Re: [Users] no RSA public key found

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Wed Oct 30 2002 - 10:00:28 CET


martin f krafft wrote:
> also sprach Andreas Steffen <andreas.steffen_at_strongsec.net> [2002.10.30.0754 +0100]:
>
>>What connection definition is shown if you type
>>
>> ipsec auto --status
>
>
> the two are attached. it's quite interesting to see that albatros
> seems to support more ESP ciphers and authentication methods, even
> though they both use the same software with the same configuration.
>
> fishbowl is left, albatros is right btw.
>
>
>>after you have started up pluto on both sides? Are there
>>any error messages in the log during startup?
>
>
> left, which is started first:
>
> # i don't think these four really matter, do they?
> Changing to directory '/etc/ipsec.d/crls'
> Warning: empty directory
> could not open my default X.509 cert file '/etc/x509cert.der'
> OpenPGP certificate file '/etc/pgpcert.pgp' not found
>

These warnings can be ignored. These files are just for backward
compatibility and have disappeared in version 1.0 of the patch.

> # then this:
> loaded host cert file '/etc/ipsec.d/private/fishbowl.dyn.madduck.net.pem'
> (1751 bytes)
> no passphrase available
>

I remember that you have both the certificate and the password-protected
private key in a single file. Could you separate them into two files?
Is the certificate actually loaded? You can verify this by typing

   ipsec auto --listcerts

I suspect that at least on one side the certificate cannot be loaded.
Therefore by default IPV4_ADDR is assumed as the ID.

> ---> the line in ipsec.secrets is:
> : RSA /etc/ipsec.d/private/fishbowl.dyn.madduck.net.pem "password"
>
> "gate-albatros" #1: ERROR: asynchronous network error report on eth0
> for message to 217.162.173.237 port 500, complainant
> 217.162.173.237: Connection refused [errno 111, origin ICMP type
> 3 code 3 (not authenticated)]
>
> then i start the right side:
>
> # we get the same errors about the CRL directory, the missing
> # x509cert.der and pgpcert.pgp files, it loads the host cert file and
> # complains that there is no passphrase available, even though
> # ipsec.secrets is set just like on the left side.
> #
> # and then:
>
> "gate-albatros" #1: initiating Main Mode
> "gate-albatros" #1: ignoring informational payload, type
> INVALID_ID_INFORMATION
> "gate-albatros" #2: responding to Main Mode
> "gate-albatros" #2: Peer ID is ID_IPV4_ADDR: '80.218.18.6'
> "gate-albatros" #2: no suitable connection for peer '80.218.18.6'
> "gate-albatros" #2: sending notification INVALID_ID_INFORMATION to
> 80.218.18.6:500
>
> to which the left side then says:
>
> "gate-albatros" #2: responding to Main Mode
> "gate-albatros" #2: Peer ID is ID_IPV4_ADDR: '217.162.173.237'
> "gate-albatros" #2: Issuer CRL not found
> "gate-albatros" #2: Issuer CRL not found
> "gate-albatros" #2: no suitable connection for peer '217.162.173.237'
> "gate-albatros" #2: sending notification INVALID_ID_INFORMATION
> to 217.162.173.237:500
> "gate-albatros" #1: ignoring informational payload, type
> INVALID_ID_INFORMATION
>
> These lines, prefixed with #1 and #2, will just repeat over and over,
> incrementing the numbers...
>
> Thanks for your time!

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
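As an added diagnostic aid, not code from this thread or from FreeS/WAN itself: a small Python check for the layout Andreas points at, a certificate and a passphrase-protected private key sitting in one PEM file that ipsec.secrets references with a `: RSA <file> "passphrase"` line. The PEM sample is constructed with placeholder bodies, and the `diagnose` helper and its finding strings are my own mapping of the file layout onto the log symptoms quoted above.

```python
import re

# Constructed sample: one PEM file holding both the certificate and a
# passphrase-protected RSA key (placeholder bodies, not real material).
COMBINED_PEM = """\
-----BEGIN CERTIFICATE-----
MIIBxzCCATCgAwIBAgIBATANBgkqhkiG9w0BAQQFADA=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MIICXAIBAAKBgQCplaceholderbodyonlynotarealkey=
-----END RSA PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----\n", re.S)
SECRETS_LINE = re.compile(r'^\s*:\s*RSA\s+(\S+)(?:\s+"([^"]*)")?\s*$')

def split_pem(text):
    """Return (label, block) for every PEM block found in text."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def key_is_encrypted(block):
    """PKCS#1 key with a Proc-Type header, or a PKCS#8 encrypted envelope."""
    return ("Proc-Type: 4,ENCRYPTED" in block
            or block.startswith("-----BEGIN ENCRYPTED PRIVATE KEY-----"))

def parse_secrets_line(line):
    """Parse ': RSA <file> ["passphrase"]' as written in ipsec.secrets."""
    m = SECRETS_LINE.match(line)
    if not m:
        raise ValueError("not an RSA secret line: %r" % line)
    return m.group(1), m.group(2)

def diagnose(pem_text, secrets_line):
    """Map the file layout to the log symptoms quoted in the thread."""
    blocks = split_pem(pem_text)
    labels = [label for label, _ in blocks]
    keys = [b for label, b in blocks if label.endswith("PRIVATE KEY")]
    _, passphrase = parse_secrets_line(secrets_line)
    findings = []
    if "CERTIFICATE" in labels and keys:
        findings.append("cert and key share one file: split them")
    if keys and key_is_encrypted(keys[0]) and not passphrase:
        findings.append("encrypted key but no passphrase in ipsec.secrets")
    if "CERTIFICATE" not in labels:
        findings.append("no certificate: ID falls back to IPV4_ADDR")
    return findings
```

Run `diagnose` on the actual file named in the `: RSA` line; a combined file is the first thing to split before looking at `ipsec auto --listcerts` output.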



This archive was generated by hypermail 2.1.5 : Thu Oct 31 2002 - 05:20:35 CET