From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Tue Oct 29 2002 - 08:24:47 CET
With your connection definition:
conn gate-albatros
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        rightrsasigkey=%cert
        right=80.218.20.44
        rightsubnet=192.168.2.0/24
        rightnexthop=80.218.20.1
        leftrsasigkey=%cert
        leftcert=private/fishbowl.dyn.madduck.net.pem
        left=217.162.173.58
        leftsubnet=192.168.1.0/24
        leftnexthop=217.162.173.1
        auto=start
Pluto expects the peer on the right side to have an ID of type
ID_IPV4_ADDR, because the rightid parameter is missing and by default

        rightid = right = 80.218.20.44

is assumed. The certificate "albatros.dyn.madduck.net.pem" which
the peer sends as part of the IKE protocol and which causes the
warnings "Issuer CRL not found" must contain the IP address
80.218.20.44 as a subjectAltName. Otherwise no RSA public key
will be found, since it will not be associated with the ID_IPV4_ADDR
80.218.20.44. You can easily verify this by typing

        ipsec auto --listpubkeys

You probably don't want to have an IP address as a subjectAltName
in your certificates since you are working with dynamic IPs.
There are two solutions:
1) Don't specify the IP address of your peer:

conn gate-albatros
        ...
        rightrsasigkey=%cert
        right=%any
        rightsubnet=192.168.2.0/24
        ...

This solution has the drawback that any valid certificate your
CA has issued will be accepted.
2) Specify the distinguished name of your peer:

conn gate-albatros
        ...
        rightrsasigkey=%cert
        right=80.218.20.44
        rightid="C=..., O=..., CN=..."
        rightsubnet=192.168.2.0/24
        ...
If you don't like distinguished names then you can add a host name
as a subjectAltName to your certificate and write e.g.

conn gate-albatros
        ...
        rightrsasigkey=%cert
        right=80.218.20.44
        rightid=@albatros.dyn.madduck.net
        rightsubnet=192.168.2.0/24
        ...
Regards
Andreas
martin f krafft wrote:
> hi there,
>
> I am trying to set up a VPN between two hosts running freeswan 1.98b
> with RSA certificates issued by a self-signed CA. However, it's not
> working, and I think it's related to the following log entries on the
> left side:
>
> pluto[14060]: "gate-albatros" #2: Peer ID is ID_IPV4_ADDR: '80.218.20.44'
> pluto[14060]: "gate-albatros" #2: Issuer CRL not found
> pluto[14060]: "gate-albatros" #2: Issuer CRL not found
> pluto[14060]: "gate-albatros" #2: no RSA public key known for '80.218.20.44'
> pluto[14060]: "gate-albatros" #2: sending notification INVALID_KEY_INFORMATION to 80.218.20.44:500
>
> On the right hand side, there are similar entries except that it
> doesn't complain about the CRL missing. There are no CRLs, but AFAIK,
> you don't need them unless you turn strict checking on.
>
> Anyway, here is the configuration for both sides. The
> asterisk-prefixed lines only appear on the corresponding side
> (rightcert on the right, leftcert on the left).
>
> conn gate-albatros
>         keyingtries=0
>         disablearrivalcheck=no
>         authby=rsasig
>         rightrsasigkey=%cert
> *       rightcert=private/albatros.dyn.madduck.net.pem
>         right=80.218.20.44
>         rightsubnet=192.168.2.0/24
>         rightnexthop=80.218.20.1
>         leftrsasigkey=%cert
> *       leftcert=private/fishbowl.dyn.madduck.net.pem
>         left=217.162.173.58
>         leftsubnet=192.168.1.0/24
>         leftnexthop=217.162.173.1
>         auto=start
>
> Please help me to get this going...
>
--
======================================================================
Andreas Steffen                     e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                      phone:  +41 76 340 25 56
Alter Zürichweg 20                  home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
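The ID-matching rule Andreas describes (rightid defaulting to right, and the peer's certificate having to carry that ID as a subjectAltName or as its subject DN) is easy to get wrong by hand, so here is an added example that models it. This is not FreeS/WAN code and it parses no real certificate: the conn and the certificate are constructed Python dicts, the DN and the DNS subjectAltName in ALBATROS_CERT are sample values, and the matching logic is a simplified version of Pluto's public-key lookup, enough to show why the posted conn fails and why each of the suggested rightid settings succeeds.

```python
"""Added example: a simplified model of how Pluto (FreeS/WAN 1.98b) derives the
peer ID it expects from an ipsec.conf conn and looks for a matching identity in
the peer's certificate. It is not FreeS/WAN code; the conn and certificate
below are constructed dicts, not parsed files."""
import ipaddress


def normalize_dn(dn):
    """Canonicalise a distinguished name string for comparison: strip the
    whitespace around each RDN so "C=XX, O=..." and "C=XX,O=..." compare equal."""
    return ",".join(rdn.strip() for rdn in dn.split(","))


def expected_peer_id(conn):
    """Return (id_type, value) for the right side of a conn.

    Defaulting rule from the reply above: when rightid is absent,
    rightid = right, which for an IP address yields ID_IPV4_ADDR.
    '@name' is ID_FQDN, a string containing '=' is treated as a DN and
    '%any' places no constraint on the peer's identity."""
    rightid = conn.get("rightid", conn["right"])
    if rightid == "%any":
        return ("ANY", None)
    if rightid.startswith("@"):
        return ("ID_FQDN", rightid[1:].lower())
    if "=" in rightid:
        return ("ID_DER_ASN1_DN", normalize_dn(rightid))
    try:
        return ("ID_IPV4_ADDR", str(ipaddress.IPv4Address(rightid)))
    except ValueError:
        return ("ID_FQDN", rightid.lower())


def cert_identities(cert):
    """Identities a certificate can be matched on: its subject DN plus every
    IP and DNS subjectAltName."""
    ids = {("ID_DER_ASN1_DN", normalize_dn(cert["subject"]))}
    for san_type, san_value in cert.get("subjectAltName", []):
        if san_type == "IP":
            ids.add(("ID_IPV4_ADDR", san_value))
        elif san_type == "DNS":
            ids.add(("ID_FQDN", san_value.lower()))
    return ids


def lookup_pubkey(conn, cert):
    """Return (found, message). The failure message mirrors Pluto's
    'no RSA public key known for ...' log line."""
    id_type, value = expected_peer_id(conn)
    if id_type == "ANY":
        return (True, "right=%any: any certificate issued by a trusted CA is accepted")
    if (id_type, value) in cert_identities(cert):
        return (True, f"public key found for {id_type} '{value}'")
    return (False, f"no RSA public key known for '{value}'")


# Constructed peer certificate: the DN and the DNS subjectAltName are sample
# values; the real albatros certificate from the thread is not reproduced here.
ALBATROS_CERT = {
    "subject": "C=XX, O=Example Org, CN=albatros.dyn.madduck.net",
    "subjectAltName": [("DNS", "albatros.dyn.madduck.net")],
}

# The conn as posted, without rightid: rightid defaults to right.
ORIGINAL_CONN = {"right": "80.218.20.44", "rightsubnet": "192.168.2.0/24"}


def demo():
    """Run the posted conn and the three suggested fixes; return their outcomes."""
    variants = {
        "as posted (rightid defaults to right)": ORIGINAL_CONN,
        "1) right=%any": {"right": "%any"},
        "2) rightid as DN": {**ORIGINAL_CONN,
                             "rightid": "C=XX, O=Example Org, CN=albatros.dyn.madduck.net"},
        "2b) rightid=@hostname": {**ORIGINAL_CONN,
                                  "rightid": "@albatros.dyn.madduck.net"},
    }
    return {name: lookup_pubkey(conn, ALBATROS_CERT) for name, conn in variants.items()}


if __name__ == "__main__":
    for name, (found, message) in demo().items():
        print(f"{'OK  ' if found else 'FAIL'} {name}: {message}")
```

Running the module prints one line per variant; only the posted conn fails, with the same "no RSA public key known for '80.218.20.44'" text that appears in Martin's log. Swapping the DNS subjectAltName for an IP one (("IP", "80.218.20.44")) would make the posted conn succeed too, which is the fix Andreas rejects for dynamic addresses.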
This archive was generated by hypermail 2.1.5 : Wed Oct 30 2002 - 05:20:34 CET