduck
 
"computer science is no more about computers
 than astronomy is about telescopes."
                                                      -- e.w. dijkstra

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
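As an added pre-flight check (not part of the original post or of FreeS/WAN), the script below parses `: RSA <file> "passphrase"` entries like the one above and reports what the referenced PEM file actually contains before pluto is restarted. The secrets line, the file path and the PEM bodies are constructed sample data, and the `files` dict is a hypothetical stand-in for the filesystem so it runs offline.

```python
import re

# A PEM block: BEGIN and END labels must match (backreference \1);
# re.S lets the lazy body match span several lines.
PEM_BLOCK = re.compile(r"-----BEGIN ([^-]+)-----\r?\n(.*?)-----END \1-----", re.S)
# ipsec.secrets entry in the form the post uses: ': RSA <file> "passphrase"'
RSA_LINE = re.compile(r'^\s*:\s*RSA\s+(\S+)(?:\s+"([^"]*)")?\s*$')

def parse_secrets(text):
    """Return (line_number, key_path, passphrase_or_None) for each ': RSA' line."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        m = RSA_LINE.match(line)
        if m:
            entries.append((n, m.group(1), m.group(2)))
    return entries

def inspect_pem(data):
    """List the PEM labels in order and whether the RSA PRIVATE KEY block carries
    the 'Proc-Type: 4,ENCRYPTED' header that `openssl genrsa -des3` writes."""
    blocks = [(label.strip(), body) for label, body in PEM_BLOCK.findall(data)]
    encrypted = any(label == "RSA PRIVATE KEY" and "Proc-Type: 4,ENCRYPTED" in body
                    for label, body in blocks)
    return {"labels": [label for label, _ in blocks], "encrypted": encrypted}

def check_entry(entry, files):
    """Return human-readable findings for one entry; `files` maps path -> content."""
    lineno, path, passphrase = entry
    if path not in files:
        return [f"line {lineno}: {path} does not exist"]
    info = inspect_pem(files[path])
    if "RSA PRIVATE KEY" not in info["labels"]:
        return [f"line {lineno}: {path} has no RSA PRIVATE KEY block"]
    findings = []
    if info["encrypted"] and passphrase is None:
        findings.append(f"line {lineno}: key is encrypted but no passphrase given")
    if not info["encrypted"] and passphrase is not None:
        findings.append(f"line {lineno}: passphrase given but key is not encrypted")
    if info["labels"][0] != "RSA PRIVATE KEY":
        findings.append(f"line {lineno}: {path} starts with {info['labels'][0]}, not the key")
    extra = [l for l in info["labels"] if l != "RSA PRIVATE KEY"]
    if extra:
        findings.append(f"line {lineno}: {path} also contains {', '.join(extra)}")
    return findings

# Constructed sample: one secrets entry and a key file assembled like the post's
# `cat gateway1.crt gateway1.key > gateway1.pem` (cert first, then a des3 key).
# The base64 bodies are placeholders, not real key material.
SECRETS = ': RSA /etc/ipsec.d/private/gateway1.pem "password"\n'
FILES = {"/etc/ipsec.d/private/gateway1.pem": (
    "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMIIEconstructed\n"
    "-----END RSA PRIVATE KEY-----\n")}

def run(secrets=SECRETS, files=FILES):
    return [f for e in parse_secrets(secrets) for f in check_entry(e, files)]

if __name__ == "__main__":
    print("\n".join(run()) or "no findings")
```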

This archive was generated by hypermail 2.1.5 : Thu Oct 24 2002 - 05:20:31 CEST